Wednesday, May 26, 2010

Shavlik offers 'cloud patching' with free service

SMBs with 10 or fewer PCs go free
By John E. Dunn | Techworld
Published: 17:24 GMT, 25 May 10

Patch management company Shavlik is offering small networks of 10 or fewer PCs access to a new online patch management service at no cost.

The new service, IT.Shavlik, is designed to scan for missing patches on a machine-by-machine basis, or using an IP address range or domain, reporting the results through the web portal. Missing patches across Windows versions are rated for severity and can be downloaded using links to the appropriate vendor website or using the ‘FixIT’ button. The service also supports VMware ESX and ESXi hypervisors.

The only setup requirements are that users download Shavlik’s ClickOnce application and already have Microsoft’s .NET Framework 3.5 installed.

Longer term, the company looks likely to introduce a degree of automation to future versions, which could allow specified patches to be fixed on an ongoing basis without the need for manual intervention.

There are a number of standalone patch discovery tools available at no cost, but IT.Shavlik is unusual in offering to manage this for up to 10 PCs and 100 separate scans per month, more than enough for a network of this size. It is also pioneering in offering what can be a tricky technology as an online service rather than a standalone app, which it believes extends the degree to which complexity can be hidden.

Separately, the company has re-purposed its established distributed patch management system as ‘PatchCloud’, which morphs existing technology for enterprises into a more ‘cloud-like’ form if they happen to want that.

Given that the announcements come as the company has adopted a new logo, the embracing of the cloud could be interpreted as a low-key re-launch of sorts.

Shavlik still sells software licenses but the future will be dominated by platforms run by giants such as Google, Amazon and Microsoft on which third-party services will integrate technology, including patch management, from specialists such as Shavlik.

Sunday, May 23, 2010

Heartland, MasterCard Settle

Issuers Face June 25 Deadline to Accept $41.4 Million Offer
May 19, 2010 - Linda McGlasson, Managing Editor

MasterCard and Heartland Payment Systems have settled on a $41.4 million payment to recover losses from the processor's card data breach that was made public in January 2009.

Heartland has now settled with all three major card brands, Visa ($60 million), American Express ($3.6 million) and MasterCard.

This proposed settlement resolves the claims from MasterCard and its issuers from the 2008 data breach. Under the agreement, alternative recovery offers totaling $41.4 million will be made to eligible MasterCard issuers with respect to losses incurred by them as a result of the criminal intrusion. MasterCard will recommend eligible MasterCard issuers accept the offer.

"We feel that this settlement represents an appropriate and fair resolution for our issuing financial institution customers and will enable them to avoid uncertainties and delays associated with potentially protracted litigation," says Wendy Murdock, chief franchise officer for MasterCard Worldwide in the press announcement.

Bob Carr, Heartland's chairman and chief executive officer, states in a release about the settlement: "We are pleased to have reached an equitable settlement agreement that helps issuers of MasterCard-branded cards obtain a recovery with respect to losses they may have incurred from the intrusion."

The settlement will be contingent upon financial institutions representing 80 percent of the claimed-on MasterCard accounts accepting their alternative recovery offers by June 25, 2010. The settlement also includes mutual releases between Heartland and its sponsoring bank acquirers on the one hand - and MasterCard and the accepting issuers on the other.

The settlement states that issuers who accept their alternative recovery offers must waive rights to any other recovery of alleged intrusion-related losses from Heartland and its sponsoring bank acquirers through litigation or other remedies and release MasterCard, Heartland and its sponsoring bank acquirers from all legal and financial responsibility related to the intrusion.

MasterCard says all eligible issuers will soon receive notification with full details of the settlement agreement and how to accept their alternative recovery offers before the offers expire.

A consumer-related class action suit against the payments processor was proposed to the judge and got preliminary approval in late April.


PCI Issues New POS Standard

PIN Transaction Security Update is Effective Immediately

May 12, 2010 - Linda McGlasson, Managing Editor

A new measure to strengthen credit card data protection was released by the PCI Security Standards Council today.

Version 3.0 of the PIN Transaction Security (PTS) Point of Interaction (POI) standard is designed to streamline and simplify testing and implementation by providing a single set of modular evaluation requirements for all Personal Identification Number (PIN) acceptance Point of Interaction terminals. The standard is meant to strengthen security and prevent payment card fraud on devices that accept payment transactions, and will cover everything from retail point of sale card readers to unattended payment terminals at gas stations and parking lots.

The new standard's rollout comes after several years of noted credit card breaches such as those at retailer TJX and payment processor Heartland Payment Systems. The most recent card-related breach was Hancock Fabrics, where point of sale devices were swapped out with bogus equipment that had skimming devices in them to collect card data.

The PCI Council says the new standard is effective immediately. Version 3.0 also includes three new modules for device vendors and their customers to secure sensitive card data.

Up to now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). This version of the standard simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.

Bob Russo, general manager of the PCI Security Standards Council says to help everyone better understand the new standards and how they should be applied, the council will host two webinars next week. Registration information is available at the PCI website.

"By combining all of the requirements into one program, we have simplified one-stop shopping when it comes to secure devices," says Russo in a statement. This new approach and additional modules make it easier for manufacturers and merchants to make sure that at any point in a transaction, account data is being protected, he adds.

The updated standard and detailed listing of approved devices are available on the PCI Council's website.

Monday, May 10, 2010

Basel Committee to tighten supervision of banks

Based on: Bank- en Effectenbedrijf (April 2010)
The Basel Committee, the global body for banking supervision, has announced far-reaching tightenings of the existing rules of banking supervision in order to strengthen the foundations of the system. For instance, the capital requirements for trading book activities will be raised considerably.

With this the Committee aims to remove the incentive for so-called regulatory arbitrage. Regulatory arbitrage is the phenomenon that banks tend to seek yield in places where the supervisory or capital requirements are lowest. The Committee also wants to impose heavier charges on complex activities in the banking book, such as re-securitisations, and banks must monitor the underlying positions of their activities more closely. From now on a bank may no longer simply rely blindly on the judgment of the rating agencies.

Finally, banks must be more transparent about the complex products on their balance sheets. These specific measures are expected to be introduced as early as the end of 2010. The plans enjoy broad international support, and in Europe they will be implemented by means of an amendment to the European banking directive.

Saturday, May 8, 2010

FISMA Reform Bill Clears House Panel (copied from Government Information Security)

Measure Would Require Real-Time Monitoring of IT Systems
May 5, 2010 - Eric Chabrow, Executive Editor

A bill to require federal agencies to employ real-time security monitoring of their information systems to replace the current paper process cleared its first hurdle Wednesday, receiving approval by the House Oversight and Government Reform Subcommittee on Government Management, Organization and Procurement.

The measure, the Federal Information Security Amendment Act, or H.R. 4900, goes to the full committee.

The bill would require that the president's top cybersecurity adviser and the federal chief technology officer be confirmed by the Senate. The measure also would establish a panel of government IT security specialists to direct agencies on the steps they must take to secure federal digital assets.

The subcommittee accepted an amendment offered by Rep. Gerald Connolly, D.-Va., to require the CTO be confirmed by the Senate. Last year, under existing authority, President Obama named Aneesh Chopra to the newly created job of federal chief technology officer, a post that didn't require Senate confirmation. Chopra serves as a presidential adviser, but reports to John Holdren, director of the White House Office of Science and Technology Policy.

"To ensure that the chief technology officer can continue to improve federal use of technology in the future, we need to make this a statutory position," Connolly said in a statement. "My amendment does that, and gives the chief technology officer the authority he needs by enabling him to report directly to the president."

Using similar authority, Obama tapped Howard Schmidt last December to be White House cybersecurity coordinator, a post that did not require Senate confirmation. In seeking to codify these positions, and by requiring Senate confirmation, Congress would provide some oversight over their performance.

The bill, sponsored by committee chair Diane Watson, D.-Calif., primarily is aimed at updating the 8-year-old Federal Information Security Management Act, the primary law regulating federal information security.

The measure would:

• Create a National Office for Cyberspace within the Executive Office of the President to coordinate and oversee the IT security of agency information systems and infrastructure, headed by a presidentially nominated director who would be confirmed by the Senate.

• Institute a Federal Cybersecurity Practice Board within the National Office of Cyberspace - chaired by the director - charged with developing the processes agencies would follow to defend their IT systems. Board members would come from the Office of Management and Budget, Department of Defense and select members from civilian and law enforcement agencies. The policies the board would develop include minimum security controls, measures of effectiveness for determining cyber risk and remedies for security deficiencies.

• Establish requirements for agencies to undertake automated and continuous system monitoring to identify system compliance, deficiencies and potential risks. These activities would move agencies away from manually intensive periodic assessments that fail to incorporate emerging trends or information about an agency's current security posture.

• Require agencies to conduct regular evaluations of their systems, including so-called red-team penetration tests.

• Oblige agencies and contractors managing government systems to obtain an annual, independent audit of their IT programs to determine their overall effectiveness and compliance with FISMA requirements.

• Authorize the National Office of Cyberspace director to approve policies for the operation of a central federal information security incident center.

• Establish requirements for the purchase of secure commercial, off-the-shelf IT products and services as well as policies for mitigating supply chain risks associated with those products.

The House bill is similar to a FISMA reform measure in the Senate, the United States Information and Communications Enhancement Act, or U.S. ICE, sponsored by Sen. Tom Carper, D.-Del., which also would replace so-called FISMA paper compliance with real-time monitoring of government IT systems. The major difference between the two bills is that the House version places cybersecurity authority in the White House, whereas the Senate measure - as redrafted last summer - would grant much of the cybersecurity governance clout to the Department of Homeland Security. Several other cybersecurity bills are at various stages in Congress.