SecGuru -

PriceWaterhouseCooper wrestles with Satyam dilemma

Param — Sun, 04 Jan 2009 16:37:39 -0800

The statutory auditor for Satyam Computer Services, PricewaterhouseCoopers (PwC), may review its “continuance” with the troubled software firm. The company’s image has been tarnished after its scuppered bid to buy two firms linked to its promoter B Ramalinga Raju.

“We do re-visit the process acceptance and continuance, whenever there are any major developments. We have been statutory auditors for the company for at least six years now. But we need to assess whether our judgement (on the company) continues to hold good. A re-evaluation is in sync with international norms on auditing,” said a source privy to the developments at PwC, who wished not to be named.

However, when contacted PwC’s spokesperson said: “As auditors, we are not allowed to comment on audit clients due to client confidentiality.” The source quoted earlier did not categorically say that the relationship would be reviewed, but said such a review was a possibility given what had happened.

In the normal course, the board (of any company) has to recommend the auditors’ appointment at the time of finalisation of accounts. The auditors, in turn, give their concurrence (continuance is industry jargon for this) in case they wish to come on the board or continue with the contract. The appointment is then ratified by shareholders at the company’s annual general meeting.

“The Satyam case relates to a risk on the company’s reputation, as investors questioned the propriety of buying two firms run by Ramalinga Raju’s sons. So a review on continuance of the auditing relationship appears possible,” said the source.

The board had on December 16 passed an unanimous resolution to allow Satyam buy Maytas Infra and Maytas Properties for $1.6 billion. But the deal was called off in the wake of an outrage from the company’s shareholders as well as the institutional investors.

Tech Jobs May Increase Despite Economic Trends

Param — Sun, 04 Jan 2009 16:31:36 -0800

The outlook for IT jobs in 2009 may not be as bad as some observers suggest. While some indicators and surveys are showing some declines in tech jobs, none predict a precipitous drop. In fact, a federal economic stimulus package may even add IT positions.

"IT jobs are relatively safe in the aftermath of the economic meltdown compared to jobs in general," said David Foote of Vero Beach Fla.-based Foote Partners LLC , which analyzes IT wages and hiring data.

While 853,000 U.S. jobs in all industries were lost in October and November, 9,000 were gained in the U.S. Bureau of Labor Statistics categories of "Computer Systems Design and Related Services" and "Management and Technical Consulting Services," said Foote.

The IT job market is stable, said Foote, "because a lot has happened to show businesses that IT is really our edge."

How to Succeed in Tech in a Downturn

Param — Sun, 04 Jan 2009 16:30:32 -0800

The economy is in trouble -- everywhere. Even outsourced providers are nervous. Already under stress, IT staffers see their jobs getting more and more difficult as they must do more with less, all while wondering if they'll keep their jobs at all.

That's why you need a plan for your tech career. The worst thing you can do is give up or panic. Although tech jobs are under increasing pressure, the reality is that the technology jobs market overall is still doing better than the market for other types of jobs. That doesn't mean you're immune from layoffs, stagnant salaries, or increasing workloads, but it does mean you have more options than many other workers -- if you're willing to be flexible.

14% of SSL certificates on the Internet potentially unsafe

Param — Sun, 04 Jan 2009 16:28:54 -0800

Netcraft provided more details on a critical digital certificate vulnerability revealed last week. Although Microsoft downplayed the problem by stating that the successful exploit was not published, Netcraft found that 14% of SSL certificates use the vulnerable MD5 hashing algorithm. That number may provide a large enough target for attackers to invest time into cracking MD5, while certificate authorities will have a choice of using MD5 and hope that it will not be cracked or transitioning to a stronger encryption technology such as SHA-1.

A digital certificate is what we typically rely on as evidence for a secure encryption to another website. Especially when we want connection to be protected, for example during money transactions and online banking, these certificates provide proof that we are in fact dealing with an intended website and not, for example, a phishing attack. However, that may no longer be the case as researchers demonstrated last week that it is possible to create to create a rogue certification authority (CA) that is “trusted by all major web browsers and a cluster of more than 200 commercially available game consoles” by using an advanced implementation of a strategy called collision attack.

Microsoft made $1.5B on 'Vista Capable' campaign

Param — Sun, 04 Jan 2009 16:27:51 -0800

Microsoft Corp. earned more than $1.5 billion from the sale of PCs marked as "Vista Capable" in the months leading up to the 2007 debut of Windows Vista, according to an expert's estimate.

University of Washington economist Dr. Keith Leffler pegged Microsoft's income from sales of Windows XP licenses on Vista Capable-labeled computers at $1.505 billion. Leffler has testified for the plaintiffs in the ongoing class-action lawsuit that accuses Microsoft of deceiving consumers during its Vista Capable marketing program. The company created the program to maintain PC sales momentum as the launch of Vista neared.

Secrets of Top Pentesters

Param — Sat, 03 Jan 2009 06:22:47 -0800

Secrets of Top Pentesters

View SlideShare document or Upload your own.

Zero Wine - Malware Behavior Analysis Tool

Param — Sat, 03 Jan 2009 05:49:23 -0800

Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.

The output generated by wine (using the debug environment variable WINEDEBUG) are the API calls used by the malware (and the values used by it, of course). With this information, analyzing malware's behavior turns out to be very easy.

Zero wine is distributed as one QEMU virtual machine image with a Debian operating system installed. The image contains software to upload and analyze malware and to generate reports based on the information gathered (this software is stored in /home/malware/zerowine).

Running the distributed virtual machine with the correct command line options (use the supplied startup shell script to run the virtual machine) provides a web based (web server is written in python) graphical interface to upload malware to be analyzed (a CGI written, also, in python).

When a new malware is uploaded, it is copied to the directory /tmp/vir/MD5_OF_THE_FILE, then, the previous created WINE environment (WINEPREFIX if you prefer) is removed and a backup system is untared (the backup system is /home/malware/backup/backup.tar.gz). After this operation, the malware is executed using the shell script malware_launcher.sh (the file is stored in the folder /home/malware/bin).

Startup Founders Turn Android into Desktop OS

Param — Fri, 02 Jan 2009 19:15:21 -0800

Google has been slowly, but surely, displacing Microsoft as the number one PC technology company. Google has done it by misdirection. Instead of taking Microsoft head-on in desktops, Google first consolidated their hold on Web search and only then started moving into Web-based desktop applications. Then, in 2008, they made their first direct strike at the desktop with the release of their own Web browser: Google Chrome. Now, Matthaus Krzykowski and Daniel Hartmann, founders of the stealth startup Mobile-facts, have found that you can take Google's smartphone operating system, Android, and use it as a desktop operating system.

In fact, the dauntless duo found that it took them only "about four hours of work to compile Android for the netbook. Having done so, we (Daniel Hartmann, that is) got the netbook fully up and running on it, with nearly all of the necessary hardware you'd want (including graphics, sound and the wireless card for internet) running." In short, they found that Android was already a desktop operating system.

Where IT jobs are headed ?

Param — Fri, 02 Jan 2009 19:13:26 -0800

New surveys show job cuts are on the way for 2009, especially in entry-level to mid-level IT jobs. Higher-level jobs are under strong pressure to do more with less. And there are all those offshore firms who want these jobs.

Curse of Silence - Nokia SMS exploit uncovered

Param — Fri, 02 Jan 2009 05:57:15 -0800

Mobile phone security vendors were rejoicing last night when it emerged that an obscure bug in an old version of the Symbian OS could allow an attacker to crash a target's mobile phone with a specially-formatted text message.

The attack has been rather dramatically branded the "Curse of Silence", and is a genuine bug that prevents incoming SMS messages being received once a specially-formatted text has been sent to the target as, demonstrated by Tobias Engel. Phones running Nokia's S60 interface, versions 2.6 to 3.1, can be attacked in this way, and some models need a hard reset to recover.

The bug comes courtesy of the way that SMS was designed to integrate with internet email services: no one really understood what the relationship between email and SMS would eventually be, and in the early days there were many email-to-SMS gateway services. Short messaging was seen as the ideal way of delivering email alerts, but the combination of price and increasing spam levels paid to most of them, especially as spam filtering was unknown at the time.