Warning 1:  Many of the links were broken when the FASB changed all of its links.  If a link to a FASB site does not work, go to the new FASB link and search for the document.  The FASB home page is at http://www.fasb.org/

 

Warning 2:  In February 2008 the FASB for the first time allowed users free access to its "FASB Accounting Standards Codification" database. Access will be free for at least one year, although registration is required for free access. Much, but not all, information in separate booklets and PDF files may now be accessed much more efficiently as hypertext in one database. The document below has not been updated for the Codification Database. Although the database is off to a great start, there is much information in this document and in the FASB standards that cannot be found in the Codification Database. You can read the following at http://asc.fasb.org/asccontent&trid=2273304&nav_type=left_nav

Welcome to the Financial Accounting Standards Board (FASB) Accounting Standards Codification™ (Codification).

The Codification is the result of a major four-year project involving over 200 people from multiple entities. The Codification structure is significantly different from the structure of existing accounting standards. The Notice to Constituents provides information you should read to obtain a good understanding of the Codification history, content, structure, and future consequences.

 

 

 Bob Jensen's Introduction to e-Business and e-Commerce
http://www.trinity.edu/rjensen/ecommerce/000start.htm

Bob Jensen at Trinity University

Top 25 Google e-searches of the month
          Most Popular Web Sites 2006 - 2007 --- http://www.webtrafficstation.com/directory/
          WebbieWorld Picks --- http://www.webbieworld.com/default.asp

How E-commerce Works --- http://money.howstuffworks.com/ecommerce.htm 

Revenue Recognition Accounting Fraud (much of this fraud is in ecommerce) --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm

Electronic Commerce:  The Fastest Growing Phenomenon in World Commerce

Electronic Commerce:  Special Problems Arising for Accountants and Auditors  

Electronic Commerce:  Webledgers  

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

Electronic Commerce:  Training and Education Issues 

Electronic Commerce:  Assurance Services Opportunities and Risks 

Illustration of Topics in a Continuous Assurance Symposium 

Investor Relations and Internet Reporting  

XBRL Will Change the World of Financial Reporting and Analysis --- 
http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended
 

Education and Online Training Issues  

A Special Section on Computer and Networking Security (including spam fighters)  

Introduction (with a personal account of my own problems)

How to make stolen laptop data useless to thieves

Is your data safe? Survey reveals scandal of snooping IT staff

Viruses and Worms

Spyware  (and SiteAdvisor)

Cell Phone Records are for Sale 

Identity Theft:  Phishing, Pharming, Vishing, Slurping, and Spoofing

Pretexting

Cookies 

Spam Blocking 

Searching Dangers:  Beware of Search Engines

Hacking Into Systems

Security on Public Wireless Networks

Denial of Service Attacks 

Spy Tools:  How safe are unlisted phone numbers?

Forget Big Brother, Now You Are Being Watched by Almost Anybody

Weapons of Information Warfare  

Threads on Firewalls --- Go to  http://www.trinity.edu/rjensen/firewall.htm 

Identity Theft http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

Encryption

New Tech Tools to Combat Fraud

The Downside: Psychology of Electronic Commerce and Technology 

Intangibles Accounting Issues --- http://www.trinity.edu/rjensen//theory/00overview/theory01.htm#TheoryDisputes 

Managerial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm 

How Can Technology be Used to reduce Fraud? --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm#Issue7 

ROI Issues --- http://www.trinity.edu/rjensen/roi.htm 

Implications for Auditing and Assurance Services --- 
http://www.trinity.edu/rjensen/ecommerce/assurance.htm
 

Opportunities of E-Business Assurance & Security:  Risks in Assuring Risk --- http://www.trinity.edu/rjensen/ecommerce/assurance.htm 

Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

The Controversial Electronic Commerce of Education --- http://www.trinity.edu/rjensen/000aaa/0000start.htm

Investor Relations and Internet Reporting   

Education and Training   

Evaluation of Websites 

Search for Internet, e-Commerce, or e-Business Phrases

Top Year 2002 Accounting Technologies 

Bob Jensen's Threads on Electronic Commerce --- 
http://www.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's Threads on Electronic Commerce in College Curricula --- 
http://www.trinity.edu/rjensen/ecommerce/curricula.htm
 

Accounting Threads

Bob Jensen's Threads on Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

Bob Jensen's Technology Glossary

Bob Jensen's threads on computer security are under "Security" (in the S-Terms) at http://www.trinity.edu/rjensen/245gloss.htm
Also look under the C-Terms for "Cookies."


I created a timeline of major happenings (on a timeline) leading up to the eXtensible Business Reporting Language (XBRL) and On-Line Analytical Processing (OLAP) systems.  Overviews of XML, VoiceXML, XLink, XHTML, XBRL, XForm, XSLT, RDF and the Semantic Web are also provided --- http://www.trinity.edu/rjensen/xmlrdf.htm

This is what Professor Jim Mahar says about ERisk in the March 24, 2003 edition of TheFinanceProfessor (an absolutely fabulous newsletter) --- www.FinanceProfessor.com 

Erisk.com. I simply love the site. I know it has been site of the week before, but it is so good, it earned it again. Try it, you’ll love the case studies and the newsletter! http://www.erisk.com

ERisk --- http://www.erisk.com/ 

ERisk is the leading provider of strategic solutions for risk and capital management. We deliver a unique combination of world-class analytics for risk-based capital, strategic risk management expertise, risk transfer advice and risk information.

You can find out more about our products and services in the Overview section. On this page, you can find out more about the people and ideas that power our company.

The ERisk Report --- http://www.erisk.com/about/about_company.asp?ct=n#report 

The ERisk Report is a concise monthly briefing for senior financial executives. Every month, contributors from ERisk's team of risk management experts address today's most pressing issues in strategic risk and capital management. Sign up today for your personal copy of this cutting-edge publication!

Vol 1.6: Measuring the return on risk management; leveraging the economic benefits of risk management

Vol 1.5: Putting the real value on customer relationships; rolling out risk management

Vol 1.4: Making risk more transparent; fed takes pulse of economic capital practices

Vol 1.3: Credit scoring: robots versus humans; James Lam's three lessons from Enron

Vol 1.2: Weathering credit losses; regulators line up behind economic capital

Vol 1.1: Revamping your credit ratings system; measuring bank profitability

The ERisk Portal --- http://www.erisk.com/portal/home.asp 
Resources for Enterprise Risk Management

ERisk today continues to successfully develop and install its analytics at client sites, conduct high-value consulting engagements, offer unbiased advice on risk transfer alternatives, and attract thousands of readers to the ERisk portal.

"New e-Accounting Advisor Network Debuts," SmartPros, September 29, 2003 --- http://www.smartpros.com/x40720.xml 

Insynq Inc., a provider of Internet-delivered online accounting solutions and services, has launched an online advisor network to assist the accounting professional by supporting back-office processing requirements on a highly cost-efficient basis.

The e-Accounting Advisor Provider Network (http://eaccounting.cpa-asp.com) has created a new cost-effective resource for practices of all sizes to use to expand their practice, or to provide the opportunity of higher gross margins, Insynq announced. Through the use of business process outsourcers -- such as call centers, payroll and HR processing services -- professional practices are able to improve client services, expand their practices, and improve practice profitability.

"These accountants have gained a comprehensive solution that combines our online accounting technology services with business process outsourcing models," said Insynq president John Gorst. "e-Accounting is one of the few providers in the industry with a service model that encompasses online accounting applications, data management, document management and workflow tools."

Insynq will co-sponsor a series of seminars in the top 25 U.S. markets over the next four months for CPAs, accountants and bookkeepers that explain the online accounting model. These seminars will detail the outsourced accounting opportunity, and demonstrate the benefits of using business process outsourcers in support of practice initiatives.

 

Electronic Commerce

ONLINE SPENDING CLIMBED 25% during the holiday season from a year earlier, a survey found.
Desiree J. Hanford, The Wall Street Journal, January 4, 2005 --- http://online.wsj.com/article/0,,SB110478868075315675,00.html?mod=technology_main_whats_news


Question
What turns Web retailing into eCommerce?

Answer
A special feature about eCommerce is revenue collection over the Internet.  Today that revenue collection typically entails online credit card transacting.  

Bob Jensen's threads on accounting for electronic commerce are at http://www.trinity.edu/rjensen/ecommerce.htm 

"E-tailing Comes of Age," by Nick Wingfield, The Wall Street Journal, December 8, 2003 --- http://online.wsj.com/article/0,,SB10708342997640400,00.html?mod=technology%5Ffeatured%5Fstories%5Fhs 

Dot-com retailers had a message for bricks-and-mortar stores at the start of the 1999 holiday season: We're coming after you.

A year or two later, traditional retailers had their revenge, of course, when stock certificates of such companies as Pets.com Inc., eToys Inc. and Webvan Group Inc. were fit for little more than wrapping paper. With some notable exceptions -- including Amazon.com Inc. and eBay Inc. -- established stores and catalog companies ended up snaring most of the online sales.

But something surprising happened: Some small Web-only retailers refused to die. A handful in unlikely categories such as jewelry, shoes and luggage are profitable and growing far more quickly than their offline counterparts.

These specialty online retailers are prospering at a time when overall online sales are booming. Consumers are expected to spend $12.2 billion online this year in the Thanksgiving-to-Christmas period, up 42% from last year, according to Forrester Research of Cambridge, Mass. The growth reflects a steady shift of retail spending to the online world, as consumers grow more comfortable with the Internet and the spread of high-speed home connections makes browsing and ordering simpler. Online shopping also tends to be more weather-proof; many snowbound Northeasterners ventured out into cyberspace instead of the elements to continue their holiday shopping this past weekend.

Still, a mere 4.5% of total retail spending is expected online this year, compared with 3.6% in 2002. But even the small shift in retail sales represents a combined billions of dollars for Internet retailers.

Traditional retailers are doing their best to keep holiday customers clicking on their sites by offering good deals. Some are discounting heavily; free-shipping offers are commonplace. Gap Inc., for instance, is waiving standard delivery fees on orders of $100 or more until Dec. 15.

Continued in the article


There were 50 global online users of the new World Wide Web in 1990.  The worldwide growth in connected consumers, businesses, and other types of organizations is staggering.  A study conducted by IDC (2001) estimates the following at http://www.filmsoho.com/marketing/marketing_internet.html

 Use of the Internet continues to grow rapidly worldwide. This growth is fuelling e-commerce transactions which are one barometer of the commercial success of the medium. Almost 1 billion people (about 15 percent of the world's population) are forecast by research firm International Data Corp to be using the Internet by 2005. IDC foresee a spending of more than $5 trillion in Internet commerce representing a staggering 70 percent compound annual growth rate from last year's Internet spending of $354 billion in 2000.

The adoption of the Internet as a communications tool is still undergoing explosive growth. In the developed world the proliferation of mobile phones and other Internet access devices will maintain these growth rates even once PC penetration has reached saturation.

Growth statistics are provided at the following sites:

Web Data and Statistics
Builder.com --- http://builder.cnet.com/webbuilding/pages/Servers/Statistics/ 
This site is great for definitions and explanations.

Why Web usage statistics are (worse than) meaningless --- http://www.goldmark.org/netrants/webstats/ 

Internet Sizer http://www.netsizer.com/  
(This site has a link to a neat graph that shows the increase in Web use in a spinning real-time counter.  It resembles the counter on Times Square that used to show the increases in the U.S. National Debt.)

Web Characterization --- http://wcp.oclc.org/ 

Listings from Webreference.com --- http://webreference.com/internet/statistics.html 

Internet Statistics

CyberAtlas (*)
Internet market research and information site. Provides a periodic overview of Internet trends, demographics, marketing, and advertising information.
CyberGeography
Interesting collection of experiments and approaches in visualizing internet statistics and topology.
GVU WWW User Surveys
User surveys dating back to 1994. The surveys feature a wide variety of WWW usage and opinion-oriented questions.
The Internet Index
"An occasional collection of facts and statistics about the Internet and related activities." By Win Treese of Open Market.
ISC: Internet Domain Survey
Estimates the number of hosts and domains by doing a complete search of the Domain Name System. From the Internet Software Consortium.
Media Metrix
Web market research information and analysis service providing demographic data, measuring Internet and digital media audiences and usage since 1996.
MIDS: Matrix Information and Directory Services
MIDS provides statistics about the Internet and estimates of its growth. Information is presented textually, graphically, and in geographic maps.
Netcraft
Conducts the Web Server Survey which tracks the usage of HTTP server software. Also offers a searchable hostname database.
Nielsen Net-Ratings
Online usage and popularity statistics.
Nua's Internet Surveys
An organized collection of Internet statistical surveys. Has digests of the important research reports and demographic surveys from the major research companies. Includes summary graphs and data of Internet statistics and trends. Offers a monthly newsletter.
StatMarket
In-depth statistics on a wide variety of Internet topics, and a sharp interface. StatMarket provides free global Internet usage statistics gathered from tens of thousands of web sites and millions of daily visitors.
TheCounter.com
Detailed browser statistics, including information on monitor resolution, color depth and java/javascript usage.
Yahoo: Statistics and Demographics
Yahoo's collection of related sites.

Most popular Websites in the world --- http://www.webbieworld.com/ww/ 

 

Bob Jensen's Off-the-Wall Definitions
Electronic Business (B2B) and Commerce (B2C)
Any computer-networked communications or transactions  that were formerly more apt to be transmitted by physical transfers such as in-store purchases and mail ordering and payment.  Electronic business makes it possible to eliminate paper documentation such as purchase orders, invoices, monthly account statements, and payment checks or credit card receipts.  Electronic communications and transactions with retail customers are generally referred to as e-Commerce.  Business-to-business (B2B) communications and transactions between business firms are generally called e-Business.

Includes electronic business, but electronicization encompasses other things as well such as Enterprise Resource Modeling (ERP), customer relations management (CRM), artificial intelligence/smart agents, and computerization/networking of virtually all elements of the supply chain.

 

M. Greenstein and M. Vasarhelyi Definition
Electronic Commerce:  Security, Risk Management and Control (McGraw-Hill, 2002, p. 3)
The use of electronic transmission mediums (telecommunications) to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location.

 

Electronic Commerce - A Leading Definition --- http://www-cec.buseco.monash.edu.au/links/ec_def.html 

A broad definition of 'electronic commerce' is provided by Electronic Commerce Australia (ECA, formerly EDICA) in its 1994 Annual Report as:

The process of electronically conducting all forms of business between entities in order to achieve the organisation's objectives.

The term 'electronic commerce' embraces electronic trading, electronic messaging, EDI, EFT, electronic mail (e-mail), facsimile, computer-to-fax (C-fax), electronic catalogues and bulletin board services (BBS), shared databases and directories, continuous acquisition and lifecycle support (CALS), electronic news and information services, electronic payroll, electronic forms (E-forms), online access to services such as the Internet (discussed later), and any other form of electronic data transmission.

For example, medical and clinical data, data related to taxation, insurance, vehicle registration, case information involving legal proceedings, immigration and customs data, data transmitted for remote interactive teaching, video-conferencing, home shopping and banking, EDI purchase orders and remittance advices - are all applications of electronic commerce.

The term 'electronic commerce' is sometimes incorrectly used as an alternative to EDI. EDI, a subset of electronic commerce, refers specifically to the inter-company or intra-company transmission of business data in a standard, highly structured format. Electronic commerce, however, includes structured business data and unstructured messages or data, such as electronic memos sent via e-mail.

Another term, 'electronic trading', is commonly used to refer to electronic transactions which occur in the procurement of goods and services. Electronic trading uses structured and/or free-form messages. Electronic trading can also be considered a sub-set of electronic commerce.


Small Business Administration: Free Online Courses (video) ---  http://www.sba.gov/services/training/onlinecourses/index.html


"Amazon Finally Clicks:  Ten years old and profitable at last, it offers a textbook lesson on how to be both focused and flexible," by Russ Banham, CFO Magazine, Spring 2004 Special Issue, pp. 20-22 --- http://www.cfo.com/article/1,5309,12598||M|846,00.html 

The foosball tables are still there, as are the desks made from sawhorses, plywood, and old doors. And no one wears a tie, not even CFO Thomas J. Szkutak. But if some E-commerce trappings are alive and well at Amazon.com headquarters, others are not. Red ink, for example, has disappeared—at least for now. The company posted its first indisputably (that is, GAAP-based) profitable year in 2003, propelled by strong holiday sales and a weakened dollar, which boosted overseas results.

That has prompted plenty of backslapping in the halls of Amazon's headquarters, a former hospital with an improbable Art Deco design and a postcard view of downtown Seattle and Puget Sound. As it prepares to celebrate its 10th anniversary, Amazon.com is a very different company from the so-called E-tailer that, at the time of its initial public offering in 1997, had to caution would-be investors not to confuse it with Amazon Natural Treasures, a retailer and E-tailer of rain-forest products.

Few would make that mistake today. While still sometimes referred to as an online bookstore, Amazon now boasts a product line that staggers the imagination, from apparel, sporting goods, and jewelry to new services including a feature that lets customers make "1-Click" Presidential campaign contributions.

Behind Amazon's breadth of products and services are myriad business arrangements: some products the company owns, inventories, sells, and ships; others it sells on behalf of third-party retailers. Some of these third-party products Amazon ships and fulfills; others are shipped and fulfilled by the third parties themselves. Among those third parties are thousands of mom-and-pop E-tailers that collectively make Amazon's Marketplace division a perpetual online garage sale surpassed only by E-bay.

With 39 million active customer accounts (based on the number of E-mail addresses from which orders originated in 2003), Amazon seems to be making good on its promise to offer the "Earth's biggest selection of products," or as Szkutak puts it, "to build a place where people can find, discover, and buy anything they want online." To do that, he says, the company has learned—sometimes the hard way—to "start with the customer and work backward."

Working backward has changed Amazon from an online retailer to an E-commerce platform. Today, it is not a store so much as a channel, a place where brand-name third-party retailers, smaller businesses, and just plain folks can hawk their goods to a worldwide clientele. This past holiday season, shoppers traipsed through Amazon to buy products from Gap, Toys "R" Us, True Value Hardware, and Kitchen Etc.—and maybe some kid in Idaho who was trying to unload his slightly dog-eared Harry Potter library. Assembling such a vast collection of partners and building the systems that allow customers to buy from an individual as easily as they buy from a retail giant has not been easy, and analysts praise Amazon's achievements. "Amazon has knocked 10 steps down to 1," says Adam Sarner, a research analyst at Stamford, Connecticut-based technology research firm Gartner Inc. "This is what they mean by 'customer convenience.'"

Jonathan Gaw, a research manager at technology research firm IDC, says, "No one else has this kind of expertise, because no one else has invested the capital to build this kind of infrastructure."

Amazon.com was once viewed as a leading member of the E-commerce vanguard, but most of the followers have fallen by the wayside. True, the survivors—E-bay, MSN, AOL, Yahoo, and Google—have become household names, but success remains precarious and depends on, among other things, the ability to be nimble. Amazon built its brand initially on low-priced books and waited for customers to come bargain-hunting. Today it pulls out all the stops to get people to visit, from "never-before-seen" Bruce Springsteen concert footage to a "secret message" from Madonna. If that sounds like the sort of pop-culture gimmickry one might expect from, say, AOL, there's good reason: the E-commerce giants are out to eat one another's lunch. When Google, for example, announced Froogle, a new service that allows users to search for a product name and be directed only to sites that sell that product, Amazon launched a new subsidiary, A9, devoted to Web searching, and even located its offices close to Google in Silicon Valley. Similarly, the boundaries between the business models of E-bay, Yahoo, and even Microsoft can be hard to discern, as all of these companies seek to protect themselves and to copy whatever seems to work.

Continued in the article


Yahoo's Links to Electronic Commerce Sites

Yahoo Computer and Internet  Guides --- http://dir.yahoo.com/Computers_and_Internet/Internet/ 

Yahoo B2B (Business-to-Business Electronic Commerce) --- http://dir.yahoo.com/Business_and_Economy/Business_to_Business/ 

The U.S. Government Knows How to Sell Online (e-Commerce)
From InformationWeek Online May 30, 2001

Uncle Sam Rings Up $3.6B In Online Sales

Look out, Jeff Bezos. Amazon.com Inc.'s $2.8 billion in annual revenue has been eclipsed by another E-commerce contender--a purveyor of flame throwers, burros, and Lamborghini Diablos that generated $3.6 billion in sales last year. The mastermind behind this E-retailing juggernaut? Uncle Sam.

That revelation comes from a recent study by the Pew Internet & American Life Project and Federal Computer Week magazine, which tracked the government's E-commerce activity. Of course, straight revenue comparisons may not be fair. After all, it's not exactly a level playing field for Amazon since the government's $3.6 billion came from 164 sites. That was a bit of a shock for Allan Holmes, editor-in-chief of Federal Computer Week. "When we first started, I had no idea how many sites we would find. I thought maybe a few dozen." Plus, that revenue figure would be significantly lower without the Treasury Department, which generated $3.3 billion from the sale of bonds and notes.

But the remaining $300 million in sales is still a significant achievement, considering the government hasn't done much to promote its efforts. Looking to bid on luxury items such as helicopters or sports cars? Try Bid4Assets, which sells property seized by the U.S. Marshals Service in criminal raids. "The federal government has always had surplus property and auctioned off property seized in drug busts. Now they're able to do it more efficiently and reach more people," Holmes says.


 

Yahoo B2C (Business-to-Consumer Electronic Commerce) --- http://dir.yahoo.com/Business_and_Economy/Shopping_and_Services/ 

 

 

While so many others are still struggling to make the Web pay, Walt Disney's Internet ventures are thriving --- http://www.wired.com/news/business/0,1367,56314,00.html 

LOS ANGELES, November 11, 2002 -- Last year, the Walt Disney Co. surrendered in the Internet portal wars after spending hundreds of millions of dollars to compete against Yahoo!, America Online and others.

But it didn't give up entirely. In a strategic retreat, the company refocused on Web projects that highlighted its core brands, such as ABC News and ESPN, which is the exclusive provider of sports on the MSN service.

That strategy has started to pay off. Last week, Disney announced a modest milestone -- its Internet properties are profitable.

The company doesn't report the results of its Internet properties as a group, so Disney did not provide any profit figure when it reported fourth-quarter earnings. But the company said profits from individual sites, led by ESPN and Disney's online store; from licensing content to other Internet sites; and from advertising and subscriptions pushed online operations into the black.

Disney's Internet ventures contribute only about several hundred million dollars to the company's $25 billion in annual revenue. Nonetheless, Disney can say it is profiting online while so many others are still struggling to make the Internet pay.

"I feel good that we've been able to sort of figure it out," said Steve Wadsworth, president of the Walt Disney Internet Group.

What Disney learned and other companies are discovering is that it's best to abandon a one-size-fits-all approach to the Web.

"There is not one single formula that is going to work," said Charlene Li, principal analyst for Forrester Research, a technology consulting firm based in Cambridge, Mass. "What works for Disney.com and its characters isn't the same thing that will work for ESPN. Even The New York Times and The Boston Globe are completely different. They're owned by the same company, but they use completely different approaches."

Disney's announcement of its modest profit is a victory of sorts for chairman and CEO Michael Eisner. During the heyday of e-commerce, he resisted pressure to merge with Yahoo or Microsoft, even after AOL merged with Time Warner.

Today, AOL is struggling, weighed down by declining advertising revenue and a government investigation into its accounting practices. Chairman Steve Case reportedly has considered separating the companies.

Continued at http://www.wired.com/news/business/0,1367,56314,00.html 


Webledger alternatives are becoming a much bigger deal in accounting information systems.  I suspect that many accounting educators are not really keeping up to date with the phenomenal growth in vendor services.

I am a strong advocate of Webledger accounting and information systems.  
In my viewpoint they are the wave of the future for small and even medium-sized business and other organizations.  The main obstacle is overcoming the natural tendency to fret over having data stored with a Webledger vendor.  But the advantages of cost savings (e.g., savings not having to employ technical database and IT specialists, savings in hardware costs, and savings in software costs), advantages of worldwide access over the Internet, and advantages of security (due to the millions invested by vendors to ensure security) far outweigh the disadvantages until organization size becomes so overwhelming that Webledgers are no longer feasible for accounting ledgers, inventory controls, payroll processing, billings, etc.

Webledger software and databases offer accounting, bookkeeping, inventory control, billings, payrolls, and information systems that can be accessed interactively around the globe.  Companies and other organizations do not maintain the accounting systems on their own computers.  Instead, the data are stored and processed on vendor systems such as the Oracle database systems used by NetLedger.

NetLedger is part of the NetSuite described at http://www.netledger.com/portal/home.shtml

Click on the "See One System in Action" Link

NetSuite's all-in-one business management application allows each user to work off the same, real-time information, but with a user interface and functionality appropriate to them. Watch the role-based demo

As a project in Fall of 2000, a team of my students set up an accounting system on Netledger.  This team's project report is available at http://www.trinity.edu/rjensen/acct5342/projects/Netledger.pdf

Bob Jensen’s threads on Webledgers can be found at http://www.trinity.edu/rjensen/webledger.htm 


A Guide to E-Commerce at http://e-comm.internet.com/

An Electronic Encyclopedia  at http://e-comm.internet.com/library/glossary.html
A longer listing of this and similar glossaries can be found at http://www.trinity.edu/rjensen/245gloss.htm

U.S. Policy on E-Commerce at http://www.ecommerce.gov/

Electronic Books Directory (U. Mn.)

Electronic Commerce World: On-line journal for electronic commerce - Articles, Resource Directory, Discussions

Electronic Commerce:  Special Problems Arising for Accountants and Auditors  

Question
Were accountants responsible for the dotcom bubble and burst at the turn of the Century?

Jensen Answer
The article below fails to directly mention where auditors contributed the most to the 1990's bubble. The auditors were allowing clients to get away with murder in terms of recognizing revenue that should never have been recognized. The dotcom companies were not yet making profits but were full of promise as the bubble filled with hot air. In financial reporting (especially in pro forma reporting) dotcom companies shifted the attention from profit growth to revenue growth. But much of the revenue growth they got away with reporting was due to bad judgment on the part of their auditors. Corrections finally began to appear after the EITF belatedly made some bright line decisions --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm

I give auditors F grades when auditing the hot air balloons of dotcom companies. This shows what can happen when we let judgment overtake some of the bright line rules in accounting standards. Auditors were supposed to have "principles" when they had no bright lines to follow. The auditing firms demonstrated their lack of professional principles in the 1990s.
 

"Were accountants responsible for the dotcom bubble and burst?" AccountingWeb's U.K. Site, March 11, 2008 ---
http://www.accountingweb.com/cgi-bin/item.cgi?id=104768

"Were accountants responsible for the dotcom bubble and burst?" This worrying allegation emerged from a question two weeks ago at the ICAEW IT Faculty annual lecture.

During a thought-provoking talk on Second Life and related issues, Clive Holtham mentioned the dotcom bubble, which prompted the pointed follow-up question from one audience member.

The answer was that they weren't - which accorded with the general audience reaction. The reason? Accountants, Holtham argued, had not made the investment and business decisions that fuelled the boom and led to the bust.

Some would argue that this is exactly why accountancy, perhaps more than accountants, was responsible. Why weren't accountants more involved in these decisions? We would surely expect accountants to have been stressing the need to temper the wild enthusiasm with a bit of solid business analysis. It's hard to escape the conclusion that accountants either didn't put forward the right arguments, or were not sufficiently influential. Accountants either lacked the confidence to participate forcefully enough in the debate, or were viewed as not knowing enough about IT.

Either way, it suggests that the main accountancy bodies had allowed a major change in business to occur without preparing their members to deal competently and confidently with it. If technology had been seen as a natural competency of an accountant, accountants might have been more able to fight their corner over the excesses of the dotcom era.

Anyway, that was years ago. Surely things have changed. The recent AccountingWEB/National B2B Centre survey on accountants' involvement in ebusiness was introduced in the following terms: "In spirit accountants would like to get involved with ebusiness, but the reality of their current knowledge and workload means that only a small minority are able to help clients take advantage of new technology opportunities."

It's unfair to blame the accountants themselves. Their workload is a significant factor. Government has been piling regulation after regulation upon them and it must be a struggle to keep up with just what they consider their core skills and knowledge. Ethically, you would not expect accountants to offer advice in areas in which they do not consider themselves adequately qualified. Technology is such a vast and rapidly moving area that it's pretty hard for most full time IT professionals to keep up, let alone accountants with their myriad other responsibilities. Yet the need, and opportunity, certainly seems to be there. Various government initiatives in the past have sought to identify sources of competent advice to help companies succeed in ebusiness.

Usually, articles about accountants doing more in the field of IT elicit comments about "leaving it to the IT professionals". The worry is that accountants may not know enough to be able to do so confidently and therefore they withdraw from any involvement - this is what the AccountingWeb/NB2BC survey seems to suggest is happening. This is in nobody's interest. Businesses may fail to exploit key opportunities, accountants will lose out on income and probably credibility, and IT specialists will have fewer clients. A more ebusiness-confident accountancy profession should be able not only to offer advice itself, but also to recommend, trust and work with specialists where required.

To achieve this it's vital that the professional bodies help their members more than they are doing currently. What seems to be missing is a set of boundaries. What exactly do accountants need to know about IT and ebusiness in order to be able to confidently and competently advise their clients? How can you, as an accountant, assess your competence in this vital area?

It's not as if this is anything new. The International Federation of Accountants (IFAC) has been working on a revised Education Practice Statement regarding 'Information Technology for Professional Accountants' for years and in October 2007 released International Education Practice Statement 2 (IEPS 2) after consultation with accountancy bodies worldwide. This sets out "IT knowledge and competency requirements" for the qualification process, but also for continuing professional development.

So should accountants be more active in advising on ebusiness? Should they do it themselves or work with specialists? And are the professional bodies doing enough to help their members in this, and other IT related, areas? We look forward to hearing the views of AccountingWEB members so that we can carry this debate forward.

March 12, 2008 reply from Bob Jensen

With all due respects to Ed and Jagdish, I still think that inflated revenue reporting and other creative accounting ploys led to a bubble of artificially inflated stock prices of dotcom companies. It was more than the "premature revenue recognition" that Ed mentions. It was reporting of questionable revenues that would never be realized in cash. For example dotcomA contracts with dotcomB, dotcomC, ..., dotcomZ to trade advertising space on Websites and vice versa for all combinations of contracting dotcom companies. Each company counts the trade at estimated value as revenue and expense even though there will never be any cash flows for these advertising trades.

The dotcom companies did not inflate profits with this move but they dramatically inflated revenues which was all they cared about since the investing public never expected them to show a profit early on. You can read about how bad this bartering scam became --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm#Issue02
And auditors let the dotcom companies get away with this scam until EITF 99-17 made auditors finally recognize the errors of their ways.

Other revenue inflation scams and questions raised in the following issues resolved by various EITF pronouncements --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm

Revenue Issue: Gross versus Net

Issue 01: Should a company that acts as a distributor or reseller of products or services record revenues as gross or net?
Examples of Creatively Reporting at Gross:

Priceline.com brokered airline tickets online and included the full price of the ticket as Priceline.com revenues. This greatly inflated revenues relative to traditional ticket brokers and travel agents who only included commissions as revenue.

eBay.com included the entire price of auctioned items into its revenue even though it had no ownership or credit risk for items auctioned online.

Land's End issued discount coupons (e.g., 20% off the price), recorded sales at the full price, and then charged the price discount to marketing expense.

Issue 02: Should a company that swaps website advertising with another company record advertising revenue and expense?

Issue 03: Should discounts or rebates offered to purchasers of personal computers in combination with Internet service contracts be treated as a reduction of revenues or as a marketing expense?

Issue 04: Should shipping and handling fees collected from customers be included in revenues or netted against shipping expense?

Discounts and rebates are traditionally deducted from gross revenues to arrive at a net revenue figure that is the basis of revenue reporting. Internet companies, however, did not always follow this treatment. Discounts and rebates have been reflected as operating expenses rather than as reductions of revenue.

Handling fees and pricing rebates throughout accounting history could not be included in revenues since the writing of the first accounting textbook. Auditors knew this very well from the history of accounting, but it took EITF 00-14 in Year 2000 to remind auditors that this bit of history applied to dotcom companies as well as mainstream clients.

Definition of Software

Issue 07: Should the accounting for products distributed via the Internet, such as music, follow pronouncements regarding software development or those of the music industry?

Issue 08: Should the costs of website development be expensed similar to software developed for internal use in accordance with SOP 98-1?

Revenue Recognition

Issue 9: How should an Internet auction site account for up-front and back-end fees?

Issue 10: How should arrangements that include the right to use software stored on another company’s hardware be accounted for?

Issue 11: How should revenues associated with providing access to, or maintenance of, a website, or publishing information on a website, be accounted for?

Issue 12: How should advertising revenue contingent upon “hits,” “viewings,” or “click-throughs” be accounted for?

Issue 13: How should “point” and other loyalty programs be accounted for?

Prepaid/Intangible Assets vs. Period Costs

Issue 14: How should a company assess the impairment of capitalized Internet distribution costs?

Issue 15: How should up-front payments made in exchange for certain advertising services provided over a period of time be accounted for?

Issue 16: How should investments in building up a customer or membership base be accounted for?

Miscellaneous Issues

Issue 17: Does the accounting by holders for financial instruments with exercisability terms that are variable-based future events, such as an IPO, fall under the provisions of SFAS 133?

Issue 18: Should Internet operations be treated as a separate operating segment in accordance with SFAS 131?

Issue 19: Should there be more comparability between Internet companies in the classification of expenses by category?

Issue 20: How should companies account for on-line coupons?

In nearly every instance dotcom companies were inflating the promise of their new companies with creative accounting blessed by their auditors until the EITF and other FASB pronouncements set some bright lines that auditors had to stand behind. The investing public was nearly always misled by both the audited financial statements and the pro forma statements of dotcom companies in the 1990s. Then the bubble burst, in part, by bright line setting by the EITF and the FASB.

Bob Jensen

 

Especially note the revenue recognition issues at http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

 


You must be very careful when viewing a corporate Website: a site that you think is authentic may be a total fraud.  One such site is http://www.dowethics.com/  which spoofs the genuine http://www.dow.com 

The site at dowethics.com is a very clever spoof site that mirrors the real corporate site but fills it with stories against the company.  It is interesting because it appears to be very authentic and illustrates how companies really do need authentication seals such as Verisign, the Better Business Bureau BBB seal, or the WebTrust Seal --- http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialProblems 

 

Immense problems arise in accounting, auditing, and taxation as the world moves ever forward into electronic commerce.

 

  • Stewardship, control, and security problems such as the explosion of computer and Internet fraud
  • Auditing and information systems problems such as the loss of audit trails over global networks of transactions
  • Revenue accounting problems such as gross vs. net, bartering, and recognition timing.
  • Cost accounting problems such as accounting for the costs of intangibles
  • Managerial accounting problems apart from cost accounting, including evaluation of return on investment (ROI) that includes startup net losses in the numerator and excludes intangibles in the denominator.
  • Taxation problems such as the purchase and sale of merchandise and service outside accustomed taxation jurisdictions

 

 

Advantages and disadvantages of electronic commerce

Advantages
  • Convenience
  • Speed
  • Information Access Volume
  • Expense Savings (e.g., Marketing)
  • Reduced Transactions Cost
  • Improved Training & Education (Army University and IRS University)
  • Revenue Enhancing
  • Reduced Barriers to Entry
  • Innovative Products & Services
  • Increased Price Competition
  • Increased Vendor Selection
  • Increased Access to Customers
  • Customer Behavior/Interest Databases (Like it or not, have a cookie!)
  • Increased Ability to Place Custom Orders
  • Improved Warranty & Customer Service
  • Customized & Personalized Feedback
  • Common Interest Virtual Communities
  • Globalization of Business and Labor

Disadvantages
  • Ever-Changing Technologies
  • Geek Dependent Systems
  • Going Concern Risks
  • Risk of Service Disruptions
  • Customers Need Computers
  • Customers Need Access
  • Shortage of Bandwidth
  • Frauds & Error Risk
  • Highly Creative Deceptions
  • Security Nightmares
  • Privacy Risks (Data sale, theft, sniffers)
  • Hacker Targets
  • Dehumanization of Life
  • Rise in Gambling & Porn
  • Cut-Throat Competition (e.g., Encyclopedia Britannica)
  • Information Warfare
  • System-Wide Vulnerability
 

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

Common Electronic Risks
  • Disruption of service
      • Hardware/software failure
      • Virus
      • Worm
      • Trojan Horse
      • Hoax
      • Logic Bomb
  • Unauthorized access
      • Trap Door
  • Data theft
  • Loss of data/information
  • Privacy issues

Pro-Forma Earnings (Electronic Commerce, e-Commerce, eCommerce)

From the Wall Street Journal's Accounting Educators' Reviews, October 4, 2001
Educators interested in receiving these excellent reviews (on a variety of topics in addition to accounting) must first subscribe to the electronic version of the WSJ and then go to http://209.25.240.94/educators_reviews/index.cfm 

Sample from the October 4 Edition:

TITLE: Sales Slump Could Derail Amazon's Profit Pledge 
REPORTER: Nick Wingfield 
DATE: Oct 01, 2001 
PAGE: B1 
LINK: http://interactive.wsj.com/archive/retrieve.cgi?id=SB1001881764244171560.djm  
TOPICS: Accounting, Creative Accounting, Earnings Management, Financial Analysis, Net Income, Net Profit

SUMMARY: Earlier this year Amazon promised analysts that it will report its first-ever pro forma operating profit. However, Amazon is not commenting on whether it still expects to report a fourth-quarter profit this year. Questions focus on profit measures and accounting decisions that may enable Amazon to show a profit.

QUESTIONS: 

1.) What expenses are excluded from pro forma operating profits? Why are these expenses excluded? Are these expenses excluded from financial statements prepared in accordance with Generally Accepted Accounting Principles?

2.) List three likely consequences of Amazon not reporting a pro forma operating profit in the fourth quarter. Do you think that Amazon feels pressure to report a pro forma operating profit? Why do analysts believe that reporting a fourth quarter profit is important for Amazon?

3.) List three accounting choices that Amazon could make to increase the likelihood of reporting a pro forma operating profit. Discuss the advantages and disadvantages of making accounting choices that will allow Amazon to report a pro forma operating profit.

SMALL GROUP ASSIGNMENT: Assume that you are the accounting department for Amazon and preliminary analysis suggests that Amazon will not report a pro forma operating profit for the fourth quarter. The CEO has asked you to make sure that the company meets its financial reporting objectives. Discuss the advantages and disadvantages of making adjustments to the financial statements. What adjustments, if any, would you make? Why?

Reviewed By: Judy Beckman, University of Rhode Island
Reviewed By: Benson Wier, Virginia Commonwealth University
Reviewed By: Kimberly Dunn, Florida Atlantic University

Bob Jensen's threads on pro forma accounting issues can be found at 
http://www.trinity.edu/rjensen/theory.htm
 

 

 

Links to Some of Bob Jensen's Documents on Electronic Commerce
Introduction

Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

Intangibles Accounting Issues --- http://www.trinity.edu/rjensen//theory/00overview/theory01.htm#TheoryDisputes 

Managerial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm 

How Can Technology be Used to reduce Fraud? --- http://www.trinity.edu/rjensen/ecommerce/managerial.htm#Issue7 

ROI Issues --- http://www.trinity.edu/rjensen/roi.htm 

Implications for Auditing and Assurance Services --- 
http://www.trinity.edu/rjensen/ecommerce/assurance.htm
 

Opportunities of E-Business Assurance & Security:  Risks in Assuring Risk --- http://www.trinity.edu/rjensen/ecommerce/assurance.htm 

Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime

The Controversial Electronic Commerce of Education --- http://www.trinity.edu/rjensen/000aaa/0000start.htm

Investor Relations and Internet Reporting   

Education and Training   

Evaluation of Websites 

Search for Internet, e-Commerce, or e-Business Phrases

Top Year 2002 Accounting Technologies 

Bob Jensen's Threads on Electronic Commerce --- 
http://www.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's Threads on Electronic Commerce in College Curricula --- 
http://www.trinity.edu/rjensen/ecommerce/curricula.htm
 

Accounting Threads

 

Links to Some of Bob Jensen's Accounting Theory Documents
Introduction to Accounting Theory ---  http://www.trinity.edu/rjensen//theory/00overview/theory01.htm  

Accounting for Electronic Commerce, Including Controversies on Business Valuation, ROI, and Revenue Reporting --- http://www.trinity.edu/rjensen/ecommerce.htm 

State of Accountancy in the Year 2002: My Lectures for Germany (Augsburg and Rothenburg) in June 2002 --- http://www.trinity.edu/rjensen/FraudConclusion.htm 

Accounting Tricks and Creative Accounting Schemes Intended to Mislead Investors, Creditors, and Employees --- http://www.trinity.edu/rjensen//theory/00overview/AccountingTricks.htm

Letter to Senator Schumer --- http://www.trinity.edu/rjensen/theory/sfas123/jensen01.htm 

Links to the following accountancy documents:

Accounting Theory Course --- http://www.trinity.edu/rjensen/acct5341/index.htm 

Pro forma reporting ---  http://www.trinity.edu/rjensen/acct5341/theory/00overview/theory01.htm 

Accounting for Derivative Financial Instruments and Hedging Activities --- http://www.trinity.edu/rjensen/caseans/000index.htm 

Real Options, Option Pricing Theory, and Arbitrage Pricing Theory --- http://www.trinity.edu/rjensen/realopt.htm 

An Accounting Theory Final Examination, The Open Polytechnic of New Zealand Semester Two, 2000,  http://www.topnz.ac.nz/info/services/pdf/71300_00_2.pdf 

Bob Jensen's threads on e-Commerce and e-Business can be found at http://www.trinity.edu/rjensen/ecommerce.htm 

Bob Jensen's threads on XBRL are at http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended 

Bob Jensen's Helpers for Accounting Educators --- http://www.trinity.edu/rjensen/default3.htm 

Bob Jensen's Accountancy Bookmarks --- http://www.trinity.edu/rjensen/bookbob.htm 

Bob Jensen's Threads --- http://www.trinity.edu/rjensen/threads.htm

 

Electronic Commerce:  Revenue Accounting Problems and Related Financial Accounting Issues --- http://www.trinity.edu/rjensen/ecommerce/eitf01.htm 

 

Accounting Issues Addressed by the SEC and FASB

DESCRIPTION OF THE PROPOSED PROJECT

This potential FASB project on disclosure about intangibles would focus on improving information about intangible assets that are seen by many as increasingly important to business success but are not currently recognized as assets in financial statements. Intangible assets are generally recognized only if acquired, either separately or as part of a business combination. Intangible assets that are generated internally, and some acquired assets that are written off immediately after being acquired, are not reflected in financial statements, and little quantitative or qualitative information about them is reported in the notes to the financial statements. The principal goals of the project would be to make new information available to investors and creditors and to improve the quality of information currently being provided—information vital to well-reasoned investment and credit resource allocation decisions. A secondary goal of the project would be to take a first step in what might become an evolution toward recognition in an entity’s financial statements of internally generated intangible assets. The balance of this Proposal discusses the problem to be addressed, the scope of the project, the issues that would have to be resolved, how practice might change, and the FASB agenda criteria. It concludes with a request for comments and several questions for constituents.


Dear Professor Jensen:

As you may know, Greenstein and Vasarhelyi's ELECTRONIC COMMERCE was the first book to combine accounting risk management and control issues with systems issues--in other words, the first book to really combine accounting and electronic commerce.  But it's not enough to be first once--you need to be first every time. And with ELECTRONIC COMMERCE 2/E, once again you get the newest and most up-to-date coverage available.

Just published this summer, ELECTRONIC COMMERCE, 2/E covers the hottest topics in e-commerce, including e-business strategy, XML and XBRL, and emerging supply chain e-commerce and e-revenue models. And a constantly updated Website will insure your course has access to the very latest developments.

To learn more about ELECTRONIC COMMERCE, 2/E or to request a complimentary copy, contact Ray Lesikar, your McGraw-Hill/Irwin representative, at ray_lesikar_jr@mcgraw-hill.com. You may also visit the book's Website at this address: http://www.mhhe.com/webmaster/redirector.pl?p=1000001004457&c=938&a=4&s=1 .

Thank you for your time.

Regards,
Rich Kolasa
Marketing Manager, Accounting, McGraw-Hill/Irwin

 


How to Build Customer Relationships Online
Marketing is not just about getting an order, it's about getting a customer and keeping them. Nurture your customer relationships with regular e-mails. With regular e-mails you can build relationships and gather market intelligence. http://www.newmedia.com/default.asp?articleID=3275 

Bob Jensen's small business links are at http://www.trinity.edu/rjensen/bookbob1.htm#SmallBusiness 


Top Year 2002 Technologies as Rated by the AICPA --- http://www.cpa2biz.com/ResourceCenters/Information+Technology/Top+10+Techs/default.htm 

Top 10 Techs
Top 10 Techs Categories
 
TopTechs provide information about cutting edge technologies that could impact your ability to compete effectively in the e-world.
 
TopTechs are presented in four categories:
  • Issues -- situations that result from technology  implementation
  • Applications -- business opportunities/objectives using  one or more technologies
  • Technologies -- end products (hardware, software, or   standard)
  • Emerging Technologies -- new developments currently under review
Certainly database technology has been around for a while. It made the list of top ten technologies ...
Technologies: Security Technologies
In the past year, nine out of 10 organizations experienced security breaches, according to a recent ...
Technologies: XML (Extensible Markup Language)
"Your tax dollars at work" could be the subtitle for this section, assuming you waited 20 years and ...
Technologies: Communications Technologies - Bandwidth
Here's a riddle for you: What doubles in demand every three to four months, but drops in price over ...
Technologies: Mobile Technologies
Convenience, Efficiencies are Hallmarks of Mobile Technologies What would Benjamin Franklin think o ...
Technologies: Wireless Technologies (includes wireless networks)
Are you on the cutting edge of wireless technology? If your first thoughts were of your beloved PDA ...
Technologies: Electronic Authorization
In a workflow system, documents move from one user to another as they are electronically processed. ...
Technologies: Encryption
We've come a long way from the "magical" times of the 17th century where works about ciphers and cry ...
Technologies: Remote Connectivity Tools
The information you need is in one place; you are in another place. Traditional solutions to remote ...
Technologies: Electronic Authentication
Are you who you say you are? That is, in fact, the question of authentication, which is one aspect o ...

 


Investor Relations and Internet Reporting

Jerry Trites from Canada and I conducted two workshops on electronic reporting and electronic commerce.  The first of these is for August 14 in San Antonio (AAA Annual Meetings) and November 23 in Los Angeles (Asian Pacific Conference).  I received the following message from Jerry on February 14, 2002:

Hi Bob,

Following is the URL for the website for my new e-business textbook. Thought you might be interested.

http://www.pearsoned.ca/trites/ 

Jerry,

p.s. When will we hear back from AAA re the San Antonio conference? 

Gerald Trites, CA*CISA, FCA 
Gerald Schwartz School of Business and Information Systems, 
St Francis Xavier University, 
Antigonish, Nova Scotia 
Phone: (902) 867-5410 Fax: (902) 867-3352 Cell: (902) 867-0977 
Home page: http://iago.stfx.ca/people/gtrites/index.html 


August 8, 2002 message from Miklos

I have posted on the Web pieces of my e-commerce course about hr + of clips,, .... be my guest to use them

http://raw.rutgers.edu/miklos/baxtermovies/baxter.html 

they can be used (not tightly coupled) with my e-commerce slides

http://raw.rutgers.edu/ecommerce2 

Miklos A. Vasarhelyi 
KPMG Professor of AIS
Rutgers University Director, Rutgers Accounting Research Center 
315 Ackerson Hall, 180 University Ave. Newark, NJ 07102 
tel: 973-353 5002 fax 973-353 1283 miklosv@andromeda.rutgers.edu 

Bob Jensen's related assurance services threads are at http://www.trinity.edu/rjensen/ecommerce/assurance.htm 


This appeared in one of my older documents that is no longer updated --- http://www.trinity.edu/rjensen/99aaa/updatefr.htm 

Online Financial Reporting

Ross A Kaplan, "Identity Crisis for Online Annual Reporting," Financial Executive, Jul/Aug 1999, 38-39.

Have traditional accounting and finance measures of corporate wealth "lost their Utility?"
http://www.zdnet.com/pcweek/stories/columns/0,4351,407222,00.html

However, I will provide some updates below:

Top Investor Relations and Internet Reporting Sites --- http://ids.csom.umn.edu/faculty/kauffman/courses/8420/Projects/POlson/page5.htm 

According to Ross Kaplan of the Off-line website, six attributes of a good IR web site are:
Investor Relations Magazine  provides the following advice on adding value to a corporate web site:
    • Investors are becoming more sophisticated and expect to be able to add their names to a mailing list and be kept updated on press releases.
    • The IR site should have different design considerations than the rest of a corporate web site.  Investors want detailed information and fast downloads, forget the spinning logos.
    • Make sure your server is adequate for traffic requirements.
    • Keep the IR web site  content and corporate values consistent with other communication with shareholders (annual reports, brochures, etc.).
In March, 1998 Investor Relations Magazine named Microsoft as the winner of its "Best World Wide Web Site" award.  The magazine holds an annual awards ceremony to recognize excellence in investor relations.  The Microsoft IR web site is a standard of excellence in using technology to promote investor relations.  Attributes of the web site include:
  • Basic offerings such as stock quotes, Frequently Asked Questions (FAQs), annual reports, and press releases
  • A daily update on the antitrust trial brought against it by the U.S. Department of Justice
  • Transcripts of speeches by company executives
  • Live internet broadcasts of its conference calls
  • Detailed historical data and analysis tools which allow an investor to analyze income statement line items dating back to 1985 or analyze revenue by product group
  • Stock information such as price and volume history, investment growth history, five year comparison to the S&P 500, history of stock splits and dividend information
  • The annual report is available in eleven languages
  • Its income statements can be viewed in accordance with accounting standards and in the local currencies of Australia, Canada, Germany, France, Japan, and the U.K.
Companies such as Intel, 3Com, Xerox, Dell Computer, and IBM are also frequently discussed as having exceptional IR web sites.

XBRL Will Change the World of Financial Reporting and Analysis --- http://www.trinity.edu/rjensen/XBRLandOLAP.htm#XBRLextended 


Data Binding

Data Binding as defined at http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci991121,00.html

Data binding is a process that allows an Internet user to manipulate Web page elements using a Web browser. It employs dynamic HTML (hypertext markup language) and does not require complex scripting or programming. Data binding first became available with Microsoft Internet Explorer (MSIE) version 4. It can be used in conjunction with that and all subsequent versions of MSIE to create and view interactive Web sites with a minimum demand on authoring time, subscriber effort, server drive space, and server processing resources.

The data binding architecture consists of data source objects (DSOs) that supply the information to viewed pages, data consumers that display the DSO information, and agents that ensure that the data is synchronized between the DSOs and the consumers. Data binding is used in Web pages that contain interactive components such as forms, calculators, tutorials, and games. Pages are displayed incrementally so that portions of a page can be used even before the entire page has finished downloading. This makes data binding convenient when pages contain large amounts of data and bandwidth is limited.

Data binding has been used by hackers in attempts to gain access to the hard drives of Internet users. This is known as a DSO exploit.
 

XML Data Binding --- http://www.rpbourret.com/xml/XMLDataBinding.htm 

Data Binding for Java --- http://www-106.ibm.com/developerworks/xml/library/x-bindcastor/ 


From Builder.com --- http://builder.com.com/5100-6387-1058862.html?tag=grid 

Data binding 101: DataSets
In its simplest form, data binding involves attaching an ASP.NET Web control, say a ListBox, to a DataSet containing some database data. The ListBox.DataSource property lets you specify the DataSet to which the control should bind, and the DataBind method actually fills the control with data. Because a DataSet can contain multiple fields, Web controls with a single column (ListBox, DropDownList, etc.) all expose DataTextField and DataKeyField properties to let you specify the name of the field the control will display as text and use as a value, respectively.

Listing A contains a simple example that binds a ListBox to the Categories table of the Northwind sample database. After creating the DataSet, I bind it to ListBox1 using the DataSource property. I then set the DataTextField property to CategoryName, the field that ListBox1 should display (it will be used as SelectedItem.Text), and the DataKeyField property to CategoryId so that ListBox1 will use it as the key. (It will be returned as SelectedItem.Value.)

Data binding 201: Arrays and collections
Okay, so binding to a DataSet is child’s play. But what if the data you want isn’t contained in a database? What if you would like to allow the user to choose from an array of objects? Sure, you could manually create a DataSet containing the data, but that's kind of like building a mansion when all you need is a tool shed. Wouldn’t it be nice if you could just bind directly to the array?


Continued at  http://builder.com.com/5100-6387-1058862.html?tag=grid  
 

 


Education and Training Outlines

Electronic business education and training programs in various major universities are outlined at 
http://www.ehrlichorg.com/ibp/Undergraduate%20E%20BusE%20Com-0825.doc 


Note the sheer size of this operation --- "more than 1.5 million people already use its 15 e-Learning modules in three topic areas of leadership, strategy and general management."

From Syllabus News on October 2, 2001

Harvard B-School Expands Business Courses Via the Web

Harvard Business School Publishing said last week it would use the Internet to make available its electronic learning programs in best management and business practices to corporate groups and enterprises. HBSP said more than 1.5 million people already use its 15 e-Learning modules in three topic areas of leadership, strategy and general management. HBSP will now offer support for companies that wanted to make the modules available to company groups via the Internet.

For more information, contact Nancy O'Leary at Harvard Business School Publishing http://noleary@hbsp.harvard.edu 


Electronic commerce courses, including accounting courses, have been added to the curricula of many business schools.  As a sample, the courses at the University of Scranton are shown below --- http://matrix.scranton.edu/academics/ac_courses_electronic_commerce.shtml 

Electronic Commerce Program

Course Descriptions — Electronic Commerce

EC 251 —  Introduction to Electronic Business — 3 credits
(Prerequisite: C/IL 104) This introductory course in electronic business explores how the Internet has revolutionized the buying and selling of goods and services in the marketplace. Topics covered include: business-to-business and business-to-consumer electronic commerce, electronic commerce infrastructure, designing and managing online storefronts, payment acceptance and security issues, and the legal and ethical challenges of electronic commerce. Students will also gain hands-on experience in creating, editing, and enhancing a web site using an HTML editor.
EC 361 — Electronic Business Communication Networks — 3 credits
(Prerequisite: EC 251) The course is designed to provide students with networking and telecommunications fundamentals necessary to develop enterprise networks to conduct business on the Internet. Topics covered include: communication network media; processors and protocols; multimedia transmission; wireless networks; network design, management and security; and present capabilities and future trends in communication. Discussion of the technology is focused on business applications within and among organizations. Hands-on experience and case studies will be used to illustrate concepts and business use of enterprise networks.
EC 362 — Database Management for Electronic Business — 3 credits
(Prerequisites: EC 251, OIM 471) The course deals with database design, implementation and use of Database Management Systems to support Electronic Business. Topics covered include: database design and implementation; data modeling and structured query language (SQL); distributed data base management system, open data base connectivity, integration of web server and backend database server; data warehousing and mining; on-line analytical processing; and database application and management. Cases and DBMS software will be used to illustrate concepts and to gain hands-on experience.
EC 370 — Interactive Marketing — 3 credits
(Prerequisite: MKT 351, junior standing) This course focuses on the integration of state-of-the-art interactive technologies in the design and implementation of marketing programs for the new millennium. The functions of market identification through customer analysis, and the planning and implementation of conception, pricing, promotion and distribution of ideas, goods and services to satisfy the market benefit immensely from the capabilities of the rapidly developing information technology (IT) infrastructure.
EC 371 — Investments — 3 credits
(Prerequisite: FIN 351, junior standing) This course will provide students with an overview of the fundamentals of investing, with specific emphasis on the use of information technology tools. Topics will broadly cover the areas of stock selection and valuation, bond valuation, and the use of options and futures to hedge risk. Students will be taught to use resources available on the Internet in order to develop security selection rules and valuation models. For example Quicken.com and Hoovers have web sites that enable an investor to retrieve current financial data and build stock screens. Students will also learn to build a financial web site that contains features found in many professional web sites.
EC 372 — Accounting for Electronic Business — 3 credits
(Prerequisite: ACC 252 or ACC 254, junior standing) This course is intended to introduce E-Commerce students to the role of accounting in today’s business environment. Students will examine how technology has impacted the techniques of accounting and reporting. Computerized models of accounting will be used to explore the tools available to compile data for management decisions and reporting. Internet business and traditional business transactions will be evaluated in light of global markets. Thus students will see the effects of control features built into software systems and understand the role such systems play in running the company.
EC 461 — Internet Applications Development — 3 credits
(Prerequisites: EC 361, EC 362) The course introduces the student to existing and evolving Internet technologies needed for electronic commerce site development and management. Topics covered include: Windows NT, Internet information server, index and transaction servers, object-oriented paradigm, client and server side scripting, active server page, enterprise data access, domain name service, and trends in web development tools. The course emphasizes applications of the technology and provides hands-on experience by having students develop a working electronic business site. Cases will be used to illustrate concept and the role of each technology used to conduct business on the web.
EC 462 — Projects in Electronic Business — 3 credits
(Prerequisite: EC 461) In this course, students will develop an electronic commerce project that will be used to conduct online business. The purpose of this course is to synthesize the Internet related technologies and the business knowledge acquired in different courses to develop a working electronic commerce site. Students will work in a team-oriented environment under the guidance of the instructor. Students will design, develop, implement, and operate a secure content-rich electronic commerce web site to attract and retain customers.
EC 470 — Supply Chain Management — 3 credits
(Prerequisites: EC 361, EC 362) This course integrates two powerful trends that are critical management imperatives for the new millennium: Supply Chain Management & Electronic Business. The students will learn how the principles of supply chain management integrate into the “real-time” environment of e-business and examine case studies of such implementations. Latest software and technology will be discussed and examples demonstrated on the SAP R/3 platform available at KSOM.
EC 471 — Electronic Business Security Controls and Ethics — 3 credits
(Prerequisites: EC 361, EC 362) The course is designed to provide students with an understanding of the technical, managerial, legal and ethical issues to build, operate and manage e-commerce solutions. Topics covered include: web server and client security; secure transactions and payments; information security; digital certificates and practices; civil and criminal legal issues; morality and ethical issues; intellectual property and patents; governmental regulations and policies; and emerging technologies and standards. Appropriate cases will be used to illustrate the above concepts.
EC 472 — Electronic Business and Entrepreneurship — 3 credits
(Prerequisites: EC 361, EC 362) This course links electronic commerce with entrepreneurship. The convergence of information and communication technologies has created numerous opportunities to entrepreneurs to start new and innovative businesses based on electronic commerce. The course will examine the issues related to the starting and establishment of new businesses based on electronic commerce. The course comprises three parts. The focus of the first part is on issues related to the establishment of a new business and entrepreneurship. The second part examines the business issues related to electronic commerce including the development of business models and plans. The last part is a practical part where groups of students will develop and establish small electronic commerce businesses from start to finish. The learning will occur through study and discussion of conceptual reading material, analysis and discussion of cases, and through the development and implementation of an e-commerce business.

 


Question
What are the CERIAS programs in assurance services?

Answer
Certified Public Accountants over the past decade have been actively promoting the branching out of financial attestation services (especially auditing) into wider ranging "assurance services."  Especially noteworthy is the new service SysTrust where public accountants in the U.S. and Canada have partnered to extend assurance services into the areas of computing services and information systems.  For details and links, see http://www.trinity.edu/rjensen/ecommerce/000start.htm#AssuranceServices 

I mention this because, unlike auditing services by public accountants, where there is an SEC-mandated monopoly under SEC rules, there is no such monopoly on extended assurance services.  In assurance services other than auditing, CPAs face increasing competition from other professional bodies.  One such area is in the entire area of Information Assurance and Security.  I mention this, because an education and training center at Purdue University is generating courses and graduates in a program that is not a part of the Accounting Department or the School of Business.  I will now briefly summarize the CERIAS Center at Purdue University --- http://www.cerias.purdue.edu/ 

What I found interesting is the extent to which students can get both MS and PhD degrees in Information Assurance and Security.

The Center for Education and Research in Information Assurance and Security, or CERIAS, is the world's foremost University center for multidisciplinary research and education in areas of information security. Our areas of research include computer, network, and communications security as well as information assurance.

Mission Statement 
To establish an ongoing center of excellence which will promote and enable world class leadership in multidisciplinary approaches to information assurance and security research and education. This collaboration will advance the state and practice of information security and assurance. The synergy from key members of academia, government, and industry will promote and support programs of research, education, and community service.

Vision Statement 
The Center for Education and Research in Information Assurance and Security will be internationally recognized as the leader in information security and assurance research, education, and community service.

Internal Vision 
Build a well-supported community of scholars actively involved in: Evolution and offering of educational programs in information assurance and security. Solving fundamental questions of science, engineering and management as they relate to information security and assurance. Transfer of expertise and technology to organizations with real world needs. Assuming leadership roles in appropriate community and government organizations. Activities to enhance the public's understanding and acceptance of information protection. To accomplish this, the Center promotes research, education and community service programs in conjunction with various key groups. It also brings synergy to these diverse groups (consisting of members from academia, government agencies and industrial partners) to advance the philosophy of information security and assurance.

Education
  • We have compiled resources for students, parents, and teachers on a host of topics including copyright, safe surfing, acceptable use, cryptography, and much more; we also offer teacher and student workshops on a variety of security topics, at a variety of levels.
  • Information about our graduate studies, including the Scholarship for Service program.
  • The post-secondary education site contains information about formal and informal information security and assurance educational initiatives, including workshops, multimedia product offerings, certification and faculty development efforts, and awareness activities.
  • A site created by CERIAS and several partners to raise awareness of Information Security in the state. Includes information for K-12, Home Computing, and Business and Industry.

Introduction to CERIAS
So, you are interested in graduate studies in Information Security at Purdue University? That's great! You can take advantage of the infosec expertise present at Purdue and associated with CERIAS, but you can't actually get your degree from there. CERIAS is a research center, and not an academic department. However, there are other ways to get your degree and be associated with CERIAS.

There are currently 3 different approaches to graduate study in infosec here:

  1. The interdisciplinary MS specialization
  2. A standard MS in one of the involved departments, with a focus on infosec topics
  3. A PhD course of study in one of the involved departments, with a dissertation topic in infosec
We are currently offering an interdisciplinary Master's specialization in InfoSec. This is offered as an MS through a participating department, not CERIAS. While the program is multidisciplinary and requires (and recommends) courses in Computer Sciences as well as other fields, admission to the program is handled administratively by a participating department. The specialization on your diploma will, however, read "Information Security," independently of what department handles the admission. As of September 2000, the only department ready to admit students to the program is Philosophy. Computer Sciences, Education, and Electrical & Computer Engineering are all in the midst of the administrative process to join the program.

You can apply for the Program electronically for future sessions. Please select "Philosophy" on the application and indicate "Information Security" as your area of interest. Your default contact professor in the next field of the application is Eugene H. Spafford, Director of CERIAS and of the Program. Feel free to mention in that field any other professor in information security that you would like to work with if you have established such a contact already. You will eventually be contacted by the graduate school about your admission status.

 

Students can also receive graduate degrees in existing programs with a specialization in infosec areas. To do this, the students enroll in a traditional major, take a core of common courses, and then are able to take electives related to their interests. Masters students may choose to research and write a Master's thesis that involves further study in a particular area of interest, or they may simply take 30 or more credit hours of coursework. PhD students must choose a specialized topic for their dissertation research. The most common major for students interested in information security is Computer Sciences, but degrees are also associated with Electrical & Computer Engineering, Management, Philosophy, Political Science, and many other departments associated with CERIAS.

Note that specific requirements for individual department degrees are given in the course catalogs and on some departmental WWW pages. What follows is a summary of the requirements for a CS graduate degree, serving as an example of what is expected. You need to consult one of the definitive references to get the whole picture. (CS graduate degree requirements are available on the WWW; information on other graduate programs can be found by starting at the main Purdue WWW page.)

 

MS in CS Program
MS students are required to take a course in operating systems or networks (CS 503 or CS 536), one in programming language design or compilers (CS 565 or CS 502), and algorithm analysis (CS 580), plus another 7 courses of electives, or 5 courses and the thesis option. Normally, for infosec study, MS (and PhD) students would take CS 502 and CS 503, plus the courses in computer security (CS 526) and cryptography (CS 555) as electives, and consider taking the advanced security (CS 626) and cryptanalysis courses (CS 655), too.

There are many electives available to graduate students, including graphics, databases, numerical methods and distributed systems. Each year, several faculty also offer special topic courses in their areas of interest. Opportunities for directed reading or research courses are also available. In the last few years, we will have had seminars in Intrusion Detection and Incident Response, Penetration Analysis, Firewalls, Electronic Commerce, Network Security, and Security Tools. Additionally, we have had seminar courses in Wireless Networks, Advanced Operating Systems, and Internetworking.

 

Normally, a PhD program starts with 2 years of graduate study and passing a series of general exams in the area of study (the "qualifier exams"). The candidate then decides on an area of study, chooses an advisor, and takes an in-depth exam in the area of specialization (the "preliminary exam"). Next, the candidate performs in-depth research under the guidance of the advisor for a period of time ranging from 6 months to as many as 5 years. Finally, the candidate writes a detailed scientific account of his or her research (the dissertation) and defends it in a public exam before a committee of faculty, visitors, and members of the community. The average time to complete a PhD in CS at Purdue (assuming the student already has a good undergraduate background in CS) is 5 years.

Required courses for PhD students in CS include courses in operating systems, algorithm analysis, compilers and programming languages, numerical analysis, and theory of computation; this is a superset of the courses required for the MS degree, and almost all PhD candidates obtain their MS degree during their candidacy for the PhD.

 

MS & PhD Research
Currently, there is a large range of projects being conducted in information security at Purdue. We have almost 40 projects involving over 30 faculty in a dozen different academic departments. You can get a more complete picture of the faculty and research projects via the CERIAS WWW pages. These projects are normally open to graduate students and can be used to satisfy research requirements towards MS and PhD thesis work. Not all infosec projects are offered through CERIAS, either, and there is no requirement that students work on a CERIAS project to get an infosec-related degree.

 

Special Notes for CS
Students coming in to the graduate program are expected to be ready to pursue the degree upon arrival. There are limits as to how many semesters may be spent in residence before completing each of the steps towards the degree.

In particular, students are expected to:

  • have strong, basic skills in mathematics, including working knowledge of statistics, calculus and linear algebra
  • know how to write programs in some advanced computer language (C/C++/Java are languages of choice; Perl is also encouraged)
  • have mastery of spoken English sufficient to understand lectures and presentations, and to discuss assignments with faculty and TAs
  • have mastery of written English sufficient to document programs and write grammatical research papers. This is especially critical for MS and PhD students who need to write a thesis and research papers
Students without adequate preparation, or who fall behind in assignments, may be tempted to take "shortcuts" on assignments to keep up. Cheating, plagiarism, and falsifying work are severe violations of both the student code of conduct and academic honesty, and discovered incidents are dealt with particularly harshly by faculty in the infosec arena. Graduate students in violation of these rules are routinely recommended to the dean of students for expulsion from the university; foreign students in this situation will lose their visas. Thus, it is strongly recommended that applicants be sure they have mastery of these basic skills prior to applying to graduate school at Purdue.

Financial Aid
Financial aid for graduate students is based on both scholarship and need. Some fellowships are available to exceptional incoming students. Others are supported by the departments or by research projects. It is unusual that a new student will get support from a faculty member's research funding; indeed, most faculty do not support students prior to their completion of some of the qualifying exams. Some incoming students qualify for selection as teaching assistants, however. Other information about financial aid is in the graduate student information documents.

For financial aid, contact the admitting department and not individual faculty members.

Disclaimer
The above is not an official document of Purdue University, but Professor Spafford's interpretation of Purdue policy. Interested parties should consult official University documents, available through the graduate school.
 
 

From Syllabus News on December 10, 2002

Compsec Firm Funds Purdue Info Assurance Degree

Internet security firm Symantec Corp. has endowed a fellowship for a student pursuing a degree at Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS). The Symantec Fellowship will provide up to $50,000 to cover the full tuition costs for two years and a stipend for a degree-seeking student enrolled at Purdue and working with CERIAS, a center for multidisciplinary research and education in information security. Applications will be accepted immediately with a deadline of March 1, 2003. The Fellowship recipient will be announced April 8, 2003 at the annual CERIAS Spring Symposium held on the West Lafayette, Ind., campus of Purdue University. The Fellowship will begin during the 2003-2004 school year and will be expanded to include a second student beginning the Fall of 2004.

December 11, 2002 reply from J. S. Gangolly [gangolly@CSC.ALBANY.EDU]

Bob,

I wanted to brief AECMers on the happenings, with respect to Information Assurance in Albany.

The Department of Accounting & Law at SUNY Albany is starting with the Fall semester 2003 an MBA track on Information Assurance (IA) based on our earlier efforts in AIS in the MS program in Accounting with an emphasis in AIS. When we have prepared the materials about the program, I'll post them on this listserv.

We have re-engineered all courses in AIS to have security/assurance permeate throughout the curriculum. This is now receiving the last review by us to ensure compliance with the curriculum recommendations of the National Security Agency.

The above is a part of our campus-wide forensics initiative (Departments of Accounting & Law, Management Science & Information Systems, Department of Computer Science, School of Information Science & Policy, and in the future hopefully our very well regarded School of Criminal Justice) which has already received funding from the US Department of Education and is in partnership with the New York State Police, and CERIAS is also our partner in the efforts.

We are hoping to apply and receive next year the designation of Center of Excellence in Information Assurance Education. We hope more Accounting Departments will be hospitable to this "diversion" from our perceived central mission of educating future CPAs (currently there is no curriculum on IA in any Accounting Department that I am aware of).

It is important for me to brief the AECMers on the issue of "accountingness" of the curriculum in this respect, particularly since it became quite an issue even at Albany where our Department has traditionally been hospitable to off-the-wall curricular innovations. 'Accounting content' in much of the Information assurance curriculum usually is (and probably should be) expected to be very meager even though the assertions-based philosophy is rather similar.

I had a quite difficult time convincing my dyed-in-the-wool accounting colleagues (specially in Financial Accounting) that Information Assurance education can coexist peacefully in our Department. (Many Financial Accounting colleagues rightfully asked: since accounting content is minimal, why not have it in the MSIS or some other Department? My arguments were: 1. Such other departments do not have the tradition of scepticism that we in accounting/auditing have, and 2. we were better poised to offer a computationally intensive Information Assurance curriculum in the department because of the sophistication of our existing AIS curriculum). Ultimately, we did win the confidence of the department faculty, though in some instances it might have been grudging acceptance because of what we would lose in the long run if we chose to not have the program.

Jagdish S. Gangolly, 
Associate Professor (j.gangolly@albany.edu)  
Accounting & Law and Management Science & Information Systems 
State University of New York at Albany, Albany, NY 12222. 
Phone: (518) 442-4949 Fax: (707) 897-0601 
URL: http://www.albany.edu/acc/gangolly 

December 11, 2002 reply from Bob Jensen

Hi Jagdish,

I appreciate your informative reply. It appears that Albany has avoided the vexing problem that Notre Dame and the University of Virginia faced with their Masters of Assurance Services Programs for Ernst & Young employees --- http://www.trinity.edu/rjensen/255wp.htm#ErnstandYoung 

The vexing problem arises when one of the goals is to have the graduates of the assurance services program also be eligible to sit for the CPA examination. It appears that assurance services masters programs at Albany and Purdue have no CPA examination goal. Hence there can be very little accounting, tax, and auditing in those programs. This was not the case for Notre Dame and the University of Virginia where a major goal is for the graduates to be eligible to sit for the CPA examination in most states.

This begs the question about what career paths students will take after graduating from assurance services programs. It would seem that Albany and Purdue University are envisioning graduates joining consulting firms, computer systems companies, etc. Graduates of the Notre Dame and UVA programs already work for the accountancy divisions of Ernst & Young.

It seems to me that for a career path in the accountancy divisions of a public accounting firm, there is very little future without becoming a CPA.

Hence, I anticipate two types of assurance services degree programs. One type is more focused on computer science and information systems. The other type is more focused on accountancy and accounting information systems.

I think there's room for both types of emerging programs.

Bob Jensen

December 12, 2002 reply from Calderon,Thomas G [tcalder@uakron.edu]

Our entire grad program (at the University of Akron) is built around an IT security and assurance theme. Each course taught by acct dept faculty has security and assurance content and we attempt to tie everything together in our capstone IS Audit & Control Project (a hands-on project organized as a mini-internship and supervised by a faculty member and a "competent" professional in the field.)

Courses, 3 hrs each, in the program are:

  1. Business Application Development (taught by MIS)
  2. Applications Development for Financial Systems (taught by accounting -- uses skills learned in BAP to address assurance type problems)
  3. Enterprise Resource Planning & Financial Systems (uses Oracle 11i to expose students to architecture, business process issues, & security and assurance issues in ERP environments)
  4. Financial Data Communications & Enterprise Integration (focus on XML, XBRL, and security/assurance issues associated with enterprise integration)
  5. Advanced Information Systems (database/data warehouse design/assurance issues; use Oracle 8i)
  6. e-business foundations (general management issues in a distributed network environment--taught by MIS)
  7. e-business technologies (exposure to networks, internet technologies, and application development for a web environment; use Windows OS, Cold Fusion, Oracle--taught by MIS)
  8. e-business risk, control & assurance (business risk assessment, security, & assurance for entities that use distributed networks such as the Internet for business critical activities)
  9. Assurance Services with Data Warehousing & Data Mining (a hands-on course that uses Classification & Regression Trees (CART), Multivariate Adaptive Regression Splines (MARS), neural networks, and ACL to identify red flags in quantitative data).
  10. IS Audit & Control Project (the capstone hands-on project, structured as a mini-internship with a very specific deliverable).

All students admitted into the program must take the following courses if not taken in their undergrad program:

  • 3 hrs of accounting information systems
  • 3 hrs of intermediate accounting
  • 3 hours of auditing
  • 3 hours of cost & management accounting (beyond principles)

We encourage students to prepare for and take the CISA exams and CITP. The program does not attempt to prepare students for any specific professional examination.

 

 

Electronic Commerce:  Assurance Services Opportunities and Risks


Possible new assurance service clients for CPA firms
A number of major international charities are opening their doors for the first time to outside inspectors, allowing them to certify that donations are spent as advertised.  The charities say they hope thorough inspections and a new industry seal of approval will assuage public fears of donations being misused. The nonprofits are also trying to keep ahead of a movement in Congress to impose regulations on the fast-growing but largely unsupervised world of nongovernmental organizations.
Michael M. Phillips, "Big Charities Pursue Certification To Quell Fears of Funding Abuses," The Wall Street Journal, March 9, 2005; Page A1 --- http://online.wsj.com/article/0,,SB111033202546074217,00.html?mod=todays_us_page_one 
Bob Jensen's threads on charity frauds are at http://www.trinity.edu/rjensen/FraudReporting.htm#CharityFrauds 


Nobody has been more influential in moving the auditing profession toward expansion of scope of services than Robert K. Elliott, the former KPMG partner and Past Chairman of the AICPA.  In the mid-1990s, Bob Elliott chaired the AICPA Special Committee on Assurance Services.  His basic argument was that the future of auditing was becoming increasingly bleak without expansion into a broader scope of services that did not impair professional reputation for CPA integrity and independence.

First he argued that the traditional audited financial statements rooted in standards for industrial companies are rapidly becoming obsolete in terms of usefulness and timeliness to investors.  He stated the following in a November 2, 1998 Saxe Lecture at Baruch College: --- http://newman.baruch.cuny.edu/digital/saxe/saxe_1998/elliott_98.htm 

Now let's focus, in this new environment, on the financial statements that we prepare under generally accepted accounting principles. These financial statements have been designed by the FASB and its predecessors to describe the industrial-era enterprise, the enterprise that creates value by physically manipulating tangible property like raw materials and turning them, by the application of energy and labor, into finished goods, then pushing the finished goods down the line to customers physically. What you see on those financial statements are the very tangible assets of that process. You see the raw material, the work in process, the finished goods. You see machinery and equipment. You see the buildings and the land.

That's what's on the financial statements, but post-industrial enterprises run on a different set of assets. They basically run on intangible assets, such as the capacity of innovation, research and development, human resources, information and know-how, brand equity, relations with customers and vendors, and relations with employees. These intangible assets drive the post-industrial firm, and none of them are on the balance sheet at all. We don't account for them.

Post-industrial enterprises run on intangible assets...

  • Information
  • Research and development
  • Capacity for innovation
  • Human resources

...which are not in the financial statements

Now you're thinking, "Okay, but those are just the post-industrial enterprises. Most of the American economy is still making things -- automobiles, steel, food." Well, let me tell you, two percent of the American work force is involved in growing things on farms, and ten percent of the American work force is involved in making things in factories. The rest of the work force is doing something else. Seventy percent are involved in the creation, distribution, or use of information. The economy has basically become information-oriented. Even industrial enterprises are no longer strictly tangible-goods companies.

Let me give you an example: Motorola. It's a manufacturing company, so it should be described by an industrial accounting model. Let's look into that. Say you go down to the store and buy a Motorola cellular phone that costs $100. How much of the $100 was for the physical content of the phone? There is less than a penny's worth of sand, turned into silicon. There is less than two cents worth of copper, to make the wires to connect things. There is less than a nickel's worth of oil, turned into a plastic box. What is the rest of the $100? Software, research and development, innovation, brand equity, information. Manufacturing companies are putting out more and more products that are post-industrial. They too run on assets that are not in the financial statements.

Let's look at it graphically, on this slide. In the past, a company's value-producing assets were largely tangible. There were intangible assets, but tangible assets dominated. So at this end of the spectrum, think of United States Steel. You've got steel mills, blast furnaces, land, piles of coal. But the emergent economy is basically working on intangible assets.

At the other end of the spectrum, think Microsoft and think of Microsoft's balance sheet. I guarantee you, Microsoft's balance sheet has nothing of interest on it whatsoever. What are the assets of Microsoft that comprise the balance sheet? A couple of diskettes, probably not even much land. Where is the some $300 billion of Microsoft's market value? It's between the ears of Microsoft's people, not on the balance sheet.

Don't get me wrong; I'm not saying that we should take these intangible assets and turn them into debit and credit entries, but I am saying that ignoring them in the accounting model is a fatal mistake, because what we're doing with these grand financial statements is producing what's in the left-hand column. We're producing periodic historical cost basis financial statements, five terms to describe what we provide as accountants, but look at the right-hand column and you will see the way in which people are used to getting information in every other information domain besides accounting.

Periodic? No. People don't want periodic information. They want to log on and get the information they want on demand. They want up-to-the-minute, if not forward-looking, cost bases. I'm not saying they want to know the current value of the assets as much as I'm saying they want to know the capacity of this basket of assets to make customers better off, to create value for customers.

Sure they want financial information, but they want much more than that: They want to be able to look behind it and see the operating data that lie behind those numbers, see the leading indicators, see the non-financial performance indicators that management itself is using increasingly to run the enterprise, things like customer satisfaction, product and process quality, measures of innovation -- those types of things.

Then, the last word in this five-part set is the word "statements." We're referring to general purpose financial statements. General purpose financial statements means the information is not exactly what the investors need, not exactly what the creditors need, not exactly what the managers need, not exactly what the regulators need, not exactly what the tax man needs. It's not exactly what anybody needs. It's a compromise.

But today, we actually have the capacity to go in and find out what we want on demand. This trick of summarizing a complex enterprise in two pages, a balance sheet and an income statement, is a neat trick we learned as accountants 500 years ago or so. It was a pretty good trick when people could hardly come into the enterprise, thumb through the journals and ledgers, and form their own impression of the enterprise.

But today, users can literally come in and thumb through the journals and ledgers themselves. I don't mean with their thumbs, but with their software. They have the ability to come in and express their information demands and get them met in the format that they need, drill down, and get whatever they want when they want it.

What I am saying is that this left-hand column is not a formula for success in the future. In fact, it leads to something we might call a loss of decision-information market share.

On this graph, what I show, over the extent of the 20th century, is the information content of financial statements available to decision makers. It has been going up somewhat during the century as a result of higher standards, better accounting, better practice, and so forth. Actually, those show a tailing off at the end of the century. That's what I was talking about earlier. These financial statements don't describe the Microsofts and the other post-industrial enterprises.

Looked at this way, the information content of financial statements is declining. At the same time, we have other information. At the beginning of the century, you would certainly need information outside the financial statements to decide whether to commit money to the enterprise as either an investor or a creditor, but a relatively large percent of what we needed could come from the financial statements. You always need some other information, but the financial statements supply a relatively large part of what is needed.

As the century goes on, though, low-tech information intermediaries emerged, people like Moody's, Standard & Poor's, and Dun & Bradstreet. Later in the century, you get an explosion of other sources of information because of electronic databases now on line. So while the total information that creditors and investors have is exploding, the piece that we as accountants are involved in preparing and auditing is flat at best, perhaps even declining, but either way, it's a loss of relative market share.

That's why I say we're facing a parlous present. Yet, I have the temerity to tell you there is a great future in front of us. How so? How do I get there?

First, there are some enormous megatrends in our favor. One megatrend is the change from an industrial to an information or post-industrial economy. We as the information people should be able to figure out how to take advantage of the shift to an information economy. Unless we're foolish or lack creativity, that megatrend actually operates in our favor. A second megatrend is that all around the world, people of every type are expressing less and less trust in institutions, businesses, governments, and people. More and more, they want accountability for the money they are investing or contributing, for resources managed by others, and for relationships. They want to be told about what's happening with their trusted inputs.

These demands for accountability express themselves in many ways, but we as the accountability people should be able to figure out how to take advantage of the trend. That's what we supply. If people are demanding more of it, that's good for us.

The third megatrend is that information technology is making markets so much more competitive. You have probably heard this comparison: an Internet year to a regular year is like a dog year to a human year. This enormously speedy change creates turmoil everywhere. That should be good for us. We should be able to step in and help resolve the turmoil by bringing some information discipline to it. What we have to do is figure out how to harness these megatrends.

Continued at http://newman.baruch.cuny.edu/digital/saxe/saxe_1998/elliott_98.htm 

The Special Committee under Elliott's leadership contacted a random sample of CPAs in all 50 states and concluded the following four bullet points as listed on pp. 11-12 of the above document:

Combining insight with integrity, CPAs deliver value. They listed four bullets: 

  1. One is communicating a total picture with clarity and objectivity. 
  2. Second is translating complex information into critical knowledge. 
  3. Third is anticipating and creating opportunities. That sounds a little more creative than what most people think of when they think of accountants. 
  4. And fourth is designing pathways that transform vision into reality.

Let me take those four bullets and recast them a bit for you. I want to start here with the information value chain. You have probably seen this in some form or another, but here's the idea. At the left end of this chain, we've got business events and transactions taking place, but we don't know anything about them yet, so the first thing we do is record them. Now we have data about them, and we can begin to take a look at what happened. We take the data, refine and combine it with other information, and we have more than data -- we have information, information from the outside and so forth. That turns into knowledge, and we use that knowledge in order to make wise decisions -- consumption decisions or welfare, political, and social decisions. Any type of decision.

So as you move up the information value chain, you get to higher and higher value activity. The person who sits there at shipping, taking down and recording things going in and out, creating data, is earning what? Perhaps ten dollars an hour. That's what you get for actually creating data. Then you move up to the 30 people who get $100 an hour because they are transforming data into information and refining information into knowledge.

Now let's take those four bullets that I showed you here and locate them on this value chain. The first was communicating the picture with clarity and objectivity. That's down here at this level. The conversion of data and information -- good work, pays decent, but a lot of that is being made redundant by technology. It's not going to be great work too far into the future. The next bullet is translating information into knowledge. That falls right here; that's higher value. People who do that get paid more.

The third bullet is creating opportunities. That lies even further up the value chain, and those people get paid even more. The fourth is designing the pathways that permit people to achieve their vision, and that's where you're up at the top of the value chain. So 3,000 members told us they aspire to move their practice up the information value chain. We also asked, "What do you think are the core values of the accounting profession?" These were the top five that they listed: First, a commitment to continuing education and lifelong learning. Second, competence. They think that whatever they are doing, they must be highly competent at it. Third, integrity -- stands to reason. The reputation of the accounting profession rests on people believing that we have integrity, and that rests on CPAs having integrity. Fourth, they list attunement to broad business issues, not just narrow green-eye shade focus on the numbers, but a holistic view of the enterprise. Fifth, objectivity, which is different from integrity. You can have one or the other or both, but objectivity is the neutrality, trustworthiness. So these are the top five values.

Now look at what our numbers showed as the services with the highest potential in the future. The first one was assurance and information integrity services. They extend the historical audit function, taking in a much broader domain. The second is technology. They see technology services as something that's really going to be high value-added and demanded well into the future. Third, management consulting and performance management. Obvious, right? The fourth is financial planning, helping people to achieve their financial objectives. And fifth, they see the world economy as global and see in that enormous opportunities for international services, much more than we have exploited in the past.

Our members also identified the capabilities that CPAs would need to have in order to succeed in taking advantage of the opportunities they identified. Number one was communications and leadership skills. Number two, strategic and critical thinking skills. You can't get up the value chain if you're just thinking about the production of debits and credits; you have to think strategically, the way the management of the enterprise thinks.

The third needed competency is a focus on customer, client, and market. We talked earlier about mass production, where the producer tries to drive down the price and isn't too concerned whether the product meets specific customer needs. Demassification is where you turn around and face every problem from the customer's perspective. You have to turn around and face the whole thing from the customer's perspective or you won't get the right answer.

The fourth competency is the interpretation of convergent information, by which they mean the ability to interpret both financial and non-financial information. If you only see one side of the picture, you don't have the full story. Fifth, you have to have high technology skills to succeed in this environment. When vision-project participants talk technology skills, they are not talking about the ability to run a PC, do a spreadsheet, and make a Powerpoint presentation; they're talking about a fundamental understanding of how technology reshapes organizations, products, services, and markets, and about the risks of employing technology and the ways in which to control those risks. They are talking about business implications of technology, not just the ability to run applications or deploy software. Those are necessary, but not sufficient in order to succeed.

The vision-project participants mentioned obstacles to achieving this vision -- problems we have to solve and issues we have to deal with. One is that we can't get anywhere if the customers don't believe we can do it. So they held that future success would be based on public perceptions of our ability and roles. The second issue is that we've got to become as a profession much more market-driven than we are. Third, we have to be less dependent on traditional accounting and auditing services and focus more on high-value services like consulting. Fourth, you can't face this marketplace as a generalist very well in the future. You've got to specialize in some area. You need the breadth to see problems as a whole, but you also have to have the skills to be able to solve problems in some specialized domain. Fifth, these CPAs are saying that as a profession, they don't think we're sufficiently global in our perspective and outlook. That's an issue as well.

So these are the things that our members are telling us. This is not the leadership of the AICPA telling us what to do; it's the members of the AICPA telling the leaders what to do. That doesn't mean that if the AICPA does those things, the game is won, because other actions are necessary as well. Some actions have to be taken at the level of firms, both industrial firms and CPA practice firms. Since I am in practice and I'm familiar with what we have to do in our firm and firms like it, I'll focus on them.

The first thing that firms have to do in order to realize these opportunities is to adopt a customer focus for the auditing product. The customers are not only the clients, but the investors and creditors out there who are the end users of the information. If we're not making those people better off, we're not going to have much of a job in the future. The second thing is that firms have to build competencies, particularly in the technology area but in some others as well. The third thing is that we have to take our existing product offerings and invest them with higher and higher value. We have to make them more valuable to the customers, and we have to show our customers and clients our capacity to create value.

When they think of CPAs, we don't want them to think only of people who prepare the financial statements and tax returns; we want them to think of CPAs as the people who help them shape their future. Those firms that don't have a research and development arm oriented to finding out customer needs and creating service opportunities to fulfill those needs will have to create one.

It should be stressed that Elliott and the Special Committee viewed assurance services as extending well beyond attestation services.  Attestation is usually associated with verification of past transactions, such as attesting to a golfer's score or attesting to the fairness of a contest drawing outcome.  Assurances can be more forward looking, in terms of the design of systems that are "assured" to perform within specified tolerances.  For example, one type of assurance service proposed by the Special Committee is called WebTrust.  It is intended not so much as an "attestation" that a company in the past did not violate its data privacy policy with customers as it is intended to "assure" customers that the company will abide by its promises in the future.

I greatly admire Bob Elliott and the Special Committee both for giving us a vision for the future and for the boldness in the plan.  The disappointment, at least in the short run, has been in the inability of CPA firms to undertake many new assurance service experiments.  And some of the experiments that have taken place, like WebTrust, have been largely disappointing in terms of perceived value in the eyes of potential customers.

Then came the implosion of Enron and the explosion of the auditing firm, Andersen, that transpired in 2002.  Public respect for the independence and integrity of CPAs plummeted along with short-term prospects that the world was ready for a new type of professional.  Members of the AICPA resoundingly defeated the AICPA proposal that a new professional designation be developed, such as the failed XYZ (unspecified) and Cognitor designations.

Rather than focus more and more on expanded services, large CPA firms in the post-Enron era had to divest themselves of large chunks of the consulting practice in a concerted effort to restore public confidence in CPAs and in their audit services.  The momentum for expanded assurance services has temporarily slowed, but it will come booming back over the longer term.


Virtually all colleges with accounting programs have added assurance service modules and/or complete courses.

The future of assurance services is so promising that some major universities have initiated assurance service degree programs apart from traditional accounting and tax degree programs.  Several examples are listed below:



Assurance Services Updates

January 19, 2003 message from Lawrence Gordon [LGordon@rhsmith.umd.edu]

Dear Bob:

The Journal of Accounting and Public Policy has initiated a new sub-section called "Accounting and Information Assurance Letters." The sub-section publishes short papers (not to exceed 6 printed pages, or approximately 2400 words) that link timely accounting (broadly defined) and information assurance issues to public policy and/or corporate governance. Papers submitted to this subsection of the journal will be reviewed within four weeks of receipt and revisions will be limited to one. Papers accepted for this subsection will be published within four months of acceptance.

We believe that this new section of the journal will help define the relationship between accounting and information assurance, and would be especially pleased to publish papers on this topic from members of the journal's Editorial Board. Accordingly, if you are working on research papers that seem to fit the new section of the Journal of Accounting and Public Policy, we hope you will consider submitting it to the journal. More information about the new section can be found at: http://www.elsevier.com/inca/publications/store/5/0/5/7/2/1/ . We also hope you will bring this new section of the journal to the attention of your colleagues.

Sincerely,

Larry and Marty

Lawrence A. Gordon, Ph.D.
Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance
Director, Ph.D. Program
The Robert H. Smith School of Business
University of Maryland - College Park
College Park, Maryland 20742
Phone: (301) 405-2255
Fax: (301) 314-9611
E-mail: lgordon@rhsmith.umd.edu
http://www.rhsmith.umd.edu/accounting/lgordon/

Martin P. Loeb
Professor of Accounting and Information Assurance
Deloitte & Touche Faculty Fellow
The Robert H. Smith School of Business
University of Maryland, College Park
College Park, MD 20742-1815
E-mail: mloeb@rhsmith.umd.edu
Phone: 301-405-2209
Fax: 301-405-0359


The AICPA's main site of interest --- http://www.aicpa.org/assurance/index.htm 

Assurance Services are defined as "independent professional services that improve the quality or context of information for decision makers." Today's business environment is marked by increased competition and the need for quicker and better information for decisions. In addition, the complexity of systems and the anonymity of the Internet present barriers to growth. Businesses and their customers need independent assurance that the information on which decisions are based is reliable. By virtue of their training, experience and reputation for integrity, CPAs are the logical choice to provide this assurance.

The AICPA's movement into developing additional Assurance Services began with the 1993 Audit/Assurance Conference. The Conference had been concerned with the decline in the demand for audits and other attest services and that the users of Assurance Services had expressed dissatisfaction with their scope and utility. It analyzed why the audit and assurance function had come to this juncture and developed a broad plan for shaping the future of assurance to enhance its value.

The AICPA authorized the Special Committee on Assurance Services ("SCAS") to investigate the issues and what could be done to reposition CPAs for the future. The SCAS's report, The Report of the Special Committee on Assurance Services, was issued in 1997. The report called for the development of additional services to serve the needs of clients. For a complete understanding of the history of Assurance Services, follow the links under About Assurance Services.

The first four services that were developed are: ElderCare Services, Performance View, SysTrust Services, and WebTrust. This section of the AICPA's Web site provides information on each of these services, including: what the service encompasses; the necessary skills; information on developing a practice; and FAQs. In addition, links to the people to contact to request additional information are also provided.

Risk Advisory Services by CPA Firms --- http://www.aicpa.org/assurance/risk/index.htm 

How to obtain a free copy of the new thought leadership document on Risk,
MANAGING RISK IN THE NEW ECONOMY  

Download URL --- http://ftp.aicpa.org/public/download/Managing%20Risk.pdf 

 

Update on SysTrust --- http://www.aicpa.org/assurance/systrust/index.htm 
The AICPA/CICA Trust Services principles and criteria will be released January 1, 2003. The effective date of the new Trust Services principles and criteria will be effective for engagements beginning on or after January 2003. Earlier implementation is encouraged.

 

 

Update on WebTrust --- http://www.aicpa.org/assurance/webtrust/princip.htm 

Trust Services Principles and Criteria Exposure Draft

The Trust Services Principles and Criteria are intended to address user and preparer needs regarding issues of security, availability, processing integrity, online privacy and confidentiality within ecommerce and nonecommerce systems. The Principles and Criteria contained in this program supersede Version 2.0 of the SysTrust Principles and Criteria and Version 3.0 of the WebTrust Principles and Criteria and are effective for examination periods beginning after August 31, 2002.

The new and improved WebTrust 3.0 family of services provides best practices and eBusiness solutions for Business-to-Consumer and Business-to-Business Electronic Commerce, for Service Providers, and for Certification Authorities. Please review each to determine which would be best for your clients and their customers.

 

Update on ElderCare Assurance Services --- http://www.aicpa.org/assurance/eldercare/index.htm



 

Illustration of Topics in a Continuous Assurance Symposium

Fifth Continuous Assurance Symposium

November 22 and 23 (AM), 2002

Rutgers Business School

190 University Ave.

Bove Lecture Hall – Engelhard Hall

Newark, NJ 07102

Web address- http://raw.rutgers.edu/continuousauditing/fifthaudit.htm

Sponsored by IMA, Artificial Intelligence and Emerging Technologies section of the AAA, ISACA.

November 22nd, 9am-6pm

INTRODUCTION: 9:00-10:30

Welcome to Rutgers: Dean Howard Tuckman

  • Update on the Center for Continuous Auditing, Don Warren (Texas A & M University)
  • Update on the European Center for Continuous Auditing, Robert Onions (Salford University, UK)
  • Principles of Analytic Monitoring, Mike Alles, Alex Kogan & Miklos Vasarhelyi (Rutgers Business School)
  • Understanding the New Business Reporting Model for the Future, Tony Pugliese (AICPA)

Break: 10:30-10:45

RESEARCH PAPERS I: 10:45-12:15

  • James Hunton (Bentley College), Jackie Reck (Univ. of So. Florida) & Robert Pinsker (Old Dominion Univ.), Investigating the Reaction of Relatively Unsophisticated Investors to Audit Assurance on Firm-released News Announcements
  • Ron Fritz, The Tax Department Is Well Positioned to Perform Independent Periodic Validation Checks
  • Roger Debreceny (Nanyang Technological University) and Glen Grey, Embedded Audit Modules

 

Lunch in the Dean’s Lounge located in Ackerson Hall: 12:15-13:15

CORPORATE EXPERIENCE IN CONTINUOUS AUDITING: 13:15-14:15

  • HCA Healthcare, Chase Whitaker
  • KOLA: KPMG On-Line Audit: Practical Experiences From Piloting On-Line Continuous Audit Tools, Kevin Handscombe, KPMG Assurance Innovation Centre, UK

RESEARCH PLANNING WORKSHOP:     14:15-15:15

  • Mary Curtis (University of North Texas), An Innovation Characteristics Approach to the Study of the Adoption of Continuous Auditing
  • Michael Fancher, National Consortium of Manufacturing Services, Research Opportunities in Continuous Auditing in the Manufacturing Area

Break: 15:15-15:30

SOFTWARE FOR CONTINUOUS AUDITING & CLIENT APPLICATION: 15:30-18:00

  • ACL, John Verver
  • AuditMaster, Ed Kress
  • Approva, Larry Roshfeld
  • Caseware, Alain Soubliere
  • Applimation and Ernst & Young, Rajesh Parthasarathy, Value Added Auditing of Oracle Applications: How Ernst & Young Used Assessor to Take Audits to the Next Level. A Case Study.

Dinner at Mediterranean Manor  (rodizio and others)  6:30

Located at 255-269 Jefferson Street, Newark, NJ  07105 – Telephone # 973-465-1966 or 1967

 

Saturday Nov 23, 8 AM-1PM

RESEARCH PAPERS II:     8:00-9:00

  • Richard Dull (Clemson) and David Tegarden (Virginia Tech), The Proposal of a Visual Approach to Implement Continuous Auditing
  • Rob Nehmer (Berry College), Continuous Auditing Implications: Rethinking the Roles of Systems of Internal Controls

RESEARCH PAPERS III: … 9:10:30

  • Jim Hunton (Bentley College), Arnold Wright (Boston College) & Sally Wright (Univ. of MA), Assessing The Impact of More Frequent External Financial Statement Reporting and Independent Auditor Assurance on Quality of Earnings and Stock Market Effects
  • Michael Alles (Rutgers Business School), The Black Box Log Proposal
  • Bonnie Morris (West Virginia University), The Use of Legal Ontologies to Model Privacy Policies

Break: 10:30-10:45

RESEARCH PAPERS III: … 10:45:11:45

·         Vicky Arnold (University of Connecticut) , Clark Hampton(Uconn), Deepak Khazanchi (University of Connecticut) and Steve Sutton (UConn), Risk Analysis in B2B E-Business Relationships: A Model for Continuous Monitoring and Assurance in Partnering Relationships

·         Don Warren (Texas A & M University), Data Mining As a Continuous Auditing Tool For Soft Information: A Research Question

 

CONCLUSION: THE ROLE XML – XBRL/GL IN CONTINUOUS AUDIT: 11:45-13:00

·         Eric Cohen, PWC, Data Level Assurance: Bringing Data into to Continuous Audit Using XML Derivatives

·         Michael Groomer (U of Indiana) and Uday Murthy (Texas A&M University), Enhancing an XML Schema for Accounting Systems to Facilitate Continuous Auditing

Discussants

·         Jim Peters (University of Maryland)

·         Charlie LeGrand, IIA

 

 


Financial Statement Assurance in an E-Business Environment
  • Risks uniquely present in an e-business environment.  

    • Networked transactions

    • Changing technologies that can tank a business overnight

    • Soft assets dominate hard assets

    • Ever-evolving series of mergers and acquisitions

    • Short and high-risk product life cycles

    • Young and inexperienced labor force

    • Success or failure may ride on one person or a few key people

    • Lack of management focus on cost control

  • Successions of losses do not necessarily impair a going concern (provided investors are willing to keep infusing the business with cash)

  • Substantive testing in audits may not be practical or feasible (see Statement on Auditing Standards [SAS] 80, Amendment to SAS 31, Evidential Matter)

 

 

New Forms of Assurance to Facilitate E-Business

AICPA formed the Special Committee on Assurance Services (SCAS) in 1994.  After a careful analysis of demographic and other trends, this committee concluded the following:

Your marketplace is changing.  Multibillion-dollar markets for new CPA services are being created.  Investors, creditors, and business managers are swamped with information, yet frustrated about not having the information they need and uncertain about the relevance and reliability of what they use.  CPA firms of all sizes--from small practitioners to very large firms--can help these decision makers by delivering new assurance services.  (AICPA Web site, "Assurance Services," www.aicpa.org).

The Elliott Committee (named after its chair, Robert K. Elliott) identified six new service areas considered to have high potential for revenue growth for assurance providers:

  1. Risk Assessment

  2. Business Performance Measurement

  3. Information Systems Reliability

  4. Electronic Commerce

  5. Health Care Performance Measurement

  6. ElderCare

The work of the Elliott Committee was followed by the appointment of the ongoing Assurance Services Executive Committee, chaired by Ronald Cohen.  This committee is charged with the ongoing development of new assurance services and the provision of guidance to practicing CPAs on implementing the services developed.

  • Information Systems Reliability Assurance 

  • Electronic Commerce Assurance. 

Business-To-Consumer Assurance

  • CPA/CA WebTrust (Joint Venture of AICPA and CICA)
    • Business Practices and Disclosure--The entity discloses its business and information privacy practices for e-business transactions and executes transactions in accordance with its disclosed practices.

    • Transaction Integrity--The entity maintains effective controls to provide reasonable assurance that customers' transactions using e-business are completed and billed as agreed.

    • Information Protection and Privacy--The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-business is protected from uses not related to the entity's business.

  • Proprietary E-Business Audits

  • Privacy Audits

Business-to-Business Assurance

  • Assurances against service disruptions and product shipments

  • CPA/CA SysTrust (Joint Venture of AICPA and CICA)
    • Availability--The system is available during times specified by the entity.

    • Security--Adequate protection is provided against unwanted logical or physical entrance into the system.

    • Integrity--Processes within the system are executed in a complete, accurate, timely and authorized manner.

    • Maintainability--Updates (upgrades) to the system can be performed when needed without disabling the other three principles.

  • SAS 70 Reviews of Service Organizations (extended to B2B Risks)

SAS 70, Reports on the Processing of Transactions by Service Organizations, was issued to provide assistance in the auditing of entities that obtain either or both of the following services from an external third party entity.

  • Executing transactions and maintaining related accountability

  • Recording transactions and processing data

  • Internal Controls Risk

    • The financial statement assertions that are either directly or indirectly affected by the service organization's internal control policies and procedures.

    • The extent to which the service organization's policies and procedures interact with the user organization's internal control structure

    • The degree of standardization of the services provided by the third-party to individual clients.  In the case of highly standardized services, the service auditor may be best suited to provide assurance: however, when the third-party offers many customized services, the third-party auditor may be unable to provide sufficient assurance regarding a specific client.

SAS 70 provides for two reports the service auditor can provide to the user auditor concerning the policies and procedures of the service organization:

  • Reports on policies and procedures placed in operation.

  • Reports on policies and procedures placed in operation and tests of operating effectiveness.

Other Potential New Services to Facilitate E-Business

  • Value-Added Network (VAN) Service Provider Assurance

  • Evaluation of Electronic Commerce Software Packages

  • Trusted Key and Signature Provider Assurance

  • Criteria Establishment

  • Counseling Services

The AICPA's Assurance Services Website is at http://www.aicpa.org/assurance/index.htm 

 

Major Constraints and Considerations
Competencies Required

Competition

Jeopardy to Public Accountancy's Image of Independence and Professionalism

Legal Risks

 


One of the most significant and controversial professional practice areas is the one where Bob Elliott led the accounting profession into its new Song of SysTrust.  I don't know if all accountants have noticed the monumental and highly controversial change in attestation services being proposed by the AICPA and the CICA for the public accounting profession.  Most certainly the lyrics are not familiar to non-accountants other than attorneys who, while dancing in their briefs, have difficulty containing their enthusiasm for this new Anthem of the Auditors.  This is the first major shift of the accounting profession into the attestation of complete information services.  Financial audits may eventually be but a small part of the total attestation and assurance service symphony of services.  The proposed new "accounting"-firm service is called SysTrust at http://www.aicpa.org/assurance/systrust/index.htm  .  

Probably the best summary of SysTrust to date is "Reporting on Systems Reliability," by Efrim Boritz, Erin Mackler, and Doug McPhie in the Journal of Accountancy, November 1999, pp. 75-87.  The online version is at http://www.aicpa.org/pubs/jofa/nov1999/boritz.html.  (It might be noted that both Boritz and McPhie are from Canada --- SysTrust is a joint venture with the Canadian Institute of Chartered Accountants and the AICPA in the U.S.)  


How can you protect confidential documents at your Website?

Answer:  See http://www.w3.org/Security/Faq/wwwsf5.html#Q14 


Privacy in eCommerce


"Playboy says hacker stole customer info," by Greg Sandoval and Robert Lemos, C|Net News Com, November 20, 2001 --- http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd 

Playboy.com has alerted customers that an intruder broke into its Web site and obtained some customer information, including credit card numbers.

The online unit of the nearly 50-year-old men's magazine said in an e-mail to customers that it believed a hacker accessed "a portion" of Playboy.com's computer systems. In the e-mail, a copy of which was reviewed by CNET News.com, Playboy.com President Larry Lux did not disclose how many customers might have been affected.

Playboy.com encouraged customers to contact their credit card companies to check for unauthorized charges. New York-based Playboy.com also said it reported the incident to law enforcement officials and hired a security expert to audit its computer systems and analyze the incident.

Continued at http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd 


For a brief period, Ziff Davis published the personal information -- including credit card numbers -- of thousands of its subscribers on the Web. --- http://www.wired.com/news/ebiz/0,1272,48525,1162b6a.html 
"A Tell-All ZD Would Rather Ignore," by Declan McCullagh, Wired News, November 20, 2001

Because Ziff Davis' 1.3-MB text file included names, mailing addresses, e-mail addresses and in some cases credit card numbers, a thief who downloaded it would have enough information to make fraudulent mail-order purchases. An executive at one New York magazine firm called the error "a bush-league mistake for a major online publisher."

Zane said Ziff Davis relies on EDS and Omeda database technology to protect subscriber information. He refused to provide details, except to say that "we were doing a promotion not using the EDS and Omeda products."

In interviews, two people who appeared on the Ziff Davis list said they had typed in their information when responding to a promotion for Electronic Gaming Monthly.

"I went to the site and signed up for the free year, but did not sign up for the second year, which was not free," said Jerry Leon of Spokane, Washington, whose Visa number and expiration date appeared in the file. "I get the feeling that this was one huge scam, but that card is now dead, and any charges made on it will be refused."

"If it was just a stupid accident, they are going to regret failing a community that worries about this stuff ever happening, but if something less innocent has occurred, they may as well fold the tents," said Leon, who signed up through AnandTech's hot deals forum.

Rob Robinson, whose address information -- but not credit card number -- was on display, says he subscribed to Electronic Gaming Monthly through a promotion on ebgames.com.

"I'm annoyed that my home info as well as a valid e-mail is available to anyone. That's quite a valuable list of gamers' personal data up for grabs. I feel really bad for the poor folks who are going to have to cancel their credit cards," Robinson said.

It's not clear whether Electronic Gaming Monthly subscribers were the only ones affected by the security snafu, and Ziff Davis refused to provide details. The file appeared at the address http://www.zdmcirc.com/formcollect/ebxbegamfile.dat until around noon EST on Monday.

That address began circulating around Home Theater Forum discussion groups over the weekend, and Ziff Davis at first erased the contents of the database at around 9 a.m. EST Monday. But its system continued to add new subscribers to the public file until Ziff Davis administrators blocked access to that address around midday Monday.

"Every week we learn of new cases where companies used insecure technology or unsecure servers to handle business that utilizes financial information or customer information," says Jericho, who edits the security news site attrition.org. "In the rush to be e-appealing for e-business they e-screw up time and time again."

Jericho has compiled a list of miscreant firms whose shoddy security practices have exposed customer information. The hall of shame includes notables such as Amazon, Gateway, Hotmail and Verizon.

Ziff Davis Media publishes 11 print magazines. It is a separate company from ZDNet, which is owned by CNET Networks.



Privacy in eCommerce:  Personal Certificates

For discussion of cookies and how to Surf the Web anonymously, see Cookies.

For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12 

What is WebTrust?  What are its major competitors?  

Hint: See the following:

Question:  
What makes WebTrust more "trusted" vis-a-vis its competitors (aside from being CPA or CICA firms)?

Answer:  
WebTrust is the only service that requires random site visits by independent CPA firms to spot check if privacy policies are being adhered to by the WebTrust client.

Truste Network Authentication Security in Question

Even one of the originators of the Internet's wannabe consumer seal -- ubiquitous technologist Esther Dyson -- is disappointed in the way the service has panned out.

"Just How Trusty Is Truste?," by Paul Boutin, Wired News, April 10, 2002 --- http://www.wired.com/news/exec/0,1370,51624,00.html 

Enron had Arthur Andersen. Yahoo has Truste, the nonprofit privacy organization whose seal of approval is designed to assuage consumer fears about giving personal information to websites.

But Yahoo's recent announcement of sweeping changes in the way it will use customer data collected under previous policies has many calling Truste's seal as meaningless as an Andersen audit.

Even Esther Dyson, the high-profile technologist who played a major role in Truste's launch five years ago, says she is "disappointed in what ended up becoming of it."

By its own account, Truste was conceived at Dyson's industry-leading PC Forum conference in 1996. Dyson credits others with the concept, but she pushed both publicly and privately for the establishment of the nonprofit company and adoption of its "trustmark," which certifies that online companies comply with their own stated privacy policies.

Truste makes no attempt to set privacy policies. It merely ensures that companies clearly state their own rules for handling customer data, and then adhere to them.

"We thought disclosure would be enough," Dyson said.

Web surfers, her reasoning went, would read the various companies' policies themselves and make their own choices, letting companies use privacy policies as a competitive differentiator. Truste's seal would simply ensure that the policy was being followed, so that "between two sites I've never heard of, I'd rather pick the one that has the Truste logo," she explained.

But over the years, a series of Truste clients have managed to violate the spirit, if not the letter, of their Truste-approved policies.

Rather than revoking seals left and right, Truste officials often seemed to be covering for their clients -- explaining, in one case, that a Real Networks media player which reported users' video selections back to Real headquarters in Seattle was "outside of the scope of Truste's current privacy seal."

Their reasoning: The program uploaded data not to Real's website, but to a nearby set of servers.

"That symbol is meaningless, because of the number of institutions it has been associated with and the things they've gotten away with," said Yahoo user Jenifer Jenkins, who claims she stopped using Yahoo mail and other services last week after learning of the company's policy changes. "If (Yahoo) wants to be the first place people go on the Internet, they need to clean up their act."

Dyson agreed that, despite being co-founded by outspoken privacy advocates the Electronic Frontier Foundation, Truste's image has slipped from consumer advocate to corporate apologist. "The board ended up being a little too corporate, and didn't have any moral courage," she said.

"Clearly, if you're hostile all the time you're not very effective. But you have to have the moral courage to say, 'This is wrong, even if it's not in our contract.'"

Truste executive director Fran Maier argued that in Yahoo's case, critics don't recognize how much work her organization did to keep the megaportal in line -- not only with its own policy, but with generally acceptable behavior. "I can't tell you all the things they wanted to do, but believe me, we were there," she said.

"We reviewed a number of proposed changes, some of which were made, some weren't," she added. "It went through the highest level of oversight at Truste. Before they can launch or relaunch something with our seal on it, they have to deal with our review."

Continued at  http://www.wired.com/news/exec/0,1370,51624,00.html 


You must be careful when viewing a corporate Website that you think is authentic but is a total fraud.  One such site is http://www.dowethics.com/  which spoofs the genuine http://www.dow.com 

The site at dowethics.com is a very clever spoof site that mirrors the real corporate site but runs it with stories against the company.  It is interesting because it appears to be very authentic and illustrates how companies really do need authentication seals such as Verisign, the Better Business Bureau BBB seal, or the WebTrust Seal --- http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialProblems 

 

Question:  What is the most popular and less costly privacy seal alternative relative to WebTrust?

Answer:  The Better Business Bureau --- http://www.bbbonline.org/privacy/index.asp 

 Of the many challenges facing the Internet, privacy has risen above them all as the number one concern (and barrier) voiced by web users when going online. Participants in the BBBOnLine Privacy Program are addressing this concern head-on with responsive and effective self-regulation. By subscribing to responsible information practices, BBBOnLine Privacy participants are promoting the vital trust and confidence necessary for their own and future success of the Internet.

Taking advantage of the significant expertise the Council of Better Business Bureaus wields in self-regulation and dispute resolution, the BBBOnLine Privacy Program features verification, monitoring and review, consumer dispute resolution, a compliance seal, enforcement mechanisms and an educational component. The BBBOnLine Privacy Program offers consumers a user-friendly tool that helps increase their comfort while on the Internet and is a reasonably priced and a simple, one-stop, non-intrusive way for business to demonstrate compliance with credible online privacy


Question on Website (Provider) Authentication
How can you find out that you are not at a phony site that pretends to be legitimate?

Answer:
Look for a logo verification seal on the site.  Although the AICPA's WebTrust seal is primarily a Web privacy seal (credit card information, medical information, etc.), the WebTrust seal is also a seal that assures users that the site is not a phony imitation of a real site --- http://www.aicpa.org/assurance/webtrust/princip.htm 
The WebTrust privacy and logo verification seal contains the following image on a document (the image below is for illustration only and is not valid on Bob Jensen's Web documents).

 

A less costly  logo verification seal is the VeriSign seal if it appears on a document (the image below is for illustration only and is not valid on Bob Jensen's Web documents).

"VeriSign Delivers Protections for Digital CPA Documents," by Wayne Harding, Journal of Accountancy, May 2002 ---  http://www.aicpa.org/pubs/jofa/may2002/cpa2biz.htm 

CPA2Biz, the AICPA, and VeriSign are now offering Authentic Document Service to CPAs. Through the use of Authentic Document IDs CPAs can notarize electronic documents. This notarization prevents any changes— a paragraph being deleted, a sentence added, even a space changed.

VeriSign --- http://www.verisign.com/ 
Get VeriSign's free white paper at https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=0714&toc=w093325300714000&email= .

Learn From the Experts VeriSign's Training Courses cover all areas of enterprise security including Firewalls, PKI, VPNs, Applied Hacking, and Web Security. Our small classes, hands-on labs, and world-class instructors ensure the highest level of security for your networks. Download our FREE White Paper, "VeriSign Internet Security Education: E-Commerce Survival Training" outlining the benefits of security education.




The Better Business Bureau (BBB):  Another Source of Website (Provider) Authentication --- http://www.bbb.org/ 


 

Although the BBB is best known as a place where consumers and businesses can file complaints about unethical, deceptive, and illegal commerce and charitable practices, the BBB also provides an Internet seal of Website (Provider) Authentication.  


Reliability Seal Program --- http://www.bbbonline.org/reliability/index.asp   
Helping Web users find reliable, trustworthy businesses online, and helping reliable businesses identify themselves as such, through a voluntary self-regulatory program that promotes consumer trust and confidence on the Internet.

Privacy Seal Program --- http://www.bbbonline.org/privacy/index.asp 
Helping Web users identify companies that stand behind their privacy policies and have met the program requirements of notice, choice, access and security in the use of personally identifiable information.

For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12 


Advantages of and risks of cookies --- see Cookies.


What is user authentication?

Answer: See Question 4 at http://www.w3.org/Security/Faq/wwwsf5.html#Q14 

User verification is any system for determining, and verifying, the identity of a remote user. User name and password is a simple form of user authentication. Public key cryptographic systems, described below, provide a more sophisticated form of authentication that uses an unforgeable electronic signature.

Continued at http://www.w3.org/Security/Faq/wwwsf5.html#Q14  

What Dollar Rental Car Company now requires from persons who rent cars might be extended to people who conduct transactions on Websites.  Dollar Rent A Car is currently making customers give a thumbprint before they give them the keys, another example of biometrics being used for ID purposes.

"No Thumbprint, No Rental Car," by Julia Scheeres, Wired News, November 21, 2001 --- http://www.wired.com/news/privacy/0,1848,48552,00.html 


For more discussion of the above issues, go to the  document entitled "Opportunities of E-Business Assurance:  Risks in Assuring Risk" at http://www.trinity.edu/rjensen/ecommerce/assurance.htm 

My other electronic Business links are at http://www.trinity.edu/rjensen/ecommerce.htm 


Crime and Justice Data Online --- BJS http://149.101.22.40/dataonline/ 


Ten Ways to Reduce Chargebacks and Fraud
Merchants' concern about online credit card fraud and chargebacks is rising at a significant rate. According to the 2001 Online Fraud Report conducted by Mindwave Research, 41 percent of merchants say the issue of online credit card fraud is "very serious" to their business. http://www.newmedia.com/default.asp?articleID=3443 

Bob Jensen's threads on fraud are at http://www.trinity.edu/rjensen/fraud.htm 

Bob Jensen's e-Commerce threads are at http://www.trinity.edu/rjensen/ecommerce.htm

 

A Special Section on Computer and Networking Security

Stay Safe Online --- http://www.staysafeonline.info/ 


Questions that have stumped the experts at Snopes --- http://www.snopes.com/humor/question/requests.asp


Internet Fraud Prevention Helpers from the Federal Trade Commission
OnGuard Online --- http://www.onguardonline.gov/default.aspx

Federal Trade Commission (Then and Now) --- http://www.ftc.gov/index.html

Bob Jensen's fraud prevention helpers --- http://www.trinity.edu/rjensen/FraudReporting.htm


Introduction to Security Edition 7, by Robert J. Fischer and Gion Green (Elsevier, 2004)
Note that this link provides a very generous preview --- Click Here
Parts could be used gainfully by students and other readers at no charge.


Question
What are some of the pop-up advertisements to avoid at all times?
Bob Jensen found out the hard way that legitimate adware programs often fail in permanently deleting an adware Trojan virus!

"How to Stop Operating-System Attacks: Ads for DriveCleaner, WinFixer, Antivirus XP, Antivirus 2009 and others pop up on PCs all the time, but the software may be fraudulent or ineffective. Also: Mac users need security updates, too," by Andrew Brandt, PC World via The Washington Post, January 29, 2009 --- http://www.washingtonpost.com/wp-dyn/content/article/2009/01/27/AR2009012701528.html?wpisrc=newsletter&wpisrc=newsletter

A legitimate malware remover--one that independent testing has objectively demonstrated to be effective--should be able to deal with the immediate problem of an adware program that won't let you remove it. Check your security software to see if it will do the trick. But the real fix may be concerted government action: Late last year the Federal Trade Commission asked a federal court to stop some perpetrators of this type of scam. It may be that prison terms or massive fines are the only useful deterrents.

Putting a condom around the computer also does not help!

Learn the fundamentals of the game and stick to them. Band-aid remedies never last.
Jack Nicklaus as quoted by Mark Shapiro at http://irascibleprofessor.com/comments-01-12-09.htm

My Recent Saga With Malware
Since viruses vary in terms of how difficult they are to disinfect from your computer, some of the remedies that failed for my deep-seated infections may not fail in all instances. In my case I had to give up and rebuild the hard drive, which is tantamount to getting a new computer.

I tried a number of different software downloads (some free and some fee-based) to rid my computer of infections that kept returning even when my main computer was disconnected from any network. Some of the disinfectants worked, but they also created more problems than the malware itself.

In the end I gave up and had the hard drive cleaned and started over with the same hardware and re-installed software. I suspect the problem is that I just don't know enough fundamentals of the game when it comes to disinfecting malware from the system, although the pros tell me that some malware just cannot be disinfected without cleaning out (called rebuilding) the entire hard drive and starting over. That's like killing the patient to rid her of chronic headaches. Sometimes the bad guys win. Sigh!

In my case I think I got the infection from a site that pretends to improve computer efficiency and security. Since I can't be certain, the site will remain anonymous. I'm told the most dangerous sites to visit include gambling sites, porn sites, and computer protection sites from sources other than trusted sources. Except when a computer-protection site is recommended by a trusted magazine like PC Magazine, a trusted newspaper like the tech section of The Washington Post, or trusted friends like your employer's tech support team, don't go there and most certainly don't download anything from that site even though it promises improved computer security and efficiency. Remember that some bad guys put up Web documents claiming some downloads are safe when in fact they are not at all safe. Don't trust all Google or Yahoo hits in this regard. The bad guys have Web documents and YouTube videos that lie big time.

Google searches can be hazardous to your computer's health. Of course there's a gray zone where I think taking chances is necessary to scholarship. Be more cautious about downloading files than merely visiting a site. Also some types of download files are more dangerous than others.

Don't be led into complacency that your anti-virus shields stop all the serious bad stuff. Wikipedia has a pretty good module on computer security --- http://en.wikipedia.org/wiki/Computer_security

I think my next new computer will be a Mac where computer and networking security is enormously better than PCs operating under Windows, but certainly Mac security is not perfect. The most popular Mac browser, Safari, has had some known security problems in the past. Before buying a Mac I will further investigate the current Safari risks. Fortunately Firefox makes a browser version for Mac computers. Unfortunately I will still mostly use a Windows machine since my Web servers, LAN servers, and email server are all at Trinity University. The Trinity University network service is only Windows-friendly. And I can only get Trinity's free and excellent tech support for a Windows computer.

In my case it's not the cost of a new computer that frustrates me. What frustrates me is that all the installed software must be dug out of my barn or repurchased. Training a new computer is even more frustrating than training a new puppy.

By Comparison, My Malware Problems are Rather Insignificant
Tens of millions of credit cards could be at risk of fraudulent use thanks to a serious computer-security breach at financial-transactions company Heartland Payment Systems. Earlier this week, Heartland revealed that a piece of malicious software, apparently installed inside the company's transaction-processing system last year, had compromised credit-card data as it crossed the network. The breach was announced on Tuesday--the day of the U.S. presidential inauguration--and, according to some experts, it shows that attackers are successfully defeating the financial industry's tough computer-security rules. "The potential is certainly there for this to be one of the biggest, if not the biggest breach we've seen," says Rich Mogull, founder of computer-security consulting company Securosis. "Something huge had to have gone wrong here." It's not clear precisely what kind of malicious software was used, or how many credit-card accounts were compromised. But company president Robert Baldwin has said that Heartland handles as many as 100 million transactions per month.
John Borland, "Malware Swipes Millions of Credit Cards: A security breach shows failings in security rules," MIT's Technology Review, January 22, 2009 --- http://www.technologyreview.com/computing/22007/?nlid=1714&a=f


Engaging Privacy and Information Technology in a Digital Age --- http://books.nap.edu/catalog.php?record_id=11896 


Also see http://www.google.com/search?hl=en&lr=&q=parental+control+software

"Keeping Kids Safe Online," by Johanna Ambrosio, InformationWeek Newsletter, March 15, 2006

I'm no expert, but I am a parent of three teenagers who, thankfully, have been safe so far. My reaction to the news about Microsoft jumping into the monitoring space with a free tool to be available this summer is that it sounds great, but I hope parents realize that the use of any monitoring software isn't by itself enough to guarantee kids' safety.

I think anyone in the computer industry already knows this and certainly understands the dangers that lurk. But I worry there may be some parents who too readily trust a tool to take the place of their (human) care and concern. Parents must still be parents, and older teens especially must be made aware of their responsibility in this, too. With great freedom comes great personal responsibility, both online and offline, and kids need the adults in their lives to both explain and model this.

We've certainly been lucky, and we've done some things to help. (For the fuller story, please check out my blog entry.)


"Human error and criminal cleverness still beating data security," AccountingWeb, September 2007 ---
http://www.accountingweb.com/cgi-bin/item.cgi?id=104033


Computer-based fraudsters are finding new ways to trick people—not technology—to get the information they seek

"Tech Special Report," Business Week, June 13, 2007

Phisher Kings Court Your Trust
Computer-based fraudsters are finding new ways to trick people -- not technology -- to get the information they seek

What I Learned at Hacker Camp
It's easy to create malicious code, penetrate firewalls, and steal personal and financial information. "Ethical hacker" Andrew Whitaker can show you how

A Guide to PC Security Products
Slide show: Concerned about your computer, but confused about how to keep it safe? Here's a look at some helpful hardware and software

This Bug Is Nasty, Brutish, And Sneaky
Cyberthieves have raised the stakes with a clever new program almost immune to detection

Stopping a Scam from Spreading
Thwarted by bigger banks, ID thieves are taking aim at smaller financial institutions. One credit union provides a model for fighting back

Dazed and Confused: Data Law Disarray
A profusion of legislation regarding privacy and data breaches puts businesses in a bind and consumers at risk

Gator is Dead. Long Live Claria
The company that annoyed countless Net surfers with its adware is reinventing itself with a new custom portal service


"The 25 Worst Web Sites," by Dan Tynan, PC World, September 21, 2006 --- http://www.pcworld.com/article/id,127116/article.html

  • People say hindsight is 20/20. When it comes to the Web, hindsight is more like X-ray vision: In retrospect, it's easy to see what was wrong with dot coms that tried to make a business out of giving stuff away for free (but making it up later in volume), or to make fun of venture capitalists who handed millions to budding Web titans who had never run a lemonade stand before, let alone an enterprise.

    It's so easy, in fact, we can't help doing it ourselves. So as venture capitalists scramble to throw money at anything labeled Ajax or Web 2.0, and Web publishing becomes so simple that anyone with a working mouse hand can put up a site, we offer our list of the 25 worst Web sites of all time.

    Many of our bottom 25 date from the dot-com boom, when no bad idea went unfunded. Some sites were outright scams--at least two of our featured Net entrepreneurs spent some time in the pokey. Others are just examples of bad design, or sites that got a little too careless with users' information, or tried to demand far too much personal data for too little benefit.

    And to prove we're not afraid to pick on somebody much bigger than us, our pick for the worst Web site may be the hottest cyberspot on the planet right now.

    Feel free to start at the bottom and work your way up, or jump ahead and read about the worst of the worst.



    Center for Systems Security and Information Assurance --- http://www.cssia.org/


    NetVeda Safety.Net 3.62 --- http://www.netveda.com/consumer/safetynet.htm

    The idea behind the NetVeda Safety Net application is a simple one: to allow users to control access to certain websites on their computer and to maintain firewall protection in the process. Users of the application can define user access based on the time of day and for content, if they so desire. As might be expected, the application also contains privacy controls that block the sending of personal information and that can also generate activity reports. This version is compatible with all computers running Windows 95 and newer.


    "Laptop Security, Part 2:  Tips on protecting your data, should fate--or a criminal--separate you and your notebook," by James A. Martin, PC World via The Washington Post, June 9, 2006

    My guess is that your notebook is worth several thousand dollars. I'd also guess that the data stored on it is worth much, much more--and that you'd be entering a world of woe if your notebook were stolen or lost.

    Last week I offered tips on how to protect and physically secure your notebook when you're out of the office. This week, I've got tips on protecting your data, should fate--or a criminal--separate you and your notebook.

    Windows XP gives you the option of requiring a user password to log on. Though certainly far from bulletproof, a relatively complex password provides more protection than none at all.

    A complex password includes upper- and lowercase letters, numbers, and one or more special characters. For example, suppose your name is Pat. You wouldn't use "Pat" as your password, would you? (You would? My, aren't we feeling lucky?) A better password would be something not easily identified with you.

    The more complex your password, the more difficult it is to crack--and, potentially, for you to remember. Don't make your password so complex you can't remember it. Or, if you must store your passwords, keep them somewhere safe. Some software programs for PCs and PDAs give you the ability to manage and secure passwords. One example: DataViz's Passwords Plus ($30), which lets you manage and secure passwords on your notebook as well as your Palm OS PDA.

    To create a password for your account in Windows XP, go into Control Panel, then open User Accounts. Select the account you want to protect with a password and click the "Create a password" button.

    For more about passwords, read Scott Dunn's June "Windows Tips."

    Some laptops now come equipped with biometric fingerprint scanners, as an alternative or enhancement to Windows password-protection. For more on this, see number 3, below.

    Another option is to encrypt any files on your notebook that contain sensitive data, such as customer Social Security numbers. (Of course, as I said last week, it's best not to place any sensitive data on a mobile system.)

    In essence, encryption scrambles data into code that only an authorized user can access. However, encrypting files, or your entire drive, can be time-consuming, slow system performance, and increase the likelihood you'll lose access to the data.

    Windows XP Professional (but not XP Home) includes an option that lets you encrypt files on an NTFS-formatted hard drive. After encrypting a file, you can open it just as you would any file or folder. However, someone who gains unauthorized access to your computer cannot open any encrypted files or folders.

    To encrypt a folder in Windows XP Professional, right-click it in Windows Explorer, choose Properties, click Advanced, select the "Encrypt contents to secure data" check box, and click OK twice. In the Confirm Attribute Changes dialog box, do one of the following: To encrypt only the folder, click "Apply changes to this folder only," and click OK; to encrypt the folder contents as well as the folder, click "Apply changes to this folder, subfolders, and files," and click OK.

    Continued in article


    "First-Ever Virus Hits Mac OS X:  There are many signs that Apple computers are finally becoming vulnerable to Internet-based viruses and other attacks," MIT's Technology Review, May 2, 2006 --- http://www.technologyreview.com/read_article.aspx?id=16758

    Benjamin Daines was browsing the Web when he clicked on a series of links that promised pictures of an unreleased update to his computer's operating system.

    Instead, a window opened on the screen and strange commands ran as if the machine was under the control of someone else. Daines was the victim of a computer virus.

    Such headaches are hardly unusual on PCs running Microsoft Corp.'s Windows operating system. Daines, however, was using a Mac -- an Apple Computer Inc. machine often touted as being immune to such risks.

    He and at least one other person who clicked on the links were infected by what security experts call the first-ever virus for Mac OS X, the operating system that has shipped with every Mac sold since 2001 and has survived virtually unscathed from the onslaught of malware unleashed on the Internet in recent years.

    ''It just shows people that no matter what kind of computer you use you are still open to some level of attack,'' said Daines, a 29-year-old British chemical engineer who once considered Macs invulnerable to such attacks.

    Apple's iconic status, growing market share and adoption of the same microprocessors used in machines running Windows are making Macs a bigger target, some experts warn.

    Apple's most recent wake-up call came last week, as a Southern California researcher reported seven new vulnerabilities. Tom Ferris said malicious Web sites can exploit the holes without a user's knowledge, potentially allowing a criminal to execute code remotely and gain access to passwords and other sensitive information.

    Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the computer maker to Microsoft three years ago, when the world's largest software company was criticized for being slow to respond to weaknesses in its products.

    ''They didn't know how to deal with security, and I think Apple is in the same situation now,'' said Ferris, himself a Mac user.

    Apple officials point to the company's virtually unvarnished security track record and disputed claims that Mac OS X is more susceptible to attack now than in the past.

    Apple plans to patch the holes reported by Ferris in the next automatic update of Mac OS X, and there have been no reports of them being exploited, spokeswoman Natalie Kerris said. She disagreed that the vulnerabilities make it possible for a criminal to run code on a targeted machine.

    In Daines' infection, a bug in the virus' code prevented it from doing much damage. Still, several of his operating system files were deleted, several new files were created and several applications, including a program for recording audio, were crippled.

    Behind the scenes, the virus also managed to hijack his instant messaging program so the rogue file was blasted to 10 people on his buddy list.

    ''A lot of Mac users are in denial and have blinders on that say, 'Nothing is ever going to get to us,''' said Neil Fryer, a computer security consultant who works for an international financial institution in Britain. ''I can't say I agree with them.''

    Continued in article


    Video Tutorials

    Protecting Your PC --- Digital Duo --- http://www.pcworld.com/digitalduo/video/0,segid,35,00.asp


    A ray of hope for the new Internet Explorer
    Firefox may still be better at repelling spyware

    "Internet Explorer 7.0 makes waves," PhysOrg, March 1, 2006 --- http://www.physorg.com/news11306.html

    After winning the browser wars and vanquishing its chief competitor, Netscape, the folks at Microsoft decided it was time to take a break from improving its industry standard browser. Without competition the company felt that there was no need to release any new updates. But an upstart open-source group funded in part by Mozilla (the same folks who originally created Netscape) created a new browser called "Firefox" that sparked the brand-new browser wars. While the folks at MS won't admit that Firefox spurred them into action, it's hard to deny that the new beta release of Internet Explorer 7.0 doesn't have more than a passing resemblance to the Firefox browser.

    "Microsoft welcomes competition because it drives innovation which benefits customers. That's a good thing," said a spokesperson for Microsoft. "Ultimately, customers will choose the browser that best meets their needs, and we are confident that most will continue to use Internet Explorer when they evaluate factors such as end-user functionality, site and application compatibility, developer extensibility, enterprise manageability, and security backed by the processes and engineering discipline employed by Microsoft."

    Maybe it's the new interface, or the fact that it's been over three years since the last major release of I.E., but the new version just "feels" different and fresh. It could be the idea that MS has finally added tabbed browsing to Explorer -- one of the key features that made me go with and stick with Firefox -- I always felt Explorer was the better browser, but I became addicted to my precious tabs. Another nice addition to I.E. 7.0 is it now handles bookmarks (or as I.E. calls it "favorites") the same way as Firefox does. Instead of exporting all of your bookmarks as individual folders, I.E. now places everything into a single html index file. Which can be imported into Firefox, and you can now import Firefox bookmarks into I.E., which makes moving between both browsers painfully simple.

    "I.E. 7.0 is the right product, though late in the market. This demonstrates Microsoft's approach to the Internet browser market as being more laid back and reactionary rather than leading the development of new features," said Razvan Neagu, president and chief executive officer of KOMOTION Inc., developer of Web Gallery Wizard.

    One of the major complaints about I.E. has been its lack of compliance with Web standards, part of the problem is, as stated before, it's been three or four years since there was a major release of I.E. And in that time Web development standards have progressed exponentially. While playing around with I.E., I noticed that some Web sites didn't display properly in the new release, while they displayed perfectly fine in the current version. I'm hoping against hope that these are isolated incidents and not a sign of the future, and an indication that 7.0 still has a way to go to be completely standards based.

    A spokesperson for Microsoft said "The IE7 beta 2 preview for Windows XP, which was released to Windows XP testers on 1/31, is considered feature complete. We do however expect to continue development work based on tester feedback and expect to do additional design work and enhancements to application compatibility and fit and finish. At this point we are targeting to release the final product in the second half of 2006."

    Another main draw of the new version of I.E. is all of the new built in security features, starting with its new anti "phishing" filter. The new trend in e-mail spam is for scam artists to create fake websites that resemble popular sites like eBay, PayPal, etc. in attempt to get users to submit their personal account information. I.E. 7.0 anti-phishing filter successfully warned and blocked these sites from showing up. While this is a fantastic new feature, it has a major drawback, the validity of Web sites appears based on whether or not a site has a valid SSL Certificate or not, and you would be surprised at the number of websites that don't have these certifications. Eventually, I had to deactivate the filter, although you can change the settings in the tools menu.

    "IE's top priority is security. While we made great progress with support for CSS 2.0, we knew that we would have to trade off full compatibility with CSS 2.0 for additional work on security," added the Microsoft spokesperson. "We will not pass CSS 2.0, but certainly will evaluate doing that in the future."

    Other new security features include ActiveX Opt-In. This is a malware protection feature that disables nearly all pre-installed ActiveX Controls, and helps prevent potentially vulnerable controls from being exposed to attack. Users can easily enable or disable ActiveX Controls as needed through the Information Bar and the Add-on Manager. Cross-domain script barriers. This feature limits the ability of Web page script to interact with content from other domains or windows to help users keep their personal information out of potentially malicious hands. This new safeguard further protects users against malware by limiting the potential for malicious Web sites to manipulate flaws in other Web sites, or cause users to download undesired content or software onto their PCs.

    International Domain Name Anti-Spoofing. In addition to adding support for International Domain Names in URLs, Internet Explorer 7.0 also notifies the user when similar characters in the URL are not expressed in the same language -- even when the characters look similar across several languages -- thus helping protect the user against sites that would otherwise appear as a known trustworthy site.

    When a new version of I.E. is released everyone has to take notice, its impact on Web development and business owners can't be underestimated.

    "Business strategy always needs to take into account market forces and competitive threats; so, the direction that Microsoft takes is very important," said Neagu. "Unless you're a 100-pound gorilla yourself, you don't want to compete directly with Microsoft. So, there are really two strategies. You can either add value to the marketplace by working with their products, or you must make sure you're in a space that is either small enough or removed enough from Microsoft's strategic interests so that you minimize the possibility of conflict.

    "With our product, Web Gallery Wizard, we maximized both of these strategies. We took advantage of Microsoft's solid .Net framework for rapid development, and we targeted digital photo enthusiasts offering functionality which is underserved by the big players in the market."

    Continued in article


    Video Guide To Securing Your Computer

    I wanted to call attention to a new resource on washingtonpost.com for people who need a little help getting started in securing their computers. We produced a series of "screencasts" or video guides demonstrating some of the basic steps users need to take to stay safe online, including brief primers on choosing and using firewall and anti-virus software, downloading and installing the latest Microsoft Windows patches, and taking advantage of free anti-spyware tools.

    These videos are by no means definitive guides, but I hope they will be of some use to those who find themselves completely intimidated by computer security.
    Brian Krebs, "Video Guide To Securing Your Computer," The Washington Post --- http://blogs.washingtonpost.com/securityfix/2005/05/video_guide_to_.html?referrer=email


     


    Video Tips of the Week for Windows XP

    Enabling the Internet Firewall --- http://channels.lockergnome.com/windows/videotips/1/
    Customizing the Window Taskbar --- http://channels.lockergnome.com/windows/videotips/2/
    Disabling Windows Messenger Service (to reduce spyware) ---
                        http://channels.lockergnome.com/windows/videotips/3/
    Sending E-mail from a Different Address --- http://channels.lockergnome.com/windows/videotips/4/
    Managing Windows Updates --- http://channels.lockergnome.com/windows/videotips/5/
    Selecting a Different Image Viewer --- http://channels.lockergnome.com/windows/videotips/6/
    Logging Security Events --- http://channels.lockergnome.com/windows/videotips/7/
    Using Remote Desktop --- http://channels.lockergnome.com/windows/videotips/8/
    Exploring With Process Explorer --- http://channels.lockergnome.com/windows/videotips/9/
    Defragging With Task Scheduler --- http://channels.lockergnome.com/windows/videotips/10/
    Killing Spyware With Spybot --- http://channels.lockergnome.com/windows/videotips/11/
       Also see (you can change the video number at the end to go to video1, video2, etc.)
       http://www.homenetworkhelp.info/popup.php?popup=podcast-2005-06-11-spyware-video1
    Managing .Net Passports With Windows XP ---
                        http://channels.lockergnome.com/windows/videotips/12/
    Managing E-mail With Outlook Rules (guard against spam) ---
                        http://channels.lockergnome.com/windows/videotips/13/
    Exploring Windows XP Security Center ---              
                        http://channels.lockergnome.com/windows/videotips/14/
    Windows XP Firewall Helper Video --- http://channels.lockergnome.com/windows/videotips/15/
    Internet Explorer's Add-On Manager --- http://channels.lockergnome.com/windows/videotips/16/
    Internet Explorer's Popup Blocker --- http://channels.lockergnome.com/windows/videotips/17/

    The FBI's Internet Fraud and Complaint Center (IFCC FBI) --- Report Internet frauds and crimes here.
    To thwart fraud on the Internet and terror in general, check in and/or report to http://www1.ifccfbi.gov/index.asp

    National Infrastructure Protection Center (NIPC) --- Report infrastructure security incidents here.
    Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from U.S. government agencies, state and local governments, and the private sector in a partnership to protect our nation's critical infrastructures.
    http://www.nipc.gov/
     

    Computer Emergency Response Team (CERT) --- Report computer invasions and viruses here.
    The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. We study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems, and develop information and training to help you improve security at your site.  http://www.cert.org/

    Center for Systems Security and Information Assurance --- http://www.cssia.org/

    Stay Safe Online --- http://www.staysafeonline.info/

    Bob Jensen's threads on Identity Theft --- http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft 

    Pop Up Blocker --- http://www.synergeticsoft.com/

    Recommended Reading:  Getting Smart About Information Security
    Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc., has spent much of his career educating people about digital security. His book, Secrets and Lies: Digital Security in a Networked World, serves as a non-technical introduction to the full, messy complexity of digital security.
    "Recommended Reading:  Getting Smart About Information Security," The Wall Street Journal,   July 18, 2005; Page R2 --- http://online.wsj.com/article/0,,SB112060620712177906,00.html?mod=todays_us_the_journal_report

    Information Warfare Weapons --- http://www.trinity.edu/rjensen/acct5342/infowar.pdf

    The World Wide Web Security FAQ ---  http://www.w3.org/Security/Faq/www-security-faq.html

    Trinity students may access this at
    J:\courses\ACCT5342\readings\WWWsecurity\The WWW Security FAQ.htm

    CIAC Notes

    http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-01.html
     

    http://www.alw.nih.gov/Security/CIAC-Notes/CIAC-Notes-02.html

    2005 Anti-Virus product comparison guide ---
    http://www.tips-it.com/product.php?x_user_number=305788&pid=13&smb=1&emailid=WNN081605


    All you have to do is open the message, nothing else
    Microsoft's Newest Bug Could Be Awful, Researcher Says

    Forget the WMF problems; the really big issue could be with the flaw in Outlook and Exchange that Microsoft disclosed on Tuesday. All that's required to exploit this is an e-mail message.
    Gregg Keizer, "Microsoft's Newest Bug Could Be Awful, Researcher Says," InformationWeek, January 11, 2006 ---  http://www.informationweek.com/story/showArticle.jhtml?sssdmh=dm4.163111&articleID=175803695
    "What I find bizarre is that there's still all this focus on the WMF [Windows Metafile] bug," said Mark Litchfield, the director of NGS Software, a U.K.-based security company, and one of the two researchers credited by Microsoft with the discovery of the TNEF (Transport Neutral Encapsulation Format) vulnerability.

    "This one has massive financial implications if someone exploits it," Litchfield said.

    The TNEF vulnerability, which Microsoft spelled out in the MS06-003 security bulletin, is a flaw in how Microsoft's Outlook client and older versions of its Exchange server software decode the TNEF MIME attachment. TNEF is used by Exchange and Outlook when sending and processing messages formatted as Rich Text Format (RTF), one of the formatting choices available to Outlook users.

    "All that's required to exploit this is an e-mail message," said Litchfield. No user interaction is needed to compromise an Exchange 5.0, 5.5, or 2000 server; all that's necessary is to deliver a maliciously-crafted e-mail to the server.

    It's that characteristic, as well as the ease with which an attack could spread, that has Litchfield so worried.

    "You could take over an Exchange server with a single, simple e-mail," he said. "From there you could target all the clients accessing that server. You would 'own' any Outlook client that connects to that server. Then an attacker could grab the Outlook users' address books.

    Continued in article

    "Unknown Attacks: A Clear and Growing Danger,"  by Secure Computing, InformationWeek, January 2006 --- http://snipurl.com/UnknownAttacks 

    More on security threats and hoaxes --- http://www.trinity.edu/its/virus/


    "Everyone Wants to 'Own' Your PC," by Bruce Schneier, Wired News, May 4, 2006 --- http://www.wired.com/news/columns/0,70802-0.html?tw=wn_index_4

    You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.

    Using the hacker sense of the term, your computer is "owned" by other people. 

    It used to be that only malicious hackers were trying to own your computers. Whether through worms, viruses, Trojans or other means, they would try to install some kind of remote-control program onto your system. Then they'd use your computers to sniff passwords, make fraudulent bank transactions, send spam, initiate phishing attacks and so on. Estimates are that somewhere between hundreds of thousands and millions of computers are members of remotely controlled "bot" networks. Owned.

    Now, things are not so simple. There are all sorts of interests vying for control of your computer. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require. And there are software companies that are trying to make money by pleasing not only their customers, but other companies they ally themselves with. All these companies want to own your computer.

    Some examples:

    • Entertainment software: In October 2005, it emerged that Sony had distributed a rootkit with several music CDs -- the same kind of software that crackers use to own people's computers. This rootkit secretly installed itself when the music CD was played on a computer. Its purpose was to prevent people from doing things with the music that Sony didn't approve of: It was a DRM system. If the exact same piece of software had been installed secretly by a hacker, this would have been an illegal act. But Sony believed that it had legitimate reasons for wanting to own its customers’ machines.

       

    • Antivirus: You might have expected your antivirus software to detect Sony's rootkit. After all, that's why you bought it. But initially, the security programs sold by Symantec and others did not detect it, because Sony had asked them not to. You might have thought that the software you bought was working for you, but you would have been wrong.

       

    • Internet services: Hotmail allows you to blacklist certain e-mail addresses, so that mail from them automatically goes into your spam trap. Have you ever tried blocking all that incessant marketing e-mail from Microsoft? You can't.

       

    • Application software: Internet Explorer users might have expected the program to incorporate easy-to-use cookie handling and pop-up blockers. After all, other browsers do, and users have found them useful in defending against internet annoyances. But Microsoft isn't just selling software to you; it sells internet advertising as well. It isn't in the company's best interest to offer users features that would adversely affect its business partners.

    Business-Technology: Security Threats Galore, But No Worries Here
    Taken together, you begin to get the full, unsettling picture of information security today. Automated bot attacks, Windows bulletins by the dozen, a new breed of business worms, risk of heap overflow in Cisco's IOS, the underground's new fascination with unpatched holes in 20 types of applications and devices. And that doesn't even include problems caused by spyware or phishing, or customer-data breaches, or the complications of wireless networks and devices, or CDs with hidden rootkits, or the Sober worm variants spreading again. With all of this going on, how do you explain the fact that so few security and IT professionals feel things have gotten worse? It's possible they have systems in place to ward off ill-intended probes, keep software patched, and protect customer records. Maybe the bullets are bouncing off. That, or maybe security at their companies isn't as good as it seems.
    John Foley, "Business-Technology: Security Threats Galore, But No Worries Here," InformationWeek Newsletter, November 29, 2005

    "Two More Ways to Fight Viruses, for Free," by Rob Pegoraro, The Washington Post, November 28, 2005 --- http://snipurl.com/PegoraroNov28

    But you don't have to. For several years, two Czech software developers have offered free versions of their anti-virus programs to home users. These no-charge downloads don't offer every feature provided by McAfee Inc. and Symantec Corp., the two security developers whose programs come pre-installed on most Windows PCs. But when put to the same tests as software from the Big Two, they did the job almost as well and with less fuss.

    Both of these freebies -- Avast 4 Home Edition, from Prague's Alwil Software, and AVG Free Edition, from Brno-based Grisoft Inc. -- can be installed only on home computers that aren't put to any business or commercial use. (Income from sales to businesses and organizations covers the cost of this exercise in Internet charity.)

    These two programs share a few welcome traits. Both are relatively small downloads -- almost 10 megabytes for Avast, just under 15 for AVG -- that tout compatibility with systems as old as Windows 95. And both automatically download updates every day and allow quick manual updates.

    With Avast ( http://www.avast.com/eng/free_virus_protectio.html ), the major selling point is a greater sense of security. After a refreshingly fast install, Avast automatically scans your computer for trouble before allowing Windows to boot up -- a helpful precaution if the computer may already be infected.

    Continued in article

    Auntie Spam's Net Patrol ---
    http://www.aunty-spam.com/deleting-email-leads-to-145billion-judgement-against-company/

    Cagey Consumer --- http://cc.edumacation.com

    Latest security threats and hoaxes --- http://www.trinity.edu/its/virus/

    25 Hottest Urban Legends (hoaxes) --- http://www.snopes.com/info/top25uls.as

    JUNKBUSTERS Anti-Telemarketing Script http://www.junkbusters.com/script.html 

    From the Scout Report on July 14, 2005

    Powerful Cookies 1.0.7
    http://www.freewebs.com/powerfulcookies/


    For those people who are concerned about erasing evidence of their Internet activity stored in their browser, Powerful Cookies 1.0.7 may be worth taking a look at. Visitors can use this program to delete cookies, clean index.dat files, clean the cache, remove temporary files, and erase typed URLs. This application is compatible with Windows 95 or newer.


    The Sorry State of ID Theft
    One of the most popular stories on our site over the last two weeks was PIN Scandal 'Worst Hack Ever'; Citibank Only The Start, followed closely by International Citibank Customers Shaken By Data Breach. Day after day, one or both made our list of the five most popular headlines. I'm guessing another story, about two large botnets hacking into users' online shopping carts to steal credit card numbers, bank account details, and log-on passwords, will grab similar reader interest. Little wonder. The banks involved in the first story were huge, with huge IT budgets and even bigger data stores. We all bank and use ATMs, and many use debit cards. And regards the second story, most of us shop, to varying degrees, online. It just isn't hard to imagine yourself as one of the current--or future--victims of these scams or dubious security policies.
    Patricia Keefe, "Securing A Solution To Data Theft," InformationWeek Daily, March 21, 2006

    The High Cost Of Data Loss
    Sensitive personal data has been misplaced, lost, printed on mailing labels, posted online, and just left around for anyone to see. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.
    Elena Malykhina et al., InformationWeek, March 20, 2006

    How many ways are there to expose sensitive personal data? One company misplaces a backup tape; another puts customers' Social Security numbers onto mailing labels for anyone to see. Others lose laptops, inadvertently post private information online, or leave documents exposed to prying eyes. The possibilities are endless--as we're learning with every new revelation of a data breach or hack or inexcusable lapse in secure business practices. By one estimate, 53 million people--including consumers, employees, students, and patients--have had data about themselves exposed over the past 13 months.

    This sorry state of affairs is taking its toll: fines, lawsuits, firings, damaged reputations, spooked customers, credit card fraud, a regulatory crackdown, and the expense of fixing what's broken. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about

    Continued in a long article


    In parts to follow, I will define and elaborate on various terminologies of computer and networking security.  For help in preventing and overcoming invasions, I especially recommend the links provided by Yahoo below:

     

    Yahoo Security and Encryption Guides --- http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/ 


    Microsoft to Bundle Anti-Spyware App With Windows
    Microsoft said Friday that it plans to bundle its "Windows Anti-Spyware" tool with Windows Vista, the chronically delayed next version of the company's operating system. Microsoft also decided to rename the program "Windows Defender," in part to give it "a more positive name." The announcement, like others of late, was posted on one of the numerous blogs on Microsoft's site that catalog the daily doings of the software giant's many technical divisions. But this news -- for me, anyway -- was more than just a press release issued via a breezy blog post. It offered a glimpse of something Redmond hinted it was going to do years ago, but which has only recently become more of a reality: ship antivirus and anti-spyware updates to hundreds of millions of Windows computers every day through its Windows/Microsoft Update feature.
    Brian Krebs, "Microsoft to Bundle Anti-Spyware App With Windows," The Washington Post, November 7, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/11/microsoft_to_bu.html?referrer=email




    This module may seem a little off topic.  But it fits nicely into past AECM threads about Big Brotherism in the age of technology.  David Fordham expressed it well by stating that almost anything about a person is either available for free or for sale.  It is in the spirit of those threads that I forward the following tidbit.  Those of you with liberal arts backgrounds may especially like this tidbit.  My threads on this are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#Cellphones

    Bob

    "Making Ideas Beautiful:  Do art and ideas mix? It depends on who's stirring the pot," by Terry Teachout, The Wall Street Journal, December 10, 2005; Page P15 ---
     http://online.wsj.com/article/SB113416176976318692.html?mod=todays_us_pursuits

    Sometimes a heartfelt compliment can blow up in the recipient's face, as when T.S. Eliot said of Henry James that he had "a mind so fine that no idea could violate it," thus making him sound like a plot-spinning idiot savant. What Eliot really meant was that James understood how an artist who dabbles in ideas can lose sight of the true purpose of art, which is (as Renoir said) to "make everything more beautiful." You can't paint a picture of E = mc², or compose a symphony about the law of supply and demand. Nevertheless, art is so effective at swaying men's minds that there have always been cultural commissars prepared to enlist it in the service of ideas by any means necessary -- including brute force.

    To see what happens when politicians ram ideas down artists' throats, take a trip to "Russia!" This once-in-a-lifetime blockbuster show of Russian art from the 12th century to the present, on display at the Guggenheim Museum through Jan. 11, is billed as "the most comprehensive and significant exhibition of Russian art outside Russia since the end of the Cold War." It's that, for sure, but it's also an object lesson in the power of ideas to hijack a great culture.

    In the '30s and '40s, Russian artists were expected not merely to toe the Marxist line, but to embody it in their work. Unless you wanted to end up in the Gulag -- or worse -- you did what Stalin said. The deliberately anti-modern style that resulted, known as "socialist realism," was a crude burlesque of 19th-century realism in which the Soviet Union was portrayed as a proletarian paradise. Visual artists had an especially tough time of it, for the once-thriving Russian avant-garde was replaced overnight by a school of simple-minded poster artists who specialized in cheery canvases with titles like "Collective Farm Worker on a Bicycle." To stroll through "Russia!" is to be stupefied by the sheer banality of the assembly-line art these brush-wielding apparatchiks cranked out.

    That's one kind of idea-driven art in which the artist illustrates ideas, often with the intention of bludgeoning others into embracing them. But there's another kind, in which an idea is so radically transformed by the artist that the resulting work of art floats free from its initial inspiration, taking on the haze of ambiguity that is part and parcel of beauty.

    I saw a wonderful example of the latter kind of art last week at Brooklyn's BAM Harvey Theater. "Super Vision" is an evening-long piece of performance art created by the Builders Association, a New York-based touring experimental theater troupe, in collaboration with dbox, the multidisciplinary design studio. On paper it sounds like a "Nineteen Eighty-Four"-style documentary about how governments and corporations misuse the mountains of personal data they collect from private citizens. In the theater, though, "Super Vision" blossoms into something completely different, a computer-enhanced visual poem about the pitfalls and promise of life in the information age.

    "Super Vision," which is being performed this weekend at Montclair State University in Montclair, N.J. (for a tour itinerary, go to www.superv.org ), consists of three interwoven stories in which six actors move through a breathtakingly complex series of digitally generated three-dimensional projections. In one story line, a computer-savvy swindler named John steals his young son's identity, uses it to run up $400,000 in debt, then vanishes. John and his wife are played by real-life actors, but John Jr. exists only as a video image, while the suburban house in which they live is entirely animated.

    Again, this bald description makes "Super Vision" sound like a technical tour de force -- which it is. Yet it's far more than that. "I think of the stories in 'Super Vision' as the emotional side of data," explains Marianne Weems, the show's director. "The point is to bring visceral sensation and visual impact to these stories -- and as we move more deeply into interpreting the factual material on which they're based, we move away from the literal."

    This is what lifts "Super Vision" out of the pedestrian realm of the purely factual. Yes, Ms. Weems and her collaborators are rightly disturbed by what she calls "this new form of surveillance and its constant incursions into the realm of our selves." But instead of preaching a strident sermon about how "dataveillance" threatens the right to privacy, they've transformed their fears into a fast-flowing stream of nonliteral images that stick in your mind like the swirling colors of an abstract painting. Just when John, the identity thief, thinks he's gotten away clean, you see in the distance what looks like a flock of birds. Then, as it draws nearer, you realize that it's actually a cloud of computer-generated data points hurtling through the air to chase him down. That's not politics -- it's poetry. And it's the quintessence of "Super Vision," a work of theatrical alchemy in which ideas are turned into art by making them more beautiful.


    "Viral cure could 'immunise' the internet," Kurt Kleiner, NewScientist, December 1, 2005 --- http://www.newscientist.com/article.ns?id=dn8403

    Some researchers have developed artificial "immune systems" that automatically analyse a virus, meaning a fix can be sent out more rapidly. In practice, however, computer viruses still tend to spread too quickly.

    Now Eran Shir and colleagues at Tel-Aviv University in Israel have applied network theory to the problem, and believe they have come up with a more effective solution.

    Part of the problem, the researchers say, is that countermeasures sent from a central server over the same network as the virus it is pursuing will always be playing catch-up.

    They propose developing a network of "honeypot" computers, distributed across the internet and dedicated to the task of combating viruses. To a virus, these machines would seem like ordinary vulnerable computers. But the honeypots would attract a virus, analyse it automatically, and then distribute a countermeasure.

    Healing hubs

    But the honeypots would be linked to one another via a dedicated and secure network. This way, once one has captured a virus, all the others will quickly know about the infection immediately. Each honeypot then acts as a hub of healing code which is disseminated to computers connected to it. The countermeasure then spreads out across the broader network.

    Simulations show that the larger the network grows, the more efficient this scheme should be. For example, if a network has 50,000 nodes (computers), and just 0.4% of those are honeypots, just 5% of the network will be infected before the immune system halts the virus, assuming the fix works properly. But, a 200-million-node network – with the same proportion of honeypots – should see just 0.001% of machines get infected.

    Security measures, such as encryption, would be needed to prevent viruses from exploiting the honeypot network.

    "They've shown it is possible to use this epidemically spreading immune agent to good advantage," says Jeff Kephart, a computer scientist at IBM in Hawthorne, New York, US. "The next step would be to look more carefully at the benefits and costs of this approach. I see promise in it."

    The paper only discusses the mathematical model, and there is no effective implementation as yet. But Shir plans to release a simple example program soon and hopes that volunteers or a company will eventually implement the real thing across the internet.

    Journal reference: Nature Physics (DOI: 10.1038/nphys177).


    Walt's Warnings About File Sharing

    "The Practical Case Against File Sharing," by Walter Mossberg, The Wall Street Journal, October 20, 2005 --- http://online.wsj.com/article/SB112976373382173735.html?mod=todays_us_marketplace 

    Q:
    Are there problems with using file-swapping sites like Kazaa, as long as you have a good antivirus protection program? I don't mind paying for individual songs, but other sites like iTunes or Rhapsody often don't have the songs I want.

    A:
    Yes, there are problems. The first are the ethical and legal issues arising from obtaining somebody else's copyrighted intellectual property without paying for it, from a person who isn't licensed or authorized to distribute it. The other sites you mention, iTunes and Rhapsody, are legally licensed to distribute music. Kazaa and its ilk aren't, nor are the people who make music available through them. Your argument is like rationalizing buying stolen TVs because your local Best Buy didn't have the model you wanted.

    If your conscience can get past that, there are practical issues. These sites are major transmitters not only of viruses, but of spyware, which your antivirus program can't stop. Even if your PC has a full, up-to-date security suite, with antispyware software, you are asking for trouble by downloading from "file swapping" sites. Many of the people I hear from who have had to take drastic, costly steps to save heavily infected PCs attribute their problems to the fact that their kids were frequenting file-sharing sites.

    Bob Jensen's threads on file sharing are at http://www.trinity.edu/rjensen/napster.htm


    Telling Computers How to Keep Secrets
    The home version of Windows XP (unlike Apple's two most recent Mac OS X releases) can't lock up your important data, but other developers have come up with tools for this task. You just have to decide which of these three qualities is most important to you: simplicity, price or capabilities. The easiest data-protection software we tested was Steganos Safe 8 (Win 2000 or newer, $30 at http://www.steganos.com/ ). It creates a "secure drive," an encrypted, password-protected file that houses whatever files you choose to put in it. When the secure drive is unlocked, it works just like a regular drive, but when locked, it turns into a single file filled with encrypted gibberish.
    Kevin Savetz, "Telling Computers How to Keep Secrets," The Washington Post, July 3, 2005 --- http://www.washingtonpost.com/wp-dyn/content/article/2005/07/02/AR2005070200116.html?referrer=email

    Kim Zetter, "ID Theft: What You Need to Know," Wired News, June 29, 2005 --- http://www.wired.com/news/privacy/0,1848,68032,00.html?tw=wn_tophead_8

    What should I do if my wallet or purse is lost or stolen?

    Immediately contact all three credit reporting agencies -- Equifax, Experian and TransUnion -- and have them place a fraud alert on your account. This means that companies issuing new credit accounts in your name will have to call you to obtain permission first. The alert will last for 90 days only. You can extend the alert to seven years, but only if you've been a victim of identity theft and can provide a police report.

    Equifax: 1.800.525.6285

    Experian: 1.888.397.3742

    TransUnion: 1.800.680.7289

    In addition to contacting the credit reporting agencies, you should file a police report if your property was stolen. Close any accounts that you think may have been compromised by the loss or theft. The FTC provides more information and a chart to tick off steps you should take.

    What can I do to prevent myself from becoming a victim?

    There isn't really anything you can do to prevent identity theft. As long as Social Security numbers are used for purposes other than Social Security, you are at risk of having your identity stolen any time someone has access to documents that carry your number and other personal data. There are, however, things you can do to lower your risk of becoming a victim.

    • Review monthly financial statements carefully for fraudulent activity.
    • Request a free copy of your credit report from a credit-reporting agency once a year to examine it for fraudulent activity. A new law requiring credit reporting agencies to provide a free annual report goes into effect nationwide in September. Until then, it's in effect only in western and Midwestern states. The credit report will show who requested access to your credit record. Look for requests from companies you haven't done business with and tell credit-reporting agencies if you see credit accounts that you didn't open or debts you didn't incur. Check to see that your name and address are correct.
    • Don't give your Social Security number to any business that doesn't really need it.
    • Cross shred sensitive documents. Thieves have been known to piece together strips of paper that are shredded only once. Cross-shredders double-shred documents.
    • Shred pre-approved credit-card offers before tossing them in the garbage.
    • Don't store sensitive personal information, such as bank account numbers and passwords, on home computers or handheld devices.
    • Install a firewall and anti-virus software on your computer and keep the virus definitions up to date to prevent viruses and Trojan horses from infecting your computer and feeding personal information back to hackers.
    • Don't fall for phishing scams. Phishing occurs when someone sends you an e-mail purporting to be from your bank or other company you do business with and requesting you to update your account information.
    • Use specially designed software programs to clean data from your computer before you sell or discard it. Simply deleting files will not remove data from the memory.
    • Don't carry any documents in your wallet that have your Social Security number on them, including your medical card or military ID, on days when you don't need the card.
    • Opt-out when your bank or other financial institution requests permission to share information about you with other businesses.
    • Close all credit-card accounts except the one or two that you really need.
    • If you are an identity theft victim and live in one of ten states, including California, Colorado, Louisiana, Maine, Texas, Vermont or Washington, consider placing a "freeze" on your credit report so that no one can access it without your permission. More than 20 additional states are considering passing similar legislation. Creditors need to look at your report before granting you credit. By freezing your report, it will prevent unauthorized people from seeing your personal data and it will prevent creditors from opening a new credit account in your name for an impostor. Some states only let victims of identity theft freeze their records. Other states allow anyone to freeze their record. The State Public Interest Research Groups maintains a list of states with freeze laws.

    Bob Jensen's guides on how to report fraud --- http://www.trinity.edu/rjensen/FraudReporting.htm

    Bob Jensen's helpers on identity theft --- http://www.trinity.edu/rjensen/FraudReporting.htm#IdentityTheft

     

    A government Website on Cybercrime --- http://www.usdoj.gov/criminal/cybercrime/

    FCC Posts Lists of Sites That Send Spam to Cell Phones --- http://www.technologyreview.com/articles/05/02/ap/ap_2020805.asp?trk=nl 

    "Blocking Cellphone Spam," by Debra Goldschmidt, The Wall Street Journal,  January 3, 2006; Page D1 --- http://online.wsj.com/article/SB113625263355436073.html?mod=todays_us_personal_journal

    The Problem:
    You're paying for all the unwanted text messages you get on your cellphone.

    The Solution:
    Unwanted text messages usually come from two sources: telemarketers or friends who do more typing than talking.

    The first is called cell spam -- illegal solicitations. Most service providers use anti-spam programs but nothing is foolproof. If you receive cell spam, ask your cellphone company to deduct the cost of that message from your next bill. You can also file a complaint with the Federal Communications Commission at www.fcc.gov.

    So-called friendly fire text messages are those from people you know -- such as your teenager's friends who inadvertently run up your bill. To combat these, most service providers allow you to log onto their Web site to block a limited number of phone numbers from sending you messages. If you have Cingular or Verizon, you can ask to disable the text messaging function on your phone -- or your teenager's phone.

     


    "Adobe PDF Patch Plugs Data Leak Threat," by Brian Krebs, The Washington Post, June 20, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/06/adobe_pdf_patch.html?referrer=email

    According to Adobe, the latest version gets rid of a fairly serious security flaw. By convincing a target to download a specially crafted PDF document, attackers could "discover the existence of local files," -- i.e., read documents on the victim's computer. Adobe says that threat is minimized because the attacker would have to know the exact name and location of the files he was searching for to be able to leverage the security flaw.

    Anyway, you can update using the automatic updater bundled with Adobe, or visit Adobe's download site to install the fix manually. Adobe says it is working on a fix for Mac users. If any Mac users are concerned about this vulnerability, this page has instructions on how to disable Javascript in Adobe.

    By the way, if you browse the Web using Mozilla's Firefox Web browser and have always had trouble loading PDF documents, you might consider following the advice here to fix the problem. Just scroll down to the question in the FAQ that reads "Why do Adobe pdf files load slowly in Windows?" For the longest time I put off researching a tweak for this problem. Mozilla says it's because Adobe Reader for Windows loads lots of unused plugins on startup.


    "The State Of Internet Security," by Fahmida Y. Rashid, Forbes, June 14, 2005 --- http://www.forbes.com/technology/2005/06/14/verisign-internet-security-cx_fr_0614verisign.html

    E-mails from Nigeria asking for your help in transferring money. Important information about compromised bank accounts.

    While the scams that daily flood our e-mail in-boxes show no signs of abating, there is some good news for the users who have to sort through them all. So says VeriSign, in its latest "State of Internet Security" address covering the first three months of 2005.

    Phishing attacks--the attempted theft of information such as user names, passwords or credit-card numbers--are increasingly more sophisticated, VeriSign said. But the company, which lives by the sale of computer security software, says phishing attacks are less profitable than they used to be, and of shorter duration, since affected companies work with Internet service providers to shut down sites capturing the information.

    Pharming, also known as DNS spoofing because it fools the domain-name system, is an alternative technique that tries to direct users to a fake Web site even when the correct address is entered into a browser. "It's as if you looked up a number in the phone book," says Phillip Hallam-Baker, a Web security expert at VeriSign, "but someone somehow changed the number, managed to swap the phone book on you."

    VeriSign's report lists ways to lock down DNS infrastructure to shut down pharming. It encourages administrators to upgrade their DNS software and to install cryptography solutions. Hallam-Baker feels that pharming attacks that depend on cached information could be eliminated fairly easily. Pharming attacks infrastructure, so the company in charge of that segment could prevent further attacks by upgrading necessary components.

    Continued in article

    Links to the ISIB report are given at
    http://www.verisign.com/verisign-inc/news-and-events/news-archive/us-news-2005/page_030922.html

     


    Tired of Computer Viruses, Spyware, and all the Other Microsoft Diseases?
    Switch to a Mac

    If you switch to a Mac, a must book is Mac OS X: The Missing Manual by David Pogue --- http://www.amazon.com/exec/obidos/tg/detail/-/0596000820/002-3743809-1628824?v=glance

    This book explains how to translate what you liked to do in Windows into how to do the same things on a Mac.


    It's been proven, there is life after death
    Identity theft isn't among the risks of medical treatment -- such as infection -- listed on the standard release form that patients sign. But there's evidence that identity thieves are starting to target medical patients. 
    Kevin Helliker, "A New Medical Worry: Identity Thieves Find Ways To Target Hospital Patients," The Wall Street Journal, February 22, 2005, Page D1 --- http://online.wsj.com/article/0,,SB110902598126260237,00.html?mod=todays_us_personal_journal 

    Just this weekend, the University of Chicago Hospitals reported that a former employee had stolen identity information from as many as 85 patients. In recent years, rings of thieves stole the identities of more than 15 such patients in Iowa, 30 in Minnesota and nearly 50 in Indiana. During the past two years, the state of Michigan has prosecuted more than 20 cases involving medical-patient identity theft, many involving multiple victims, Michigan Attorney General Mike Cox says.

    Hospital patients are vulnerable in part because they are unlikely to detect anything amiss. Some may never leave the hospital. A team of alleged identity thieves arrested in 2003 in New Jersey were targeting the terminally ill, according to police.

    Continued in article


    Hackers are turning digital rights management features of Microsoft's Windows Media Player against users by fooling them into downloading massive amounts of spyware, adware, and viruses.  A year after it went into effect, the federal CAN-SPAM Act is a "miserable" failure, a messaging security firm that monitors compliance with the anti-spam legislation says.  The United States was the 800-pound spam-spewing gorilla throughout 2004, a spot it held from wire to wire throughout the year, an anti-virus firm says.  Federal judge grants restraining order shutting down six porn purveyors.
    Information Week's Updates on Spam (including how spyware burglars and spammers stay ahead of all efforts to stop them) --- http://snipurl.com/spamJan19


    "Beware Web Hitchhikers," CBS News, December 31, 2004 --- http://www.cbsnews.com/stories/2004/12/31/eveningnews/consumer/main664185.shtml 

    One of the big-sellers this holiday season is the wireless router, which lets you link your computer to the Internet from any room in the house.

    But as CBS News Correspondent Vince Gonzales reports, the problem is that strangers on the street can also hook up to the net -- through your router.

    It's called "war-driving" -- prowling neighborhoods, searching for open wireless networks that offer a free ride onto the Internet.

     

     


    Surprise, Surprise!
    In features, and especially in security protection, Microsoft's Internet Explorer is well behind the alternatives.

     


    "Security, Cool Features Of Firefox Web Browser Beat Microsoft's IE," Walter Mossberg, The Wall Street Journal, December 30, 2004, Page B1 --- http://online.wsj.com/article/0,,SB110435917184512320,00.html?mod=todays_us_marketplace 

    Microsoft's Internet Explorer Web browser is one of the most important, and most often used, programs on the world's personal computers, relied upon by more than 90% of Windows users. But Microsoft hasn't made any important functional improvements in Internet Explorer for years.

    The software giant has folded IE into the Windows operating system, and the browser only receives updates as part of the "Windows update" process. In recent years, most upgrades to IE have been under-the-hood patches to plug the many security holes that have made IE a major conduit for hackers, virus writers and spyware purveyors. The only visible feature added to IE recently: a pop-up ad blocker, which arrived long after other browsers had one.

    Meanwhile, other people have been building much better browsers, just as Microsoft itself did in the 1990s, when it challenged and eventually bested the then-dominant browser, Netscape Navigator. The most significant of these challengers is Firefox, a free product of an open-source organization called Mozilla, available for download at www.mozilla.org. Firefox is both more secure and more modern than IE, and it comes packed with user-friendly features the Microsoft browser can't touch.

    Firefox still has a tiny market share. But millions of people have downloaded it recently. I've been using it for months, and I recommended back in September that users switch to it from IE as a security measure. It's available in nearly identical versions for Windows, the Apple Macintosh, and the Linux operating system.

    There are some other browsers that put IE to shame. Apple's elegant Safari browser, included free on every Mac, is one. But it isn't available for Windows. The Opera browser is loaded with bells and whistles, but I find it pretty complicated. And NetCaptor, my former favorite, is very nice. But since it's based on the IE Web-browsing engine, it's vulnerable to most of IE's security problems.

    Firefox, which uses a different underlying browsing engine called "Gecko," also has a couple of close cousins based on the same engine. One is Netscape, now owned by America Online. The other is a browser called Mozilla, from the same group that created Firefox. But Firefox is smaller, sleeker and newer than either of its relatives, although a new Netscape version is in the works.

    Firefox isn't totally secure -- no browser can be, especially if it runs on Windows, which has major security problems and is the world's top digital target. But Firefox has better security and privacy than IE. One big reason is that it won't run programs called "ActiveX controls," a Microsoft technology used in IE. These programs are used for many good things, but they have become such powerful tools for criminals and hackers that their potential for harm outweighs their benefits.

    Firefox also has easier, quicker and clearer methods than IE does for covering your online tracks, if you so choose. And it has a better built-in pop-up ad blocker than IE.

    But my favorite aspect of Firefox is tabbed browsing, a Web-surfing revolution that is shared by all the major new browsers but is absent from IE. With tabbed browsing, you can open many Web pages at once in the same browser window. Each is accessed by a tab.

    The benefits of tabbed browsing hit home when you create folders of related bookmarks. For instance, on my computer I have a folder of a dozen technology-news bookmarks and another 20 or so bookmarks pointing to political Web sites. A third folder contains 15 or so bookmarks for sites devoted to the World Champion Boston Red Sox. With one click, I can open the entire contents of these folders in tabs, in the same single window, allowing me to survey entire fields of interest.

    And Firefox can recognize and use Web sites that employ a new technology called "RSS" to create and update summaries of their contents. When Firefox encounters an RSS site, it displays a special icon that allows you to create a "live" bookmark to the site. These bookmarks then display updated headlines of stories on the sites.

    Firefox also includes a permanent, handy search box that can be used to type in searches on Google, Yahoo, Amazon or other search sites without installing a special toolbar.

    And it has a cool feature called "Extensions." These are small add-on modules, easy to download and install, that give the browser new features. Among the extensions I use are one that automatically fills out forms and another that tests the speed of my Web connection. You can also download "themes," which change the browser's looks.

    There is only one significant downside to Firefox. Some Web sites, especially financial ones, have chosen to tailor themselves specifically for Internet Explorer. They rely on features only present in IE, and either won't work or work poorly in Firefox and other browsers.

    Luckily, even if you switch to Firefox, you can still keep IE around to view just these incompatible sites. (In fact, Microsoft makes it impossible to fully uninstall IE.) There's even an extension for Firefox that adds an option called "View This Page in IE."

     


    "Barbarians at the Digital Gate," by Timothy L. O'Brien and Saul Hansell, The New York Times, September 19, 2004 --- http://www.nytimes.com/2004/09/19/business/yourmoney/19gator.html 

     

    KARSTEN M. SELF, who oversees a children's computer lab at a youth center in Napa, Calif., spends about a half-hour each morning electronically scanning 10 PC's. He is searching for files and traces of code that threaten to hijack the computers by silently monitoring the children's online activities or by plastering their screens with dizzying - and nearly unstoppable - onslaughts of pop-up advertisements.

    To safeguard the children's computers, Mr. Self has installed a battery of protective software products and new Web browsers. That has kept some - but by no means all - of the youth center's digital intruders at bay. "You would expect that you could use these systems in a safe and sane way, but the fact of the matter is that you can't unless you have a fair amount of knowledge, time to fix the problems and paranoia," he said.

    The parasitic files that have beset Mr. Self and other frustrated computer users are known, in tech argot, as spyware and adware. The rapid proliferation of such programs has brought Internet use to a stark crossroads, as many consumers now see the Web as a battlefield strewn with land mines.

    At the same time, major advertisers and big Internet sites are increasingly tempted by adware's singular ability to display pop-up ads exactly when a user has shown interest in a particular service or product.

    "Adware has its place, but to grab market share I think a lot of companies are doing things that make consumers feel betrayed," said Wayne Porter, co-founder of Spyware-Guide.com, a Web site that tracks adware and spyware abuses. "I think we're at a very important inflection point that is going to decide how the Internet operates."

    Continued in the article


     

    The link below was forwarded by Helen Terry
    "Digital mafia hitting Web sites in protection racket," by Joseph Menn, Los Angeles Times, October 26, 2004 --- http://www.chron.com/cs/CDA/ssistory.mpl/front/2867289 

    To an old-time bookie like Mickey Richardson, $500 in protection money was chump change.

    So when he got an e-mail from gangsters threatening to bring his online sports betting operation to its knees, he paid up.

    Before long, though, the thugs wanted $40,000. And that ticked him off.

    "I'm stubborn," said Richardson, who runs Costa Rica-based BetCRIS.com. "I wanted to be the guy that says, 'I didn't pay, and I beat them.'"

    Richardson couldn't figure the odds, but he was determined to fight what's fast becoming the scourge of Internet-based businesses: high-tech protection rackets in which gangs of computer hackers choke off traffic to Web sites whose operators refuse their demands.

    Rather than brass knuckles and baseball bats, the weapons of choice for these digital extortionists are thousands of computers. They use them to launch coordinated attacks that knock targeted Web sites off-line for days, or even weeks, at a time.

    The shakedowns generate millions of dollars. Many Internet operators would rather pay protection money than risk even greater losses if their Web sites go down.

    After more than a year perfecting their techniques on gambling and pornographic Web sites, the gangs are starting to turn their talents to mainstream e-commerce operations.

    "It's pretty much a daily occurrence that one of our customers is under attack, and the sophistication of the attacks is getting better," said Ken Silva, a vice president at VeriSign Inc., the company that maintains the ".com" and ".net" domain name servers and provides security to many firms.

    • Last month, Authorize.net, one of the biggest credit-card-services processors for online merchants, was hit repeatedly over two weeks, leaving thousands of businesses without a means to charge their customers.

    • In April, hackers silenced Card Solutions International, a Kentucky company that sells credit card software over the Web, for a week after its owner refused to pay $10,000 to a group of Latvians. Only after switching Internet service providers could the company come back online.

    • In August, a Massachusetts businessman was indicted on charges of orchestrating attacks on three television-services companies -- costing one more than $200,000. The case against Saad Echouafni is one of the rare instances in which alleged attackers have been identified and charged. Echouafni skipped bail.

    Many more attacks go unreported. "You're just seeing the tip of the iceberg," said Peter Rendall, chief executive of the Internet filter maker Top Layer Networks.

    Richardson was intent on keeping his ship afloat.

    BetCRIS, short for Bet Costa Rica International Sportsbook, takes about $2 billion in bets every year from gamblers around the world. Most are placed online. After customers complained early last year that the Web site seemed sluggish, Richardson felt a little relieved when an anonymous hacker e-mailed an admission that he had launched a denial-of-service attack against BetCRIS.

    The hacker wanted $500, via the Internet payment service e-Gold.

    That seemed like a bargain to Richardson. He paid up and promptly spent thousands more on hardware designed to weed out unfriendly Web traffic. "I was thinking if this ever happens again," he said, "we won't have a problem."

    The Saturday before Thanksgiving, Richardson found out how wrong he was. An e-mail demanded $40,000 by the following noon. It was the start of one of the biggest betting weeks of the year, with pro and college football as well as basketball.

    Richardson didn't respond.

    The next day, BetCRIS crashed hard.

    About the same time, other betting sites were getting hit too. The threats came in mangled English: "In a case if you refuse our offer, your site will be attacked still long time." Some sites were shut down for weeks.

    Costa Rican law enforcement was ill-equipped to deal with computer hackers thousands of miles away. Given the shaky legality of offshore betting, seeking help from U.S. authorities wasn't an attractive option.

    So the bookie in Costa Rica turned to Barrett Lyon, a spiky-haired philosophy major from Sacramento.

    Continued in the article


    Bottom Line Solution --- Change to a Mac

    "How to Protect Yourself From Vandals, Viruses If You Use Windows," by Walter Mossberg, The Wall Street Journal, September 16, 2004; Page B1 --- http://online.wsj.com/article/0,,personal_technology,00.html 

    If you use a Windows personal computer to access the Internet, your personal files, your privacy and your security are all in jeopardy. An international criminal class of virus writers, hackers, digital vandals and sleazy businesspeople wakes up every day planning to attack your PC.

    And the company that controls the Windows platform, Microsoft, has made this too easy to do by carelessly opening numerous security holes in the operating system and its Web browser. Even if you install the recent Service Pack 2 update to Windows XP, you will still be vulnerable.

    As I have said before, I believe Microsoft and the computer makers should be taking care of all these problems with a unified, managed approach that would free users from having to learn about all the threats and constantly manage security. They should take responsibility for shielding users from hackers, spammers, viruses and spyware -- the malicious software that hijacks your browsing and searching, pushes ads into your face, and secretly logs your activities.

    But until that happens, you will have to fend for yourself. So here's a quick, rudimentary guide to protecting yourself in the digital world.

    Opting out: The single most effective way to avoid viruses and spyware is to simply chuck Windows altogether and buy an Apple Macintosh. Apple's operating system, Mac OS X, is harder for the criminals to infect, and the Mac's market share is so small that hackers, virus writers and spies get little thrill, financial gain or publicity from attacking the platform.

    There has never been a successful virus written for Mac OS X, and there is almost no spyware that targets the Mac. Plus, the Mac is invulnerable to viruses and spyware written for Windows. Not only is it more secure, but the Mac operating system is more capable, more modern and more attractive than Windows XP, and just as stable.

    Macs are as good as, and often better than, Windows PCs at doing the most common computing tasks: Web browsing, e-mail, word processing, spreadsheets, presentations, photos, music and video. The Mac version of Microsoft Office can handle Windows Office files with ease, and it produces files that Office for Windows handles effortlessly. Apple's computers are also gorgeous.

    But switching platforms is expensive, and scary to people. So if you're sticking with Windows, read on.

    Halting hackers: Buy a software firewall program, one that won't only stop hackers trying to get in but will also halt suspicious programs already on your PC from trying to send information out over the Internet. The one I recommend is ZoneAlarm, a free utility from Zone Labs, available at www.zonelabs.com. Use it instead of the wimpier built-in firewall Microsoft supplies.

    If you have a broadband connection or a home network, make sure your modem or router (a common piece of networking gear) is equipped with a feature called NAT, or Network Address Translation. This technology makes it harder for criminals on the Internet to find your computers. Even if you have NAT, however, I still recommend you have a software firewall program, because NAT doesn't block every attack.

    Curing viruses: You must run a strong antivirus program, and keep it updated, even if updates cost money. I recommend Norton AntiVirus (the stand-alone program, not the cumbersome security suite). It's very effective, and its automatic update system is the best I've ever tested. It costs $50, including a year of updates.

    Stopping spyware: Since antivirus programs don't attack spyware, you will need to run, and keep updating, a separate piece of software called an antispyware program. I recommend Spy Sweeper from Webroot software, at www.webroot.com. It costs $30, including a year of updates. Like an antivirus program, it not only detects and removes spyware already on your PC, but also watches for, and blocks, new spyware.

    Stuffing spam: Buy a decent antispam program. I know of none that is close to perfect, but the best is probably MailFrontier Desktop, available for $30 at www.mailfrontier.com. If you're really fed up, you can turn on the "challenge" feature in this program, which forces unknown senders to pass a simple test that baffles the mass-mailing software spammers use.

    Browsing safely: I suggest dumping Microsoft's Internet Explorer Web browser, which has a history of security breaches. I recommend instead Mozilla Firefox, which is free at www.mozilla.org. It's not only more secure but also more modern and advanced, with tabbed browsing, which allows multiple pages to be open on one screen, and a better pop-up ad blocker than the belated one Microsoft recently added to IE.

    Being careful: Never download software from the Web unless you are certain you know what it is and that you want and need it. If a Web site says you need some special plug-in to view things, be very wary. Common viewer software, like that from Real Networks, Apple or Macromedia, should be obtained from those companies' official sites.

    Staying current: You should probably install Microsoft's new SP2 update, which does improve Windows security -- although it has caused serious problems for a minority of Windows users. And you should install all the "critical updates" Microsoft issues for Windows.

    Bottom line: If you use Windows, you're asking for trouble. But you can mitigate the risk by taking precautions.

    It's the Best Solution, But It's No Longer Perfect

    From Technology Review on October 28, 2004 
    Apple's Got a Virus? Congratulations!
    Whenever Windows users grouse about the latest virus or spyware attack, Macintosh devotees good-naturedly tease that they don't have to worry about such nonsense. Well, the Apple-heads can't say that anymore. Last week, astute Mac users discovered a program dubbed "Opener"--a nefarious piece of code that embeds itself onto Macs using OS X, disables the computer's firewall, and collects any password information it can find. The Apple community should not be upset about this malware news, writes Eric Hellweg, but celebrating it. Finally, a virus writer thinks Macs matter enough to merit attack!
    http://www.technologyreview.com/articles/04/10/wo_hellweg102804.asp?trk=nl


    Changes in Microsoft Windows XP Service Pack 2 --- http://www.macromedia.com/devnet/logged_in/wanbar_sp2.html 

    On Friday, August 6, 2004 Microsoft announced the release of a significant update to the Windows XP operating system: Microsoft Windows XP Service Pack 2 (SP2). This security-focused update includes numerous changes, many of them transparent to end users, which aim to reduce the operating system's exposure to attacks from the Internet and protect users from predatory software like adware, spyware, and malware. The Windows XP operating system is installed on nearly 50% of net-connected computers worldwide—almost 250 million PCs, according to the Flash Player survey Macromedia conducts quarterly through NPD.

    While targeted at abusers of the current Windows security model, the changes in SP2 also peripherally affect many safe and useful technologies, including, in some instances, Macromedia software. Microsoft and Macromedia have worked closely throughout the development of SP2 to ensure the best possible experience for customers of Macromedia Flash Player.

    In this article I'll talk about areas of the service pack that web designers and developers, website owners, IT and MIS personnel, and Flash Player users might be concerned about, with the goal of outlining the impact SP2 will have on the user experience and the development process.

    To get the most comprehensive and detailed information about the service pack, visit the Microsoft website, which includes the following:

    What's New in Windows XP Service Pack 2

    Microsoft Windows Service Pack 2 users will experience some changes in the way software behaves, including some minor changes when launching some Macromedia products. The most visible change is the presence of a new security warning dialog box, which asks users to confirm that they want to install or launch software.

    Many of the new security dialog boxes appear if a particular piece of software does not have a digital signature. Digital signatures verify the authenticity of the software download. As software publishers get busy creating and filing their digital signatures, there will be a transitional period in which many reliable software applications will not yet have them. Even without a digital signature, users are able to click to confirm that they want to install their software and proceed with the installation. To find out more about the digital signatures, see the Enhanced Browser Security section of the Microsoft TechNet article, Changes to Functionality in Microsoft Windows XP Service Pack 2.

     


    "Free Security Update To Windows XP Has Value but Falls Short," by Walter Mossberg, The Wall Street Journal, August 19, 2004, Page B1 --- http://online.wsj.com/article/0,,personal_technology,00.html 

    Microsoft has paid so little attention to security over the years that consumers who use Windows have been forced to spend more and more of their time and money fending off viruses, hackers, spyware and spam. For this reason, the burden of using a Windows computer has grown immeasurably recently.

    Now, under pressure from its customers and critics, the software giant is making a move toward undoing that damage. Over the next few weeks, Microsoft will be rolling out a major, free security update to Windows XP. It's called "Service Pack 2," or simply "SP2."

    I've been testing SP2 on two Windows computers, and it seems to work fine. I recommend installing it, if only because of the under-the-hood security improvements Microsoft claims it contains.

    But SP2 falls way short of what Microsoft could have done to fix the miserable state of security in Windows. While the update will make it harder for malicious software to enter your PC, SP2 doesn't detect or remove viruses or spyware or spam.

    What's more, some of the key features of SP2 are inferior to those in third-party security software. In fact, even after you install SP2, you will still have to use add-on security programs, if you want to be reasonably safe.

    Over the next month, SP2 will arrive at many PCs, unbidden, via the built-in Windows Update feature in Windows XP. It will also be available for downloading from Microsoft's Windows Update Web site. And Microsoft plans to mail it out, by request, on a free CD.

    On my two test machines, an IBM laptop and a Dell desktop, installation went very smoothly. All my programs and data remained intact and functional. Microsoft concedes that SP2 does interfere with about 50 known programs. Most are corporate products, but the list also includes a few games and consumer utilities.

    In addition to the under-the-hood changes, which are aimed at stopping several common intrusion techniques, SP2's main features are a new firewall, a new "Security Center" and new protections built into Microsoft's Internet Explorer Web browser. SP2 also turns on the automatic-update feature in Windows, which allows Microsoft to transmit and install future patches without user intervention.

    The firewall, which is designed to shield your PC from attacks over the Internet, is now turned on by default. Formerly, it was off by default. (You can still turn it off manually, along with the automatic update feature.) And it has a few new features, including one that warns you if a program running on your PC is seeking to open a "port" -- a conduit to the Internet -- so it can receive incoming data.

    But the new firewall lacks a crucial component present in some third-party firewalls, like ZoneAlarm. It doesn't prevent rogue programs already on your PC from using the Internet to make outbound data transfers, such as the secret reports that spyware programs make on your activities, or instructions that Trojan horse programs send out to attack other computers.

    Also, Microsoft has made it easy for other software programs to turn off the new firewall. This was done so competing firewalls like ZoneAlarm could turn off the Windows firewall during installation, to avoid having duplicate firewalls running. But Microsoft concedes that hackers can use the technique to shut down the firewall as well. So I recommend buying, or sticking with, a superior third-party firewall.

    The Security Center is where you can determine whether your firewall, your automatic-update settings and your antivirus program are on or off. It doesn't actually add a layer of protection to your PC. It's just an information device.

    Even in that role, it falls short. In my tests, it couldn't tell whether Symantec's Norton AntiVirus program was on or off, and it warned me that my PC might not be protected against viruses, even though my antivirus protection was definitely on. This is apparently because Symantec needs to patch its product so it can talk to the Security Center. And the center made no effort to monitor my antispyware or antispam programs.

    The changes to the Internet Explorer browser include a long-overdue pop-up ad blocker, which many other browsers now include, and additional warnings and controls on software downloads, so users will think twice about installing programs that might be malicious. An "Information Bar" at the top of the browser screen warns about downloads and notes that pop-ups have been blocked.

    Microsoft still hasn't devised a quick, easy way to thoroughly erase your browsing tracks in Explorer or added an antispam feature to its Outlook Express e-mail program. The company says that SP2 was all about security, and these things weren't viewed as core security features. But it somehow still managed to use this security update to jam an unsolicited new "Favorites" link into the browser, one that points to a Microsoft site where it wants to sell you software and hardware.

    Overall, SP2 is worth installing and will definitely improve Windows security. But it's limited. You'll still need to look beyond Microsoft to really secure your Windows PC.


    It's almost the same thing as robbing the jewelry in your house and then asking $300 for the map to where it's buried --- only this time Ole would say "the yoke's on yew."

    But I have to admit that it is a clever password.

    "New Trojan Ransoms Files, Demands $300:  The Trojan archives 44 file types with a ZIP library, then password-protects the files and deletes the originals. But some have discovered the password needed to free the files," by Gregg Keizer, Information Week, March 16, 2006 --- http://www.informationweek.com/news/showArticle.jhtml?articleID=183700241

    A Trojan is loose that locks up files and then demands a $300 ransom to return access, several security firms said Thursday, but at least two have discovered the password needed to free the files.

    Dubbed "Cryzip" by some anti-virus vendors and "Zippo.a" by others, the Trojan archives 44 file types -- including .doc (Microsoft Word), .pdf (Adobe Acrobat), and .jpg (images) -- with a ZIP library, then password-protects the files and deletes the originals.

    A "ransom note" is left on the machine, and reads in part: "Do not try to search for a program what encrypted your information - it is simply do not exists in your hard disk anymore. If you really care about documents and information in encrypted files you can pay using electonic [sic] currency $300.

    "Reporting to police about a case will not help you, they do not know password."

    At least two security firms, however, have dug up the password, which was left in plain view within one of the DLL files dropped by the Trojan. According to both Sophos and LURHQ, the password is:

    C:\Program Files\Microsoft Visual Studio\VC98

    "Because this string often appears inside projects compiled with Visual C++ 6, the author likely figured anyone who found the infecting DLL and examined its strings looking for the password would simply overlook it," LURHQ wrote in its Cryzip advisory.

    "There should be no need for anyone to pay the reward," said Graham Cluley, a senior technology consultant with Sophos, in a separate statement. "It looks like this password was deliberately chosen by the author in an attempt to fool analysts into thinking it was a directory path instead."

    Victims can use any ZIP utility to unlock the files with the password.

    Ransom-like attacks, labeled "ransomware," are rare. The last full-fledged attack was in May 2005 when another security company, California-based Websense, spotted a Trojan that demanded $200 for a decryption key.

    Other, and more common, forms of ransomware-style attacks are used by bogus spyware vendors, who claim that users' PCs harbor massive amounts of adware and spyware, and try to sell their phony products to spooked consumers.
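The analysts' step described in the Cryzip article above, examining the strings inside the dropped DLL, is sketched here as an added example; it is not code from Sophos, LURHQ or the article. It runs a minimal strings extractor over a constructed byte blob and shows how a triage filter that dismisses compiler paths hides the password, while a candidate list that only ranks such strings last keeps it. The sample bytes, the filter patterns and all function names are assumptions; only the path string is taken from the article.

```python
import re

# The one value taken from the article; everything else below is constructed.
PAGE_PASSWORD = r"C:\Program Files\Microsoft Visual Studio\VC98"

# Constructed sample: bytes laid out like fragments of a Visual C++ 6 DLL.
SAMPLE_DLL = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00",
    b"This program cannot be run in DOS mode.\r\n$\x00\x00",
    b"\x8b\xff\x55\x8b\xec\x00",
    # An ordinary header path of the kind the compiler embeds in binaries.
    (PAGE_PASSWORD + r"\include\xstring").encode("ascii") + b"\x00",
    b"\x01\x02",
    # The string the article identifies as the archive password.
    PAGE_PASSWORD.encode("ascii") + b"\x00",
    b"\xff\xfe",
    "SAMPLE_NOTE.TXT".encode("utf-16-le") + b"\x00\x00",
    b"\x00kernel32.dll\x00CreateFileA\x00DeleteFileA\x00",
])


def extract_strings(blob, min_len=6):
    """Return printable ASCII and UTF-16LE runs in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in wide_re.finditer(blob)]
    return [s for _, s in sorted(found)]


# What a skim-read tends to dismiss as toolchain residue (assumed patterns).
NOISE_PATTERNS = [
    re.compile(r"^[A-Za-z]:\\"),                  # drive-letter build/SDK paths
    re.compile(r"\.(pdb|obj|lib)$", re.I),        # linker and debug artifacts
    re.compile(r"^This program cannot be run"),   # DOS stub message
    re.compile(r"^[A-Za-z0-9_]+\.dll$", re.I),    # imported library names
]


def looks_like_toolchain_noise(s):
    return any(p.search(s) for p in NOISE_PATTERNS)


def triage(strings):
    """Split strings into (kept, dismissed) the way a noise filter would."""
    kept = [s for s in strings if not looks_like_toolchain_noise(s)]
    dismissed = [s for s in strings if looks_like_toolchain_noise(s)]
    return kept, dismissed


def candidate_secrets(blob, min_len=6):
    """Every extracted string, de-duplicated; 'noise' is ranked last, not dropped."""
    kept, dismissed = triage(extract_strings(blob, min_len))
    return list(dict.fromkeys(kept + dismissed))


if __name__ == "__main__":
    kept, dismissed = triage(extract_strings(SAMPLE_DLL))
    print("kept by the filter:")
    for s in kept:
        print("   ", s)
    print("dismissed as noise:")
    for s in dismissed:
        print("   ", s)
    print("password still among candidates:",
          PAGE_PASSWORD in candidate_secrets(SAMPLE_DLL))
```

Each candidate can then be tried against a copy of an affected archive with an ordinary ZIP utility, as the article says victims can do once the password is known.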

    Bob Jensen's threads on reporting computer frauds are at http://www.trinity.edu/rjensen/FraudReporting.htm

     


    Leading Anti-Virus, Anti-Spyware, and Anti-Spam Alternatives
    I trust Consumer Reports rankings more than virtually all other ranking sources mainly because Consumer Reports accepts no advertising and has no other links to the vendors of products rated in Consumer Reports' labs.

    The Consumer Reports home page is at http://www.consumerreports.org/cro/index.htm  

     

    Consumer Reports Rankings of AntiSpam Software
    September 2006, Page 29
    E-MAIL ANTISPAM SOFTWARE (used in conjunction with e-mail programs)

    Rank 1 Microsoft Outlook http://www.microsoft.com/athome/security/email/fightspam.mspx

    Rank 2 Apple Mac X Mail http://www.apple.com/macosx/features/mail/ 

     

    ADD-ONS TO E-MAIL PROGRAMS (can filter spam without additional software)

    Rank 3 Trend Micro Anti-Spam Pilot

    Rank 4 Allume Systems

    Rank 5 Cloudmark Desktop http://www.cloudmark.com/desktop/

    Rank 6 Trend Micro Anti-Spam Pilot

    Rank 7 PC Tools Spam Monitor http://www.pctools.com/

    Rank 8-13 given on Page 29

     

    Consumer Reports Rankings of Antivirus Software
    September 2006, Page 27

    Rank 1 BitDefender http://www.bitdefender.com/index.php 

    Rank 2 Zone Labs Zone Alarm Anti-Virus http://www.zonelabs.com/store/content/home.jsp  

    Rank 3 Kaspersky Anti-Virus Personal --- http://www.kaspersky.com/ 

    Rank 4 Norton AntiVirus http://www.symantec.com/avcenter/ 

    Rank 5 Norton AntiVirus for Macintosh http://www.symantec.com/avcenter/ 

    Rank 6 McAfee VirusScan http://www.mcafee.com/us/

    Rank 7 Trend Micro PC-cillin http://www.trendmicro.com/en/home/us/enterprise.htm 

    Ranks 8-12 given on Page 27
     

     

    Consumer Reports Rankings of AntiSpyware Software
    September 2006, Page 28
    Rank 1 F-Secure Anti-Spyware http://www.f-secure.com/

    Rank 2 Webroot Spy Sweeper http://www.webroot.com/wb/products/spysweeper/index.php?rc=266&ac=417 

    Rank 3 PC Tools Spyware http://www.pctools.com/

    Rank 4 Trend Micro Anti-Spyware

    Rank 5 Lavasoft Ad-aware http://www.lavasoftusa.com/software/adaware/

    Rank 6 Spybot-Search & Destroy http://www.safer-networking.org/en/index.html 

    Rank 7 Zone Labs Zone Alarm Anti-Spyware http://www.zonelabs.com/store/content/home.jsp  

    Ranks 8-12 Given on Page 28


    Spyware Detector and Remover
    January 2004 message from Richard Campbell [campbell@RIO.EDU]

    This product gets my 5 star rating - I was lulled into a false sense of security with Norton Security suite on my new computer.

    http://www.sunbeltsoftware.com/product.cfm?page=benefits&id=410 

    Richard J. Campbell mailto:campbell@rio.edu 

     


    What a Great Idea in the War on Spam:  Unfortunately, Make Love, not Spam only covers Italy, France, Germany, The Netherlands, Spain, Sweden and the UK to Date
    Internet users fed up with spam can go on the offensive by downloading a screensaver aimed at hitting junkmailers in the pocket.  The screensaver, called Make Love Not Spam and launched by search engine Lycos, requests data from websites that are mentioned in bulk mailings.  Lycos Europe spokesman Frank Legerland says if thousands of users sign up, the websites' servers will run at nearly full tilt.  The demand will slow the websites' response and hike their bandwidth bills, yet derive no income for the accesses.  He says those costs may discourage the sites from hiring email spammers to advertise their wares.
    ABC News, November 30, 2004 --- http://www.abc.net.au/news/newsitems/200411/s1254988.htm 
    You can read reviews at http://www.macupdate.com/info.php/id/16592 
    Also see http://www.eweek.com/article2/0,1759,1733446,00.asp 

     


    "Microsoft, Amazon Unite to Battle E-Mail Scammers," by Judy Lam, The Wall Street Journal, September 29, 2004, Page D3 --- http://online.wsj.com/article/0,,SB109639503163330213,00.html?mod=technology_main_whats_news 

    Amazon.com Inc. and Microsoft Corp. have joined forces to combat online fraud and find the people behind e-mail scams that send millions of forged messages to consumers.

    Yesterday, the two companies said they filed suits against Canadian company Gold Disk Canada Inc. and three individuals for allegedly sending millions of unsolicited e-mails using Microsoft's Hotmail services and forging the name of Amazon.com. The suits were filed in Superior Court of the State of Washington and the U.S. District Court in Seattle.

    Amazon and Microsoft said they are working to identify offenders and are collaborating to test technical solutions that would make it more difficult to send unwanted messages to consumers.

    Over the past year, Microsoft has stepped up its efforts to fight spam and e-mail scams as part of a broader move to stem a range of attacks on its software. The company has had to respond to growing customer complaints about the security of Microsoft applications, prompting the company to release a host of new security software, sign new partnerships, and begin taking more legal action to thwart hackers and senders of spam.

    Continued in the article


    Microsoft to Bundle Anti-Spyware App With Windows
    Microsoft said Friday that it plans to bundle its "Windows Anti-Spyware" tool with Windows Vista, the chronically delayed next version of the company's operating system. Microsoft also decided to rename the program "Windows Defender," in part to give it "a more positive name." The announcement, like others of late, was posted on one of the numerous blogs on Microsoft's site that catalog the daily doings of the software giant's many technical divisions. But this news -- for me, anyway -- was more than just a press release issued via a breezy blog post. It offered a glimpse of something Redmond hinted it was going to do years ago, but which has only recently become more of a reality: ship antivirus and anti-spyware updates to hundreds of millions of Windows computers every day through its Windows/Microsoft Update feature.
    Brian Krebs, "Microsoft to Bundle Anti-Spyware App With Windows," The Washington Post, November 7, 2005 --- http://blogs.washingtonpost.com/securityfix/2005/11/microsoft_to_bu.html?referrer=email


    The 10 best tools to keep viruses, spyware and bad guys away
    "Defensive Perimeter," by Gary Berline, PC Magazine, July 9, 2004  --- http://www.pcmag.com/article2/0,1759,1621759,00.asp 

    Detailed Checklist 
    "Keep Your PC Safe," PC Magazine, August 3, 2004 --- http://www.pcmag.com/article2/0,1759,1618797,00.asp 

    Toolkit of Free Products
    "Keep Your Friends Safe," by Neil J. Rubenking, PC Magazine, August 3, 2004 --- http://www.pcmag.com/article2/0,1759,1618804,00.asp 

    Security Watch Special Report --- http://www.pcmag.com/category2/0,1738,12,00.asp 

    My good friend Amy Dunbar at the University of Connecticut recommends the following spam blocker ---  http://spambayes.sourceforge.net/ 
    Bob Jensen's threads on spam blocking are at http://www.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection

    Eileen Taylor from the University of South Florida recommends Cloudmark's SpamNet spam protection --- http://www.cloudmark.com/ 

    Paula Ward sent this link to a listing of spam fighters --- http://email.about.com/od/windowsspamfightingtools/ 

    Spam and Spyware Blocker Software
    All-in-One Secretmaker (Free) --- http://www.secretmaker.com/ 

    All-in-One SECRETMAKER is designed for users who wish to:

    ● Keep their email box free of spam
    ● Avoid irritating pop-up and banner interruptions
    ● Protect their privacy and avoid profiling
    ● Use the Internet efficiently for private or business use



    Spam Blocking

    January 25, 2006 Update

    Bill Gates' prediction of spam elimination widely misses his expectation
    Two years ago, Gates said the spam problem would be "solved" by now. We're not even close, experts say, and for many reasons that don't have anything to do with Microsoft.
    Gregg Keizer, "Bill Gates' Spam Prediction Misses Target," Information Week, January 24, 2006 --- http://www.informationweek.com/story/showArticle.jhtml?articleID=177103434
    Also see http://www.internetweek.cmp.com/showArticle.jhtml?articleId=177103508


    Damn Spam: The Losing War on Junk E-Mail, by Michael Specter, The New Yorker, August 6, 2007 --- 
    http://www.newyorker.com/reporting/2007/08/06/070806fa_fact_specter 

    "Major Source of Internet Spam Yanked Offline:  Web Hosting Firm Shuttered After Connection to Spammers is Exposed," by Brian Krebs, The Washington Post, November 12, 2008 --- http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html?wpisrc=newsletter

    The gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for a full-scale cyber crime offensive against America. But security experts say a relatively small Web hosting firm at that location is home to servers that help manage the distribution of the majority of the world's junk e-mail.

    The servers are owned by McColo Corp, a Web hosting company that has emerged as a major U.S. base of operations for a host of international cyber-crime syndicates, involved in everything from the remote management of millions of compromised PCs to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography.

    Multiple security researchers have recently published data naming McColo as a mother ship for all of the top robot networks or "botnets," which are vast collections of hacked computers that are networked together to blast out spam or attack others online.

    Joe Stewart, director of malware research for Atlanta based SecureWorks, said that these known criminal botnets: "Mega-D," "Srizbi," "Pushdo," "Rustock" and "Warez