Users Want Answers on Oracle-Sun Future

When Oracle Corp. CEO Larry Ellison hosted a webcast last week to unveil the next generation of his company's Exadata appliance, a label reading "Oracle-Sun" was prominently displayed on the high-end database and storage system. Analysts said the arrival of the jointly built package shows that engineers at Oracle and Sun Microsystems Inc. have started working together in advance of the closing of Oracle's $7.4 billion acquisition of Sun, now expected in January.

But Ellison and webcast co-host John Fowler, executive vice president of Sun's systems business, only touted the joint engineering effort that created the Exadata Database Machine Version 2. They said nothing about the postmerger plans for the products of either company, keeping users mostly in the dark about the future of Oracle and Sun offerings. Oracle had hoped the deal would be closed by now, but it was held up earlier this month when the European Commission opened an in-depth investigation in response to what it called "serious concerns" that Oracle's ownership of Sun's MySQL database could blunt competition in the database market. Oracle did take an unusual step two weeks ago by running advertisements promising to spend more on Solaris software and UltraSparc hardware development than Sun does now. The ads came in the midst of aggressive efforts by Hewlett-Packard Co. and IBM to court Sun's customers.

The ads somewhat reassured Richard Newman, president of Reliant Security Inc., which uses Solaris-based systems to deliver data security products and services to retail industry customers. "We're crossing our fingers that what [Oracle] stated in print is in fact going to happen," he said. He also acknowledged that he has concerns about Oracle's plans for Sun's open-source offerings. "In the open-source community, Oracle doesn't have a particularly friendly reputation," he said. Nathan Brookwood, an analyst at Insight64 in Saratoga, Calif., called Oracle's ad "a very unequivocal statement of support for the Sun hardware." However, Brookwood added that he doesn't expect the move to placate Sun's customers. "It's not time to stop biting your nails," he said.

Among the Sun customers most in need of quick answers are resellers, such as PetroSys Solutions Inc., which sells repackaged systems for the government and education markets. "A lot of our clients are nervous," said Irene Griffith, who owns PetroSys. "They want to know what's going to happen." Sun's sales representatives have been mum on the subject. "They're not talking to us, they're not reaching out to us," Griffith said. Richard Toeniskoetter, technology director at the W.A. Franke College of Business at Northern Arizona University in Flagstaff, said he wants to know Oracle's plans for Sun's Virtual Desktop Infrastructure software and its Sun Ray thin clients. "We are already running a fairly mature VDI model, and we just want to see Oracle recognize that it's a viable platform," Toeniskoetter said, adding that NAU is also interested in Oracle's plans for MySQL.

This version of this story originally ran in Computerworld's print edition. It's an edited version of an article that first appeared on Computerworld.com.

Companies patch OS holes, but biggest priority should be apps

Corporations appear to be much slower in patching their applications than their operating systems, even though attackers are mainly targeting vulnerabilities in applications, according to a new report. "Now we know which vulnerabilities are being patched and which are not," says Alan Paller, director of research at the SANS Institute. The report, "The Top Cyber Security Risks," is based on data collected between March and August and was a collaborative effort by SANS, TippingPoint and Qualys. The report shows that 80% of Microsoft operating system vulnerabilities are being patched within 60 days, but only 40% of application vulnerabilities, including those in Office and Adobe products. The group analyzed six months of data related to online attacks, collected from 6,000 organizations using the TippingPoint intrusion-prevention system, along with data related to more than 100 million vulnerability scans performed on behalf of 9,000 customers of the Qualys vulnerability assessment service.

Meanwhile, the majority of online attacks are aimed at applications, particularly client-side applications, making this the No. 1 priority named in the report. The main attack methods used against Web sites were SQL injection and cross-site scripting. During the six-month timeframe, more than 60% of all attack attempts monitored by TippingPoint were against Web applications, with the aim of converting trusted Web sites into malicious sites serving up malware and attack code to vulnerable client-side applications. In terms of vulnerability and exploitation trends, popular methods include brute-force password guessing, with Microsoft SQL, FTP and SSH servers among the most popular targets. Zero-day vulnerabilities, which occur when a flaw in software code is discovered and exploit code appears before a fix or patch for the flaw is available, were popular in targeted attacks, according to the report. Some of the main vulnerabilities being exploited include the malicious Apple QuickTime Image File download (CVE-2009-0007); Microsoft's WordPad and Office Text Converter Remote Code Execution Vulnerability (MS09-010); and multiple Sun Java vulnerabilities.

Six notable zero-day flaws in the past six months include:

* The Adobe Acrobat & Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
* Microsoft Office Web Components, ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
* Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
* Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2008-0015)
* Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
* Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)

The report concludes by pointing out that finding zero-day vulnerabilities seems to be getting easier as "a direct result of an overall increase in the number of people having skills to discover vulnerabilities worldwide."

Gonzalez pleads guilty to TJX, other data heists

The man described by federal authorities as the mastermind of the massive data thefts at TJX Companies Inc., Heartland Payment Systems and other retailers today pleaded guilty to charges in a 19-count indictment that include conspiracy, wire fraud and aggravated identity theft. Albert Gonzalez, 28, of Miami, also pleaded guilty to one count of conspiracy to commit wire fraud related to a data theft at the Dave & Buster's restaurant chain. That case was being prosecuted separately in New York but was merged with the case in Boston under a plea agreement negotiated with prosecutors a few days ago.

Gonzalez is scheduled to be sentenced Dec. 8 by U.S. District Court Judge Patti Saris in Boston. Under the plea agreement, Gonzalez will serve between 15 and 25 years for both cases and will be fined as much as $250,000 for each of the charges. He faces a maximum of 25 years in prison for the charges in Boston and 20 years for the case in New York. Gonzalez will also forfeit more than $2.7 million in cash as well as multiple pieces of real estate and personal property, including a condominium in Miami, a BMW and several Rolex watches that he is alleged to have acquired through his ill-gotten gains. Gonzalez was arrested in Miami in 2008 along with 10 other individuals on charges relating to the thefts at TJX, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In August, federal authorities in New Jersey indicted Gonzalez on charges involving breaches at Heartland Payment Systems, Hannaford, 7-Eleven Inc. and two other unnamed retailers. About $1 million of the money being forfeited was recovered from a container buried in Gonzalez' back yard, according to a statement released today by the U.S. Department of Justice.

Prosecutors alleged that Gonzalez, along with two unnamed Russian conspirators, stole more than 130 million credit and debit card numbers from the five retailers. It is not clear whether Gonzalez was the leader of a worldwide criminal gang or merely acting at the behest of powerful crime gangs based in Russia and Eastern Europe. Today's plea brings to an end, for the moment, the career of a hacker who federal authorities say has been the mastermind of the biggest data thefts in U.S. history. But his actions, which his lawyer has claimed stemmed from a computer addiction, have caused millions of dollars in losses to his victims. In addition, some of the companies that were Gonzalez's victims have had to pay fines to Visa and the other card brands for being noncompliant with the credit card industry's Payment Card Industry Data Security Standard and to spend more money to revamp their security controls.

TJX has publicly estimated that costs to the company from the data breach will touch $200 million. Heartland has already spent or set aside more than $12 million and is facing numerous lawsuits from affected institutions.

U.S. Expands H-1B Fraud Case Against N.J. Firm

The U.S. government late last month filed a new, expanded 18-count indictment that now seeks $4.9 million from a New Jersey IT services firm it has accused of fraudulently using H-1B visas.

The government alleges that South Plainfield, N.J.-based Vision Systems Group Inc. paid its H-1B workers in multiple states based on low prevailing wage rates in Iowa through the creation of shell businesses in that state.

The indictment charges that the methods used by Vision Systems "have substantially deprived U.S. citizens of employment."

The initial 10-count indictment against Vision Systems, filed on Feb. 12, was part of a government investigation dubbed Operation Pacific Vision that led to the arrest of 11 people in six states on H-1B fraud charges.

Court documents show that the expanded indictment cut the amount sought by $2.5 million; no explanation for the reduction was given. But it is still the largest H-1B fraud case ever brought by the government.

The figure "represents the total amount of gross proceeds obtained as a result of offenses," according to the indictment.

Vision Systems and its executives are fighting the charges in U.S. District Court in Iowa.

"Workers were paid at or above the prevailing wage rates of the places that they were working," Mark Weinhardt, a Des Moines attorney and a member of the legal team representing the company, contended last week.

Vision Systems' defense has not yet been outlined but is hinted at in the indictment papers.

According to prosecutors, Vision Systems told its H-1B hires that green cards could be obtained more quickly from U.S. Immigration and Customs Enforcement (ICE) offices located outside of New Jersey.

Thus, Vision Systems might claim that it has been using the faster service available at the Iowa ICE offices as a recruiting tool for H-1B workers interested in getting green cards quickly.

Weinhardt did note that the defense team believes that the "indictment is based on a number of misconceptions about immigration law and procedure."