In 2017 my Website was migrated to the clouds and reduced in size. Hence some links below are broken. Contact me at rjensen@trinity.edu if you really need a file that is missing.
Opportunities of E-Business Assurance & Security: Risks in Assuring Risk
Bob Jensen at Trinity University
Assurance Services Opportunities and Risks
Large CPA Firm Revenues and Services
A Special Section on Computer and Networking Security
External Auditing of Information Security: Perception Versus Reality
External Auditing Combined With Consulting and Other Assurance Services: Audit Independence?
Cookies
Threads on Firewalls
Bob Jensen's Threads on Accounting Fraud, Forensic Accounting, Securities Fraud, and White Collar Crime
Bob Jensen's Technology Glossary
Internal auditing and fraud investigation site of Mark R. Simmons ---
http://www.mrsciacfe.cjb.net/
I created a timeline of major happenings leading up to the eXtensible Business Reporting Language (XBRL) and Online Analytical Processing (OLAP) systems. Overviews of XML, VoiceXML, XLink, XHTML, XBRL, XForm, XSLT, RDF and the Semantic Web are also provided --- http://faculty.trinity.edu/rjensen/xmlrdf.htm
Assurance Services Opportunities and Risks
You might find some added materials of interest at http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm
The AICPA's Assurance Services Website is at http://www.aicpa.org/assurance/index.htm
November 8, 2002 updates on electronic commerce and
assurance services --- http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm
Update on a new education program that appears to not involve CPAs
Seeking to lead the country in higher education to
combat cyber crime, the University of Fairfax announced today its first
graduates from MS and PhD programs designed to produce information security and
information assurance leaders. These graduate programs enable students to earn
an MS or PhD in Information Security.
"University Of Fairfax Announces First Graduation," PRWeb, July 24, 2006 --- http://www.prweb.com/releases/2006/7/prweb413757.htm
Jensen Comment
Perhaps CPAs really did not have much comparative advantage in the realm of
information security. CPA firms in reality had to hire assurance services
experts from outside traditional accounting programs. Even the Masters of
Assurance Services introduced by such universities as Notre Dame and the
University of Virginia had very non-traditional curricula in terms of
accountancy.
Some universities now offer a specialty curriculum (usually at the graduate level) in Assurance Services. For example, note the E&Y funded programs at Notre Dame and the University of Virginia --- http://www.ey.com/global/Content.nsf/US/Careers_-_Student_-_Your_Master_Plan
Ernst & Young and two top-ranked educational
institutions, the University of Notre Dame and the
University of Virginia, have a unique master's program
primarily for non-accounting business majors. As a
participant in E&Y’s Your Master Plan program,
you will earn a master's degree from a highly acclaimed
university while working for one of the world's leading
professional services firms. Because E&Y continually
offers an ever broader variety of services to our global
clients, we need a broader base of talent to best meet
their needs. The Ernst & Young-sponsored Master of
Science in Accountancy program may be just the key to
achieving your high career goals. If you're interested
in this exciting career path, read on!
http://www.ey.com/global/Content.nsf/US/Careers_-_Student_-_Your_Master_Plan
Whatever happened to the AICPA's SysTrust initiative for expanding CPA firm
revenues and services?
http://en.wikipedia.org/wiki/Certified_Information_Technology_Professional
"Compliance et al," by Jerry Trites, IS Assurance Blog, July 16, 2011 --- http://uwcisa-assurance.blogspot.com/
Recently, ISACA conducted a survey of the top business issues facing enterprise IT technology. The list is of course directed primarily to the concerns of IT Assurance providers and contains the following issues:
- Regulatory compliance (Score: 4.6)
- Enterprise-based IT management and governance (Score: 4.4)
- Information security management (Score: 4.1)
- Disaster recovery/business continuity (Score: 3.1)
- Challenges of managing IT risks (Score: 2.5)
- Vulnerability management (Score: 2.1)
- Continuous process improvement and business agility (Score: 2.0)
Compliance has been a big issue since the SOX
days, but shows no sign of abating. Assurance providers can expect to
spend more of their time in this area for the foreseeable future.
Nothing really new or startling in the list, but it does provide a good
high level overview of where we are in the world of IT Assurance. See
the press release
here and the survey
here.
Bob Jensen's badly neglected threads on Assurance and Security Services
See Below!
The AICPA's main assurance site of interest --- http://www.aicpa.org/assurance/index.htm
The Trust Services principles and criteria, with links to SysTrust and WebTrust, are on the AICPA website at www.aicpa.org/trustservices/ (http://tinyurl.com/8h4twP).
Also see Privacy materials at http://infotech.aicpa.org/Resources/Privacy/
“E-Commerce And CPA WebTrust,” New Accountant, October 21, 2005 ---
http://www.newaccountantusa.com/newsFeat/t2k1/t2k1_cpawebtrust.html
Performance View Services --- http://www.aicpa.org/assurance/view/what.htm
What is CPA Performance View?
CPA Performance View is the AICPA's branded version of
performance measurement. The AICPA has recognized
performance measurement as a growing area that is well
suited to the skill sets of CPAs. Thus, we see this as a
major component of the future for CPAs, both
practitioners and members in industry.
Our focus is to explain the
concepts of performance measurement and get CPAs to
understand how performance measurement will allow them
to perform their roles better by using their current
skills to focus on more than just the financial side of
an organization. To start this process, we have worked
with a number of talented individuals and companies to
develop two practice guides - one for practitioners and
one for members in industry - a training workshop,
software and information about performance measurement.
Performance measurement theory
has been around for a long time in a number of different
forms. The most widely known methodology is probably the
Balanced Scorecard, which was started in the early
1990's by two Harvard Business School professors, Drs.
David Norton and Robert Kaplan. For more information on their work, you can visit them at Balanced Scorecard Collaborative.
[Please note, links to other Web
sites, here and throughout these pages, are provided for
your convenience and do not represent an endorsement by
the AICPA.]
Many organizations track their
success based solely on past financial performance.
While an organization's history is an excellent way to
see where it has been, it doesn't say much about where
it is going. If a company earned $250,000 or $2 million
last year, what in the financial statements leads you to
believe they will accomplish the same or better next
year? Traditional performance tracking methods focus on:
sales, net income, gross margin, return on assets, asset
turnover etc., but do not provide the needed information
to anticipate the future. It is great news that gross
margins are remaining high or increasing, but if
customers are unhappy with service and switching to
competitors, what good is the information on margins?
While financial measures provide an accurate and
detailed history, they do not provide guidance for the
future.
CPA Performance View is a
system that merges the standard financial measures with
leading indicators, such as: customer satisfaction,
employee training and satisfaction, product quality,
sales calls and proposals delivered, etc. By joining the
two, you will have the ability to identify critical
decision points that can lead to organizational change
and better performance, and earnings, for a company.
Using an accounting firm as an
example, you could measure past performance by looking
at collections, measure current performance by looking
at cash flow and the change in accounts receivable, and
anticipate future performance by looking at the
engagements to be completed and proposals submitted.
Each of these measures provides a different focus on the
same information, but together provide a more complete
picture of the firm's performance.
Bob Jensen's threads on performance measurement are at
http://faculty.trinity.edu/rjensen/roi.htm
Question
When are performance evaluation services assurance services as opposed to
advisory services?
Answer
It probably doesn't matter much how they are classified, but I like to think of
advisory services as being for the direct benefit of the client who pays for the
service. Assurance services tend to be intended for third party benefit
such as customers, creditors, investors, employee unions, etc.
Risk Advisory Services by CPA Firms ---
http://www.aicpa.org/assurance/risk/index.htm
What are Risk Advisory Services and Why Should I Get Involved?
Risk Advisory Services Task Force
Learn about the Task Force's mission, its members and highlights of meetings.
How to obtain a free copy of the new thought leadership document on Risk, MANAGING RISK IN THE NEW ECONOMY
Download URL --- http://ftp.aicpa.org/public/download/Managing%20Risk.pdf
Question
When are risk evaluation services assurance services as opposed to advisory
services?
Answer
It probably doesn't matter much how they are classified, but I like to think of
advisory services as being for the direct benefit of the client who pays for the
service. Assurance services tend to be intended for third party benefit
such as customers, creditors, investors, employee unions, etc.
Example of one firm's risk advisory services
KPMG Risk Advisory Services ---
http://www.kpmg.com/services/content.asp?l1id=90&l2id=520
One area of expanded assurance services is in the auditing and analysis of
fair values and risk.
E-COMMERCE AND AUDITING FAIR VALUES SUBJECTS OF NEW INTERNATIONAL GUIDANCE
The International Federation of Accountants (IFAC) invites comments on two new
exposure drafts (EDs): Auditing Fair Value Measurements and Disclosures and
Electronic Commerce: Using the Internet or Other Public Networks - Effect on the
Audit of Financial Statements. Comments on both EDs, developed by IFAC's
International Auditing Practices Committee (IAPC), are due by January 15, 2002.
See http://accountingeducation.com/news/news2213.html
The IFAC link is at http://www.ifac.org/Guidance/EXD-Download.tmpl?PubID=1003772692151
The purpose of this International Standard on Auditing (ISA) is to establish
standards and provide guidance on auditing fair value measurements and
disclosures contained in financial statements. In particular, this ISA addresses
audit considerations relating to the valuation, measurement, presentation and
disclosure for material assets, liabilities and specific components of equity
presented or disclosed at fair value in financial statements. Fair value
measurements of assets, liabilities and components of equity may arise from both
the initial recording of transactions and later changes in value.
Bob Jensen's threads on risk and financial reporting are at
http://faculty.trinity.edu/rjensen//theory/00overview/theory01.htm
In particular note the threads on risk hedging at
http://faculty.trinity.edu/rjensen/caseans/000index.htm
SysTrust --- http://www.aicpa.org/assurance/systrust/index.htm
The AICPA/CICA Trust Services principles and criteria will be released January 1, 2003. The new Trust Services principles and criteria are effective for engagements beginning on or after January 2003. Earlier implementation is encouraged.
What are SysTrust Services and Why Should I Get Involved?
A Brief Introduction on SysTrust Services
FAQs about SysTrust --- http://www.aicpa.org/assurance/systrust/faq.htm
SysTrust Principles & Criteria
What Skills Do I Need to Provide SysTrust Services?
Find out what skills are necessary and what resources are available to enable you to offer SysTrust Services.
Getting Started
Learn about SysTrust licensing agreement and training opportunities.
Marketing and Managing a SysTrust Practice
Tips on Marketing and Managing Your SysTrust Practice.
What's New with SysTrust Services?
New standards, product developments, etc.
Systems Reliability Assurance Services Task Force
Learn about the Task Force's mission and its members.
Frequently Asked Questions about SysTrust
Press Room
Press Releases, Product News, Fact Sheets, Q&As, Case Studies, Spokesperson Biographies, etc.
Contact the AICPA
A good source to look at is entitled "SysTrust and
WebTrust Technology Assurance Opportunities," by Anthony J.
Pugliese and Ronald Halse, The CPA Journal, 2000 ---
http://www.nysscpa.org/cpajournal/2000/1100/features/f112800a.htm
How SysTrust Works
SysTrust is designed to
offer assurance to a broad audience—management, boards of
directors, customers, and business partners—about the
information systems that support a business or one of its
segments. In a SysTrust engagement, a CPA performs an
examination, similar to an audit, to evaluate the system’s
reliability. A positive SysTrust report attests to the system’s
reliability and ability to operate without material error, flaw,
or failure during a stated period of time in a specified
environment.
Clients would be interested in a systems assurance examination for some of the following reasons:
- Internal and external users can lose access to essential services because of system failures and crashes.
- Systems can be vulnerable to viruses and hackers because of unauthorized system access.
- System failure can result in loss of access to system services or loss of data confidentiality or integrity.
- Negative publicity in the wake of high-profile system failures can undermine customer and investor confidence.
SysTrust can benefit a business's day-to-day operations in the following scenarios:
- A company is trying to win a major contract as a supplier to a corporation that uses just-in-time (JIT) inventory management. A SysTrust report that demonstrates the reliability of the company's systems and shows its capacity to be a dependable partner in the JIT environment enables the company to differentiate itself from its competitors.
- A company decides to outsource its human resources, payroll, and other employee-related systems. To ensure smooth operations, it insists that any successful bidder maintain unqualified SysTrust reports on the outsourced systems.
- A retailer qualifies for a discount on business interruption insurance because its SysTrust report attests to the reliability of its inventory management systems.
- When technology problems at foreign subsidiaries cause trouble for an international company, its audit committee decides to adopt the SysTrust principles and criteria as a minimum standard for key subsidiaries.
In a SysTrust engagement, a system is divided into five elements:
- Infrastructure, such as hardware and facilities
- Software, including operating systems, utilities, and business applications software
- People, who operate and use the system
- Procedures, which can include information system backup and maintenance or input procedures
- Data, or the information that the system uses and supports
Together, these elements form a system that provides the information that the business needs to function and supports management in long-term decision making.
Four essential principles comprise a SysTrust engagement:
- Availability. Does the system operate in accordance with the business requirements? Is it accessible for routine processing and maintenance?
- Security. Is the system protected against unauthorized access?
- Integrity. Does the system process information completely, accurately, in a timely manner, and in accord with the required authorization?
- Maintainability. Can the system be updated to provide continued availability, security, and integrity?
SysTrust standards also include 58 underlying criteria that establish the specific control objectives a system must meet to be considered reliable. Under the version 2.0 SysTrust Principles and Criteria for Systems Reliability exposure draft, practitioners can report on any of the SysTrust principles in an individual engagement, depending on the client's needs. SysTrust version 2.0 also offers guidance on testing systems in the preimplementation stage. In addition, it covers agreed-upon procedures and consulting engagements.
SysTrust examination-level
attestation engagements are performed in accordance with
Statements on Standards for Attestation Engagements No. 1,
Attestation Standards (an examination-level engagement must be
performed to issue a SysTrust report), and are also covered by
the AICPA Code of Professional Conduct.
At the conclusion of a
SysTrust engagement, the CPA gives the client a reporting
package that includes an attestation report, a system
description, and an assertion about the effectiveness of
controls over the reliability of the system.
October 18, 2005 message from XXXXX
The problem with both Webtrust and
Systrust was the volume of recurring work and the associated high fees the
client incurred. Also, the products were designed in the audit area of the
AICPA when they should have been in the tech area. The zeal in the audit
area has traditionally been the core of the organization so it was the 800
pound gorilla. Unfortunately, this gorilla had one answer for all issues,
full scope substantive audit procedures. As a result, the products by design
are not affordable.
This same inertia occurred when Ev and I tried to change the audit standard
to acknowledge that electronic evidence and fully automated systems were
very difficult to audit and that substantive audits may not be possible.
That effort took 5 years to gain two small lines in the audit evidence
standard. We were at one point told off the record that to put this into the
standard was not in the best interest of the profession since auditors were
not trained to audit through the computer, only around it. We have come a
long way since the early 1990's, but there are still a number of firms that
gloss past this change and the standard remains woefully short of what we
need.
Digital Certification Services Ohio CPA Journal, October-December
2000 ---
http://www.ohioscpa.com/publications/journal/default.asp?article=647-7
Options for Providing Consumer Assurances
CPAs and their clients have three basic options to provide Web-based privacy, reliability, and security assurances to customers.
- Self-Reported Assurances. Online businesses
can devise policies, implement security
measures, and then, if their managers so desire,
inform consumers about these actions.
- Government Regulation. Government agencies
might recommend or regulate Web-based business
actions under the guise of consumer protection.
- Third-Party Assurance Services. A Web-based
business can support online industry
self-regulation via third-party certification of
Web sites.
In fact, some firms or organizations are actively pursuing each of these options, and each option is associated with costs and benefits.
. . .
A Comparison of Third-Party Assurance Services
A number of third-party assurance seals are appearing on various Web sites today. CPAs actively participate in several such programs by offering either the assurance service or by providing dispute resolution services. Commonly found seals offering some level of assurance for customers include WebTrust, TRUSTe, BBBOnline, and BetterWeb. Other seal programs exist but have not yet achieved the recognition for assurance associated with these four.
WebTrust <www.cpaWebtrust.org>
The American Institute of Certified Public
Accountants (AICPA) and the Canadian Institute of
Chartered Accountants developed one of the older and
strongest assurance programs for online businesses,
WebTrust, in 1997. This program is the only one that
requires the certifier to be a specially trained and
licensed reviewing agent. The AICPA has licensed
approximately 175 firms in the United States and an
additional 75 firms in other countries to perform
WebTrust services. WebTrust has an alliance with
VeriSign, a company that provides digital
identification and a seal for Web sites that have
passed the review of the WebTrust agent. VeriSign
lists all the firms that have received WebTrust
seals on its Web site; as of May 2000, 27 Web sites
have been WebTrust certified.
The WebTrust review process is very comprehensive
and correspondingly expensive compared to the other
assurance seal programs. The cost of obtaining a
WebTrust seal can range from thousands to millions
of dollars, depending on the number of transactions
audited, the complexity of the Web site, and other
factors.
Under the WebTrust process, a CPA reviews the Web
site's technology, security, and business practices.
Business practices encompass, for example, the
online business' policies for sales returns,
shipping costs, transit time, and so on. The
WebTrust agent examines transaction integrity to be
sure that the firm actually processes and bills its
electronic orders or handles its electronic messages
appropriately. Effective controls to provide
reasonable assurance of sound business practices are
to be in place and are examined. In addition, the
Web site must protect consumer information via
methods such as encryption, firewalls, physical
facility safeguards, and other appropriate controls.
Web sites must offer choices to customers about use
of their personal information. Either opt-in (e.g.,
the use of check-off boxes for activities in which
the consumer wants to be included) or opt-out (e.g.,
the use of check-off boxes for activities in which
the consumer does not want to be included) choices
must be available on the Web site. Further, Web
sites must give consumers opportunities to review
and contest personal data. Thus, a WebTrust-certified
site discloses its actual business practices; it has
internal controls that assure satisfactory handling
of customer transactions; and, it maintains controls
that provide reasonable assurance that confidential
consumer information is protected from uses that are
not related to the entity's business.
Undergoing a WebTrust certification process helps
businesses by enhancing consumer confidence, which
should lead to increased revenue. The process also
provides a WebTrust-licensed CPA with a basis for
providing sound advice for strengthening a client's
online business activities. WebTrust seals involve
an ongoing review process to ensure that the
seal-holder's online business practices continue to
meet WebTrust standards. Webtrust CPAs update the
certification reports at least once every 90 days. A
Web site user who is interested in knowing details
about the firm's policies can read the most recent
report online. If consumers have complaints about a
WebTrust certified business, they can contact the
issuing CPA directly, who will act as a liaison to
the certified firm.
TRUSTe <www.TRUSTe.org>
Also founded in 1997, TRUSTe's developers were the Electronic Frontier Foundation and the CommerceNet Consortium. TRUSTe is an independent, nonprofit
organization whose mission is to build users' trust
and confidence in the Internet. To accomplish this
mission, TRUSTe is involved with educational
efforts, assurance services, and oversight
activities. TRUSTe is probably the best known
assurance seal service; it issued its 1000th seal in
January 2000. Cost is based on the online business'
annual revenues, and ranges from $299 to $6,999.
TRUSTe's assurance certifications are focused
primarily on the privacy of consumer information.
However, TRUSTe defines privacy to include selected
security aspects. The organization's procedures
assume that no one privacy policy will work for all
firms. Thus, TRUSTe requires disclosure of each
certified business' particular policies, typically
displayed when a site visitor clicks on the "trustmark"
or seal. If a firm needs help in creating its
privacy policy, TRUSTe has made wizards available to
help generate a customized privacy statement for
that firm.
TRUSTe's review process examines whether the
firm's privacy policies are in line with fair
information practices and are posted. TRUSTe expects
the site to disclose the information that is being
gathered about the consumer, how it will be used,
with whom it will be shared, and how to verify,
update, or correct personal data. TRUSTe Web sites
must allow consumers to opt-out of internal
secondary uses of their data and third-party
distribution of their data for secondary uses.
Further, procedures must be in place to protect a
user's information from loss or misuse.
After issuing a seal, TRUSTe monitors the
seal-holding Web site on a quarterly basis. The
organization plants identifiable records on Web
sites and observes the consequences to see if the
Web site is violating its policies. All TRUSTe
members have agreed to comply with its dispute
resolution process, and TRUSTe will act as a liaison
between the consumer and the licensed firm in case
of consumer complaint. Suspected policy violation
investigations may trigger an onsite compliance
review.
Currently, TRUSTe arranges for
PricewaterhouseCoopers or KPMG to conduct the
compliance reviews. In addition, TRUSTe is currently
working with Ernst & Young on an enhanced
verification approach.
BBBOnline <www.bbbonline.org>
Founded in 1998 with its first seals issued in
1999, BBBOnline is a subsidiary of the Better
Business Bureau (BBB). BBBOnline's assurance
services benefit from the aura of the BBB, which has
nearly ninety years of experience in voluntary
self-regulation and consumer-dispute resolution. As
with other seal programs, BBBOnline provides an
online, searchable database of businesses that it
has deemed trustworthy.
BBBOnline offers two different seals for Web
sites: a Privacy seal and a Reliability seal. In
general, the Reliability seal relates to the
"bricks-and-mortar" BBB program. To receive a
reliability seal, a firm must be a BBB member. Thus,
this seal identifies online businesses that are
associated with honest advertising and fair
treatment of customers.
An online business must not have an
unsatisfactory record with the BBB to be considered
for a separate Privacy seal. Then, the review
process focuses on the privacy policies of the Web
site. An organization's privacy policies must meet
BBBOnline's core principles for disclosure, choice,
and data security, and the organization must post
its policies on its Web site with clear links on Web
site pages. Sites must undergo annual
self-assessments of their security policies, and
BBBOnline monitors sites on a random basis.
Certified sites agree to the mandatory dispute
resolution procedures of BBBOnline. Annual cost for
this assurance service is inexpensive; ranging from
$150 to $5,000 based on annual revenue. BBBOnline
gives a 50 percent discount to businesses that also
participate in the BBB Reliability program.
Currently, BBBOnline has granted more than 500
Privacy seals and more than 5,000 Reliability seals.
BBBOnline offers opportunities to professional
organizations for co-marketing of the BBBOnline
seal. The partnered organization must commit to
promoting good privacy practices and to educating
their members about the Privacy seal program.
Association members then receive discounts on the
annual Privacy seal fee, making it even less costly
to some online businesses.
BetterWeb <www.betterWeb.com>
PricewaterhouseCoopers has recently developed an assurance seal program called BetterWeb. This
program offers certification to firms whose policies
are disclosed according to the BetterWeb standards.
PricewaterhouseCoopers officially launched BetterWeb
in December 1999 and has certified eight sites as of
May 2000. BetterWeb is a relatively costly service
with an annual fee of approximately $15,000 per
site.
The BetterWeb program examines policies regarding
sales terms (if applicable to the online business),
privacy and security of consumer information, and
customer complaints. If a site is certified,
BetterWeb assures that policies in these areas exist
and are readily accessible to the site visitor.
BetterWeb does not provide consumers any assurances
about the effectiveness of a firm's internal
controls or adherence to its posted policies. With
respect to consumer complaints, the online business
must post contact information and provide a timely
confirmation of complaint receipt to the
correspondent. BetterWeb does not act as an
intermediary in the dispute process.
Table 3
provides a summary of the services and
features of the major third party assurance seals
discussed above.
Other Third-Party Efforts
Initiated in December 1999, the Secure
Assure model is quite different from the previously
discussed programs. While these other seal programs
all require posting of firm-specific policies,
SecureAssure does not permit its affiliates to have
independent policies in areas covered by its seal.
All seal holders must agree to follow the
SecureAssure standards for accountability, security,
dependability, and legitimacy in addition to
limitations on collection, use, and distribution of
personal information.
Many CPA firms also offer online business reviews
leading to opinions on the adequacy and reliability
of controls related to operational and privacy
issues. Except for PricewaterhouseCoopers' BetterWeb
Seal, these efforts have not been directed at
branding a specifically identifiable emblem. Also, a
number of other seals are available that do not
include reviews of policies, compliance reviews, or
dispute-resolution processes. Some are free, and
some require a minimal fee for listing a Web site in
what is essentially an online database of members.
Examples include Multicheck, PublicEye, and Netcheck
Commerce Bureau.
Enonymous.com is a Web site that offers related
but somewhat different services to consumers.
Enonymous rates online sites on the
comprehensiveness of their stated privacy policies.
Sites do not have to be members and compliance with
stated policies is not examined. Enonymous provides
free software that resides on the consumer's
computer and places an icon on the computer screen.
When the consumer is visiting an online business, a
click on the Enonymous icon provides a rating of the
online business's privacy policies. Enonymous
assigns an online business's privacy policies from
one to four stars. As net-businesses grow, consumers
should expect additional seal-branding efforts.
Conclusion
Consumer concerns about the legitimacy and operational aspects of online businesses and the use
of personal information certainly are warranted.
Assurances range from comprehensive to very narrow
just as the cost of being certified ranges from
inexpensive to costly. At the present time, the more costly assurance services, WebTrust and BetterWeb, have the fewest certified Web sites. Because
BetterWeb is relatively new, its market potential is
difficult to assess. WebTrust, on the other hand, is
one of the oldest Web site assurance services.
Evidently, the marketplace does not perceive that
the extra value associated with WebTrust is worth
the additional cost. The AICPA and WebTrust licensed
CPAs need to promote the advantages of WebTrust's
more comprehensive assurance services if this
program is to grow.
CPAs, with their understanding of assurance
services, are in a unique position to assist clients
in choosing among competing Web site certification
programs. In addition, CPAs can aid clients in
developing policies that are appropriate for the
assurance seal required. In the event that
legislation is passed requiring compliance with
online privacy practices, CPAs must be ready to help
clients meet the requirements.
Also see
http://www.msnainc.com/publications/archive/webtrust.pdf
Bob Jensen's threads on assurance services --- http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm
Some sample questions
Question 1.1
What is the WebTrustSM Electronic Commerce Seal that is now offered
by an increasing number of public accounting firms who provide assurance
services? What are the three broad categories of WebTrustSM (referred
to in the case as LogoTrust, TransTrust, and DataTrust)? How did WebTrustSM
come about and what is the AICPA/CICA relationship with VeriSign?
[Hint: Start your search at the AICPA web site
http://www.aicpa.org/assurance/index.htm
and then go to the VeriSign web site at
http://www.verisign.com ]
Verifying that the company or person on the other end of the line is truly that company or that person has become known as authentication. The best-known web authentication service is VeriSign. In a single press release on September 16, 1997, the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) announced the public/chartered accountant WebTrustSM Electronic Commerce Seal. The Seal was to be used by member firms that offer assurance services in the following broad areas:
- Business Practice Disclosures
- Transaction Integrity
- Information Protection
Employees engaged in WebTrust activities are required to meet training standards set by the AICPA and the Canadian CICA.
In the area of authentication services, the best-known current provider is VeriSign at the URL shown in the "hint" above. VeriSign provided the expertise to make the WebTrustSM online Seal difficult to forge: the seal displayed on a certified site links back to VeriSign, which confirms that the seal was issued to that site and is still current, so a seal image merely copied onto another site verifies nothing.
Question 1.2
How do the logo assurance services of the BBB Online program at
http://www.bbb.com and the TRUSTe DataTrust assurance services at
http://www.TRUSTe.com differ? What comparative advantages do public
accounting firms have vis-à-vis these two competitors who are not public
accounting firms?
[Hint: See G.G. Gray and R. Debreceny, "The Electronic Frontier," Journal of
Accountancy, May 1998, 32-38.]
The Better Business Bureau offers an online LogoTrust service that is somewhat unusual. The BBB Online logo appears at registered company web sites. At those sites, the BBB Online logo is hyperlinked to the BBB Online site, which verifies that the link came from a legitimately registered site. This LogoTrust service is similar to the way the WebTrustSM seal is verified through VeriSign. However, VeriSign is the better-known name in the digital certificate and digital signature industry to date.
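The click-to-verify pattern described above (a seal that links back to its issuer, which then vouches for the site the click came from) can be sketched in a few lines. The following Python is an added example written for this page; it is not code from the BBB, the AICPA/CICA WebTrust program or VeriSign, and its names (SealIssuer, issue_seal, verify_click, encode_claims, decode_claims), the fictional hosts shop.example and copycat.example, and the HMAC-signed token format are assumptions of the example rather than any program's real protocol. It does show the three checks any such verifier needs: the token is bound to one domain, it expires (WebTrust's 90-day recertification interval is used here), and a copied seal image carries no proof on its own because only the issuer holds the signing key.

```python
"""Toy click-to-verify seal in the BBBOnline / WebTrust style (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta


def encode_claims(claims: dict) -> str:
    """Canonical JSON -> unpadded URL-safe base64; this is the part that gets signed."""
    raw = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_claims(body: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


class SealIssuer:
    """Plays the role of the seal program (BBB Online, or VeriSign acting for WebTrust)."""

    def __init__(self, today: str, key: bytes = None) -> None:
        self.key = key or secrets.token_bytes(32)  # never leaves the issuer
        self.today = date.fromisoformat(today)
        self.revoked = set()  # domains whose certification was withdrawn

    def issue_seal(self, domain: str, days_valid: int = 90) -> str:
        """Token placed in the seal's verification link on the merchant's page."""
        claims = {"domain": domain.lower(),
                  "issued": self.today.isoformat(),
                  "expires": (self.today + timedelta(days=days_valid)).isoformat()}
        body = encode_claims(claims)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def verify_click(self, token: str, referring_domain: str, on: str = None):
        """What the issuer's verification page decides when a visitor clicks a seal.

        referring_domain: the site the click came from (assumed known to the
        verifier here; see the note below).  on: ISO date of the click.
        Returns (ok, reason)."""
        when = date.fromisoformat(on) if on else self.today
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"          # token altered or made up
        claims = decode_claims(body)
        if claims["domain"] != referring_domain.lower():
            return False, "seal issued to another domain"  # seal copied elsewhere
        if claims["domain"] in self.revoked:
            return False, "seal revoked"
        if when > date.fromisoformat(claims["expires"]):
            return False, "seal expired"           # recertification lapsed
        return True, "valid"
```

One caveat a practitioner would add: the verifier cannot fully trust a browser-supplied Referer to learn `referring_domain`, so a real verification page should also display the domain the seal was issued to, so that the visitor can compare it with the address bar of the site they came from.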
TRUSTe at
http://www.TRUSTe.com is a DataTrust service aimed at protecting privacy
rights and privacy agreements of companies and individuals that have shared
information for an authorized purpose. For example, DataTrust is analogous to
having an unlisted phone number. Telephone companies agree not to give out
names, addresses, and phone numbers of persons who pay for unlisted numbers. In
the case of listed phone numbers, however, telephone companies traditionally
sell that data to anyone willing to pay the price for the data. Persons with
listed phone numbers thereby find themselves deluged with telemarketers, junk
mail solicitations, etc.
Unless web users have set their browser options not to accept cookies, companies can use cookies to tie a visitor's browser to the information they accumulate about that visitor (e.g., names, addresses, phone numbers, product interests, browsing patterns, payment histories, etc.), and that information can be used and abused by companies such as DARE. For example, DARE may willingly or accidentally share cookie data (recipes?) with outsiders.
Definition of Cookies from Bob Jensen's Technology Glossary at
http://www.trinity.edu/~rjensen/245glossf.htm :
Cookies = Small named text values that a web server asks the browser to store and to send back on later requests, which enable a web site to recognize each user and collect information about that user for later reference (as in finding cookies in the cookie jar). Web browsers like Netscape Navigator set aside a small amount of space on the user's hard drive to record them. When you browse a web site, your browser checks whether it holds a cookie for that server; if it does, it sends the cookie to the server along with the request for a web page. Cookies are often used to keep a shopping cart together as the user places items in it before submitting the full order. The cookie itself should carry only an opaque session identifier; the cart contents and the billing details are kept on the server under that identifier, so that a customer can fill a shopping cart over several pages and then be billed without payment information ever being written into the cookie. Cookies retain information about a user's browsing patterns at a web site. A good place to find out more about cookies is at
http://www.illuminatus.com/cookie.fcgi .
Also see
http://www.doubleclick.net/ and
http://www.ipro.com/. Cookies perform storage on the client side that might otherwise have to be kept in a session-state or database server on the server side. Cookies can be used to collect information for consumer profile databases. Browsers can be set to refuse cookies. Other ways of controlling cookies or deleting selected cookies can be obtained from
http://www.privnet.com/ and
http://www.wizvax.net/kevinmca/. Source of definition:
http://www.trinity.edu/~rjensen/245glossf.htm#Cookies1
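The glossary entry above describes cookie behaviour in words; the following Python is an added example (not code from Bob Jensen's glossary, from Netscape, or from any vendor named on this page) that models it so the privacy points in Questions 1.2 and 1.4 can be tested concretely. The fictional hosts shop.example and ads.example and the names Cookie, CookieJar and ShopServer are the example's own assumptions. It shows the browser returning a cookie only to the server that set it and only under the conditions the Secure and HttpOnly attributes allow, a server refusing a tampered session cookie, and a shopping cart whose contents and billing details never leave the server. Matching is deliberately simplified: no Expires/Max-Age handling, a prefix-only Path match, subdomains always match the cookie's domain, and unknown attributes such as SameSite are accepted but ignored.

```python
"""Toy browser cookie jar plus a server-side shopping cart (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str             # host the cookie belongs to, no leading dot
    path: str = "/"
    secure: bool = False    # send only over HTTPS
    httponly: bool = False  # hidden from document.cookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    """shop.example and www.shop.example match shop.example; ads.example does not."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value as a browser would (simplified)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            val = val.lstrip(".").lower()
            # A response from ads.example may not plant a cookie for shop.example.
            if not domain_matches(request_host.lower(), val):
                raise ValueError(f"{request_host} may not set a cookie for {val}")
            cookie.domain = val
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


class CookieJar:
    """The small per-user store the browser keeps on the user's disk."""

    def __init__(self) -> None:
        self.cookies = []

    def store(self, set_cookie_header: str, request_host: str) -> None:
        new = parse_set_cookie(set_cookie_header, request_host)
        self.cookies = [c for c in self.cookies if
                        (c.name, c.domain, c.path) != (new.name, new.domain, new.path)]
        self.cookies.append(new)

    def cookie_header(self, host: str, path: str, https: bool) -> str:
        """The Cookie request header the browser attaches to a request to host/path."""
        sent = [c for c in self.cookies
                if domain_matches(host.lower(), c.domain)
                and path.startswith(c.path) and (https or not c.secure)]
        return "; ".join(f"{c.name}={c.value}" for c in sent)

    def script_visible(self, host: str) -> list:
        """Cookie names a page script on host could read through document.cookie."""
        return [c.name for c in self.cookies
                if domain_matches(host.lower(), c.domain) and not c.httponly]


class ShopServer:
    """Keeps cart and billing details on the server, keyed by an opaque session ID."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # HMAC key never leaves the server
        self._sessions = {}

    def _tag(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()[:16]

    def new_session(self) -> str:
        """Set-Cookie header value for a fresh session; the cookie carries no cart data."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"cart": [], "billing": None}
        return f"sid={sid}.{self._tag(sid)}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def session(self, cookie_header: str):
        """Session named by the Cookie header, or None if missing or tampered with."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid":
                sid, _, tag = value.partition(".")
                if hmac.compare_digest(tag, self._tag(sid)):
                    return self._sessions.get(sid)
        return None

    def add_to_cart(self, cookie_header: str, item: str):
        """Append item to the caller's server-side cart; None if the session is invalid."""
        sess = self.session(cookie_header)
        if sess is None:
            return None
        sess["cart"].append(item)
        return list(sess["cart"])
```

The design point for a DataTrust-style review: the only thing the client ever holds is `sid` plus an HMAC tag, so a user who refuses or deletes cookies loses nothing but the cart, and a site that did stuff names, addresses or card numbers into the cookie would be exposing them to every script, proxy and shared machine that can read it.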
Under the WebTrustSM program, accounting
firms may offer DataTrust services similar to that of TRUSTe at
http://www.TRUSTe.com. In fact TRUSTe uses
PwC and KPMG Peat Marwick accounting firms to conduct surprise investigations of
possible misuse of the TRUSTe logo by its clients.
Question 1.3
What are the risks to consider when providing LogoTrust assurance services to an
online company?
[Hint: See G.G. Gray and R. Debreceny, "The Electronic Frontier," Journal of
Accountancy, May 1998, 32-38.]
LogoTrust has less risk than DataTrust because it
guards against fewer things that can go wrong. LogoTrust assures users that the
logo is being used legitimately. There are, of course, potential lawsuits if
damages ensue from its misuse. Restraints such as limits to the dollar amount of
a transaction are not much protection since any person or company using a logo
for fraudulent purposes may also change the transaction restraints.
Risks are somewhat reduced following legislation in
the U.S. Congress regarding joint and several liability of CPAs. The risk of
being the deep pocket defendant left to bear all of the damages in failures that
are only partly attributable to CPA firm negligence has been greatly reduced.
CPAs, however, are still subject to having to pay whatever share of the damages
that courts attribute to those CPAs.
Apart from lawsuit risks, there are risks of bad
publicity and tarnished reputation for failed assurances. CPAs have a
competitive advantage at the moment because of public perception of CPAs as
honest and diligent. Entering into more risky services such as information
security assurances might tarnish both the reputation of a particular CPA firm
and the CPA profession in general.
Question 1.4
What are the risks to consider when providing DataTrust assurance services
regarding confidentiality?
[Hint: Cookies are explained at
http://www.trinity.edu/~rjensen/245glossf.htm#Cookies1 ]
WebTrust assurances cover a broader range of
electronic commerce transactions in addition to logo assurances. WebTrust can
cover business practices and internal control. It requires more testing and
professional competence in electronic commerce. Whereas some logo assurance
services like TRUSTe require only after-the-fact self reporting, WebTrust
service providers require client recertification every 90 days.
Financial Statement Assurance in an E-Business Environment
Risks uniquely present in an e-business environment:
- Networked transactions
- Changing technologies that can tank a business overnight
- Soft assets dominate hard assets
- Ever-evolving series of mergers and acquisitions
- Short and high-risk product life cycles
- Young and inexperienced labor force
- Success or failure may ride on one person or a few key people
- Lack of management focus on cost control
- Successions of losses do not necessarily impair a going concern (provided investors are willing to keep infusing the business with cash)
- Substantive testing in audits may not be practical or feasible (see Statement on Auditing Standards [SAS] 80, Amendment to SAS 31, Evidential Matter)
New Forms of Assurance to Facilitate E-Business
AICPA formed the Special Committee
on Assurance Services (SCAS) in 1994. After a careful analysis of
demographic and other trends, this committee concluded the following:
Your marketplace is changing. Multibillion-dollar
markets for new CPA services are being created. Investors, creditors,
and business managers are swamped with information, yet frustrated about not
having the information they need and uncertain about the relevance and
reliability of what they use. CPA firms of all sizes--from small
practitioners to very large firms--can help these decision makers by
delivering new assurance services. (AICPA Web site, "Assurance
Services," www.aicpa.org).
The Elliott Committee (named after its chair, Robert K. Elliott) identified six new service areas considered to have high potential for revenue growth for assurance providers:
- Risk Assessment
- Business Performance Measurement
- Information Systems Reliability
- Electronic Commerce
- Health Care Performance Measurement
- ElderCare
The work of the Elliott Committee was followed by the
appointment of the ongoing Assurance Services Executive Committee, chaired by
Ronald Cohen. This committee is charged with the ongoing development of
new assurance services and the provision of guidance to practicing CPAs on
implementing the services developed.
- Information Systems Reliability Assurance
- Electronic Commerce Assurance
Business-To-Consumer Assurance
- CPA/CA WebTrust (Joint Venture of AICPA and CICA)
  - Business Practices and Disclosure--The entity discloses its business and information privacy practices for e-business transactions and executes transactions in accordance with its disclosed practices.
  - Transaction Integrity--The entity maintains effective controls to provide reasonable assurance that customers' transactions using e-business are completed and billed as agreed.
  - Information Protection and Privacy--The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-business is protected from uses not related to the entity's business.
- Proprietary E-Business Audits
- Privacy Audits
Business-to-Business Assurance
- Assurances against service disruptions and product shipments
- CPA/CA SysTrust (Joint Venture of AICPA and CICA)
  - Availability--The system is available during times specified by the entity.
  - Security--Adequate protection is provided against unwanted logical or physical entrance into the system.
  - Integrity--Processes within the system are executed in a complete, accurate, timely and authorized manner.
  - Maintainability--Updates (upgrades) to the system can be performed when needed without disabling the other three principles.
- SAS 70 Reviews of Service Organizations (extended to B2B Risks)
SAS 70, Reports on the Processing of Transactions by Service Organizations, was issued to provide assistance in the auditing of entities that obtain either or both of the following services from an external third party entity.
- Internal Controls Risk
  - The financial statement assertions that are either directly or indirectly affected by the service organization's internal control policies and procedures.
  - The extent to which the service organization's policies and procedures interact with the user organization's internal control structure.
  - The degree of standardization of the services provided by the third party to individual clients. In the case of highly standardized services, the service auditor may be best suited to provide assurance; however, when the third party offers many customized services, the third-party auditor may be unable to provide sufficient assurance regarding a specific client.
SAS 70 provides for two reports the service auditor can provide to the user auditor concerning the policies and procedures of the service organization:
Other Potential New Services to Facilitate E-Business
- Value-Added Network (VAN) Service Provider Assurance
- Evaluation of Electronic Commerce Software Packages
- Trusted Key and Signature Provider Assurance
- Criteria Establishment
- Counseling Services
The AICPA's Assurance Services Website is at http://www.aicpa.org/assurance/index.htm
Major Constraints and Considerations
- Competencies Required
- Competition
- Jeopardy to Public Accountancy's Image of Independence and Professionalism
- Legal Risks
August 8, 2002 message from Miklos
I have posted on the Web pieces of my e-commerce course, about an hour plus of clips. Be my guest to use them:
http://raw.rutgers.edu/miklos/baxtermovies/baxter.html
They can be used (not tightly coupled) with my e-commerce slides:
http://raw.rutgers.edu/ecommerce2
Miklos A. Vasarhelyi
KPMG Professor of AIS
Rutgers University Director, Rutgers Accounting Research Center
315 Ackerson Hall, 180 University Ave. Newark, NJ 07102
tel: 973-353 5002 fax 973-353 1283 miklosv@andromeda.rutgers.edu
Large CPA Firm Revenues and Services
Auditing Firm Revenues and Services (I
think the data are suspect in this article) ---
http://www.usubscribe.com/order.cfm?tid=12560>se=goog>KW=Accounting+Today
August 26, 2005 message from Jim Borden
I was wondering if anyone might be able to
help me respond to the following question I received from a student:
"I had a quick question concerning Chapter
1. The text states that consulting is the area of highest growth for
public accounting firms. Isn't that misleading considering that most
firms gave up their consulting business to conform with SOX?"
I was trying to look for some up to date
stats on what percentage of the Big 4's revenues are audit versus
non-audit, and how that percentage has changed over the past 2-3
years. Any suggestions? Thanks,
Jim Borden
Villanova University
August 26, 2005 reply from Bob Jensen
Hi Jim,
I’m not a whole lot of help on
this, and I would appreciate it if you would let me know what
you find out. You might put this one out to the AECM.
I currently do not have great free
sources of this information. It is likely to be available to
subscribers at
http://www.auditanalytics.com/
Aggregated Revenues of PricewaterhouseCoopers Firms by Service Line
(USD Millions, at FY04 exchange rates)

Service Line                                         FY04      FY03   % Change   % Change
Assurance                                           8,713     7,433      17.2%       9.6%
Advisory                                            3,077     2,709      13.6%       6.3%
Tax                                                 4,464     4,197       6.4%      -0.2%
Net Revenue from Continuing Professional Services  16,254    14,339      13.4%       6.1%
Expenses Billed to Clients                          1,317     1,137      15.8%       6.3%
Gross Revenue from Continuing Operations           17,571    15,476      13.5%       6.1%
Discontinued Operations                                29       344     -91.5%     -92.3%
Total Gross Revenues                               17,600    15,820      11.3%       3.9%

Notes to the table:
FY04 revenues are expressed in US dollars at average FY04 exchange rates. FY03 revenues are shown as originally reported last year at average FY03 exchange rates.
Fiscal year ends 30 June.
FY03 Service Line revenues have been reclassified to reflect the new Service Line structure, which came into effect in 2004. Tax figures include correspondent law firms where regulations permit.
Discontinued operations represent businesses disposed of during the year, principally affecting Tax services revenues of firms in Europe.
Whereas E&Y and PwC sold their consulting divisions to Cap
Gemini and IBM respectively, KPMG went public with KPMG
Consulting in an IPO. The company's symbol is KCIN on NASDAQ.
It experienced huge cash flow difficulties in 2001 following the
IPO ---
http://www.businessweek.com/magazine/content/01_21/b3733096.htm
You can get current information on KCIN at
http://biz.yahoo.com/ipo/p/kcin.html
As of February 8,
2001, KPMG Consulting, Inc. is an independent consulting company
and no longer affiliated with KPMG LLP. Hence, KPMG's
subsequent non-tax advisory services exclude consulting revenues
of KCIN.
You can download KPMG’s 2004
Annual Report from
http://www.us.kpmg.com/microsite/attachments/IAR_04.pdf
On Page 43 of that report, I'm a bit surprised that audit
revenues in 2004 slipped to only 48% of total revenue whereas
non-tax advisory services hit 29% of the $13.44 billion in
revenue after selling off its consulting division.
Similarly,
KPMG reported its 2003 non-tax advisory revenues as 27% of its
$11.16 billion in total revenues. The Accounting Today article
reports zero KPMG consulting revenues such that I find it hard
to reconcile the 27% versus 0%. Since the Accounting Today
article reports KPMG's revenue as 67% for audit and 33% from
tax, it would appear that non-tax advisory services have all
been declared auditing revenue by Accounting Today. This makes
no sense to me.
It would
appear that the Accounting Today article greatly understates
what the Big Four firms today really earn from non-tax advisory
services.
I don’t have any suggestions for
finding Deloitte and Touche data. This is unfortunate since
Deloitte is the only one of the Big Four that did not sell off
much of its consulting. You might note the link at
http://www.deloitte.com/dtt/section_node/0%2C1042%2Csid%25253D41153%2C00.html
E&Y’s annual report was disclosed
without E&Y permission a while back, but I lost my link to this
information.
From at least 1994 until about May 25, 2000, when EY sold
its Management Consulting Group ("Consulting"), EY was a
"Big Six" accounting firm organized as a limited liability
partnership that referred to itself as a leading
professional services firm. (EY Findings of Fact at 2)
Ernst & Young LLP,
SEC No-Action Letter, [2000 Transfer Binder] Fed. Sec. L.
Rep. (CCH) ¶ 77,863 (May 25, 2000). In the period 1996 to
2000, EY had 70,000 to 80,000 employees, annual revenues of
$6 to $12 billion, and offices in 700 locations in 130
countries. (March 25, 2003, Tr. 96; Div. Exs. 169 at 032052,
413 at 036204, 514 at 040028.) EY's organizational structure
was matrix-based, not hierarchical, and it operated on a
very decentralized basis. (April 1, 2003, Tr. 123, April 2,
2003, Tr. 84.) The organization consisted of a management
committee, a chief executive officer or senior partner,
several deputy partners, separate leadership for the
practice areas of audit, tax, and consulting, and, at a
lower level, regional or area structures. (April 1, 2003,
Tr. 127.) EY's national office was spread geographically
over EY's twelve regions. (March 25, 2003, Tr. 178.)
EY's audit revenues increased at a much slower pace than
revenues from both tax and consulting as shown by figures
for two years, 1994 and 1999.
        Audit           Tax             Consulting      Total
1994    $1,225 million  $  543 million  $  775 million  $2,543 million
1999    $2,205 million  $1,436 million  $2,459 million  $6,100 million
E&Y has
continued to rebuild its consulting practice after selling its
consulting practice and this has led to numerous troubles for
E&Y. A reference you might look at is at
http://faculty.trinity.edu/rjensen/fraud001.htm#Professionalism
Obviously
tax consulting has been a huge recent problem for KPMG that has
spilled over into the auditing profession in general. You might
read KPMG’s recent statement about this at
http://www.us.kpmg.com/news/index.asp?cid=1872
It says KPMG no longer provides the “services in question,” but
is somewhat vague as to what tax advisory services have been
eliminated.
One added
reference you might look at is
http://faculty.trinity.edu/rjensen/FraudConclusion.htm#FutureOfAuditing
Bob Jensen
August 26, 2005 reply from Randy Elder
Accounting Today is a good
source of information on this issue. Here is some comparative
data for the Big 5 (4):
Percentage of revenue from consulting
            2000    2003
PwC          50%      5%
D&T          50%     36%
KPMG         43%      3%
E&Y           5%      3%
Andersen     25%     N/A
The primary factor driving this is disposals of consulting. By 2000
both Andersen and E&Y had disposed of the consulting practices.
Deloitte & Touche still has its consulting practice, so its decline
in consulting may best capture the effects of SOX. The percentage of
revenue from consulting did increase dramatically during the 90s,
and at one time was the largest source of revenue for most of the
Big 5. Tax is not included in these percentages, and is about a
third of revenue for the Big 4. The change is that partners tell me
that only a third of this work is for audit clients, down from fifty
percent before SOX.
The second tier national firms earn about 20% of their revenue from
consulting, and this is down only slightly. Regional firms earn
around 25% of their revenue from consulting, and this is steady.
Randy
*****************************************
Randy Elder
Associate Professor and Director
Joseph I. Lubin School of Accounting
Martin J. Whitman School of Management
Syracuse University
Syracuse, NY 13244-2130
Email:
rjelder@som.syr.edu
August 27, 2005 reply from Bob Jensen
Hi Randy,
There may be some problem with what is
defined as "consulting." For example, in the Year 2003 your
Accounting Today table reports 5% of total revenues from non-tax
consulting in PwC. The 2004 annual report from PwC, however,
reports non-tax "advisory" service revenue at around 17% for both
Years 2003 and 2004. I don't know why there is a difference of
17%-5% = 12%.
Similarly, KPMG reported its 2003 non-tax
advisory revenues as 27% of its $11.16 billion in total revenues.
The Accounting Today article reports zero consulting revenues
such that I find it hard to reconcile the 27% versus 0%. Since the
Accounting Today article reports KPMG's revenue as 67% for audit and
33% from tax, it would appear that non-tax advisory services have
all been declared auditing revenue by Accounting Today. This
makes no sense to me.
Let's
begin with Year 2000. Your Accounting Today table only
leaves 17% of revenue from audit services after you deduct 50% from
consulting services and 33% from tax services. Of course that was in
the Year 2000. It's small wonder why the big auditing firms love the
tremendous surge in audit revenues arising from SOX.
It's also small wonder why quality of auditing dropped in the
1990s with much of this quality decline arising from cutbacks in
costly detail testing in audits. The firms were trying to make
auditing more profitable.
There is rising sympathy these days for the old Andersen firm
when we hear bleeding heart speeches from former partners, but it’s
my opinion that the Arthur Andersen firm led the pack in reducing
audit quality and probably got what it deserved. Enron and Worldcom
were merely the culminations of years of bad auditing. The problem
was not so much with staff auditors as it was with their managing
partners who were willing to sacrifice both integrity and quality to
keep an audit client and make a huge profit on audit-consulting-tax
services for that client. It's hard to weep for the audit partners
who were cutting corners and expounding ethics and professionalism
at the same time. The Andersen firm looks especially bad in the new
book called Conspiracy of Fools by Kurt Eichenwald (Broadway
Books, 2005).
In the Year 2004 in PwC, the revenues flip flopped to a reported
17% from consulting and 50% from "assurance" services. The lion's
share, although not all, of that 50% arises from financial audits.
By 2004, PwC had sold its consulting practice to IBM and then
rebuilt its own consulting (non-tax advisory) services back up to
17% of revenues ---
http://www.pwc.com/extweb/aboutus.nsf/docid/8f6f5cb458a82d4c85256f350064cd9d
SOX enabled the large firms to charge much more for audits. Of
course costs have also mounted and litigation exposure is probably
greater. The firms are settling lawsuits in ever-increasing amounts
---
http://faculty.trinity.edu/rjensen/fraud001.htm#others
For example, by the time legal costs and settlements are paid in
KPMG's admitted tax criminality, the cost will approach $1 billion.
That's an enormous amount of money to spread over 6,500 partners in
KPMG. And this is only one of the many settlements that KPMG faces
in the future ---
http://faculty.trinity.edu/rjensen/fraud001.htm#KPMG
A large share of lawsuit settlements are paid from insurance, but
insurance companies are not in business to lose money. Eventually,
those insurance settlements are returned to insurance companies in
future premiums.
Bob Jensen
August 27, 2005 added reply from Bob Jensen
Hi again Jim Borden,
In digging for trends in revenue from "consulting" among the big
auditing firms, I forgot to weigh in on why I think three of the
four of the firms sold their consulting practices. Your (Jim
Borden's) initial question that set us off on this was whether the
sales of the consulting practices in E&Y, PwC, and KPMG were due to
new SOX regulations.
My answer on this is NO! I think the decisions to sell predated
SOX.
In my own opinion, sales of the consulting divisions were mainly an
effort to stay in the auditing business after Enron imploded and
serious questions were raised about independence of auditors as well
as poor quality of auditing ---
http://faculty.trinity.edu/rjensen/fraud001.htm#Professionalism
SOX is a compromise in an immense crisis that could have resulted
in putting all audit and accounting standard setting in the hands of
the SEC, breakups of the big auditing firms, and/or even taking
auditing out of the private sector. The sales of the consulting
divisions helped the legislature to reach a compromise.
There was also some feeling within the firms that it was good
timing to sell since the bursting of the 1990s technology bubble was
going to make consulting, at least in the short run, less
profitable. It was a good time to cash in the chips. Consulting has
always been more risky than auditing in the sense that CPA firms do
not have the legal monopoly on consulting that they have on audit
certification.
When you look at the rapid rise of consulting revenue and profits
in the 1990s, it is tempting to ask why the firms didn't sell the
auditing sides of the business and stay in consulting. Firstly, I
doubt that there were any buyers for audit divisions other than one
of the other large auditing firms, and further consolidation into
say one, two, or even three mega-auditing firms would have been
frowned upon by the FTC and corporate clients.
Secondly, the true decision making power in the large accounting
firms was still in the hands of the older auditors who had nowhere
else to go relative to their young whippersnapper information
systems consultants.
Thirdly, we have seen that the big firms managed to sell their
consulting divisions at enormous gains while at the same time
managed to start out anew building new advisory services that in
some, but not all, cases compete. There were no lifetime sales
contracts not to compete. As you can see from the 2004 PwC annual
report, non-tax advisory services have leapt back into action after
selling the non-tax advisory service division to IBM.
What SOX has done is change who your advisory service customer
can be if you also are the external auditor for that customer. Some
types of advisory services are verboten under SOX, particularly
consulting on information systems that you also audit. That practice
enjoyed by Andersen in Enron is strictly forbidden (well sort of
strictly depending upon certain definitions) under SOX. What we now
have is PwC advising E&Y audit clients, E&Y advising PwC audit
clients, and every other permutation of four firms taken two at a
time.
It's all a bit too pat as far as I'm concerned, especially when
clients are encouraged to frequently change auditors. How can they
find a new auditor who has not been paid to help build their
information system and its internal controls?
But auditing firms cannot blame SOX. They should, and are,
praising SOX like the holy grail.
Bob Jensen
August 27, 2005 reply from Randy Elder
Bob,
I agree there are potential measurement
issues in the Accounting Today data, but the data I provided fairly
well captures the trend in consulting revenue.
I also agree with you on the connection
between nonaudit services and the reduction in audit testing.
Academic research in this area has largely focused on whether
nonaudit services impacted auditor independence. Not surprisingly,
most of this research has found little or no relation between the
extent of nonaudit services and earnings management measures and
audit opinions. The larger problem was that firms were reducing
testing in an attempt to make auditing as profitable as consulting.
As for the sales of consulting practices,
most of them preceded SOX and even the SEC restrictions on
consulting. Many academics are unaware that SOX largely codifies SEC
restrictions on nonaudit services adopted in 2000. The consulting
practice sales largely reflect that it was a good time to get out
when the market was high. However, it is also true that as
consulting grew firms were increasingly finding themselves with
conflicts of interest.
Randy
A Special
Section on Computer and Networking Security
This section has been
moved to
http://faculty.trinity.edu/rjensen/ecommerce/000start.htm#SpecialSection
Some highly dated
material remains below:
External Auditing of Information Security: Perception
Versus Reality
A message from E. Scribner [escribne@NMSU.EDU]
One client's view of security-related external audit procedures:
"Security Journal: Annual Audits Target Security, But Miss
Mark"
http://www.computerworld.com/itresources/rcstory/0,4167,KEY73_STO66354,00.html
Ed Scribner
New Mexico State
Jensen Comment: The above article is very timely and very
disturbing. A quotation is shown below:
Perception vs. Reality
When I first started working in the security
world, I looked forward to external audits. I saw the auditors as
independent experts who could review objectively what I had been
trying to achieve and give me pointers on how to improve. I expected a
strong report that would help keep management support for my security
initiatives.
[Sidebar links that accompanied the Computerworld article:]
- Think you could do it better as an information systems auditor? Pass the Certified Information Systems Auditor exam and perhaps you'll be providing companies like mine with more thorough security assessments. This Web site includes conferences and training programs as well as exam information.
- Read Kevin Van Dixon's "Spoof Bounce" paper at the SANS Institute Web site to see the kind of risk that having a predictable IP identification can cause.
- This paper on TCP/IP "spoofing sets" shows how technically esoteric bugs get, but the threat is real.
- The annual audit is just one hoop security managers in financial services organizations must jump through. These 23 other regulatory agencies all have an impact as well.
- Anomaly-based intrusion-detection systems are in their infancy, but interesting projects such as these provide valuable security services.
[The article continues:]
Now I know the process much better. I don't
look forward to external audits; I just prepare my list of user
accounts and logical access controls. To be polite, I play the game
properly: The auditors come, and I provide an hourlong presentation
about our work this year: the deployment of personal firewalls to
every desktop, the extension of our intrusion-detection systems from
signature-based to anomaly-based, the automated virus update process
and the delivery of dual Internet connections to provide some
protection against distributed denial-of-service attacks.
They listen—the fresh graduate auditor
looking wide-eyed on his day out of the office to earn some billable
time, the older auditor looking harried and lost. Then they nod and
ask to run their cheapo in-house scanner software on our domain
controller. They don't ask to run it on our production domain
controller, but on our corporate desktop domain controller. Of course
we refuse, because it's untested software and we have a change-control
process for that sort of thing.
They look surprised, but we save the day by
asking what information they require. They list the usual: account
name, privileges, last log-in and so on. We run a shiny report from
our vulnerability assessment systems and hand it over in hard copy.
The graduate looks crestfallen, realizing he'll be spending tonight
reading it to find something—anything—to report.
A week later, their report arrives with a
spurious "medium risk" assigned to information security
because, out of the thousands of accounts they reviewed, they found
one that hadn't been used for a few weeks.
I suppose I shouldn't be bitter. If they did
a proper job, they might find many problems, and we'd look bad. And
we'd never hire them again. It's a nice, comfortable arrangement that
helps both sides—the auditors don't have to do any real work (apart
from that poor graduate), and we don't get any real hassle. But how
are we supposed to get better unless we are under pressure?
I can't imagine what it must be like on the
other side of this farce—why would you become an auditor? Now that
I've seen the time they can allocate to their reviews, I realize they
just don't have the time to get to the bottom of anything until
external factors force them to investigate.
So will auditors who are too underfunded to
find anything guarantee me a nice, healthy bonus? I wish. My
management is well aware of the depth of investigation involved in an
annual audit. Instead, they will be measuring my performance based
against my objectives set at the beginning of the year.
The rest of the article is at http://www.computerworld.com/itresources/rcstory/0,4167,KEY73_STO66354,00.htm
Trinity University students may access the article at J:\courses\acct5342\readings\ExternalAudits
External Auditing Combined With Consulting and Other Assurance Services: Audit Independence?
TITLE: "Auditor Independence and Earnings Quality"
AUTHORS:
Richard M. Frankel, MIT Sloan School of Business, 50 Memorial Drive, E52.325g, Cambridge, MA 02459-1261, (617) 253-7084, frankel@mit.edu
Marilyn F. Johnson, Michigan State University, Eli Broad Graduate School of Management, N270 Business College Complex, East Lansing, MI 48824-1122, (517) 432-0152, john1614@msu.edu
Karen K. Nelson, Stanford University Graduate School of Business, Stanford, CA 94305-5015, (650) 723-0106, knelson@gsb.stanford.edu
DATE: August 2001
LINK: http://gobi.stanford.edu/ResearchPapers/Library/RP1696.pdf
Stanford University Study Shows Consulting Does Affect Auditor
Independence --- http://www.accountingweb.com/cgi-bin/item.cgi?id=54733
Academics have found that the provision of
consulting services to audit clients can have a serious effect on a
firm's perceived independence.
And the new SEC rules designed to counter
audit independence violations could increase the pressure to provide
non-audit services to clients to an increasingly competitive market.
The study
(pdf format), by the Stanford Graduate School of Business, showed that
forecast earnings were more likely to be exceeded when the auditor was
paid more for its consultancy services.
This suggests that earnings management was an
important factor for audit firms that earn large consulting fees. And
such firms worked at companies that would offer little surprise to the
market, given that investors react negatively when the auditor also
generates a high non-audit fee from its client.
The study used data collected from over 4,000
proxies filed between February 5, 2001 and June 15, 2001.
It concluded: "We find a significant
negative market reaction to proxy statements filed by firms with the
least independent auditors. Our evidence also indicates an inverse
relation between auditor independence and earnings management.
"Firms with the least independent
auditors are more likely to just meet or beat three earnings
benchmarks – analysts' expectations, prior year earnings, and zero
earnings – and to report large discretionary accruals. Taken
together, our results suggest that the provision of non-audit services
impairs independence and reduces the quality of earnings."
New SEC rules mean that auditors have to
disclose their non-audit fees in reports. This could have an
interesting effect, the study warned: "The disclosure of fee data
could increase the competitiveness of the audit market by reducing the
cost to firms of making price comparisons and negotiating fees.
"In addition, firms may reduce the
purchase of non-audit services from their auditor to avoid the
appearance of independence problems."
A Lancaster
University study in February this year found that larger auditors
are less likely to compromise their independence than smaller ones
when providing non-audit services to their clients.
And our sister site, AccountingWEB-UK,
reports that research
by the Institute of Chartered Accountants in England & Wales (ICAEW)
showed that, despite the prevalence of traditional standards of audit
independence, the principal fear for an audit partner was the loss of
the client.
External Auditing Combined With Consulting and Other Assurance Services: The Enron Scandal
One of the most prominent CPAs in the world sent me the following message and
sent the WSJ link:
Bob, More on Enron.
It's interesting that this matter of performing internal audits didn't come up
in the testimony Joseph Berardino of Andersen presented to the House Committee a
couple of days ago.
"Arthur Andersen's 'Double Duty' Work Raises Questions About Its
Independence," by Jonathan Weil, The Wall Street Journal, December 14, 2001
--- http://interactive.wsj.com/fr/emailthis/retrieve.cgi?id=SB1008289729306300000.djm
In addition to acting
as Enron
Corp.'s outside auditor, Arthur Andersen LLP also performed internal-auditing
services for Enron, raising further questions about the Big Five accounting
firm's independence and the degree to which it may have been auditing its own
work.
That Andersen
performed "double duty" work for the Houston-based energy concern
likely will trigger greater regulatory scrutiny of Andersen's role as Enron's
independent auditor than would ordinarily be the case after an audit failure,
accounting and securities-law specialists say.
It also potentially
could expose Andersen to greater liability for damages in shareholder
lawsuits, depending on whether the internal auditors employed by Andersen
missed key warning signs that they should have caught. Once valued at more
than $77 billion, Enron is now in proceedings under Chapter 11 of the U.S.
Bankruptcy Code.
Internal-audit
departments, among other things, are used to ensure that a company's control
systems are adequate and working, while outside independent auditors are hired
to opine on the accuracy of a company's financial statements. Every sizable
company relies on outside auditors to check whether its internal auditors are
working effectively to prevent fraud, accounting irregularities and waste. But
when a company hires its outside auditor to monitor internal auditors working
for the same firm, critics say it creates an unavoidable conflict of interest
for the firm.
Still, such
arrangements have become more common over the past decade. In response, the
Securities and Exchange Commission last year passed new rules, which take
effect in August 2002, restricting the amount of internal-audit work that
outside auditors can perform for their clients, though not banning it
outright.
"It certainly
runs totally contrary to my concept of independence," says Alan Bromberg,
a securities-law professor at Southern Methodist University in Dallas. "I
see it as a double duty, double responsibility and, therefore, double
potential liability."
Andersen officials
say their firm's independence wasn't impaired by the size or nature of the
fees paid by Enron -- $52 million last year. An Enron spokesman said,
"The company believed and continues to believe that Arthur Andersen's
role as Enron's internal auditor would not compromise Andersen's role as
independent auditor for Enron."
Andersen spokesman
David Tabolt said Enron outsourced its internal-audit department to Andersen
around 1994 or 1995. He said Enron began conducting some of its own
internal-audit functions in recent years. Enron, Andersen's second-largest
U.S. client, paid $25 million for audit fees in 2000, according to Enron's
proxy last year. Mr. Tabolt said that figure includes both internal and
external audit fees, a point not explained in the proxy, though he declined to
specify how much Andersen was paid for each. Additionally, Enron paid Andersen
a further $27 million for other services, including tax and consulting work.
Following audit
failures, outside auditors frequently claim that their clients withheld
crucial information from them. In testimony Wednesday before a joint hearing
of two House Financial Services subcommittees, which are investigating Enron's
collapse, Andersen's chief executive, Joseph Berardino, made the same claim
about Enron. However, given that Andersen also was Enron's internal auditor,
"it's going to be tough for Andersen to take that traditional tack that
'management pulled the wool over our eyes,' " says Douglas Carmichael, an
accounting professor at Baruch College in New York.
Mr. Tabolt, the
Andersen spokesman, said it is too early to make judgments about Andersen's
work. "None of us knows yet exactly what happened here," he said.
"When we know the facts we'll all be able to make informed judgments. But
until then, much of this is speculation."
Though it hasn't
received public attention recently, Andersen's double-duty work for Enron
wasn't a secret. A March 1996 Wall Street Journal article, for instance, noted
that a growing number of companies, including Enron, had outsourced their
internal-audit departments to their outside auditors, a development that had
prompted criticism from regulators and others. At other times, Mr. Tabolt
said, Andersen and Enron officials had discussed their arrangement publicly.
Accounting firms say
the double-duty arrangements let them become more familiar with clients'
control procedures and that such arrangements are ethically permissible, as
long as outside auditors don't make management decisions in handling the
internal audits. Under the new SEC rules taking effect next year, an outside
auditor impairs its independence if it performs more than 40% of a client's
internal-audit work. The SEC said the restriction won't apply to clients with
assets of $200 million or less. Previously, the SEC had imposed no such
percentage limitation.
The Gottesdiener Law Firm, the Washington, D.C.
401(k) and pension class action law firm prosecuting the most comprehensive of
the 401(k) cases pending against Enron Corporation and related defendants, added
new allegations to its case today, charging Arthur
Andersen of Chicago with knowingly participating in Enron's fraud on employees.
Lawsuit Seeks to Hold Andersen Accountable for Defrauding Enron Investors,
Employees --- http://www.smartpros.com/x31970.xml
Bob Jensen's threads on the Enron scandal are at http://faculty.trinity.edu/rjensen/fraud.htm
Question 1:
How can you send email anonymously?
Answer 1:
Simply set up an email account under a fictitious name. For example, you
can send email under multiple fictitious names from the Yahoo email server at http://www.yahoo.com/
(Click on "Mail" in the row "Connect")
Question 2:
How can you be totally anonymous on the Web such that cookie monsters do not
track your Web navigation at your site and bad guys cannot track your surfing
habits or get at your personal information such as medical records, name, mail
address, phone number, email address, etc.? (You can read about cookie
monsters at
Answer 2:
There is probably no way to be 100% safe unless you use someone else's computer
without them knowing you are using that computer on the Web. In most
instances, the owner of the computer (a university, a public library, an
employer, etc.) will know who is using the computer, but cookie monsters and bad
guys on the Web won't have an easy time finding out who you are without having
the powers of the police.
About the safest way to remain anonymous as a Web surfer is to sign up for
Privada through the Internet service provider that supplies your line connection
to the Web. In most instances, surfers pay a monthly fee that will increase by
about $5.00 per month for the Privada service (if the provider offers Privada
or some similar service). To read more about Privada, go to http://industry.java.sun.com/solutions/company/summary/0,2353,4514,00.html
Privada Control (Application)
Primary Market Target: Utilities & Services
Secondary Market Target: Financial Services
Description: Used with Privada Network, PrivadaControl provides the consumer
component of Privada's services, and is distributed to end-users by network
service providers. Users create an online identity that cannot be linked to
their real-world identity, allowing them to browse the Internet with the level
of privacy they choose while still reaping the benefits of personalized
content. PrivadaControl is built entirely in the Java(TM) programming language
and runs completely in a Java Virtual Machine.
For discussion of other forms of protection, see Privacy in eCommerce.
Question 3:
Where can you find great links to security matters in computing?
Answer 3:
Try Yahoo's links at http://dir.yahoo.com/Computers_and_Internet/Internet/World_Wide_Web/Security_and_Encryption/
- DomiLock - online Lotus Domino security scanner.
- DShield - provides a platform for users of firewalls to share intrusion information.
- IDzap.com - offers secure and anonymous web browsing products.
- KeyNote Trust Management System - unified approach to specifying and interpreting security policies, credentials, and relationships, allowing direct authorization of security-critical actions.
- Netscape Security
- Publius Censorship Resistant Publishing System - Web publishing system that is highly resistant to censorship and provides publishers with a high degree of anonymity, developed by researchers at AT&T Labs.
- Secure Sockets Layer (SSL) Protocol
- Shields Up - Internet connection security analysis utility for Windows users.
- Shockwave Security Alert - details potential security holes created by Shockwave and solutions for them.
- Trust Management on the World Wide Web - paper describing the philosophy for codifying, analyzing, and managing trust decisions by Rohit Khare and Adam Rifkin.
- Twenty Most Critical Internet Security Vulnerabilities, The - based on consensus from security experts at the SANS Institute, grouped into three categories: general, Windows, and Unix vulnerabilities.
- FAQ - World Wide Web Security
Question 4:
It is extremely dangerous to open email attachments. However, is it
dangerous to open an email message without opening any attachments?
Answer 4:
Generally the answer is no. However, it is a bit more complicated than
this. The following is stated at http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q11
For many years the
answer to this question was a resounding no and that is largely the
case now as well. There are a series of hoax chain letters that are seemingly
endlessly circulating around the globe. A typical letter is the "Good
Times" hoax. It will warn you that if you see an e-mail with a subject
line that contains the phrase "Good Times" you should delete it
immediately because the very fact of opening it will activate a virus that
will do damage to your hard disk. The letter will encourage you to send this
warning to your friends.
The "Good
Times" hoax, and many like it, are simply not true. However there are
enough people who believe these hoaxes that the messages are endlessly
forwarded and reforwarded. If you get a letter like this one, simply delete
it. Do not forward it to your friends, and please do not forward it to any
mailing lists. If you are uncertain whether the letter is a hoax, refer it to
your system administrator or network security officer.
Just to make life
complicated, however, there are some cases in which the simple act of opening
an e-mail message can damage your system. The newer generation of
e-mail readers, including the one built into Netscape Communicator, Microsoft
Outlook Express, and Qualcomm Eudora all allow e-mail attachments to contain
"active content" such as ActiveX controls or JavaScript programs. As
explained in the JavaScript and in the ActiveX
sections, active content provides a variety of backdoors that can
violate your privacy or perhaps inflict more serious harm. Until the various
problems are shaken out of JavaScript and ActiveX, enclosures that might
contain active content should be opened cautiously. This includes HTML pages
and links to HTML pages. Disabling JavaScript and ActiveX will immunize you to
potential problems.
In addition, there
are other cases where e-mail messages can be harmful to your health. In the
summer of 1998, a number of programming blunders were discovered in e-mail
readers from Qualcomm, Netscape and Microsoft. These blunders (which involved
overflowing static buffers) allowed a carefully crafted e-mail message to
crash your computer or damage its contents. No actual cases of damage arising
from these holes have been described, but if you are cautious you should
upgrade to a fixed version of your e-mail reader. More details can be found at
the vendors' security pages:
- Microsoft - http://www.microsoft.com/security/bulletins/
- Netscape - http://www.netscape.com/products/security/
- Qualcomm - http://eudora.qualcomm.com/security.html
Finally, don't forget
that some documents do carry viruses. For example, Microsoft Word, Excel and
PowerPoint all support macro languages that have been used to write viruses.
Naturally enough, if you use any of these programs and receive an e-mail
message that contains one of these documents as an enclosure, your system may
be infected when you open that enclosure. An up-to-date virus checking program
will usually catch these viruses before they can attack. Some virus checkers
that recognize macro viruses include:
- McAfee VirusScan - http://www.mcafee.com/
- Symantec AntiVirus - http://www.symantec.com/
- Norton AntiVirus - http://www.symantec.com/
- Virex - http://www.datawatch.com/virex.shtml
- IBM AntiVirus - http://www.av.ibm.com/
- Dr. Solomon's Anti-Virus - http://www.drsolomon.com/
Question 5:
How can I safely open up email attachments?
Answer 5:
One way is to save the attachment to a floppy disk or some other storage disk
that can be accessed by more than one of your computers. Then open the
attachment on the computer you would least mind losing to a virus
infection. Even that computer, however, should have the latest updated
version of one of the virus detection programs listed above.
You can avoid macro virus damage (which is the most
common type of danger when opening email attachments) by installing QuickView
Plus from JASC. The good news is that you are totally safe from macro
viruses. The bad news is that QuickView Plus does not provide full
functionality apart from displaying the text and graphics. For example,
QuickView Plus will not run the macros that may be an integral part of an Excel
program. To read more about QuickView Plus, go to http://www.jasc.com/
Especially note the Stein and Stewart FAQ site at http://www.w3.org/Security/Faq/www-security-faq.html
CONTENTS
- Introduction
- What's New? Recent versions of the FAQ.
  - Version 3.0.1, June 22, 2001
    - Added information on the MIME Headers, cache content flaw, and certificate validation in Internet Explorer 5.5.
    - Added information on the e-mail tapping in Netscape 6.
    - Added information on the Brown Orifice vulnerability in Netscape 4.0-4.74.
    - Added new section on Active Content Protection
  - Version 2.0.1, March 24, 2000
- General Questions
  - Q1: What's to worry about?
  - Q2: Exactly what security risks are we talking about?
  - Q3: Are some Web servers and operating systems more secure than others?
  - Q4: Are some Web server software programs more secure than others?
  - Q5: Are CGI scripts insecure?
  - Q6: Are server-side includes insecure?
  - Q7: What general security precautions should I take?
  - Q8: Where can I learn more about network security?
- Client Side Security
  - Q1: How do I turn off the "You are submitting the contents of a form insecurely" message in Netscape? Should I worry about it?
  - Q2: How secure is the encryption used by SSL?
  - Q3: When I try to view a secure page, the browser complains that the site certificate doesn't match the server and asks me if I wish to continue. Should I?
  - Q4: When I try to view a secure page, the browser complains that it doesn't recognize the authority that signed its certificate and asks me if I want to continue. Should I?
  - Q5: How private are my requests for Web documents?
  - Q6: What's the difference between Java and JavaScript?
  - Q7: Are there any known security holes in Java?
  - Q8: Are there any known security holes in JavaScript?
  - Q9: What is ActiveX? Does it pose any risks?
  - Q10: Do "Cookies" Pose any Security Risks?
  - Q11: I hear there's an e-mail message making the rounds that can trash my hard disk when I open it. Is this true?
  - Q12: Can one Web site hijack another's content?
  - Q13: Can my web browser reveal my LAN login name and password?
  - Q14: Are there any known problems with Microsoft Internet Explorer?
  - Q15: Are there any known problems with Netscape Communicator?
  - Q16: Are there any known problems with Lynx for Unix?
  - Q17: Someone suggested I configure /bin/csh as a viewer for documents of type application/x-csh. Is this a good idea?
  - Q18: Is there anything else I should keep in mind regarding external viewers?
- Server Side Security
  - General
    - Q1: How do I set the file permissions of my server and document roots?
    - Q2: I'm running a server that provides a whole bunch of optional features. Are any of them security risks?
    - Q3: I heard that running the server as "root" is a bad idea. Is this true?
    - Q4: I want to share the same document tree between my ftp and Web servers. Is there any problem with this idea?
    - Q5: Can I make my site completely safe by running the server in a "chroot" environment?
    - Q6: My local network runs behind a firewall. How can I use it to increase my Web site's security?
    - Q7: My local network runs behind a firewall. How can I get around it to give the rest of the world access to the Web server?
    - Q8: How can I detect if my site's been broken into?
  - Windows NT Servers
    - Q9: Are there any known problems with the Netscape Servers?
    - Q10: Are there any known problems with the WebSite Server?
    - Q11: Are there any known problems with Purveyor?
    - Q12: Are there any known problems with Microsoft IIS?
    - Q13: Are there any known security problems with Sun Microsystem's JavaWebServer?
    - Q14: Are there any known security problems with the MetaInfo MetaWeb Server?
  - Unix Servers
    - Q15: Are there any known problems with NCSA httpd?
    - Q16: Are there any known problems with Apache httpd?
    - Q17: Are there any known problems with the Netscape Servers?
    - Q18: Are there any known problems with the Lotus Domino Go Server?
    - Q19: Are there any known problems with the WN Server?
  - Macintosh Servers
    - Q20: Are there any known problems with WebStar?
    - Q21: Are there any known problems with MacHTTP?
    - Q22: Are there any known problems with Quid Pro Quo?
  - Other Servers
    - Q23: Are there any known problems with Novell WebServer?
  - Server Logs and Privacy
    - Q24: What information do readers reveal that they might want to keep private?
    - Q25: Do I need to respect my readers' privacy?
    - Q26: How do I avoid collecting too much information?
    - Q27: How do I protect my readers' privacy?
- CGI Scripts
  - General
    - Q1: What's the problem with CGI scripts?
    - Q2: Is it better to store scripts in the cgi-bin directory or to identify them using the .cgi extension?
    - Q3: Are compiled languages such as C safer than interpreted languages like Perl and shell scripts?
    - Q4: I found a great CGI script on the Web and I want to install it. How can I tell if it's safe?
    - Q5: What CGI scripts are known to contain security holes?
  - Language Independent Issues
    - Q6: I'm developing custom CGI scripts. What unsafe practices should I avoid?
    - Q7: But if I avoid eval(), exec(), popen() and system(), how can I create an interface to my database/search engine/graphics package?
    - Q8: Is it safe to rely on the PATH environment variable to locate external programs?
    - Q9: I hear there's a package called cgiwrap that makes CGI scripts safe?
    - Q10: People can only use scripts if they're accessed from a form that lives on my local system, right?
    - Q11: Can people see or change the values in "hidden" form variables?
    - Q12: Is using the "POST" method for submitting forms more private than "GET"?
    - Q13: Where can I learn more about safe CGI scripting?
  - Safe Scripting in Perl
    - Q14: How do I avoid passing user variables through a shell when calling exec() and system()?
    - Q15: What are Perl taint checks? How do I turn them on?
    - Q16: OK, I turned on taint checks like you said. Now my script dies with the message: "Insecure path at line XX" every time I try to run it!
    - Q17: How do I "untaint" a variable?
    - Q18: I'm removing shell metacharacters from the variable, but Perl still thinks it's tainted!
    - Q19: Is it true that the pattern matching operation $foo=~/$user_variable/ is unsafe?
    - Q20: My CGI script needs more privileges than it's getting as user "nobody". How do I run a Perl script as suid?
- Protecting Confidential Documents at Your Site
  - Q1: What types of access restrictions are available?
  - Q2: How safe is restriction by IP address or domain name?
  - Q3: How safe is restriction by user name and password?
  - Q4: What is user verification?
  - Q5: How do I restrict access to documents by the IP address or domain name of the remote browser?
  - Q6: How do I add new users and passwords?
  - Q7: Isn't there a CGI script to allow users to change their passwords online?
  - Q8: Using .htaccess to control access in individual directories is so convenient, why should I use access.conf?
  - Q9: How does encryption work?
  - Q10: What are: SSL, SHTTP, Shen?
  - Q11: Are there any "freeware" secure servers?
  - Q12: Can I use Personal Certificates to Control Server Access?
  - Q13: How do I accept credit card orders over the Web?
  - Q14: What are: CyberCash, SET, Open Market?
- Denial of Service Attacks
  - Overview
    - Q1: What is a Denial of Service attack?
    - Q2: What is a Distributed Denial of Service attack?
    - Q3: How is a DDoS executed against a website?
    - Q4: Is there a quick and easy way to secure against a DDoS attack?
    - Q5: Can the U.S. Government make a difference?
  - Step-by-Step
    - Q6: How do I check my servers to see if they are active DDoS hosts?
    - Q7: What should I do if I find a DDoS host program on my server?
    - Q8: How can I prevent my servers from being used as DDoS hosts in the future?
    - Q9: How can I prevent my personal computer from being used as a DDoS host?
    - Q10: What is a "smurf attack" and how do I defend against it?
    - Q11: What is "trinoo" and how do I defend against it?
    - Q12: What are "Tribal Flood Network" and "TFN2K" and how do I defend against them?
    - Q13: What is "stacheldraht" and how do I defend against it?
    - Q14: How should I configure my routers, firewalls, and intrusion detection systems against DDoS attacks?
- Bibliography
Corrections and Updates
We welcome bug reports,
updates, reports about broken links, comments and outright disagreements.
Please send your comments to lstein@cshl.org
and/or jns@digitalisland.net.
Please make sure that you are referring to the most recent version of the
FAQ (maintained at http://www.w3.org/Security/Faq/);
someone else might have caught the problem before you.
Please understand that we
maintain the FAQ on a purely voluntary basis, and that we may fall behind
on making updates when other responsibilities intrude. You can help us out
by making an attempt to identify replacement links when reporting a broken
one, and by suggesting appropriate rewording when you have found an error
in the text. Suggestions for new questions and answers are welcomed,
particularly if you are willing to contribute the text yourself.
What are the weapons of "information warfare?"
See at http://www.student.seas.gwu.edu/~reto/infowar/info-war.html
Also see denial of service attacks at http://www.w3.org/Security/Faq/wwwsf6.html
After four years
of haggling over the language, several countries including the United States
will sign a cybercrime treaty --- http://www.wired.com/news/politics/0,1283,48556,00.html
6:57 a.m. Nov. 21, 2001 PST
BUDAPEST -- A European convention to
be signed Friday will unite countries in the fight against computer criminals,
who have moved on from "innocent" hacking to fraud, embezzlement and
life-threatening felonies.
Interior ministers and law
enforcement officials from Europe, South Africa, Canada, the United States and
Japan will sign the milestone cybercrime convention, which has taken four
years to draft, in the Hungarian capital.
"Realistically, we can expect
some 30 countries to sign the convention," a Council of Europe official
told Reuters. "And this is a major achievement, given that many
conventions are signed by 10 to 20 countries at best."
The official said many people still
see computer hacking and other electronic crimes as mainly a moral issue,
without realizing the associated material damage and risk to life.
"There was a recent case when
someone took control of the computer system at a small U.S. airport and
switched off the landing lights," the official said. "This could
have killed many people."
Complaints
involving the Internet crack the top 10 for the first time in a survey conducted
by two major consumer advocacy groups --- http://www.wired.com/news/business/0,1367,48520,00.html
Associated Press 2:35 p.m. Nov. 19,
2001 PST
WASHINGTON --
Internet shopping and services have become a leading source of consumer
complaints, joining grievances about auto repair and telemarketing, a survey
finds.
Problems with auto
sales and household goods shared the top spot in the annual list of consumer
complaints released Monday by the National Association of Consumer Agency
Administrators and the Consumer Federation of America. Those categories ranked
second and third, respectively, in 1999 and have been in the top five since
1997.
Consumer complaints
involving the Internet broke into the top 10 for the first time, sharing
eighth place with grievances about mail order shopping, telemarketing and
problems between landlords and tenants.
The most common
Internet complaints involved online purchases and auctions, according to
reports from 45 federal, state and local consumer agencies who participated in
the survey. The third most common type of Internet complaint involved service
providers.
"People don't
always get what they order over the Internet and sometimes they don't get
anything at all," said Wendy Weinberg, executive director of the NACAA.
"While there are many benefits to shopping over the Internet, consumers
need to be aware of the risks."
She recommended that
consumers use credit cards when shopping online, keep records of all
transactions and vary passwords among different websites.
The number of
Internet-related complaints has been surging for the last two years, Weinberg
said.
During the 1999
holiday season, many Internet sellers claimed they could ship extremely
quickly, but some failed to meet their promises. The Federal Trade Commission
fined companies more than $1.5 million in civil penalties.
The situation
improved last year, but the FTC said Monday it had sent warning letters to
more than 70 Internet retailers reminding them to live up to their claims.
"There's a lot
more consumers being impacted because there are simply more people shopping
online," said Harris Miller, president of the Information Technology
Association of America, a trade group. He said industry has to work to educate
consumers about Internet shopping.
"There are some
bad actors out there who prey on consumers and want to take advantage of the
excitement of buying online," Miller said. "Consumers have to be
smarter and have to go with reputable websites."
The categories
generating the most complaints in 2000 were auto sales and household goods,
which includes appliances, furniture, electronics and other retail items.
Complaints about
household goods involved defective merchandise, deceptive advertising and
failure to honor warranties or provide refunds.
Many of the
complaints with auto sales involved financing deals. Some consumers complained
they would take home a car with a good financing rate only to later get a call
from the dealer saying they have to return the car because they didn't qualify
for the rate.
The category of home
improvement services fell from first place on the list in 1999 to third, but
the survey ranked it as the type of business most likely to fail and reopen
under another name. Furniture stores and health studios were also types of
companies most likely to go out of business.
"Consumers need
to check out the company before they make any payments to business in these
industries," Weinberg said. "Consumers can lose large amounts of
money if a company that they are doing business with closes

One of the most significant and controversial professional practice areas is the
one into which Bob Elliott led the accounting profession: its new Song of SysTrust. I don't know if all
accountants have noticed the monumental and highly controversial change in
attestation services being proposed by the AICPA and the CICA for the public
accounting profession. Most certainly the lyrics are not familiar to
non-accountants other than attorneys who, while dancing in their briefs, have
difficulty containing their enthusiasm for this new Anthem of the Auditors.
This is the first major shift of the accounting profession into the
attestation of complete information services. Financial audits may
eventually be but a small part of the total attestation and assurance service
symphony of services. The proposed new "accounting"-firm service
is called SysTrust at http://www.aicpa.org/assurance/systrust/index.htm
.
Probably the best summary of SysTrust to date
is "Reporting on Systems Reliability,"
by Efrim Boritz, Erin Mackler, and Doug McPhie in the Journal of Accountancy,
November 1999, pp. 75-87. The online version is at http://www.aicpa.org/pubs/jofa/nov1999/boritz.html.
(It might be noted that both Boritz and McPhie are from Canada --- SysTrust is a
joint venture with the Canadian Institute of Chartered Accountants and the AICPA
in the U.S.)
How can you protect confidential documents at
your Website?
Answer: See http://www.w3.org/Security/Faq/wwwsf5.html#Q14
Privacy in eCommerce
"Playboy says hacker stole
customer info," by Greg Sandoval and Robert Lemos, C|Net News Com, November
20, 2001 --- http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd
Playboy.com has
alerted customers that an intruder broke into its Web site and obtained some
customer information, including credit card numbers.
The online unit of
the nearly 50-year-old men's magazine said in an e-mail to customers that it
believed a hacker accessed "a portion" of Playboy.com's computer
systems. In the e-mail, a copy of which was reviewed by CNET News.com,
Playboy.com President Larry Lux did not disclose how many customers might have
been affected.
Playboy.com
encouraged customers to contact their credit card companies to check for
unauthorized charges. New York-based Playboy.com also said it reported the
incident to law enforcement officials and hired a security expert to audit its
computer systems and analyze the incident.
Continued at http://news.cnet.com/news/0-1007-200-7932825.html?tag=mn_hd
For a brief period, Ziff Davis published the personal information -- including
credit card numbers -- of thousands of its subscribers on the Web. --- http://www.wired.com/news/ebiz/0,1272,48525,1162b6a.html
"A Tell-All ZD Would Rather Ignore," by Declan McCullagh, Wired
News, November 20, 2001
Because Ziff Davis' 1.3-MB text file included names,
mailing addresses, e-mail addresses and in some cases credit card numbers, a
thief who downloaded it would have enough information to make fraudulent
mail-order purchases. An executive at one New York magazine firm called the
error "a bush-league mistake for a major online publisher."
Zane said Ziff Davis relies on EDS
and Omeda database technology to protect
subscriber information. He refused to provide details, except to say that
"we were doing a promotion not using the EDS and Omeda products."
In interviews, two people who appeared on the Ziff
Davis list said they had typed in their information when responding to a
promotion for Electronic Gaming Monthly.
"I went to the site and signed up for the free
year, but did not sign up for the second year, which was not free," said
Jerry Leon of Spokane, Washington, whose Visa number and expiration date
appeared in the file. "I get the feeling that this was one huge scam, but
that card is now dead, and any charges made on it will be refused."
"If it was just a stupid accident, they are
going to regret failing a community that worries about this stuff ever
happening, but if something less innocent has occurred, they may as well fold
the tents," said Leon, who signed up through AnandTech's hot
deals forum.
Rob Robinson, whose address information -- but not
credit card number -- was on display, says he subscribed to Electronic
Gaming Monthly through a promotion on ebgames.com.
"I'm annoyed that my home info as well as a
valid e-mail is available to anyone. That's quite a valuable list of gamers'
personal data up for grabs. I feel really bad for the poor folks who are going
to have to cancel their credit cards," Robinson said.
It's not clear whether Electronic Gaming
Monthly subscribers were the only ones affected by the security snafu,
and Ziff Davis refused to provide details. The file appeared at the address http://www.zdmcirc.com/formcollect/ebxbegamfile.dat
until around noon EST on Monday.
That address began circulating around Home
Theater Forum discussion groups over the weekend, and Ziff Davis at first
erased the contents of the database at around 9 a.m. EST Monday. But its
system continued to add new subscribers to the public file until Ziff Davis
administrators blocked access to that address around midday Monday.
"Every week we learn of new cases where
companies used insecure technology or unsecure servers to handle business that
utilizes financial information or customer information," says Jericho,
who edits the security news site attrition.org.
"In the rush to be e-appealing for e-business they e-screw up time and
time again."
Jericho has compiled
a list of miscreant firms whose shoddy security practices have exposed
customer information. The hall of shame includes notables such as Amazon,
Gateway, Hotmail and Verizon.
Ziff Davis Media publishes 11 print magazines. It is
a separate company from ZDNet, which is
owned by CNET Networks.
Privacy in eCommerce: Personal
Certificates
For discussion of cookies and how to Surf the Web anonymously, see Cookies.
For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12
What is WebTrust? What are its
major competitors?
Hint: See the following:
-
Question:
What makes WebTrust more "trusted" vis-a-vis its competitors (aside
from being CPA or CICA firms)?
Answer:
WebTrust is the only service that requires random site visits by independent
CPA firms to spot check if privacy policies are being adhered to by the
WebTrust client.
Truste Network Authentication Security in Question
Even one of the originators of the Internet's wannabe consumer seal --
ubiquitous technologist Esther Dyson -- is disappointed in the way the service
has panned out.
"Just How Trusty Is Truste?," by Paul Boutin, Wired News, April 10,
2002 --- http://www.wired.com/news/exec/0,1370,51624,00.html
Enron had Arthur Andersen. Yahoo has Truste, the
nonprofit privacy organization whose seal of approval is designed to assuage
consumer fears about giving personal information to websites.
But Yahoo's recent announcement of sweeping changes
in the way it will use customer data collected under previous policies has
many calling Truste's seal as meaningless as an Andersen audit.
Even Esther Dyson, the high-profile technologist
who played a major role in Truste's launch five years ago, says she is
"disappointed in what ended up becoming of it."
By its own account, Truste was conceived at Dyson's
industry-leading PC Forum conference in 1996. Dyson credits others with the
concept, but she pushed both publicly and privately for the establishment of
the nonprofit company and adoption of its "trustmark," which
certifies that online companies comply with their own stated privacy
policies.
Truste makes no attempt to set privacy policies. It
merely ensures that companies clearly state their own rules for handling
customer data, and then adhere to them.
"We thought disclosure would be enough,"
Dyson said.
Web surfers, her reasoning went, would read the
various companies' policies themselves and make their own choices, letting
companies use privacy policies as a competitive differentiator. Truste's
seal would simply ensure that the policy was being followed, so that
"between two sites I've never heard of, I'd rather pick the one that
has the Truste logo," she explained.
But over the years, a series of Truste clients have
managed to violate the spirit, if not the letter, of their Truste-approved
policies.
Rather than revoking seals left and right, Truste
officials often seemed to be covering for their clients -- explaining, in
one case, that a Real Networks media player which reported users' video
selections back to Real headquarters in Seattle was "outside of the
scope of Truste's current privacy seal."
Their reasoning: The program uploaded data not to
Real's website, but to a nearby set of servers.
"That symbol is meaningless, because of the
number of institutions it has been associated with and the things they've
gotten away with," said Yahoo user Jenifer Jenkins, who claims she
stopped using Yahoo mail and other services last week after learning of the
company's policy changes. "If (Yahoo) wants to be the first place
people go on the Internet, they need to clean up their act."
Dyson agreed that, despite being co-founded by
outspoken privacy advocates the Electronic Frontier Foundation, Truste's
image has slipped from consumer advocate to corporate apologist. "The
board ended up being a little too corporate, and didn't have any moral
courage," she said.
"Clearly, if you're hostile all the time
you're not very effective. But you have to have the moral courage to say,
'This is wrong, even if it's not in our contract.'"
Truste executive director Fran Maier argued that in
Yahoo's case, critics don't recognize how much work her organization did to
keep the megaportal in line -- not only with its own policy, but with
generally acceptable behavior. "I can't tell you all the things they
wanted to do, but believe me, we were there," she said.
"We reviewed a number of proposed changes,
some of which were made, some weren't," she added. "It went
through the highest level of oversight at Truste. Before they can launch or
relaunch something with our seal on it, they have to deal with our
review."
Continued at http://www.wired.com/news/exec/0,1370,51624,00.html
Question: What is the most
popular and less costly privacy seal alternative relative to WebTrust?
Answer: The Better Business
Bureau --- http://www.bbbonline.org/privacy/index.asp

Of the many challenges facing the Internet,
privacy has risen above them all as the number one concern (and barrier)
voiced by web users when going online. Participants in the BBBOnLine Privacy
Program are addressing this concern head-on with responsive and effective
self-regulation. By subscribing to responsible information practices,
BBBOnLine Privacy participants are promoting the vital trust and confidence
necessary for their own and future success of the Internet.
Taking advantage of the significant expertise the
Council of Better Business Bureaus wields in self-regulation and dispute
resolution, the BBBOnLine Privacy Program features verification, monitoring
and review, consumer dispute resolution, a compliance seal, enforcement
mechanisms and an educational component. The BBBOnLine Privacy Program
offers consumers a user-friendly tool that helps increase their comfort
while on the Internet and is a reasonably priced and a simple, one-stop,
non-intrusive way for business to demonstrate compliance with credible
online privacy
Question on Website (Provider)
Authentication
How can you find out that you are not at a phony site that pretends to be
legitimate?
Answer:
Look for a logo verification seal at the site. Although the AICPA's
WebTrust seal is primarily a Web privacy seal (credit card information, medical
information, etc.), the WebTrust seal is also a seal that assures users that the
site is not a phony imitation of a real site --- http://www.aicpa.org/assurance/webtrust/princip.htm
The WebTrust privacy and logo verification seal contains the following image on
a document (the image below is for illustration only and is not valid on Bob
Jensen's Web documents).

A less costly logo verification seal is the VeriSign seal if it appears
on a document (the image below is for illustration only and is not valid on Bob
Jensen's Web documents).

"VeriSign Delivers Protections for Digital CPA Documents," by Wayne
Harding, Journal of Accountancy, May 2002 --- http://www.aicpa.org/pubs/jofa/may2002/cpa2biz.htm
CPA2Biz, the AICPA, and VeriSign are now offering
Authentic Document Service to CPAs. Through the use of Authentic Document IDs
CPAs can notarize electronic documents. This notarization prevents any changes—
a paragraph being deleted, a sentence added, even a space changed.
VeriSign --- http://www.verisign.com/
Get VeriSign's free white paper at https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=0714&toc=w093325300714000&email=
.
Learn From the Experts VeriSign's Training Courses
cover all areas of enterprise security including Firewalls, PKI, VPNs, Applied
Hacking, and Web Security. Our small classes, hands-on labs, and world-class
instructors ensure the highest level of security for your networks. Download
our FREE White Paper, "VeriSign Internet Security Education: E-Commerce
Survival Training" outlining the benefits of security education.

The Better Business Bureau (BBB): Another Source of Website (Provider)
Authentication --- http://www.bbb.org/
Although the BBB is best known as a place where consumers and businesses can
file complaints about unethical, deceptive, and illegal commerce and charitable
practices, the BBB also provides an Internet seal of Website (Provider)
Authentication.

Reliability Seal Program --- http://www.bbbonline.org/reliability/index.asp
Helping Web users find reliable, trustworthy businesses online, and helping
reliable businesses identify themselves as such, through a voluntary
self-regulatory program that promotes consumer trust and confidence on the
Internet.
Privacy Seal Program
--- http://www.bbbonline.org/privacy/index.asp
Helping Web users identify companies that stand behind their privacy policies
and have met the program requirements of notice, choice, access and security in
the use of personally identifiable information.
For a general discussion of personal certificates, see http://www.w3.org/Security/Faq/wwwsf5.html#CON-Q12
Advantages of and risks of cookies ---
see Cookies.
What is user authentication?
Answer: See Question 4 at http://www.w3.org/Security/Faq/wwwsf5.html#Q14
User verification is any system
for determining, and verifying, the identity of a remote user. User name
and password is a simple form of user authentication. Public key cryptographic
systems, described below, provide a more sophisticated form of authentication that
uses an unforgeable electronic signature.
Continued at http://www.w3.org/Security/Faq/wwwsf5.html#Q14
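The two ideas above, the VeriSign/CPA2Biz document notarization that detects even a changed space and the "unforgeable electronic signature" form of user authentication in the W3C FAQ, as one added example written for this page (not VeriSign's, CPA2Biz's or the W3C's code): a hypothetical notary signs a document's SHA-256 digest with Ed25519, and a user proves identity by signing a fresh server nonce. The token layout, the key pairs, the context string and the sample document text are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// NotaryToken is a hypothetical "Authentic Document ID": the notary's
// signature over the document's SHA-256 digest and the time of issue.
type NotaryToken struct {
	Digest   [32]byte
	IssuedAt int64 // Unix seconds
	Sig      []byte
}

// tokenPayload is the exact byte string the notary signs: digest || issuedAt.
func tokenPayload(digest [32]byte, issuedAt int64) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(issuedAt))
	return append(digest[:], ts[:]...)
}

// Notarize signs the digest of doc with the notary's private key. The notary
// never needs the CPA's private key; it only vouches for the bytes it saw.
func Notarize(notaryKey ed25519.PrivateKey, doc []byte, issuedAt int64) NotaryToken {
	d := sha256.Sum256(doc)
	return NotaryToken{Digest: d, IssuedAt: issuedAt,
		Sig: ed25519.Sign(notaryKey, tokenPayload(d, issuedAt))}
}

// VerifyNotarized checks the notary's signature first and then that doc hashes
// to the notarized digest. Deleting a paragraph, adding a sentence or changing
// one space gives a different digest, so the second check fails.
func VerifyNotarized(notaryPub ed25519.PublicKey, doc []byte, tok NotaryToken) error {
	if !ed25519.Verify(notaryPub, tokenPayload(tok.Digest, tok.IssuedAt), tok.Sig) {
		return errors.New("token was not issued by this notary")
	}
	if sha256.Sum256(doc) != tok.Digest {
		return errors.New("document differs from the notarized version")
	}
	return nil
}

// Challenge-response user authentication: the server sends a fresh random
// nonce and the user signs it, proving possession of the private key without
// ever sending a reusable secret such as a password.
// authContext (assumed) separates auth signatures from notary tokens so one
// cannot be replayed as the other.
const authContext = "user-auth-v1:"

func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

func AnswerChallenge(userKey ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(userKey, append([]byte(authContext), nonce...))
}

func CheckAnswer(userPub ed25519.PublicKey, nonce, answer []byte) bool {
	return ed25519.Verify(userPub, append([]byte(authContext), nonce...), answer)
}

func main() {
	notaryPub, notaryKey, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("Audit opinion: the financial statements present fairly.") // constructed sample
	tok := Notarize(notaryKey, doc, time.Now().Unix())
	fmt.Println("original:", VerifyNotarized(notaryPub, doc, tok))
	tampered := []byte("Audit opinion:  the financial statements present fairly.") // one extra space
	fmt.Println("tampered:", VerifyNotarized(notaryPub, tampered, tok))

	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	nonce, _ := NewChallenge()
	answer := AnswerChallenge(userKey, nonce)
	fmt.Println("user authenticated:", CheckAnswer(userPub, nonce, answer))
	later, _ := NewChallenge() // a captured answer is useless against the next nonce
	fmt.Println("replayed answer accepted:", CheckAnswer(userPub, later, answer))
}
```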
What Dollar Rental Car Company now
requires from persons who rent cars might be extended to people who conduct
transactions on Websites. Dollar Rent A Car is currently making customers
give a thumbprint before they give them the keys, another example of biometrics
being used for ID purposes.
"No Thumbprint, No Rental
Car," by Julia Scheeres, Wired News, November 21, 2001 --- http://www.wired.com/news/privacy/0,1848,48552,00.html
For more discussion of the
above issues, go to the document entitled "Opportunities of
E-Business Assurance: Risks in Assuring Risk" at http://faculty.trinity.edu/rjensen/ecommerce/assurance.htm
My other electronic
Business links are at http://faculty.trinity.edu/rjensen/ecommerce.htm
Crime and Justice Data Online --- BJS http://149.101.22.40/dataonline/
"Ten Ways to Reduce Chargebacks and Fraud" --- http://www.newmedia.com/default.asp?articleID=3443
Merchants' concern about online credit card fraud and chargebacks is
rising at a significant rate. According to the 2001 Online Fraud Report
conducted by Mindwave Research, 41 percent of merchants say the issue of online
credit card fraud is "very serious" to their business.
Bob Jensen's threads on fraud are at
http://faculty.trinity.edu/rjensen/fraud.htm
Bob Jensen's e-Commerce threads are
at http://faculty.trinity.edu/rjensen/ecommerce.htm
Threads on Firewalls
Note that firewalls are not generally
intended to protect against viruses. They protect against invasion of the
computer by hackers intent on doing bad things such as creating entry trap doors
into your systems. For more information on firewalls, go to http://www.w3.org/Security/Faq/wwwsf3.html#SVR-Q6
Zone Alarm --- http://www.zone-alarm-pro.com/
Chula King wrote the following in reply to a question posed by Amy Dunbar
about installing a firewall on a home computer:
I too use Zone Alarm,
and have been quite pleased with it. I've also tried Black Ice Defender and
don't think that it does nearly as good a job as Zone Alarm.
While not anti virus
software, Zone Alarm will quarantine "suspicious" e-mail
attachments. In addition, it blocks both incoming scans to one's computer and
outgoing messages produced by spyware.
Chula King
The University of West Florida
Reply from Amelia Baldwin
Amy,
as for hacking and
such, another vote for zonealarm on your cable internet enabled computer. it
is not difficult to use. yes, your cable company probes your IP a few times a
day but that's NOTHING compared to the number of times you will get pinged or
probed or God knows what else by seemingly random attempts from total
strangers. :o( Zonealarm blocks and tracks these things and if you weren't
frightened before you put up a firewall, you will be when you see how many
accesses were going on or at least attempted!
as for anti-virus,
keep an anti-virus program running and keep its virus signatures up to date
(the number of folks who have the software but never update it just astounds
me) and never ever open an email attachment that you are not expecting even if
it IS from someone you know. some viruses send seemingly random attachments
via the email software of the infected computer to folks on the address list,
thus you might actually receive what looks like a legitimate attachment from a
known user and it will have a virus.
just my $0.02
Amelia
Reply from Bill Spinks
If you have a high
speed continuous connection, you need a firewall! (ZoneAlarm is free and
pretty good). I monitor my log of blocked hits and probably get 10 or 15 a day
during the week and 20 to 30 on weekend days. Interestingly enough when I
have checked the reverse address of those URLs that are trying to connect with
my computer, a large number of them are from China, Korea, and Taiwan -- some
have even come from middleschool computers (or so it is reported on http://samspade.org
.)
If like stamp
collectors you like to travel the world in symbolic form, you can report your
"intrusion" back to the tech supervisor of those sites. Sometimes
you hear, most times you don't, but it makes for some interesting
correspondence from interesting places.
billspinks
You can read some Zone Alarm reviews
at
http://www.epinions.com/cmsw-Utilities-All-Zone_Alarm/display_~reviews
Reply from Brian Zwicker
In the Untouchables,
Sean Connery said something like: "... never bring a knife to a
gunfight" (I have removed the ethnic/racial slur)
Faced with the same
incredibly high number of approaches to my home computer setup, I decided to
bypass emulating a firewall, and go for the real thing - a firewall.
It turns out not to
be very expensive, because I used an older Pentium 2 computer I had in the
basement, a couple of ethernet cards, and some software from gnatbox. The
computer, by the way, boots and runs from a floppy disk! You do not even need a
dedicated monitor, except for setting up. The whole system now runs from my
desktop computer and you can reset various parameters from there.
Some caveats are that
to do e-mail, I had to obtain the real address of my cable provider's mail
server, because the gnatbox software could not be made to work without this.
It also took a couple of weekends to get everything working. I also don't know
how, or even if, this would work with many educational computer networks.
On the plus side,
since the firewall computer talks to the outside world, and I talk to the
firewall, it seems it would take a verrrry determined hacker to get past this
setup, and although I did have a number of virus problems prior to the
firewall going in, I have had nothing since.
One other thing is
the list that gnatbox will show on demand of attempted accesses to the
firewall. It dumps the older attempts after 12 hours, but the available list
is always many screens long. I would say that if even 99.99% of all attempts
are benign, at least 4 or 5 each week would be a real attempt to get through
in order to damage something. Pretty scary.
Cheers,
Brian Zwicker
"Product Round-up:
Firewalls," Syllabus, February 22, 2002, pp. 40-41 ---
http://www.syllabus.com/syllabusmagazine/article.asp?id=6091
Whether a campus computer network is
large or small, it needs security that blocks unauthorized access and
intrusion. On large networks, the increasing diversification of network
activity—including wireless access, telecommuters, and virtual private
network (VPN) connections—complicates the issue. In order to ensure
security, therefore, it's best to implement various solutions, including
antivirus protection, intrusion detection software, and firewalls.
Firewalls are the front line of
defense, the border guards against unauthorized movements of users into or out
of the network. Firewalls don't analyze messages but instead simply prohibit
access to anything that doesn't meet specified criteria. There are many kinds
of firewall products: personal firewalls, which reside on one specific
computer, as well as enterprise-level network firewalls. Software firewalls
are less expensive and more available than hardware solutions. However,
hardware firewalls are always on and don't interfere with other software
running on the computer. We've surveyed several of the top enterprise firewall
products in this issue, from Microsoft Corp. Windows NT products to Linux and
Apple Computer Inc. Macintosh devices.
For Windows NT
CiscoPIX
The Cisco Systems Inc. Secure PIX 500
series is one of the leading Windows NT firewall products on the market. The
series encompasses five models scaled for a variety of customer needs and
network sizes, from the enterprise market all the way down to the small office
environment. At the enterprise level, the PIX 535 provides a throughput of 1
gigabit/sec with the ability to handle up to 500,000 connections concurrently.
Administrators of a smaller network may prefer the PIX 525, which delivers 370
megabits/sec and 280,000 simultaneous sessions. Each model has built-in IPSec
encryption, allowing both site-to-site and remote access VPN deployments for
off-campus users. Each model features an easy-to-install, integrated
hardware/software appliance that uses a non-UNIX, secure, real-time, embedded
system. The PIX firewalls may be managed by the PIX Configuration Manager or
centrally managed by the Cisco Secure Policy Manager, which can manage up to
500 PIX firewalls, integrated software deployments, and site-to-site VPN
installations. Contact: Cisco Systems, Santa Clara, Calif., (800) 553-NETS, www.cisco.com.
CyberwallPLUS
Designed to protect Windows NT/2000
systems and enterprise computer networks, the Cyberwall system consists of a
central management system (called CyberWallPLUS-CM) and a family of four
firewalls that secure desktops, servers, Internet access, and enterprise
networks. Cyberwall's approach layers a packet filter firewall and packet
inspection with an active intrusion protection system. This combination gives
the administrator fine-grain access control at the host level. CyberwallPLUS
features pre-configured security templates that help administrators install
the product quickly, regardless of their security experience level. The
workstation version of the product also includes the ability to limit or
forbid access to particular applications, such as Napster or Doom. Contact:
Network-1 Security Solutions, Waltham, Mass., (800) NETWRK1, www.network-1.com.
Symantec Enterprise Firewall 6.5
Symantec Corp. Enterprise Firewall
(formerly known as the Raptor firewall) features a unique hybrid architecture
designed to provide transparent firewall protection without slowing approved
traffic. Its support for a broad selection of user authentication methods such
as RADIUS, digital certificates, Lightweight Directory Access Protocol, and NT
domain authentication gives administrators the flexibility to use existing
security databases in the users' environment. Symantec's product is, above
all, flexible. Users can choose between a hardware- or software-based solution
for high availability and load balancing as well as integrated Web and Usenet
content filtering. Developed for the Windows NT/2000 and Sun Microsystems Inc.
Solaris platforms, Symantec touts an intuitive interface and range of
easy-to-use tools for configuring, managing, and maintaining the firewall.
From a central console, administrators can manage security policies for both
local and remote firewalls and obtain a variety of security logs and
management reports. An optional Symantec Enterprise VPN (formerly called the
PowerVPN) can be combined with a personal firewall product and the Symantec
Enterprise Firewall to extend the corporate perimeter to provide secure,
low-cost connectivity for remote offices and telecommuters. Contact: Symantec,
Cupertino, Calif., (408) 517-8000, www.symantec.com.
SonicWALL GX 2500 and 6500
The SonicWALL GX 2500 and 6500
Internet security appliances deliver an integrated security solution,
combining a high-bandwidth firewall and VPN hardware for large enterprise
institutions. With application-specific integrated circuit security
architecture, ICSA-certified packet inspection technology, and the inclusion
of 100 VPN clients for secure connectivity of dial-up users connecting from
off campus, the GX products compete with other firewall packages in this
class. Administrators can manage the GX 2500 or 6500 using a variety of local
and remote options, including CLI, a Web management interface, and Simple
Network Management Protocol. Also included is SonicWALL ViewPoint, a
Web-based, graphical reporting tool for managing and monitoring network
security. For mission-critical security, users can install two SonicWALL GXs,
as primary and secondary appliances, creating a redundant pair. There is even
a built-in redundant power supply. The scalable design accommodates future
upgrades and interface types. The product supports seamless integration of
other SonicWALL security appliances, such as Network Anti-Virus and Internet
Content Filtering, to provide all-in-one security. Contact: SonicWALL,
Sunnyvale, Calif., (888) 222-6563, www.sonicwall.com.
For Mac OS X
DoorStop Server Edition
Open Door Networks sells two products
that work in combination to provide security for Macintosh-based servers. The
first, a firewall called DoorStop Server Edition, includes advanced,
server-specific security features and is specifically intended to run with
such servers as AppleShare IP, WebSTAR, and ShareWay IP Professional. The
second, Who's There Firewall Advisor, works with DoorStop to analyze each
attack. Who's There provides administrators with critical information,
including access attempts by service type and accessor IP address, built-in
information about the most common attacks and their applicability to the
specific Mac OS environment under which Who's There is running, and an
automated "Whois" lookup to determine details of the accessor's
network. The system can also automatically draft an e-mail that can be used to
notify the administrator of the access attempt and provide him or her with
details that may be useful in tracking the attempt. Who's There works with
DoorStop as well as Symantec and IPNetSecurity products for the Macintosh.
Contact: Open Door Networks, Ashland, Ore., (541) 488-4127, www.opendoor.com.
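As an added example for the firewall threads above (not code from ZoneAlarm, gnatbox, any product in the round-up, or any of the posters), here is the rule the Syllabus round-up states, "prohibit access to anything that doesn't meet specified criteria", applied to the home set-up the thread discusses: a default-deny personal firewall in Go that lets only the browser and mail client out, drops every inbound probe including the cable provider's, and keeps the per-source blocked-hit log the posters review. The rule set, the 203.0.113.0/24 provider range and all traffic are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields a packet filter looks at. The filter never
// reads the message body: only direction, source address, port, protocol and,
// for a personal firewall, the local program that sent or would receive it.
type Packet struct {
	Inbound bool
	SrcIP   net.IP
	DstPort int
	Proto   string // "tcp" or "udp"
	Program string // local program on this host; "" when unknown
}

// Rule is one line of filter criteria. Zero values act as wildcards.
type Rule struct {
	Name    string
	Inbound bool
	Proto   string
	DstPort int
	SrcNet  *net.IPNet
	Program string
	Allow   bool
}

func (r Rule) matches(p Packet) bool {
	return r.Inbound == p.Inbound &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort) &&
		(r.SrcNet == nil || r.SrcNet.Contains(p.SrcIP)) &&
		(r.Program == "" || r.Program == p.Program)
}

// Firewall evaluates rules top to bottom and drops anything no rule allows.
type Firewall struct {
	Rules   []Rule
	Blocked []Packet // the "blocked hits" log a home user reviews
}

// Filter returns whether the packet passes and which rule decided it.
func (f *Firewall) Filter(p Packet) (allowed bool, rule string) {
	for _, r := range f.Rules {
		if r.matches(p) {
			if !r.Allow {
				f.Blocked = append(f.Blocked, p)
			}
			return r.Allow, r.Name
		}
	}
	f.Blocked = append(f.Blocked, p) // default deny: unmatched traffic is dropped
	return false, "default-deny"
}

// BlockedBySource counts dropped inbound packets per source address, the
// figure the posters quote (10 to 30 a day) before looking an address up.
func (f *Firewall) BlockedBySource() map[string]int {
	counts := map[string]int{}
	for _, p := range f.Blocked {
		if p.Inbound {
			counts[p.SrcIP.String()]++
		}
	}
	return counts
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// HomeFirewall builds the policy the threads describe: browser and mail may go
// out, nothing else may phone home (spyware), and no inbound connection is
// accepted, the cable provider's probes (assumed range) included.
func HomeFirewall() *Firewall {
	return &Firewall{Rules: []Rule{
		{Name: "browser-web", Proto: "tcp", DstPort: 80, Program: "browser", Allow: true},
		{Name: "browser-tls", Proto: "tcp", DstPort: 443, Program: "browser", Allow: true},
		{Name: "mail-pop3", Proto: "tcp", DstPort: 110, Program: "mail", Allow: true},
		{Name: "mail-smtp", Proto: "tcp", DstPort: 25, Program: "mail", Allow: true},
		{Name: "isp-probe", Inbound: true, SrcNet: mustCIDR("203.0.113.0/24"), Allow: false},
		{Name: "no-spyware-out", Inbound: false, Allow: false},
	}}
}

func main() {
	fw := HomeFirewall()
	traffic := []Packet{ // constructed sample traffic, not from any real log
		{SrcIP: net.ParseIP("192.168.1.2"), DstPort: 80, Proto: "tcp", Program: "browser"},
		{SrcIP: net.ParseIP("192.168.1.2"), DstPort: 80, Proto: "tcp", Program: "spyware.exe"},
		{Inbound: true, SrcIP: net.ParseIP("203.0.113.7"), DstPort: 139, Proto: "tcp"},
		{Inbound: true, SrcIP: net.ParseIP("198.51.100.9"), DstPort: 139, Proto: "tcp"},
		{Inbound: true, SrcIP: net.ParseIP("198.51.100.9"), DstPort: 1433, Proto: "tcp"},
	}
	for _, p := range traffic {
		dir := "out"
		if p.Inbound {
			dir = "in"
		}
		ok, rule := fw.Filter(p)
		fmt.Printf("%-3s %-15s port %-5d allowed=%-5v (%s)\n", dir, p.SrcIP, p.DstPort, ok, rule)
	}
	fmt.Println("blocked inbound hits by source:", fw.BlockedBySource())
}
```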
Two Cases Selected for Presentation and Publication in the AICPA Academic/Practitioner
Case Competition
I also converted the draft of two technology assurance services cases that I
presented (with the help of my co-authors John Howland and Bruce Sidlinger) at
the 1998 AICPA Accounting Educators Conference. The motivation for these cases
was to highlight the dangers of CPA ventures into providing assurance services
for computers and networking systems. The cases were written for my ACCT 5342
Accounting Information Systems students. I would appreciate feedback on this
case from readers who venture to http://faculty.trinity.edu/rjensen/acct5342/262wp/262case1.htm
You can now link to the solutions from the cases
themselves. Also see Jensen, Howland, and Sidlinger solutions at http://www.aicpa.org/members/div/career/edu/caselist.htm#98
.
The AICPA's Assurance Services Website is at http://www.aicpa.org/assurance/index.htm
Return to http://faculty.trinity.edu/rjensen/ecommerce/000start.htm