Network Security
FW: Security In The News - February 5, 2004
- From: Howell, Paul
- Date: Fri Feb 06 08:43:40 2004
Security In The News - LAST UPDATED: 2/5/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Cybercrime-Hacking
- Suspected hacker held over Web site breach - Japan Times, 2/5/04
- CAN-SPAM Doesn't Can Spam - Security Pipeline, 2/4/04
Politics-Legislation
- Lawmakers Push Penalties for False Web Records - Reuters, 2/5/04
- Senator calls for mandatory reporting of viruses - Government Computer News, 2/4/04
- Lawmaker Sees VoIP Classified as Telecom Carrier - Internet News, 2/5/04
Technology
- New Web Services Security Spec Under Way - Internet News, 2/5/04
Vulnerabilities & Exploits
- ISS warns of holes in Check Point firewall, VPN server - Network World Fusion, 2/5/04 (Also - ZDNet, 2/4/04)
- Can Apple Keep the Worms Out? - Business Week, 2/5/04
- Real Player struck by massive security hole - Techworld, 2/5/04
- Spyware cures may cause more harm than good - news.com.com, 2/4/04
- Web applications wide open to hackers - vnunet.com, 2/5/04
Best Practices & Risk Management
- SA schools get security tech boost - IT Web, 2/5/04
Civil & Consumer Issues
- File-Sharing: Who's to Blame? - Wired (AP), 2/4/04
- Courts make users liable for security glitches - Computerworld, 2/4/04
Cybercrime-Hacking
- Title: Suspected hacker held over Web site breach
- Source: Japan Times
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- Kyoto University researcher Kazuho Kawai, 40, has been arrested under
suspicion of stealing personal data on 1,200 individuals from the
Association of Copyright for Computer Software website. According to law
enforcement, Mr. Kawai has cracked the official website of Prime Minister
Junichiro Koizumi as well as other government officials and some companies,
and regularly publishes vulnerability information on his website. Police say
Mr. Kawai obstructed the business of the association by informing it that
he could break into its website, forcing the association to shut it down.
Mr. Kawai says he hacked into the system to let the association know how
vulnerable its system was. Mr. Kawai worked at Kyoto University researching
copyright issues.
- http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20040205a2.htm
- Title: CAN-SPAM Doesn't Can Spam
- Source: Security Pipeline
- Date Written: February 4, 2004
- Date Collected: February 5, 2004
- A month after the federal CAN-SPAM Act went into effect, anti-spam
companies report that the law has had little effect on the amount of spam
they monitor every day. Postini records spam as making up 79% of all e-mail
messages in January 2004 among its 2,000 enterprise customers, down 1% from
the previous month. Brightmail shows a 2% increase to 60% of e-mail received
by its 300 million end-users. Brightmail vice-president Francois Lavaste
notes that the anti-spam legislation is only one part of a larger strategy
which includes user education, revised best practices, and anti-spam
technology. Commtouch notes that many spammers are substituting letters with
other characters, such as '@' for 'a', or '8' for 'B', or misspelling words
to get their spams through filters. Mr. Lavaste notes that spammers have
been using deceptive practices for years, and the law may not have much
effect until it is used to prosecute a major spammer.
- http://www.securitypipeline.com/news/17601914jsessionid=GZLARMRJLAUZ0QSNDBCCKHY
Politics-Legislation
- Title: Lawmakers Push Penalties for False Web Records
- Source: Reuters
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- Representatives Lamar Smith (R-Texas) and Howard Berman (D-California)
have introduced a bill to Congress to increase prison time for
cybercriminals who provide false information when registering a website. An
estimated 10% of the web's 30 million domain names are registered under
false identities, using such data as the fictional "Small Wok Way, Chopstick
Town, WI" mailing address. Rather than outlawing false information in
website registrations, the bill would increase penalties for crimes
committed through such websites. Fines in copyright infringement cases would
be tripled, while felony convictions could have up to seven years added to a
prison sentence. Mr. Berman advocates expanding the bill to make domain name
registrars responsible for the accuracy of their records. Mr. Berman backed
away from criminalizing false registrations altogether, since, as ICANN's
(Internet Corporation for Assigned Names and Numbers) Kathryn Kleiman points
out, anonymity protects free speech.
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4284484
- Title: Senator calls for mandatory reporting of viruses
- Source: Government Computer News
- Date Written: February 4, 2004
- Date Collected: February 5, 2004
- Senator Charles Schumer (D-New York) has criticized the Department of
Homeland Security's (DHS) plan for a National Cyber Alert System to warn
computer users of virus outbreaks, saying it would "challenge computer
hackers all over the world to put a virus into an e-mail that mimics the DHS
e-mail warnings." Mr. Schumer calls for mandatory virus reports when attacks
reach a certain level, managed by DHS's National Cyber Security Division
(NCSD), to be published over secure lines to managers of critical
infrastructures and service providers. Mr. Schumer argued that cyberthreats
are as dangerous as physical threats, and called for the NCSD to function as
the computer equivalent of the Centers for Disease Control.
- http://www.gcn.com/vol1_no1/daily-updates/24843-1.html
- Title: Lawmaker Sees VoIP Classified as Telecom Carrier
- Source: Internet News
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- Representative John Dingell (D-Michigan) warned that the Federal
Communications Commission (FCC) should not rush to recognize VoIP (voice
over Internet protocol) as an information service too quickly. In December
2003, the FCC began proceedings to determine the legal status of VoIP
services--whether they should be taxed and regulated as a telephone service,
or left mostly free of regulation as an information service, like the
Internet. So far, FCC chair Michael Powell has been leaning towards viewing
it as an information service, but Rep. Dingell is concerned that he is
ignoring such issues as universal service, law enforcement, and 911
emergency calls.
- http://www.internetnews.com/infra/article.php/3308761
Technology
- Title: New Web Services Security Spec Under Way
- Source: Internet News
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- Business standards group OASIS (Organization for the Advancement of
Structured Information Standards) has formed an XRI (Extensible Resource
Identifier) Data Interchange (XDI) committee to work on an identity
management specification based on the Dataweb concept proposed by software
company Cordance. The Dataweb is meant to make XML and web services more
powerful by allowing data to be shared across Internet applications just as
content is shared across the Web. When such documents are updated, the
updates would spread across linked applications as "water flows through
pipes." XDI is meant to track and control these changes and maintain the
identity of a resource despite its location, including its security
attributes.
- http://www.internetnews.com/dev-news/article.php/3308851
Vulnerabilities & Exploits
- Title: ISS warns of holes in Check Point firewall, VPN server
- Source: Network World Fusion
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- Internet Security Systems (ISS) has released details of two flaws in
Check Point firewalls and VPN-1 (virtual private network - 1) that could
allow an attacker to take over the firewall and break into a network. ISS
considers the flaw critical, as Check Point firewalls account for more than
half of the firewalls in corporate networks. The firewall flaw rests in the
HTTP (hypertext transfer protocol) Security Server. Check Point had
announced the vulnerability, but described it as "theory only"; ISS says its
X-Force Labs have leveraged the flaw into a workable exploit. The VPN flaws
would compromise a network and any information flowing over it. While Check
Point has released a patch for the firewall vulnerability, it has not
released one for VPN-1 since it no longer supports that application.
- http://www.nwfusion.com/news/2004/0205isswarns.html
- Also - http://zdnet.com.com/2100-1104_2-5153635.html
- Title: Can Apple Keep the Worms Out?
- Source: Business Week
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- The recent MyDoom worm has re-ignited debate between Macintosh and
Windows advocates--Mac users claim they escaped attack due to the
superiority of their operating system, while Windows users point out that
Macs have little market share, so virus writers ignore them. Both claims
have some degree of truth: the unique protocols and code powering the Mac
are not so interconnected as in Windows systems, meaning a hole in one
program would not compromise another. However, when Apple computers had a
higher market share, they did suffer more attacks. Apple's uniqueness
changed however with OS X (Operating System 10), when it joined the much
larger Unix family of operating systems. Unlike other Unix systems, Macs
often have to provide security for non-tech-savvy users. Several features,
such as the password requirement to install software, administrator
passwords, and a simple automatic update system help to protect such users.
- http://www.businessweek.com/technology/content/feb2004/tc2004025_4265_tc056.htm
- Title: Real Player struck by massive security hole
- Source: Techworld
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- Jouko Pynnönen and Mark Litchfield of NGSSoftware have discovered a
vulnerability in the popular Real Player media program that could allow an
attacker to run arbitrary code on a machine. Attackers can modify Real Media
files (.rp, .rt, .ram, .rpm, and .smil) to exploit a buffer overflow; users
would only have to click a link to run such a file to fall victim to the
attack. The researchers informed Real Media of the flaw so the company could
develop a patch before disclosing the flaw to the public. The flaw affects
nearly all of the company's media players. Users can update their players by
clicking the "Check for Update" feature under "Tools." Most users turn off
automatic updates due to Real Media's aggressive advertising.
- http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=986
- Title: Spyware cures may cause more harm than good
- Source: news.com.com
- Date Written: February 4, 2004
- Date Collected: February 5, 2004
- Users wishing to keep their computers clean of spyware, software that
monitors computer use for fraud or to gather marketing data, are falling
victim to so-called antispyware programs that come bundled with spyware. The
Center for Democracy and Technology plans to file complaints with the
Federal Trade Commission (FTC) against offending companies. Many antispyware
companies have been unwilling to disclose their practices, while others put
competitors' software on their lists of programs to remove in spyware scans.
One program, SpyBan, has been discovered to download the Look2Me web-use
monitor. SpyBan's website has gone offline after receiving questions about
Look2Me from reporters.
- http://news.com.com/2100-1032_3-5153485.html?tag=nefd_lede
- Title: Web applications wide open to hackers
- Source: vnunet.com
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- According to security firm WebCohort's Application Defense Center, at
least 92% of web applications are vulnerable to some form of attack. The
results, based on tests of 250 applications over four years, show
cross-site scripting vulnerabilities accounting for 80% of weaknesses, SQL
injections at 62%, and parameter tampering at 60%. The applications tested
were on e-commerce, online banking, enterprise collaboration, and supply
chain management websites. WebCohort also found that attackers could steal
valuable data, shut down sites, and create legal liability while avoiding
detection, despite widespread use of firewalls and intrusion detection
systems. WebCohort chief executive Shlomo Kramer argues that tighter network
security has pushed hackers to targeting the weaker web applications.
- http://www.vnunet.com/News/1152521
Best Practices & Risk Management
- Title: SA schools get security tech boost
- Source: IT Web
- Date Written: February 5, 2004
- Date Collected: February 5, 2004
- Security firm Symantec has signed a deal with the South African
Department of Education to donate R100 million ($14.3 million) in security
tools to 28,000 schools. Schools with fewer than ten workstations will
receive Norton Internet Security, while those with more than ten will deploy
Symantec Anti-virus Enterprise Edition and Symantec Client Security. The
deal includes daily virus definition updates, access to scan engines, and
technical support. Education minister Kader Asmal proclaimed the deal as
part of his department's efforts to bring Internet and computers into
schools to enhance learning. Under department plans, each school must have
at least one computer for administrative purposes by 2007. Symantec's
Giuseppe Verrini says 16,000 schools will have computers by the end of 2004
with access to Symantec products. Symantec regional manager Patrick Evans
notes that schools suffer the same vulnerabilities as businesses, as both
must protect confidential information, but do not have the same resources to
protect their systems.
- http://www.itweb.co.za/sections/internet/2004/0402051252.asp?A=SCR&S=Social
Civil & Consumer Issues
- Title: File-Sharing: Who's to Blame?
- Source: Wired (AP)
- Date Written: February 4, 2004
- Date Collected: February 5, 2004
- A three-judge panel of the Ninth US Circuit Court of Appeals heard
arguments in a suit brought forward by entertainment companies attempting to
hold makers of peer-to-peer (P2P) file-sharing software liable for copyright
infringement over their networks. Russ Frackman, lawyer for the
entertainment companies, argued that 90% of content on P2P networks is
illegal. Judge John Noonan responded that 10% seemed to be a lot of legal
activity, to which Mr. Frackman replied that the P2P makers should build
their business model on that legal 10%. In April 2003, federal judge Stephen
Wilson ruled that Grokster and StreamCast could not be held liable for
copyright infringement, citing the 1984 Supreme Court decision regarding
Sony's Betamax; Sony could not be held liable for copyright infringement
with Betamax tapes, since the technology had legitimate uses. Mr. Frackman
argues that Sony was not liable since the company could not control consumer
use of Betamax, but that P2P providers can, but refuse to filter copyrighted
content so they can profit from the 90% illegal activity.
- http://www.wired.com/news/digiwood/0,1412,62161,00.html?tw=wn_tophead_6
- Title: Courts make users liable for security glitches
- Source: Computerworld
- Date Written: February 4, 2004
- Date Collected: February 5, 2004
- As insurance agencies drop computer breaches from their general
liability policies and offer specialized computer insurance instead, 2004
can expect to see more cybersecurity lawsuits. The trend began in October
2001, after the summer of the "I Love You" and Nimda viruses, when Hartford
Insurance Company removed computer damages from its general liability plan.
As attacks intensified in 2002, victims began to view the problem as
negligence rather than liability. Lawyer Bill Cook identifies three factors
in future court rulings. First, from the Maine Public Utilities Commission
vs. Verizon case, worms are predictable--the court denied Verizon a utilities
refund for downtime during the Slammer virus, since the company had failed
to patch its systems against the Slammer vulnerability. Second, courts can
determine security procedures. In a case over unpaid American Indian
benefits, one federal judge found the Department of the Interior's
cybersecurity conduct so deplorable, he began contempt proceedings. Third, a
case between the American Civil Liberties Union (ACLU) and the State of New
York finds that third-party vendors cannot be blamed for security breaches.
A case against Microsoft for its vulnerabilities may have further
implications for user responsibility.
- http://www.computerworld.com/securitytopics/security/story/0,10801,89854,00.html?SKC=security-89854
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/substop.html
The Institute for
Security Technology Studies (ISTS) accepts no responsibility for any error
or omissions in this e-mail. The information presented is a compilation of
material from various sources and has not been verified by staff of the
ISTS. Therefore, the ISTS cannot be made responsible for the factual
accuracy of the material presented. The ISTS is not liable for any loss or
damage arising from or in connection with the information contained in this
report. It is the responsibility of the user to evaluate the content and
usefulness of this information. References in this e-mail to any specific
commercial products, processes, or services by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply endorsement,
recommendation, or favoring by the ISTS. ISTS is a research, not
operational, organization, and makes its Security in the News e-mail
available as a public service on a best-effort basis. Security in the News
will be sent out on most business days, but not all.
Institute for Security Technology Studies, Dartmouth College, 45 Lyme Road, Suite 200, Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu