
Network Security
FW: Security In The News - February 9, 2004
- From: Howell, Paul
- Date: Tue Feb 10 07:19:07 2004
Security In The News
LAST UPDATED: 2/9/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
DHS launches trio of IT security groups
- Government Computer News, 2/9/04
Cybercrime-Hacking
Leniency may encourage more hackers
- vnunet.com, 2/6/04
Malware
IIA funds anti-virus website
- Australian IT, 2/10/04
MyDoom.C Slams Into Microsoft.com
- EWeek.com, 2/9/04
Technology
EU acts to improve protection of citizens with security research
- PublicTechnology.net, 2/6/04
Mickey Mouse, Bill Gates join forces
- CNN Money (Reuters), 2/9/04
Vulnerabilities & Exploits
Reflections on Thompson's 'Reflections'
- EWeek.com, 2/5/04
.zip files putting the zap on antivirus products
- Computerworld, 2/5/04
'Dumb' users spread viruses - official
- Silicon.com, 2/6/04
Microsoft Issues XML Fix to IE Patch
- EWeek.com, 2/6/04
Nokia admits multiple Bluetooth security holes
- ZDNet UK, 2/9/04
Best Practices & Risk Management
Foiling Laptop Data Thieves
- Wired News (Reuters), 2/8/04
Civil & Consumer Issues
25 Spammers Given Fines for First Time
- The Korea Times, 2/9/04
SCO ups ante and alters case against IBM
- vnunet.com, 2/9/04
E-Vote Machines Drop More Ballots
- Wired News, 2/9/04
Lawmakers Game the System
- Wired News, 2/9/04
TiVo watchers uneasy after post-Super Bowl reports
- news.com.com, 2/5/04
Michigan Plans Internet Vote Despite Hacking Risks
- Reuters, 2/6/04
Homeland Security & Infrastructure Protection
- Title: DHS launches trio of IT security groups
- Source: Government Computer News
- Date Written: February 9, 2004
- Date Collected: February 9, 2004
- The Department of Homeland Security (DHS) has created three new
organizations to protect federal computer systems and coordinate responses to
threats. The Government Forum of Incident Response Teams (G-FIRST) brings
together officials from the US Computer Emergency Response Team (US-CERT), the
Pentagon, and civilian agencies. The Chief Information Security Officers Forum
is made of senior officials in charge of agency cybersecurity and compliance
with the Federal Information Security Management Act, and will help officials
share details on what programs work or fail. The Cyber Interagency Incident
Management Group brings together agencies with "significant capabilities in
cybersecurity," such as law enforcement and national security agencies, to
coordinate responses to major security threats during an attack.
- http://www.gcn.com/vol1_no1/daily-updates/24896-1.html
Cybercrime-Hacking
- Title: Leniency may encourage more hackers
- Source: vnunet.com
- Date Written: February 6, 2004
- Date Collected: February 9, 2004
- Many security experts are warning that lenient sentences for hackers could
encourage their crimes. Experts are responding to the case of Joseph James
McElroy, who pled guilty to breaking into the computers of Fermilab, a US
Department of Energy nuclear research site. Mr. McElroy received a sentence of
only 200 hours community service for the crack, since the judge found no
malicious intent in Mr. McElroy's motives. David Williamson of managed
security firm Ubizen warns that lack of compensation or custodial sentence
could give a "green light to break the law" to other serial hackers, and leave
attacked firms with the bill for repairs after a break-in.
- http://www.vnunet.com/News/1152551
Malware
- Title: IIA funds anti-virus website
- Source: Australian IT
- Date Written: February 10, 2004
- Date Collected: February 9, 2004
- The Internet Industry Association, a coalition of Australian Internet
service providers (ISPs), is launching a public awareness campaign to help
users protect themselves against viruses. Building off of its No Spam
initiative, the IIA has set up a No Virus site (http://www.iia.net.au/novirus)
offering free trial versions of McAfee, Trend Micro, Norman Antivirus, and
BitDefender. IIA chief executive Peter Coroneos says the initiative is driven
by the exasperation many ISPs feel in having to deal with users who endanger
others with unsafe computing practices.
- http://australianit.news.com.au/articles/0,7204,8630511^15318^^nbv^15306,00.html
- Title: MyDoom.C Slams Into Microsoft.com
- Source: EWeek.com
- Date Written: February 9, 2004
- Date Collected: February 9, 2004
- MyDoom.C, the third version of the MyDoom mailer worm, is circulating on
the Internet and has launched successful denial of service attacks against
Microsoft's website. The new variant does not spread over e-mail like the
previous two, but uses the backdoor installed by MyDoom.A on TCP (Transmission
Control Protocol) port 3127. Antivirus firm iDefense reports that the worm,
unlike its predecessors, does not install a backdoor or have a kill date. If
activated between February 8 and 12, 2004, the worm sleeps for a random amount
of time, then launches 80 threads on the computer to access www.microsoft.com
at once. iDefense estimates that MyDoom.C could infect 500,000 computers in
the first week, spreading over the machines already infected by MyDoom.A.
- http://www.eweek.com/article2/0,4149,1522236,00.asp
Technology
- Title: EU acts to improve protection of citizens with security research
- Source: PublicTechnology.net
- Date Written: February 6, 2004
- Date Collected: February 9, 2004
- The European Commission has released a Communication entitled "Towards a
programme to advance European security through Research and Technology,"
outlining the need to coordinate security research at the European Union (EU)
level. The document named anti-terrorism, crisis management, and enhancing the
security, reliability, protection, and interoperability of communication
systems as key research areas, and set aside €65 million for initial research.
This should lead to a European Security Research Programme by 2007. The
current state of research in the EU leads to fragmentation and inefficient
duplication of security efforts, according to European Research Commissioner
Philippe Busquin.
- http://www.publictechnology.net/modules.php?op=modload&name=News&file=article&sid=560
- Title: Mickey Mouse, Bill Gates join forces
- Source: CNN Money (Reuters)
- Date Written: February 9, 2004
- Date Collected: February 9, 2004
- The Walt Disney company has signed a deal with Microsoft to license
digital rights management technology to prevent pirating of its content.
Disney plans to distribute movies over the Internet by 2005, and does not want
to fall victim to the piracy that has affected the music industry and album
sales. The digital rights system would allow for the legal transfer of content
in the next generation of portable video devices. Microsoft signed a similar
agreement with Time Warner in May 2003.
- http://money.cnn.com/2004/02/09/technology/microsoft_disney.reut/index.htm?cnn=yes
Vulnerabilities & Exploits
- Title: Reflections on Thompson's 'Reflections'
- Source: EWeek.com
- Date Written: February 5, 2004
- Date Collected: February 9, 2004
- In August 1984, Ken Thompson wrote an article called "Reflections on
Trusting Trust," describing a program he wrote to give him super-user access
on Unix machines that could only be discovered if a person had verified the
entire chain of software on the system, including the compiler used to compile
the machine's own compiler. Similarly, the United States sabotaged Soviet
technology theft by planting a Trojan in pipeline control software, causing
"the most monumental non-nuclear explosion and fire ever seen from space." In
1994, Peter Coffee discussed similar vulnerabilities from embedded objects in
documents, which can link users to unknown parties over the web. In 1999,
features in Microsoft Office 2000, such as Outlook's preview pane and active
content in HTML (hypertext markup language) e-mails, further opened computers
to such attacks as the Melissa virus. Each of these attacks exploited people's
trust of other systems rather than technological flaws; the recent MyDoom
attacks suggest that users must remember the role of trust in protecting a
system.
- http://www.eweek.com/article2/0,4149,1517369,00.asp
- Title: .zip files putting the zap on antivirus products
- Source: Computerworld
- Date Written: February 5, 2004
- Date Collected: February 9, 2004
- Virus writers are turning to .zip compression files to sneak their malware
past virus filters. .zip files are a common format for compressing larger
files or sets of files for storage and transmission. Antivirus firm
MessageLabs reports that the malicious use of .zip files took off in 2003.
Virus writers have long disguised their malware as other file formats, but
avoided .zip since it required special software to install on a target
computer. However, Microsoft's Windows XP offers native support for .zip
files, making them easy targets. .zip files are also important business tools,
making it problematic to filter them. They can also speed up the spread of
mass-mailer worms by shrinking the payload. Some attackers are compressing
gigabytes of data into .zip files, which can crash a machine when it
decompresses the file. No easy technological solution exists for the dangers
of .zip files, leading some to suggest employee education and best practices
to mitigate the threat.
- http://www.computerworld.com/securitytopics/security/story/0,10801,89897,00.html
- Title: 'Dumb' users spread viruses - official
- Source: Silicon.com
- Date Written: February 6, 2004
- Date Collected: February 9, 2004
- According to a recent study commissioned by Novell, surveying 1,000
British workers, users are mostly responsible for the wide spread of viruses.
60% of those surveyed said they were not aware of basic virus protection
methods, while another third claimed they were too busy to bother with such
protections, whether or not they understood them. 58% said they would forward
a spam to a friend or colleague without a thought. About a third would respond
to the spam. Most did not understand the concept of a phishing scam, while
half could not remember their passwords and a third had them written down on a
Post-It note on their desk. Steve Brown, the United Kingdom managing director
for Novell, says the most surprising part of the study was the "lackadaisical
attitude" of most users; most would not be bothered by an attack and only 5%
would feel bad if they helped spread it.
- http://www.silicon.com/software/security/0,39024655,39118228,00.htm
- Title: Microsoft Issues XML Fix to IE Patch
- Source: EWeek.com
- Date Written: February 6, 2004
- Date Collected: February 9, 2004
- Microsoft has issued a follow-up patch to its previous Internet Explorer
patches which addressed a spoofing vulnerability, updating the browser's MSXML
(Microsoft Extensible Markup Language) functionality to work properly with the
changes. The new patch affects websites and applications that use the XMLHTTP
(extensible markup language hypertext transfer protocol) for authentication.
- http://www.eweek.com/article2/0,4149,1519007,00.asp
- Title: Nokia admits multiple Bluetooth security holes
- Source: ZDNet UK
- Date Written: February 9, 2004
- Date Collected: February 9, 2004
- Nokia has admitted to Bluetooth vulnerabilities in a number of its
handsets which could allow an attacker to "bluesnarf"--i.e. read, modify, or
copy--data from a phone without the user's knowledge. The vulnerabilities,
announced by AL Digital, can be found in ten phones from Nokia, Sony Ericsson,
and Ericsson; however, Nokia notes that bluesnarfing is only possible when the
phone is in visible mode, set to actively search for other Bluetooth devices.
Nokia's 7650 phone could be used by a Bluetooth attacker to send SMS (short
message service) messages or browse the web. The 6310i could fall victim to
denial of service attacks through malformed Bluetooth messages. Nokia does not
plan to release a fix for the vulnerabilities, since they are limited to a few
handsets, and does not expect the flaws to pose a widespread threat.
- http://news.zdnet.co.uk/communications/0,39020336,39145886,00.htm
Best Practices & Risk Management
- Title: Foiling Laptop Data Thieves
- Source: Wired News (Reuters)
- Date Written: February 8, 2004
- Date Collected: February 9, 2004
- While laptops and other portable devices make it easy to carry data
around, they also make it easy to lose or compromise that data, since such
devices can be easily lost or stolen. However, users can take several steps to
protect data on portable machines. The first step is to back up all data
against loss. Several options exist for back-ups, including writable CDs, Zip
disks, and e-mailing a file to oneself. Portable USB drives the size of a
keychain are also available, ranging from $25 for a 32 megabyte drive to $700
for a 2 gigabyte drive. Microdrives, about the size of a saltine cracker, can
fit into a slot on the side of a machine and hold four gigabytes. Users must
also protect the data on a portable machine. USB tokens work to authenticate a
user; without a token present in the USB port, a computer will refuse to open
protected files. Such tokens are now available to consumers for $120.
Fingerprint readers are also available for around $150 to $200, and can plug
into a PC slot or USB port. CyberAngel offers a service to track down
computers when thieves connect them to the Internet.
- http://www.wired.com/news/technology/0,1282,62211,00.html?tw=wn_tophead_8
Civil & Consumer Issues
- Title: 25 Spammers Given Fines for First Time
- Source: The Korea Times
- Date Written: February 9, 2004
- Date Collected: February 9, 2004
- South Korea's Fair Trade Commission (FTC), after an investigation tracking
down 179 spammers, has levied fines ranging between 1 million and 7 million
won ($850 to $6,000) against 25 spammers for violating the E-Commerce Consumer
Protection Law. 4M Computer, a private education institute for computer design
and e-commerce, received the heaviest fine since it continued to spam
consumers even after they opted out of further e-mails. Two pornography sites
were also fined 7 million won for violating marking rules and deceptive
advertising. The FTC received spam complaints for investigation through its
www.nospam.go.kr website. FTC director-general Son In-ok declared the
Commission's dedication to pursuing disruptive spammers and to strengthening
penalties against spammers.
- http://times.hankooki.com/lpage/biz/200402/kt2004020919282811860.htm
- Title: SCO ups ante and alters case against IBM
- Source: vnunet.com
- Date Written: February 9, 2004
- Date Collected: February 9, 2004
- The SCO Group has amended its allegations against IBM in its intellectual
property case over Unix and Linux, and increased its damages claim to $5
billion. The SCO Group had revoked IBM's license for Unix-variant AIX,
claiming the company had revealed trade secrets. SCO has dropped that claim
and instead charges copyright infringement for putting code from Dynix and AIX
into the open source Linux operating system. SCO also alleges that IBM
encouraged Novell to make copyright counterclaims against SCO. IBM alleges
that SCO has not provided full, complete, and detailed evidence to IBM for the
discovery process--namely, the code alleged to have been contributed to
Linux--while SCO attorney Mark Heise says the evidence was presented in 17
lines of code. SCO claims it needs access to AIX and Dynix code from IBM to
provide more detailed line-by-line evidence. Judge Brooke Wells will rule in
writing on whether SCO can introduce new claims within a week.
- http://www.vnunet.com/News/1152624
- Title: E-Vote Machines Drop More Ballots
- Source: Wired News
- Date Written: February 9, 2004
- Date Collected: February 9, 2004
- Election Systems and Software (ES&S) reports that problems in the
firmware of its iVotronic touch-screen voting machines led to 436 lost
absentee ballots in North Carolina's 2002 general elections. Votes were also
lost during a special election in Florida in January 2004. The flaw made the
machines think their memory was full and display an error message; however,
the message displayed so quickly that voters did not realize their votes were
not recorded. ES&S spokeswoman Meghan McCormick says the votes were tabulated
correctly on voting day, and did not affect the outcome of the election.
ES&S found the flaw in Jackson County in October 2002 and fixed it, but
did not report it to Wayne County, where the machines were also deployed. When
the voting irregularity was noticed, Wayne County called in an ES&S
technician to recover an audit trail; data from the machines had to be shipped
on a PC card to ES&S central offices to be examined. Such problems have
led many citizens to call for machines that produce a voter-verified paper
trail to protect against miscast ballots and fraud.
- http://www.wired.com/news/evote/0,2645,62206,00.html?tw=wn_tophead_1
- Title: Lawmakers Game the System
- Source: Wired News
- Date Written: February 9, 2004
- Date Collected: February 9, 2004
- The eRulemaking project seeks to create a portal for the websites of 180
federal agencies to facilitate public comment in the drafting of legislation.
The interface design is an important element, since ease of use would affect
the success of such a portal. The design of the interface may be aided by
video game developers, thanks to a conference held by the New York Law School
called "The State of Play: Law, Games, and Virtual Worlds." At that
conference, a panel of game developers and two Washington officials discussed
the problems of e-government. Professor Beth Noveck recalls having a hard time
getting people to agree to the panel, but once they got together they could
not stop talking--many of the problems faced by e-government are the same
problems faced by game designers. Government and game designers use the same
process to solicit public comment, but the government has the extra difficulty
of protecting privacy and citizens' fear of "the government knowing too much
about you." This can prevent commenters from being identified as experts whose
opinion should be considered accordingly.
- http://www.wired.com/news/politics/0,1283,62199,00.html?tw=wn_tophead_4
- Title: TiVo watchers uneasy after post-Super Bowl reports
- Source: news.com.com
- Date Written: February 5, 2004
- Date Collected: February 9, 2004
- TiVo, the makers of the popular TiVo digital video recorder (DVR),
reported that during the Super Bowl half-time show, the inadvertent exposure
of Janet Jackson's breast was the most watched moment in the history of TiVo,
which allows users to pause and rewind live television broadcasts. This news
sparked privacy concerns among many TiVo users unaware of the company's
data-gathering practices. TiVo officials say they operate within established
privacy standards, stripping any identifying information from the data they
gather. TiVo says they do not track individual viewing habits, but sometimes
make a random sampling of 20,000 machines during particular broadcasts.
Consumers are growing more aware that media devices such as DVRs can be used
by corporations to gather market data on individuals. Privacy advocates worry
that data gathered for innocent purposes can be abused in unexpected ways.
- http://news.com.com/2100-1041_3-5154219.html?tag=nefd_lede
- Title: Michigan Plans Internet Vote Despite Hacking Risks
- Source: Reuters
- Date Written: February 6, 2004
- Date Collected: February 9, 2004
- The Michigan Democratic Party will go forward with the votes cast in the
Michigan primaries on the state's Internet voting system, despite the
vulnerabilities that led the Defense Department to call off its own Internet
voting project. Party spokesman Jason Moon says the Michigan system is not the
same as the Pentagon system, and is confident that the system is secure, as it
is protected by two firewalls guarded by Symantec. Voters must enter an
identification number, password, city of birth, and birthdate in order to vote
over the system. All traffic is encrypted. Critics of the system, such as
Johns Hopkins University professor Avi Rubin, point out that the system shares
certain vulnerabilities with the Pentagon system; attackers could redirect
traffic to their own server and then cast different votes or flood the voting
server in a denial of service attack. Even if the voting system could be
completely secured, there is no way to know whether voters' computers have
been compromised.
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4304882
The Institute for Security Technology Studies (ISTS) accepts no responsibility
for any errors or
omissions in this e-mail. The information presented is a compilation of
material from various sources and has not been verified by staff of the ISTS.
Therefore, the ISTS cannot be made responsible for the factual accuracy of the
material presented. The ISTS is not liable for any loss or damage arising from
or in connection with the information contained in this report. It is the
responsibility of the user to evaluate the content and usefulness of this
information. References in this e-mail to any specific commercial products,
processes, or services by trade name, trademark, manufacturer, or otherwise,
do not constitute or imply endorsement, recommendation, or favoring by the
ISTS. ISTS is a research, not operational, organization, and makes its
Security in the News e-mail available as a public service on a best-effort
basis. Security in the News will be sent out on most business days, but not
all.
Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu