Network Security
FW: Security In The News - February 26, 2004
- From: Howell, Paul
- Date: Thu Feb 26 17:37:27 2004
-----Original Message-----
From: dailyreport@ists.dartmouth.edu
To: subscriber (2554)
Sent: 2/26/2004 4:51 PM
Subject: Security In The News - February 26, 2004
Security In The News
LAST UPDATED: 2/26/04
This report is also available on the Internet at
http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
Homeland insecurity starts at home
The Register, 2/25/04
<http://www.theregister.co.uk/content/55/35851.html>
Cybercrime-Hacking
Documents: Hopkins youth hacked other firms
Star Tribune, 2/26/04
<http://www.startribune.com/stories/789/4630324.html>
Politics-Legislation
Lawmakers Alarmed by RFID Spying
Wired News, 2/26/04
<http://www.wired.com/news/privacy/0,1848,62433,00.html?tw=wn_tophead_2>
Malware
Netsky.C worm starts to spread
vnunet.com, 2/26/04 <http://www.vnunet.com/News/1153066>
Also - EWeek.com, 2/25/04
<http://www.eweek.com/article2/0,4149,1538954,00.asp>
Technology
RSA: VeriSign links with Microsoft on authentication
security.itworld.com, 2/26/04
<http://security.itworld.com/4360/040226verisignms/page_1.html>
VeriSign under Oath for stronger ID checks
vnunet.com, 2/26/04 <http://www.vnunet.com/News/1153068>
Also - EWeek.com, 2/25/04
<http://www.eweek.com/article2/0,4149,1539158,00.asp>
PostX Is Poised to Foil Phishing Attacks
EWeek.com, 2/26/04 <http://www.eweek.com/article2/0,4149,1539417,00.asp>
Military certifies biometric profile
Federal Computer Week, 2/25/04
<http://www.fcw.com/fcw/articles/2004/0223/web-biomet-02-25-04.asp>
Vulnerabilities & Exploits
Businesses are under attack, says MS security head
InfoWorld, 2/24/04
<http://www.infoworld.com/article/04/02/24/HNunderattack_1.html>
SMEs the weakest link on security
IT Week, 2/26/04 <http://www.itweek.co.uk/News/1153067>
Is Microsoft ignoring the biggest source of security threats?
Computerworld, 2/25/04
<http://computerworld.com/securitytopics/security/story/0,10801,90466,00.html>
Best Practices & Risk Management
Yukon to Ship with Features Securely Off
EWeek.com, 2/25/04 <http://www.eweek.com/article2/0,4149,1539058,00.asp>
Patching 'still too difficult'
ZDNet, 2/25/04
<http://news.zdnet.co.uk/internet/security/0,39020375,39147340,00.htm>
Civil & Consumer Issues
Piracy on wireless Internet raises legal challenges
Canada.com, 2/25/04
<http://www.canada.com/technology/story.html?id=0BE75329-1A0C-4FEB-A602-C579A191B3EC>
Homeland Security & Infrastructure Protection
Title: Homeland insecurity starts at home
Source: The Register
Date Written: February 25, 2004
Date Collected: February 26, 2004
Speaking at the RSA Conference, John Gordon, retired US Air Force
General and current advisor to President Bush on Homeland Security, says
that the information technology industry needs to focus on making
security software easier to use and more reliable, rather than on the
identity of attackers. Mr. Gordon recommends that industry be
"intolerant" of security flaws in all software, to encourage a higher
standard of code. Mr. Gordon also argued for protecting the nation's
critical infrastructures against cyberterrorism, noting that terrorists
are only one group that can exploit vulnerabilities. Mr. Gordon believes
most Americans have a pre-1993 understanding of cyberthreats, referring
to the first attacks against the World Trade Center. To better protect
cyberspace, industry should make personal security easier.
http://www.theregister.co.uk/content/55/35851.html
Cybercrime-Hacking
Title: Documents: Hopkins youth hacked other firms
Source: Star Tribune
Date Written: February 26, 2004
Date Collected: February 26, 2004
Federal prosecutors allege that Jeffrey Parson, 18, currently on trial
for releasing a worm that infected 7,000 computers, also broke into the
computers of the Motion Picture Association of America (MPAA) and the
Recording Industry Association of America (RIAA). Mr. Parson admitted
breaking into computers to store pirated movies, games, and music, and
prosecutors are using Internet chat logs found on Mr. Parson's computers
as evidence for the charge. Prosecutors also charged that Mr. Parson
installed backdoors on over 1,200 computers, enabling him to download
personal, medical, and financial records, though they do not allege that
he actually did so.
http://www.startribune.com/stories/789/4630324.html
Politics-Legislation
Title: Lawmakers Alarmed by RFID Spying
Source: Wired News
Date Written: February 26, 2004
Date Collected: February 26, 2004
Utah's House of Representatives has passed the Radio Frequency
Identification Right to Know Act, requiring all goods carrying RFID
(radio frequency identification) tags to be clearly labeled. California
state Senator Debra Bowen has introduced a bill to prohibit matching
RFID product data with consumers' personal data. Consumer advocacy
groups, such as Consumers Against Supermarket Privacy Invasion and
Numbering (CASPIAN), are concerned that RFID tags can be used to track
consumers' movements within a store, and tailor marketing pitches to the
items a shopper is carrying. CASPIAN also warned the Federal Reserve
Bank of Boston that RFID tags in clothing could be used by spies to
track citizens. Wal-mart, Procter & Gamble, and Gillette want to use
RFID to streamline their supply chains, but underestimated consumer
backlash over privacy. Companies are formulating privacy policies, but
some, such as Barry Steinhardt, director of the Technology and Liberty
Program at the American Civil Liberties Union, want government
enforcement instead.
http://www.wired.com/news/privacy/0,1848,62433,00.html?tw=wn_tophead_2
Malware
Title: Netsky.C worm starts to spread
Source: vnunet.com
Date Written: February 26, 2004
Date Collected: February 26, 2004
A new variation of the Netsky worm, Netsky.C is spreading across the
Internet, according to antivirus firms. Like its predecessors, Netsky.C
travels either as an e-mail attachment or through shared network
folders. Once activated, the worm scans drives C: to Z: on infected
computers, looking for more e-mail addresses to send itself to, and
copying itself into shared network and peer-to-peer folders. Antivirus
firm Central Command believes Netsky.C has the potential to become a
major outbreak, with reports of 1,500 infections in the first 40 minutes
after its discovery.
http://www.vnunet.com/News/1153066
Also - http://www.eweek.com/article2/0,4149,1538954,00.asp
Technology
Title: RSA: VeriSign links with Microsoft on authentication
Source: security.itworld.com
Date Written: February 26, 2004
Date Collected: February 26, 2004
VeriSign has announced a partnership with Microsoft to provide cheaper
and easier-to-install authentication for Windows Server 2003, building
on an existing relationship to provide PKI (public key infrastructure)
services to Server 2003. Users will be able to distribute desktop PKI
credentials, and use other authentication instruments, such as smart
cards and tokens. These tools will interoperate with Microsoft
applications such as VPN (virtual private network), wireless network,
and secured e-mail. The authentication services implement one of the
first stages of the Open Authentication Reference Architecture (OATH),
intended to replace the patchwork of proprietary authentication
products.
http://security.itworld.com/4360/040226verisignms/page_1.html
Title: VeriSign under Oath for stronger ID checks
Source: vnunet.com
Date Written: February 26, 2004
Date Collected: February 26, 2004
VeriSign has announced its Open Authentication reference architecture
(OATH) to provide strong authentication across different networks and
products. OATH is built on open standards, such as the Lightweight
Directory Access Protocol and the Remote Authentication Dial-in User
Service, to build interoperability with a wide variety of software and
hardware. VeriSign says that static passwords are not enough to prevent
break-ins anymore, arguing for combining user identity with tokens.
VeriSign chief executive Stratton Sclavos argues that "ubiquitous
adoption of any technology requires a fundamental shift from proprietary
to open architecture."
http://www.vnunet.com/News/1153068
Also - http://www.eweek.com/article2/0,4149,1539158,00.asp
Title: PostX Is Poised to Foil Phishing Attacks
Source: EWeek.com
Date Written: February 26, 2004
Date Collected: February 26, 2004
PostX has joined the Coalition on Online Identity Theft and released its
new Trusted Dialog product. Trusted Dialog is both a server- and a
client-side e-mail delivery system designed to verify e-mails and guard
against phishing scams; however, the company would not indemnify clients
or guarantee the product. Trusted Dialog allows e-mail senders to sign
their messages with an identifying hash. A helper application will
provide risk assessments for e-mails, rating their probable authenticity
as, from highest to lowest, green, yellow, or red. PostX vice president
Scott Olechowski believes that e-mail can be protected without a revamp
of the entire system, as Microsoft chairman Bill Gates has suggested.
http://www.eweek.com/article2/0,4149,1539417,00.asp
Title: Military certifies biometric profile
Source: Federal Computer Week
Date Written: February 25, 2004
Date Collected: February 26, 2004
The Defense Department's Biometrics Management Office has certified the
first five biometric protection profiles under the National Information
Assurance Partnership for use at Defense and other government agencies.
The U.S. Government Biometric Verification Mode Protection Profile for
Medium Robustness Environments specifies minimum security requirements
and establishes criteria for purchasing biometric products. Defense has
also launched a website, www.biometrics.dod.mil, to provide tutorials
and policy updates on the technologies and consolidate information in
one site.
http://www.fcw.com/fcw/articles/2004/0223/web-biomet-02-25-04.asp
Vulnerabilities & Exploits
Title: Businesses are under attack, says MS security head
Source: InfoWorld
Date Written: February 24, 2004
Date Collected: February 26, 2004
David Aucsmith, Security Architect and Chief Technology Officer at
Microsoft's Security Business Unit, speaking at the E-Crime Congress in
London, said that businesses face threats of online extortion and fraud
due to vulnerable software. While admitting that Microsoft software has
a reputation for vulnerability, Mr. Aucsmith argued that much of the
software predates known security issues; Windows 95 and NT were written
before the World Wide Web, while Windows Server 2003 was written before
buffer overflows were commonly exploited, according to Mr. Aucsmith.
People who want more secure software should upgrade. Mr. Aucsmith
posited that current vulnerabilities are the result of a changing
software industry and the growing sophistication of hackers, rather than
vendor negligence. Many black hats can now make a career out of illegal
hacking. In addition to keeping software up to date, Mr. Aucsmith says
Microsoft is improving the patching process to help users protect their
systems.
http://www.infoworld.com/article/04/02/24/HNunderattack_1.html
Title: SMEs the weakest link on security
Source: IT Week
Date Written: February 26, 2004
Date Collected: February 26, 2004
According to Jim Paice, the United Kingdom's Conservative Party shadow
minister for home, legal, and constitutional affairs, small and medium
enterprises (SMEs) have weaker security than their larger corporate
counterparts, possibly creating backdoors into the networks of larger
enterprises. Large businesses have more money to spend on security, but
smaller businesses are included in their supply chains. Small businesses
and 2.6 million sole traders make up about 99% of the UK's firms and 40%
of its workforce; half of small businesses suffer a compromise each
year. Companies must look at their policies governing network use.
http://www.itweek.co.uk/News/1153067
Title: Is Microsoft ignoring the biggest source of security threats?
Source: Computerworld
Date Written: February 25, 2004
Date Collected: February 26, 2004
Peter H. Gregory discusses insider threats and the attention given to
them in Microsoft's security initiatives. At the RSA Conference,
Microsoft chair Bill Gates outlined new security features in the
upcoming Windows XP Service Pack 2, such as two-factor authentication,
new firewall components, and Active Protection Technology. These
features, while certainly needed, only address external threats to a
computer network; FBI (Federal Bureau of Investigation) surveys show
that most security incidents are committed by insiders who already have been
given access to a system. However, these threats have not received the
same media attention as hackers and viruses. Mr. Gregory notes that
nothing in Microsoft's stated short-term and long-term plans addresses
insider threats, and questions whether this means Microsoft is still
just researching the issue, or ignoring it for bigger headline threats.
Mr. Gregory believes technology to monitor suspicious changes in
employee behavior should be a research priority.
http://computerworld.com/securitytopics/security/story/0,10801,90466,00.html
Best Practices & Risk Management
Title: Yukon to Ship with Features Securely Off
Source: EWeek.com
Date Written: February 25, 2004
Date Collected: February 26, 2004
According to Tom Rizzo, Microsoft Director of Product Management for SQL
Server, Microsoft's next SQL Server version, code-named "Yukon," will
come with certain features turned off in the default installation, for
better security. Certain core functionality will be left on so the
database works out of the box. Engineers are also building a simple
interface for switching features on and off. Yukon is currently in beta
testing, ahead of its scheduled late spring/early summer 2004 deadline.
http://www.eweek.com/article2/0,4149,1539058,00.asp
Title: Patching 'still too difficult'
Source: ZDNet
Date Written: February 25, 2004
Date Collected: February 26, 2004
According to data collected by vulnerability assessment firm Qualys over
two years, it takes about one month to halve the number of computers
affected by a newly discovered security hole, largely due to the
difficulty of applying new patches. The patching process takes time,
leaving a system vulnerable. Microsoft announced to mixed reviews in
October 2003 that it would move to a monthly patch cycle in response to
customers' failure to regularly update their systems. Philip Harris,
vice president for information security for the Safeway supermarket
chain, notes that people exploiting vulnerabilities are not on a
schedule. However, Dennis Devlin, of the Thomson Corporation, believes
taking the time to develop a problem-free patch could go a long way
toward simplifying the patching process. Mary Ann Davidson, chief
security officer for Oracle, argues that users should demand higher
quality software for their money.
http://news.zdnet.co.uk/internet/security/0,39020375,39147340,00.htm
Civil & Consumer Issues
Title: Piracy on wireless Internet raises legal challenges
Source: Canada.com
Date Written: February 25, 2004
Date Collected: February 26, 2004
The Canadian Recording Industry Association (CRIA) is running into some
difficult legal questions as it tries to compel Internet service
providers (ISPs) to hand over the identities connected to Internet
addresses CRIA has logged as engaging in illegal music downloads. Home
users often have low-cost routers which allow multiple computers to
share a single Internet connection, while wireless access points could
allow outsiders to sneak through a home wireless network. ISPs argue
that they can identify customers associated with an Internet address,
but technology makes it impossible to determine who was actually
connected through that address at any given time. Richard Pfohl, general
counsel for CRIA, argues a computer owner is responsible for any
Internet use of that computer. Canadian ISPs do not log Internet
addresses unless directed to do so by a warrant, leading them to
question what technology CRIA used to gather the addresses.
http://www.canada.com/technology/story.html?id=0BE75329-1A0C-4FEB-A602-C579A191B3EC
To change your delivery preferences please go to:
http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please
go to:
http://news.ists.dartmouth.edu/substop.html
The Institute for Security Technology Studies (ISTS) accepts no
responsibility for any error or omissions in this e-mail. The
information presented is a compilation of material from various sources
and has not been verified by staff of the ISTS. Therefore, the ISTS
cannot be made responsible for the factual accuracy of the material
presented. The ISTS is not liable for any loss or damage arising from or
in connection with the information contained in this report. It is the
responsibility of the user to evaluate the content and usefulness of
this information. References in this e-mail to any specific commercial
products, processes, or services by trade name, trademark, manufacturer,
or otherwise, does not constitute or imply endorsement, recommendation,
or favoring by the ISTS. ISTS is a research, not operational,
organization, and makes its Security in the News e-mail available as a
public service on a best-effort basis. Security in the News will be sent
out on most business days, but not all.
Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------