FW: Security In The News - March 5, 2004
- From: Howell, Paul
- Date: Fri Mar 05 17:27:05 2004
Security In The News LAST UPDATED: 3/5/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
- DHS slammed on database merger - Government Computer News, 3/5/04
Cybercrime-Hacking
- Pranksters snow TV weather announcement system - Security Focus, 3/4/04
- Hacking Incident Riles Democrats - LA Times, 3/5/04 - Also - Government Computer News, 3/5/04
- "Most devious" bank email phishing scam discovered - Silicon.com, 3/4/04
Politics-Legislation
- Donner turns up heat on computer hackers - Expatica, 3/2/04
- Justice could get privacy boss - Federal Computer Week, 3/4/04
Malware
- Antivirus vendors unzip encrypted email viruses - Silicon.com, 3/5/04
Best Practices & Risk Management
- Microsoft calls for antivirus education - vnunet.com, 3/5/04
- Survey shows security improvements in private sector - Computerworld, 3/5/04
Civil & Consumer Issues
- Firms Look to Limit Liability for Online Security Breaches - Washington Post, 3/5/04
- Caller ID: step forward or Microsoft Trojan horse? - Techworld, 3/5/04
- Making Sense of the SCO Suits - EWeek.com, 3/5/04
Homeland Security & Infrastructure Protection
- Title: DHS slammed on database merger
- Source: Government Computer News
- Date Written: March 5, 2004
- Date Collected: March 5, 2004
- Representative Harold Rogers (R-Kentucky) criticized the Department of
Homeland Security (DHS) for its failure to integrate intelligence and law
enforcement databases, while a Department of Justice Inspector General
report estimated the project would take another four years. Mr. Rogers cited
the recent case of Victor Manuel Batres, a Mexican citizen, who was stopped
by Border Control twice in January 2002, and taken back to Mexico. In
September 2002, Mr. Batres again entered the United States and traveled to
Oregon, where he raped and murdered two nuns. Mr. Rogers noted that Mr.
Batres had a fifteen-year criminal record including several counts of
aggravated assault. Mr. Rogers argues that Border Control access to the FBI
(Federal Bureau of Investigation) fingerprint database could have prevented
this incident. DHS Secretary Tom Ridge denied the project would take four
years, and offered that Border Control could be quickly connected with FBI
databases.
- http://www.gcn.com/vol1_no1/daily-updates/25162-1.html
Cybercrime-Hacking
- Title: Pranksters snow TV weather announcement system
- Source: Security Focus
- Date Written: March 4, 2004
- Date Collected: March 5, 2004
- Cable channel News 14 Carolina, based in Raleigh, North Carolina, shut
down a Web application designed to let schools and businesses report
weather-related closings after some North Carolina State University students
learned how to put their own messages into the system. According to News
14's Charlie Schell, an announcement had to pass review before it would be
posted, but once accepted, businesses could log on and change their names
at will. The students pretended to be legitimate businesses, then changed
their names, often using the so-called "leet" style of typing. Messages
included "h4x0r3d Computer Services," "1337 5p34k Linguistic Services," and
"All Your Base Are Belong To Us." Businesses now have to call in weather
closings by telephone.
- http://www.securityfocus.com/news/8191
- Title: Hacking Incident Riles Democrats
- Source: LA Times
- Date Written: March 5, 2004
- Date Collected: March 5, 2004
- The Senate Judiciary Committee has released the report of
Sergeant-at-Arms William Pickle, which found that two Republican staffers,
Manuel Miranda and Jason Lundell, accessed more than 4,000 Democratic Party
documents from a server shared by members of the Judiciary Committee over a
span of eighteen months. The server was set up so that most files were open to
all users. Mr. Lundell says he learned to access the files while watching the
systems administrator do maintenance. When Mr. Miranda joined Mr. Lundell on
Senator Orrin Hatch's (R-Utah) staff, he assured Mr. Lundell that the access
was neither wrong nor improper. The report found circumstantial evidence
that Mr. Miranda leaked the documents to the Wall Street Journal, the
Washington Times, and several conservative groups. The report finds no
evidence of criminal hacking.
- http://www.latimes.com/technology/la-na-hacker5mar05,1,1348701.story?coll=la-headlines-technology
- Also - http://www.gcn.com/vol1_no1/daily-updates/25196-1.html
- Title: "Most devious" bank email phishing scam discovered
- Source: Silicon.com
- Date Written: March 4, 2004
- Date Collected: March 5, 2004
- A new phishing scam against customers of Australia's Westpac bank marks
a new degree of sophistication in phishing scams. A typical phishing scam
sends an e-mail to a bank's customers, pretending to come from the bank, and
tricks users into entering personal data on a spoof website. The latest scam
mimics the language Westpac uses in its e-mail advisories--including the
line "Westpac will never ask for your personal or login details by email."
The link in the e-mail not only opens the spoof site, but also the real bank
site behind it; when users enter their data into the spoof site, it returns
a false error message and sends the user on to the real site. Andreas
Baumhof, chief technical officer at Microdasys, notes that advice given to
the public about phishing scams is often harmful, such as when the American
Federal Trade Commission advised users that any site with a lock icon was
"definitely" safe, giving users a false sense of security.
- http://www.silicon.com/software/security/0,39024655,39118902,00.htm
Politics-Legislation
- Title: Donner turns up heat on computer hackers
- Source: Expatica
- Date Written: March 2, 2004
- Date Collected: March 5, 2004
- Dutch Justice Minister Piet Hein Donner has called for tougher laws
against cyber criminals, suggesting that anyone convicted of a computer
crime be sentenced to one year imprisonment. Preparations for a cyberattack
and sending large amounts of e-mail to crash a server would also be made
prosecutable, though the minister proposes no new laws against spam, arguing
that current telecommunications laws are sufficient. Under the proposals,
prosecutors would have the power to demand customer data from Internet
service providers, tap phone lines, and seize equipment. The proposed laws
come from the Cyber Crime Treaty of 2001. The Ministry of Justice hopes to
have the bill in Parliament before summer 2004.
- http://www.expatica.com/source/site_article.asp?subchannel_id=19&story_id=5221
- Title: Justice could get privacy boss
- Source: Federal Computer Week
- Date Written: March 4, 2004
- Date Collected: March 5, 2004
- The House Judiciary Committee has approved a reauthorization bill for
the Department of Justice that includes the creation of a senior privacy
officer, similar in function to the Homeland Security's chief privacy
officer. James Dempsey, executive director of the Center for Democracy and
Technology, argues that the position, with congressional oversight, will
help address public concerns about privacy as the government responds to the
threat of terrorism. While many agencies have a privacy officer, only
Homeland Security's is mandated by law. A Justice Department privacy officer
would monitor government collection of data on potential terrorist activity.
- http://www.fcw.com/fcw/articles/2004/0301/web-doj-03-04-04.asp
Malware
- Title: Antivirus vendors unzip encrypted email viruses
- Source: Silicon.com
- Date Written: March 5, 2004
- Date Collected: March 5, 2004
- A Bagle variant has been sneaking past antivirus filters by packaging
itself in an encrypted .zip file and giving users the password to open it.
Antivirus firms BitDefender and Kaspersky Labs have updated their virus
scanners to read the password from the e-mail text and open the .zip file
for scanning. Eugene Kaspersky and BitDefender head Viorel Canja say their
updated products will protect users from this new tactic virus writers are
using to bypass filters. Network Box has similarly upgraded its security
appliance.
- http://www.silicon.com/software/security/0,39024655,39118922,00.htm
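As an added example (not from the digest, and not any vendor's product), a small mail-gateway check in Python that flags the pattern described above: an attachment that is an encrypted ZIP, combined with a password disclosed in the message text. The sample messages, the password phrasings matched and the ZIP local file header are all constructed here for illustration.

```python
"""Added example: flag mail that carries an encrypted ZIP together with its
password in the message text. Messages and ZIP headers are constructed
samples, not captured malware."""
import re
import struct
from email.message import EmailMessage

# Assumed phrasings such as "password: abc" or "the password is abc".
PASSWORD_RE = re.compile(r"password\s*(?:is|:)\s*['\"]?([^\s'\"<>]+)", re.I)
ZIP_LOCAL_SIG = b"PK\x03\x04"


def find_passwords(text: str) -> list:
    """Password candidates disclosed in the body, trailing punctuation stripped."""
    return [p.rstrip(".,;:!)") for p in PASSWORD_RE.findall(text)]


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the ZIP local file header marks an
    encrypted entry, so the archive is recognised without knowing any password."""
    if len(data) < 30 or data[:4] != ZIP_LOCAL_SIG:
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def classify(msg: EmailMessage) -> dict:
    """Combine both signals: a password in the text and an encrypted ZIP attached."""
    body = msg.get_body(preferencelist=("plain",))
    passwords = find_passwords(body.get_content() if body else "")
    encrypted = [part.get_filename() for part in msg.iter_attachments()
                 if zip_is_encrypted(part.get_payload(decode=True) or b"")]
    return {"passwords": passwords, "encrypted_zips": encrypted,
            "suspicious": bool(passwords and encrypted)}


def make_zip_header(encrypted: bool, name: bytes = b"photo.exe") -> bytes:
    """Constructed 30-byte local file header plus entry name; payload omitted."""
    flags = 0x0001 if encrypted else 0x0000
    return struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_SIG, 20, flags, 8,
                       0, 0, 0, 0, 0, len(name), 0) + name


def make_message(body: str, zip_bytes: bytes) -> EmailMessage:
    """Constructed sample message with one ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Hello"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="archive.zip")
    return msg
```

A gateway that cannot open the archive can still quarantine on this combination alone; vendors that do extract the password would feed it to the scanner at the point where classify() reports both signals.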
Best Practices & Risk Management
- Title: Microsoft calls for antivirus education
- Source: vnunet.com
- Date Written: March 5, 2004
- Date Collected: March 5, 2004
- Stuart Okin, head of security for Microsoft United Kingdom, says
business and government should work together to educate users about computer
viruses. Viruses such as MyDoom were able to spread not because of a
computer vulnerability, but because users were fooled into opening an e-mail
attachment. Mr. Okin says the government has the authority for a nation-wide
campaign, while businesses have the resources. Mr. Okin also noted
cooperation between information technology firms and Leeds University to
develop a computer security degree program.
- http://www.vnunet.com/News/1153285
- Title: Survey shows security improvements in private sector
- Source: Computerworld
- Date Written: March 5, 2004
- Date Collected: March 5, 2004
- The Business Roundtable has released a survey of 100 chief executive
officers (CEOs), representing a labor force of 10 million and $3.7 trillion
in revenues, finding that the majority of CEOs have improved cybersecurity
since the September 11 terrorist attacks. The CEOs have increased
cybersecurity spending by an average of 10%, and expect it to rise or stay
steady through 2004. 99% have crisis communications in place for employees,
78% for suppliers, and 88% plan to put them in place for customers. 97% say
they have updated their security response plans. 90% test their plans each
year--40% test them twice each year. The changes represent the incorporation
of security into business operations, according to C. Michael Armstrong,
chairman of both Comcast Corp. and the Roundtable's Security Task Force.
- http://www.computerworld.com/securitytopics/security/story/0,10801,90852,00.html
Civil & Consumer Issues
- Title: Firms Look to Limit Liability for Online Security Breaches
- Source: Washington Post
- Date Written: March 5, 2004
- Date Collected: March 5, 2004
- Many companies have begun asking customers to waive the right to sue if
personal customer data is stolen from company networks, regardless of
whatever security may be in place. Such waivers are often contained in terms
of service agreements users click through without reading. Chris Jay
Hoofnagle, associate director of the Electronic Privacy Information Center
(EPIC), argues that such agreements could be invalidated as unfair to
consumers if companies do not take responsibility for data collection.
Attacks against corporate networks often go unreported; a survey by the
Computer Security Institute and the FBI (Federal Bureau of Investigation)
found that only 30% of companies that have suffered an attack report it.
While some companies inform customers affected by a break-in, no national
disclosure standard exists. Many companies fear making security guarantees
since failure could mean litigation from the FTC (Federal Trade Commission).
- http://www.washingtonpost.com/wp-dyn/articles/A31874-2004Mar4.html
- Title: Caller ID: step forward or Microsoft Trojan horse?
- Source: Techworld
- Date Written: March 5, 2004
- Date Collected: March 5, 2004
- E-mail and legal experts have criticized Microsoft's Caller ID e-mail
authentication architecture over its licensing structure. Microsoft owns
several patents related to Caller ID, and offers a fully paid, royalty-free
license to make, use, sell, offer to sell, import, and otherwise distribute
licensed implementations of Caller ID. John Levine, of the IETF (Internet
Engineering Task Force) Anti Spam Research Group, questions why Microsoft
does not submit the technology to a recognized standards body, and notes
that the licenses cannot be transferred, making Microsoft the final arbiter
of licenses. Microsoft says while it does not plan to profit from Caller ID,
it wants to make sure that no one else does either. Mr. Levine offers that
even if Microsoft does not go through a standards body, a clearer license
would ease industry concerns over a possible Microsoft power grab.
- http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1150
- Title: Making Sense of the SCO Suits
- Source: EWeek.com
- Date Written: March 5, 2004
- Date Collected: March 5, 2004
- Legal experts examine the several SCO Group cases against Linux vendors
and users, and how the final result depends on how these cases come out. SCO
is suing AutoZone for copyright infringement, arguing that SCO owns the
copyrights for the Unix operating system, and thus the Unix-based Linux. The
AutoZone suit depends on a suit against Novell, which claims that it sold Unix
copyrights to SCO under certain conditions, allowing Novell to "amend,
supplement, modify or waive" SCO's licenses. The suit against
DaimlerChrysler does not depend on the Novell case, since it alleges breach
of contract; however, SCO's demand that DaimlerChrysler provide a
certification may go beyond the terms of that contract. SCO's suit against
IBM alleges copyright infringement, but also several contractual issues that
would not be decided by the result of the Novell case. SCO is suing present
and former customers, suggesting that the company does not expect to be in
business long.
- http://www.eweek.com/article2/0,1759,1543158,00.asp
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/substop.html

The Institute for Security Technology Studies (ISTS) accepts no responsibility for any errors
or omissions in this e-mail. The information presented is a compilation of
material from various sources and has not been verified by staff of the
ISTS. Therefore, the ISTS cannot be made responsible for the factual
accuracy of the material presented. The ISTS is not liable for any loss or
damage arising from or in connection with the information contained in this
report. It is the responsibility of the user to evaluate the content and
usefulness of this information. References in this e-mail to any specific
commercial products, processes, or services by trade name, trademark,
manufacturer, or otherwise, do not constitute or imply endorsement,
recommendation, or favoring by the ISTS. ISTS is a research, not
operational, organization, and makes its Security in the News e-mail
available as a public service on a best-effort basis. Security in the News
will be sent out on most business days, but not all.

Institute for Security Technology Studies, Dartmouth College, 45 Lyme Road, Suite 200,
Hanover, NH 03755. Tel: (603) 646 0700. E-mail: dailyreport@ists.dartmouth.edu