Network Security
FW: Security In The News - March 11, 2004
- From: Howell, Paul
- Date: Fri Mar 12 03:40:18 2004
Security In The News
LAST UPDATED: 3/11/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
- More growing pains seen at DHS - Computerworld, 3/10/04
Cybercrime-Hacking
- Israeli, 19, hacked into Pennsylvania police system, erased records: police - Canada.com, 3/10/04
- UK companies hit by rise in costly hacking and phishing attacks - Silicon.com, 3/11/04
Politics-Legislation
- Senators call for paper trail in e-voting - CNN, 3/11/04
- Intel to Miss China Deadline on Standard for Wireless - NY Times, 3/11/04
- E-Gov Act implementation picking up steam - Government Computer News, 3/11/04
- Regulators go after wireless spam - ZDNet, 3/11/04
- Two lawmakers urge state to bar e-voting in fall - SiliconValley.com, 3/11/04
- E-government centre planned - Gulf Daily News, 3/11/04
Technology
- Symbiot launches DDoS counter-strike tool - ZDNet, 3/10/04
- Net-centric war needs security - Federal Computer Week, 3/11/04
Vulnerabilities & Exploits
- Update: Microsoft rethinks latest security patch - Computerworld, 3/10/04
- Dublin's IFSC is hacker paradise: survey - ElectricNews, 3/11/04
Best Practices & Risk Management
- What Linux can learn from Windows - news.com.com, 3/11/04
- Army to Gates: Halt the free software - news.com.com, 3/10/04
- Risk management seen key to IT security - Computerworld, 3/10/04
Homeland Security & Infrastructure Protection
- Title: More growing pains seen at DHS
- Source: Computerworld
- Date Written: March 10, 2004
- Date Collected: March 11, 2004
- The private-sector Cyber Incident Detection and Data Analysis Center
(CIDDAC) says it may drop plans to work with the Department of Homeland
Security (DHS) on a real-time security data analysis project after the agency
botched a meeting with high-level executives. When three high-level executives
from CIDDAC met with a group of senior DHS officials to discuss the project,
they found that the agency had no conference room prepared for the meeting,
forcing them to give their briefing in a hallway that was being vacuumed. Once
briefed, DHS officials said they lacked the authority to issue a letter of
interest in the project or to approve funds. Charles Fleming, acting executive
director of CIDDAC, says the department's inability to recognize the project in
a timely fashion may push CIDDAC to keep it entirely within the private sector.
- http://www.computerworld.com/securitytopics/security/story/0,10801,90975,00.html
Cybercrime-Hacking
- Title: Israeli, 19, hacked into Pennsylvania police system, erased records: police
- Source: Canada.com
- Date Written: March 10, 2004
- Date Collected: March 11, 2004
- Israeli police, on behalf of the American Federal Bureau of Investigation
(FBI), have arrested a nineteen-year-old Israeli for allegedly cracking a
police computer system in Pennsylvania and destroying some records. Gil
Kleiman, spokesman for the Israeli police, said the youth was released on bond
after a hearing in Beersheba. The youth claimed he did not know he had entered
a police system and that he had no idea what he was doing. Mr. Kleiman did not
know which department in Pennsylvania was affected.
- http://www.canada.com/technology/story.html?id=F54660FA-26CC-4D81-816C-9DBE740DDDE4
- Title: UK companies hit by rise in costly hacking and phishing attacks
- Source: Silicon.com
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- According to the United Kingdom's Department of Trade and Industry (DTI)
biennial Security Breaches Survey, external attacks from hackers, organized
crime, and phishers have led to a dramatic increase in the number and severity
of attacks. The survey of 1,000 UK businesses found that while only 10% of
attacks against large businesses were fraud or breaches of confidentiality or
identity, these attacks usually led to the most damage; half of those hit say
such an attack was their worst security incident of the year. Confidentiality
breaches took an average of ten to twenty days to investigate, and could cost
over £100,000 in legal fees. Chris Potter, partner at PricewaterhouseCoopers,
was surprised to find that most of these attacks came from external threats
rather than from employees.
- http://www.silicon.com/software/security/0,39024655,39119085,00.htm
Politics-Legislation
- Title: Senators call for paper trail in e-voting
- Source: CNN
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- Senators Hillary Rodham Clinton (D-New York) and Bob Graham (D-Florida)
have drafted legislation to require electronic voting machines throughout the
country to produce a paper trail to enable recounts in the event of election
irregularities. Palm Beach County in Florida experienced some problems during
the March 2, 2004 Democratic primaries when poll workers hit the wrong button
on voting machines, preventing many from voting. Sen. Clinton described the
proposal as a non-partisan issue, and noted reports of security problems that
make some electronic voting machines vulnerable to hacking. 50 million voters
will use touch-screen voting machines in the November elections, according to
Sen. Clinton, making it imperative voters can verify that their votes are
correctly recorded.
- http://www.cnn.com/2004/ALLPOLITICS/03/10/voting/index.html
- Title: Intel to Miss China Deadline on Standard for Wireless
- Source: NY Times
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- Intel has warned its Chinese customers that it will not meet China's June
1, 2004 deadline to conform to the country's wireless security standard, and
that they should begin looking for alternate suppliers of chips for wireless
products. Chuck Molloy, an Intel spokesman, gave technical reasons for Intel's
decision, saying that the company would not be able to build a part that met
"requirements for quality," but noted philosophical problems as well.
Many technology companies see the Chinese standard as an unfair trade barrier,
as it is not compatible with other accepted wireless standards. Companies are
also concerned they may lose intellectual property to the Chinese companies
they would have to work with to comply with Beijing's directive. Broadcom has
also announced that it will not make the deadline, while officials in the Bush
administration have sent a letter of protest to China.
- http://www.nytimes.com/2004/03/11/technology/11chip.html
- Title: E-Gov Act implementation picking up steam
- Source: Government Computer News
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- The Office of Management and Budget (OMB) will require federal agencies to
provide links to www.regulations.gov on agency home pages and in Federal
Register notices. The regulations.gov rulemaking website allows the public to
view regulations under consideration and to comment upon them; public
awareness of E-Rulemaking, one of twenty-five Quicksilver e-government
initiatives, is a goal of the 2002 E-Government Act. In a congressional
report, OMB outlines how it has spent $3.6 million of the $5 million
E-Government Fund, and gives an agency by agency analysis of e-government
accomplishments. Senator Joseph Lieberman of the Government Reform Committee
says much work remains to be done, and will request a General Accounting
Office (GAO) report on e-government initiatives.
- http://www.gcn.com/vol1_no1/daily-updates/25233-1.html
- Title: Regulators go after wireless spam
- Source: ZDNet
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- The Federal Communications Commission (FCC) has unanimously voted to
solicit public opinion on anti-spam regulations for cell phones and other
Internet-enabled portable devices and rule on the matter by the end of 2004.
While mobile spam is nowhere near as problematic as on personal
computers--BrightMail estimates that 62% of all e-mail traffic is spam--the
FCC would like to tackle the matter before it becomes a problem. Cell phone
spam threatens to create more problems than its computer counterpart, since
cell service providers charge for incoming e-mail. A spokesman for the
Cellular Telecommunications and Internet Association (CTIA) welcomed the
inquiry, and noted that most providers already have antispam measures in
place.
- http://zdnet.com.com/2100-1104_2-5172349.html
- Title: Two lawmakers urge state to bar e-voting in fall
- Source: SiliconValley.com
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- Two California lawmakers have asked Secretary of State Kevin Shelley to
bar the use of electronic voting machines in the November 2004 Presidential
elections, citing the problems found during the March 2 primary elections.
Fifteen counties in California use touch-screen voting machines. State
Senators Ross Johnson (R-Irvine) and Don Perata (D-Oakland) have introduced a
bill to move up the deadline for e-voting machines to produce a paper audit
trail. Some computer scientists have raised concerns that lack of a paper
trail could open elections to fraud and tampering. If Mr. Shelley does not ban
the machines, the lawmakers intend to bring the matter to the Legislature.
- http://www.siliconvalley.com/mld/siliconvalley/8161054.htm
- Title: E-government centre planned
- Source: Gulf Daily News
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- The Central Informatics Organisation (CIO), IBM, and Gulf Business
Machines (GBM) plan to establish an e-government center in Bahrain to serve
the Middle East and Africa, the group announced at the Open Government
conference held at the Ritz Carlton Bahrain Hotel and Spa. The center will be
the third established by IBM, after the United States and Germany, and will be
hosted by the CIO. GCC (Gulf Cooperation Council) e-government teams will have
access to center resources and expertise. According to CIO president Shaikh
Mohammed bin Ateyatalla Al Khalifa, Bahrain's own e-government project has
advanced to the point of consideration of a national smartcard.
- http://www.gulf-daily-news.com/Articles.asp?Article=76328&Sn=BNEW
Technology
- Title: Symbiot launches DDoS counter-strike tool
- Source: ZDNet
- Date Written: March 10, 2004
- Date Collected: March 11, 2004
- Texas security firm Symbiot has developed a product to launch
counter-strikes against hackers and distributed denial of service (DDoS)
attacks. Symbiot's president, Mike Erwin, and chief scientist, Paco Nathan,
have developed "rules of engagement" to help companies determine their
response to a cyberthreat, based on military principles of "necessity and
proportionality." Mr. Erwin argues that a complete defense must include
offensive tactics. Many security professionals are alarmed by Symbiot's plans.
A counter-attack may not be regarded as self-defense in some areas, but as an
attack, and thus subject to anti-hacking laws. Further, computers are often
hijacked for DDoS attacks, meaning a counter-strike would target innocent
parties. Such action could also cause collateral damage to systems not
involved in the conflict. Jay Heiser of TruSecure warns that no evidence
supports the effectiveness of counter-attacks, and that historical precedent
argues against it.
- http://news.zdnet.co.uk/0,39020330,39148215,00.htm
- Title: Net-centric war needs security
- Source: Federal Computer Week
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- Speaking at the DARPATech 2004 conference, program managers from DARPA's
(Defense Advanced Research Projects Agency) Advanced Technology Office (ATO)
warned that while network-centricity could prove to be the military's greatest
future asset, without strong security it could also prove its greatest
liability. Army Colonel Timothy Gibson calls for practical security now,
rather than perfect security ten years down the road. Reggie Brothers argues
that current communications security thinking is "static and rooted in the
past." DARPA officials are working on the "R3I" of networking: robust,
responsive, reconfigurable, and invisible.
- http://www.fcw.com/fcw/articles/2004/0308/web-darpa-03-11-04.asp
Vulnerabilities & Exploits
- Title: Update: Microsoft rethinks latest security patch
- Source: Computerworld
- Date Written: March 10, 2004
- Date Collected: March 11, 2004
- One day after releasing three patches for medium-level risks, Microsoft
has upgraded one of the risks to 'critical.' Under Microsoft's classification,
a critical flaw would allow a worm to propagate without user action. The flaw
in question lies in how the Outlook e-mail client handles URLs (uniform
resource locators) with the "mailto" tag, which allows web authors to include
e-mail addresses in their pages to launch e-mail clients. The original
advisory warned that an attacker could view hard drive content with a
specially constructed mailto address if the Outlook home page were set to
Outlook Today, the default for new users. However, Finnish researcher Jouko
Pynnonen warned that the attack could work for other home pages too, prompting
the upgrade to critical.
- http://www.computerworld.com/securitytopics/security/story/0,10801,90992,00.html
- Title: Dublin's IFSC is hacker paradise: survey
- Source: ElectricNews
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- LAN Communications has surveyed wireless LANs (local area networks) in
business parks in City West, Dublin's International Financial Services Center
(IFSC), and the Cork Airport Business Park. The survey found that 70% of
access points in the IFSC were not using encryption, while 69% across the
entire data set were broadcasting network names and other data attackers could
use to crack a system. 11% were still using the manufacturers' default
configuration. Such wireless access points could give attackers access to an
otherwise protected wired network. Neil Wisdom, sales director for LAN
Communications, argues it took large-scale virus outbreaks such as MyDoom to
make people aware of the importance of antivirus, and that companies may not
heed warnings about wireless security until after a major crisis.
- http://www.electricnews.net/frontpage/news-9403554.html
Best Practices & Risk Management
- Title: What Linux can learn from Windows
- Source: news.com.com
- Date Written: March 11, 2004
- Date Collected: March 11, 2004
- Robert Lemos writes on lessons Linux can learn from Microsoft. Microsoft
has had a bumpy ride fraught with security incidents, such as the Nimda and
Blaster worms, earning the ire of affected customers. Microsoft decided to
focus on security, and the Windows XP Service Pack 2 will not only be security
oriented, but provide ease-of-use for its security features. Linux, as part of
the Unix family of operating systems, has a strong structure and tech-savvy
user base, but as it moves to the desktop environment, will have to adapt to
the average user with little technical experience. Popular tools such as Nmap
and Tripwire, while highly effective, can be difficult to use. Mr. Lemos finds
it hard to find a good data back-up program that does not rely on magnetic
tape. However, some products, such as Nessus, aim for a user-friendly
interface, and offer helpful advice on security configurations. Mr. Lemos
argues that a vendor cannot make "a product too accessible or too conscious
about security."
- http://news.com.com/2010-7355_3-5172209.html?part=rss&tag=feed&subj=news
- Title: Army to Gates: Halt the free software
- Source: news.com.com
- Date Written: March 10, 2004
- Date Collected: March 11, 2004
- The US Department of the Interior and the Department of Defense have
instructed their employees to return free copies of Office 2003 given to them
by Microsoft, saying that accepting them constitutes a breach of ethics. The
Department of the Army has gone one step further, sending a letter to
Microsoft chair Bill Gates asking him to halt the gifts. Microsoft spokesman
Keith Hodson argues that the gift program is meant to let users try new
features and see how they might improve business operations. The Defense
Department ruled that the software would constitute a gift from a prohibited
source; the Interior prohibits employees from accepting gifts valued at more
than $20 from entities the government does business with or regulates.
- http://news.com.com/2100-1012_3-5171976.html?tag=nefd_lede
- Title: Risk management seen key to IT security
- Source: Computerworld
- Date Written: March 10, 2004
- Date Collected: March 11, 2004
- Speaking at Computerworld's Premier 100 Information Technology Leaders
Conference, Merrill Lynch's chief information security officer David Bauer
argued that intelligent risk management policies can help organizations meet
threats effectively. Mr. Bauer contrasted the response to the 1988 Morris worm
to the 2004 MyDoom worm. In 1988, organizations had no tools to protect
themselves, no lines of communication, and no coordinated response, leading to
"complete havoc." When MyDoom struck, it was treated as just another event.
The difference, according to Mr. Bauer, is preparation, intelligence driven
prevention and response, security at the data object level, and focus on both
corporate and individual users. Merrill Lynch also keeps an eye on legislation
and regulations, and will actively educate legislators on important topics.
- http://www.computerworld.com/securitytopics/security/story/0,10801,90987,00.html
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/substop.html
The Institute for Security Technology Studies (ISTS) accepts no responsibility for any errors or omissions in this e-mail. The information presented is a compilation of material from various sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be held responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in this e-mail to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise do not constitute or imply endorsement, recommendation, or favoring by the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News e-mail available as a public service on a best-effort basis. Security in the News will be sent out on most business days, but not all.
Institute for Security Technology Studies, Dartmouth College
45 Lyme Road, Suite 200, Hanover, NH 03755
Tel: (603) 646-0700
E-mail: dailyreport@ists.dartmouth.edu