Network Security
FW: Security In The News - March 12, 2004
- From: Howell, Paul
- Date: Fri Mar 12 15:33:49 2004
Security In The News LAST UPDATED: 3/12/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html

Homeland Security & Infrastructure Protection
- DHS plans for info sharing - Federal Computer Week, 3/10/04
Cybercrime-Hacking
- Teen Pleads Guilty to Conspiracy, Bank Fraud - Los Angeles Times, 3/10/04
- Resume fraud gets slicker and easier - CNN (Reuters), 3/11/04
- 2 arrested over copycat computer hacking case - Daily Yomiuri (Japan), 3/12/04
- School officials: 13-year-old hacker wiped out school records from computer system - Morning Journal, 3/11/04 (Also - Newsnet 5, 3/10/04)
- Banks dismissive of 'phishing' losses - ZDNet News, 3/11/04
- Online scammers renew Westpac attack - Stuff.co.nz, 3/11/04
- Feds slap cuffs on Google stock scammer - The Register, 3/12/04
- FTC Warns Of New Phishing Scam - Techweb, 3/12/04
Politics-Legislation
- Senate Panel Agrees to Seek Federal Probe - Washington Post, 3/12/04 (Also - Los Angeles Times (AP), 3/12/04)
- Spy Block bill would outlaw hidden spyware - Government Computer News, 3/11/04
- EU passes tough, new anti-piracy rules - MSNBC (AP), 3/9/04 (Also - BBC, 3/9/04)
- Cyber Crime: Obasanjo Receives Draft Bill - All Africa, 3/11/04 (Also - Guardian Nigeria, 3/12/04)
- FBI pushes for broadband wiretap powers - C-Net News, 3/12/04
- Kerry's Website Keeps FCC on the Run - EWeek.com, 3/12/04
- Data mining initiative angers US privacy groups - Computer Weekly, 3/12/04 (Also - USA Today (AP), 3/11/04)
Malware
- Netsky copycat sparks search for source code - ZDNet News, 3/12/04 (Also - The Register, 3/11/04; Techweb, 3/11/04)
- Economic Damage from Bagle, MyDoom & NetSky crosses $100bn - Content-Wire, 3/11/04
Technology
- Banks claim progress in fixing PCs to curb phony money - USA Today (AP), 3/9/04
Vulnerabilities & Exploits
- Bug exposes Linux users - vnunet.com, 3/11/04 (Also - SearchEnterpriseLinux, 3/9/04; eSecurityPlanet, 3/8/04; The Register, 3/8/04)
- IBM Issues Patch for DB2 Security Flaw - EWeek.com, 3/10/04 (Also - SearchDatabase, 3/9/04)
- Identity breach risk accelerates - vnunet.com, 3/10/04
- HP fixes multiple remote takeover vulnerabilities - SearchSecurity, 3/9/04 (Also - Computerworld, 3/8/04)
- Python vulnerability permits remote attacks - SearchSecurity, 3/11/04
- Solaris flaw in passwd command allows root privileges - SearchSecurity, 3/10/04
Best Practices & Risk Management
- Microsoft in firing line as US banks call for higher 'duty of care' - finextra.com, 3/9/04
Civil & Consumer Issues
- Regulator says he's not optimistic about success for do-not-spam list - Security Focus (AP), 3/11/04 (Also - Reuters, 3/11/04)
- Office XP Update Causes Spam Concerns - PC World, 3/12/04
Homeland Security & Infrastructure Protection
- Title: DHS plans for info sharing
- Source: Federal Computer Week
- Date Written: March 10, 2004
- Date Collected: March 12, 2004
- In testimony before the House Select Committee on Homeland Security's
Intelligence and Terrorism Subcommittee on March 10, 2004, retired General
Patrick Hughes, assistant secretary for information analysis in the
Department of Homeland Security's (DHS) Information Analysis and
Infrastructure Protection (IAIP) Directorate, said that DHS plans to improve
information and intelligence sharing among federal, state and local law
enforcement and homeland security agencies. Mr. Hughes added that the
infrastructure to support secure sharing of information, including the Joint
Regional Information Exchange System, the Homeland Security Information
Network and various Defense Department networks, was being put in place and
connected to facilitate the task. Recognizing initial problems, Mr. Hughes
said: "We have not achieved the kind of connectivity yet that we need to
achieve...This is a technical issue, a policy issue...This is an evolving
thing, it's something we're going to have to build over time."
- http://fcw.com/geb/articles/2004/0308/web-sharing-03-10-04.asp
Cybercrime-Hacking
- Title: Teen Pleads Guilty to Conspiracy, Bank Fraud
- Source: Los Angeles Times
- Date Written: March 10, 2004
- Date Collected: March 12, 2004
- Cole Bartiromo, a 19-year-old man from Mission Viejo, California, pleaded
guilty last week to federal conspiracy and bank fraud charges in connection
with a scheme to defraud a Wells Fargo branch in Mission Viejo of $400,000.
He admitted to conspiracy to commit wire fraud for offering products on
online auction site EBay, collecting payments, but never delivering the
goods. Mr. Bartiromo will be sentenced on May 10, 2004 and could face up to
35 years in federal prison. Two co-defendants, Theo Liu, 20, and Oscar
Godinez, 20, have pleaded not guilty to related charges. Mr. Bartiromo has
been in trouble with the law before in connection with online betting and
stock schemes.
- http://www.latimes.com/technology/la-me-cole10mar10,1,5043919.story
- Title: Resume fraud gets slicker and easier
- Source: CNN (Reuters)
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- In the current competitive job market, some job applicants appear to be
using criminal, high-tech means to gain an advantage. It seems that some job
applicants, who have listed false education information on their resumes,
are paying hackers to break into university databases and insert their
names. Their claims will then be verified when firms check the information
provided on a resume. Weak database security is helping the perpetrators of
such scams. Job seekers are also providing potential employers with false
phone numbers where specialized firms "verify" inaccurate education data. A
survey in 2003 by background search firm ADP Screening and Selection
Services found that more than 50% of the people on whom it conducted
employment and education checks had submitted false information, up 20% from
2002.
- http://www.cnn.com/2004/TECH/ptech/03/11/resumes.fraud.reut/index.html
- Title: 2 arrested over copycat computer hacking case
- Source: Daily Yomiuri (Japan)
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- On March 11, 2004, Japan's Metropolitan Police Department sent papers to
the prosecutor's office, charging two men, a 31-year-old from Chiba
Prefecture and a 22-year-old from Saitama Prefecture, with hacking into the
server of an Osaka-based Internet service provider (ISP) on November 9,
2003. According to police, the men broke the Unauthorized Computer Access
Law and used the same method of attack as Kyoto University researcher Kazuho
Kawai, who was charged under the same law on February 24, 2004.
- http://www.yomiuri.co.jp/newse/20040312wo23.htm
- Title: School officials: 13-year-old hacker wiped out school records from computer system
- Source: Morning Journal
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- An unnamed 13-year-old boy has been suspended for ten days for hacking
into a North Ridgeville Middle School server and deleting hundreds of files
associated with a reading program. School officials are meeting with the
boy's parents to determine whether he should be expelled. "This student made
a conscious choice and willfully destroyed property. That's vandalism,
that's a serious act and that's something we can't tolerate," said North
Ridgeville schools Superintendent Larry Bowersox. According to school
Principal John Komperda, a substitute teacher allowed the eighth-grader to
use a classroom computer after completing an assignment on March 2, 2004.
The cost of the damage has not yet been determined.
- http://www.morningjournal.com/site/news.cfm?newsid=11111924&BRD=1699&PAG=461&dept_id=46371&rfi=6
- Also - http://www.newsnet5.com/news/2910889/detail.html
- Title: Banks dismissive of 'phishing' losses
- Source: ZDNet News
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- Despite the documented rise of online 'phishing' scams against bank
customers in recent months, the Australian Bankers' Association (ABA)
believes that losses from online banking fraud "are not material enough" to
warrant improving online banking security, such as establishing better
authentication mechanisms. According to the Anti-Phishing Working Group,
phishing attacks around the world have increased from three to about 50 per
week since November 2003. Australian banks are among the prime targets.
However, ABA chief executive officer David Bell thinks that other forms of
financial fraud, such as credit card fraud, pose a much more serious risk to
financial institutions and customers than phishing attacks. Some security
experts disagree and urge banks to implement more sophisticated, multi-layer
authentication systems.
- http://news.zdnet.co.uk/business/0,39020645,39148259,00.htm
- Title: Online scammers renew Westpac attack
- Source: Stuff.co.nz
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- Customers of Westpac bank have become the targets of an online
'phishing' fraud for the fourth time since September 2003. Hundreds of bank
customers received e-mails asking them to enter their account log-in details
at a spoofed website. Seven customers appear to have fallen for the trick
and the bank is monitoring their accounts. This particular scam should be
easy to spot due to the faulty grammar contained in the e-mail message.
- http://www.stuff.co.nz/stuff/0,2106,2842282a28,00.html
- Title: Feds slap cuffs on Google stock scammer
- Source: The Register
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- Dutch citizen Shamoon Rafiq, who has been living in New York City since
October 2003, has been arrested by the Federal Bureau of Investigation
(FBI) in connection with a $2.8 million stock fraud scheme, whereby he sold
non-existent stock in Internet company Google. The fraud was perpetrated
between November 2003 and February 2004 and appears to have duped "several
financially successful and sophisticated members of the international
technology and business community," according to the FBI. If convicted, Mr.
Rafiq could face up to 30 years in prison and a fine of $1 million.
- http://www.theregister.co.uk/content/6/36229.html
- Title: FTC Warns Of New Phishing Scam
- Source: Techweb
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- The US Federal Trade Commission (FTC), on March 11, 2004, warned
Internet users of a new type of 'phishing' scam designed to harvest personal
and financial information, including credit card data. The latest variant of
the scam arrives as an e-mail with the subject headings of 'Official
information' or 'Urgent information to all credit card holders!' purporting
to be from regulations.gov, the government website where citizens can
comment on federal rule-making. The message claims that Internet users must
identify themselves to the federal government and links to a spoofed
regulations.gov site where victims are asked to input their personal data.
Such phishing scams have grown in popularity recently as they appear to have
a success rate of about one in 20 messages.
- http://www.techweb.com/wire/story/TWB20040312S0005
Politics-Legislation
- Title: Senate Panel Agrees to Seek Federal Probe
- Source: Washington Post
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- After a turbulent day, Democrats on the Senate Judiciary Committee
reached agreement with several Republicans, on March 11, 2004, on how the
investigation into how Republican staffers got access to Democratic strategy
memos should proceed. Lawmakers had agreed that the investigation should be
turned over to the US Justice Department for possible criminal prosecution,
but there was initially no agreement on exactly how this should take place.
Earlier in the day, committee chairman Senator Orrin G. Hatch (R-Utah) said
he would leave the issue up to the Senate's sergeant-at-arms, William
Pickle. Lawmakers finally agreed to a letter of request urging Attorney
General John D. Ashcroft to appoint a "professional prosecutor who is free
from all conflicts and appearances of conflict" or even a special prosecutor
to investigate the incident. Initially, it had been proposed to turn the
investigation over to the US attorney in the District of Columbia. Mr.
Pickle's report "blamed two former Republican aides for snooping through a
shared Judiciary Committee computer and downloading memos from Senate
Democrats and Hatch."
- http://www.washingtonpost.com/wp-dyn/articles/A52023-2004Mar11.html
- Also - http://www.latimes.com/technology/la-na-leaks12mar12,1,6343190.story
- Title: Spy Block bill would outlaw hidden spyware
- Source: Government Computer News
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- The Software Principles Yielding Better Levels of Consumer Knowledge
Act, better known as the Spy Block Act, has been introduced in the US Senate
to protect computer users against the installation of unwanted programs that
monitor web habits and deliver pop-up ads. The bill would make it illegal to
install spyware on a computer without the user's knowledge and permission.
If passed, the law would be enforced primarily by the Federal Trade
Commission (FTC). The bill has been referred to the Senate Commerce
Committee.
- http://www.gcn.com/vol1_no1/daily-updates/25237-1.html
- Title: EU passes tough, new anti-piracy rules
- Source: MSNBC (AP)
- Date Written: March 9, 2004
- Date Collected: March 12, 2004
- On March 9, 2004, the European Parliament passed a new anti-piracy
directive that would allow the imposition of civil penalties against
counterfeiters and pirates. The directive was passed using fast-track
procedures as it was seen as crucial in the fight against organized crime
groups and terrorists. EU ministers are expected to sign off on the new
rules shortly and member states will then have two years to write them into
national laws. Several controversial parts of the directive were revised or
watered down. Criminal penalties for piracy were removed and it was
clarified that the directive should "be applied only for breaches committed
on a commercial scale," and should not apply to consumers "acting in good
faith" who download music for their own use at home. Piracy is estimated to
have cost the EU's economy about $9.9 billion a year between 1998 and 2001,
according to EU head office.
- http://msnbc.msn.com/id/4488614
- Also - http://news.bbc.co.uk/2/hi/technology/3545839.stm
- Title: Cyber Crime: Obasanjo Receives Draft Bill
- Source: All Africa
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- Nigeria's President Olusegun Obasanjo, on March 10, 2004, oversaw a
variety of new measures aimed at combating cybercrime in the African country
and restoring commercial trust in the nation's information and
communications infrastructure. The Nigeria Cyber Crime Working Group (NCWG)
was established to raise awareness of cybercrime issues and highlight
government efforts at fighting online fraud, such as the notorious 419
scams. A draft version of a Cyber Crime Act was also presented, which
envisages stricter penalties for online offenses. President Obasanjo also
received the report of the presidential committee on cybercrime, which,
among other things, recommended the creation of a cyber security agency.
- http://allafrica.com/stories/200403110222.html
- Also - http://www.guardiannewsngr.com/business/article04
- Title: FBI pushes for broadband wiretap powers
- Source: C-Net News
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- A proposal submitted by the Federal Bureau of Investigation (FBI) to
the Federal Communications Commission (FCC) on March 10, 2004 would require
all broadband Internet providers, including cable modem and DSL companies,
to "rewire" their networks to allow for wiretapping by law enforcement.
Under the proposal, existing broadband providers would have 15 months to
comply, while new providers would have to be immediately compliant. If
accepted, the proposal could have far-reaching consequences for broadband
services providers. The FBI, the US Department of Justice and the Drug
Enforcement Administration view the changes as essential in the fight
against crime and terrorism. The proposal states: "The ability of federal,
state and local law enforcement to carry out critical electronic
surveillance is being compromised today." It is unclear when a decision on
the proposal can be expected.
- http://news.com.com/2100-1028_3-5172719.html
- Title: Kerry's Website Keeps FCC on the Run
- Source: EWeek.com
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- When asked about why John Kerry's website contained vulgarity on several
pages, a spokesman for the campaign told the Boston Herald that he thought
the site had been hit by a computer virus. No other explanation has been
provided for the vulgarity. The claim that an unknown virus would add
vulgarity to the contents of a website, while not impossible, appears
somewhat dubious.
- http://www.eweek.com/article2/0,1759,1548008,00.asp
- Title: Data mining initiative angers US privacy groups
- Source: Computer Weekly
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- The Multistate Anti-Terrorism Information Exchange (Matrix) project has
drawn fire from civil liberties groups which fear that it will be used to
collect sensitive personal information on US citizens. Matrix is hosted and
run by database products company Seisint, and was developed in cooperation
with various law enforcement agencies, including the FBI, the US Citizenship
and Immigration Services, and the US Secret Service. A number of states have
joined the program that allows law enforcement personnel to search
aggregated data over a secure network. However, civil liberties groups like
the American Civil Liberties Union (ACLU) worry that the project will be
abused by federal law enforcement agencies or used to search private
information, such as credit details. Criticism of the system and other
concerns had led several states, including most recently New York and
Wisconsin, to drop out of the program, now leaving only five states active
in the program.
- http://www.computerweekly.com/articles/article.asp?liArticleID=129112
- Also - http://www.usatoday.com/tech/news/techpolicy/2004-03-11-ny-database_x.htm
Malware
- Title: Netsky copycat sparks search for source code
- Source: ZDNet News
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- Despite the fact that the eleventh variant of the Netsky worm, Netsky.K,
released on March 9, 2004, promised that no new variants would follow,
Netsky.L and Netsky.M appeared on the Internet on March 10, 2004. This has
led security researchers to speculate that Netsky's author may have posted
the worm's source code to black hat mailing lists. While the first eleven
versions of Netsky all contained text insulting the authors of the MyDoom
and Bagle worms and referencing 'SkyNet', the latest two variants do not,
indicating that they may have been written by someone else. However,
security experts have not found the worm's source code posted at any of the
usual forums. This could mean that the author is either passing out the
worm's source code to a small group of people or that he is trying to give
the appearance that he is not responsible for the latest variants of the
worm. Netsky.L and Netsky.M do not appear to be spreading rapidly at this
time.
- http://news.zdnet.co.uk/internet/security/0,39020375,39148309,00.htm
- Also - http://theregister.co.uk/content/56/36187.html
- Also - http://www.techweb.com/wire/story/TWB20040311S0007
- Title: Economic Damage from Bagle, MyDoom & NetSky crosses $100bn
- Source: Content-Wire
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- According to the mi2g Intelligence Unit, economic damages from the
Bagle, MyDoom and Netsky virus epidemics have surpassed $100 billion. Mi2g
claims that the MyDoom worm alone - the "most damaging malware of all time"
- caused between $73.3 billion and $89.6 billion of damage worldwide, with
Netsky costing between $26.5 billion and $32.4 billion and Bagle racking up
between $4.4 billion and $5.3 billion of costs worldwide. The three viruses
have now infected systems in over 215 countries. The last few months have
seen a spike in damaging new viruses. Mi2g believes that the perpetrators of
the latest series of malware threats are not script kiddies as has been
assumed, but more sophisticated hackers motivated by financial gain. Mi2g's
damage figures have been questioned in the past and may be exaggerated.
- http://www.content-wire.com/FreshPicks/Index.cfm?ccs=86&cs=2880
Technology
- Title: Banks claim progress in fixing PCs to curb phony money
- Source: USA Today (AP)
- Date Written: March 9, 2004
- Date Collected: March 12, 2004
- A statement issued on March 9, 2004 by the Bank for International
Settlements (BIS) in Basel, which represents the world's major central
banks, said that close collaboration with leading computer hardware and
software companies has resulted in the integration of technologies to
prevent the production of counterfeit money into major products. The Group
of Ten central banks has been working on the 'counterfeit deterrence system'
for four years, aided by hardware and software manufacturers who have
adopted anti-counterfeiting technologies. Among other things, the technology
prevents the printing of counterfeit bank notes.
- http://www.usatoday.com/tech/news/techinnovations/2004-03-09-funny-money_x.htm
Vulnerabilities & Exploits
- Title: Bug exposes Linux users
- Source: vnunet.com
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- Researchers at Polish security consultancy ISec have issued a warning to
Linux users about a "critical" kernel vulnerability affecting Linux versions
from 2.2 onwards. The flaw, "in the Linux kernel memory management code in
the mremap(2) system call," is caused by a missing function return value
check. According to the advisory, a malicious attacker with access to a
locally connected PC could exploit the problem to gain root access to a
vulnerable system or cause a denial of service. Patches to fix the flaw have
been released by major Linux vendors, including Suse Linux and Red Hat. Some
media reports dispute whether this is, in fact, a new vulnerability or
simply an update to an advisory about an existing flaw.
- http://www.vnunet.com/News/1153435
- Also - http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci954279,00.html
- Also - http://www.esecurityplanet.com/trends/article.php/3322911
- Also - http://www.theregister.co.uk/content/55/36097.html
- Title: IBM Issues Patch for DB2 Security Flaw
- Source: EWeek.com
- Date Written: March 10, 2004
- Date Collected: March 12, 2004
- On March 9, 2004, IBM Corp. issued a patch for a potentially serious DB2
database vulnerability, which could allow a user with low privileges to gain
complete control of the database server and its data. The vulnerability
affects DB2 8.1 Enterprise Edition on Microsoft Windows. IBM has included a
fix for the problem in Fixpak 5 at its DB2 technical support website. The
flaw was first discovered by UK-based Next Generation Security Software Ltd.
in September 2003. According to David Litchfield, managing director of Next
Generation Security Software, "through a guest account, an attacker could
run commands as an administrator because the Remote Command Server does not
drop privileges."
- http://www.eweek.com/article2/0,4149,1546937,00.asp
- Also - http://searchdatabase.techtarget.com/originalContent/0,289142,sid13_gci954341,00.html
- Title: Identity breach risk accelerates
- Source: vnunet.com
- Date Written: March 10, 2004
- Date Collected: March 12, 2004
- The UK Department of Trade and Industry's biennial Information Security
Breaches Survey 2004 found that security breaches resulting from identity
management flaws affected 10% of large companies in 2003 and were costly and
time-consuming. Identity management breaches, which involve things like
financial fraud, theft or disclosure of confidential information, are
particularly disruptive to businesses and cost significant time and money to
resolve. The problem is partly self-inflicted as most companies do not use
adequate authentication mechanisms. About 87% of respondents rely solely on
user IDs and passwords to identify users, and only a small number have the
latest authentication tools in place, such as biometrics. Most identity
breaches, about 80%, came from external sources, according to the survey.
- http://www.vnunet.com/News/1153394
- Title: HP fixes multiple remote takeover vulnerabilities
- Source: SearchSecurity
- Date Written: March 9, 2004
- Date Collected: March 12, 2004
- Hewlett-Packard Co. (HP) has announced several "highly critical"
security vulnerabilities in versions 5.1B PK2(BL22), 5.1B PK3(BL24) and 5.1A
PK6(BL24) of its HP Tru64 Unix operating system (OS). HP did not provide
many details about the flaws, simply saying that "the vulnerabilities are
caused due to unspecified errors within the certificate handling of
IPsec/IKE". The flaws could allow a malicious attacker to gain remote system
access. Patches to fix the problem have been released for versions 5.1A and
5.1B of the OS.
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954238,00.html
- Also - http://www.computerworld.com.au/index.php?id=992016212&fp=16%20&fpid=0
- Title: Python vulnerability permits remote attacks
- Source: SearchSecurity
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- Sebastian Schmidt, a developer of the Python programming language, which is
commonly used for scripting, has discovered a vulnerability in Python's
getaddrinfo function. The buffer overflow flaw could allow a malicious attacker to
execute arbitrary code on a vulnerable system and gain unauthorized system
access. Python runs on Unix, Windows, OS/2, Mac, Amiga and other platforms,
and thousands of applications, "including many large and mission critical
systems at enterprises like Industrial Light & Magic, Google and NASA,"
could be at risk from the vulnerability.
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954658,00.html
- Title: Solaris flaw in passwd command allows root privileges
- Source: SearchSecurity
- Date Written: March 10, 2004
- Date Collected: March 12, 2004
- Sun Microsystems has announced that an unspecified vulnerability exists
associated with the passwd command of the Solaris operating system. The
problem affects Solaris versions 8 and 9 on both SPARC and x86 platforms and
could allow a "local user without advanced privileges to gain unauthorized
root privileges". The passwd command computes the hashes of passwords.
Patches are available from Sun, but there are no workarounds.
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci954450,00.html
Best Practices & Risk Management
- Title: Microsoft in firing line as US banks call for higher 'duty of care'
- Source: finextra.com
- Date Written: March 9, 2004
- Date Collected: March 12, 2004
- US community bank association ICBA is supporting an initiative by
Washington-based banking industry consortium BITS to encourage software
vendors, primarily Microsoft Corp., to improve the security of their
products by offering a higher "duty of care" on sales to the financial
services sector. BITS has developed a set of 'Business Requirements' that
call upon the software industry to "make security a fundamental component of
software design; support older versions of software (such as Microsoft
Windows NT) past the end of their estimated life cycle; and provide better
security-trained and security-certified developers on product teams." Patch
management is also a major issue for the financial services sector.
According to BITS, the financial services industry is forced to shell out as
much as $1 billion per year to address software vulnerabilities and manage
patching.
- http://www.finextra.com/topstory.asp?id=11367
Civil & Consumer Issues
- Title: Regulator says he's not optimistic about success for do-not-spam list
- Source: Security Focus (AP)
- Date Written: March 11, 2004
- Date Collected: March 12, 2004
- Speaking at a conference sponsored by the Consumer Federation of America
on March 11, 2004, Federal Trade Commission (FTC) Chairman Timothy Muris
said that he is skeptical that a national anti-spam list would cut down on
the number of unsolicited commercial e-mails users receive. According to Mr.
Muris, enforcing anti-spam measures would be almost impossible because it is
difficult to track down spammers, many of whom are overseas, because they
often disguise their identities or send out messages from hacked or
unprotected computers. The CAN-SPAM Act, federal anti-spam legislation that
went into effect on January 1, 2004, encourages the FTC to create a
'do-not-spam' list of e-mail addresses, similar to the agency's
'do-not-call' phone registry. The FTC is due to submit a report to Congress
in June 2004 on establishing such a list.
- http://www.securityfocus.com/news/8235
- Also - http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=4551417&section=news
- Title: Office XP Update Causes Spam Concerns
- Source: PC World
- Date Written: March 12, 2004
- Date Collected: March 12, 2004
- According to reports on the Windows NTBugtraq mailing list, users of two
junk mail filtering products, Sunbelt Software's IHateSpam and Cloudmark's
SpamNet, are getting annoying security warnings with each e-mail they
receive after installing Microsoft's Office XP Service Pack 3. The service
pack was released on March 9, 2004 to address security concerns, among other
things. These compatibility problems manifest themselves in the form of "a
dialog alerting the user that a program is trying to access e-mail addresses
stored in Outlook and warning that this could be related to a computer
virus." Sunbelt has released an update to its software to fix the problem
while Cloudmark is working with Microsoft to resolve the issue.
- http://www.pcworld.com/news/article/0,aid,115176,00.asp
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/substop.html

The Institute for Security Technology Studies (ISTS) accepts no responsibility for any errors or omissions in this e-mail. The information presented is a compilation of material from various sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be made responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in this e-mail to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, do not constitute or imply endorsement, recommendation, or favoring by the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News e-mail available as a public service on a best-effort basis. Security in the News will be sent out on most business days, but not all.

Institute for Security Technology Studies, Dartmouth College, 45 Lyme Road, Suite 200, Hanover, NH 03755. Tel: (603) 646 0700. E-mail: dailyreport@ists.dartmouth.edu