
Network Security
FW: Security In The News - March 15, 2004
- From: Howell, Paul
- Date: Mon Mar 15 17:26:18 2004
Security In The News
LAST UPDATED: 3/15/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
- House Democrats score DHS on IT inadequacies - Government Computer News, 3/12/04
Cybercrime-Hacking
- Alert Heightened on Cyber Terror - The Korea Times, 3/15/04
- NZ Police lay first charge for hacking - Stuff.co.nz, 3/15/04
- Aussie faces $68m piracy charges - news.com.au, 3/14/04
- 'Card not present' attacks rise - vnunet.com, 3/14/04
Politics-Legislation
- Special skills draft on drawing board - San Francisco Chronicle / San Francisco Gate, 3/13/04
- Privacy Safeguards Deep-Sixed - Wired (AP), 3/15/04
Malware
- Bagle turns to anti-spam trick - ZDNet UK, 3/15/04
- Malicious code threats celebrate bumper 2003 - The Register, 3/15/04 - Also - EWeek.com, 3/15/04
- Worms get mobile - Australian IT, 3/16/04
Vulnerabilities & Exploits
- Leaked Code Still Could Bear Malicious Fruit - EWeek.com, 3/14/04
Best Practices & Risk Management
- Voice over IP Security - Security Focus, 3/12/04
Civil & Consumer Issues
- Hosting company reveals hacks, citing disclosure law - Security Focus, 3/12/04
- Who's Teaming Up Against P2P? - Wired News, 3/15/04 - Also - Reuters, 3/15/04
- Lost E-Votes Could Flip Napa Race - Wired News, 3/12/04
- Late-model car codes frustrate mechanics - Seattle Post-Intelligencer, 3/15/04
Homeland Security & Infrastructure Protection
- Title: House Democrats score DHS on IT inadequacies
- Source: Government Computer News
- Date Written: March 12, 2004
- Date Collected: March 15, 2004
- Democrats on the House Homeland Security Committee say the Department of
Homeland Security (DHS) has not sufficiently addressed defense of the
information infrastructure or leveraged information technology in its own
activities, arguing that DHS should develop a 'network-centric homeland
security' comparable to the Defense Department's network-centric warfare. A
committee report calls for a senior cybersecurity official who reports
directly to the DHS secretary or the President, a chief security officer in
the Office of Management and Budget, and a National Crisis Coordination
Center to manage response to cyberevents. The report also criticizes lack of
an integrated computer network for DHS, leading to difficulties determining
DHS's exact number of employees. The report points to the DHS failure to
create an integrated terrorist watch list as evidence of the department's
inability to manage IT projects.
- http://www.gcn.com/vol1_no1/daily-updates/25249-1.html
Cybercrime-Hacking
- Title: Alert Heightened on Cyber Terror
- Source: The Korea Times
- Date Written: March 15, 2004
- Date Collected: March 15, 2004
- South Korean government and private sector organizations are cooperating
to prevent cyberattacks following the impeachment of President Roh Moo-hyun.
The Ministry of Information and Communication (MIC) says it is watching
network traffic for signs of vandalism. The Korea Internet Security Center
(KISC) reports a slowdown at impeachment related websites, but attributes it
to increased public interest rather than malicious attack. SK Telecom and KT
have increased staff to deal with any emergencies that may arise.
- http://times.hankooki.com/lpage/tech/200403/kt2004031518444511780.htm
- Title: NZ Police lay first charge for hacking
- Source: Stuff.co.nz
- Date Written: March 15, 2004
- Date Collected: March 15, 2004
- New Zealand police have for the first time charged a suspect under the
controversial Crimes Amendment (No 6) Act of 2003 for allegedly damaging the
website and systems of an unnamed company in the American state of Maryland.
The man, granted name suppression in Dunedin District Court, faces seven
years imprisonment for damaging a computer system and two years for
unauthorized access. The Crimes Amendment (No 6) Act took four years to pass
through Parliament, creating measures specifically for computer crimes,
which some groups, such as the Green Party, view as too harsh. The
Electronic Crime Lab reports an increasing number of requests from foreign
police agencies to track down New Zealanders involved in cross-border
e-commerce crimes.
- http://www.stuff.co.nz/stuff/0,2106,2845353a6022,00.html
- Title: Aussie faces $68m piracy charges
- Source: news.com.au
- Date Written: March 14, 2004
- Date Collected: March 15, 2004
- Hew Raymond Griffiths, 42, of Berkeley Vale, New South Wales, Australia,
faces extradition to the United States for allegedly heading the Drink or
Die Internet piracy group, accused of breaching copyrights on over US$50
million worth of music, movies, and software. Mr. Griffiths is fighting the
extradition; his lawyer argued before a Sydney magistrate that Mr. Griffiths
has never set foot within the United States, and has committed no crime in
Australia. The United States Federal Bureau of Investigation alleges that
between 1999 and 2001, Mr. Griffiths' group broke copy-protection codes on
digital content and distributed it before its commercial release. Four US
members of the group have already been incarcerated. A Downing Centre Local
Court magistrate will rule on extradition within two weeks; if convicted in
the United States, Mr. Griffiths faces a maximum of ten years imprisonment
and US$500,000 in fines.
- http://www.news.com.au/common/story_page/0,4057,8957483^421,00.html
- Title: 'Card not present' attacks rise
- Source: vnunet.com
- Date Written: March 14, 2004
- Date Collected: March 15, 2004
- According to Britain's Association of Payment Clearing Services (Apacs),
the number of 'card not present' (CNP) credit card frauds committed over the
Internet increased 68% between 2002 and 2003, from £28 million to £45
million ($50 million to $81 million). The total number of all types of CNP
fraud increased 6% over the same period. Apacs says that smaller retailers
lack the security resources of larger companies, making them more vulnerable
to frauds. Apacs recommends companies invest in safeguards for their
transactions, such as the Early Warning Scheme, which gathers details on
fraudulently used credit cards.
- http://www.vnunet.com/News/1153470
Politics-Legislation
- Title: Special skills draft on drawing board
- Source: San Francisco Chronicle / San Francisco Gate
- Date Written: March 13, 2004
- Date Collected: March 15, 2004
- The United States Selective Service System has begun preparations for a
targeted draft of men with computer and language skills after the Pentagon
said it had a shortage of men with such skills. No plans are currently in
place for such a draft; Defense Secretary Donald Rumsfeld says he does not
plan to ask Congress to authorize a draft, and Selective Service officials
stress that a special skills draft is likely far-off. However, Selective
Service wants to have a system in place should Defense request and Congress
authorize a draft of computer experts and linguists, expecting the project
to take two years. Representative Charles Rangel (D-New York) and Senator
Fritz Hollings (D-South Carolina) have both proposed that Congress authorize
a draft, arguing that American forces have been stretched thin since
September 11. The proposals have little support.
- http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/03/13/MNG905K1BC1.DTL
- Title: Privacy Safeguards Deep-Sixed
- Source: Wired (AP)
- Date Written: March 15, 2004
- Date Collected: March 15, 2004
- When the United States Congress disbanded the Terrorism Information
Awareness (TIA) project in the fall of 2003, it meant the end of two privacy
protection projects included within TIA. Genisys, intended to scan
government and commercial databases for hints of terrorist activity,
included technology to prevent investigators from viewing the names of
individuals until they had solid evidence of terrorist activity. The
Bio-ALIRT program, designed to scan hospital records, school attendance
records, and grocery sales to detect signs of a biological attack, contained
similar privacy tools. Some data-mining research projects were transferred
to the Advanced Research and Development Activity (ARDA) on behalf of US
intelligence. ARDA has declined to comment on whether it is developing
privacy safeguards with its data-mining projects. Teresa Lunt of the Palo
Alto Research Center, head of the Genisys privacy project, and Professor
LaTanya Sweeney of Carnegie Mellon University, principal researcher for
Bio-ALIRT's privacy, say they have offered to continue their research for
ARDA, but have been declined.
- http://www.wired.com/news/politics/0,1283,62670,00.html?tw=wn_tophead_3
Malware
- Title: Bagle turns to anti-spam trick
- Source: ZDNet UK
- Date Written: March 15, 2004
- Date Collected: March 15, 2004
- Three new Bagle variants, N, O, and P, use an anti-spam trick to try to
sneak past antivirus filters. Bagle first started sneaking past antivirus
filters by coming as an encrypted .zip file attachment, with the password to
open it given in the text of the e-mail, tricking unwary users into opening
the attachment. However, antivirus companies quickly modified their products
to grab passwords from the text to open and scan .zip files. The new
variants produce a graphic of the password to prevent the scanners from
reading it; the same trick is often used by websites to make sure viewers
are human rather than a computer trying to harvest e-mail addresses. Graham
Cluley of Sophos says his company has already updated their scanner to grab
passwords from the graphic. The new variants are also using .rar files, a
compression scheme similar to .zip.
- http://news.zdnet.co.uk/0,39020330,39149030,00.htm
- Title: Malicious code threats celebrate bumper 2003
- Source: The Register
- Date Written: March 15, 2004
- Date Collected: March 15, 2004
- Symantec has released its Internet Security Threat Report, finding that
virus threats jumped 148% in the last half of 2003. Virus writers
increasingly target backdoors opened by other attackers. Blended threats,
such as Blaster, SoBig.F, and Welchia, accounted for 54% of Symantec's top
ten risks for the second half of 2003. Symantec recorded 2,636 new
vulnerabilities for the year, an average of seven each day, up 2% compared
to 2002; the number of vulnerabilities jumped 81% between 2001 and 2002. One
third of attacking systems targeted the vulnerability exploited by Blaster,
while unpatched systems continue to make older viruses a threat.
- http://www.theregister.co.uk/content/55/36251.html
- Also - http://www.eweek.com/article2/0,1759,1549074,00.asp
- Title: Worms get mobile
- Source: Australian IT
- Date Written: March 16, 2004
- Date Collected: March 15, 2004
- As mobile phones have grown more sophisticated, many have become small
computers, complete with operating system, making them potential targets for
viruses. Mobile phone viruses could hijack a phone, forcing it to send
e-mails, make phone calls, or eavesdrop on conversations. In 2001, a virus
targeted subscribers of Japan's NTT DoCoMo, programming phones to dial the
national emergency services number. In Spain, a worm called Timofonica
caused infected phones to send spurious text messages to everyone in the
phone's address book. Palm users reported a Trojan that deleted information
from their palmtop computers. Many phones use the General Packet Radio
Service (GPRS), connected to the network at all times but charged only for
the amount of data they transmit. Such phones could be vulnerable to viruses
twenty-four hours a day. However, mobile phones currently use a variety of
operating systems, slowing the spread of potential viruses. Experts expect a
standard phone operating system to emerge within the next two years.
- http://australianit.news.com.au/articles/0,7204,8953577^15841^^nbv^,00.html
Vulnerabilities & Exploits
- Title: Leaked Code Still Could Bear Malicious Fruit
- Source: EWeek.com
- Date Written: March 14, 2004
- Date Collected: March 15, 2004
- After the announcement of a Windows source code leak in February 2004,
security researchers argued that the leak would not lead to many new flaw or
exploit discoveries, citing the age of the code and the size of the leak.
Researchers have been unable to examine the code themselves due to legal
concerns regarding Microsoft. However, iDefense researcher Ken Dunham, who
monitors hacker discussion lists, says several black hat hackers have found
flaws, but are keeping quiet to avoid alerting security professionals. Thor
Larholm, of Pivx Solutions, also argues that hackers have found flaws, but
are staying quiet to avoid legal tangles with Microsoft. Many researchers
are concerned that though the leaked code is ten years old, it is the basis
for code in current operating systems.
- http://www.eweek.com/article2/0,1759,1548990,00.asp
Best Practices & Risk Management
- Title: Voice over IP Security
- Source: Security Focus
- Date Written: March 12, 2004
- Date Collected: March 15, 2004
- VoIP (Voice over Internet Protocol) promises lower phone bills, virtual
offices, centralized management, rapid deployment, and other benefits, but
raises new security issues. Rather than just defending one data network,
administrators must also protect a voice network. Administrators must deal
with new protocols and hardware, while hackers can now target the familiar
IP infrastructure rather than the more obscure PSTN (public switched
telephone network) used by telephone companies. Call metadata can be as
valuable as the voice content. Denial of service attacks, difficult on a
PSTN, become easier with VoIP. Phones themselves become targets for malware.
Although VoIP creates new threats, many of them already have solutions from
data IP. Administrators should enact similar precautions, such as
encryption, regular security reviews, strong router configurations, and
firewalls.
- http://www.securityfocus.com/infocus/1767
Civil & Consumer Issues
- Title: Hosting company reveals hacks, citing disclosure law
- Source: Security Focus
- Date Written: March 12, 2004
- Date Collected: March 15, 2004
- Texas-based Allegiance Telecom notified 4,000 customers of a security
breach that compromised their usernames and passwords, complying with a
California law requiring organizations doing business in California to
disclose such breaches. The breach did not directly expose sensitive
customer information covered by the law, but exposed passwords for accounts
held by e-commerce sites, which may hold data on Californians. John
Pescatore of research firm Gartner says companies throughout the United
States are notifying customers of security breaches or looking into database
encryption in order to comply with the law. Allegiance Telecom spokesman
Jerry Ostergaard says his company would have informed customers even without
the law. "If there's a potential problem you want people to know about it."
- http://www.securityfocus.com/news/8240
- Title: Who's Teaming Up Against P2P?
- Source: Wired News
- Date Written: March 15, 2004
- Date Collected: March 15, 2004
- Wired News reports that it has obtained a draft letter allegedly written
by California Attorney General Bill Lockyer to other state attorneys general
characterizing peer-to-peer (P2P) file-trading software as dangerous to
consumers and regarding failure to label P2P products with warnings as a
deceptive trade practice. A look at the letter's metadata in Microsoft Word
reveals an author named "stevensonv", suggesting that MPAA (Motion Picture
Association of America) president Van Stevenson may be involved. Mr.
Lockyer's office refused to comment on any letters that may or may not be
under development. The letter reportedly is intended for the National
Association of Attorneys General (NAAG) meeting in Washington, DC, from
March 15 to March 17, 2004. Adam Eisgrau, lobbyist for trade group P2P
United, says his group will hand deliver a letter to Mr. Lockyer at the NAAG
meeting asking him to clarify whether the leaked draft is genuine, and to
include P2P United in the final version. Mr. Eisgrau notes that accusations
in the letter could be applied to other technologies, such as web browsers,
and that the letter, if authentic, would represent a broad expansion of
product liability laws.
- http://www.wired.com/news/digiwood/0,1412,62665,00.html?tw=wn_tophead_2
- Also - http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4570916&section=news
- Title: Lost E-Votes Could Flip Napa Race
- Source: Wired News
- Date Written: March 12, 2004
- Date Collected: March 15, 2004
- Napa County in northern California reports that electronic voting
machines failed to record votes scanned from some electronic ballots during
the March 2, 2004 primary elections, forcing the county to rescan over
11,000 ballots and possibly change the outcome of some races. Sequoia Voting
Systems says the votes were not dropped due to a technical problem with the
machines, but due to a procedural error by technicians. The machines were
calibrated to detect carbon-based ink, but not gel ink used by some voters.
The discrepancy was discovered during a manual recount of 1% of precincts,
done throughout California to verify accuracy. Though procedures detected
the problem, Kim Alexander of the California Voter Foundation notes that
California is one of the few states to require a hand count, and that such a
count would have been impossible on paperless voting machines.
- http://www.wired.com/news/politics/0,1283,62655,00.html?tw=wn_tophead_9
- Title: Late-model car codes frustrate mechanics
- Source: Seattle Post-Intelligencer
- Date Written: March 15, 2004
- Date Collected: March 15, 2004
- Independent automobile mechanics have increasing difficulties repairing
modern cars since they cannot access the computer equipment that makes them
work, forcing them to send customers to car dealers to fix their problems.
Many mechanics believe car makers are using technology to lock out
independent mechanics and corner the market on car repairs. The technology
affects systems as varied as locks, brakes, and climate control. Senator
Lindsey Graham (R-South Carolina) and Representative Joe Barton (R-Texas)
have both proposed bills that would require auto makers to release access
codes to consumers, allowing them to choose a mechanic to fix their car.
Auto makers oppose the bills, saying aftermarket dealers are trying to get
proprietary calibration codes so they can sell their own versions of
expensive parts. Lawmakers doubt the legislation will pass this year.
- http://seattlepi.nwsource.com/national/164817_gearheads15.html
The Institute for
Security Technology Studies (ISTS) accepts no responsibility for any error
or omissions in this e-mail. The information presented is a compilation of
material from various sources and has not been verified by staff of the
ISTS. Therefore, the ISTS cannot be made responsible for the factual
accuracy of the material presented. The ISTS is not liable for any loss or
damage arising from or in connection with the information contained in this
report. It is the responsibility of the user to evaluate the content and
usefulness of this information. References in this e-mail to any specific
commercial products, processes, or services by trade name, trademark,
manufacturer, or otherwise, do not constitute or imply endorsement,
recommendation, or favoring by the ISTS. ISTS is a research, not
operational, organization, and makes its Security in the News e-mail
available as a public service on a best-effort basis. Security in the News
will be sent out on most business days, but not all.
Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu