FW: Security In The News - March 16, 2004
- From: Howell, Paul
- Date: Wed Mar 17 07:34:58 2004
Security In The News, LAST UPDATED: 3/16/04. This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Cybercrime-Hacking
- BJ's Wholesale suspects credit card leak - MSNBC, 3/12/04
- Australia is main hacker source - The Courier-Mail, 3/17/04
Politics-Legislation
- Judge once again orders shutdown of Interior computers - USA Today (AP), 3/16/04 (Also - Government Computer News, 3/16/04)
- Cable taps into wiretap law - news.com.com, 3/16/04
- MPs look at revising Computer Misuse Act - ZDNet UK, 3/16/04
Malware
- Bagle eats Netsky as the worm turns - ZDNet UK, 3/16/04
Vulnerabilities & Exploits
- Plaxo plugs phishing vulnerability - ZDNet UK, 3/16/04
- Macromedia struck by two security holes - Techworld, 3/16/04
- Phishing scams 'likely to target corporate info soon' - Sydney Morning Herald, 3/16/04
Best Practices & Risk Management
- Outsourcing: Losing Control - Computerworld, 3/15/04
- Experts publish 'how to' book for software exploits - Network World Fusion, 3/15/04
Civil & Consumer Issues
- U.S. Threatens Action Against Online Gambling - NY Times, 3/15/04
- The Eolas-Microsoft case--patent ending? - ZDNet, 3/16/04
- Record industry case threatens everyone's anonymity online: lawyer - National Post, 3/16/04
Cybercrime-Hacking
- Title: BJ's Wholesale suspects credit card leak
- Source: MSNBC
- Date Written: March 12, 2004
- Date Collected: March 16, 2004
- BJ's Wholesale is investigating a possible computer breach that may have
compromised customers' credit card data, and is working with credit card
companies and law enforcement to address the matter. BJ's has also brought
on additional staff to handle calls from customers who believe their data
may have been stolen. Both Visa and Mastercard have warned their customers
to check their credit card bills for signs of fraud. One bank affected by
the breach says stolen account numbers have already been used "around the
globe," and that thousands of its customers were compromised. BJ's estimates
that the breach only affected a small fraction of its eight million members,
and assured customers that it was not the result of a centralized security
breach.
- http://www.msnbc.msn.com/id/4516301
- Title: Australia is main hacker source
- Source: The Courier-Mail
- Date Written: March 17, 2004
- Date Collected: March 16, 2004
- Symantec, in its report covering cyber incidents for the second half of
2003, ranked Australia fifth on its list of 180 countries for Internet
attacks, following the United States, Canada, China, and Japan. This makes
Australia the top source for computer attacks in the Asia-Pacific region.
Threats to steal information from personal computers increased 519% compared
to the same period in 2002. Symantec Australia managing director John
Donovan says the increase is due to the number of vulnerable computers, and
notes that it is usually daylight in Australia when viruses are launched,
while most American users are asleep. Though Australia is the top source of
attacks for the Pacific region, Mr. Donovan points out that attackers in
other countries could be using Australia as a platform.
- http://www.thecouriermail.news.com.au/common/story_page/0,5936,8989104^8362,00.html
Politics-Legislation
- Title: Judge once again orders shutdown of Interior computers
- Source: USA Today (AP)
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- Federal judge Royce Lamberth has for a third time ordered the US
Department of the Interior to disconnect its systems from the Internet to
protect data on oil, gas, timber, and grazing royalties owed to American
Indians. This will leave the public unable to access information about
popular national parks, and will choke communications within the department.
Judge Lamberth argues that the benefit of protecting the 300,000 royalty
beneficiaries outweighs the inconvenience of the shutdown. Emergency
services will remain connected, as will the National Park Service, the US
Geological Survey, and Interior's budget office, since they convinced the
judge they have adequate security in place. Lamberth says the shutdown is
necessary, since Interior refuses to work with Special Master Alan Balaran
to fix security flaws they've reported to the Office of Management and
Budget.
- http://www.usatoday.com/tech/news/computersecurity/2004-03-16-interior-comp-sec-again_x.htm
- Also - http://www.gcn.com/vol1_no1/daily-updates/25261-1.html
- Title: Cable taps into wiretap law
- Source: news.com.com
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- Cable operators are beginning to comply with a federal law that requires
telecommunications providers to structure their networks to enable police to
conduct electronic surveillance. Though cable companies are not yet covered
by the Communications Assistance for Law Enforcement Act (CALEA), a
broad-reaching FBI (Federal Bureau of Investigation) proposal would bring
all broadband Internet providers under the law's coverage. Federal
Communications Committee chair Michael Powell argues that law enforcement
access to Internet communications is "essential." The FBI proposal has the
backing of the Bush administration.
- http://news.com.com/2100-1034_3-5173320.html
- Title: MPs look at revising Computer Misuse Act
- Source: ZDNet UK
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- The All-Party Internet Group (APIG), an organization bringing together
media companies and British Members of Parliament, will hold a public
hearing in the House of Commons to discuss what changes, if any, should be
made to the 1990 Computer Misuse Act (CMA). Richard Allan MP argues that the
Internet has become an essential part of everyday life, making effective
legislation necessary to prosecute those who attack computer networks. Derek
Wyatt MP, chair of APIG, notes that while some activities, such as hacking
and virus writing, are clearly illegal, there exist some vague legal areas,
such as jurisdiction.
- http://news.zdnet.co.uk/internet/security/0,39020375,39149315,00.htm
Malware
- Title: Bagle eats Netsky as the worm turns
- Source: ZDNet UK
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- Three new Bagle variants, N, O, and P, are circulating on the Internet
with new code to delete the Netsky virus from infected machines. The war
between Netsky and Bagle started when the Netsky worm deleted Bagle and
MyDoom from computers. Both worms retaliated with insults, but this is the
first time one responded by removing Netsky. The Bagle variants kill Netsky
processes and remove its start-up key from the Windows Registry. Mikko
Hyppönen of antivirus firm F-Secure says that although viruses are always
bad, Netsky may have reduced the amount of spam on the Internet by removing
e-mail proxies installed by MyDoom and Bagle. Netsky's author retired from
the virus war, but independent versions of Netsky have since popped up.
- http://news.zdnet.co.uk/internet/security/0,39020375,39149316,00.htm
Vulnerabilities & Exploits
- Title: Plaxo plugs phishing vulnerability
- Source: ZDNet UK
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- Plaxo, an online contact management service, has fixed a serious
security vulnerability in its website that would allow an attacker to steal,
modify, or delete data in a user's address book. Lodoga security researcher
Jeremy Wood discovered the vulnerability, which would let an attacker put a
Javascript layer over Plaxo's sign-on page, sending any data the user inputs
to the attacker and then to Plaxo to let the user sign on. This exploit can
be used in a phishing attack; while banks can tell customers to ignore
e-mails pretending to come from the bank, e-mail is an essential part of
Plaxo's system. Plaxo says it fixed the flaw within a few hours of
discovery, and does not believe any users have fallen victim to an attack.
- http://news.zdnet.co.uk/internet/security/0,39020375,39149309,00.htm
- Title: Macromedia struck by two security holes
- Source: Techworld
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- Macromedia has announced the discovery of two flaws in its software products and
ColdFusion developer language. The first flaw, which Macromedia rates as
moderate, involves e-licensing in its installation software, and could allow
a user to steal another user's privileges if the software is installed on a
multi-user machine. This flaw affects all Macromedia software products, including
Flash MX, Dreamweaver MX, Studio MX, and Fireworks MX. The second flaw,
rated "critical," affects ColdFusion MX and JRun. A specially constructed
SOAP (Simple Object Access Protocol) message can consume processor cycles
and memory, denying service on a machine. Macromedia urges its customers to
apply the latest patches.
- http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1214
- Title: Phishing scams 'likely to target corporate info soon'
- Source: Sydney Morning Herald
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- Richard Turner, Asia-Pacific vice-president for RSA Security, says
phishing scams will shift focus from stealing personal data for bank
accounts to stealing corporate secrets. As corporations open their networks
to remote workers, clients, and business partners, attackers may use
phishing tactics to access corporate networks, making strong authentication
policies and software configurations a business necessity. Basic hacking
tools are widely available, making attacks possible despite lack of
technical expertise.
- http://www.smh.com.au/articles/2004/03/16/1079199195657.html
Best Practices & Risk Management
- Title: Outsourcing: Losing Control
- Source: Computerworld
- Date Written: March 15, 2004
- Date Collected: March 16, 2004
- Without strong security controls beyond the encrypted domain level,
outsourcing business processes, such as billing, could compromise customer
data. For example, a woman in Pakistan threatened to post data on patients
at the University of California, San Francisco, Medical Center to the
Internet unless she was paid more money; she got the data from a medical
transcription subcontractor who employed her. Federal law requires companies
to have an information security plan when handling health and financial
data; therefore, companies should ask to see a security audit before
outsourcing to third parties. Companies can also set up a clean room--thin
clients connected to the servers within the United States, with no output
devices allowed, thus preventing employees from copying data. Strong access
control policies ensure that outsourced workers only see the information
necessary for their jobs. Finally, companies should know their workers,
providing necessary training and visiting the outsourcing site from time to
time.
- http://www.computerworld.com/securitytopics/security/story/0,10801,91085,00.html
- Title: Experts publish 'how to' book for software exploits
- Source: Network World Fusion
- Date Written: March 15, 2004
- Date Collected: March 16, 2004
- "The Shellcoder's Handbook: Discovering and Exploiting Security Holes,"
scheduled for release March 22, 2004, is intended to help administrators
defend their networks against malicious attack, and gives examples of
working code for common exploits. Such common attacks as the buffer overflow
are covered, as well as some more obscure attacks, such as format string
bugs in C, tampering with cryptographic services, and "fuzzing" network
protocols. The book also includes previously unpublished exploits, such as
the heap overflow and kernel attacks. The book has sparked debate among
researchers on whether certain security holes should be publicly disclosed;
some fear that the book could become a primer for hackers. The book's
authors argue, however, that administrators must understand the threats
facing them in order to make good security decisions.
- http://www.nwfusion.com/news/2004/0315experpubli.html
Civil & Consumer Issues
- Title: U.S. Threatens Action Against Online Gambling
- Source: NY Times
- Date Written: March 15, 2004
- Date Collected: March 16, 2004
- Federal prosecutors are cracking down on offshore online casinos by
threatening to sue domestic companies that advertise the casinos, arguing
that the advertisements could be considered 'aiding and abetting' the online
casinos. Such casinos are illegal in the United States; however, most
operate in Costa Rica, the Caribbean, or the Isle of Man, outside US
jurisdiction. Several media companies, such as Infinity Broadcasting, Clear
Channel Communications, and Discovery Networks, have dropped advertisements
for online casinos in response to legal threats. Legal experts say the
advertisers may protect themselves under the First Amendment's free speech
guarantees, but prosecutors could argue that they are profiting from illegal
activities. The legal actions raise questions of jurisdiction on the
borderless Internet, as the online casinos operate legally within their home
countries.
- http://www.nytimes.com/2004/03/15/technology/15GAMB.html
- Title: The Eolas-Microsoft case--patent ending?
- Source: ZDNet
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- In February 2004, the US Patent and Trademark Office (USPTO) ruled that
a patent granted to Eolas Technologies for a key Internet technology may
have been wrongfully granted and launched a review of the patent. If the
patent is upheld, Microsoft stands to lose $521 million for infringing the
patent, and would be forced to rewrite portions of Internet Explorer. The
World Wide Web Consortium (W3C) has joined Microsoft in the legal battle,
arguing that upholding the patent would disrupt the Internet. The review
process is a dialogue between the USPTO and the patent holder, in which the
holder gets to file arguments for its patent without rebuttal from third
parties. In 1999, USPTO changed policies to allow rebuttals, but those
policies do not apply to the Eolas patent, which was filed prior to 1999.
Only 2% of patent reviews are initiated by the USPTO; in such cases, the
patent is invalidated or altered 87% of the time. Even so, the procedural
rules favor the patent holder.
- http://zdnet.com.com/2100-1104-5173287.html?
- Title: Record industry case threatens everyone's anonymity online: lawyer
- Source: National Post
- Date Written: March 16, 2004
- Date Collected: March 16, 2004
- Two lawyers representing the Canadian Internet Policy and Public
Interest Clinic (CIPPIC) presented arguments against the Canadian Recording
Industry Association (CRIA) regarding its suit against Internet service
providers (ISPs) to reveal the identities and addresses of 29 individuals
accused of copyright infringement for downloading songs through file-trading
networks such as Kazaa. Alex Cameron argued that requiring the ISPs to
reveal customer data would remove the expectation of anonymity from Internet
transactions. CRIA lawyers argued that customers' contracts with ISPs permit
disclosure in certain situations. CIPPIC lawyer Howard Knopf portrayed the
CRIA's lawsuits as a "war against file-sharing," pointing out that most
file-sharers are civilians without the resources to protect themselves from
a CRIA lawsuit, forcing them to settle. Mr. Knopf also pointed out the
Copyright Board has ruled that downloading music is legal under Canadian
law.
- http://www.canada.com/national/nationalpost/news/artslife/story.html?id=c5ffc6a9-6088-42e0-91fe-ae6fe8b66401
The Institute for Security Technology Studies (ISTS) accepts no responsibility for any errors or omissions in this e-mail. The information presented is a compilation of material from various sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be held responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in this e-mail to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise do not constitute or imply endorsement, recommendation, or favoring by the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News e-mail available as a public service on a best-effort basis. Security in the News will be sent out on most business days, but not all.

Institute for Security Technology Studies, Dartmouth College, 45 Lyme Road, Suite 200, Hanover, NH 03755. Tel: (603) 646 0700. E-mail: dailyreport@ists.dartmouth.edu