
Discussion Communities: Merit Network Email List Archives

Network Security

FW: Security In The News - March 17, 2004

  • From: Howell, Paul
  • Date: Wed Mar 17 16:54:48 2004

-----Original Message-----
From: dailyreport@ists.dartmouth.edu [mailto:dailyreport@ists.dartmouth.edu]
Sent: Wednesday, March 17, 2004 4:29 PM
To: subscriber (2554)
Subject: Security In The News - March 17, 2004

Security In The News
LAST UPDATED: 3/17/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html ,

Homeland Security & Infrastructure Protection

New Homeland Security Guidelines Called Vendor-Driven
EWeek.com, 3/16/04

Cybercrime-Hacking

EBay: online hacker stole customers' data
Washington Times (UPI), 3/16/04

Net Crime Gangs Try to Cash in on UK Horse Festival
Reuters, 3/16/04

FBI analyst faces trial for surfing law enforcement systems
Government Computer News, 3/17/04

Politics-Legislation

Putnam questions OMB oversight
Federal Computer Week, 3/16/04

New Calif. ID-theft bill would toughen earlier law
Computerworld, 3/17/04

Malware

Bugwatch: The virus avalanche
vnunet.com, 3/17/04

Technology

Hey, It's Me! Don't Drop the Bomb
Wired News, 3/17/04

Nokia Embraces RFID
EWeek.com, 3/17/04

Intel to join Liberty Alliance
ZDNet, 3/17/04

Vericept announces anti-fraud product aimed at identity theft problem
Network World Fusion, 3/17/04

Vulnerabilities & Exploits

Serious flaw found in three Symantec products
The Age, 3/16/04

Best Practices & Risk Management

Where to Turn?
Security Focus, 3/15/04

Hacking insurance is a must
vnunet.com, 3/17/04

Civil & Consumer Issues

MP3 Phone Patent Dispute Deepens
The Korea Times, 3/17/04



Homeland Security & Infrastructure Protection


Title: New Homeland Security Guidelines Called Vendor-Driven
Source: EWeek.com
Date Written: March 16, 2004
Date Collected: March 17, 2004
Awareness for Home Users and Small Business, a task force formed by the Department of Homeland Security (DHS) and private industry at 2003's National Cybersecurity Summit, will release its recommendations March 18, 2004 as a follow-up to the National Strategy to Secure Cyber Space. The National Strategy was widely criticized for lacking definitive action. Alan Paller, research director at the SANS (SysAdmin, Audit, Network, Security) Institute, says the report will be vendor-driven, and focus on user mistakes rather than flaws in software and processes. Many government officials left for the private sector after the release of the National Strategy, frustrated over its results. Some believe something similar will happen to the task forces; one unnamed chief security officer has already quit over the influence technology vendors had over the report.
http://www.eweek.com/article2/0,1759,1549954,00.asp

Cybercrime-Hacking


Title: EBay: online hacker stole customers' data
Source: Washington Times (UPI)
Date Written: March 16, 2004
Date Collected: March 17, 2004
Malicious hackers have used the common phishing tactic higher up the supply chain to steal sensitive customer data, according to online auction company eBay. The hackers tricked several merchants using the PayPal online payment system into revealing their usernames and passwords, giving the hackers access to their customer records, with such data as names, e-mail addresses, home addresses, and transaction histories. eBay would not comment on how many customers were affected, except to say it was a small percentage of its 40 million users. No credit card numbers, Social Security Numbers, or other financial data were compromised, since eBay keeps that information encrypted on a server not accessible to customers. However, eBay warns that the attackers could use the information in further phishing attacks against customers.
http://washingtontimes.com/upi-breaking/20040316-124532-6763r.htm


Title: Net Crime Gangs Try to Cash in on UK Horse Festival
Source: Reuters
Date Written: March 16, 2004
Date Collected: March 17, 2004
Britain's William Hill online betting company was hit with a distributed denial of service attack March 11, 2004, just before the Cheltenham horse races. The company was able to minimize the disruption caused by the attack. Law enforcement officials say organized crime groups are behind a wave of cyber extortion, threatening to knock down online gambling sites just before major sporting events, such as American football's Super Bowl and the Cheltenham horse races. Richard Starnes, director of incident response for the Internet service provider (ISP) Cable & Wireless, says the attacks are growing in intensity and sophistication. A sustained Internet outage could significantly cut into a betting house's profits. Police say betting sites increasingly report extortion threats, raising the probability an arrest will be made.
http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4581165&section=news


Title: FBI analyst faces trial for surfing law enforcement systems
Source: Government Computer News
Date Written: March 17, 2004
Date Collected: March 17, 2004
Jeffrey D. Fudge of Lancaster, Texas, faces trial in April 2004 on eight counts of exceeding authorized access to a government computer for allegedly browsing through law enforcement databases and sharing data with friends and family. If convicted, Mr. Fudge faces up to fifty years' imprisonment or fines up to $2.5 million. Prosecutors allege that Mr. Fudge used his status as an FBI (Federal Bureau of Investigation) investigator to access the FBI's Automated Case Support system, the National Crime Information Center, the Texas Crime Information Center, the Texas Law Enforcement Telecommunications System, and the FBI Net between October 1997 and April 2003. He allegedly used the systems to see whether the FBI was investigating prominent Dallas residents, to satisfy his own curiosity about FBI investigations, and to share the information with family and friends. Steven P. Beauchamp of the Justice Department Inspector General's Office comments, "This indictment serves as a reminder that the department will not tolerate the misuse and unauthorized disclosure of sensitive law enforcement information."
http://www.gcn.com/vol1_no1/daily-updates/25279-1.html

Politics-Legislation


Title: Putnam questions OMB oversight
Source: Federal Computer Week
Date Written: March 16, 2004
Date Collected: March 17, 2004
Representative Adam Putnam (R-Florida), chair of Government Reform's Technology, Information Policy, Intergovernmental Relations and the Census subcommittee, directed hard questioning at six cabinet agency officials, including Karen Evans, administrator for electronic government and information technology in the Office of Management and Budget (OMB). Mr. Putnam questioned how OMB handles agencies with low security grades, asking Ms. Evans how much money was withheld from agencies for updating their systems. Ms. Evans was unable to give a figure, but said the OMB planned to move away from status reporting to more detailed understanding of the quality of security work, certification, and accreditation procedures. An official from the National Institute of Standards and Technology (NIST) says they have the funds to provide compliance guidelines for the Federal Information Security Management Act (FISMA) of 2002, but Benjamin Wu, of NIST's parent Commerce Department, said budget constraints forced the NIST to scale back other critical information technology research.
http://www.fcw.com/fcw/articles/2004/0315/web-omb-03-16-04.asp


Title: New Calif. ID-theft bill would toughen earlier law
Source: Computerworld
Date Written: March 17, 2004
Date Collected: March 17, 2004
The State of California is considering Senate Bill 1279, a proposal to expand identity theft protections from databases to voice and paper. California passed a law in 2003--SB 1386--requiring businesses holding data on California residents to inform customers if a computer breach compromises their data. The new bill would also require businesses to provide credit-monitoring service for two years, free of charge, in the event of an information breach. Many companies affected by the proposed law are nervous about its passage, given the enormous costs posed by credit-monitoring and the operational difficulties of securing voice and paper.
http://www.computerworld.com/governmenttopics/government/legislation/story/0,10801,91309,00.html

Malware


Title: Bugwatch: The virus avalanche
Source: vnunet.com
Date Written: March 17, 2004
Date Collected: March 17, 2004
Jack Clark of McAfee Security discusses the Netsky, Bagle, and MyDoom worms. The first two months of 2004 have been some of the busiest for antivirus researchers. These first two months have seen more virus activity than all of 2003, just from these three worms, due to their unusually high number of variants. Some believe the widespread availability of virus-writing kits has allowed unskilled users to create malware. Virus writers, rather than releasing their worms and disappearing to avoid detection, have decided to release a series of variants to stay ahead of researchers. When Netsky grabbed media attention and deleted Bagle and MyDoom from computers, it sparked a war between their creators, contributing to the high number of attacks. The viruses underscore the need to follow established best practices for virus protection, especially user education.
http://www.vnunet.com/News/1153550

Technology


Title: Hey, It's Me! Don't Drop the Bomb
Source: Wired News
Date Written: March 17, 2004
Date Collected: March 17, 2004
Sandia National Laboratories is working on Athena, a radio tag sensor system designed to reduce friendly fire incidents in battlefield situations. The tags are intended to be about the size of a pack of cigarettes, and cost around $1,000 each. The tags would respond in a certain way to radar pings from aircraft, alerting pilots not to drop ordnance on friendly forces. However, ways must be found to prevent enemy forces from hacking into the system; for example, enemies could steal sensors to protect themselves from attack. Daily changing encryption codes would shorten the time a stolen sensor would be effective. John Pike of GlobalSecurity.org points out that such systems have historically been too expensive and bulky to be cost-effective, but Sandia plans to leverage technology it has already developed to keep down costs.
http://www.wired.com/news/technology/0,1282,62686,00.html?tw=wn_tophead_1


Title: Nokia Embraces RFID
Source: EWeek.com
Date Written: March 17, 2004
Date Collected: March 17, 2004
At the CeBIT show in Hannover, Germany, Nokia unveiled a GSM (Global System for Mobile Communications) mobile phone with radio frequency identification (RFID) tag readers. Nokia plans to market the phone to field workers, such as meter readers for utility companies, who could read RFID tags then transmit the information automatically. The Nokia Mobile RFID Kit will be included in the Nokia Field Force Solution, operate in the 13.56 megahertz range, and use the ISO-14443A standard. The kit will ship in the middle of 2004.
http://www.eweek.com/article2/0,1759,1550108,00.asp


Title: Intel to join Liberty Alliance
Source: ZDNet
Date Written: March 17, 2004
Date Collected: March 17, 2004
The Liberty Alliance is expected to announce March 18, 2004, that chip-maker Intel will join its 160 members, including such technology companies as Sony and Sun Microsystems as well as consumer-oriented businesses like Fidelity Investments and American Express. The Liberty Alliance was originally created in 2001 to develop specifications for federated identity management, but has since branched out into other areas of security, such as mobile phone services. According to Jason Bloomberg, an analyst at ZapThink research firm, joining the Liberty Alliance fits with Intel's strategy to generate demand for its chips by backing companies and technologies driving computer and mobile device usage.
http://zdnet.com.com/2100-1105_2-5173759.html


Title: Vericept announces anti-fraud product aimed at identity theft problem
Source: Network World Fusion
Date Written: March 17, 2004
Date Collected: March 17, 2004
Vericept has released anti-fraud software to monitor an enterprise's outbound Internet traffic to guard against leaks of sensitive data that could lead to identity theft. The Identity Theft and Fraud Management software runs on a Linux server and passively scans ports on switches and routers for sixty types of personal information, such as dates of birth and Social Security numbers. The software issues an alert to administrators if this sort of information goes out over HTTP (hypertext transfer protocol), FTP (file transfer protocol), e-mail, instant message, or peer-to-peer file-sharing. The software can handle most types of IP (Internet Protocol) traffic, though not UDP (User Datagram Protocol). It can be integrated as a module with Vericept 6.0. The software is designed to guard against such threats as the "disgruntled employee," according to Vericept's Brett Schklar. Pricing starts at $9,500.
http://www.nwfusion.com/news/2004/0317vericept.html

Vulnerabilities & Exploits


Title: Serious flaw found in three Symantec products
Source: The Age
Date Written: March 16, 2004
Date Collected: March 17, 2004
Security firm eEye has discovered flaws in Symantec's Norton Internet Security 2004, Norton Internet Security 2004 Professional, and Norton Personal Firewall 2004 that would allow an attacker to deny service to systems running default configurations of the software. Another flaw, found in Internet Security Systems' RealSecure and BlackICE, would allow an attacker to gain the highest level of access. eEye has informed both companies of the flaws, but will not publicly reveal full details until the two companies have had time to make a patch.
http://www.theage.com.au/articles/2004/03/16/1079199206168.html

Best Practices & Risk Management


Title: Where to Turn?
Source: Security Focus
Date Written: March 15, 2004
Date Collected: March 17, 2004
Tim Mullen argues that the security community is frustrating users with security prognostications that point out the dangers of various flaws and threats, offer users an array of products to defend their systems, but provide little guidance on what threats they should guard against. Mr. Mullen gives the example of an administrator ordered to patch systems against the ASN.1 (Abstract Syntax Notation One) flaw as his number one priority during the height of the Netsky, Bagle, and MyDoom attacks. Mr. Mullen argues that the ASN.1 threat was overblown compared to other threats, as researchers took an opportunity to be anti-Microsoft rather than pro-security. Such behavior from security researchers only confuses users, preventing them from making good security decisions.
http://www.securityfocus.com/columnists/225


Title: Hacking insurance is a must
Source: vnunet.com
Date Written: March 17, 2004
Date Collected: March 17, 2004
Specialist insurer Hiscox says less than 5% of its large customers are seriously considering the threat hackers pose to digital assets, neglecting to buy insurance against computer attacks. Stephen Ware, manager of the company's aerospace, technology, media and telecoms division in the United Kingdom, says complacency and lack of risk analysis are leading companies away from protecting digital assets as they would physical assets. Such issues need to be discussed at the board level, making it a corporate governance issue. Mr. Ware says his company has seen an increase in extortion- and blackmail-based hacking.
http://www.vnunet.com/News/1153579

Civil & Consumer Issues


Title: MP3 Phone Patent Dispute Deepens
Source: The Korea Times
Date Written: March 17, 2004
Date Collected: March 17, 2004
South Korea's LG Electronics has released its LP3000 cell phone, capable of storing up to 16 MP3 files. The Korea Association of Phonogram Producers (KAPP) claims the phone sales violate copyright law and plans to block sales of the phone. LG Electronics counters that it has equipped the phones with digital rights management (DRM) to prevent illegal MP3s from being used. The KAPP says that programs to circumvent the DRM are already available over the Internet. Talks between LG Electronics and KAPP, mediated by the Ministry of Information and Communication and the Ministry of Culture and Tourism, failed to find middle ground. Such conflicts should continue as more phone makers release MP3-enabled phones.
http://times.hankooki.com/lpage/tech/200403/kt2004031719131911810.htm

To change your delivery preferences please go to:
http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to:
http://news.ists.dartmouth.edu/substop.html

The Institute for Security Technology Studies (ISTS) accepts no responsibility for any errors or omissions in this e-mail. The information presented is a compilation of material from various sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be made responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in this e-mail to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, do not constitute or imply endorsement, recommendation, or favoring by the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News e-mail available as a public service on a best-effort basis. Security in the News will be sent out on most business days, but not all.

Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu
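The Vericept item above describes passive scanning of outbound traffic for personal data such as Social Security numbers and dates of birth. The following is an added illustration of that technique written for this page; it is not Vericept's code and does not reproduce Vericept's rules. The sample flows, the two pattern types and the plausibility filter (Social Security Administration allocation rules used to discard numbers that can never be issued) are all assumptions chosen to show why a bare pattern match produces false positives and how a validity check trims them.

```python
"""Added example: scan captured outbound payloads for personal data and
raise alerts, in the spirit of the monitoring product described above.
Example code for this page, not Vericept's software; sample flows are
constructed and the detection rules are assumptions."""
import re
from dataclasses import dataclass

# Candidate US Social Security number: 3-2-4 digits with one consistent
# separator (dash, space or none), not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Candidate date of birth: a DOB-style label followed by a US or ISO date.
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth|born)\b[:=\s]*"
    r"(\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})",
    re.IGNORECASE,
)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues (area 000, 666 or 900-999;
    group 00; serial 0000). Cuts false positives from order numbers,
    phone fragments and similar digit runs."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


@dataclass
class Alert:
    proto: str   # application protocol the data left over
    src: str     # internal host that sent it
    kind: str    # "ssn" or "dob"
    match: str   # the matched text, for the analyst


def scan_payload(proto: str, src: str, payload: str) -> list:
    """Return one Alert per plausible SSN and per labelled DOB in payload."""
    alerts = []
    for m in SSN_RE.finditer(payload):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            alerts.append(Alert(proto, src, "ssn", m.group(0)))
    for m in DOB_RE.finditer(payload):
        alerts.append(Alert(proto, src, "dob", m.group(1)))
    return alerts


# Constructed sample of outbound flows: (protocol, source host, payload).
SAMPLE_FLOWS = [
    ("http", "10.0.0.5", "POST /upload name=J.Doe&ssn=123-45-6789&dob=04/12/1971"),
    ("smtp", "10.0.0.7", "Subject: invoice\r\nOrder 000-12-3456 shipped"),  # area 000: not an SSN
    ("ftp",  "10.0.0.9", "employee export: 219 09 9999, DOB: 1968-11-02"),
    ("im",   "10.0.0.11", "call me at 555-1234"),                           # 3-4 digits: no match
]


def scan_flows(flows) -> list:
    """Scan every flow; a real deployment would feed this from a span port."""
    return [a for proto, src, payload in flows for a in scan_payload(proto, src, payload)]


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT {alert.kind.upper():3} {alert.proto:4} from {alert.src}: {alert.match}")
```

On the constructed flows the scanner raises four alerts (an SSN and a DOB from the HTTP upload, an SSN and a DOB from the FTP export) and stays silent on the invoice number with area 000 and on the phone number, which is the difference between a usable alert feed and one that administrators learn to ignore.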


