Network Security
FW: Security In The News - March 22, 2004
- From: Howell, Paul
- Date: Mon Mar 22 17:22:17 2004
Security In The News - LAST UPDATED: 3/22/04. This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
- Amtrak Lags in Implementing Security Technologies - Computerworld, 3/22/04
Cybercrime-Hacking
- Identity crisis hits UK companies - vnunet.com, 3/22/04
- Vigilantes attack eBay fraud - news.com.com, 3/21/04
- Venture County, Calif., Man Accused of Threatening Google - Miami Herald, 3/20/04
- U.S. Shuts Down Internet 'Phishing' Scam - Reuters, 3/22/04
Politics-Legislation
- The farce of federal cybersecurity - The Register, 3/22/04
- Security law no cause for carping - Federal Computer Week, 3/22/04
- Europe tells US: 'Hands off our flyers' data' - Silicon.com, 3/22/04
Malware
- Fast-Moving Worm Crashes Computers - EWeek.com, 3/20/04 (Also - ZDNet, 3/22/04; Also - vnunet.com, 3/22/04)
Technology
- GAO documents state of IT security tech - Government Computer News, 3/19/04
Vulnerabilities & Exploits
- Flaw stymies Norton Internet Security - news.com.com, 3/19/04
- STATE REVENUE DEPARTMENT: Agency's computer security too lax - TwinCities.com, 3/19/04
Best Practices & Risk Management
- Nuke agency shines bright in security - Federal Computer Week, 3/22/04
Civil & Consumer Issues
- SCO targets federal supercomputer users - news.com.com, 3/19/04
- Consumers protest over security of offshore data - Silicon.com, 3/22/04
Homeland Security & Infrastructure Protection
- Title: Amtrak Lags in Implementing Security Technologies
- Source: Computerworld
- Date Written: March 22, 2004
- Date Collected: March 22, 2004
- Senator Olympia J. Snowe (R-Maine) and Representative Mike Castle
(R-Delaware) have written a letter to Department of Homeland Security (DHS)
Secretary Tom Ridge questioning the allocation of billions of dollars to
protect air and sea ports while the railroad system receives only $115
million. Security professionals have questioned railroad security following
the March 11, 2004, terrorist attacks in Madrid, Spain, that led to the
deaths of 201 train passengers. A DHS spokesman said that rail security is
the responsibility of Amtrak and state and local governments, and
acknowledged that Amtrak passengers are not screened against terrorist watch
lists. Some analysts believe that rail security can be improved with minimal
impact on passenger movement and convenience. ObjectVideo of Reston,
Virginia, can provide a system to monitor existing security cameras to
detect suspicious behavior against a set of rules. Axis Communications of
Lund, Sweden, has a network camera that can work over existing information
technology infrastructures or the excess fiber optic cables running
alongside US railroads. Since kids often vandalize security cameras,
Electronic Data Systems offers a forward-looking sensor to detect problems
on the tracks ahead of a train.
- http://www.computerworld.com/securitytopics/security/story/0,10801,91452,00.html?from=homeheads
Cybercrime-Hacking
- Title: Identity crisis hits UK companies
- Source: vnunet.com
- Date Written: March 22, 2004
- Date Collected: March 22, 2004
- According to the United Kingdom's Department of Trade and Industry's
2004 Information Security Breaches Survey, one in five of large firms admits
to suffering a security breach due to identity theft. 15% of such attacks
cost around £100,000 and disrupt business for more than a month.
PricewaterhouseCoopers, who conducted the report, says the breaches occurred
because of weak identity management policies, and recommended such
authentication measures as tokens, smartcards, and biometrics. The cost
savings are substantial for large companies, but smaller companies could
also see benefits as security budgets grow.
- http://www.vnunet.com/News/1153714
- Title: Vigilantes attack eBay fraud
- Source: news.com.com
- Date Written: March 21, 2004
- Date Collected: March 22, 2004
- Users of online auction sites, such as eBay, are turning to vigilante
tactics to combat frauds and scams. The Federal Trade Commission (FTC)
reports $200 million lost to online fraud in 2003, with half of the 166,000
complaints related to online auctions. This has led some users to combat
fraudsters by overbidding on suspect listings (for example, $2.5 million for
a $2,000 telescope), sending e-mails to bidders warning them that an item is
fraudulent, or denouncing suspected fraudsters in discussion fora. eBay
forbids such activity, and will even suspend the accounts of vigilantes,
warning that such tactics could also be used by fraudsters, leading to a
free-for-all of accusations. eBay says it has 800 people around the world
combatting fraud on its site. Critics, however, say eBay is slow to act on
the problem and is in denial over the extent of the problem. eBay says only
about one hundredth of a percent of the 20 million items on its site are
fraudulent, but some experts believe the number is far higher.
- http://news.com.com/2100-1038_3-5176525.html?tag=nefd_top
- Title: Venture County, Calif., Man Accused of Threatening Google
- Source: Miami Herald
- Date Written: March 20, 2004
- Date Collected: March 22, 2004
- Federal agents have arrested Michael Anthony Bradley, 32, for attempting
to extort search engine service Google for $100,000 by threatening to
release a program which would cost the company millions in false advertising
clicks. Google pays advertisers for legitimate hits on their pop-up ads
delivered by Google. Mr. Bradley's software allegedly generated false clicks
that would appear legitimate, potentially defrauding Google of millions.
According to a Secret Service affidavit, Mr. Bradley contacted Google in
early March 2004 about the program, and met with Google officials March 10.
At the meeting, he threatened to sell the program to the "top 100 spammers"
unless they paid him $100,000. Mr. Bradley also offered consulting services
to help solve problems related to false advertising clicks. Court papers
allege Mr. Bradley used the software to divert money into his own accounts.
- http://www.miami.com/mld/miamiherald/business/national/8234511.htm
- Title: U.S. Shuts Down Internet 'Phishing' Scam
- Source: Reuters
- Date Written: March 22, 2004
- Date Collected: March 22, 2004
- The Federal Trade Commission reports the arrest and prosecution of
Zachary Hill of Houston, Texas, who has pled guilty to a phishing scam
against customers of PayPal and America Online (AOL). Mr. Hill sent
specially crafted e-mail to PayPal and AOL customers, providing a link to a
spoof website, asking them to update their account information. Using the
personal data he gathered, Mr. Hill then set up credit card accounts and
stole existing accounts. He stole $75,000 from over 400 users before his
operation was shut down on December 4, 2003. Mr. Hill will be sentenced May
17, 2004. Consumers who believe they may be victims of identity theft can
report it at http://www.consumer.gov/idtheft.
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4624987&section=news
Politics-Legislation
- Title: The farce of federal cybersecurity
- Source: The Register
- Date Written: March 22, 2004
- Date Collected: March 22, 2004
- Richard Forno discusses Congressional oversight of information
technology security at federal agencies. Mr. Forno cites a list of articles
of IT security failures at various agencies from 1998 to the present day.
Federal agencies consistently get failing or near failing grades in their
yearly reviews, though some agencies have shown real improvement. However,
in most cases, failed annual reviews only lead to verbal reprimands from
Congressional committees, as well as more reports, studies, and ineffective
legislation and policy initiatives, such as the National Strategy to Secure
Cyberspace. Mr. Forno calls the annual review process a useful tool for
measuring cybersecurity, but adds that such reviews must be acted on "in a
meaningful, lasting way." The problem, in Mr. Forno's view, is not
inadequate technology, but poor management. Chief information officers and
other managers must be held accountable, facing punitive action or even job
termination for failed IT security, rather than being rewarded by Congress
for their mediocrity, Mr. Forno concludes.
- http://www.theregister.co.uk/content/55/36429.html
- Title: Security law no cause for carping
- Source: Federal Computer Week
- Date Written: March 22, 2004
- Date Collected: March 22, 2004
- The Federal Information Security Management Act (FISMA) of 2002 is
changing how federal agencies approach cybersecurity. Daniel Galik, chief of
mission assurance for the Internal Revenue Service (IRS), says he likes the
new workload created by FISMA, including risk management, reporting
requirements, and yearly reviews. Yearly and quarterly reports must be made
to the Office of Management and Budget and any interested members of
Congress. As agencies gain experience complying with FISMA, they are
adapting to the task. Treasury, for example, has developed a web portal for
its agencies to report FISMA data and generate properly formatted reports.
Many security managers find certification and accreditation to be the
biggest challenge; a third party must conduct a technical review to certify
that it meets FISMA requirements, and a designated authority must then
approve it for use for accreditation. Mr. Galik believes the FISMA
requirements are worth the extra cost in time and money, arguing that while
every agency says its systems are secure, FISMA requires them to prove it.
- http://www.fcw.com/fcw/articles/2004/0322/feat-security-03-22-04.asp
- Title: Europe tells US: 'Hands off our flyers' data'
- Source: Silicon.com
- Date Written: March 22, 2004
- Date Collected: March 22, 2004
- The European Parliament has voted overwhelmingly in favor--439 in favor,
39 against--of a report critical of an informal agreement with the United
States to hand over airline passenger data as an anti-terrorist measure,
while a Parliamentary civil liberties commission has recommended that the
agreement be formalized or passenger consent required for the data
transfers. Many in the European Parliament contend that the data transfers
break European data protection laws. Non-European countries must be
certified under certain data protection standards before receiving European
data; the US has not yet been certified. The US has also failed to specify
who the data would be available to, except to say authorities involved with
stopping "serious crime" would see the data.
- http://www.silicon.com/research/specialreports/protectingid/0,3800002220,39119402,00.htm
Malware
- Title: Fast-Moving Worm Crashes Computers
- Source: EWeek.com
- Date Written: March 20, 2004
- Date Collected: March 22, 2004
- The Witty worm began spreading Saturday, March 20, 2004, generating
large volumes of traffic, targeting a vulnerability in Internet Security
Systems' (ISS) BlackIce products. Witty's payload, a single 1,025-byte UDP
(User Datagram Protocol) packet, slowly corrupts the hard drive of an
infected machine. The worm attacks random UDP ports, but always comes from
UDP source port 4000. Once it infects a machine, it generates random IP
(Internet Protocol) addresses and sends its payload 20,000 times. After
that, the worm writes 65 kilobytes of data to a random location on the hard
drive, slowly corrupting the system. Rebooting an infected machine appears
to remove the worm. While the BlackIce flaw is found in all ISS products, it
is not certain whether all are vulnerable; ISS reports that its Proventia
appliances are not affected.
- http://www.eweek.com/article2/0,1759,1552000,00.asp
- Also - http://zdnet.com.com/2100-1105-5176595.html
- Also - http://www.vnunet.com/News/1153695
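The summary above gives two network-observable traits of Witty: UDP traffic that always originates from source port 4000 while fanning out to random destination addresses and ports, and a fixed 1,025-byte packet. The following is an added example, not code from the newsletter, eWeek or ISS, showing how a defender could turn those traits into a simple scan-fan-out heuristic over exported firewall or flow logs. The whitespace-separated log format, the thresholds and the sample lines are all constructed assumptions for this example; real products log differently and may report frame rather than payload length, so the size match is treated as a secondary signal rather than a hard filter.

```python
"""Heuristic detector for Witty-style UDP fan-out in a firewall/flow export.

Added example; not from the newsletter or any vendor. Assumes a hypothetical
line format (one packet or flow per line):
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes>
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

WITTY_SRC_PORT = 4000       # article: Witty always sends from UDP source port 4000
WITTY_PAYLOAD_BYTES = 1025  # article: a single 1,025-byte UDP packet


@dataclass
class Packet:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    length: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one line of the assumed export format; return None on malformed input."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src_ip, src_port, dst_ip, dst_port, proto, length = parts
    try:
        return Packet(ts, src_ip, int(src_port), dst_ip, int(dst_port),
                      proto.upper(), int(length))
    except ValueError:
        return None


def find_witty_scanners(lines: Iterable[str], min_packets: int = 5,
                        min_distinct: int = 5) -> Dict[str, Dict[str, int]]:
    """Return sources whose UDP traffic from port 4000 fans out to many
    distinct destination IPs *and* destination ports (random targets), as
    described for Witty. Payload-size matches are reported but not required."""
    per_src = defaultdict(lambda: {"packets": 0, "dst_ips": set(),
                                   "dst_ports": set(), "size_hits": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.proto != "UDP" or pkt.src_port != WITTY_SRC_PORT:
            continue
        stats = per_src[pkt.src_ip]
        stats["packets"] += 1
        stats["dst_ips"].add(pkt.dst_ip)
        stats["dst_ports"].add(pkt.dst_port)
        if pkt.length == WITTY_PAYLOAD_BYTES:
            stats["size_hits"] += 1

    suspects: Dict[str, Dict[str, int]] = {}
    for src, stats in per_src.items():
        # A legitimate service bound to UDP/4000 talks to few peers on few
        # ports; a scanning worm spreads across both dimensions at once.
        if (stats["packets"] >= min_packets
                and len(stats["dst_ips"]) >= min_distinct
                and len(stats["dst_ports"]) >= min_distinct):
            suspects[src] = {
                "packets": stats["packets"],
                "distinct_dst_ips": len(stats["dst_ips"]),
                "distinct_dst_ports": len(stats["dst_ports"]),
                "payload_size_matches": stats["size_hits"],
            }
    return suspects


# Constructed sample log (not real traffic): one infected host fanning out,
# one benign host using UDP/4000 with a single fixed peer, one TCP talker,
# and one malformed line.
SAMPLE_LOG = [
    "2004-03-20T04:45:01 192.0.2.10 4000 203.0.113.14 31337 UDP 1025",
    "2004-03-20T04:45:01 192.0.2.10 4000 203.0.113.77 1234 UDP 1025",
    "2004-03-20T04:45:01 192.0.2.10 4000 203.0.113.201 50211 UDP 1025",
    "2004-03-20T04:45:02 192.0.2.10 4000 203.0.113.9 6000 UDP 1025",
    "2004-03-20T04:45:02 192.0.2.10 4000 203.0.113.150 27015 UDP 1025",
    "2004-03-20T04:45:02 192.0.2.10 4000 203.0.113.33 8080 UDP 1025",
    "2004-03-20T04:45:03 192.0.2.10 4000 203.0.113.66 443 UDP 1025",
    "2004-03-20T04:45:03 192.0.2.10 4000 203.0.113.180 60001 UDP 1025",
    "2004-03-20T04:45:03 192.0.2.20 4000 198.51.100.7 4000 UDP 120",
    "2004-03-20T04:45:04 192.0.2.20 4000 198.51.100.7 4000 UDP 120",
    "2004-03-20T04:45:05 192.0.2.20 4000 198.51.100.7 4000 UDP 120",
    "2004-03-20T04:45:06 192.0.2.20 4000 198.51.100.7 4000 UDP 120",
    "2004-03-20T04:45:06 192.0.2.30 4000 198.51.100.9 80 TCP 1500",
    "this line is malformed",
]

if __name__ == "__main__":
    for src, info in find_witty_scanners(SAMPLE_LOG).items():
        print(src, info)
```

On the constructed sample only 192.0.2.10 is reported, with eight packets to eight distinct addresses and ports, all matching the 1,025-byte size; the host with a fixed UDP/4000 peer and the TCP talker are ignored. Thresholds should be tuned to the observation window; the article's figure of 20,000 sends per infection means a real outbreak exceeds them quickly.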
Technology
- Title: GAO documents state of IT security tech
- Source: Government Computer News
- Date Written: March 19, 2004
- Date Collected: March 22, 2004
- The General Accounting Office (GAO) has released a study of eighteen
different cybersecurity technologies, requested by Representative Adam
Putnam (R-Florida), chair of the House Government Reform Subcommittee on
Technology, Information Policy, Intergovernmental Relations and the Census,
for hearings related to the Federal Information Security Management Act
(FISMA). The report considers tools in five categories: access control, such
as firewalls, biometrics, and smart tokens; system integrity tools, such as
antivirus and integrity checkers; cryptographic tools, such as digital
signatures and virtual private networks; auditing and monitoring tools; and
management tools. The report also discusses best practices for choosing and
implementing security tools.
- http://www.gcn.com/vol1_no1/daily-updates/25352-1.html
Vulnerabilities & Exploits
- Title: Flaw stymies Norton Internet Security
- Source: news.com.com
- Date Written: March 19, 2004
- Date Collected: March 22, 2004
- Research firm NGSSoftware has released an advisory of a flaw in an
ActiveX component in Symantec's Norton Internet Security that could allow an
attacker to take control of the computer. An attacker could exploit the
flaw either with a malicious webpage or with a script within an HTML
(hypertext markup language) e-mail. A similar issue with another ActiveX
component affects Symantec's Antispam software. Symantec has released
patches, available through LiveUpdate. Symantec says it has not received any
reports of exploits or exploit code for the flaw, and continues to monitor
the situation.
- http://news.com.com/2100-7355-5176442.html?tag=nefd_hed
- Title: STATE REVENUE DEPARTMENT: Agency's computer security too lax
- Source: TwinCities.com
- Date Written: March 19, 2004
- Date Collected: March 22, 2004
- A panel of four legislators for the state of Minnesota has found
multiple shortcomings in the Minnesota Revenue Department's computer
systems, used to process $5.5 billion a year in income taxes. The
legislators' eighteen page report recommends limiting access to the
computers only to those employees who need it for their jobs, and patching
security holes. The legislators were satisfied with measures to prevent an
intruder from accessing the data. The most serious security flaws were not
included in the report, but detailed in five confidential memos. Deputy
revenue commissioner Dennis Erno says the systems have the "strongest
protection from outside sources that modern technology permits," but claimed
an 11% budget cut forced less frequent security reviews.
- http://www.twincities.com/mld/pioneerpress/news/politics/8222341.htm
Best Practices & Risk Management
- Title: Nuke agency shines bright in security
- Source: Federal Computer Week
- Date Written: March 22, 2004
- Date Collected: March 22, 2004
- The Department of Transportation (DOT) and the Nuclear Regulatory
Commission (NRC) showed the greatest improvement on Representative Adam
Putnam's (R-Florida) cybersecurity report card issued in December 2003. NRC
got the only 'A' with a score of 94.5, while DOT, still lagging at 'D-',
jumped from a 28 in 2002 to 69 in 2003. Both agencies improved security
through education, teaching everyone from the executives and managers to
computer room employees about security practices. The NRC instituted a
four-level review structure for its systems and a security training and
management program that other agencies, such as the US Mint and Centers for
Medicare and Medicaid Services, are copying. Both NRC and DOT are using a
standardized certification and accreditation process.
- http://www.fcw.com/fcw/articles/2004/0322/mgt-nuke-03-22-04.asp
Civil & Consumer Issues
- Title: SCO targets federal supercomputer users
- Source: news.com.com
- Date Written: March 19, 2004
- Date Collected: March 22, 2004
- Letters released March 18, 2004, show that the SCO Group, currently
suing a number of companies over claims that the open source Linux operating
system violates its Unix copyrights, has also targeted federal supercomputer
users under the Department of Energy. Letters sent to Lawrence Livermore
National Laboratories and National Energy Research Scientific Computing
Center (NERSC), sent in December 2003 and January 2004, urge the research
facilities to purchase a Linux license from SCO or face the possibility of
legal action. Linux is a popular operating system for building
supercomputers from clusters of low-end machines; Lawrence Livermore's
1,152-computer Multiprogrammatic Capability Cluster ranks seventh on a list
of the world's 500 fastest supercomputers. A Unix system at NERSC is
currently ranked ninth. SCO has argued that open source software and the
General Public License threaten the capitalist system and national security.
- http://news.com.com/2100-7344_3-5176308.html?tag=nefd_top
- Title: Consumers protest over security of offshore data
- Source: Silicon.com
- Date Written: March 22, 2004
- Date Collected: March 22, 2004
- Consumers are beginning to demand that the United Kingdom's Information
Commission (IC), charged with data protection, prevent corporations from
sending personal data overseas as more companies outsource call centers and
data processing jobs to such countries as India. Unions have long been
concerned about job losses as companies seek low labor costs in other
countries, but some consumers worry about the safety of their data. IC
senior policy development and quality manager Iain Bourne says the IC does
not receive many complaints from consumers, suggesting a lack of concern or
awareness about overseas data processing. Gartner predicts that 2004 will
see a short-term increase in backlash against companies who move data
operations offshore. Mr. Bourne recommends that companies protect data
overseas as well as they would in the United Kingdom, and conduct a proper
audit of data facilities.
- http://www.silicon.com/management/government/0,39024677,39119406,00.htm
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/substop.html
The Institute for
Security Technology Studies (ISTS) accepts no responsibility for any error
or omissions in this e-mail. The information presented is a compilation of
material from various sources and has not been verified by staff of the
ISTS. Therefore, the ISTS cannot be made responsible for the factual
accuracy of the material presented. The ISTS is not liable for any loss or
damage arising from or in connection with the information contained in this
report. It is the responsibility of the user to evaluate the content and
usefulness of this information. References in this e-mail to any specific
commercial products, processes, or services by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply endorsement,
recommendation, or favoring by the ISTS. ISTS is a research, not
operational, organization, and makes its Security in the News e-mail
available as a public service on a best-effort basis. Security in the News
will be sent out on most business days, but not all.
Institute for Security Technology Studies, Dartmouth College, 45 Lyme Road, Suite 200, Hanover, NH 03755. Tel: (603) 646 0700. E-mail: dailyreport@ists.dartmouth.edu