
Network Security
FW: Security In The News - March 23, 2004
- From: Howell, Paul
- Date: Wed Mar 24 06:57:44 2004
Security In The News LAST UPDATED: 3/23/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
- Lieberman assails progress in securing IT infrastructure - Government Computer News, 3/22/04 - Also - Federal Computer Week, 3/23/04
- DHS unveils rail measures - Federal Computer Week, 3/22/04
Cybercrime-Hacking
- Police Investigate Internet Link in Latest Group Suicide - Chosun Ilbo, 3/23/04
- World's Toughest Cyber Law on Trial in Romania - Reuters, 3/23/04
Politics-Legislation
- Privacy Maven Now Works for Feds - Wired News, 3/23/04
Malware
- Close encounters of the viral kind - The Register, 3/22/04
- RIAA website nears week-long outage - vnunet.com, 3/23/04
Technology
- Despite Security Flaws, Internet Explorer Resists Decline and Fall - ecommerce times, 3/23/04
- Scots police add robo-reporting - vnunet.com, 3/23/04
- Pay Once, Share Often With LWDRM - Wired News, 3/23/04
- Foundation showcases data-sharing network, urges action - GovExec.com, 3/22/04
Vulnerabilities & Exploits
- IE flaw exposes weakness in Yahoo! filtering - The Register, 3/23/04
Civil & Consumer Issues
- New Zealand to 'legalise CD piracy' - music biz - The Register, 3/23/04 - Also - New Zealand Herald, 3/23/04
- When Gaming is a Gamble - Security Focus, 3/22/04
- Record Industry Sues 532 More File-Sharers - Reuters, 3/23/04
Homeland Security & Infrastructure Protection
- Title: Lieberman assails progress in securing IT infrastructure
- Source: Government Computer News
- Date Written: March 22, 2004
- Date Collected: March 23, 2004
- Senator Joseph Lieberman (D-Connecticut), ranking Democrat on the
Governmental Affairs Committee, has written a letter to Department of
Homeland Security (DHS) Secretary Tom Ridge saying that "far too little
progress has been made" in securing critical information infrastructures,
and demanding an explanation. Mr. Lieberman contends that DHS has made
little progress in translating the "vague generalities" of the National
Strategy to Secure Cyberspace into real policies. Mr. Lieberman raised
similar concerns regarding private sector task forces set up by DHS at the
National Cybersecurity Summit in December 2003. Mr. Lieberman asked for
detailed explanations on how DHS intends to address protecting the Internet,
protecting digital control systems, improving software development, the
relationship between US-CERT and Carnegie Mellon's CERT (Computer Emergency
Response Team), privacy issues, and information technology research and
development.
- http://www.gcn.com/vol1_no1/daily-updates/25363-1.html
- Also - http://www.fcw.com/fcw/articles/2004/0322/web-dhs-03-23-04.asp
- Title: DHS unveils rail measures
- Source: Federal Computer Week
- Date Written: March 22, 2004
- Date Collected: March 23, 2004
- The Department of Homeland Security (DHS) has announced several
initiatives to protect transit and rail systems following the March 11,
2004, terrorist train bombings in Madrid, Spain. The new initiatives focus
on three areas: threat response, such as bomb-sniffing dogs and baggage
screening, public awareness, and technological innovations. $407 million
will go toward biological countermeasures, while $63 million is earmarked
for chemical and explosive countermeasures. The Urban Areas Security
Initiative has already provided $115 million since May 2003 for rail and
transit security. Only 3% of the Transportation Security Administration's
(TSA) $5.3 billion budget for 2005 is dedicated to non-air transportation.
- http://www.fcw.com/fcw/articles/2004/0322/web-rails-03-22-04.asp
Cybercrime-Hacking
- Title: Police Investigate Internet Link in Latest Group Suicide
- Source: Chosun Ilbo
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- South Korean police are investigating the suicides of five people, all
in their twenties, in a motel room in Suwon City, Gyeonggi Province. The
police suspect the group may have met each other through a suicide website.
Such websites are intended for suicide prevention and counseling, but are
often misused. Staff of the Suicidal Urge Counsel Club constantly delete
messages offering to sell poison from its web bulletin board. One of the
victims in the motel suicide wrote in his four-page will that poison-sellers
have defrauded him over the suicide website, putting a W3 million ($2600)
debt on his credit card. The Cyber Crime Investigation Unit of the National
Police Agency is planning to close down suicide-related websites and
eliminate the word "suicide" from search engine services.
- http://english.chosun.com/w21data/html/news/200403/200403230013.html
- Title: World's Toughest Cyber Law on Trial in Romania
- Source: Reuters
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- Romania has begun the trial of Dan Dumitru Ciobanu, alleged author of
Blaster.F, a tamer variant of August 2003's Blaster worm, testing a Romanian
cybercrime law, thought to be one of the toughest in the world. If
convicted, Mr. Ciobanu, 24, faces three to fifteen years imprisonment, twice
the sentence for rape under Romanian law. Blaster.F infected 1,000 computers
during the Blaster attacks; Mr. Ciobanu has admitted to modifying Blaster
code. The trial resparks a debate regarding the proper punishment of
cybercrimes. "If they are curious how such a program works, young
programmers should also be curious to see the legal consequences," says
Romania's Deputy Communication Minister Adriana Ticau.
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4635374
Politics-Legislation
- Title: Privacy Maven Now Works for Feds
- Source: Wired News
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- Lisa Dean, Washington policy liaison for the Electronic Frontier
Foundation (EFF), will work as the Transportation Security Administration's
(TSA) chief privacy officer, with the responsibility of writing privacy
policies for CAPPS II (Computer Assisted Passenger Pre-Screening System) and
other TSA projects. Ms. Dean has been a long-time critic of CAPPS II,
arguing that function creep would, and has, shifted its focus to matters
unrelated to aviation security. She has also opposed US-VISIT (United States
Visitor and Immigrant Status Indicator Technology), warning that it may
herald similar systems for US citizens. TSA has drawn fire from civil
libertarians for its CAPPS II project and role in the JetBlue scandal,
facilitating the transfer of sensitive passenger data to a defense
contractor to test data-mining algorithms.
- http://www.wired.com/news/politics/0,1283,62763,00.html?tw=wn_tophead_2
Malware
- Title: Close encounters of the viral kind
- Source: The Register
- Date Written: March 22, 2004
- Date Collected: March 23, 2004
- ICSA (International Computer Security Association) Labs, a division of
TruSecure, has released a survey of 300 organizations, finding that 30%
suffered a serious virus outbreak in 2003, compared to only 15% in 2002.
ICSA defines a serious outbreak as one where 25 or more computers become
infected with the same virus at the same time. Disaster recovery costs
increased by 23% in 2003 to around $100,000. The 300 organizations, managing
over one million desktops, servers, and perimeter gateways, experienced a
rate of 108 infections per 1,000 machines per month, up from 105 in 2002. The
rate was as low as 10 in 1996. Larry Bridwell, content security program
manager at ICSA Labs, argues that organizations must take more proactive
security measures and educate employees, while vendors must make more secure
software and antivirus vendors must have more effective heuristics to change
the trend in 2004.
- http://www.theregister.co.uk/content/55/36443.html
- Title: RIAA website nears week-long outage
- Source: vnunet.com
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- Netcraft reports that the website of the Recording Industry Association
of America (RIAA) has been down for nearly a week since March 17, 2004. Many
security experts believe RIAA's site has been targeted by the MyDoom.F worm,
designed to launch distributed denial of service (DDoS) attacks between the
17th and 22nd of any month. Antivirus firm McAfee says that if the cause is
the MyDoom.F worm, it would indicate tens of thousands of infected
computers, mostly in Europe. The RIAA is working to bring its site back
online.
- http://www.vnunet.com/News/1153747
Technology
- Title: Despite Security Flaws, Internet Explorer Resists Decline and Fall
- Source: ecommerce times
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- While some people are dropping the Internet Explorer web browser in
favor of more secure options, such as Mozilla, many corporate information
technology managers are waiting for the promised security updates of
Microsoft's Windows XP Service Pack 2. The service pack fixes for Internet
Explorer promise such features as pop-up blocking, preventing pop-ups from
tampering with the user interface, checking for signatures on downloaded
executables, and tighter MIME (Multipurpose Internet Mail Extensions)
controls to prevent executables from being disguised as .jpg files. Some,
however, are choosing other browsers, which already have these features.
This does mean a trade-off--while ActiveX controls can make Internet
Explorer vulnerable, they also offer functionality desired by most users.
- http://www.ecommercetimes.com/perl/story/33181.html
- Title: Scots police add robo-reporting
- Source: vnunet.com
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- Scotland's Strathclyde Police force has deployed WinScribe's VoiceForms
digital dictation system to ease the paperwork officers face when filing
reports, allowing them to spend more time on patrol. Police officers can
file reports over their handsets or mobile phones. The system gives them a
choice of forms to fill out for various crimes. The system digitally records
their reports and queues them for transcription. Officers can file reports
on the scene or on the move, removing the need to return to their desks to
file a report. According to Sylvia Bannigan, project management officer for
the Strathclyde Police, the system only took one week to deploy, mostly to
input details from the personnel database to ensure that only authorized
officers could file reports.
- http://www.vnunet.com/News/1153735
- Title: Pay Once, Share Often With LWDRM
- Source: Wired News
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- Germany's Fraunhofer Institute has developed Light Weight Digital Rights
Management (LWDRM) to give consumers choices in their use of .mp3 music
files, while not harming the rights of the music industry. Consumers can buy
.mp3 files, but when they want to transfer it to a portable device or share
it with friends, they would have to also download a digital certificate that
records exactly what is done with it. The Fraunhofer Institute contends that
unlike other digital rights systems, which are designed by the music
industry, LWDRM gives control to the consumer within a framework of fair
use. Fraunhofer plans to release a free and fully integrated online store
with LWDRM, allowing smaller record labels to quickly deploy the technology.
While the music industry has declined to comment on the technology at this
point, Klaas Evelein, a lawyer for Solv, points out that LWDRM recognizes
fair use, and would allow record labels to sue users for transgressing the
limits of the certificate, rather than the vague charge of sharing files.
- http://www.wired.com/news/digiwood/0,1412,62739,00.html?tw=wn_tophead_3
- Title: Foundation showcases data-sharing network, urges action
- Source: GovExec.com
- Date Written: March 22, 2004
- Date Collected: March 23, 2004
- Members of the Markle Foundation Task Force on National Security in the
Information Age called for a homeland security information network and
demonstrated a prototype at a Stanford University law school discussion
panel. After the September 11 terrorist attacks, many people talked about
the failure of intelligence agencies to "connect the dots," according to
Markle president Zoe Baird. However, government has not yet leveraged
information technology to address the problem. The task force conducted an
eighteen month study of government information practices, finding that
officials rely heavily on paper, tend to compartmentalize information, and
are slow to share it across agencies. The demonstration database system can
make "fuzzy links" between data, and can assign differing security
clearances to different bits of information within the same record,
eliminating the need for agencies to redact their records before sharing
them.
- http://www.govexec.com/dailyfed/0304/032204tdpm2.htm
Vulnerabilities & Exploits
- Title: IE flaw exposes weakness in Yahoo! filtering
- Source: The Register
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- Israeli security firm GreyMagic Software warns users of a "severe"
cross-scripting vulnerability between Internet Explorer's HTML+TIME
(Hypertext Markup Language + Timed Interactive Multimedia Extensions) and
Hotmail and Yahoo! webmail services, which could allow an attacker to run
arbitrary code on a computer by sending it via e-mail to a target. Such code
could allow the attacker to steal passwords or take control of a machine.
The flaw in Explorer's HTML+TIME weakens Hotmail's and Yahoo's filters,
allowing malware to slip through; users with up-to-date firewalls and
antivirus are likely to be protected. GreyMagic has worked with Microsoft
and Hotmail to fix the vulnerability, but was unable to contact Yahoo's
security department. Greymagic warns that other webmail services may be
vulnerable.
- http://www.theregister.co.uk/content/55/36462.html
Civil & Consumer Issues
- Title: New Zealand to 'legalise CD piracy' - music biz
- Source: The Register
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- Music industry companies are criticizing a proposal to alter New Zealand
copyright laws, saying it would, in the words of Sony Music's New Zealand
chief Michael Glading, "open the floodgates" of piracy. The proposal would
allow New Zealand consumers to make a copy of legally purchased compact
discs for personal use, similar to American 'fair use' rights. The measure,
recommended by the Economic Development Ministry, is intended to recognize
an already widespread consumer practice. Copying a CD for a third party
would still be illegal. Mr. Glading argues that the measure sends a message
that piracy is permissible, while Australian Recording Industry Association
chief executive Terence O'Neill-Joyce warns that "copycat kiosks" will
appear all over the country if the measure is passed.
- http://www.theregister.co.uk/content/6/36467.html
- Also - http://www.nzherald.co.nz/storydisplay.cfm?storyID=3556361&thesection=news&thesubsection=general
- Title: When Gaming is a Gamble
- Source: Security Focus
- Date Written: March 22, 2004
- Date Collected: March 23, 2004
- US prosecutors have begun pursuing entities--banks, broadcasters,
Internet service providers, advertisers--connected with online casinos for
"aiding and abetting" illegal wagers and knowingly using wire communications
for wagers with interstate and foreign parties. Prosecutors contend that
these laws apply even when the online casinos are legal in their host
countries. This creates a danger for information technology professionals,
who could become targets for prosecution by consulting for the security of a
casino's website. This creates a legal responsibility for security
professionals to inquire why an organization seeks their services, and judge
whether that organization may violate the laws of any country whose citizens
might connect to the site. Thus, a security professional who provides Norton
utilities to executives could be implicated for assisting corporate fraud,
or face capital charges in China for helping to set up a Free Tibet website.
- http://www.securityfocus.com/columnists/229
- Title: Record Industry Sues 532 More File-Sharers
- Source: Reuters
- Date Written: March 23, 2004
- Date Collected: March 23, 2004
- The Recording Industry Association of America (RIAA) filed 532 lawsuits
against file-sharers March 23, 2004, bringing its 2004 total up to 1,595
lawsuits. The new batch of lawsuits includes 89 users on college networks.
These lawsuits are so-called "John Doe" lawsuits, since the RIAA cannot yet
obtain the identities of the file-sharers after an appeals court curtailed
the RIAA's subpoena powers in December 2003. The RIAA is now seeking court
issued subpoenas for that purpose.
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4637053&section=news
To change your delivery preferences please go
to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi If you wish to
stop receiving the 'Security in the News' service please go
to: http://news.ists.dartmouth.edu/substop.html
The Institute for
Security Technology Studies (ISTS) accepts no responsibility for any error
or omissions in this e-mail. The information presented is a compilation of
material from various sources and has not been verified by staff of the
ISTS. Therefore, the ISTS cannot be made responsible for the factual
accuracy of the material presented. The ISTS is not liable for any loss or
damage arising from or in connection with the information contained in this
report. It is the responsibility of the user to evaluate the content and
usefulness of this information. References in this e-mail to any specific
commercial products, processes, or services by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply endorsement,
recommendation, or favoring by the ISTS. ISTS is a research, not
operational, organization, and makes its Security in the News e-mail
available as a public service on a best-effort basis. Security in the News
will be sent out on most business days, but not all.
Institute for
Security Technology Studies Dartmouth College 45 Lyme Road, Suite
200 Hanover, NH 03755 Tel: (603) 646 0700 E-mail:
dailyreport@ists.dartmouth.edu