Network Security
FW: Security In The News - March 30, 2004
- From: Howell, Paul
- Date: Tue Mar 30 17:03:18 2004
Security In The News (LAST UPDATED: 3/30/04). This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
- Manchester internet outage to continue (vnunet.com, 3/30/04)
- SCADA security hearing begins today (SearchSecurity, 3/30/04)
- GAO: Feds unprepared for calamity (Federal Computer Week, 3/29/04)
Cybercrime-Hacking
- Hackers in demand! (Cyber India Online, 3/30/04)
Politics-Legislation
- VoIP regulation may heat up next year (Network World Fusion, 3/30/04)
- Utah withdraws from anti-terrorism network (Government Computer News, 3/30/04)
Malware
- New Netsky variant blames users (Computerworld, 3/30/04)
Technology
- Info security manpower demand to rise: Nasscom (Hindustan Times, 3/30/04)
- Young SAML must conquer business pressures (SearchSecurity, 3/29/04)
Vulnerabilities & Exploits
- ISS slammed for 'selling' security patches (ZDNet UK, 3/30/04)
- Human Nature vs. Security (Security Focus, 3/29/04)
Civil & Consumer Issues
- Music Trade to Sue European, Canadian File-Sharers (Reuters, 3/30/04)
- File-sharing has no impact on CD sales, says research (Silicon.com, 3/30/04)
- One billion people to get biometrics and RFID tracking by 2015 (Silicon.com, 3/30/04)
- French Music Industry Prepares to Sue Net Pirates (Reuters, 3/30/04)
Homeland Security & Infrastructure Protection
- Title: Manchester internet outage to continue
- Source: vnunet.com
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- More than 130,000 Internet users are offline after a fire destroyed
fiber cables at British Telecom (BT), affecting both modem and ADSL
(Asymmetric Digital Subscriber Line) customers. BT engineers do not know
when service will restart, as they are still assessing the damage from the
fire that happened in tunnels 30 meters below the streets. BT officials have
not yet decided whether customers should be compensated for the down time,
as they are focusing on getting emergency 999 phone services back online.
During the outage, users in the Greater Manchester area should use mobile
phones to contact police. Fire service officers have not yet determined the
cause of the fire, but first signs indicate electrical problems.
- http://www.vnunet.com/News/1153923
- Title: SCADA security hearing begins today
- Source: SearchSecurity
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- The August 2003 blackout in the northeastern United States highlighted
possible vulnerabilities in SCADA (Supervisory Control and Data Acquisition)
systems used to control electrical grids and other critical infrastructures.
Andre Yee, president of NFR Security, argues that administrators have a
false sense of security regarding their SCADA systems, since they are
specialized, deployed on closed networks, and use proprietary protocols.
However, they are real-time systems that cannot be taken offline for
upgrade, are increasingly web accessible, and use Windows and Unix systems.
Members of a House subcommittee on technology will hear testimony regarding
SCADA systems from two panels. The first includes the General Accounting
Office, the Department of Homeland Security, and a senior Computerworld
writer, while the second includes consultants and an information security
director for American Electric Power.
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci957331,00.html
- Title: GAO: Feds unprepared for calamity
- Source: Federal Computer Week
- Date Written: March 29, 2004
- Date Collected: March 30, 2004
- The General Accounting Office (GAO) has released a report finding that
federal agencies are not prepared to continue operations through a serious
natural disaster or terrorist attack. The GAO criticized the Federal
Emergency Management Agency (FEMA) for failing to provide guidelines and
reviews for agencies' continuity of operations plans (COOPs). Representative
Tom Davis (R-Virginia), chair of the House Government Reform Committee,
expressed concern that agencies have not yet developed such plans; the
committee plans to hold hearings into the report after the April 2004
recess. While 20 of the 23 largest civilian departments had COOPs in whole
or part, none could prove they followed the guidance of Federal Preparedness
Circular 65. GAO recommends that the secretary of Homeland Security set a
May 1 deadline for agencies to develop COOPs with the oversight of the
undersecretary.
- http://www.fcw.com/fcw/articles/2004/0329/web-gao-03-29-04.asp
Cybercrime-Hacking
- Title: Hackers in demand!
- Source: Cyber India Online
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- The International Council of E-Commerce Consultants (EC-Council) has
partnered with India's Ministry of Information Technology to offer
training for Certified Ethical Hackers (CEH). The CEH Program covers
twenty-two domains of network security from a vendor neutral approach. The
EC-Council has training programs in thirty countries, with ten more to join
in April 2004. India is increasingly realizing the importance of information
technology security as more businesses use Indian firms for back office
operations. The EC-Council also plans to launch Computer Hacking Forensic
Investigator and a Masters in Security Science certifications in India.
- http://www.ciol.com/content/news/2004/104033010.asp
Politics-Legislation
- Title: VoIP regulation may heat up next year
- Source: Network World Fusion
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- According to speakers at the Voice on Net conference, 2005 should be an
active year for Voice over Internet Protocol (VoIP) regulation. Julie Veach,
assistant chief in the Federal Communications Commission (FCC) wireline
competition bureau, notes several pending petitions that should be decided
within twelve to fifteen months, while Blair Levin, a former FCC official,
does not expect any ruling until after the November 2004 Presidential
elections. Carl Wood, a commissioner at the California Public Utilities
Commission, believes 2005 would be an opportune time to address regulatory
concerns, before users switch to the technology in mass numbers. Some issues
to be addressed are universal access, 911 emergency calls, and wiretapping
for law enforcement. The FCC appears reluctant to regulate VoIP, while state
governments stand to lose revenue as users switch away from traditional
phone networks.
- http://www.nwfusion.com/news/2004/0330voipregul.html
- Title: Utah withdraws from anti-terrorism network
- Source: Government Computer News
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- Utah governor Olene Walker has announced that the state will not renew
its participation in the Multistate Anti-terrorism Information Exchange
(Matrix). Ms. Walker postponed Utah's involvement January 29, 2004 until the
program could undergo a committee review. Utah is the eleventh state to
leave the Matrix program, citing either financial or privacy concerns.
Connecticut, Florida, Michigan, Ohio, and Pennsylvania are still
participating. Matrix began as a system for state and local law enforcement
to share data from criminal records, public records, and some commercial
databases. The American Civil Liberties Union (ACLU) has objected to the
project on the grounds that there is little to no public oversight. Utah's
review committee recommended withdrawing from the program until such
oversight has been addressed to the satisfaction of the legislature.
- http://www.gcn.com/vol1_no1/daily-updates/25429-1.html
Malware
- Title: New Netsky variant blames users
- Source: Computerworld
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- Antivirus companies are reporting a seventeenth variant of Netsky,
Netsky.Q, programmed to launch a distributed denial of service (DDoS) attack
against peer-to-peer networks, containing a message blaming users for the
spread of viruses. The message also claims that Netsky.Q's authors want to
stop illegal file-trading. Netsky.Q arrives as either a .pif (program
information file) or .zip e-mail attachment, but also exploits a Microsoft
hole that launches files attached to any e-mail a user reads. The e-mail
disguises itself as an automatic "Delivery Error" message. Netsky.Q will
forward itself to e-mail addresses on March 31, April 5, 12, 19, and 26,
2004. It will launch DDoS attacks against Kazaa, and pirated software
websites www.edonkey2000.com and www.cracks.am on April 7 and 12. The worm's
code claims its author is Skynet Antivirus, based in Russia, declaring
opposition to "hacking, sharing with illegal stuff and similar illegal
content."
- http://www.computerworld.com/securitytopics/security/virus/story/0,10801,91751,00.html
Technology
- Title: Info security manpower demand to rise: Nasscom
- Source: Hindustan Times
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- According to Nasscom (National Association of Software and Service
Companies), demand for information security specialists will grow in the
Indian information technology sector from 18,000 in 2004 to 77,000 in 2008.
Worldwide demand will rise from 60,000 to 188,000. As demand is increasing,
so is scarcity; the United States will have a shortage between 25,000 and
50,000 professionals. Fewer than 10,000 professionals will have working
security knowledge, leading to a global shortage of 100,000. Companies are
beginning to realize the importance of security to defend business
operations, increasing demand for professionals from $8 billion in 2001 to
$23.6 billion by 2006.
- http://www.hindustantimes.com/news/181_649955,0003.htm
- Title: Young SAML must conquer business pressures
- Source: SearchSecurity
- Date Written: March 29, 2004
- Date Collected: March 30, 2004
- OASIS (Organization for the Advancement of Structured Information
Standards) has announced that SAML (Security Assertion Markup Language) 2.0
will be released in summer 2004, incorporating features of the SAML 1.1 web
service security standard with Liberty Alliance specifications into a single
framework. The Burton Group finds SAML to be an effective technology for
single sign-on web service, but only 10% of corporations are using it, due
to the standard's youth and internal business pressures. Early adopters,
such as financial services, manufacturing, government, telecommunications,
higher education, and insurance find federated identities cut down costs.
SAML offers organizations security and interoperability with such standards
as Web Services-Security. However, SAML's youth makes it difficult to audit
for regulatory compliance.
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci957001,00.html
Vulnerabilities & Exploits
- Title: ISS slammed for 'selling' security patches
- Source: ZDNet UK
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- Internet Security Systems (ISS) has received criticism for providing
security patches only to customers with an up to date maintenance contract
as the Witty worm exploited vulnerabilities in BlackIce and RealSecure. The
Witty worm delivered a destructive payload that regularly wrote random data
to the hard drive, eventually crashing the computer. Johan Beckers, an ISS
director of technology solutions, said that customers could have updated
their systems against Witty, but admitted that most of the 12,000 infected
computers were probably companies with expired contracts. Mr. Beckers had no
immediate response when ZDNet UK suggested that it was irresponsible to only
upgrade customers with contracts when ISS had sold flawed products to those
who did not renew the contract. Mr. Beckers promised to study the issue.
Richard Starnes, vice president of Information Systems Security Association
(ISSA) United Kingdom, says he has never heard of a company trying to sell
security patches before.
- http://news.zdnet.co.uk/software/developer/0,39020387,39150016,00.htm
- Title: Human Nature vs. Security
- Source: Security Focus
- Date Written: March 29, 2004
- Date Collected: March 30, 2004
- Daniel Hanson discusses the social engineering tactics used by the
MyDoom, Netsky, and Bagle worms. Mr. Hanson used to believe that the average
user could be made security conscious if given one or two simple rules and
explanations for them. However, the complexity of recent social engineering
attacks has changed that view. In order to be infected with one of the three
viruses going around, a user had to open an e-mail message, open a picture
of a password, open a .zip file, type in the password from the picture, then
run the executable from the .zip file. Security professionals need to change
the social pattern, but no technological solution can do so as long as end
users make the final decision: "Fool the user, fool the technology." It is
human nature to look for the fastest, easiest, most efficient way of doing
something, and most users will not realize the risks of their behavior until
they fall victim to an attack.
- http://www.securityfocus.com/columnists/231
Civil & Consumer Issues
- Title: Music Trade to Sue European, Canadian File-Sharers
- Source: Reuters
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- The International Federation of Phonographic Industry (IFPI) has
launched lawsuits against 247 people in Germany, Denmark, Italy, and Canada,
alleging that they have put hundreds or thousands of song files on
peer-to-peer (P2P) file-trading networks such as Kazaa and WinMX. The music
industry blames file-traders for a five-year slump in CD sales. Jay Berman,
chair of the IFPI, argued that consumer education efforts have failed,
necessitating the lawsuits. Some analysts, such as Jupiter Research's Mark
Mulligan, question the IFPI's decision to pursue lawsuits before legitimate
download services have had a chance to penetrate European markets. IFPI
expects to target file-traders in more countries in the following weeks.
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4697645&section=news
- Title: File-sharing has no impact on CD sales, says research
- Source: Silicon.com
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- Professors Felix Oberholzer-Gee, of Harvard Business School, and Koleman
Strumpf, of the University of North Carolina, have released a study
disputing the numbers used by the music industry in its anti-piracy
arguments. The two professors found that file-sharing has "no statistically
significant effect" on album sales, nor should it affect the supply of
recorded music. The study analyzed logs from two OpenNap servers to observe
1.75 million downloads over seventeen weeks in 2002. The research found that
the average user logged in only twice during the study to download about
seventeen songs. Some overshot the average, such as one individual who
logged in 71 times for 5,000 songs. They tracked downloads against sales
charts, and found that it would take 5,000 downloads to displace the sale of
one compact disc.
- http://www.silicon.com/networks/webwatch/0,39024667,39119638,00.htm
- Title: One billion people to get biometrics and RFID tracking by 2015
- Source: Silicon.com
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- Thirty-nine human rights groups from Europe, North America, Australia,
and Asia have written an open letter to the International Civil Aviation
Organization (ICAO) disapproving of plans to build an international identity
register and to include biometric data and RFID (radio frequency
identification) tags in all passports by 2015. The letter argues that the
ICAO plan may endanger human rights and that the use of facial recognition
may be technically unsound. Among the thirty-nine are such organizations as
Privacy International, the Foundation for Information Policy Research, the
Electronic Frontier Foundation and the American Civil Liberties Union. ICAO
will meet in Cairo, Egypt to discuss the plan, which would make facial maps
and RFID mandatory, with an option for fingerprints for interested
governments. British Home Secretary David Blunkett has already proposed
putting biometrics on identity cards, while the United States fingerprints
and photographs foreign visitors.
- http://www.silicon.com/research/specialreports/protectingid/0,3800002220,39119660,00.htm
- Title: French Music Industry Prepares to Sue Net Pirates
- Source: Reuters
- Date Written: March 30, 2004
- Date Collected: March 30, 2004
- Hervé Rony, head of France's Syndicat National de l'Edition
Phonographique (SNEP) says the French music industry will soon launch
lawsuits against file-traders, joining the International Federation of the
Phonographic Industry (IFPI) in its legal campaign, which has already
targeted 247 people in Italy, Germany, Denmark and Canada. Mr. Rony said the
French effort would not only pursue file-traders, but also pressure Internet
service providers (ISPs) to implement filters to prevent music piracy. The
SNEP reports that music sales in France have slipped 30% since broadband
Internet took off in October 2002.
- http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4701754
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/substop.html
The Institute for Security Technology Studies (ISTS) accepts no responsibility for any errors or omissions in this e-mail. The information presented is a compilation of material from various sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be held responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in this e-mail to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise do not constitute or imply endorsement, recommendation, or favoring by the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News e-mail available as a public service on a best-effort basis. Security in the News will be sent out on most business days, but not all.
Institute for Security Technology Studies, Dartmouth College, 45 Lyme Road, Suite 200, Hanover, NH 03755. Tel: (603) 646 0700. E-mail: dailyreport@ists.dartmouth.edu