FW: Security In The News - March 31, 2004
- From: Howell, Paul
- Date: Wed Mar 31 17:13:06 2004
Security In The News - LAST UPDATED: 3/31/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
- DHS struggles to close vulnerabilities in nation's infrastructure - Government Computer News, 3/31/04
- GAO sees threats to industrial systems - Federal Computer Week, 3/31/04
- DHS says it can handle cyberattacks - Federal Computer Week, 3/30/04
- Yoran Rejects Claims Of Slow Progress In Securing Key IT Systems - Information Week, 3/30/04
Cybercrime-Hacking
- Cybercrime's True Price: Crime May Not Pay, But Someone Has To Pick Up The Cost - Security Pipeline, 3/29/04
- Scientist nabbed for SARS scam: Cops: Suspect bilked pals - Boston Herald, 3/31/04
- The rise of the white collar hacker - The Register, 3/30/04
- Police urge firms to share e-crime details - vnunet.com, 3/31/04
Politics-Legislation
- NSW bans workplace cyber-snooping - The Register, 3/31/04
- E-voting gets the chop at the Pentagon - Silicon.com, 3/31/04
Vulnerabilities & Exploits
- Trademarks lost in computer crash - Royal Gazette, 3/31/04
- Investigation info kept by Hokkaido police officer leaked - Mainichi Shimbun, 3/31/04
- Linux vs. Windows: Which Is More Secure? - EWeek.com, 3/30/04
Best Practices & Risk Management
- The New Economics of Information Security - Security Pipeline, 3/29/04
Civil & Consumer Issues
- MP3 Phone Disputes Show Sign of Settlement - The Korea Times, 3/31/04
- Music industry loses in downloading case - CTV.ca, 3/31/04
Homeland Security & Infrastructure Protection
- Title: DHS struggles to close vulnerabilities in nation's infrastructure
- Source: Government Computer News
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- James F. McDonnell, director of DHS (Department of Homeland Security)
Protective Security Division, speaking before a House Government Reform
Subcommittee, said DHS has identified 1,700 facilities across the United
States that pose a risk to critical infrastructures, but lacks the authority
to mandate corrective measures, especially since most are held in the
private sector. Robert F. Dacey, the General Accounting Office's (GAO)
director for information security issues, named supervisory control and data
acquisition (SCADA) systems as a chief source of vulnerabilities as SCADA
software becomes more standardized and includes remote connections. A GAO
report recommends that DHS "develop and implement a strategy for
coordinating with the private sector and other governmental agencies to
improve control system security," a job Mr. McDonnell claims as his
responsibility. His division has already established a Control Systems
Section, which identified the 1,700 vulnerable systems, 565 of which have
SCADA controls.
- http://www.gcn.com/vol1_no1/daily-updates/25443-1.html
- Title: GAO sees threats to industrial systems
- Source: Federal Computer Week
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- The General Accounting Office (GAO) has released a report outlining
dangers to critical infrastructures, such as electrical grids, oil
refineries and pipelines, and water systems, due to the increasing use of
computer control systems. GAO identified four factors contributing to the problem:
control systems increasingly rely on general purpose Windows and Unix
systems; Supervisory Control and Data Acquisition (SCADA) systems are
connected to the Internet and other networks; connections often lack such
protections as authentication and encryption; and information about control
systems and infrastructure is available to the public through industry and
government publications, as well as the Internet. GAO's director of
information technology issues, Robert Dacey, notes that SCADA systems have
already been targeted for cyberattacks, as with a sewage treatment plant in
Australia in 1999 and a nuclear plant in Ohio.
- http://www.fcw.com/fcw/articles/2004/0329/web-scada-03-30-04.asp
- Title: DHS says it can handle cyberattacks
- Source: Federal Computer Week
- Date Written: March 30, 2004
- Date Collected: March 31, 2004
- Department of Homeland Security (DHS) officials testified before the
House Select Committee on Homeland Security, arguing that DHS has the means
and authority to respond to a cyberattack against critical infrastructures,
despite recent reports that DHS remains disorganized and lacks coordination
with other federal, state, and local agencies, and the private sector.
Robert Liscouski said that DHS had communications lines ready for an
emergency to coordinate a national response, while Presidential Directive
Number 7 gives DHS the authority. The DHS National Cyber Security Division
has $79 million for fiscal year 2005 to build a national system for
cybersecurity preparedness. The department will use Trusted Agent FISMA to
comply with the Federal Information Security Management Act (FISMA) of 2002.
- http://www.fcw.com/fcw/articles/2004/0329/web-dhs-03-30-04.asp
- Title: Yoran Rejects Claims Of Slow Progress In Securing Key IT Systems
- Source: Information Week
- Date Written: March 30, 2004
- Date Collected: March 31, 2004
- Amit Yoran, director of Homeland Security's National Cyber Security
Division (NCSD), rejects claims of disorganization at the department and
points out NCSD accomplishments in an interview with InformationWeek. Mr.
Yoran does not believe the six-month delay in naming someone to his post
has delayed NCSD initiatives, pointing out that the development of the
National Strategy to Secure Cyber Space occurred before the establishment of
Homeland Security, and that Robert Liscouski, assistant secretary for
infrastructure protection, was fully involved in the process before Mr.
Yoran began work there. US-CERT (United States Computer Emergency Response
Team) was created to coordinate cybersecurity activities among government
and private groups, and the National Cyber Alert System was created to
identify and analyze threats, providing information to over one million
people. The National Cyber Security Summit brought government and industry
together to develop a framework for corporate security governance. Homeland
Security also worked with the Institute for Security Technology Studies at
Dartmouth College to conduct Livewire, a simulated cyberattack against
public and private organizations, which pointed to needed processes to
improve security. The department works with a number of colleges and
universities to develop security initiatives.
- http://www.informationweek.com/story/showArticle.jhtml?articleID=18600292
Cybercrime-Hacking
- Title: Cybercrime's True Price: Crime May Not Pay, But Someone Has To Pick Up The Cost
- Source: Security Pipeline
- Date Written: March 29, 2004
- Date Collected: March 31, 2004
- Most companies that suffer breaches due to cybercrime experience little
direct cost as a result; however, difficult-to-measure indirect costs can
significantly damage a company. Direct costs include such expenses as
intrusion detection systems, overtime as staff fix the problem, and lost
productivity. Such unexpected costs are part of everyday operations.
Indirect costs come as lost sales, weakened customer relations, and legal
liability. Research led by Professors Lawrence A. Gordon and Martin P. Loeb
found that a company's stock price remained stable after news of a breach,
unless confidential information was leaked. Leaks usually prompt an average
5% loss in market valuation. The research suggests companies should focus
more on protecting confidential data than on preventing cyberattacks.
- http://informationweek.securitypipeline.com/18600229jsessionid=TIGYDJM0U00PKQSNDBCSKHQ
- Title: Scientist nabbed for SARS scam: Cops: Suspect bilked pals
- Source: Boston Herald
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- Boston police officers have arrested Weldong Xu, a professor at Harvard
University and researcher at the Dana-Farber Cancer Institute, for swindling
$600,000 from 35 friends, students, and colleagues in an Internet scam. Mr.
Xu began the scam in July 2003 after receiving an e-mail claiming to come
from Nigerian businessmen offering $50 million profit, also known as the 419
e-mail scam. Mr. Xu collected the money under the pretense of starting a
SARS (Severe Acute Respiratory Syndrome) research institute in China; one
friend put a second mortgage on his house for Mr. Xu. Mr. Xu had not
realized that he himself had fallen victim to a scam when police arrested
him.
- http://news.bostonherald.com/localRegional/view.bg?articleid=3118
- Title: The rise of the white collar hacker
- Source: The Register
- Date Written: March 30, 2004
- Date Collected: March 31, 2004
- Assistant Commissioner Tarique Ghaffur, head of Scotland Yard's
specialist crime directorate, speaking at the Computer and Internet Crime
Conference in London, says that computer crimes are increasingly being
committed by information technology professionals. However, most companies,
when they discover employees guilty of fraud or misusing computer systems,
simply fire the employee rather than report the incident to police. Police
often arrest suspects who had been fired several times before the arrest. Mr.
Ghaffur says that traditional crimes are increasingly committed in
cyberspace, but police have insufficient funding and resources to
investigate them. Mr. Ghaffur called for a separate cybercrime statistic to
measure the scope of the problem. The Serious and Organized Crime Agency
(SOCA), which will begin operating in 2006, combining the roles of the
National Crime Squad, National Intelligence Service, Immigration and Customs
and Excise, should also address cybercrime according to Mr. Ghaffur.
- http://www.theregister.co.uk/content/55/36663.html
- Title: Police urge firms to share e-crime details
- Source: vnunet.com
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- Speaking at the Computer and Internet Crime Conference in London,
Tarique Ghaffur, assistant commissioner of the Metropolitan Police, called
for greater intelligence sharing between police and businesses to identify
current and developing crime trends. According to Mr. Ghaffur, police have
"huge intelligence gaps" on the latest scams, which businesses can fill. The
Metropolitan Police says that it will keep details provided by companies
confidential. Mr. Ghaffur welcomed proposals to update the Computer Misuse
Act of 1990, but warned against over-regulation.
- http://www.vnunet.com/News/1153957
Politics-Legislation
- Title: NSW bans workplace cyber-snooping
- Source: The Register
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- Lawmakers in Australia's New South Wales are considering regulations in
the Exposure Bill that would prohibit employers from covertly surveilling
staff without "reasonable suspicion of wrongdoing by an employee." The
measure would prohibit the use of technology such as video cameras, e-mail
monitoring software, and tracking devices. Employers argue that such
measures are often necessary to protect business interests; one survey found
that four out of five employers monitor e-mails, phone calls, and Internet
usage. Trade unions welcome the measure, as employees expect privacy during
private phone calls and conversations. The United Kingdom Information
commissioner released similar guidelines, the Employment Practices Data
Protection Code, in 2003, but some critics find it too vague to effectively
safeguard workplace privacy.
- http://www.theregister.co.uk/content/55/36700.html
- Title: E-voting gets the chop at the Pentagon
- Source: Silicon.com
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- The US Defense Department has indefinitely called off plans for overseas
Americans to vote in elections over the Internet, citing security risks.
Over $22 million had been spent on an Internet voting program, with a test
run in fifty countries in February 2004. However, Internet votes were
considered too insecure to count in elections, while their electronic nature
prevents a recount. Deputy Defense Secretary Paul Wolfowitz called off the
project temporarily in January 2004, pending a security review, but has
since halted the program indefinitely. Other electronic voting trials in the
United States have met with mistakes, such as some precincts with a voter
turnout over 100%. Ireland is also experimenting with e-voting, and is
conducting a security study after public concerns about electoral fraud.
- http://www.silicon.com/research/specialreports/protectingid/0,3800002220,39119704,00.htm
Vulnerabilities & Exploits
- Title: Trademarks lost in computer crash
- Source: Royal Gazette
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- Bermuda's Trademark Registry computer system crashed in early March,
losing data on 37,000 trademarks. The Registry's back-up system also failed,
so only half of the trademarks were restored. Staff at the Registry General
are now restoring the rest of the trademarks by manually inputting all data
collected since 1999. New trademark applications are on hold during the
restoration. Trademark lawyers are currently unable to access the database
for research. The computer crash may cause problems for the Bermudan
government's efforts to market the country as a leading e-business and
intellectual property center.
- http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20040327/NEWS/103270075
- Title: Investigation info kept by Hokkaido police officer leaked
- Source: Mainichi Shimbun
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- Hokkaido Prefectural Police officials have announced that personal
information on eight individuals kept on a personal computer by an officer
has been leaked and posted on a website. The data come from six cases and
contain names, birthdates, addresses and workplaces of suspects and
victims. The officer in question denies intentionally leaking the data.
Michio Takahashi, general affairs chief at the prefectural police, plans to
increase training on the proper handling of sensitive data to prevent
similar occurrences. The data cannot be deleted from the website until the
owner has been identified. A similar incident occurred two days previously
when data on ten people leaked from an officer's computer in Kyoto.
- http://mdn.mainichi.co.jp/news/20040331p2a00m0dm005000c.html
- Title: Linux vs. Windows: Which Is More Secure?
- Source: EWeek.com
- Date Written: March 30, 2004
- Date Collected: March 31, 2004
- Forrester Research has released a study entitled "Is Linux More Secure
than Windows?" finding a more complicated answer than popular belief.
Security vulnerabilities follow a timeline: first the flaw is publicly
disclosed; next developers work up a patch for the flaw; skilled hackers
build an exploit a little bit after patch release, and publish it for
unskilled "script kiddies." It is between the time of exploit publication
and patch application by end users that most breaches occur. From June 1,
2002 to May 31, 2003, Forrester found that Microsoft fixed 100% of its flaws
within an average of 25 days. 67% of its flaws were considered
high-severity. Red Hat Linux fixed all but one of its 299 vulnerabilities,
99.6%, within 57 days, but only 56% were rated high-severity. Mandrake and
SuSE had high-severity flaw rates of 63% and 60% respectively, and took a
long time to release a patch. Forrester did not make a recommendation, but
recognized Microsoft and Debian Linux as the fastest patch developers.
Forrester is concerned that Microsoft's monthly patch schedule could delay
important fixes.
- http://www.eweek.com/article2/0,1759,1557749,00.asp
Best Practices & Risk Management
- Title: The New Economics of Information Security
- Source: Security Pipeline
- Date Written: March 29, 2004
- Date Collected: March 31, 2004
- Information technology managers need to make economic decisions when
protecting their networks in order to justify their budgets to chief
financial officers (CFOs). Many have begun using arguments based on return
on investment (ROI) with mixed success. CFOs and other managers tend toward
capital-budgeting techniques such as net present value and internal rate of
return. Many IT managers find these techniques useful in making better
security decisions. Net present value is based on the value of money over
time; receiving $100 today is better than receiving it a year from now,
since a person can invest it and profit during the year. Such thinking shows
how security investments can save a company money over the long term, while
ROI is more of a short term accounting technique. Economics also has
relevance in externalities--just as a factory does not have to bear the cost
of pollution downwind of its smokestacks, so companies do not bear the cost
of another company's security breach resulting from their own breach.
Companies also have little incentive for information sharing due to the
problem of free-riders.
- http://informationweek.securitypipeline.com/18600228jsessionid=TIGYDJM0U00PKQSNDBCSKHQ
Civil & Consumer Issues
- Title: MP3 Phone Disputes Show Sign of Settlement
- Source: The Korea Times
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- Samsung Electronics is reaching a settlement with the Korea Association
of Phonogram Producers (KAPP) over the sale of mobile phones capable of
playing .mp3 music files. Under government mediation, Samsung agreed that
users could download a file and listen to it for three days; Samsung had
originally argued for four days, while KAPP argued for only two. LG
Electronics continues to argue for a five-day listening period, but KAPP is
negotiating with sister company LG Telecom. After a two month grace period,
both providers will likely switch to lower quality free music files, while
charging for higher quality files.
- http://times.hankooki.com/lpage/tech/200403/kt2004033117544211810.htm
- Title: Music industry loses in downloading case
- Source: CTV.ca
- Date Written: March 31, 2004
- Date Collected: March 31, 2004
- A Canadian Federal Court has ruled against a Canadian Recording Industry
Association (CRIA) request for a court order requiring Internet service
providers to disclose the identities of 29 people believed to have traded
music online. CRIA currently has only the alleged traders' nicknames but
hoped to get further details from the court order. However, the judge found
insufficient evidence that the 29 distributed or authorized the reproduction
of sound recordings, or that the ISPs could identify the individuals. The
people in question may have "merely placed personal copies onto shared
directories on their computers which were accessible by other computer users
via an online download service," the judge wrote. Some lawyers believe
CRIA's case suffered from "legal sloppiness," and may have better results if
they revise their case.
- http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1080754657038_76163857///?hub=TopStories
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/substop.html

The Institute for Security Technology Studies (ISTS) accepts no responsibility for any errors or omissions in this e-mail. The information presented is a compilation of material from various sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be made responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in this e-mail to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, do not constitute or imply endorsement, recommendation, or favoring by the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News e-mail available as a public service on a best-effort basis. Security in the News will be sent out on most business days, but not all.

Institute for Security Technology Studies, Dartmouth College, 45 Lyme Road, Suite 200, Hanover, NH 03755. Tel: (603) 646 0700. E-mail: dailyreport@ists.dartmouth.edu