Spam and Related Technologies Blog

This site has been created to log references to spam and related technology issues.
If you have any suggested additions, please contact me.



Sorry, I am no longer updating this blog ...

You might check with ACM's Tech News for more information.


From the New York Times, January 30, 2007.

A Lively Market, Legal and Not, for Software Bugs
Brad Stone

Software vulnerabilities are bought and sold online, both by legitimate security companies and by thieves. Read the article

From ACM's TechNews, October 13, 2006.

Safe Internet Requires Total Network Security, Prof. Says
Wisconsin Technology Network (10/11/06) Plas, Joe Vanden

As Internet security threats change from being recognition-driven to being profit-driven, entire networks must be secured. Those writing malicious code are becoming increasingly motivated and innovative. "It is very clear now that there are people who are making a lot of money by malicious activity, that organized crime is getting involved in malicious activity, and this represents a very, very serious development from the standpoint that it also means that the bad guys are getting much more organized and focused in their activities," says Paul Barford, assistant professor in the University of Wisconsin-Madison Department of Computer Sciences and the school's Advanced Internet Laboratory. With hacking software becoming increasingly easier to use for less-than-professionals, businesses must change their approach to security. Simply using firewalls and security software is no longer enough, even with such products becoming more automated and easier to use. What is needed to combat the rising threat is a combination of security that is present at all levels, placing barrier after barrier in the way of potential hackers, says security architect Mark Hartmann. "It's security in depth. Every device has its own role to play in security, from a laptop, to the network, to your firewall, to your applications," Hartmann says. At the Advanced Internet Laboratory, Barford leads a research team working on various projects that could lead to an improved Internet that can defend itself against attacks. The group's DOMINO project is focused on intrusion detection and monitoring, while the Global Environment for Network Innovations (GENI) project is tracking malicious activity. Barford says that "right now we have a significant lack of deployment of security in networks, and as we move forward with deploying the latest technology in networks, the wholistic approach to security is something that's really going to solve a lot of problems." Click Here to View Full Article

Geek Speak Bridles Information Security
Computerworld Australia (10/12/06) Gedda, Rodney

At this year's Australian Unix Users Group (AUUG) conference in Melbourne on Wednesday, software developers discussed the negative effects that a lack of usability has on cybersecurity. "A lot of the security stuff is designed by crypto geeks [and] because of a lack of usability, people can't apply them correctly," said University of Auckland computer scientist Peter Gutmann. Gutmann notes that a good deal of security standards were composed 10 years ago, without usability in mind, and have only been tweaked since then. "They would rather have 100 percent perfect software that's unusable than 99 percent perfect software that is usable," said Gutmann. OpenBSD developer Ryan McBride spoke out against intrusion detection systems, saying the technique has no ability to detect whether a virus is attacking or not. "I do IDS work for a Fortune 50 company and it's a case of 'Oh look, another box has a virus--go turn it off'...It's very hard to automate turning things off in security," McBride says. He believes the problem must be solved within the software, not IDS. A large portion of modern software is not safe, and people continue to use it, says Dr. Lawrie Brown, University of NSW School of IT senior lecturer. She adds that most people see computers as relatively new and do not understand the necessity of information security measures. Click Here to View Full Article

From ACM's TechNews, September 29, 2006.

ACM Security Experts Urge Paper Trails for Electronic Voting
Ascribe Newswire (09/28/06)

Ensuring that the U.S. election process is trustworthy is an important function of voter verified paper trails, stated former ACM President Barbara Simons at a congressional hearing reviewing security for electronic voting systems. Simons, founder of ACM's U.S. Public Policy Committee and co-chair of ACM's study of statewide registered voter databases, testified that all currently available e-voting systems carry risks, such as poor design, lack of thorough testing, limited audit capabilities, and inadequate software engineering. "Technology, if engineered and tested carefully, and if deployed with safeguards against failure, can reduce error rates, provide more accessibility, increase accountability, and strengthen our voting system," she noted, adding that the inclusion of a voter verified paper audit trail (VVPAT) or voter verified paper ballot (VVPB) will improve the security of voting systems and provide for routine audits. Princeton University computer science professor Edward Felten, a member of ACM's U.S. Public Policy Committee, urged that extra care must be taken in securing voting systems throughout the election process, and called for better certification for software updates to e-voting machines and increased employment of independent security experts. Simons and Felten concurred that the election and technical communities must collaborate to develop trustworthy computerized voting and electronic registration systems. Click Here to View Full Article

Study Shows Internet to Be Resilient Against Terror Attacks
Ohio State Research News (09/28/06)

Ohio State professor Morton O'Kelly is co-author of a new study that concludes that a serious attack on Internet network hubs in the U.S. would not likely collapse the Internet, but may degrade its functioning. "There are so many interconnections within the network that it would be difficult to find enough targets, and the right targets, to do serious damage to Internet reliability nationwide," says O'Kelly. Detailed results have been published in the most recent issue of the Environment and Planning B journal. The study used computer modeling to simulate an attack on major Internet backbone facilities, and assumed not all facilities could be attacked at once. Seattle and Boston have the most diverse set of hubs supporting Internet traffic among cities, and therefore are most resilient, the study concludes. The study, conducted with Ohio State graduate student Hyun Kim and professor Changjoo Kim, was a follow-up to a 2003 study by O'Kelly that assumed that selected city network nodes would be completely knocked out by accidents or attacks. O'Kelly says that is not a likely scenario since peering agreements between carriers make it very difficult to shut down an entire network node. O'Kelly says, "There is a rich web of connections in these Internet nodes, and a hit on a single city node or even several of them is not likely to wipe out Internet connectivity." Click Here to View Full Article

From ACM's TechNews, August 23, 2006.

Collaborative Spam Filtering Using E-Mail Networks
Computer (08/06) Vol. 39, No. 8, P. 67; Kong, Joseph S.; Rezaei, Benham A.; Sarshar, Nima

UCLA and University of Florida researchers have come up with a distributed, message-based system for filtering spam that allows users to query all their email clients to see if another user in the system has already flagged a suspect email as spam. This scheme permits users to make information queries without inundating the network, keeping bandwidth cost to a minimum while achieving a spam-detection rate of nearly 100 percent, at least in simulation. To address the performance, scalability, and trust issues inherent in collaborative spam filtering systems, the researchers turned to complex networks theory--which facilitates network dynamics analysis with statistical mechanics--to effectively exploit social email networks' topological properties; this was accomplished through the use of the percolation search algorithm, which supports the reliable retrieval of content in an unstructured network by analyzing only a small portion of the network, and the digest-based indexing scheme. The use of social email networks for the purpose of spam filtering eliminates the need for a server as well as a traditional peer-to-peer system. Upon receipt of an email, the client program first tries to ascertain whether the message falls into the categories of DefinitelySpam or DefinitelyNotSpam, which can be done via any traditional spam-filtering technique; if the message is determined to be definitely spam, a digest for the message is generated and then cached. If the email is suspected to be spam by the client program, the system is queried to see whether the email has already been labeled as spam by other network users through the implantation of each query message into the digest, after which the query message is percolated through the email contact network by nodes with an implanted query request. Hits are routed back to the node from where the query originates via the same pathway by which the query message arrived at the hit node, and then the client program quantifies the volume of hits received, tagging the message as spam if a constant threshold value is exceeded. The setup requires all nodes to forward all messages exchanged in the system anonymously to prevent anyone from employing the system to map out social connections. Click Here to View Full Article - Web Link to Publication Homepage
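The client-side procedure the summary describes (local classification, digest caching, a percolated query over the contact graph, hits returned along the reverse path, and a hit threshold) is easier to follow as a small simulation. The following is an added example written for this post; it is not code from the UCLA/Florida paper. The contact network, the keyword-based "traditional filter", the digest construction and the parameters (forward probability p, hop limit ttl, threshold) are all constructed assumptions, and the toy returns hit paths in the clear where the real design forwards anonymously.

```python
import hashlib
import random
from collections import deque

# Constructed toy e-mail contact network (undirected): user -> set of contacts.
# In the real scheme each user's own address book is the only topology they know.
CONTACTS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "dave", "erin"},
    "dave": {"bob", "carol", "frank"},
    "erin": {"carol"},
    "frank": {"dave"},
}


def message_digest(body: str) -> str:
    """Digest used for indexing. Case and whitespace are normalised first so
    that re-wrapped copies of one bulk mailing index to the same digest."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class Client:
    """One user's mail client: a local filter plus a cache of DefinitelySpam digests."""

    # Constructed stand-in for a traditional content filter.
    DEFINITE_SPAM_MARKERS = ("v1agra", "wire transfer fee")

    def __init__(self, name: str):
        self.name = name
        self.spam_digests = set()

    def local_classify(self, sender: str, body: str) -> str:
        if sender in CONTACTS[self.name]:
            return "DefinitelyNotSpam"
        if any(m in body.lower() for m in self.DEFINITE_SPAM_MARKERS):
            return "DefinitelySpam"
        return "Suspect"


def percolation_query(clients, origin, digest, p, ttl, rng):
    """Percolate a query carrying `digest` from `origin`: every node forwards it
    to each contact with probability p, for at most ttl hops. A node whose cache
    holds the digest is a hit, and the hit is routed back along the reverse of
    the path the query arrived on. Each node answers at most once."""
    hits = []
    seen = {origin}
    frontier = deque([(origin, [origin])])
    while frontier:
        node, path = frontier.popleft()
        if len(path) - 1 >= ttl:
            continue
        for contact in sorted(CONTACTS[node]):
            if contact in seen or rng.random() > p:
                continue
            seen.add(contact)
            new_path = path + [contact]
            if digest in clients[contact].spam_digests:
                hits.append(list(reversed(new_path)))  # reply retraces the query's path
            frontier.append((contact, new_path))
    return hits


def handle_message(clients, recipient, sender, body, threshold=2, p=1.0, ttl=3, seed=0):
    """Classify locally; cache digests of definite spam; for suspect mail, query
    the network and apply the hit threshold. Returns (verdict, hit_paths)."""
    client = clients[recipient]
    digest = message_digest(body)
    verdict = client.local_classify(sender, body)
    if verdict == "DefinitelySpam":
        client.spam_digests.add(digest)
        return "spam", []
    if verdict == "DefinitelyNotSpam":
        return "ham", []
    hits = percolation_query(clients, recipient, digest, p, ttl, random.Random(seed))
    if len(hits) >= threshold:
        client.spam_digests.add(digest)  # the recipient now answers future queries too
        return "spam", hits
    return "ham", hits


def build_clients():
    return {name: Client(name) for name in CONTACTS}


if __name__ == "__main__":
    clients = build_clients()
    bulk = "Buy  CHEAP meds now!!\nLimited offer"
    # Constructed: Carol's and Dave's local filters already flagged this mailing.
    for name in ("carol", "dave"):
        clients[name].spam_digests.add(message_digest(bulk))
    print(handle_message(clients, "alice", "mallory", "Buy cheap meds now!! Limited offer"))
```

With p = 1.0 the percolation degenerates to a bounded breadth-first search, which keeps the run deterministic; lowering p is what limits the fraction of the network each query touches, at the cost of occasionally missing a cached digest.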

From ACM's TechNews, August 21, 2006.

A Move to Secure Data by Scattering the Pieces
New York Times (08/21/06) P. C5; Markoff, John

When Chris Gladwin, the software designer who sold his online music store Music Now in 2004, set about trying to digitize and secure the 27 GB of music, photos, and paper documents that he had been accumulating for years, he turned to an old technique employed by early cryptographers. The result was Cleversafe, an open-source project that secures data by breaking it down into pieces so that the files can only be reassembled by the computers that created them. The program could lower the cost of storing data on the Internet, Gladwin claims. "If we distributed data around the world this way, it would be a pretty resilient way to store data," said former ACM President David Patterson, a computer scientist at the University of California, Berkeley. Gladwin is banking on the continued proliferation of digital data of all kinds, including new breeds of digital cameras that will drive demand for more secure and private backup applications. In developing Cleversafe, which will cut the amount of storage space required for secure backup by more than half, Gladwin drew heavily on the landmark paper "How to Share a Secret," written in 1979 by Adi Shamir, a designer of the public-key cryptography algorithm. Gladwin designed a series of software routines to copy PC data into fragments of distributed file systems that could then be retrieved to reconstruct the original. Currently, Cleversafe runs on an experimental research grid located at 11 sites throughout the world, though Gladwin hopes that eventually a commercial network of tens of thousands or even hundreds of thousands of sites will emerge. Unlike existing storage projects, Cleversafe distributes data in encrypted chunks rather than making copies. The approach is similar to the SETI@Home project, which collects idle processing power from a network of computers to power a distributed supercomputer. Click Here to View Full Article
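The technique behind the summary above, Shamir's "How to Share a Secret", splits data into n pieces such that any k of them reconstruct it and fewer than k reveal nothing. The following is an added illustration, not Cleversafe's code: a (k, n) threshold split over a prime field using polynomial evaluation and Lagrange interpolation, wrapped so that a byte string can be dispersed across n sites 15 bytes at a time. The field prime, chunk size and the sample data are this example's own choices.

```python
import secrets

# Prime field for the shares; a Mersenne prime keeps 15-byte chunks (120 bits) below it.
PRIME = 2**127 - 1
CHUNK = 15


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(PRIME); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n, rng=None):
    """Shamir (k, n) split of one field element: a random degree-(k-1) polynomial
    with the secret as constant term, evaluated at x = 1..n."""
    rng = rng or secrets.SystemRandom()
    if not (0 <= secret < PRIME and 1 <= k <= n < PRIME):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME). With fewer than k distinct
    shares the result is an essentially random field element, not the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def disperse(data: bytes, k: int, n: int, rng=None):
    """Split a byte string into n shares of which any k reconstruct it: the data is
    cut into CHUNK-byte pieces and each piece is shared independently. Returns a
    list of (x, [y per chunk]); storing each entry on a different site is the
    dispersal idea the article describes."""
    rng = rng or secrets.SystemRandom()
    pieces = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    per_share = {x: [] for x in range(1, n + 1)}
    for piece in pieces:
        for x, y in split_secret(int.from_bytes(piece, "big"), k, n, rng):
            per_share[x].append(y)
    return [(x, ys) for x, ys in per_share.items()]


def reassemble(shares, length: int) -> bytes:
    """Rebuild the original bytes from any k shares; `length` restores chunk sizes."""
    out = bytearray()
    n_chunks = (length + CHUNK - 1) // CHUNK
    for c in range(n_chunks):
        size = min(CHUNK, length - c * CHUNK)
        value = recover_secret([(x, ys[c]) for x, ys in shares])
        out += value.to_bytes(size, "big")
    return bytes(out)


if __name__ == "__main__":
    sample = b"constructed sample: 27 GB of music, photos and papers"  # constructed
    shares = disperse(sample, k=3, n=5)
    print(reassemble(shares[:3], len(sample)) == sample)
```

Each share is as large as the data it protects, so a pure secret-sharing scheme multiplies storage by n; the article's claim of halving the space needed for secure backup points to a dispersal variant where shares are smaller than the original, which this example does not implement.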

From EduPage, August 21, 2006.

Romania Arrests 23 For Internet Scams
The Register, 21 August 2006

As part of a move against Internet scam rings operating in Romania, police arrested 23 people in Pitesti, from a group of 63 suspects sought for questioning over accusations of scamming foreigners by posing as well-known firms to clients of those companies. After tricking the e-mail recipients into updating their contact database, the scammers allegedly created false identity documents and collected money from other countries. If convicted, the accused face up to 15 years in prison for identity theft. FBI officials reportedly aided in the investigation. http://www.theregister.co.uk/2006/08/21/romanian_id_fraud_clampdown/

From the New York Times, August 15, 2006.

Marketers Trace Paths Users Leave on Internet
by Saul Hansell

Earlier this year, Yahoo introduced a computer system that uses complex models to analyze records of what each of its 500 million users do on its site: what they search for, what pages they read, what ads they click on. It then tries to show them advertisements that speak directly to their interests and the events in their lives. Read the Article

From ACM's TechNews, August 14, 2006.

Your Life as an Open Book
New York Times (08/12/06) P. B1; Zeller Jr., Tom

Privacy advocates and industry analysts say a clear position on the confidentiality of users' online search behavior must be made, for there are currently no laws to restrict the exploitation of such data, which is a highly desirable commodity for marketers, law enforcement agencies, and academic researchers. "In many contexts, consumers already have the expectation that information about their cultural consumption will not be sold," notes University of California, Berkeley, researcher Chris Jay Hoofnagle. "They understand that the library items that they check out, the specific television shows that they watch, the videos that they rent are protected information." AOL's inadvertent disclosure of hundreds of thousands of users' Internet search queries last week is viewed by some privacy proponents as a colossal blunder for the search industry comparable to the Exxon Valdez oil spill. "This AOL breach is just a tiny drop in the giant pool of information that these companies have collected," says Electronic Frontier Foundation lawyer Kevin Bankston. "The sensitivity of this data cannot be overemphasized." Legislative attempts to address the problem have been waylaid by skirmishes between privacy advocates seeking wide-ranging consumer data safeguards, and the financial sector, which wants to evade burdensome legislation and override stricter state laws. Meanwhile, Congress has been debating taking a cue from Europe and requiring the telecom and Internet industries to retain consumer communications records for a set period in case they are needed in law enforcement inquiries. Click Here to View Full Article

From EduPage, August 11, 2006.

Report Points To Malware In Social Networks
The Register, 10 August 2006

A recent monthly report from Internet security firm ScanSafe calls attention to the rising incidence of malware on social networking sites. According to the report, as many as 1 in 600 profile pages contained spyware, adware, or other malicious software. Social networking sites have become extremely popular with children and college students, and Eldar Tuvey, chief executive and cofounder of ScanSafe, said his company's report points to another risk users face. "[B]eyond unsafe contact with harmful adults, these sites are an emerging and potentially ripe threat vector that can expose children to harmful software," he said. The report noted that some sites, including Facebook and LinkedIn, have fewer malware pages than sites without restrictions on who can join. ScanSafe noted that in addition to social networking traffic from teens, use of the sites has also grown to represent about 1 percent of Internet usage in the workplace, potentially exposing corporate networks and users as well. http://www.theregister.com/2006/08/10/social_sites_breed_malware/

From ACM's TechNews, August 9, 2006.

University of Pennsylvania Researcher Reports JitterBugs Could Turn Your Keyboard Against You, Steal Data
Penn News (08/07/06) Lester, Greg

Peripheral devices such as keyboards, microphones, and mice could pose an entirely new computer vulnerability, researchers at the University of Pennsylvania have found. Using a device known as a JitterBug, the researchers found that a hacker could physically bug a peripheral device and steal chunks of data by creating an all-but-imperceptible processing delay after a keystroke. The researchers built a functional JitterBug keyboard as proof of concept. "This is spy stuff. Someone would need physical access to your keyboard to place a JitterBug device, but it could be quite easy to hide such a bug in plain sight among cables or even replace a keyboard with a bugged version," said Gaurav Shah, a graduate student in Penn's Department of Computer and Information Science. "Although we do not have evidence that anyone has actually been using JitterBugs, our message is that if we were able to build one, so could other, less scrupulous people." Unlike keystroke loggers, which have to be physically installed and then retrieved to collect data, the JitterBug needs only to be installed. The device can use any interactive network-related software application such as email or instant messaging to relay the data, leaking it through split-second keystroke delays. Limited storage space on the device would prevent the JitterBug from recording every keystroke, but it could be programmed to record a certain type of activity prompted by a specific keystroke. "For example, one could pre-program a JitterBug with the user name of the target as a trigger on the assumption that the following keystrokes would include the user's password," Shah said. In one particularly alarming scenario, a manufacturer of peripheral devices could be compromised, inundating the market with JitterBugged devices. Shah's initial research suggests that cryptography could be used to protect against JitterBugged devices. Click Here to View Full Article

From EduPage, August 7, 2006.

Google Debuts Web Site Warnings
BBC, 7 August 2006

Google has debuted a new service that warns users who click links to visit sites that have been identified by the Stop Badware coalition, itself a project of Google, Lenovo, and Sun Microsystems. The coalition was founded to help address the problems of spyware and other malicious software by helping users know which sites have distributed such software. Users of Google's search engine who try to access a site on Stop Badware's list are shown a warning that the site they want to visit has been flagged as potentially dangerous, though users are not prevented from going to that site. The warning messages are expected to become more detailed over time, including specific information about exactly how the site tries to install malicious software. A product called Scandoo, from company ScanSafe, performs a similar function for users of Google or MSN. http://news.bbc.co.uk/2/hi/technology/5251742.stm

From ACM's TechNews, July 28, 2006.

Introverted IT Students More Inclined to Cyber-Crime
New Scientist (07/26/06) Marks, Paul

A recent study has found that introverted technology students are more prone to "deviant" computer conduct, contradicting earlier research that suggested that malicious computing activities are most often the product of extroverts. The researchers polled 77 Purdue University computer science students with an anonymous online questionnaire, asking questions about their involvement in deviant computing activities, some of which are unlawful, such as using another person's password, writing and dispatching a virus, and obtaining credit card numbers. "Of 77 students, 68 admitted to engaging in an activity that could be classified as deviant," said Purdue computer scientist Marcus Rogers. In a self-evaluation, the deviant students gave themselves a 10 percent higher ranking on a scale that measured introversion. Acknowledging the limited scope of the study, Rogers cautions against using the results to support sweeping generalizations. Rogers himself was involved in a 2003 survey of arts students at the University of Manitoba, Canada, that found an increased rate of "deviant" activity among extroverts. DataSec's Jon Munsey believes that each personality type has a niche in the realm of computer misuse. Irrespective of the proportion of introverts and extroverts, Rogers says that he is alarmed by the fact that 88 percent of the students polled admitted to engaging in deviant behavior. Click Here to View Full Article

Hack-Proof Design
EDN (07/20/06) P. 47; Webb, Warren

The profusion of networked devices and the refinement of hackers' attack methods are fueling the urgency among embedded-system designers to prioritize security requirements. All security requirements must be addressed during the design phase, prior to the deployment of an embedded system product. The National Institute of Standards and Technology's Computer Security Resource Center offers security-related publications for designers outlining what kinds of challenges need to be met, such as the identification of data or proprietary information in need of protection, and identification of potential attackers and how sophisticated they are. Security measures to be considered include the physical isolation of networked systems, and the containment of sensitive equipment within rugged packaging that cannot be accessed without specialized gear. The Common Criteria for Information Technology Security Evaluation are internationally formulated guidelines for system security standards, which enable consumers, developers, and evaluators to particularize the security functions of a product in standards-protection profiles and evaluation-assurance levels. Users must confirm their identities via authentication before they can interact with a secure embedded system, while data encryption plays an important role when embedded systems link to a network or the Internet. Concurrent with improving security is device manufacturers' experimentation with new business models, such as the pay-as-you-go scheme in which customers agree to pay for a device as they use it and in return receive full functionality. Failure to pay gives the vendor license to withhold network-activation codes and disable the device, while bypassing activation or parts removal is thwarted by a strong security model. Click Here to View Full Article

From EduPage, July 26, 2006.

Brits Consider Prison For Identity Thieves
CNET, 25 July 2006

British legislators are considering amending the Data Protection Act to allow for prison terms for identity thieves in addition to the fines currently allowed by the law. The proposal followed a report from Richard Thomas, data protection watchdog information commissioner, which argued that the existing penalties are insufficient to deter potential identity criminals. The amendment would allow for prison terms of up to two years for those found guilty of intentionally misusing personal information; individuals who mistakenly disclose or otherwise mishandle personal information would not be subject to the new provisions. Thomas welcomed the proposal, saying it would serve to discourage those who might be considering identity theft. A review of the proposal will run through October. http://news.com.com/2100-1029_3-6098246.html

From EduPage, July 21, 2006.

Bill Would Require Notice Of Security Breaches
Federal Computer Week, 19 July 2006

Rep. Tom Davis (R-Va.) has introduced a bill that would outline requirements for federal agencies to disclose computer security breaches that put individuals at risk of identity theft or fraud. The introduction of the bill follows several instances where government computers were compromised but the agency responsible for the system took a long time to notify those affected. In one case, the Energy Department did not make public a security breach until more than a year after it happened. "Sadly, this legislation is necessary to ensure that federal agencies are taking the proper steps to notify the public, the potential victims, and appropriate government officials," according to Davis. Under the legislation, the Office of Management and Budget would implement policies and procedures concerning notification when personal information is lost or stolen. http://www.fcw.com/article95339-07-19-06-Web

From Knowledge @ Wharton, July 20, 2006.

What's the Future of Desktop Software -- and How Will It Affect Your Privacy?

Twenty years ago, the personal computer began to revolutionize the way we work and play. In recent years, though, the Internet has been the primary source of technological innovation, offering us everything from online auctions to networked research libraries. As web-based applications encroach on the desktop's turf and a myriad of smart "devices" perform increasingly computer-like functions, will traditional desktop software begin to fade away? According to panelists at the recent Supernova 2006 conference in San Francisco, it's clear that these technological changes will introduce new challenges for programmers and users alike. Chief among these: balancing the requirement of making an individual's personal information available everywhere while remaining securely under his or her control. Read the article.

From ACM's TechNews, June 5, 2006.

The Enemy Within: Terror by Computer
New Zealand Herald (06/01/06) Shreeve, Jimmy Lee

If terrorists turn their attention away from the physical to the digital world, there may be even greater damage than the Sept. 11 attacks, say cyber-security experts. Computer network attacks are dangerous enough to kill people and destroy companies, according to Scott Borg at the U.S. Cyber Consequences Unit. "Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," says Borg. "In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for short-term interruptions." In the past, hackers focused on credit cards or personal information found on the Web, but now they are starting to focus on databases. Borg gives examples of possible scenarios such as the tampering of a pharmaceutical company's database or changing specifications at a car factory, which may cause a car to catch on fire. Those kinds of attacks could crash the economy with just the click of a mouse, according to Borg. Officials say their biggest fear is over electronic attacks that focus on the networks that make up the critical national infrastructure. "People claim no one will ever die in a cyber-attack, but they're wrong," says Richard Clarke, a former cyber-security expert in the Bush Administration. "This is a serious threat." Click Here to View Full Article

From ACM's TechNews, May 26, 2006.

Meet the Hackers
BusinessWeek (05/29/06) No. 3986, P. 58; Ante, Spencer E.; Grow, Brian; Olearchyk, Roman

Russian computer hackers, distinct from their predecessors for their youth, organization, and brazenness, are among law enforcement's most wanted cybercrooks. Factors contributing to their notoriety and success include their country's strong technical universities, low salaries, and beleaguered court system. Political tension can also hinder local law enforcement's cooperation in bringing these criminals to justice. Dmitry Golubov, a 22-year-old Ukrainian, was arrested last year for a series of cybercrimes, including credit-card fraud, allegedly perpetrated by an international gang of hackers he masterminded; yet he was released on a personal recognizance bond from two Ukrainian politicians who defended his character. Russian-born Leo Kuvayev, 34, was named in a lawsuit filed by the state of Massachusetts last May accusing him and six accomplices of sending millions of spam emails to peddle illicit products through American and international Web-hosting servers, in violation of the 2003 CAN-SPAM Act. State officials think Kuvayev, whom Spamhaus ranks as one of the world's three leading spammers, may have taken refuge in Russia, where antispamming laws are nonexistent, before he was sued. Federal law enforcement officials believe Kuvayev was making over $30 million annually through his spamming business, and he and his co-defendants were ordered by the court to pay $37 million in civil restitution for sending approximately 150,000 illegal emails. The 2005 FBI Computer Crime Survey estimated that $67 billion is lost every year to computer crime, while 87 percent of the 2,066 surveyed companies admitted to a security incident. Click Here to View Full Article

From EduPage, May 24, 2006.

VA Slow In Reporting Data Theft
New York Times, 23 May 2006 (registration req'd)

The theft of personal data on U.S. veterans has caused an uproar after federal officials learned that the Veterans Affairs (VA) Department did not disclose the incident until two weeks after it happened. A VA employee took a number of computer disks home, against agency policy, and they were stolen from his home. The disks contained names, Social Security numbers, and other information on 26.5 million veterans; little else of value was taken from the employee's home. The theft occurred on May 3, but VA officials did not notify the Department of Justice or the FBI for two weeks and took several days more to notify affected veterans. Officials from the VA said representatives of the Justice Department and the FBI were very upset at the way the VA handled the situation, costing investigators valuable time to try to identify those responsible. Veterans, too, were disgusted with the VA's delay. The Senate will hold a hearing on the incident, and it is not clear what actions the government will take to address the problems. http://www.nytimes.com/2006/05/24/washington/24identity.html

From ACM's TechNews, May 24, 2006.

The Fight Against V1@gra (and Other Spam)
New York Times (05/21/06) P. 3-1; Zeller Jr., Tom

As email filtering technologies have become more sophisticated, bulk emailers have begun sending larger, image-based messages in an attempt to slip past antispam filters. While end users are no longer inundated with the same volume of unwanted email that they faced just a few years ago, spam is still a major problem for network operators. Inbox filters nearly eliminate the amount of bulk messages that users receive, though spam still accounts for around 70 percent of all Internet traffic, in spite of the numerous regulatory initiatives enacted throughout the world designed to combat the problem. Between one-half and three-quarters of all spam is produced by zombie computers. Spammers who work out of countries with lax law enforcement such as Nigeria or Russia have little incentive to cease their operations, particularly when they can turn handsome profits by eliciting responses from less than 1 percent of the up to 200 million messages that they send out daily. Antispam groups have developed technologies to determine whether the borders of images in spam email have been generated randomly, a tactic that bulk emailers have recently adopted to evade filtering tools. "There are loads of different kinds of obfuscation," said MessageLabs senior antispam technologist Nick Johnson. "They've realized that people are looking for V1agra spelled with a '1' and st0ck with a 'zero' and that sort of thing, so they might try some sort of meaning obfuscation," he added, such as "referring to a watch as a 'wrist accessory'" rather than a 'Rolex.' Johnson also described a particularly impressive spam trick in which spammers used incorrect spelling and HTML code in such a way as to evade detection by software programs but appearing correctly to viewers. MessageLabs' Matt Sergeant says the company has also developed a database of "scam DNA" which uses pattern analysis to find spam that uses language common enough to avoid detection otherwise. 
Click Here to View Full Article - Web Link May Require Free Registration
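The obfuscation tricks quoted above (digit-for-letter swaps, HTML that splits a word for the filter but not for the viewer) are what a keyword filter has to undo before matching. The following is an added example, not MessageLabs code: a filter-side normaliser with a constructed substitution table, keyword list and sample messages. Its last sample shows why the "meaning obfuscation" Johnson describes defeats this approach.

```python
"""Detection-side normaliser for the obfuscation tricks the article describes.

Constructed example: the substitution table, keyword list and sample
messages are illustrative, not MessageLabs data.
"""
import html
import re

# Digit/symbol-for-letter substitutions ("V1agra", "st0ck"); constructed table.
SUBSTITUTIONS = {
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l", "!": "i",
}

# Terms a keyword filter looks for once the text has been normalised.
KEYWORDS = ("viagra", "stock", "rolex")

# HTML comments and tags that split a word in the source but are invisible
# to the viewer, e.g. "R<!-- x -->olex".
TAG_RE = re.compile(r"<!--.*?-->|<[^>]+>", re.DOTALL)

# Separators injected inside a word ("r.o.l.e.x", "st-ock"), matched only
# between word characters so ordinary spaces and punctuation survive.
INTRA_WORD_SEP_RE = re.compile(r"(?<=\w)[.\-_*]+(?=\w)")


def render_text(body: str) -> str:
    """Approximate what the recipient sees: drop comments/tags, decode entities."""
    return html.unescape(TAG_RE.sub("", body))


def normalise(text: str) -> str:
    """Fold look-alike digits/symbols to letters and close intra-word gaps."""
    folded = "".join(SUBSTITUTIONS.get(ch, ch) for ch in text.lower())
    return INTRA_WORD_SEP_RE.sub("", folded)


def find_keywords(body: str) -> list[str]:
    """Return the filter keywords present after rendering and normalising."""
    text = normalise(render_text(body))
    return [kw for kw in KEYWORDS if kw in text]


# Constructed sample messages: three obfuscated, one legitimate, and one
# using the "meaning obfuscation" the article says defeats this approach.
SAMPLES = {
    "digit swap": "Cheap V1agra and hot st0ck tips!",
    "hidden html": "<p>Buy a genuine R<!-- x -->o.l.e.x today</p>",
    "entities": "Low price V&#105;&#97;gra",
    "legitimate": "Quarterly report: revenue up 10 percent",
    "meaning swap": "Treat yourself to a fine wrist accessory",
}


def main() -> None:
    for label, body in SAMPLES.items():
        hits = find_keywords(body)
        verdict = "SPAM" if hits else "ok  "
        print(f"{verdict} {label:13} -> {hits}")


if __name__ == "__main__":
    main()
```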

.From ACM's TechNews, May 22, 2006.

Researchers: Spend to Protect Against One Attack, Not Many
IDG News Service (05/19/06) Kirk, Jeremy

In a scholarly paper to be presented in June at England's University of Cambridge, a research team from Florida Atlantic University will make a strong and somewhat unusual mathematical case for how companies should spend their IT budgets. The researchers studied how firms can assess their vulnerabilities, determine the risk, and figure out the damage potential. The paper places threats into two categories: distributed attacks, which appear in the form of viruses, spyware, and spam, and focused attacks by a hacker. What the researchers determined, through risk analysis and equations, goes against apparently intuitive computer security efforts: spending evenly to protect against all attacks is not automatically the correct approach if one type of breach could cause many times more harm than another type. While the "eggs in one basket" approach may worry IT administrators, the research paper reveals that with restricted budgets, concentrating defenses against one attack may be the smartest way, as focused attacks have typically proven to create more economic damage than distributed attacks. "We're proposing that companies should look at vulnerabilities of a system, and if they are in high-vulnerability and high-loss scenario, they really, really should spend the most money on targeted attacks trying to prevent hackers," professor Qing Hu said. Click Here to View Full Article

.From ACM's TechNews, May 19, 2006.

Cyber Threats to U.S. Business Grow More Dangerous
Reuters (05/14/06) Rothstein, Joel

Scott Borg, director of the Cyber Consequences Unit (CCU), says attacks on U.S. computer networks are becoming more dangerous and could lead to the destruction of companies or even death. The CCU, which is funded by the Homeland Security Department, is trying to figure out how to prevent attacks such as plans to cause power blackouts, plots to tamper with pharmaceutical products, or schemes to reprogram machinery to build dangerously defective products. "Up to now, executives and network professionals have been worrying about what adolescents and petty criminals have been doing," said Borg. "They need to start worrying about what grown-ups could do." Some potential attacks may include shutting down computer systems for several days, changing specifications at automobile plants that may cause cars to explode, and tampering with medical data. The CCU uses its resources to figure out how technology can be used to harm the United States, holding cybersecurity classes for U.S. companies and investigating attacks on computer systems. After consulting with banks, manufacturers, and other industries, the CCU created a security checklist for companies that identifies 16 potential methods of attack. Click Here to View Full Article

'Mashup' Websites Are a Hacker's Dream Come True
New Scientist (05/13/06) Vol. 190, No. 2551, P. 28; Marks, Paul

The proliferation of mashup sites could present a major security threat, warned some participants at last month's Computer-Human Interaction conference in Montreal, Canada. Mashups, or Web applications that combine information from two or more sites, are often hastily thrown together with no guarantees of accuracy, and privacy and security concerns are sometimes just an afterthought. Mashups have become very popular for the local information they provide--neighborhood crime data overlaid on a Google map, for instance--but there is nothing to stop people from using them to collect addresses or other sensitive identifying information. Mashups have appeared that help commuters monitor traffic and travelers map their journeys, and new mashup sites are appearing at the rate of 10 a week. Google, Microsoft, and Yahoo! have all made the application programming interface (API) of their mapping sites freely available, recognizing that mashup sites help broaden the footprint of their service. But mashup creators do not take the precautions to address concerns such as data integrity, system security, and privacy, according to Hart Rossman of Science Applications International. "How do you know the data is real?" Rossman asks. The owners of the sites from which mashup creators pull their data neither know nor care that their information is being used, and the absence of encrypted ID certificates in the exchange between the mashup creator and the source invites the possibility that the data could be coming from a spoofed site, Rossman warns. Mashup sites also do not have rules governing how people's personal information can be used, and viruses could be specifically written to attack mashup sites. A mashup worm could follow the data back to its origin and corrupt its contents, says Rossman. 
The mounting security concerns come as some mashups, particularly in the travel sector, are growing into huge, multi-million-dollar ventures that play an increasingly important role in people's daily lives. Click Here to View Full Article

.From EduPage, May 17, 2006.

Antispam Outfit Crushed By Spammer Retaliation
BBC, 17 May 2006

An antispam start-up based in Israel has shut its doors after a barrage of retaliatory action from spammers. In July 2005, Blue Security launched the Blue Frog service to fight spam. Users who signed up with the service would submit spam they received, which Blue Security would then use to flood the servers of spammers and the merchants whose products were advertised in those spam messages. If a spammer had a Web site that allowed users to opt out of receiving more messages, Blue Security would swamp those sites with opt-out requests. Officials from Blue Security said their tactic decreased the amount of spam many of its customers received, but it also prompted spammers to respond. Starting in May, Blue Security was the target of a denial-of-service attack, and Blue Security customers began receiving threats from spammers. The prospect of further attacks from spammers, many of whom have deep resources at their disposal, led Blue Security to end operations. "We cannot take the responsibility for an ever-escalating cyber war through our continued operations," said a statement on the company's site. "We believe this is the responsible thing to do." http://news.bbc.co.uk/1/hi/technology/4990622.stm

.From ACM's TechNews, May 15, 2006.

MS Researchers Tackle Automated Malware Classification
eWeek (05/11/06) Naraine, Ryan

At the recent European Institute for Computer Anti-Virus Research conference in Hamburg, Germany, Microsoft researchers announced their plans to develop an automated technique for identifying the thousands of varieties of malware that target Windows computers. Their approach will utilize distance measures and machine learning technologies to improve on the existing methods of classifying different viruses, Trojans, rootkits, and other forms of malware. "In recent years, the number of malware families/variants has exploded dramatically," says Microsoft's Tony Lee. "Virus [and] spyware writers continue to create a large number of new families and variants at an increasingly fast rate." The evolutionary habits of malware families make it extremely difficult to automate static file analysis, Lee said. Microsoft believes that automation would provide a faster, more objective method for malware classification that saves more information than current techniques, which rely heavily on human research and memorization. Microsoft is hoping that its new method will address all aspects of classification holistically, including knowledge consumption, representation, and storage, as well as the generation and selection of classifier models. The technique will require the efficient structuring, storage, and analysis of the classifications so that familiar patterns can be identified immediately. Click Here to View Full Article

Password Security Is Her Game
California State University, Long Beach (05/06) Vol. 58, No. 5; Manly, Richard

Password security is not going anywhere, even though it may not be the most secure form of protection, according to Kim-Phuong Vu of the Psychology Department of California State University, Long Beach. Vu, a human factors expert who specializes in proactive password protection, wants to make passwords more secure and memorable. The editor of the handbook "Human Factors in Web Design" last year, Vu says many people have about six passwords and about half never write them down, so they have to reset passwords they have forgotten; she adds that it is not difficult to crack the average password. In fact, she has conducted research that shows 60 percent of passwords can be cracked within a few hours and some can be determined in less time. People tend to choose something that is easy to remember for their passwords, which makes them easy to crack. A password that is easy to figure out puts bank accounts, grades, Web sites, and more at risk, but people have generally embraced password security, which is affordable. Voice recognition is still not ready, and high-fidelity systems are expensive, as are fingerprint and retina scans, which the typical computer user also finds unsettling. Vu says a combination of upper- and lower-case letters, numbers, and special characters would make for proactive password protection, and suggests that users would have to spend more time committing passwords to memory. Click Here to View Full Article

.From EduPage, May 12, 2006.

Congress Debates SSN Restrictions
CNET, 11 May 2006

Members of Congress have vowed to enact legislation by the end of the year that will restrict use of Social Security numbers (SSNs), which have become a prime target of identity thieves. Several bills are before Congress now, including one introduced by Edward Markey (D-Mass.) and another by Clay Shaw (R-Fla.). Joe Barton (R-Tex.) said the current practice of allowing data brokers to sell SSNs to anyone able to pay for them should be banned outright. Federal Trade Commissioner Jon Leibowitz said SSNs are "overused" and "underprotected." Officials from financial services institutions cautioned, however, that appropriate use of SSNs is invaluable for sectors such as theirs. Oliver Ireland, representing the Financial Services Coordinating Council, said SSNs "are critical for fraud detection." http://news.com.com/2100-7348_3-6071441.html

Data-Breach Legislation On The Agenda
Internet News, 12 May 2006

Rep. James Sensenbrenner (R-Wis.), chairman of the House Judiciary Committee, has introduced the Cybersecurity Enhancement and Consumer Data Protection Act of 2006, which would require notification of government officials--but not of those affected--any time a computer breach exposes data for 10,000 or more individuals. Data-breach bills have previously been introduced by the House Financial Services Committee and the House Commerce Committee, with varying requirements for notification. In the Senate, two bills have been introduced in the Judiciary Committee and a third in the Commerce Committee. Some observers are concerned that the competing federal legislation, which would likely supersede any state laws concerning data-breach disclosure, risks being reconciled into a law that would be worse than if no law were passed. Susanna Montezemolo of the Consumers Union expressed support for one of the Senate bills, the Personal Data Privacy and Security Act, which has been approved by committee and is waiting for a vote in the full Senate. http://www.internetnews.com/bus-news/article.php/3605666

.From ACM's TechNews, May 10, 2006.

DNS Security: Most Vulnerable and Valuable Assets
IT Observer (05/08/06)

A survey conducted by Cornell University's Computer Science Department mined public data to determine the most vulnerable assets of the Domain Name System (DNS), the servers most likely to be assaulted because they control the biggest chunk of the namespace, and the existence of servers with known vulnerabilities and the domain names they affect. The survey found that attackers can gain a tremendous advantage by exploiting the architecture of the legacy DNS, which creates many non-obvious dependencies between names and nameservers. The higher the number of nameservers on which a domain name depends, the bigger the trusted computing base, which leads to a larger number of dependencies, a bigger attack profile, and greater susceptibility to attack. According to the survey, a routine DNS name depends on 46 nameservers on average, while the most vulnerable top-level domain names are ranked .ua, .by, .al, .sm, .mt, .va, .pl, and .it, from highest to lowest; the bulk of country code TLDs average more than 100 dependencies per name. The survey ascertained the most valuable DNS assets by evaluating how important a role a DNS nameserver plays in name resolution, and found that a nameserver is involved in the resolution of 166 externally visible names, on average. Furthermore, 67 hostnames appearing in Yahoo!+DMOZ depend on the nameserver ranked 5000, 29 publicly visible Web sites rely on the nameserver ranked 10000, and the median number of externally visible names served is four. In addition, institutions that may be ill-equipped or unwilling to assume DNS functionality operate many important servers. Information about the most vulnerable and most valuable DNS assets was then combined with data about established bugs in servers to infer that one in three Internet names can be hijacked by well-known, scripted exploits; among this percentage is www.fbi.gov as well as every other name residing in the fbi.gov domain. Click Here to View Full Article
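The "non-obvious dependencies" the survey describes arise because each nameserver's own hostname must itself be resolved, pulling in the servers of further zones. The following is an added example, not the Cornell survey's code: it computes a name's transitive nameserver dependencies and the survey-style "value" count of each server over a constructed zone table under the reserved .test TLD (glue records and caching are deliberately left out of the model).

```python
"""Transitive nameserver dependencies of a DNS name.

Constructed example illustrating the survey's notion of a name's trusted
computing base: every nameserver that must answer honestly for the name to
resolve correctly, including those reached only through the nameservers'
own hostnames. The zone table below is invented; the ".test" TLD is
reserved for examples. Real resolution also involves glue records and
caching, which this model leaves out.
"""
from collections import Counter

# Constructed delegation table: zone apex -> authoritative nameserver names.
# "" is the root zone.
ZONE_NS = {
    "": ["a.root-servers.test", "b.root-servers.test"],
    "root-servers.test": ["a.root-servers.test"],
    "test": ["a.tld.test", "b.tld.test"],
    "tld.test": ["a.tld.test", "b.tld.test"],
    "shop.test": ["ns1.dns-provider.test", "ns2.dns-provider.test"],
    "dns-provider.test": ["ns.hosting-co.test"],
    "hosting-co.test": ["ns1.hosting-co.test", "ns1.backup-dns.test"],
    "backup-dns.test": ["ns1.backup-dns.test"],
    "inhouse.test": ["ns1.inhouse.test"],
}


def zones_for(name: str) -> list[str]:
    """Every zone on the delegation path of `name`, from its own zone up to the root."""
    labels = name.rstrip(".").split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))] + [""]
    return [zone for zone in suffixes if zone in ZONE_NS]


def dependencies(name: str) -> set[str]:
    """Nameservers that `name` depends on, following each nameserver's own name.

    The servers of every zone on the path are added, and each server's
    hostname is queued so its zones are examined too. The `seen` set stops
    in-bailiwick loops such as ns1.inhouse.test being served from
    inhouse.test itself.
    """
    deps: set[str] = set()
    seen: set[str] = set()
    pending = [name]
    while pending:
        current = pending.pop()
        if current in seen:
            continue
        seen.add(current)
        for zone in zones_for(current):
            for ns in ZONE_NS[zone]:
                if ns not in deps:
                    deps.add(ns)
                    pending.append(ns)
    return deps


def direct_dependencies(name: str) -> set[str]:
    """The obvious view: only the servers of the name's own zone."""
    own_zone = zones_for(name)[0]
    return set(ZONE_NS[own_zone])


def names_served_by(names: list[str]) -> Counter:
    """Mirror of the survey's 'value' metric: how many names each server can affect."""
    counts: Counter = Counter()
    for name in names:
        counts.update(dependencies(name))
    return counts


# Constructed set of externally visible names to rank servers by.
VISIBLE_NAMES = ["www.shop.test", "www.inhouse.test", "mail.dns-provider.test"]


def main() -> None:
    for name in VISIBLE_NAMES:
        direct = direct_dependencies(name)
        full = dependencies(name)
        print(f"{name}: {len(direct)} direct, {len(full)} transitive")
        for ns in sorted(full - direct):
            print(f"    also depends on {ns}")
    print("most valuable servers:")
    for ns, count in names_served_by(VISIBLE_NAMES).most_common(3):
        print(f"    {ns}: {count} names")


if __name__ == "__main__":
    main()
```

Running it shows www.shop.test trusting nine servers although its zone lists only two, among them ns1.backup-dns.test, which appears nowhere in the shop.test delegation.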

.From ACM's TechNews, May 10, 2006.

USC Hacker Case Pivotal to Future Web Security
InformationWeek (05/09/06) Greenemeier, Larry

The trial of Eric McCarty, the 25-year-old San Diego resident who claims that he hacked into the University of Southern California computer system only to call attention to its vulnerabilities, could become a referendum on acceptable practices of security research, especially if he is convicted and sentenced to the maximum of 10 years in prison. Everyone agrees that McCarty violated the law, though the ethical legitimacy of his actions is being hotly debated, and many security researchers believe the maximum penalty is extreme, particularly since McCarty has been cooperating with the FBI. McCarty hacked into a SQL database that contained the Social Security numbers, birth dates, and other identifying information for more than 275,000 USC applicants dating to 1997. McCarty initiated a SQL injection after he found a vulnerability in the login system of USC's application Web site. The university then took the site down for two weeks to fix the flaw. Security professionals have mixed feelings about McCarty's actions. "McCarty was trying to prove a point," said Digital Defense's Rick Fleming. "Part of me commends him for saying, 'Hello, wake up.' But he crossed an ethical boundary because he didn't have permission to test that system, and he broke the law." The online document called RFPolicy informally lays out the basic protocols for researchers to communicate with vendors and developers to address vulnerabilities. RFPolicy has no legal authority, however, and it does not provide a method for legally entering someone else's IT environment and testing Web applications. Security experts worry that if McCarty is sentenced to jail, many white-hat researchers will either stop looking for flaws or stop reporting them for fear of legal reprisal. "If the good guys aren't going to do this research, that's a bad thing because the bad guys certainly won't stop," says WhiteHat Security founder Jeremiah Grossman. Click Here to View Full Article

.From ACM's TechNews, May 8, 2006.

Cybersecurity Research Plan Identifies Threats
Federal Computer Week (05/01/06) Vol. 20, No. 13, P. 54; Sternstein, Aliya

Industry leaders who have been urging the Bush administration to devote more resources to cybersecurity are optimistic that a recently issued report by the National Science and Technology Council will lead to increased federal funding. The "Federal Plan for Cyber Security and Information Assurance Research and Development" highlights urgent threats to U.S. technological infrastructure and calls for increased federal funding for research that would help manufacturers incorporate greater security features into their products before they are delivered. "This is the first document that I've seen that focuses on outcomes rather than favorite research projects," said Alan Paller of the SANS Institute. The document recommends exploring security issues that could arise from new broadcast protocols, wireless protocols, and ad hoc networks, while also cautioning against potential threats from optical computing, quantum computing, and pervasively embedded computing. The plan also calls for much-needed metrics to gauge the government's ability to hold up against an attack, Paller said, though he criticized the council for not including specific figures for how much the government should pay for the research. Included in the proposal are the public Internet and the networks and systems that control the power grid, communications systems, and other vital elements of infrastructure. The plan identifies software testing, wireless security, access control, and authentication as some of the highest funding priorities. Increased funding is the key to acting on the report's recommendations, says Ed Lazowska, who served as co-chairman of the now-defunct President's IT Advisory Committee. Lazowska said he has a simple message for John Marburger III, the president's science advisor: "Spare me the recommendations and show me the money," adding that "it's time for leadership and investment." Click Here to View Full Article

.From ACM's TechNews, May 1, 2006.

New Weapons Needed for the War on Junk Email
University of Calgary (04/27/06)

Spam filters may be highly effective, but they cannot keep up with spammers who are coming up with new ways to trick people into visiting commercial Web sites or downloading rogue software carrying viruses, worms, spyware, or other dangerous applications, according to John Aycock, an assistant professor of computer science at the University of Calgary. Aycock and his student Nathan Friess performed research that shows it is possible to create a new type of spam, or bulk email, that can go past the best spam filters and trick even the most advanced computer users. Aycock and Friess will present their research during the 15th annual conference of the European Institute for Computer Anti-Virus Research, being held in Hamburg, Germany, on April 30. The goal of the research is to increase awareness of the threat so that anti-spam software that anticipates what spammers will do next can be written. "We want to look at potential threats and see what we can do about them right now, as opposed to getting to the point where we're forced to react," says Aycock. The majority of spam today is sent from zombie computers, which can automatically send large email messages. Aycock predicts that spammers may soon use zombie computers to tap into a person's email account, which was previously thought of as too complex, but research shows that is now possible. Aycock wants companies that make anti-spam software and email programs to take advantage of the new information and use the suggested solutions in their existing software suites. Click Here to View Full Article

Better Organization, Focus Needed for Cybersecurity
Government Computer News (04/27/06) Jackson, William

The U.S. government needs to create clear lines of authority and clarify responsibility for an effective national information assurance policy, according to former presidential adviser Paul Kurtz, who is now executive director of the Cyber Security Industry Alliance. "We have a growing body of law and regulation bearing on information security," said Kurtz during the GovSec conference in Washington on Thursday. "We are not ready for a major disruption of the information infrastructure today, and we have a long way to go to get there." Kurtz suggested a two-tiered framework for cybersecurity where critical functionality could be identified for government attention, and less important issues are given to the private sector. Kurtz and Tom Leighton at Akamai Technologies agree that cyberspace is getting tougher and that an infrastructure needs to be built to better respond to possible attacks. An assistant secretary for cybersecurity is still needed in order to establish an effective policy, according to Kurtz. The position has been vacant for almost a year now. Click Here to View Full Article

Bugs Put Widely Used DNS Software at Risk
IDG News Service (04/26/06) McMillan, Robert

University of Oulu researchers say they found multiple flaws in the software used for administering the Internet's Domain Name System (DNS), which may cause several problems such as crashing the DNS server or giving attackers a way to run unauthorized software. Oulu researchers have come up with a DNS test suite to test for such vulnerabilities. Microsoft, Cisco Systems, and Sun Microsystems are currently testing their products, but there is no word yet on whether customers will be affected. DNS servers have come under fire lately because of such attacks, which may compromise the DNS system and take down several Web sites. Just last month, unknown attackers used computers and DNS servers to launch denial-of-service attacks against about 1,500 organizations, according to VeriSign. Click Here to View Full Article

.From EduPage, April 26, 2006.

Study Says Businesses Making Progress Against Hackers
BBC, 25 April 2006

A survey conducted by PricewaterhouseCoopers for the Department of Trade and Industry indicates that British businesses are making strides in their efforts to thwart computer attacks. Overall, the number of U.K. businesses to suffer computer incidents dropped from 74 percent in 2004 to 62 percent in 2005, according to the Information Security Breaches survey. By far the largest drop was seen in computer viruses, which fell by one-third, while other sorts of attacks and accidental data loss stayed relatively steady, said Chris Potter, who led the survey. He noted that the reduction of incidents follows an increase in security spending in the business sector, which now spends between 4 and 5 percent of technology budgets on security, compared to just 3 percent in 2004. Still, said Potter, many businesses, particularly smaller ones, continue to leave themselves vulnerable to computer attacks. In fact, the survey showed that the number of computer incidents affecting small businesses has risen by 50 percent since 2004. http://news.bbc.co.uk/2/hi/technology/4939386.stm

.From ACM's TechNews, April 26, 2006.

Council Releases Blueprint for Federal Cybersecurity Research
GovExec.com (04/25/06) Pulliam, Daniel

A presidential advisory council has released guidelines for coordinating cybersecurity research and development among different federal agencies. Released last week by the National Science and Technology Council, the Federal Plan for Cyber Security and Information Assurance Research and Development involved members of more than 20 federal entities. The plan calls for the creation of standard cybersecurity metrics and other measures to inform researchers of the government's priorities, said Simon Szykman, director of the National Coordination Office for Networking and Information Technology Research and Development. While the blueprint was developed solely by government officials, true coordination will be an ongoing effort that will include public comments and workshops to provide a forum for the private sector. "Certainly having a plan is one thing and executing it is another," said Szykman. "This group of people was focused on the [research and development] issues and understanding the existing issues and the priorities." The document is notable for its call for metrics and its emphasis on emerging technologies and incorporating security at the beginning of any deployment, though it is remiss in not defining how recipients of federal funding are to be held accountable, said Alan Paller, research director of the SANS Institute. "Researchers are going to look at this as justification for anything they want to do," said Paller. Gartner's John Pescatore says the blueprint should have identified specific areas where the government could fill in the gaps in research and development left by the market. Click Here to View Full Article

Software Insecurity: Plenty of Blame to Go Around
Government Computer News (04/18/06) Jackson, William

Attendees at the recent International Conference of Network Security were unable to agree about who should shoulder the blame for the persistent unreliability of software. Eset Chief Research Officer Andrew Lee attributed the poor quality to the barrier between developers and users, noting that an application that may seem perfectly intuitive to a developer can be put to illogical and destructive ends in the hands of a user. Lee also said most software is too complex to ever receive sufficient testing. Careful deployment could minimize disruptions caused by even the most flawed software, said Lockheed Martin's Eric Cole. "In a lot of cases, even though the bugs are still there, the impact to your organization can be mitigated" with a suitably architected and well-protected network, just as perfectly coded software is still vulnerable if improperly deployed, he explained. In response to an audience member's charge that organizations are more concerned with clever workarounds than with methodologies for solving problems, Stuart Katzke of the National Institute of Standards and Technology (NIST) said his organization could help, noting that the same level of due diligence created by the documents prepared for government users under the Federal Information Security Management Act (FISMA) could also apply to private industry. "The framework that we have established for federal agencies is really applicable to any environment," Katzke said. Participants also debated the relative worth of the Common Criteria program maintained by NIST and the NSA. Supporters claimed that the program enables a comparison between products, while critics charged that it is more about red tape than software quality. Click Here to View Full Article

.From EduPage, April 21, 2006.

Charges Filed In USC Hack
ZDNet, 20 April 2006

Charges have been filed against a network administrator in San Diego related to a June 2005 incident in which a server at the University of Southern California (USC) was compromised. Federal authorities have charged Eric McCarty with gaining unauthorized entry to a USC computer system for applications that contained information on more than 275,000 applicants dating back to 1997. Michael Zweiback, an assistant U.S. attorney in the cybercrimes and intellectual property unit, said, "Universities are becoming bigger and bigger targets to the hacker community," adding that "hackers always want to see if they can beat the technical people on the other side." If found guilty of the alleged hacking, McCarty could be sentenced to 10 years in federal prison. http://news.zdnet.com/2100-1009_22-6063470.html

Publishers Settle Copyright Lawsuits, More Pending
Chronicle of Higher Education, 20 April 2006 (sub. req'd)

Two academic publishers have settled six of 20 lawsuits filed against individuals for selling copies of instructors' manuals online. The manuals accompany specific textbooks but are intended for faculty only because they include answers to homework and quiz questions in the texts. The individuals involved in the settlements were accused of making copies of instructors' manuals and selling them online, according to William Dunnegan, an attorney representing Pearson Education and John Wiley & Sons. Terms of the settlement were not released, nor were the names of the defendants. Other cases are still pending, and the publishers involved said the lawsuits are just one part of a larger campaign to address the problem of illegal online sales of copyrighted academic texts. Dunnegan said he hopes other academic publishers will join Pearson and Wiley, saying, "It will be easier to enforce as part of a group effort." http://chronicle.com/daily/2006/04/2006042001t.htm

.From EduPage, April 19, 2006.

FTC Wins Two More Spam Settlements
Internet News, 18 April 2006

The Federal Trade Commission (FTC) has gotten two new settlements in antispam cases. Matthew Olson and Jennifer LeRoy were accused of violating several provisions of the CAN-SPAM Act, including using others' computers to send spam, inserting bogus "From" information and misleading subject lines in e-mails, and failing to provide recipients with an opt-out provision. Olson and LeRoy were charged in connection with an FTC operation targeting spammers who hijack computers to send their spam. Both defendants settled with the FTC and agreed not to send any more spam. As part of their settlement a judgment of $45,000 against the two has been suspended, based on their inability to pay it. The FTC said that if Olson and LeRoy are found to have misrepresented their financial situation, they will be forced to pay the fine. http://www.internetnews.com/xSP/article.php/3599796

Australia Convicts Spammer Under New Law
The Register, 19 April 2006

Wayne Mansfield, who has been identified by Spamhaus as one of the world's most prolific spammers, has become the first person convicted under a tough antispam law enacted in Australia in April 2004. Mansfield and his company, Clarity1, were accused of sending more than 56 million unsolicited e-mails in violation of the law. In his defense, Mansfield claimed that recipients of his e-mails had agreed to receive them. He also argued that because he harvested the addresses he used in his spamming prior to the antispam law's taking effect, they were exempt from the law. The judge in the case rejected both of those arguments and found Mansfield guilty. Mansfield will be sentenced later. http://www.theregister.co.uk/2006/04/19/oz_spam_conviction/

Settlement Reached In Antispyware Case
Associated Press, 19 April 2006

In a settlement announced by prosecutors in Washington State, Zhijian Chen of Oregon will pay about $84,000 in fines, restitution, and attorneys' fees following a scheme in which Chen sold consumers fraudulent antispyware services. Chen was charged with sending e-mail that led recipients to believe their computers were infected with spyware and that a product called Spyware Cleaner, made by Secure Computer, could clean their machines. Chen then collected a commission when users bought the product. State Attorney General Rob McKenna said, "We will not tolerate those who try to profit by preying on consumers' fears of spyware and other malware." New York-based Secure Computer as well as a number of officials from the company are also named in the lawsuit against Chen. http://news.yahoo.com/s/ap/20060419/ap_on_hi_te/spam_lawsuit

.From ACM's TechNews, April 14, 2006.

Beware the Smart Virus
Byte and Switch (04/07/06) Rogers, James

Attendees at this week's Storage Networking World conference warned of a new kind of smart virus based on advanced mathematical theory that could disrupt storage networks and servers. "It's not far-fetched," said Interval International CIO Sasan Hamidi, who noted that researchers are already able "to create a living computer program and let it have intelligence." With that capability, a smart virus could mutate itself to get around patches and other security measures. Hamidi claimed that hackers could author the viruses based on cellular automata or game theory, among other scientific foundations. Evolutionary computing could lead to a threat that differs from traditional worms and viruses in its ability to alter its own code once detected and redirect the attack to another part of the network. "The code adapts itself to the environment," said Hamidi. "This could be a worm that learns from the environment and becomes more intelligent." Since storage and many other computer resources are now IP-based, an evolutionary computing virus could wreak havoc on an organization after entering through a system's TCP packets. IT managers at the convention agreed that few people have the expertise in genetic algorithms to pull off an evolutionary computing attack, though they identified the 1988 Great Worm attack that brought down much of the Internet as an example. However, Hamidi argued that the industry's current lack of preparedness against such an attack is troubling. Even though most hackers currently lack the knowledge of advanced scientific theory to execute such an attack, the attendees grudgingly admitted that it is only a matter of time before the theoretical possibility of an evolutionary computing attack becomes a reality. Click Here to View Full Article

The Worried Executive's Guide: Disaster Recovery Planning for Mixed-Hardware Environments
InformIT (04/07/06) Wrobel, Leo

Protecting a company's computer and data assets is no longer simply about protecting corporate networks at the office because data these days extends onto mobile devices, such as laptops and PDAs. This evolving computer web likely will extend into cell phones soon, opines Leo Wrobel, and one important aspect of mobile technology is how much more vulnerable mobile technology is to physical theft compared to ensconced corporate data centers and server rooms. Companies can use security-minded operating systems to protect mobile data, and thwart data theft from a laptop that may have been taken for its market resale value. This is especially crucial for financial companies and others dealing with sensitive client information, because data theft can lead to bad publicity, and much worse. When a company is configuring how to protect itself, it should consider standardizing the type of programs used. This is easier to control and secure, and a company could standardize employee options into as little as three basic packages. Knowledge workers such as writers, lawyers, Web designers, and managers will need a flexible and diverse set of tools to accomplish their jobs, and they likely will use these tools often. In contrast, production workers such as call center operators, help desk employees, and telemarketers all can use standardized computing tools in a more limited array to accomplish their crucial revenue-generating tasks. Click Here to View Full Article

.From ACM's TechNews, April 12, 2006.

Researcher: Security Risks in Web Services Largely Ignored
IDG News Service (04/07/06) McMillan, Robert

Security professionals should look more closely at Web services, which are being increasingly targeted by attackers, warned Alex Stamos, a founding partner of Information Security Partners in San Francisco, during a presentation at the CanSecWest/core06 conference. "Web application security is the red-headed stepchild of the security industry," he said, adding that hackers could use Web services such as AJAX and the XQuery query language to uncover secret information and attack systems. He explained how a hacker could enter malicious code into a Web form, then have the code dial a customer service number of a company and trick the customer service representative into executing it unintentionally. Stamos also said an attacker could create malicious XML queries that use an enormous amount of memory or overwhelm database applications with requests, in order to carry out denial-of-service attacks. Including filtering capabilities in products, which would help them to detect requests that should not be performed, would be a way for Web applications vendors to help improve security, said Stamos. Web applications were linked to nearly 70 percent of vulnerabilities disclosed during the second half of 2005, according to security vendor Symantec. Click Here to View Full Article - Web Link May Require Free Registration

Research Reveals Phishing Hooks
BBC News (04/05/06)

A recent study found that while most people could identify a phishing site as bogus, sophisticated scams could fool around 90 percent of users, most of whom tend to ignore the visual clues provided by their browsers. The study, which looked specifically at banking Web sites, was conducted by Rachna Dhamija of the Harvard Center for Research on Computation and Society and University of California, Berkeley, computer science professors Doug Tygar and Marti Hearst. The researchers concluded that Web designers must develop new ways of signaling to users that a site is unsecured. Approximately 5 percent of phishing recipients open the email, visit the bogus site, and furnish sensitive information, which provides ample incentive for phishers to keep up their efforts. The researchers recommend that users look at the address bar to check for fake sites that incorporate a well-known name into the URL to lend it an air of legitimacy. They also caution users to retype links instead of clicking on them, check the sites for spelling and grammatical errors, look for "https" on bank sites rather than "http," and to use an anti-phishing toolbar. On average, 40 percent of the 22 test subjects failed to recognize a fake Web site, and the most authentic-looking spoofed site fooled 90 percent. Most participants simply did not know what features typically distinguish fake sites from real ones. Most did not look at the address bar, status bar, or other identifying features, and many ignored explicit security warnings in pop-up windows. "The indicators of trust presented by the browser are trivial to spoof," the researchers concluded. "These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed." Click Here to View Full Article

Forging a National Cyber Security Strategy
SC Magazine (03/01/06) P. 48; Purdy Jr., Andy

Deputy director of the Department of Homeland Security's (DHS) National Cyber Security Division (NCSD) Andy Purdy details his agency's mission of developing a comprehensive and cohesive plan to ensure the security of America's critical data through intense public-private collaboration and the various tools, resources, and insights this effort involves. He describes the first priority of the National Strategy to Secure Cyberspace as the development of a national cyberspace security response system, a core element of which is strong situational awareness in conjunction with information sharing among federal departments as well as between the government and the private sector. The NCSD, in partnership with the Office of Management and Budget (OMB), has released the U.S. Emergency Readiness Team (US-CERT) Federal Concept of Operations (CONOPS) mandating that agencies report cyberincidents to the team, along with data on their initiatives to lower cyber risk in accordance with the Federal Information Security Management Act (FISMA). DHS also supports the multi-state ISAC to effect information sharing and collaborate on awareness-raising efforts among state and local governments. Another element of the situational awareness component of a national cybersecurity response system is the construction of an international watch and warning network. Purdy writes that increasing reliance on cyber resources calls for effective disruption recovery planning by federal agencies, enterprises, and private networks. The National Recovery Plan (NRP) offers guidance on such areas as emergency support functions for communications. The DHS' Preparedness Directorate, of which the NCSD is a component, is concentrating on readiness and is working to guarantee proper coordination between the mission areas to expedite general preparedness. Click Here to View Full Article - Web Link to Publication Homepage

.From ACM's TechNews, April 10, 2006.

Why VOIP Needs Crypto
Wired News (04/06/06) Schneier, Bruce

Voice over Internet Protocol (VoIP) phone calls must be encrypted because the scope of the dangers VoIP is vulnerable to far exceeds that of threats to traditional phone calls, writes Counterpane Internet Security CTO Bruce Schneier. He notes that data packets can be intercepted at any point along the route of transmission, and eavesdropped on by governments, corporate competitors, hackers, and criminals. Schneier envisions a multitude of crimes that can be committed through VoIP call eavesdropping, including the hijacking of phone calls, the theft of account information, the accumulation of sensitive material for blackmail or industrial espionage, and insider stock trading. The author criticizes the U.S. government's suggestion of permitting encryption by everyone, provided it owns a copy of the key; he calls this "an amazingly insecure idea for a number of reasons, mostly boiling down to the fact that when you provide a means of access into a security system, you greatly weaken its security." Schneier reports that there are many products that provide VoIP encryption, including built-in encryption from Skype, and Phil Zimmermann's open-source ZFone. However, he cautions that encryption is not a cure-all, in that it cannot address the leading threat of endpoint surveillance. "No amount of IP telephony encryption can prevent a Trojan or worm on your computer--or just a hacker who managed to get access to your machine--from eavesdropping on your phone calls, just as no amount of SSL or email encryption can prevent a Trojan on your computer from eavesdropping--or even modifying--your data," Schneier says. Click Here to View Full Article

.From ACM's TechNews, April 7, 2006.

To Packed Crowd, Speaker Discusses Cyber Security Crisis
The Spectrum (04/07/2006) Halleck, Tom

Speaking at the University at Buffalo, cyber-security expert Eugene Spafford criticized the government and private industry for a haphazard approach to combating cyber crime. "We have people committing (cyber crime) offenses again and again, but it's been calculated as less than five percent of these crimes are prosecuted," Spafford said. Often the victims of cyber crime are large companies reluctant to disclose that their security has been compromised, while law enforcement in the area of computer crime is still in its infancy. A major U.S. Army command center recently scrapped all of its computers because of pervasive security problems. It invested in a new, $36 million system that was reportedly compromised in three weeks, Spafford said. While serving on the President's Information Technology Advisory Committee (PITAC), Spafford realized that no one was adequately addressing the problem of cyber security. "What is Congress doing? They're stopping research and development spending. The amount the PITAC asked for was an estimated $100 million a year. The U.S. spends that much in three days in military operations in Iraq." While the government's response to cyber crime has been lackluster, Spafford takes heart in the growing interest in security among academic researchers. He also notes that public awareness of the problem is slowly beginning to spread, though people continue to respond to unsolicited email asking for personal information. Eugene Spafford is chair of ACM's U.S. Public Policy Committee; http://www.acm.org/usacm Click Here to View Full Article

Beat Cybercrime, Switch to a Virtual Wallet
New Scientist (04/01/06) Vol. 190, No. 2545, P. 28; Biever, Celeste

To simplify the process of conducting online transactions, Microsoft is promoting the concept of a virtual wallet, a collection of icons on various Web sites that users can click to verify their age, billing information, or other personal details without having to remember multiple user names and passwords. The system should also improve security by eliminating easily hacked passwords and subjecting common Internet transactions to the same cryptographic protocols used in banking and government. "From a user standpoint, it's really simple, it's fast, and it's much more secure," says digital identity expert Drummond Reed. Microsoft intends to include the required software in its next version of Windows, while the Eclipse Foundation is developing a similar application for Apple and Linux systems. The Internet was not built with the idea in mind that people would have to verify each other's identity, and passwords have proven too easy for hackers to crack. Microsoft's earlier attempt at a universal verification scheme, Passport, failed amid concerns that the company would act as the custodian for every consumer's identifying information. Credit card companies and other third parties are responsible for guarding information in Microsoft's new system, just as they are now. After a user registers, the third party furnishes the Web sites with a digital certificate and the user with a virtual card that enables him to obtain a digitally signed certificate to prove his identity whenever necessary. Users access the system, which creates public and private encryption keys, with a master password that never leaves a secure section of the computer. The system will not permit users to enter sensitive information on sites that it suspects are spoofed. By requesting the user's computer to decrypt information with its private key, the card issuer creates a digital certificate, which it signs with a digital signature and relays back to the authenticated site. Click Here to View Full Article

.From EduPage, April 5, 2006.

Probing Why Phishing Remains Successful
ZDNet, 3 April 2006

A new paper published by three academics tries to explain why, after all the press about phishing scams, so many computer users continue to fall for them. "Why Phishing Works," written by Rachna Dhamija of Harvard University and Marti Hearst and J. D. Tygar of the University of California at Berkeley, points out that despite a general awareness of phishing rackets, most users are unable to discern the difference between a legitimate Web site and one spoofed to look like the site of a bank or other financial institution. In one exercise, the researchers created a fake bank site that fooled 91 percent of subjects participating in the experiment. Similarly, 77 percent misidentified a legitimate E*Trade e-mail as fraudulent. Experts attribute some of the problem to ignorance and some to users' not taking simple precautions, such as looking closely at the address bar of Web pages. Bernhard Otupal, a crime intelligence officer for high-tech crime at Interpol, noted that in one recent phishing scam, a number of users went to a site pretending to be that of a prominent bank and entered personal information even though they were not even customers of that bank. http://news.zdnet.com/2100-1009_22-6057000.html
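Added example, not code from either article or from the Dhamija, Tygar and Hearst study: a small Python checker that turns the address-bar advice in the two phishing summaries above (a well-known name embedded in someone else's domain, a bank site served over http rather than https) into concrete tests on constructed URLs. The brand list, the legitimate domains and every URL are constructed, and the registrable-domain logic is a deliberate simplification with no public suffix list.

```python
"""
Added example (not from the articles or the "Why Phishing Works" study): apply
the address-bar checks recommended above to URLs. Brand list, legitimate
domains and all URLs are constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: brands the checker knows and the registrable domains that
# legitimately serve them.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.com"},
    "exampletrade": {"exampletrade.com", "exampletrade.net"},
}


def registrable_domain(host):
    """Last two labels of the host. A real deployment would consult the public
    suffix list; this simplification mis-handles names such as bank.co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_brand(text):
    """First known brand name that occurs anywhere in the given text, or None."""
    return next((b for b in KNOWN_BRANDS if b in text), None)


def assess_url(url):
    """Return the list of phishing indicators found in a URL that mentions a
    known brand. An empty list means either no known brand is involved or the
    URL points at the brand's own domain over https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    userinfo = (parts.username or "").lower()
    path = parts.path.lower()
    flags = []

    brand = find_brand(" ".join((host, userinfo, path)))
    if brand is None:
        return flags                      # nothing to compare against
    on_legit_domain = registrable_domain(host) in KNOWN_BRANDS[brand]

    # Brand name inside the host, but the registrable domain is someone else's
    # (the "well-known name incorporated into the URL" trick from the study).
    if brand in host and not on_legit_domain:
        flags.append("brand-in-foreign-domain")
    # Brand name in the user@ part: the browser connects to the host after '@'.
    if brand in userinfo:
        flags.append("brand-in-userinfo")
    # Brand name only in the path of a foreign site.
    if brand in path and not on_legit_domain:
        flags.append("brand-in-path")
    if is_ip_literal(host):
        flags.append("ip-address-host")
    # The summaries' last check: a site claiming to be a bank should use https.
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    return flags


def is_suspicious(url):
    return bool(assess_url(url))
```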

.From ACM's TechNews, April 5, 2006.

US Takes Interest in DDoS Attacks
Computer Business Review (04/03/06) Murphy, Kevin

Recent distributed denial-of-service (DDoS) attacks targeting the Internet's domain name system (DNS) have attracted the attention of high-level officials in the U.S. government, who fear that a new technique enabling attack authors to direct far more traffic at their victims could suggest the work of a new breed of cyber criminal motivated by the desire to bring down the Internet altogether. The alarming series of DNS amplification attacks began in December and rose appreciably in February, using spoofed IP addresses and recursion to broaden the scope of attacks. Traditional DDoS attacks use botnets either recruited through spammed Trojans or worms or purchased on the black market, often sufficient to overwhelm smaller sites, but the amplification attacks use a much larger network to target large companies or critical elements of the DNS infrastructure, such as the .com registry. "We're seeing some very deliberate attacks against some high profile targets right now, to showcase the talent of the attacker, so they can get work for the Russian mafia or whoever it may be," said Internet Systems Consortium President Paul Vixie. The ease with which a home PC can spoof its IP address when sending out a packet enables these attacks, provided the author obtains control of a DNS record. The attacker then instructs the bots to issue requests for a particular piece of malware against open recursive name servers. About 50,000 recursive name servers were used in the recent attacks, estimates CTO of UltraDNS Rodney Joffe, who was recently called away from a presentation at an ICANN meeting to brief top U.S. officials. UltraDNS and VeriSign were both targeted in recent attacks. Experts are debating whether the attacks originate from hackers looking for recruitment or terrorists more concerned with the wholesale disruption of economies. Vixie and ICANN agree that the most effective prevention against such attacks would be for ISPs to routinely validate source IPs. Click Here to View Full Article

Your Secrets Are Safe with Quasar Encryption
New Scientist (03/29/06) Knight, Will

Japanese scientists have encrypted messages using quasars, which emit powerful radio waves and are believed to be produced by black holes. Ken Umeno and colleagues at the National Institute of Information and Communications Technology in Tokyo believe the intergalactic radio signals of quasars have the potential to serve as a cryptographic tool because their strength and frequency are impossible to predict. "Quasar-based cryptography is based on a physical fact that such a space signal is random and has a very broad frequency spectrum," says Umeno. The researchers view quasar radio signals as a way to create genuine randomness when encrypting information at high speed, and make it easier for two communicating parties to securely share the source of randomness. Users of the method only need to know which quasar to target and when to start in order to encrypt and decrypt a message. A large radio antenna is not required, and the parties can be located in different hemispheres. International financial institutions, governments, and embassies would benefit from quasar encryption, says Umeno. However, some observers have concerns about the practicality of the method, which is untested, and may be vulnerable to an attacker who is able to mimic the radio signal. Click Here to View Full Article

Building Better Applications: Beyond Secure Coding
Enterprise Systems (03/28/06) Schwartz, Mathew

In the face of mounting security breaches, regulatory requirements, and audits, more companies are working to educate their developers about secure coding, with the goal of creating software with as few vulnerabilities as possible. The premise is that improved training will lead to applications with secure data encryption, strong passwords, and complete input validation. Bad code accounts for as many as 80 percent of the security problems in existence today, wrote security consultant Bar Biszick-Lockwood in an IEEE report. As part of an IEEE group commissioned to study secure computing, however, Biszick-Lockwood found that most security problems emerge from constrained budgets, unreasonable deadlines, and a lack of support from executives, rather than inadequate training. Bad code is more often indicative of business problems than a flawed development team. The data breach notification emails that customers receive with alarming frequency speak more to a basic misunderstanding of the business value of security at a decision-maker level than to an error in a specific application. Executive education is the first place to start when trying to develop a culture of secure computing, says Herbert Thompson of Security Innovation. Since selling executives on the value of an education program can be tough, developers can use a calculus that identifies potential flaws at each stage of development, weighing the cost of fixing bad code before it is released compared with fixing it after the release. With senior management on board, development teams must then adjust their thinking to account for what constraints need to be built into the application from the outset, rather than simply focusing on the application's core functionality. Once a project is completed, companies must subject their code to rigorous security testing just as they test for functionality, attacking it as a hacker would. Click Here to View Full Article

An Image of the Future: Graphical Passwords
Information Today (03/06) Vol. 23, No. 3, P. 39; Poulson, Deborah

Computer users frustrated with having to remember a multitude of alphanumeric passwords will welcome the development of graphical passwords, writes Deborah Poulson. First patented by physicist and entrepreneur Greg Blonder in 1996, graphical passwords work by displaying an image on a touch-screen or pen-based computer, and prompting the user to select the areas in the image, called click points, that form a password. To work, the image must be sufficiently complex, such as a city skyline, and users must be on the lookout for password thieves trying to shoulder surf, or steal a password by observing the click points, just as thieves observe keystrokes to steal conventional passwords. But researchers at Rutgers University are developing a graphical password that is invulnerable to shoulder surfing. In their tests, users chose 10 icons from a pre-selected list, which were then mixed up on the screen with 200 other icons. Rather than clicking on the icons themselves, the subjects clicked inside the geometric shape that would be formed by lines drawn to connect the icons. Correctly identifying 10 shapes validates the user. Shoulder surfing becomes impossible when a user never clicks on the actual icons, said Rutgers computer science professor Jean-Camille Birget. The problem with the icon-based password is that it takes too long, due to the multiple rounds of selecting icons. Though Birget believes icon-based passwords may only be used in environments where shoulder surfing is a serious problem, he said test subjects in his experiments did not notice the extra time required to select the icons. Click Here to View Full Article - Web Link to Publication Homepage
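Added example, not code from the article or from the Rutgers researchers: a small Python model of the convex-hull click scheme described above, with 10 pass-icons among 200 decoys, a fresh random layout each round, and a server-side check that every click lands inside the polygon spanned by that round's pass-icons. Screen size, icon names, round count and the seeded layout generator are constructed assumptions.

```python
"""
Added example (not from the article or the Rutgers work): a minimal model of
the convex-hull click scheme. Each round scatters the user's pass-icons among
decoy icons; the user clicks anywhere inside the polygon (convex hull) spanned
by the pass-icons, never on an icon itself, so an observer learns only a point
inside a region. Screen size, icon names and round count are constructed.
"""
import random

SCREEN_W, SCREEN_H = 1024, 768
ROUNDS = 10
ALL_ICONS = [f"icon{i:03d}" for i in range(210)]   # 10 pass-icons + 200 decoys
PASS_ICONS = ALL_ICONS[:10]                         # constructed user secret


def cross(o, a, b):
    """2D cross product of OA x OB; the sign gives the turn direction."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Andrew's monotone chain; returns hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts
    lower = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def inside_hull(hull, click):
    """True if the click lies inside or on the boundary of the CCW hull."""
    if len(hull) < 3:
        return False
    for i in range(len(hull)):
        if cross(hull[i], hull[(i + 1) % len(hull)], click) < 0:
            return False
    return True


def layout_round(all_icons, rng):
    """Constructed layout: every icon gets a random screen position this round."""
    return {icon: (rng.randrange(SCREEN_W), rng.randrange(SCREEN_H)) for icon in all_icons}


def round_hull(layout, pass_icons):
    return convex_hull([layout[icon] for icon in pass_icons])


def verify_login(all_icons, pass_icons, clicks, seed):
    """Server-side check: all ROUNDS clicks must fall inside their round's hull.
    The seed stands in for the layout the server generated for this session."""
    if len(clicks) != ROUNDS:
        return False
    rng = random.Random(seed)
    ok = True
    for click in clicks:
        layout = layout_round(all_icons, rng)
        # Evaluate every round so timing does not reveal which round failed.
        ok &= inside_hull(round_hull(layout, pass_icons), click)
    return ok


def centroid(hull):
    """The vertex average, which always lies inside a convex polygon."""
    n = len(hull)
    return (sum(p[0] for p in hull) / n, sum(p[1] for p in hull) / n)


def simulate_legit_clicks(all_icons, pass_icons, seed):
    """What a user who knows the pass-icons would click, given the same layouts."""
    rng = random.Random(seed)
    clicks = []
    for _ in range(ROUNDS):
        layout = layout_round(all_icons, rng)
        clicks.append(centroid(round_hull(layout, pass_icons)))
    return clicks
```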

.From EduPage, April 3, 2006.

Report Estimates Extent Of Identity Theft
PCWorld, 3 April 2006

According to data from the National Crime Victimization Survey, which is conducted by the U.S. Department of Justice, identity theft affected an estimated 3.6 million households--with losses totaling $3.2 billion--in the first six months of 2004. The survey contacts a random sample of 42,000 households every six months and follows them for three years. The new data are from the first instance of the survey to specifically address identity theft. The most common types of theft were from unauthorized use of credit cards. Households with annual incomes of more than $75,000 and those headed by individuals between 18 and 24 years old were more likely to suffer identity theft, though the survey did not investigate the possible reasons behind these trends. http://www.pcworld.com/news/article/0,aid,125291,00.asp

.From ACM's TechNews, April 3, 2006.

The Spies Inside
InformationWeek (03/27/06) No. 1082, P. 34; Chabrow, Eric

Law enforcement officials, IT professionals, and industry watchdogs are taking new approaches to controlling PC adware and spyware, as past efforts have yielded few effective measures. Organized criminal groups are involved in much of the spyware designed to steal individual identities, money, and trade secrets, according to Chris Painter with the U.S. Justice Department. Spyware is a problem with an international scope, and is harder to curb because much of the malware installed on PCs hails from nations where virtual crime is a great temptation to skilled but underemployed people. Adware, meanwhile, is employed to track users' Web habits for marketing and advertising purposes, sometimes without users' consent; critics draw little if any distinction between adware and spyware, given the surreptitious nature of both, according to Overstock.com's Jonathan Johnson. The threat of adware and spyware is prompting PC users to exercise more caution when surfing the Web or trying new software. FTC action against adware company 180solutions was requested by the Center for Democracy and Technology in January on the grounds that the company repeatedly and intentionally attempted to trick Internet users into downloading intrusive software. 180solutions paid Web publishers or affiliates to distribute the software without adequate oversight to make sure installation proceeded only when user permission was secured; 180solutions claims it spent $2.5 million on software to deter this practice, but the software is not foolproof. Criticism from the likes of the Center for Democracy and Technology may spur adware to reform such deceptive methods and attain a measure of legitimacy as an advertising medium, eventually becoming a workable tool for people to access free content. Click Here to View Full Article

.From EduPage, March 29, 2006.

MIT Conference Addresses E-Mail Problems
CNET, 28 March 2006

Attendees at the 2006 Spam Conference at MIT agreed that filters and other technologies designed to prevent spam from reaching its intended targets merely address the symptoms without doing anything about the underlying problem. Many were similarly dismissive of proposals to charge a fee to senders of e-mail, saying that such an approach runs counter to the fundamental tenets of the Internet. Phil Raymond of Vanquish Labs compared a fee system to having first class and cattle cars on a train, suggesting that "some of [the cattle] cars will be left behind completely." Presenters at the conference instead urged adoption of economic incentives that would encourage users to be good e-mail citizens. Raymond, for example, proposed a system under which bulk e-mailers would be required to post a bond, against which recipients of those e-mails could make claims if they deemed messages to be spam. Opinions were mixed, however, about the CAN-SPAM Act. Jon Praed of the Internet Law Group said the legislation has done little to discourage spammers while placing new burdens on legitimate e-mail marketers. In contrast, Aaron Kornblum, a member of Microsoft's antispam legal team, said the law was the basis for 70 civil lawsuits that Microsoft has filed against spammers since January 1, 2004. http://news.com.com/2100-7348_3-6055171.html

.From ACM's TechNews, March 29, 2006.

Professor to Try to Hack Voting Machines
Pittsburgh Post-Gazette (03/27/06) Sherman, Jerome L.

After promising to pay $10,000 to anyone who can hack into a touch-screen voting machine without being detected, Carnegie Mellon computer science professor Michael Shamos is going to try himself. With thousands of computer scientists having raised doubts about the security of voting machines, Shamos will travel to Harrisburg to test the Sequoia AVC Advantage machine that Allegheny County intends to purchase. He has conducted more than 100 tests on voting machines in five states, and feels that he is better qualified than most to assess the vulnerability of e-voting machines. To meet the requirements for federal aid under the Help America Vote Act, Pennsylvania must have updated equipment in all of its counties. "If the system meets the requirements of Pennsylvania law, I'll recommend it," Shamos said. "If it doesn't, I'll have no hesitation in recommending against certification, even though it would throw elections in this county into a tizzy." Shamos has been certifying voting machines in Pennsylvania since 1980, and had been ready to quit the business when the 2000 election fiasco occurred, prompting a new level of concern about voting machine reliability. Shamos has tested the Advantage machine before, and this time he will spend up to nine hours searching for flaws in the machine's security, reliability, or usability. Voting rights advocates in Allegheny County have raised concerns similar to those of the Verified Voting Foundation, the California-based organization that has led the call for equipping machines with a mechanism to produce a paper trail for voters to confirm the accuracy of their ballot. David Dill, the organization's founder and a former student of Shamos', favors optical scan devices, but Shamos says those systems can fall prey to human error as well, and that no evidence of fraud has yet appeared. Shamos has never approved the addition of a paper trail to any system. 
A report entitled "Statewide Databases of Registered Voters--Study of Accuracy, Privacy, Usability, Security, and Reliability Issues" by ACM's U.S. Public Policy Committee is available at http://www.acm.org/usacm/VRD Click Here to View Full Article

Council to Draw Up Cyberattack Response
Washington Technology (03/27/06) Lipowicz, Alice

The IT Sector Coordinating Council is in talks to set up a national IT disaster response system as it prepares to draft a sector-specific plan for protecting the nation's computer networks against a terrorist attack or other disasters, says Guy Copeland, the group's chairman and Computer Sciences vice president. The council is asking for ideas from the IT industry and the Homeland Security Department as it starts work on the sector-specific critical infrastructure protection plan at its April 4 meeting, Copeland says. The council expects the plan to be complete by September. One of the main goals during the drafting of the plan is to involve government officials very early on in the process, since IT companies have complained in the past that they have not been asked for their input on infrastructure protection by federal agencies until the last minute, says Copeland. Some issues affecting the IT council include whether and how IT companies should share sensitive data about their cyber vulnerabilities with the government, how that information will be protected and used, protocols for sharing information with other sectors, and how to assess the vulnerability of IT assets. The council consists of 33 members and was organized back in November 2005 as one of 17 sector councils representing water, energy, financial services, food, and other areas. Click Here to View Full Article

.From EduPage, March 24, 2006.

Survey Suggests Widespread Privacy Violations
Chronicle of Higher Education, 23 March 2006 (sub. req'd)

A study conducted by Bentley College and software company Watchfire indicates that nearly three-quarters of colleges and universities in California fail to comply with a state law concerning the collection and use of personal information. The California Online Privacy Protection Act of 2003 requires organizations that collect such information online to clearly post privacy policies on their home pages and on every page from which personal information is collected. According to the study, which examined the Web sites of 236 institutions, only 28 percent had privacy policies linked from their home pages. Moreover, every one of the 236 institutional Web sites had at least one page that collects personal data without encrypting it. Mary Culnan, management professor at Bentley and author of the report, said she hopes these results serve "as a wake-up call to students, alumni, and prospective students." http://chronicle.com/daily/2006/03/2006032301t.htm

.From ACM's TechNews, March 24, 2006.

DNS Servers Do Hackers' Dirty Work
CNet (03/24/06) Evers, Joris

Hackers have begun using DNS servers to magnify the scope of Internet attacks and disrupt online commerce in a variation on the traditional distributed denial-of-service (DDOS) attack. VeriSign sustained attacks of a larger scale than it had ever seen last year. Rather than the typical bot attack, VeriSign was being targeted by domain name system servers. "DNS is now a major vector for DDOS," said security researcher Dan Kaminsky. "The bar has been lowered. People with fewer resources can now launch potentially crippling attacks." DNS-based DDOS attacks follow the familiar pattern of inundating a system with traffic in an effort to bring it to a halt, though the hackers responsible for the attacks are more likely to be professional criminals looking to extort money than teenagers simply pulling off a prank. In a DNS-based DDOS attack, the attacker would likely dispatch a botnet to flood open DNS servers with spoofed queries. DNS servers appeal to hackers because they conceal their systems, but also because relaying an attack via a DNS server amplifies the effect by as much as 73 times. DNS inventor Paul Mockapetris likens the DNS reflector and amplification attack to clogging up someone's mailbox. Writing and mailing letters to that person would be traceable and time-consuming, while filling out the person's address on numerous response request cards from magazines will cause large quantities of mail to pile up quickly without divulging the responsible party's identity. In a bot-delivered attack, users can block traffic by identifying the attacking machines, though blocking a DNS server could disrupt the online activities of large numbers of users. The DNS servers that permit queries from anyone on the Internet, known as open recursive name servers, are at the core of the problem. Mockapetris called the operators of these open servers the "Typhoid Marys of the Internet," and said "they need to clean up their act." Click Here to View Full Article
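Added example serving both DNS amplification summaries above (this one and the Computer Business Review piece of April 5); it is not code from either article. A Python pass over constructed resolver log lines computes a per-client response/query byte ratio and flags large-ratio query bursts arriving from outside the networks the resolver is meant to serve, which are the two conditions the articles identify: amplification and open recursion. The log format, addresses, served networks and thresholds are all constructed.

```python
"""
Added example (not from the articles above): spot DNS reflection/amplification
abuse in a resolver's own logs. Two defender-side signals: (1) the resolver is
answering clients outside the networks it is supposed to serve (an open
recursive resolver), and (2) answers are many times larger than the queries
that triggered them (the amplification factor). Log format, addresses and
thresholds are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed log: timestamp client qname qtype query_bytes response_bytes
SAMPLE_LOG = """\
2006-03-24T10:00:01 192.0.2.10 www.example.net A 45 61
2006-03-24T10:00:02 203.0.113.7 big.example.org TXT 48 3512
2006-03-24T10:00:02 203.0.113.7 big.example.org TXT 48 3512
2006-03-24T10:00:03 198.51.100.21 big.example.org ANY 48 3980
2006-03-24T10:00:03 198.51.100.21 big.example.org ANY 48 3980
2006-03-24T10:00:04 192.0.2.33 mail.example.net MX 47 112
2006-03-24T10:00:05 203.0.113.7 big.example.org TXT 48 3512
"""

# Networks this resolver is meant to serve (constructed).
SERVED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
AMPLIFICATION_THRESHOLD = 20.0   # response/query byte ratio worth alerting on
MIN_QUERIES = 2                  # ignore a single large answer


def parse_line(line):
    ts, client, qname, qtype, qbytes, rbytes = line.split()
    return {"ts": ts, "client": ipaddress.ip_address(client), "qname": qname,
            "qtype": qtype, "qbytes": int(qbytes), "rbytes": int(rbytes)}


def is_served_client(addr):
    return any(addr in net for net in SERVED_NETWORKS)


def analyze(log_text):
    """Per-client summary: query count, amplification factor, open-recursion
    flag, and an overall 'suspicious' verdict.

    In a reflection attack the client address is the spoofed address of the
    victim, so a suspicious entry tells the operator that this resolver is
    being used as a reflector and who is being hit, not who the attacker is."""
    per_client = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0,
                                      "qtypes": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        s = per_client[rec["client"]]
        s["queries"] += 1
        s["qbytes"] += rec["qbytes"]
        s["rbytes"] += rec["rbytes"]
        s["qtypes"].add(rec["qtype"])

    findings = []
    for client, s in per_client.items():
        factor = s["rbytes"] / s["qbytes"]
        external = not is_served_client(client)
        findings.append({
            "client": str(client),
            "queries": s["queries"],
            "qtypes": sorted(s["qtypes"]),
            "amplification": round(factor, 1),
            "external_client": external,
            "suspicious": (external and s["queries"] >= MIN_QUERIES
                           and factor >= AMPLIFICATION_THRESHOLD),
        })
    return findings


def suspicious_clients(log_text):
    """Sorted addresses that are being reflected at through this resolver."""
    return sorted(f["client"] for f in analyze(log_text) if f["suspicious"])
```

The fix the articles point to is configuration rather than detection: restrict recursion to the served networks, and have ISPs drop packets whose source address they did not assign.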

.From EduPage, March 20, 2006.

Microsoft Targets Phishers
ZDNet, 20 March 2006

Microsoft has announced its intention to use trademark laws to confront the operators of phishing scams. Phishers set up bogus Web sites designed to look like legitimate sites and trick users into entering confidential information. At a press conference in Brussels, Microsoft said it would level trademark-violation charges against outfits that pose as Microsoft sites such as Hotmail or MSN. The Global Phishing Enforcement Initiative will target more than 100 sites in Europe, the Middle East, and Africa. Also part of the initiative will be stronger ties between Microsoft and international law enforcement agencies, including Interpol, to fight phishers. Microsoft's strategy may prove more successful at defeating phishers than prosecutions that depend on evidence that the sites in question had actually defrauded users. Microsoft's legal approach would simply need to demonstrate that site operators infringed on the company's trademarks. http://news.zdnet.co.uk/internet/security/0,39020375,39258528,00.htm

.From ACM's TechNews, March 20, 2006.

Enigma Project Cracks Second Code
BBC News (03/15/06)

Thousands of online codebreakers continue to use distributed computing power to decrypt three German codes that Allied forces were unable to crack during World War II. Participants in the M4 Project, named after the M4 Enigma machine Germany used to encode its messages, have one remaining code to crack. The remaining code is actually the first message the online codebreakers attempted to crack, and all combinations available on German army and three-ring Enigma machines have been tried. However, they did not try combinations associated with the sophisticated four-ring Enigma used to encode the messages. The online codebreakers recently cracked a message that provided information about the aftermath of a battle with an Allied vessel, and it followed the first breakthrough on Feb. 20, 2006, involving a code that proved to be a confirmation of a message from the commander of a German U-boat. War experts at Bletchley Park were unable to crack the messages sent in 1942 because Germany used a new code book and a different version of the Enigma machine. Amateur historian Ralph Erskine discovered the codes and passed them on to a cryptography journal in 1995 as an exercise for codebreakers. Click Here to View Full Article

.From EduPage, March 17, 2006.

No Improvement For Federal Agencies In Network Security
Federal Computer Week, 16 March 2006

The House Government Reform Committee has once again issued a failing report card on computer security at federal agencies. Despite the fact that five federal agencies were graded A+, overall, agencies earned a D+, the same grade as last year. The grades are based on performance metrics from the Office of Management and Budget. Agencies on "the frontline in the war on terror" were uniformly terrible, according to Rep. Tom Davis (R-Va.), chairman of the committee. The Department of Homeland Security's grade stayed the same this year as last: F. Meanwhile, the grade for the Department of Defense fell from a D to an F, the State Department went from a D+ to an F, and the Department of Justice dropped from a B- to an F. Representatives from federal agencies appeared before the committee, and many of those with failing grades offered explanations about why their scores have remained low. Members of the committee were generally dismissive of the explanations, however, saying that the agencies were simply making excuses. http://www.fcw.com/article92642-03-16-06-Web

Survey Hints At Cybercrime Losses
CNET, 17 March 2006

A recent survey conducted by IBM of CIOs in manufacturing, financial, health-care, and retail industries shows the growing threat of cybercrime on organizational resources. Of the 600 U.S. CIOs in the survey, 57 percent said cybercrime costs their companies more than conventional crime. About 75 percent said the threat from cybercrime comes in part from within their companies. Moreover, 84 percent said hackers are increasingly part of organized crime, not simply individuals working alone. Results from international CIOs in the survey closely followed those of the U.S. companies for most measures, but they diverged on several key points. Among U.S. CIOs, 83 percent said they were prepared to face the threats of cybercriminals, compared to just 53 percent of internationals. http://news.com.com/2100-7350_3-6050875.html

.From ACM's TechNews, March 17, 2006.

Internet Panel Mulls Defenses Against New, Potent Attacks
Associated Press (03/16/06) Bridis, Ted

A new form of cyberattack being dubbed by some as "distributed reflector denial of service" that focuses on the computers that help direct Internet traffic worldwide will be a focus of ICANN's security committee at its upcoming meeting in New Zealand. The attacks, though similar in nature to typical denial of service ones, are far more potent, requiring fewer hacked computers to launch and much simpler to amplify. Researchers have detected around 1,500 such attacks first launched late last year that briefly shuttered commercial Web sites, large ISPs, and leading Internet infrastructure firms. VeriSign chief security officer Ken Silva said that attacks earlier this year used just 6 percent of the Internet's more than a million name servers to flood networks but that the attacks in some instances outpaced 8 gigabits per second, a mega-assault by typical standards. ICANN security committee head Steve Crocker says, "It's like they built a better bomb by having it enriched." Columbia University Internet researcher Steven M. Bellovin says, "A lot of this stuff will take a while to clean up." Possible fixes to vulnerabilities include filters that block out forged data traffic and new limits on specialized name server computers. Click Here to View Full Article

.From ACM's TechNews, March 15, 2006.

Study Says Chips in ID Tags Are Vulnerable to Viruses
New York Times (03/15/06) P. C3; Markoff, John

A team of European security researchers has shown that radio frequency identification (RFID) tags contain a vulnerability that a hacker could exploit to transmit a software virus by infecting even a small portion of the chip's memory. The researchers, associated with the computer science department at Vrije Universiteit in Amsterdam, warn that in addition to the host of privacy concerns raised by the widespread use of RFID tags, the newly discovered vulnerability could enable terrorists or smugglers to pass through RFID luggage scanning systems at airports. The researchers tested software intended to replicate the commercial software in RFID tags, and noted that while they did not have a specific flaw to report, they believe that commercial RFID software contains the same potential vulnerabilities that can be found in the rest of the computer industry. The group's leader, American computer scientist Andrew Tanenbaum, warned specifically of the dangers of buffer overflow, a common programming error throughout the software industry where developers fail to verify all of their input data. The low cost of RFID tags, the critical feature that enables their widespread deployment in tracking cargo, merchandise, and even livestock and pets, is also a security concern, according to SRI International's Peter Neumann, co-author of a forthcoming article in the May issue of the Communications of the ACM. "It shouldn't surprise you that a system that is designed to be manufactured as cheaply as possible is designed with no security constraints whatsoever," Neumann said, citing the potential to counterfeit or deactivate tags, insufficient user identification, and the poor encryption of the U.S. passport-tracking system under development, though he had not previously considered the possibility of viruses or malware. Click Here to View Full Article

.From EduPage, March 13, 2006.

Program Teaches High Schoolers About Computer Security
Wired News, 11 March 2006

High school students at a Catholic school in Rome, New York, are the first to participate in a computer-security course developed by the school, the U.S. Air Force's Research Lab in Rome, and Syracuse University. The 20-week course, which covers topics including data protection, network protocols and vulnerabilities, firewalls, data hiding, and wireless security, is based on a 10-week course developed at the Research Lab. Kamal Jabbour, principal computer engineer at the lab, said the new course was designed in part to encourage students to pursue college degrees and careers in computer security. Eric Spina, dean of Syracuse's engineering and computer science programs, said the program is considerably different from the kind of computer course available in many high schools today. This course, he said, exposes high school students to material not seen by many college students until their junior year. "A high school student with this kind of background," said Spina, "would be an asset anywhere they went." Starting next year, the course will be available statewide and could be offered nationally by 2008. http://www.wired.com/news/wireservice/0,70396-0.html

.From EduPage, March 8, 2006.

Attacks On The Rise, With More Money At Risk
Yahoo, 8 March 2006

In a new report, computer security firm Symantec says the number of Internet attacks is rising and that the motive for such attacks is increasingly money. The report is based on data gathered from 40,000 security devices from around the world and covers Internet mischief ranging from spam and adware to network attacks and phishing scams. Although many hackers formerly plied their trade merely to demonstrate what they could do, Internet scams such as phishing are designed to put money into the hands of online thieves. Symantec noted that the tools used to launch Internet attacks are becoming very sophisticated, and the report also highlights the fact that many networks remain poorly protected despite simple means to increase security against such threats. Javier Santoyo, development manager at Symantec Security Response, said, "Just letting users know about configuration management and maybe installing heuristics-based solutions on desktops goes a long way." http://news.yahoo.com/s/nf/20060308/tc_nf/41987

.From EduPage, March 6, 2006.

Hacker Accesses Georgetown Server
ComputerWorld, 6 March 2006

An external hacker has accessed a server at Georgetown University, according to officials from the Washington, D.C., institution. The server contained personal information on more than 41,000 individuals being tracked by the District of Columbia's Office of Aging. The office was working with the university as part of a grant to manage the information. According to the university, the breach was discovered on February 12. Although the server was immediately taken offline, the Office of Aging was not notified until February 24 because school officials did not understand the scope of the exposure for some time. The Secret Service was then notified and is working with the university to try to identify the hacker. David Lambert, CIO at Georgetown, said the university would undertake a thorough review of its computer systems, "focused on enhancing the security of confidential information contained on campus and departmental servers." http://www.computerworld.com/

.From EduPage, March 1, 2006.

New Virus Jumps From Pcs To Mobile Devices
PCWorld, 28 February 2006

The Mobile Antivirus Researchers Association (MARA) announced a new virus that can move from PCs to mobile devices. A text file that comes with the virus says it is a proof-of-concept but hints that others will follow, saying "now it's one big world open to all." On a PC, the virus replicates repeatedly and copies itself into the registry, eventually affecting performance. The virus transfers itself to mobile devices through ActiveSync, Microsoft's application that synchronizes data between computers and portable devices. When the virus reaches a mobile device that is running Windows CE or Mobile OS, it deletes all of the files in the My Documents folder. MARA will provide the virus code to antivirus companies and security experts. http://www.pcworld.com/news/article/0,aid,124887,00.asp

.From the New York Times: "Cyberthieves Silently Copy Your Passwords as You Type," by Tom Zeller -- Read the article.

.From the Washington Post: "Invasion of the Computer Snatchers," by Brian Krebs -- Read the article.

.From the Chicago Tribune: "Apple Hackers Encounter a Poetic Warning," by May Wong -- Read the article.

.From ACM's TechNews, February 10, 2006.

Academics Warn of 'Significant Threat' of Spyware Epidemic
SC Magazine (02/07/06) Eazel, William

University of Washington computer science professor Hank Levy calls spyware the top download for unsuspecting Web surfers. Levy is the co-author of a new study that found that more than one in 20 executable files contained piggyback spyware, and that one in 62 Web addresses engaged in drive-by attacks or forced spyware on those who visited a Web site. The UW research team, which also included associate professor Steven Gribble and graduate students Alexander Moshchuk and Tanya Bragin, examined more than 20 million Internet addresses for the study. "We wanted to look at it from an Internet-wide perspective--what proportion of Web sites out there are trying to infect people?" says Levy. "If our numbers are even close to representative for Web areas frequented by users, then the spyware threat is extensive," says Levy. The researchers found game and celebrity Web sites to be the greatest risk for piggyback spyware, and pirate software sites to represent the foremost threat for a drive-by attack. Although most piggyback spyware was adware, about 14 percent was malicious, the kind of programs that steal passwords and financial information or even disable computers. Click Here to View Full Article

Turning the Worm Secures the Computer
New Scientist (02/04/06) Vol. 189, No. 2537, P. 32; Biever, Celeste

Experts predict that computer worms are set to become a powerful force and that beneficial worms will quickly spread through networks and patch machines before a malicious worm can attack. Researchers have wanted to fight bad worms with good ones for a long time and now it appears they are finally getting their chance. "We're talking about fighting fire with fire," says Immunity's David Aitel. In the past, "patching worms" were used by virus-writing gangs to try to stop the spread of worms deployed by their competitors. Legitimate users have been cautious of releasing patching worms because they are hard to control, raising concerns that the originator would be responsible if one were to crash computers it was not designed to patch. Aitel says he has fixed this problem by programming the beneficial worms to visit only computers on a particular network. He calls the worms "nematodes," which are programmed with a map of the network that tells them the range of IP addresses of all the machines they have permission to invade. The "polite" worms can be programmed to ask a central server to grant them permission to invade. Aitel recommends using the domain name system (DNS) server to guarantee that the infected computer always has access to that central server. Every computer on the network must have access to the DNS server at all times, because they contact it every time they visit a Web page. Click Here to View Full Article

.From ACM's TechNews, February 8, 2006.

Paid E-Mail Seen as Sign of Culture Change
Washington Post (02/07/06) P. D5; Musgrove, Mike

Yahoo! and America Online have announced that they will soon start offering companies the voluntary option of paying for ensured delivery of emails in their subscribers' inboxes, a move that SpamCop founder Julian Haight called "another nail in the coffin of email in general." He said the concept "kills the whole openness of the email system on the Internet," while AOL's Nicholas Graham said the idea is to provide a choice "for people who simply want to have their email delivered in a different way." He added that AOL is providing this service in response to subscriber complaints that they have no way of telling if their emails are legitimate or a ruse by con artists. Emails sent through the new service will be accompanied by a seal of certification to establish confidence among recipients that the messages are authentic. Companies using the service will pay a cent or less per piece to send; Goodmail Systems will handle email sent via the program, and the messages will not be filtered as most emails to AOL subscribers are as part of AOL's anti-spam efforts. Anti-Spam Research Group Chairman John Levine finds the prospect of paid email to be both "depressing and inevitable," while Heller Information Services President Paul Heller said a lot of people are unsettled by the Yahoo! and AOL programs because Web users have always looked upon email as a free and open service. "Logically, it's just an extension of advertising that you see on the page when you log on to AOL," he noted. AOL is slated to roll out its paid email service in the next few months, while Yahoo! remains mute about its program. Click Here to View Full Article

It's Time to Arrest Cyber Crime
Business Week (02/02/06) Horn, Paul

Profits from cyber crime were higher than profits from the sale of illegal drugs for the first time last year, according to Valerie McNiven, a U.S. Treasury Department advisor. "Cyber crime is moving at such a high speed that law enforcement cannot catch up with it," McNiven says. Cyber crime is now driven by profit, with an estimated 85 percent of malware created specifically for profit. The FBI lists fighting cyber and technology crime at number three on its list of top 10 priorities. Since cyber criminals are becoming more organized, experts say a new approach to fighting cyber crime is needed in three key areas: people, policies, and technology. The "people factor" aspect of the solution is figuring out how hackers work and what makes them tick. Behavioral insight will help fight intrusions into the network as well as extrusions of data out of it. Policy is another issue that must be dealt with by organizations by establishing expectations for behaviors and outcomes in order to create a secure business environment. The implementation of security policies allows companies to protect their data. More than 40 organizations recently came together to form the Data Governance Council, a group designed to go beyond the traditional approaches to security, privacy, compliance, and operational-risk policy. Technology such as encryption is another challenging issue companies must face and learn how to extend to every touchpoint on the network. It is estimated that more than half of all corporate data is on someone's PC, PDA, or cellular phone. Cyber crime is now the crime of the 21st century, but with the right people, policies, and technology in place, it can be fought, writes IBM Research vice president Paul Horn. Click Here to View Full Article - Web Link May Require Free Registration

.From EduPage, February 8, 2006.

Bill Would Forbid Unnecessary Storing Of Data
ZDNet, 8 February 2006

A bill introduced by Rep. Ed Markey (D-Mass.) would require operators of Web sites to delete information about the site's users unless the site had a "legitimate" need to preserve that data. Information covered by the bill includes names, addresses, phone numbers, e-mail addresses, and other data, and all Web sites would be subject to the legislation, including those operated by individuals and nonprofits. According to Markey, the Eliminate Warehousing of Consumer Internet Data Act of 2006 is intended to address two issues: identity theft and government subpoenas of Internet data from Web sites including Google and Yahoo. Markey said personal information about Internet users "should not be needlessly stored to await compromise by data thieves or fraudsters, or disclosure through judicial fishing expeditions." http://news.zdnet.com/2100-9595_22-6036951.html

McAfee Tackles Bots
TechWorld, 8 February 2006

McAfee has introduced a new tool designed to defend against bots. Most distributed denial-of-service (DDoS) attacks are carried out by networks of computers running automated programs, or bots, that are controlled centrally. So-called botnets typically consist of thousands of computers hijacked by a hacker who can use them to launch DDoS attacks. Most attacks involve bots sending thousands of incomplete packets to the targeted server, which may be overwhelmed by the traffic. Defending against such attacks is difficult because it is not easy to distinguish legitimate traffic from DDoS traffic, and system administrators do not want to inadvertently block legitimate server requests. McAfee said that its new system, called Advanced Botnet Protection, is able to identify traffic that consists of incomplete packets, allowing network operators to separate malicious botnet traffic and avoid DDoS attacks. http://www.techworld.com/security/news/index.cfm?NewsID=5326&inkc=0

.From EduPage, February 1, 2006.

Five Companies Cooperate Against Spyware
BBC, 1 February 2006

A group of computer security companies is cooperating on an initiative to help consumers combat the growing problem of spyware, which is estimated to be increasing by 50 to 100 percent per year. ICSA Labs, McAfee, Symantec, Thompson Cyber Security Labs, and Trend Micro will initially offer tools that will help users identify spyware on their systems and effectively remove it. That effort will involve developing a common naming scheme for malicious programs and a coordination of various removal tools. Later, the five members of the group will work on tools that can help users avoid spyware in the first place. A related effort called Stop Badware was announced recently by Google, Sun Microsystems, the Berkman Center for Internet and Society, and the Oxford Internet Institute. http://news.bbc.co.uk/2/hi/technology/4669304.stm

.From ACM's TechNews, February 1, 2006.

The Computer Virus Comes of Age
Financial Times (01/30/06) P. 6; Palmer, Maija

The appearance of the Brain virus 20 years ago touched off an age of computer vulnerability that has advanced from a slow-moving, innocuous virus transmitted via floppy disk to modern estimates of around 120,000 viruses, some of which are capable of bringing down corporate networks and intercepting sensitive personal information. The roughly 1 billion Internet users, many of whom use high-speed connections, enable viruses to travel far more quickly today than they did in the days of Brain. MyDoom, for instance, spread through email, infecting an estimated 250,000 computers a day in 2004. Sophos' Graham Cluley estimates that a computer operating without anti-virus software has a 50 percent chance of being infected by a virus if it is connected to the Internet for just 15 minutes, even if it transmits no email and stays off of the Web. Antivirus software is reasonably effective at keeping intruders out, but it comes at a tremendous expense (spending on antivirus software is expected to reach $5.9 billion by 2009) and drains a computer's processing power. Whereas early viruses were relatively benign, often the product of a teenager showing off for his friends, virus writers have grown more malicious, deploying programs that erase hard drives, crash networks, and swipe identities. Today's viruses do not make the same headlines as the infamous Love Letter and Anna Kournikova viruses early in the decade, but they are far more destructive, and often the product of organized criminal gangs. "Now that the goal is for profit, we are seeing fewer big outbreaks of viruses," said McAfee's Sal Viveros. "The virus writers don't want to make headlines, they want to target a smaller number of people for specific information." A U.S. Treasury advisor reports that revenue from cybercrime now exceeds the illegal drug trade, and the trend is only likely to accelerate should hackers turn their sights to mobile devices. Click Here to View Full Article

Browsers Face Triple Threat
Techworld (01/31/06) Broersma, Matthew

Researcher Michal Zalewski says there are three bugs, which he calls "cross site cooking," in the handling of cookies that could possibly be used to carry out attacks on several commercial Web sites. "Cooking" attacks may be used against commercial sites to overwrite stored preferences, session identifiers, authentication data, and shopping cart contents to commit fraud, according to Zalewski. The bugs concern how browsers accept and scope cookies, and they have not been fixed in the major browsers, even though they were first discovered eight years ago. "These shortcomings make it possible (and alarmingly easy) for malicious sites to plant spoofed cookies that will be relayed by unsuspecting visitors to legitimate, third-party servers," wrote Zalewski in a post to the BugTraq security mailing list. Browsers normally reject cookies where the domain specified is too broad; however, that check does not work in Mozilla-based browsers. The bug can be used against some sites with international domain names and possibly to steal information from e-commerce Web sites around the world, according to Zalewski. He suggests making changes in the HTTP cookie format, and implementing a workaround where browsers could keep a list of potentially affected high-ranking domains. Zalewski says browser vendors must take action and strip the "idle" periods out of cookie domain data as a possible solution to the problem. Click Here to View Full Article
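An added, illustrative example (not from the article, from Zalewski's post, or from any browser's code) of the Domain-attribute check the summary says browsers should apply: reject a cookie scoped to a whole public suffix, normalise away trailing ("idle") periods before comparing, and require the requesting host to be the cookie domain or a subdomain of it. The public-suffix list here is a small constructed subset.

```python
"""Cookie Domain-attribute acceptance check (added example)."""
from typing import Optional

# Constructed subset of public suffixes; a real implementation would consult
# the full public suffix list rather than this hand-picked set.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "pl", "com.pl"}


def normalize_domain(domain: str) -> str:
    """Lower-case and strip surrounding whitespace and dots.

    The trailing dot is the "idle" period from the article: without this step
    "co.uk." would not equal the listed suffix "co.uk" and would slip past
    the breadth check while still matching every host under .co.uk."""
    return domain.strip().lower().strip(".")


def is_public_suffix(domain: str) -> bool:
    return normalize_domain(domain) in PUBLIC_SUFFIXES


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Host equals the cookie domain or is a subdomain of it."""
    host = normalize_domain(host)
    cookie_domain = normalize_domain(cookie_domain)
    return host == cookie_domain or host.endswith("." + cookie_domain)


def accept_cookie_domain(request_host: str, cookie_domain: Optional[str]) -> bool:
    """Decide whether a Set-Cookie Domain attribute sent by request_host may be honoured.

    Returns True for a host-only cookie (no Domain attribute), False when the
    domain is empty, is a public suffix (too broad: the cookie would be relayed
    to every site under that suffix), or does not cover the requesting host."""
    if cookie_domain is None:
        return True
    d = normalize_domain(cookie_domain)
    if d == "" or is_public_suffix(d):
        return False
    return domain_matches(request_host, d)


# Constructed cases mirroring the scenarios in the summary.
CASES = [
    ("shop.example.co.uk", "example.co.uk", True),   # normal scoping
    ("shop.example.co.uk", ".co.uk", False),         # too broad: whole public suffix
    ("shop.example.co.uk", "co.uk.", False),         # trailing dot must not bypass the check
    ("evil.example.org", "example.com", False),      # not a parent of the requesting host
    ("shop.example.co.uk", None, True),              # host-only cookie
]


def run_cases():
    """Return one bool per case: True when the decision matches the expectation."""
    return [accept_cookie_domain(h, d) == expected for h, d, expected in CASES]


if __name__ == "__main__":
    for (host, domain, expected), ok in zip(CASES, run_cases()):
        print(f"{host!r} Domain={domain!r}: expected {expected}, {'ok' if ok else 'MISMATCH'}")
```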

.From ACM's TechNews, January 30, 2006.

"Panel: Cybercrime Will Grow in 2006"
Federal Computer Week (01/25/06); Arnone, Michael

Federal cybersecurity experts at a Washington, D.C., discussion on cybersecurity crime, sponsored by Symantec, said cybercrime will increase dramatically this year and have more incidents than in 2005, which can be attributed to the desire to make a profit, rather than fame. Criminals are now going after retirement and 401(k) accounts, says the U.S. Secret Service's Larry Johnson. Symantec's Art Wong says that in the next 12 to 18 months, more cyber attacks will be driven by financial gain with an emphasis on creating malware, bot networks, and other harmful tools that are designed to take down a network. Wong advises consumers to educate themselves on the dangerous environment to avoid becoming victims. Andy Purdy at the Department of Homeland Security (DHS) expects criminals to eventually move from committing financial crimes to attacking critical infrastructure and government operations. Purdy says the DHS has released a revised draft version of the National Infrastructure Protection Plan (NIPP) to help protect the nation's cyber infrastructure. "It's important to realize that there is a tendency to think we know what we're supposed to do," says Purdy. "As attacks become more sophisticated, we need more-sophisticated defenses." Click Here to View Full Article

.From EduPage, January 27, 2006.

Spam Penalties Accrue
Wired News, 26 January 2006

A federal judge has issued a summary judgment in favor of AOL in its lawsuit against a man AOL describes as "the poster child for the CAN-SPAM Act." Christopher William Smith was accused of sending billions of e-mail messages in violation of the federal statute. Smith's attorneys withdrew from the case several months after it was filed, and U.S. District Judge Claude Hilton said that Smith "refused to participate in this case, willfully disregarding...discovery obligations and failing to comply with multiple court orders." In light of Smith's behavior, Hilton issued a $5.3 million judgment against Smith, to be paid to AOL, as well as ordering him to pay $287,000 in legal fees for the ISP. Smith is currently in custody in Minnesota, waiting to be tried for criminal drug charges stemming from his operating an online pharmacy. http://www.wired.com/news/technology/0,70098-0.html

Lawsuits Target Maker Of Bogus Spyware Tools
ZDNet, 25 January 2006

The State of Washington and Microsoft have filed separate lawsuits against Secure Computer, a company they accuse of running a bogus antispyware racket. According to the complaints, Secure Computer used pop-up ads and other tools to tell computer users that their computers were infected with spyware and to offer a service, Spyware Cleaner, that would remove the unwanted software for $49.95. Microsoft and Washington Attorney General Rob McKenna said that the scan that supposedly revealed spyware was bogus and that the removal service in fact left computers more vulnerable to spyware. Moreover, the complaints contend that Secure Computer's messages implied that the service was in some way connected to or endorsed by Microsoft. The lawsuits allege that Secure Computer violated a recently enacted Washington Computer Spyware Act and three other laws. An attorney representing Secure Computer said the company was shocked at the legal action and would respond shortly. http://news.zdnet.com/2100-1009_22-6031108.html

Ameriprise Laptop With Personal Data Stolen
New York Times, 25 January 2006

A laptop containing information on 230,000 individuals was stolen from the car of an employee of Ameriprise Financial in December, according to the company. The computer included names and Social Security numbers for more than 70,000 financial advisors, and names and Ameriprise account numbers for 158,000 customers of the firm, which was spun off of American Express last year. Andy MacMillan, a spokesperson from the company, said that although access to the data is protected by a password, the data were not encrypted, which is a violation of written company policies. MacMillan said the company does not believe that the thief knew about the information contained on the laptop and thinks that it is unlikely any of the information will be accessed or used fraudulently. (registration req'd) http://www.nytimes.com/2006/01/25/business/25cnd-data.html

.From EduPage, January 25, 2006.

Latest Can-Spam Violator Faces 25 Years
Internet News, 24 January 2006

A California man has pleaded guilty to using computer "bots" to surreptitiously take control of 400,000 computers, which were used to distribute adware, spyware, and other unwanted computer code. Jeanson James Ancheta, 20, admitted to earning more than $60,000 from using the illicit system of computers and renting the system to others who used them to launch their own malicious attacks. Ancheta's actions were in violation of the federal CAN-SPAM Act, and they also caused damage to computers at the U.S. Naval Air Warfare Center and the Defense Information Systems Agency. As part of his plea agreement, Ancheta will forfeit $60,000 in cash, a BMW, and computer equipment. He will also pay $15,000 toward damages to federal computers and face a sentence of up to 25 years in prison for his actions. http://www.internetnews.com/security/article.php/3579591

.From ACM's TechNews, January 23, 2006.

"Computer Crime Costs $67 Billion, FBI Says"
CNet (01/19/06); Evers, Joris

Computer security incidents cost companies $24,000 on average, based on a recent FBI survey of 2,066 organizations. The FBI found that 64 percent, or 1,324 respondents, say they have experienced a financial loss from computer security incidents over a 12-month time frame with the total cost for those surveyed hitting $32 million. Companies older than three years, with more than five employees, and more than $1 million in revenue that are located in Iowa, Nebraska, New York, and Texas participated in the survey. "This would be 2.8 million U.S. organizations experiencing at least one computer security incident," states the 2005 FBI Computer Crime Survey. "With each of these 2.8 million organizations incurring a $24,000 average loss, this would total $67.2 billion per year." Javelin Strategy & Research says identity fraud in the U.S. cost Americans $52.6 billion in 2004 alone, while the U.S. Secret Service estimates that telecommunication fraud losses are only $1 billion a year. Worms, viruses, and Trojan horses ranked as the most expensive security threats to fix, followed by computer theft, financial fraud, and network intrusion, according to survey results. Nearly $12 million was spent to cope with virus-related incidents, $3.2 million on theft, $2.8 million on financial fraud, and $2.7 million on network intrusions, according to survey respondents. Antivirus software was listed as the most popular form of security products used, with 98.2 percent saying they used it, followed closely by firewalls with 90.7 percent, and anti-spyware and anti-spam used by 75 percent. Click Here to View Full Article

.From ACM's TechNews, January 20, 2006.

"Indo-U.S. Cooperation to Tackle Cyber Crime"
Cyber India Online (01/18/06)

The Confederation of Indian Industry (CII) and its U.S. counterpart recently announced their decision to set up an India Information Sharing and Analysis Center (ISAC) and an India-Bot Alliance in an effort to increase awareness of new cyberspace threats at the third Plenary of the Indo-U.S. Cyber Security Forum, which was attended by representatives from both sides. CERT-In and the U.S. National Cyber Security Division will share information on artifact analysis and network traffic analysis and exchange threat information. The R&D Working Group will focus its attention on issues relating to cybersecurity, cyber forensics, and anti-spam research. Vijay K. Nambiar, the deputy national security advisor, says the Indo-U.S. relationship is now a strategic partnership and that more attention needs to be brought to developing better information security practices due to the increase of IT Enabled Services (ITES) trade between both countries. The Indo-U.S. Cyber Security Forum is currently working on these issues via its Joint Working Groups, according to Nambiar. Several Indo-U.S. seminars, workshops, and expert-level discussions are being planned in the near future. Deputy Assistant Secretary of State Michael Coulter led the U.S. delegation, while National Security Council Secretariat joint secretary Arvind Gupta led the Indian delegation. Coulter says that during the past three years the Indo-U.S. Cyber Security Forum has grown from philosophy to a more action-themed agenda on ways to protect network information systems. Click Here to View Full Article

"Inside India"
InformationWeek (01/16/06) No. 1072, P. 38; Ricadela, Aaron

Entrepreneurs are molding India into a high-tech economic powerhouse characterized by abundant talent and cheap labor, but fueling growth and prosperity when faced with social turmoil, widespread illiteracy, wage inflation, poor travel conditions, and the investments needed to turn tech graduates into superior professionals represents a major challenge. Tech startups in India must struggle to survive in the shadow of ever-expanding companies such as Tata Consultancy Services, Wipro Technologies, and Infosys, and this problem is compounded by the scarcity of facilities and amenities. Infosys, for example, boasts a well-maintained campus in Bangalore equipped with the latest software, cell phones, and other accessories, while perks such as an on-site gym, swimming pools, library, and game rooms are available to employees. Yet even Infosys chafes against Bangalore's poor infrastructure, which has a negative effect on productivity and business. But the business opportunity in India is undeniable: Infosys CEO Nandan Nilekani notes that Indian consumers bought some 5 million PCs, 70 million cell phones, and 4 million DVD players last year. Although Indian universities turn out around 400,000 tech grads annually by the National Association of Software and Service Companies' estimates, McKinsey & Co. reports that only a quarter of those grads are ready for employment; in the meantime, wages are increasing 10 percent to 15 percent a year in India's IT sector, according to a Nasscom study. Reasons given for grads' lack of readiness include poor faculty at new schools whose training programs range far below those of India's premier universities. Perhaps the biggest challenge for Indian businesses is enabling innovation within the country that also benefits the country. Click Here to View Full Article

.From ACM's TechNews, November 18, 2005.

"It Takes a Hacker to Catch One"
InformationWeek (11/14/05) No. 1064, P. 70; Greenemeier, Larry

Thinking like a criminal may actually lead to catching one, according to several companies that are now training IT professionals to take a hands-on approach to learning security in the fight against hackers. Two commonly used attacker techniques are the reverse shell, in which a compromised program is made to open a connection back to the attacker and hand over a command prompt, and the reuse of other hackers' "fuzzers," tools that feed a program malformed input in order to find weak spots in its code. Prime View has implemented "Hacking-Defined Training," a 10-day class designed to teach laid-off IT workers how to write exploit code and hack computers. "Technology itself will not stop a hacker," says Mati Aharoni, lead penetration tester for See Security Technologies, and instructor for the class. "Instead, you have to use induction to understand what it takes to secure a network." Aharoni teaches students how to search for bugs, the components of a basic hack, and how to use exploit code. Bessalel Yarjovski, a student in the class, hopes the course will provide an edge to getting a job as a chief information security officer. "The class is opening my eyes not to new technology but to how easy it is to do these exploits and how many there are," says Yarjovski. Aharoni suggests network security can be improved by writing programs that control the type and amount of data that users input, so hackers cannot add too many characters, and by improving QA testing after a program is written by applying hacking-defined methods to the code. Click Here to View Full Article
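The two points Aharoni makes at the end, bounding the type and amount of input a program accepts and testing it with attacker methods, fit together: a fuzzer is how you find the parser that forgot to bound its input. The example below is added here and is not code from the article or from the training course; the order-line format, the field limits MAX_NAME and MAX_LINE, and the seed corpus are all constructed for illustration. It shows a small mutation fuzzer run against a parser written without input controls and against the same parser with them.

```python
import random
import string

MAX_NAME = 32          # assumed limit on the name field (not from the article)
MAX_LINE = 64          # assumed limit on the whole input line


def parse_order_weak(line):
    """Parser as it might look before 'hacking-defined' QA: no field-count
    check and no limit on how many characters a field may hold."""
    fields = line.split(",")
    return {"name": fields[0], "qty": int(fields[1])}


def parse_order_hardened(line):
    """Same contract, but the parser controls the type and amount of input:
    every malformed line is rejected with ValueError and nothing else escapes."""
    if len(line) > MAX_LINE:
        raise ValueError("line too long")
    fields = line.split(",")
    if len(fields) != 2:
        raise ValueError("expected exactly two fields")
    name, qty = fields
    if not (1 <= len(name) <= MAX_NAME) or not name.isalnum():
        raise ValueError("bad name")
    if not (1 <= len(qty) <= 6) or not qty.isdigit():
        raise ValueError("bad quantity")
    return {"name": name, "qty": int(qty)}


def mutate(sample, rng):
    """One random mutation of a sample: delete, insert, repeat a slice, or truncate."""
    alphabet = string.printable + "\x00\xff"
    choice = rng.randrange(4)
    if choice == 0 and sample:                       # delete a character
        i = rng.randrange(len(sample))
        return sample[:i] + sample[i + 1:]
    if choice == 1:                                  # insert a random character
        i = rng.randrange(len(sample) + 1)
        return sample[:i] + rng.choice(alphabet) + sample[i:]
    if choice == 2 and sample:                       # repeat a tail slice many times
        i = rng.randrange(len(sample))
        return sample[:i] + sample[i:] * rng.randrange(2, 50)
    return sample[: rng.randrange(len(sample) + 1)]  # truncate


def fuzz(parser, seeds, rounds=500, seed=1):
    """Feed the parser its seed corpus plus random mutations of it.
    A finding is any exception other than the contractual ValueError, or an
    accepted result whose name field is longer than MAX_NAME."""
    rng = random.Random(seed)
    corpus = list(seeds)
    for _ in range(rounds):
        corpus.append(mutate(rng.choice(seeds), rng))
    findings = []
    for line in corpus:
        try:
            result = parser(line)
        except ValueError:
            continue                                 # rejected cleanly: fine
        except Exception as exc:                     # crash: a bug worth a ticket
            findings.append((line, type(exc).__name__))
            continue
        if len(result["name"]) > MAX_NAME:
            findings.append((line, "oversize name accepted"))
    return findings


# Constructed seed corpus: valid lines plus boundary cases a fuzzer should start from.
SEEDS = ["widget,3", "bolt,120", "", ",", "widget", "a" * 10000 + ",1"]

if __name__ == "__main__":
    print("weak parser findings:", len(fuzz(parse_order_weak, SEEDS)))
    print("hardened parser findings:", len(fuzz(parse_order_hardened, SEEDS)))
```

The weak parser is caught twice over: an input with no comma raises IndexError instead of the documented ValueError, and a 10,000-character name is accepted without complaint. The hardened version turns both into clean rejections, which is the whole of what "controlling the type and amount of data" means in code.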

. From EduPage, November 2, 2005

DOS Attacks Okay In Britain
ZDNet, 2 November 2005

A British court has acquitted a teenager of unauthorized data modification and tampering with systems, charges stemming from a denial-of-service (DOS) attack that he allegedly launched against a former employer. The teen was charged under a section of the Computer Misuse Act (CMA), which was enacted in 1990. In the end, the trial hinged on the question of whether DOS attacks are a crime under the CMA, not on whether the attack had taken place. District Judge Kenneth Grant ruled that because the CMA does not specifically address DOS attacks, the actions of the defendant cannot be considered as violating any British law. Many in the United Kingdom have called for an update of the CMA to reflect changes in the past 15 years, and this ruling will add fuel to the fire for such revision. http://news.zdnet.com/2100-1009_22-5928471.html

.From New York Times, November 1, 2005

Data Security Laws Seem Likely, So Consumers and Businesses Vie to Shape Them
By Tom Zeller Jr.

It has been a bad year for data security. In response, more than a dozen bills have been introduced in Congress this year. Read the article

.From ACM's TechNews, October 31, 2005

"White House Urged to Make Cybersecurity a Priority"
GovExec.com (10/27/05); Belopotosky, Danielle

Cyber Security Industry Alliance executive director Paul Kurtz, speaking to a House Armed Services subcommittee on Thursday, called for a presidential directive making cybersecurity a top Bush administration objective and encouraging more coordination among the military and the private sector. Kurtz said, "We need a national policy to secure cyberspace." Others testifying before the committee argued that the current approach to cybersecurity is ineffective because it lacks research funding, has a shortage of suitable researchers, relies too much on vulnerable commercial software and hardware, and does not encourage coordination with other sectors. Purdue University Center for Education and Research in Information Assurance and Security executive director and professor Eugene Spafford lamented the use of commercial software and hardware, because most manufacturers of such products rely on patches, or quick fixes, to correct vulnerabilities rather than securing vulnerabilities before release. Spafford believes a holistic view is the only way to prevent and effectively respond to a catastrophic cyber attack, which could affect the electric power grid as well as the telecommunications infrastructure. Spafford says, "These systems are interconnected, and we need to protect all of them." Intel's David Grawrock said more certified security professionals are needed. He said, "The number of professionals in the field seems to be shrinking and not expanding." Click Here to View Full Article

"IBM Researchers Take Axe to Computer Security"
IDG News Service (10/28/05); McMillan, Robert

IBM's Assured Execution Environment (Axe) project was the creation of Amit Singh, who set about looking for ways to simplify security in light of the recognition that the operational effectiveness of a PC was being curtailed by the cluttered multitude of security and management software. The program loads the Axe runtime software into the kernel each time the PC is turned on, regulating the software that runs on the operating system and ensuring that only authorized code executes. Unlike antivirus software, which recognizes known bad code, Axe blocks any code that was not prepared in a format compatible with Axe, which is almost impossible for authors of spyware and viruses to achieve, according to IBM's researchers. Axe is compatible with both the Windows and Mac OS kernels, and can be used to render data unreadable or shield Word or PowerPoint documents from unwanted viewers. Implementing Axe is not an all-or-nothing proposition, as users can configure it to allow unknown code to run if they approve it, or create a virtual environment to run it where it can do no harm. The Axe approach of creating a "whitelist" of preapproved programs will likely become more commonplace as the body of conventional antivirus software becomes too cumbersome to be practical, though some are concerned about the time-consuming re-registration process that could be necessary each time a software update is released. Axe will probably enjoy the most widespread use in applications where users do not need all of the functionality of their operating systems, such as point-of-sale or stock-trading machines. Click Here to View Full Article
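The re-registration concern in the last paragraph is easiest to see in code. The example below is added here and is not IBM's code; the article does not say how Axe identifies authorized programs, so this models the simplest form of an execution allow-list, one keyed on a SHA-256 digest of the program image, together with the three treatments of unknown code the article mentions (block, prompt the user, or run in an isolated environment). The program images are constructed byte strings.

```python
import hashlib


class AllowList:
    """Execution policy keyed on the SHA-256 of the program image.
    Assumed mechanism for illustration; not the Axe implementation."""

    POLICIES = ("block", "prompt", "sandbox")

    def __init__(self, unknown_policy="block"):
        # What to do with code whose digest is not registered:
        # "block" refuses it, "prompt" asks the user, "sandbox" runs it isolated.
        if unknown_policy not in self.POLICIES:
            raise ValueError("unknown_policy must be one of %s" % (self.POLICIES,))
        self.unknown_policy = unknown_policy
        self._approved = {}            # digest -> program name

    @staticmethod
    def digest(image):
        return hashlib.sha256(image).hexdigest()

    def register(self, name, image):
        """Pre-approve one exact build of a program."""
        self._approved[self.digest(image)] = name

    def decide(self, image):
        """Return 'run' for approved code, else the configured unknown-code action."""
        if self.digest(image) in self._approved:
            return "run"
        return self.unknown_policy


def count_reregistrations(allowlist, name, versions):
    """Walk a program through successive builds and count how often an
    administrator must re-register it before it is allowed to run again."""
    count = 0
    for image in versions:
        if allowlist.decide(image) != "run":
            allowlist.register(name, image)
            count += 1
    return count


# Constructed stand-ins for program images; any byte change yields a new digest.
EDITOR_V1 = b"editor binary v1.0"
EDITOR_V2 = b"editor binary v1.1"      # a routine update: one byte differs
DROPPER = b"unsolicited toolbar installer"

if __name__ == "__main__":
    policy = AllowList(unknown_policy="block")
    policy.register("editor", EDITOR_V1)
    print(policy.decide(EDITOR_V1))    # run
    print(policy.decide(DROPPER))      # block
    print(policy.decide(EDITOR_V2))    # block: the update is unknown until re-registered
```

A single-byte update produces a digest the policy has never seen, so the updated editor is treated exactly like the dropper until someone registers it. That is the operational cost the article's critics point to, and it is why fixed-function machines such as point-of-sale terminals, where the software set rarely changes, are the natural first home for this approach.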

"Deciphering the World of Crypto"
Network World (10/24/05) Vol. 22, No. 42, P. 1; Messmer, Ellen

The Internet Engineering Task Force (IETF) has turned its attention toward standards for cryptographic algorithms such as Triple-DES and AES. IETF does not research and test cryptographic algorithms, leaving those tasks to government organizations with the counsel of outside experts, though the group ensures that only secure algorithms find their way into its protocols. IETF is also evaluating standards from other countries, such as Russia, Japan, and South Korea, and has already awarded RFCs to South Korea's SEED and Russia's GOST. SEED has enjoyed use in VPN applications and digital rights management. GOST is Russia's national standard, but was recently modified to enhance its interoperability, though many view the Soviet-era algorithm as archaic, despite the fact that it has yet to be broken. Russia is applying GOST to the public-key infrastructure project at its National Treasury to address document encryption and signing. GOST is currently being considered for inclusion in OpenPGP. IETF standardization is widely viewed as helping an algorithm gain popularity, as well as improving its interoperability by fleshing out its technical specification. Click Here to View Full Article

. From EduPage, October 31, 2005

NIH Exposes Applicant Data
31 October 2005 (sub. req'd)

Following a story last week in the journal "Science," the National Institutes of Health (NIH) acknowledged that information included in grant applications submitted to the agency had been inadvertently exposed online. According to the NIH, an individual who was reviewing the applications downloaded them in such a way that they were indexed by Google and were available on its site. The NIH did not say how many applications were exposed, nor did it comment on how it is dealing with the incident. The NIH said it has changed procedures to prevent such an incident from happening again. Representatives from "Science," which put the number of exposed applications at 140, accused the NIH of being slow to notify affected applicants and to provide them with specifics about when their data were exposed. The incident raises concerns about an NIH plan to migrate to an entirely online application process by 2007, a move designed to save money and streamline the application process. Chronicle of Higher Education, http://chronicle.com/daily/2005/10/2005103103n.htm

Bill Addresses Security Of Patient Records
Federal Computer Week, 28 October 2005

Rep. Nancy Johnson (R-Conn.) has introduced a bill in Congress designed to create federal standards for the protection of personal information that might be included in a national health information network. Currently, such information is subject to varying state laws, and this lack of consistency would likely be a significant roadblock to any national database of health-related data. Among the bill's provisions, it would create the position of National Coordinator of Health IT, require the Department of Health and Human Services to use consistent coding for medical procedures, and allow the distribution of technologies that would help reduce paperwork and permit the electronic exchange of information among health care providers. The e-Health Initiative, the American Health Information Management Association, and the Federation of American Hospitals are among the supporters of Johnson's bill. Other bills addressing similar issues have been introduced, but Johnson's bill might have an easier path through Congress because she is chair of the health subcommittee of the House Ways and Means Committee. http://govhealthit.com/article91233-10-28-05-Web

Banks To Upgrade Online Security
Wired News, 30 October 2005

Responding to an order from federal regulators, U.S. banks have begun employing "two-factor" authentication, which must be in use by all banking institutions by the end of 2006. Credit card companies have for years used various types of authentication that go beyond passwords, but because losses to fraud in the banking industry have been less than the cost of implementing such measures, most online banking transactions still require only a name and a password. In October, the Federal Financial Institutions Examination Council, which includes regulators from groups such as the Federal Reserve and the Federal Deposit Insurance Corporation, said that banks must improve their online security by the end of 2006. Regulators will monitor banks' efforts through periodic inspections. Two-factor strategies work by combining one credential, such as a password, with a second factor of a different kind. The other factor might be a hardware token that displays an additional code, software that generates one-time passwords, or a check on where a user request originates. If, for example, a user logs in from the United States one day and Europe the next, the system might ask for further evidence of identity before allowing any transactions. http://www.wired.com/news/business/0,1367,69418,00.html
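The paragraph names two of the second factors banks were adopting: one-time passwords and a check on where the request comes from. The example below is added here and is not from the Wired article or any bank; it implements one-time passwords as HOTP (RFC 4226, HMAC-SHA1 over a counter), which is one standard way to generate them, and pairs that with the country-change step-up check the paragraph describes. The account record, the LOOK_AHEAD window, and the plain SHA-256 password hash are assumptions for illustration; a real deployment would use a slow password hash and a policy for re-synchronizing tokens.

```python
import hashlib
import hmac

LOOK_AHEAD = 3    # assumed: tolerate a token button pressed a few times without a login


def hotp(secret, counter, digits=6):
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Constructed server-side record: password hash, token secret,
    the next counter the server expects, and the last country seen."""

    def __init__(self, password, token_secret, home_country):
        # Illustrative only: a production system would use a slow KDF here.
        self.password_hash = hashlib.sha256(password.encode()).digest()
        self.token_secret = token_secret
        self.counter = 0
        self.last_country = home_country


def authenticate(account, password, otp, country):
    """Return 'deny', 'step_up' or 'ok'.

    First factor: the password. Second factor: an HOTP code within the
    look-ahead window, consumed on success so it cannot be replayed.
    Finally the origin check: a different country than last time means
    the bank asks for further evidence before allowing transactions."""
    offered = hashlib.sha256(password.encode()).digest()
    if not hmac.compare_digest(offered, account.password_hash):
        return "deny"
    for c in range(account.counter, account.counter + LOOK_AHEAD + 1):
        if hmac.compare_digest(hotp(account.token_secret, c), otp):
            account.counter = c + 1          # consume this and any skipped codes
            break
    else:
        return "deny"
    if country != account.last_country:
        return "step_up"
    return "ok"


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; the first code it yields is 755224.
    secret = b"12345678901234567890"
    acct = Account("correct horse", secret, "US")
    print(authenticate(acct, "correct horse", hotp(secret, 0), "US"))   # ok
    print(authenticate(acct, "correct horse", hotp(secret, 0), "US"))   # deny (replay)
    print(authenticate(acct, "correct horse", hotp(secret, 1), "FR"))   # step_up
```

Two details matter in practice and are easy to get wrong: the server must advance its counter past any code it accepts, or the same one-time password works twice, and both comparisons use hmac.compare_digest so that a wrong guess does not leak how many leading digits were right through timing.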

Insuring Open Source
ZDNet, 31 October 2005

Using open source software exposes organizations to a number of risks not typically encountered with proprietary software, and a group of companies is now offering policies to address that risk. Kiln Risk Solutions, which is a division of Lloyd's of London, is working with Miller Insurance Services and Open Source Risk Management to provide coverage for the kinds of claims that have been seen in recent years over open source technologies. Claims concern issues such as copyright, whether proprietary code is included in an open source application, and failure to meet the terms of open source licenses. Linux operating systems, for example, fall under something known as the General Public License, and organizations using Linux must follow the terms of that license. In some cases, the new policies being offered for open source might cover the costs of bringing code into compliance with applicable licenses. http://news.zdnet.com/2100-3513_22-5924112.html

. From EduPage, October 28, 2005

Anti-Spyware Coalition Releases Guidelines
CNET, 27 October 2005

The Anti-Spyware Coalition has released a definition of what constitutes spyware, as well as guidelines for dealing with spyware. The group's definition says that spyware is an application installed without sufficient consent of the user and that interferes with the user's ability to exert control over such things as security, privacy and personal information, and system resources. Critics had cautioned that a definition of spyware would allow developers of unwanted software to simply sidestep the characteristics included in the definition, thereby legitimizing their applications. The Anti-Spyware Coalition said it understands that concern and drafted a definition with enough latitude to avoid that problem. The group also identified good practices for how organizations should identify and prevent spyware. Included in the resources is guidance on how to rate the severity of particular spyware applications. The group will accept public comments on the newly released documents until November 27 and will release final versions in early 2006. http://news.com.com/2100-7348_3-5918113.html

.From ACM's Tech News, October 28, 2005

"Privacy Survey Puts Online Policies to the Test"
The Privacy Place (10/28/05) Antón, Annie

The Privacy Place, a three-year-old Web site created by privacy researchers to make information about policy issues available to policy makers, software developers, and citizens, is conducting an online survey to test customer knowledge and comprehension of corporate privacy policies. The site is sponsored by the National Science Foundation and North Carolina State University, and is a research affiliate of Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS), the largest university information security center in the U.S. The online survey focuses on privacy policies and user values. A scenario is established for participants, who are asked to imagine they are considering buying medication from an online pharmacy (BrandX) that requires them to provide personally identifiable information. Participants are given BrandX's privacy policy to read, or not, and then proceed with the survey. Researchers expect the results will yield valuable information about how privacy policies are expressed and how well users comprehend them. The group is looking for volunteers to participate in the survey, which should take 5-10 minutes to complete. Click Here to View Full Article

"The Arms Race"
Economist (10/20/05) Vol. 377, No. 8449, P. 6

Intellectual property is now regarded as a business asset throughout the tech sector, and this is fueling a surge in patents and patent enforcement as tech companies seek out royalties. The trend adds to the difficulty of creating new products without unintentionally infringing other patents, raising costs, and increasing the risk of dubious lawsuits. The growth of patents has paralleled that of R&D spending, and the rise in software patents is partly responsible for the increased probability that research will generate patents. Yet economic studies indicate that only about 5 percent of patents ultimately have value, and most patent-generated income comes from a mere smattering of authentically valuable patents; a 2000 report from America's National Bureau for Economic Research also found that secrecy, speed to market, and complementary manufacturing, sales, or service were more effective in shielding innovation than patents. A former search-engine company executive says patent infringement among all the major search firms is unavoidable, so the companies' intellectual-property strategies are geared to maintain a balance of power. ARM's Tudor Brown discourages companies that wish to focus exclusively on the licensing of intellectual property, and says licensing does not yield any significant returns without products or services to complement it. Microsoft's decision to reorganize its approach around innovation and patents has sparked fears that the company intends to wield intellectual property as a weapon against competition by essentially charging an "interconnection fee" to rivals so that their software can interoperate with Microsoft's. Patent-system critics say this signifies a swing that excessively favors intellectual-property holders. Click Here to View Full Article




Page Owner: Professor Sauter (Vicki.Sauter@umsl.edu)
© Vicki L. Sauter. All rights Reserved.