Spam and Related Technologies Blog

This site has been created to log references to spam and related technology issues.
If you have any suggested additions, please contact me.



From New York Times, October 23, 2005

Colleges Protest Call to Upgrade Online Systems
By Sam Dillon And Stephen Labaton

A U.S. order aimed at facilitating court-ordered monitoring of Internet activity could cost billions, opponents say.

From ACM's TechNews, October 21, 2005

"Sue Companies, Not Coders"
Wired News (10/20/05); Schneier, Bruce

While some have called for holding individual programmers accountable for security vulnerabilities in the code they write, a more sensible approach would place the responsibility on their employers, writes Counterpane Internet Security CTO Bruce Schneier. The reason for this is incentive, the same engine that drives all economic activity. If businesses see a financial disincentive for taking the time to ensure that their programs are of the highest quality, they are unlikely to do so. The preponderance of poor software speaks to the decision they have made, namely, that it is more profitable to suffer an occasional spate of bad publicity and short-term loss of sales than it is to invest in the extra programmers and extend the time-to-market to ensure consistently secure software. For consumers, proprietary formats, compatibility issues, and software monopolies make it difficult to exercise a conscious preference for secure software, thereby perpetuating the cycle of insecure products of poor quality foisted on them. Opening up software manufacturers to liability for insecure products would quickly reverse that trend, as they would have to shoulder the entire cost of a poor design, which clearly would be to their economic disadvantage. While some of the higher production costs of more secure software would inevitably be passed on to the consumer, they would be no higher than the costs associated with using software rife with vulnerabilities.

"Mother Nature's Storms Postpone DHS' Cyber Storm"
Washington Technology (10/19/05); Dizard III, Wilson P.

Originally scheduled for November 2005, the Homeland Security Department's (DHS) virtual cyberattack on the United States exercise, known as Cyber Storm, will occur in February 2006 due to resource demands and infrastructure damage related to recent hurricanes in the Gulf Coast region, according to DHS' Michelle Petrovich. The delay of Cyber Storm was requested by the electric utility industry in order to provide them with more time to repair their infrastructure networks, said University of Southern California computer scientist Terry Benzel, whose DETER Internet test bed project is part of Cyber Storm. The inter-agency exercise will test the response to a combined attack involving an Internet-based assault on both the financial sector and the power grid as well as physical attacks.

From ACM's TechNews, October 17, 2005

"At Microsoft, Interlopers Sound off on Security"
New York Times (10/17/05) P. C1; Markoff, John

Microsoft recently held its second Blue Hat conference, where a small group of independent security researchers is invited to the company's Redmond, Wash., headquarters to share details of their work exposing vulnerabilities in Microsoft's programs. The conference, held last week, comes after a year of intense focus on security that has signaled a clear shift in Microsoft's priorities. The hackers in attendance identified the manner in which Windows operating systems address peripherals, and the forthcoming Xbox 360, as specific targets for hackers. The Blue Hat gathering marks an about-face in the way Microsoft views the hacker community. The Blaster and Slammer worms fundamentally altered Microsoft's position toward security, as they began to compromise the company's stature in the eyes of customers. The white hat hacker community has taken notice of Microsoft's efforts to improve security, and has been largely receptive to the software giant's overtures, though many warn that security could be just entering a new era with the growing use of mobile devices. The widespread, scattershot attacks such as Blaster will also likely become a thing of the past, as profit is now the motive for more precise, targeted attacks, rather than Web-wide assaults designed solely to create chaos. Microsoft has been using a technique known as fuzzing in the development of its software, where tens of thousands of input combinations are tested automatically in the search for flaws. According to company officials, Microsoft has significantly reduced the number of security bulletins it has issued in the last few years.

"US Still World's Top Spammer"
IDG News Service (10/13/05); McMillan, Robert

In a recent report, security vendor Sophos determined that about 26 percent of worldwide spam originated within the United States, which is down from 42 percent in 2004. The reason for the drop, according to Sophos senior technology consultant Graham Cluley, is more effective prevention methods by ISPs and the work of antispam task forces. Meanwhile, spammers are focusing on the growing broadband connections in South Korea and China, with the amount of spam originating in South Korea up 8 percent from 2004 to 2005 and the amount in China up 7 percent, according to Cluley, who points out that the total amount of spam remained the same between the two years. Spamhaus Project volunteer John Reid asserts that one way to significantly decrease spam is for ISPs to prohibit almost all of their users from running servers on the Internet standard port 25. Reid believes the policy would not affect the vast majority of non-spammers and points to previous attempts in Canada as proof that the method works.

From ACM's TechNews, October 14, 2005

"Developers 'Should Be Accountable' for Security Holes"
ZDNet UK (10/12/05); Espiner, Tom

Former White House cybersecurity advisor Howard Schmidt and the British Computer Society (BCS) disagreed at Secure London 2005 on who should be accountable for the security of code. Schmidt said software developers should be held accountable for the code they write, while the BCS said companies should be responsible rather than their developers. "I know a lot of developers who would be very uncomfortable with that level of accountability, especially if that were legal accountability," says a spokesperson for the BCS. The spokesperson also noted that code is not static and can be altered after it has been purchased, that security attacks often occur because the latest patch or system has not been installed, and that buyers need to make sure their vendor uses its own security product. Schmidt, currently president and chief executive of R&H Security Consulting, believes many software developers lack skills in writing secure code and need better training. "Most university courses traditionally focused on usability, scalability, and manageability, not security," he said. He also cited a Microsoft survey that said 64 percent of software developers lacked confidence in their ability to write secure applications.

From ACM's TechNews, October 7, 2005

"Nematodes: The Making of 'Beneficial' Network Worms"
eWeek (10/05/05); Naraine, Ryan

At the recent Hack In the Box event in Malaysia, security researcher Dave Aitel showed off a demo of a "Nematode" framework for creating a benign computer worm that he believes organizations will employ to reduce the costs of network security. "With this [Nematode] concept, you can take advantage of automating technologies to get protection for pennies on the dollar," he said. Aitel said the nematodes or nonmalicious worms can be automatically generated from available vulnerability data, and he envisions a time when ISPs, large companies, and government organizations deploy "strictly controlled" nematodes to make security more cost-efficient. Aitel's concept involves the employment of servers or "Nematokens" that only respond to requests from networks cleared for assaults, and the Nematode Intermediate Language (NIL), a programming language for creating the worms. Exploits can be rapidly and simply converted into nematodes through use of the NIL. Prior to his current stint at the Immunity security firm, Aitel worked as a computer scientist at the National Security Agency and then as a code-breaker for @Stake. The commercial technology that enables networks to protect themselves automatically with automated technologies will be available within five years, Aitel reckons.

"The Sky Really Is Falling"
CIO (10/01/05) Vol. 19, No. 1, P. 80; Worthen, Ben

Co-chairman of the President's Information Technology Advisory Committee (PITAC) Ed Lazowska says inaction is the order of the day among government, CIOs, and vendors as far as cybersecurity is concerned. He accuses the Bush administration of undervaluing science, engineering, education, and research, which means that CIOs will be prevented from purchasing desperately needed cybersecurity products unless they pressure the government as well as pay for cutting-edge products as a demonstration of their commitment to cybersecurity. Lazowska says an attack on the nation's IT infrastructure could have serious ramifications for its critical infrastructure, while the military's dependence on commercial vendors for most of its hardware and software makes it highly vulnerable to cyberattacks as well. He cites a PITAC study that singles out three federal agencies as particularly deplorable in terms of cybersecurity funding: The Homeland Security Department, which currently commits a mere $18 million of its approximately $1 billion annual science and technology budget to cybersecurity; the Defense Advanced Research Projects Agency, whose investment in mainly classified cybersecurity programs shuts the door to premier academic researchers and yields products of little immediate value to commercial IT systems; and the National Science Foundation, which could only fund a small portion of its Cyber Trust program. Lazowska says current cybersecurity efforts are all about "Band-Aid" solutions, when what should be developed are new system architectures with long-term applications, static and dynamic vulnerability detection tools, programming languages with basic security functionality, and methods for building trusted software systems from diverse elements.

From EduPage, October 5, 2005

Research Project Will Track Network Attacks
Chronicle of Higher Education, 4 October 2005 (sub. req'd)

A research project will collect regular snapshots of computer networks from as many as 10 colleges and universities in an effort to improve protections from and responses to Internet attacks. The Information Security in Academic Institutions project, an initiative of the Columbia University Teachers College, uses monitoring technology called DShield and has already been tested at three institutions. The other institutions in the project have yet to be named, and the system may eventually be widely available. The system will give network administrators data about the state of networks, allowing them to gain a better understanding of Internet attacks by comparing data from before, during, and after an attack. Steffani A. Burd, executive director of the project, described it as "a 360-degree view of what's going on." The system will also pool data collected from participating institutions and make it available anonymously on the Web. This aggregation of data will allow a comparison between activity on the Internet generally and what's happening at campuses. http://chronicle.com/daily/2005/10/2005100401t.htm

California Passes Anti-Phishing Law
InformationWeek, 3 October 2005

A tough new anti-phishing law makes California the first state to pass legislation targeting that particular brand of online scam. The Anti-Phishing Act of 2005 makes it a crime to use "the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business." Identifying information includes Social Security numbers, credit card numbers, passwords, PINs, and other information that can be used to steal from individuals. Those found guilty of phishing are subject to fines of $2,500 per violation, as well as damages to victims of either actual losses or $500,000, whichever is greater. http://informationweek.com/story/showArticle.jhtml?articleID=171202672

FTC Sues For Alleged Spyware
MSNBC, 5 October 2005

The Federal Trade Commission (FTC) has sued Odysseus Marketing, accusing the company of distributing spyware. Odysseus distributed an application called Kazanon, which supposedly allowed users to trade files anonymously, without fear of being identified by record companies. According to the FTC, users who downloaded the application also got a range of adware programs that fed advertisements to those users' computers and added items to the search results pages of popular search engines, including Google and Yahoo. The added items, which were indistinguishable from those supplied by the search engine, directed users to companies that paid Odysseus for the placement. Further, the software did not offer users a simple option to uninstall it. Walter Rines, owner of Odysseus, disputed all of the FTC's claims. He noted that the user agreement informs consumers of what will be installed when they download the Kazanon program. He also said an uninstall tool is available and that his company's software did not remove any search results but merely added to the list. Rines also said the lawsuit was "moot" because his company stopped distributing adware several weeks ago. http://msnbc.msn.com/id/9598897/

From ACM's TechNews, October 5, 2005

"Text Hackers Could Jam Cellphones, a Study Says"
New York Times (10/05/05) P. C1; Schwartz, John

Metropolitan cell phone networks could be crippled by hackers who launch denial-of-service attacks against the phones' Internet-accessible text-messaging services, according to a study from Pennsylvania State University researchers. The study's lead researcher, computer science and engineering professor Patrick McDaniel, says hackers could hinder voice calls by clogging the control channel for cell phone calls with text messages. McDaniel and colleagues say they validated the feasibility of this scenario by demonstrating it on a small scale with their own cell phones, and their findings were corroborated by government regulators and phone company engineers. Cellular companies insist they have established deterrents to address the threat, though experts such as Cigital CTO Gary McGraw believe the solutions will likely be inelegant. The Penn State researchers' report cites the impracticality of severing the link between the phones' short messaging services and the Internet gateways, but suggests security could be added by restricting the message traffic that is fed into the network. Fencing in voice and data in next-generation cell phones to prevent traffic jams from blocking voice calls is another recommendation of the paper, which will be posted online and presented at the 12th ACM Conference on Computer and Communications Security (CCS'05) in November. Aviel D. Rubin, technical director of Johns Hopkins University's Information Security Institute, says, "Anytime a vulnerability in the physical world exists that can be exploited via computer programs running on the Internet, we have a recipe for disaster."

"Fortifying DOD's Network Defenses"
Federal Computer Week (09/26/05) Vol. 19, No. 33, P. 60; Tiboni, Frank

As attacks on Defense Department (DOD) computer networks increase, Purdue University computer science professor Eugene Spafford calls for the creation of a new generation of computer systems and security tools. However, such a project will require long-term research. Meanwhile, Spafford recommends six steps to better protect DOD computer networks: basing security purchases on effectiveness rather than cost; severely limiting access to computer systems; removing all unnecessary systems; narrowing the number of users that can add hardware and software to the networks; requiring training and supervision of all network users; and implementing network-monitoring practices. Spafford laments that the government is not currently funding the long-term cybersecurity research that is key to designing a new and highly effective network security system for federal agencies. Most security used to protect federal agency networks is designed for commercial use and not to protect highly sensitive data. SANS Institute research director Alan Paller says network security is not about implementing the latest security methods but more about preventing attacks up to 18 months in advance. An anonymous Defense Information Systems Agency official reports a change in DOD security that involves moving to a service-oriented architecture to facilitate data sharing among agencies as well as more effective IT services. Also, the new structure puts the Joint Task Force-Global Network Operations in charge of defending, operating, and maintaining the DOD's information infrastructure, according to the official, who says, "We have many challenges in synchronizing the many IT efforts and security for [networks] across [the DOD's] vast infrastructure."

"Are Attackers Winning the Arms Race?"
InfoWorld (09/26/05) Vol. 27, No. 39, P. 22; Grimes, Roger

The severity and speed of malware attacks, as well as the skill of those who orchestrate them, are increasing as hacking becomes more professional and profit-oriented. Forty-nine percent of 474 individuals surveyed in this year's InfoWorld Security Research Report said increasingly sophisticated cyberattacks represented the most serious security challenge their companies will face in the next 12 months, while 57% listed viruses as the top network security threat. Respondents noted that each had thwarted an average of 368 intrusions in the preceding 12 months, but an average of 44% of those attacks were successful. Malware's formerly stagnant nature is shifting toward a "mothership approach" in which a malicious program, once it has infected a computer, links to outside servers and downloads new instructions or programs. Hackers are designing worms that assemble bot networks of thousands of hijacked PCs, which are "rented out" to criminal businesses or organizations. A lot of present-day malware exploits patched and unpatched vulnerabilities in Internet browsers, while the interval between the announcement of a vulnerability and the emergence of an exploit is shrinking. The InfoWorld poll found that anti-spyware software and appliances will experience the biggest purchasing increases in the next year. Strong adoption continues for intrusion detection and intrusion prevention systems, and a greater number of administrators are enabling those products' blocking functionality.

From ACM's TechNews, October 3, 2005

"Microrobots Show Promise in IT, Security"
Dartmouth Online (NH) (09/28/05); Beale, Matt

Dartmouth researchers have developed the smallest mobile, untethered robot in the world after seven years of effort. The microrobot is a mere one-tenth the thickness of a single human hair, and can crawl like an inchworm and be steered without being connected to a power source. The device walks on a grid of electrodes that serve as both power supply and control mechanism, and it lacks wheels or joints because they are unworkable at such a tiny scale. The research team was awarded a grant by the Department of Homeland Security's Office of Domestic Preparedness to develop the microrobot for possible security applications such as identity verification and information protection. Dartmouth computer science graduate Igor Paprotny envisions a group of people who each carry a vial of microrobots as a means of identification. "They each spread some on a substrate and enter a PIN or something," he explains. "If we're all who we say we are, the microrobots assemble into a key, or message that, say, gives you the code to activate a nuclear weapon." The microrobot was created through cooperation between Dartmouth's computer science and engineering departments.

"The Global State of Information Security 2005"
CIO (09/15/05) Vol. 18, No. 23, P. 60; Berinato, Scott; Ware, Lorraine Cosgrove

Even as preventative security measures grow more sophisticated, the security industry remains loosely coordinated and decentralized, and struggles continually to keep up with the steady proliferation of threats. A recent study found that many security administrators are indifferent to government compliance regulations, and are often lax about risk management, as only 37 percent responded that they had in place an active security strategy. Much of the problem with cybersecurity is that the daily occurrence of multiple threats has administrators constantly scrambling to put out fires, leaving them with little time to formulate long-term strategies. Though information security remains overwhelmingly reactive, organizations are beginning to pay it more attention, as witnessed by the growing number of executive positions created to deal expressly with security. The results are tangible, as the higher up in the organization the security executive position is, the better the organization's security rating. Having high-level security executives in place also tends to align security more closely with the direction of the business. Still, companies with high-level security positions are outnumbered by those that have yet to elevate the role. Larger companies have very recently stepped up their monitoring of employees to rein in risky activities, such as instant messaging. There is also a widespread disregard for the Department of Homeland Security as a leader in cybersecurity. In dealing with government regulations, there is a pervasive ignorance about their scope and intention, as an alarmingly high number of respondents reported either that regulations do not apply to them, or that they are knowingly non-compliant. Though the number of incidents reported held steady, many of those surveyed were unsure of the extent of the damage. Similar uncertainty was reported when respondents were asked about the budgetary allotment reserved for security, and 16 percent were unsure if their security budgets would increase or decrease in the future.

From ACM's TechNews, September 26, 2005

"Basic Training for Anti-Hackers"
Chronicle of Higher Education (09/23/05) Vol. 52, No. 5, P. A41; Carnevale, Dan

The threat of terrorists penetrating computer networks and wreaking havoc prompted the creation of the Cyber Security Boot Camp, an intense 10-week summer program hosted by the U.S. Air Force and Syracuse University in which participating college students study and practice hacking so that they may learn how to defend against cyberattacks. Air Force Research Laboratory computer engineer Kamal Jabbour says the goal of the program goes far beyond making these cyber-defenders technically proficient: He wants them to become sensitive to the urgency of the threat in order to be decisive in action. Participants take cybersecurity courses that cover cryptography, steganography, network security, wireless security, and digital forensics. Students are required to analyze a security problem and present a solution in a detailed report each week, all the while conforming to a strict writing style. Participants also serve as interns with local companies and organizations in order to be exposed to real-world cybersecurity applications. The boot camp's high-pressure course load is complemented by adherence to stringent rules concerning housing, appearance, and physical fitness, which are laid out in a military regimen. The program climaxes with a hacking contest in which student teams penetrate their opponents' computers to capture virtual flags. Each team is divided into two groups--one dedicated to attacking rivals' systems and the other committed to defending their own system.

From EduPage, September 23, 2005

Congressmen To Ask For Review Of Higher Ed Antipiracy Efforts
Chronicle of Higher Education, 23 September 2005 (sub. req'd)

At a U.S. House of Representatives subcommittee meeting this week, lawmakers, campus officials, and representatives of the movie industry and of a provider of legal download services discussed efforts by U.S. colleges and universities to curtail copyright violations on their networks. Reps. Lamar Smith (R-Tex.) and Howard Berman (D-Calif.) said they will ask the Government Accountability Office to issue a formal report on what effects those efforts have had on student file-trading habits. According to Smith, "We will ask for the report so we can increase the scrutiny and increase the public attention to piracy." Also at the hearing, Norbert Dunkel, director of housing at the University of Florida, described his institution's use of an application called Icarus, which automatically restricts usage of the network for students who connect to P2P services. Dunkel said the tool, which the university developed, has led to a 95 percent reduction in outgoing traffic from the university's network and virtually eliminated notices of copyright infringement. Smith applauded the application, but Daniel Updegrove, vice president for information technology at the University of Texas at Austin, expressed concerns that such a blanket approach to the problem could limit the academic freedom and privacy of students. http://chronicle.com/daily/2005/09/2005092301t.htm

From ACM's TechNews, September 30, 2005

"Brazilians Blazing Trails With Internet Technology"
Knight-Ridder Wire Services (09/26/05); Chang, Jack

Despite crippling levels of poverty and violence, Brazil is home to some of the world's most innovative technology, and plays host to some of the most sophisticated hackers. Brazil often finds itself the locus of international debates over intellectual property rights and private media controls, and though it does not have in place the infrastructure that other developing nations do, Brazil has made significant advances in open access technology that place it at the forefront of the Third World. Brazil received a major economic boost when Google acquired the native firm Akwan Information Technologies and established an office in São Paulo. There is still a wide gulf between rich and poor in Brazil, and while its 22 million-plus residents with Internet access rank it in the top 10 worldwide, that number still only represents 12 percent of the population. Piracy is also a major issue, as roughly 60 percent of the software and 70 percent of the hardware in use in Brazil infringes on copyright laws; Brazil is also a notorious haven for cyber criminals, as it is estimated that approximately 80 percent of the world's hackers are based in Brazil. The country's emerging IT industry has reached the $10 billion mark in annual sales. The spirit of unfettered access has led to the widespread implementation of the Linux platform in government and private industry, along with a host of other open-source applications. Throughout Brazil, open access movements are seeking to provide free Internet capability to computer users, and its vibrant open-source community draws on innovation from all over the country to maintain Web sites, provide tech support, and develop new technologies.

"Anti-Spyware Gets HIP"
IT Architect (09/05) Vol. 20, No. 9, P. 61; Conry-Murray, Andrew

Anti-spyware software is expected to transition from threat-specific technologies to Host-based Intrusion Prevention Systems (HIPS) as vendors deploy proactive solutions that block new and unknown spyware programs from PCs. Such solutions are likely to be increasingly compelling for security architects as the development of spyware continues without respite and end users continue to install spyware-laden programs despite repeated warnings. Most anti-spyware programs use signatures and are only effective against programs that are already defined in the threat database, while the increasing difficulty of removing spyware once installed makes proactive prevention all the more urgent. Some vendors offer behavior-based spyware detection technologies that can thwart the installation of spyware on enterprise desktops without the use of signatures, although such solutions carry with them the risk of false positives. "The market is warming up to the notion that existing signature-based solutions aren't providing adequate malware prevention," says Finjan's Nick Sears. "Customers are looking to alternative solutions." Other anti-spyware options deliver protection at the network gateway by scanning incoming Web traffic for spyware and adware, preventing spyware on a PC from linking to a remote server on the Internet, and stopping end users from surfing to established sites for spyware or adware. However, none of the gateway products can protect mobile users outside the corporate environment.

"Destructive Power of Mobile Viruses Could Rise Fast, Experts Say"
IDG News Service (09/28/05); Nystedt, Dan

As the interconnectedness central to the dream of the digital home rapidly becomes a reality, a host of security and privacy concerns arises. The same Web cams that alert users to suspicious activity within their homes can also be used by hackers seeking to break in to determine if anyone is home. Internet connectivity is being incorporated into a growing number of devices that have not yet evolved to carry the same level of security as PCs and desktops. As attacks on traditional hardware become more sparse, the added functionality in mobile phones makes them a more popular target. The number of reported malware threats menacing mobile devices has grown to 87, up from fewer than 10 at the beginning of last year. Symbian is the most popular operating system for mobile phones in the world, and its Series 60 platform was the target of 82 of the reported viruses, though analysts are quick to point out that that proportion speaks more to the system's popularity than its vulnerability. Faster download speeds elevate the risk of a virus infecting and spreading throughout a mobile phone. It is projected that the threat against mobile devices will increase as more hackers recognize the potential vulnerabilities and turn their attention away from traditional attacks.

From ACM's TechNews, September 28, 2005

"Lawmaker Doesn't Rule Out Cybersecurity Regulation"
IDG News Service (09/27/05); Gross, Grant

The U.S. government and the private sector have not given cybersecurity adequate emphasis, said Rep. Dan Lungren (R-Calif.), speaking at a Sept. 26 cybersecurity policy forum hosted by Nortel Networks. Although his preference is for companies to voluntarily patch vulnerabilities, Lungren, chairman of the House Economic Security, Infrastructure Protection, and Cybersecurity Subcommittee, did not dismiss the possibility of the government imposing cybersecurity regulations, which he fears would "stifle the kind of innovation that's available to the private sector to come up with their own fixes." Lungren also said the government must gain a better comprehension of cybersecurity risk, especially as it pertains to Internet-powered supervisory control and data acquisition (SCADA) systems responsible for much of the country's critical infrastructure. He urged the government to make a stronger effort to anticipate cyberattacks, particularly those that threaten to cause the worst damage, and channel its resources into preventing such incidents. Nortel CEO Bill Owens noted at the same forum that the likelihood of cyberattacks will rise as increasing numbers of devices transmit information via Internet Protocol. Acting director of the Homeland Security Department's National Cybersecurity Division Andy Purdy claimed his agency is attempting to raise the profile of the cybersecurity issue, citing the creation of a new assistant secretary for cybersecurity as a step in the right direction. But he agreed with Lungren that private companies bear a significant measure of responsibility in the assurance of Internet safety.

"New Security Proposed for Do-it-All Phones"
CNet (09/27/05); Evers, Joris

The increasing consolidation of functions into mobile phones has placed a premium on safeguarding their security. The Trusted Computing Group (TCG) has developed a hardware-based standard for securing mobile phones that has been backed by industry heavyweights such as Nokia, Motorola, Intel, and Samsung. Addressing security on the hardware level will give users greater confidence in their phones, and the TCG standard would protect data and offer copyright protection for exclusive content. The TCG's plans would support similar features to those offered by the Trusted Platform Module, the chip geared for PCs and servers that enables authentication, secure storage, and protected email. The proposal also contains operational restrictions that would prohibit users from running certain applications on their devices. Mobile phones will become an increasingly tempting target for hackers as their functionality expands, particularly as they start to include credit card payment information, which the TCG standard is expected to address in a future iteration. Meanwhile, the incorporation of digital rights management into a mobile phone security platform has raised the ire of user-rights advocates, who claim that it is an unnecessary restriction of a user's freedom. Despite broad support from major cell phone companies, the fractured nature of the industry makes it unlikely that the new security features will see widespread adoption before 2008. Click Here to View Full Article

.From ACM's TechNews, September 23, 2005

"Name That Worm--Plan Looks to Cut Through Chaos"
CNet (09/22/05); Evers, Joris

Last month, a worm with various names wreaked havoc on Windows 2000 systems, abetted by the chaotic and fractured attempts to identify it. To address that issue the Common Malware Enumeration (CME) naming system has emerged, which tags a given piece of malware with a unique identifier. The United States Computer Emergency Readiness Team (US-CERT) says the system will provide a common identifier to help users identify which threat is attacking their system, and to tell them whether or not they are protected. CME promises to fulfill the security industry's longstanding goal of agreeing on a unified system to name viruses and worms; industry participation in CME is voluntary, and will be a key factor in the initiative's success. When multiple security companies create different names for the same outbreak, there is often widespread confusion as to whether there is one threat or multiple, related threats. Organizations that use security products from several vendors are often confounded by multiple alerts for the same virus or worm under different names. At first, CME will only issue numbers for major threats, though US-CERT plans eventually to cover all attacks. Regardless of the names security vendors produce, CME will assign each attack a random number within hours of its discovery and tag it with its associated characteristics; security companies are then urged to include the CME tag alongside whatever descriptive name they produce, so as to create a common reference that helps users understand the actual scope of the threat. Click Here to View Full Article

"The Next 50 Years of Computer Security: An Interview With Alan Cox"
O'Reilly Network (09/12/05); Dumbill, Edd

EuroOSCON keynote speaker and Linux kernel developer Alan Cox describes computer security as "basic" and "reactive," but starting to show signs of improvement. He says the interval between the discovery of bugs and the launch of exploits has shrunk, and exploits will improve in tandem with software tools; because Linux offers greater security than many competitors, it is less vulnerable to exploits, but Cox says no system, Linux included, provides enough protection. Promising developments Cox points to include a significant uptake of code verification and analysis tools, which help prevent the introduction of errors into production code, and a movement toward defense in depth through the use of SELinux, no-execute flags in processors and software emulation of them, and randomization of where objects are located in memory. He notes that SELinux can also be employed to make users more security-conscious by turning behavioral advisories into enforced policy. Cox believes the incorporation of security into software development tools can be done without hindering developers' productivity because many of the improvements automate tedious chores. Cox says the cost of cleaning up the mess caused by system breaches is the current driver of secure software implementation, while the bad publicity this entails as well as statutory duties under data protection law are further incentives. He reasons that lawsuits from the government or from users harmed by poorly run systems might also encourage security deployments. "In theory as we get better at security the expected standard rises and those who fail to keep up would become more and more exposed to negligence claims," Cox says. Click Here to View Full Article

. From ACM's Tech News, September 19, 2005

"Now, Every Keystroke Can Betray You"
Los Angeles Times (09/18/05) P. A1; Menn, Joseph

Cybercriminals have begun to prey on online banking customers, using sophisticated software to record individual keystrokes and obtain passwords and PINs. From June to July, the number of reported phishing attacks dropped, while the number of programs designed to steal passwords, known as crimeware, more than doubled. Though many consumers report that fears of cybercrime will lead them to modify their shopping habits, many banks encourage the use of online transactions because they cost far less than a visit to a branch. Crimeware can be installed inadvertently by opening an attachment or an advertising link, after which it can record all keystrokes or only those made at selected financial sites; the information is then relayed back to the attackers, who thus far have largely been using it to access accounts one at a time, though efforts at automating the process have recently emerged. One particularly malicious program, known as Grams, cuts out the step of relaying the information to the attacker and automatically cleans out the account once the information is recorded. In response, the FDIC has implored banks to investigate new security measures, though banks respond with the fear that too much security could become a nuisance and cost them customers. As security measures become more sophisticated, criminals are keeping pace: efforts to have customers select passwords with a mouse instead of keystrokes have been met with programs that capture the screen to intercept the mouse clicks, and some banks have taken to calling customers when irregular activity is observed on their accounts. Liability remains a pressing issue, as the FDIC and many banks disagree on the extent to which consumers are covered in the event that their data are compromised. Click Here to View Full Article

"False Protection"
Software Development (09/05) Vol. 13, No. 9, P. 34; O'Connell, Laurie

The software designed to bolster enterprise systems against malware and other cyberthreats has itself become a ripe target for hackers, and analysts such as Cigital CTO and author Gary McGraw say security software providers' failure to be software security practitioners is chiefly to blame. "Vendors have to engineer security into the development application lifecycle, get developers to have core responsibility, and give them the tools to do it," says Yankee Group analyst Andrew Jaquith. He suggests that security software developers perform design reviews early and regularly; run nightly regression tests and frequent code base reviews; maintain focus on privilege levels and authorization management; study component authentication; unearth buffer overflows; and conduct checkpoint reviews with security-savvy personnel. Jaquith also recommends that developers test for functions the application is not supposed to carry out. Furthermore, he advises developers to base their choice of vendor or software security system on hard evidence of best practices and an exhaustive technique for spotting and fixing problems encountered by staff, clients, or third parties. Another way to boost security is to fortify the patching infrastructure and analyze security products' auto-update components. An organization's general security can also be shored up by deploying a diverse assortment of anti-virus products from multiple vendors, as well as multisourced solutions from varying code bases. Click Here to View Full Article

. From ACM's Tech News, September 16, 2005

"Hacking's a Snap in Legoland"
CNet (09/15/05); Terdiman, Daniel

Lego executives responded with surprising enthusiasm when adult Lego aficionados hacked and modified one of its development tools for digital designers. Lego's Ronny Scherer says the company welcomes and encourages modifications that show it how to adapt its software to users' needs. The software in question is a free 3D modeling program that fans can download and use to design their own customized Lego models out of digital collections, or palettes, of bricks; Lego then manufactures the bricks and sends them to users. Members of the adult Lego modeling community complained that the design and purchase of these customized models was too expensive because the available palettes usually contained far more bricks than were needed to build the models, and also failed to include important components. Each palette comprises several bags of bricks, and software engineer Dan Malec and other Lego enthusiasts believed they could purchase fewer bricks and reduce their overall costs by lowering the number of bricks in a palette. They compiled a database listing which bags must be bought in order to obtain specific bricks, and then tweaked the digital files listing the palettes users would see in the modeling program so they would be listed by bag rather than by palette. Analyst Anita Frazier reasons that Lego welcomed this hack because "it doesn't ultimately hurt the intellectual property, and [the users] aren't modifying the trademark or the core property at all." Click Here to View Full Article

"A Human Connection to Intrusion Detection"
SearchSecurity.com (09/14/05); McKay, Niall

Researchers at the University of Nottingham want to use the human body's immune system as a model for protecting computer systems. Computer science professor Uwe Aickelin and his colleagues are collaborating with immunologists at the University of the West of England in Bristol to build a computer intrusion detection system that has an artificial immune system. "The University of the West of England is carrying out 'wet' experiments to look at various aspects of cell behavior and passing on their findings to us," explains Jamie Twycross, research associate with the Automated Scheduling Optimization and Planning Lab at the University of Nottingham. "We use the results to try and build a computational model." The immunologists are employing the controversial "danger theory," which holds that the human immune system is triggered by a complex assessment of the origin, seriousness, and frequency of danger signals, rather than by the mere presence of something foreign. Twycross is working to recreate, for an artificial immune system, the process in which garbage-collecting dendritic cells that roam the body transform into fighter cells to battle an infection. Similarly, the software would assess threats to computer systems by gathering and weighing signals from a number of sources. Click Here to View Full Article

"Fleet-Footed Worm Blocker"
Computerworld (09/12/05) P. 36; Anthes, Gary

Microsoft Research is developing software designed to defend networks from fast-replicating computer worms. Vigilante can spot even unknown worms in network traffic, erect "filters" against them, and notify other machines on the network so quickly that the worms can be impeded before humans are even conscious of them, according to research software design engineer Manuel Costa. He says the two biggest hurdles his research team had to overcome were to develop algorithms that could identify previously unseen worms, and to generate no false positives that would result in the blockage of legitimate traffic. Costa says further research is required for Vigilante to fully meet the first challenge, but the false-positive challenge has been effectively tackled. Once computers running the software detect an attack, they produce "self-certifying alerts" and distribute them to other machines, which can independently verify the alerts before taking defensive action. Costa says the computationally intensive algorithms responsible for spotting worms and issuing alerts would usually run on several nonproduction "honeypot" servers, while the protection mechanisms that respond to the alerts would operate on every network-connected machine. BT Group scientist Robert Ghanea-Hercock sees Vigilante as a potentially useful safeguard in large enterprise or government networks, but cautions that the software "is less valuable in the open network or broadband sector due to the lack of cooperation between the security vendors." Click Here to View Full Article

. From EduPage, September 14, 2005

Sound Of Keyboard Clicks Reveals What Is Typed
ZDNet, 14 September 2005

Researchers at the University of California at Berkeley have demonstrated that an audio recording of someone typing on a computer keyboard can reveal with surprising accuracy exactly what they have typed. Using commercially available recording equipment, the researchers captured audio of typing and analyzed the sounds using an algorithm they developed. Because keys make different sounds, the system is able to make educated guesses about what key was pressed in what order. The application then applies some linguistic logic, including spelling and grammar checks, to refine the results. After three rounds of revisions, the application was able to identify 96 percent of the individual characters typed and 88 percent of the words. The application was effective even with background noise, such as music or cell phones ringing. Doug Tygar, UC Berkeley professor of computer science and information management and a principal investigator of the study, said the project should raise concerns about the security risks of such a technology. "If we were able to figure this out," he said, "it's likely that people with less honorable intentions can--or have--as well." http://news.zdnet.com/2100-1009_22-5865318.html

. From EduPage, September 12, 2005

"Google Hacking"
Network World (09/05/05) Vol. 22, No. 35, P. 1; McMillan, Robert

The practice of Google hacking, the use of Google search queries to find exposed systems and data as a step toward penetrating computer networks, owes its start to Computer Sciences Corp. researcher and author Johnny Long, who created the Google Hacking Database initially as a joke. The database now serves as a repository for about 1,500 queries, while the Google hacking community is composed of approximately 60,000 members. The search engine is used not only to unearth credit card numbers, passwords, and unguarded Web interfaces to Web sites, routers, and other devices, but also to perform attacker reconnaissance. "Nowadays, pretty much any hacking incident most likely begins with Google," says F-Secure chief research officer Mikko Hypponen. One method is for an attacker to await a security bulletin and then employ Google to find Web sites that run the vulnerable software. Google's index can also be employed to map out computer networks and to sidestep network administrators' attempts to hinder eavesdroppers. Long reasons that Google's greater involvement in the security community could present new business opportunities. Google could, for instance, create a Google Security Alerts system that notifies customers when their Web sites harbor bugs discovered by Long and other Google hackers. Click Here to View Full Article

. From EduPage, September 7, 2005

UT Hacker Gets Fine, Probation
Houston Chronicle, 7 September 2005

A former student at the University of Texas at Austin has been sentenced for hacking into the university computer system, a charge on which a federal jury convicted him in June. Christopher Andrew Phillips has been ordered to pay $170,000 in restitution for his crimes and to serve five years of probation. Phillips was found guilty of damaging the university's computers and of illegally possessing close to 40,000 Social Security numbers. The jury acquitted him of intending to profit from the personal information he obtained. In addition to the fine and probation, Phillips is forbidden from using the Internet for five years except for school or for work and only under the supervision of his parole officer. In a statement, U.S. Attorney Johnny Sutton said, "[Phillips] found out the hard way that breaking into someone else's computer is not a joke." http://www.chron.com/cs/CDA/ssistory.mpl/metropolitan/3342919

.From ACM's TechNews, September 7, 2005

"Bug Hunters, Software Firms in Uneasy Alliance"
CNet (09/06/05); Reardon, Marguerite

The "responsible disclosure" of security flaws can be a contentious issue between software firms and security researchers. Researchers who do not comply with Microsoft's disclosure guidelines and publicly expose a bug in detail before it is fixed can get into trouble, but independent security researcher Tom Ferris argues that Microsoft takes so long to release patches that full disclosure is warranted; critics also say full disclosure puts pressure on software makers to improve the security of their products faster. IDefense Labs director Michael Sutton says relationships between security researchers and software makers have generally improved over the last several years, and Microsoft, for one, is attempting to get into hackers' good graces through "Blue Hat" conferences and other outreach efforts. Cisco and Oracle, on the other hand, have earned researchers' enmity by failing to expeditiously fix bugs after researchers report them, as well as not updating researchers on their progress, in keeping with responsible disclosure guidelines. Director of Germany's Red Database Security Alexander Kornbrust publicly revealed a half-dozen security vulnerabilities in Oracle software when the software maker failed to issue fixes some two years after he first reported them, and he says Oracle only gave him feedback immediately after he alerted the company to the bugs' existence. Former White House cybersecurity adviser Howard Schmidt says responsible disclosure of software bugs is critical, given America's reliance on IT systems. He suggests that technology companies' lack of responsiveness to security researchers' warnings could be addressed through an intermediate government agency, namely the U.S. Computer Emergency Readiness Team. Click Here to View Full Article

. From EduPage, September 2, 2005

Colleges Dealing With Computer Security Concerns
Christian Science Monitor, 1 September 2005

As the number of computers on college campuses rises, and as IT becomes increasingly rooted in campus activities, higher education officials find themselves facing an expanding number and variety of threats to computer security. According to the Privacy Rights Clearinghouse (PRC), 50 million people have been involved in data breaches over the past seven months, including more than 30 incidents on U.S. college and university campuses. Complicating the challenge to IT security staff is the historically open nature of academic settings, a characteristic often at odds with strong computer security. Another factor making life difficult for IT staff is the computers that students bring to campus with them, often with inadequate or poorly configured security features. Jack Suess, vice president of information technology at the University of Maryland Baltimore County, however, noted that of the 11,000 to 12,000 computers on his campus this year, "there's probably only 200 or 250 I'm really worried about." http://www.csmonitor.com/2005/0901/p12s02-legn.html

.From ACM's TechNews, September 2, 2005

"The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)"
Time (09/05/05) Vol. 166, No. 10, P. 34; Thornburgh, Nathan; Forney, Matthew; Bennett, Brian

The revelation that a ring of Chinese hackers, collectively known as Titan Rain, has been launching coordinated attacks on sensitive and seemingly secure U.S. networks to steal data for some time has unsettling implications for U.S. security. The Department of Defense issued a warning that Titan Rain could not only be a coalition of data thieves but also a patrol point for more critical attacks that could hijack or cripple certain U.S. military networks. Such threats are compounded by the fact that federal investigators must jump through bureaucratic hoops to gain authorization to track down and neutralize foreign cyberspies, while concerns of potential international incidents as a result of such probes only add to the delicacy investigators must practice. There is also a lack of experienced investigators, prompting the intelligence community to encourage or at least unofficially sanction freelancers, such as former Sandia National Laboratories computer network security analyst Shawn Carpenter, who traced the Titan Rain intrusions to a trio of Chinese routers in the province of Guangdong, and dutifully informed the FBI. Sandia dismissed Carpenter because his activities constituted hacking into foreign computers, which is unlawful. Carpenter justifies his actions by saying his case shows the need for reforms if the U.S. is to more effectively respond to cyberthreats. Although Washington has no official position on the power behind Titan Rain, Carpenter and other network-security analysts are convinced that the Chinese government masterminded the attacks. Click Here to View Full Article

"The Threats Get Nastier"
InformationWeek (08/29/05) No. 1053, P. 34; Claburn, Thomas; Garvey, Martin J.

Business technology and security professionals are confident their IT systems are adequately protected against cyberthreats, according to InformationWeek Research's U.S. Information Security Survey 2005, but this attitude belies the fact that worms, viruses, and other forms of malware are more insidious and dangerous than ever. The recent Zotob worm epidemic shows that such threats have not gone away, while the motivation behind such attacks has shifted from bragging rights to financial gain. The most common types of security threats and espionage during the past year were viruses and worms, phishing, denial of service, and Web-scripting language violations, while suspected culprits have included hackers, virus writers, unauthorized and former workers, and organized crime. Seventy-eight percent of survey respondents who believe their vulnerability to cyberthreats has increased or remained steady over the past year say the growing sophistication of such threats is their chief concern, while other anxiety-provoking factors include more ways to attack corporate networks, increased volume of attacks, and more malicious intent. Fifty-one percent of businesses plan to boost their IT security budget this year, while 56 percent of respondents say they are approaching IT security in a more structured way due to the need to conform to government regulations. Enhanced application security, secure remote access, and improved access controls are among the top priorities for these companies. Not only are cyberattacks being launched across multiple modes, but virus writers are taking a cue from hackers and using rootkits to conceal their activities from detection systems. Six percent of companies admit hackers gained access to their customer records, but the actual percentage may be higher if one assumes that some companies are hiding the truth or have been compromised without their knowledge.

.From ACM's TechNews, August 31, 2005

"The Future of Computer Worms"
IT Observer (08/30/05); Sancho, David

Trend Micro research engineer David Sancho outlines possible future attack strategies of bot worms and what steps can be taken to counter them. He says the modular design of bot worms enables them to exploit vulnerabilities faster, which means the interval between the disclosure of a vulnerability and its exploitation will shrink in the very near future; countermeasures Sancho suggests include the immediate patching of home systems as soon as updates are available, and the deployment of software and hardware designed to protect against malware in corporate environments. The author thinks future worms could employ polymorphic shellcode exploit attacks, a method in which bot authors create a module that re-encodes the exploit code so that it differs on every run, which could thwart vulnerability and intrusion detection systems whose effectiveness hinges on the exploit code never changing. A solution to this threat would be a tool that detects the unique compression methods used by each worm variant, and Trend Micro has a scan engine in the works that promises to spot different compression techniques before isolating specific detection patterns. Sancho also expects future worms to perform RSS feed hijacking, in which worms commandeer already-configured RSS-feed clients to automatically download new worms and other kinds of malware. The author believes the release of Internet Explorer 7 could make RSS feed hijacking a legitimate threat, and recommends that companies implement a method to scan HTTP traffic as a protective measure. Click Here to View Full Article
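The point about polymorphic exploit code deserves a concrete illustration, so here is an added example that is not from the article or from Trend Micro. It models the weakness Sancho describes: a static byte signature keys on fixed exploit bytes, a polymorphic module XOR-encodes those bytes under a fresh key on every run, and only a detector that first undoes the encoding (the "decoder-aware" step a scan engine has to perform) keeps matching. The payload is an inert marker string standing in for real shellcode, the two-byte "decoder stub" tag and all function names are constructed for this example, and no actual machine code is involved.

```python
"""Added example (not from the article or Trend Micro): why a fixed byte
signature stops matching once a bot module re-encodes its exploit payload on
every run, and what a decoder-aware detector must do instead.

Everything here is constructed for illustration. PAYLOAD is an inert marker
standing in for real shellcode, and STUB is a made-up two-byte tag standing in
for a real decoder stub; neither is executable code."""
import os
from typing import Dict, List, Optional

# Constructed stand-in for the exploit bytes an IDS signature is written against.
PAYLOAD = b"EXPLOIT-MARKER-BYTES"
SIGNATURE = PAYLOAD[:12]          # the fixed substring a static signature keys on

# Constructed tag meaning "decoder follows; next byte is the XOR key".
STUB = b"\xEB\x0D"


def polymorph(payload: bytes, key: Optional[int] = None) -> bytes:
    """Return a fresh encoding: STUB + 1-byte key + (payload XOR key).
    Each call with key=None picks a random key, so the bytes on the wire differ
    every time while the decoded payload stays identical."""
    if key is None:
        key = os.urandom(1)[0] or 0x5A    # key 0 would leave the body unchanged
    body = bytes(b ^ key for b in payload)
    return STUB + bytes([key]) + body


def signature_match(packet: bytes) -> bool:
    """Static detection: does the fixed signature appear verbatim?"""
    return SIGNATURE in packet


def decode_if_stub(packet: bytes) -> bytes:
    """Decoder-aware step: if the stub tag is present, reverse the XOR encoding
    so the original payload bytes become visible to the signature check.
    Packets without the tag (or with a truncated key) are returned unchanged."""
    idx = packet.find(STUB)
    if idx < 0 or idx + len(STUB) >= len(packet):
        return packet
    key = packet[idx + len(STUB)]
    body = packet[idx + len(STUB) + 1:]
    return bytes(b ^ key for b in body)


def emulating_match(packet: bytes) -> bool:
    """Detection that emulates the decoder before applying the signature."""
    return SIGNATURE in decode_if_stub(packet)


def variants(n: int) -> List[bytes]:
    """n distinct encodings of the same payload, using keys 1..n so the result
    is deterministic for the checks below."""
    return [polymorph(PAYLOAD, k) for k in range(1, n + 1)]


def detection_report(n: int = 20) -> Dict[str, int]:
    """Compare the two detectors over n polymorphic variants."""
    pkts = variants(n)
    return {
        "distinct_on_wire": len(set(pkts)),
        "static_hits": sum(signature_match(p) for p in pkts),
        "decoder_aware_hits": sum(emulating_match(p) for p in pkts),
    }


if __name__ == "__main__":
    print("plain payload, static match:", signature_match(PAYLOAD))
    print(detection_report(20))
```

Every variant carries the same logic but different bytes, so the static signature never fires again after the first encoding, while the decoder-aware check recovers the payload from each one. The catch a practitioner should keep in mind is that a real detector must recognise (or emulate) the decoder itself, which is exactly why Sancho's proposed engine targets the packing and compression techniques rather than the encoded bytes.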

. From EduPage, August 26, 2005

Cyberscam Continues Apace
BBC, 26 August 2005

A recently discovered identity-theft scam continues to cause problems for Internet users, despite efforts by security firms and the FBI to stop it. Security firm Sunbelt Software uncovered the scam accidentally while investigating spyware. Sunbelt located an Internet server whose log files contained personal information harvested by keylogging from many thousands of users. The company notified the FBI, and the server was shut down soon afterwards, only to resurface later. Each time the servers are taken down, more of them appear elsewhere. The keylogging software, which is circulated by a computer virus, captures private information from users and transmits it to one of the rogue servers. The FBI is working to find out who is operating the servers. In the meantime, Sunbelt has developed a tool that searches for the malicious software, which it has named Srv.SSA-KeyLogger. http://news.bbc.co.uk/2/hi/technology/4186972.stm

.From ACM's TechNews, August 26, 2005

"Hackers Attack Via Chinese Web Sites"
Washington Post (08/25/05) P. A1; Graham, Bradley; Eggen, Dan

Hackers have been focusing attacks on hundreds of unclassified U.S. government systems through Chinese Web sites for several years, reported anonymous government officials. Analysts are split on whether these intrusions are the work of a coordinated Chinese government initiative to breach U.S. networks and monitor government databanks, or other hackers using Chinese networks to mask the attacks' point of origin. "This is an ongoing, organized attempt to siphon off information from our unclassified systems," said one official, who noted that State, Energy, Defense, and Homeland Security Department networks are among those targeted. With roughly 5 million computers spread across the globe, the Pentagon has more computers than any other agency, making its network the most vulnerable target to both foreign and domestic hackers, the officials said. The Pentagon estimates that China is the No. 1 source of Defense Department hacks, though Lt. Col. Mike VanPutte of the U.S. Strategic Command's Joint Task Force for Global Network Operations said this only proves that China is the probes' "last hop" before they strike their targets. One anonymous government official downplayed the severity of the attacks, while another said an FBI investigation has yet to yield any definitive proof of who is orchestrating the intrusions. U.S. concerns about Chinese military initiatives in general are fueling worries about China-based cyberattacks, and the spate of attacks on unclassified systems has added urgency to the Pentagon's effort to acquire new detection software programs and better train computer security specialists, according to several officials. Click Here to View Full Article

.From ACM's TechNews, August 24, 2005

"Hacker Underground Erupts in Virtual Turf Wars"
Christian Science Monitor (08/22/05); Spotts, Peter N.

Hacker turf wars sparked by the increasing strategic and monetary value of compromised computers have usually simmered out of the public eye, but such skirmishes were in plain view last week when the Zotob worm infected computers at a major airport, media outlets, and industrial companies, and prompted an all-out battle between competing malware. Zotob appeared a mere six days after Microsoft announced a patch for the security flaw the worm was crafted to take advantage of, and Curtis Franklin Jr. of Secure Enterprise Magazine reports that the average time between the disclosure of a vulnerability and the release of an exploit has shrunk from 21 days to eight days in the last 24 months. Experts say this shorter timeframe can be partially explained by the apparent use of prewritten program "shells" by malware authors, while the patching process can be held up by negotiations between corporate network managers and other parts of the corporation. "Zero-day exploits," in which malware appears on the same day a flaw is announced, are generating the most concern, and Franklin says the Zotob turf war illustrates a convergence among the various forms of malware in terms of function. Intelguardians Network Intelligence security consultant Tom Liston says hacker turf wars have increased significantly over the last three years. University of California, Los Angeles professor Peter Reiher adds that such battles used to be primarily over bragging rights, whereas today they indicate a greater interest in controlling infected systems. Click Here to View Full Article

.From ACM's TechNews, August 19, 2005

"Can a Simple Password Stop Domain Name Hijacking?"
Tom's Hardware Guide (08/17/05); Gruener, Wolfgang

Using a password at the time of a domain transfer between registrars could safeguard against identity fraud targeting Internet domain names, which has emerged as one of the most significant threats to networks today. Securing the domain name transfer process has been slow, due partially to the lackluster implementation of the Extensible Provisioning Protocol (EPP), an XML-based registry-registrar protocol. VeriSign is moving toward adopting EPP for the .com and .net domains on an unspecified time frame, which will ultimately reduce the vulnerability of those top-level domains. Since 2000, the Registry Registrar Protocol (RRP) has governed the exchange of domain name services, but that protocol, adopted by VeriSign in 2003, contains no built-in transfer security features. EPP potentially offers greater security through the registry's database, whereby the gaining registrar proves the customer's authorization to the losing registrar through an authInfo code. The key to authInfo's success will be its use to create a unique code for each domain name, rather than registrar-wide generic codes that are easy targets for attackers. ICANN SSAC Fellow Dave Piscitello describes EPP authInfo essentially as a password, as no one other than the receiving registrar could view the transmission in unencrypted form. The .com and .net domains have been slow to implement EPP, though its use is common in other domains, such as .org, .biz, and .info. It is estimated that .com and .net will not be fully converted to EPP for another year. EPP may not be a universal panacea, however, as the transfer process still depends on WHOIS data of questionable reliability. Ultimately, SSAC says registrants themselves must be accountable for securing domain names, ensuring their information is current, and choosing an appropriate registrar, as well as utilizing EPP authInfo to its full extent. Click Here to View Full Article
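To make the authInfo point concrete, here is an added example that is not from the article, VeriSign, ICANN or any registry's code. It is a toy model of the registry-side check: the gaining registrar submits an EPP `<transfer op="request">` carrying the domain's authInfo, and the registry compares it against the code on file. The XML namespace strings and result codes are the real ones from RFC 5730/5731; the in-memory store, the registrar identifiers, the sample domains, and all function names are constructed for illustration, and the model approves a transfer immediately rather than entering EPP's pending state. The last two functions contrast per-domain codes with the registrar-wide generic code the article warns about.

```python
"""Added example (not from the article or any registry): a toy registry that
verifies the authInfo in an EPP domain transfer request.

Real parts: the EPP and domain-mapping XML namespaces and the result codes are
those defined in RFC 5730/5731. Constructed parts: the in-memory store, the
registrar ids, the sample domains, and the immediate approval (real transfers
enter a pending state instead of completing at once)."""
import hmac
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
NS = {"epp": EPP_NS, "domain": DOMAIN_NS}


def new_authinfo(nbytes: int = 12) -> str:
    """Per-domain code: fresh randomness for every domain, never a constant."""
    return secrets.token_urlsafe(nbytes)


def transfer_request_xml(name: str, authinfo: Optional[str]) -> bytes:
    """Build the EPP transfer request the gaining registrar would send.
    authinfo=None omits the <authInfo> element to exercise the error path."""
    epp = ET.Element("epp", xmlns=EPP_NS)
    cmd = ET.SubElement(epp, "command")
    tr = ET.SubElement(cmd, "transfer", op="request")
    dom = ET.SubElement(tr, "transfer", xmlns=DOMAIN_NS)
    ET.SubElement(dom, "name").text = name
    if authinfo is not None:
        ET.SubElement(ET.SubElement(dom, "authInfo"), "pw").text = authinfo
    return ET.tostring(epp)


class Registry:
    """Constructed registry: name -> sponsoring registrar and authInfo code."""

    def __init__(self) -> None:
        self._domains: Dict[str, Dict[str, str]] = {}

    def register(self, name: str, sponsor: str, authinfo: Optional[str] = None) -> str:
        code = authinfo if authinfo is not None else new_authinfo()
        self._domains[name.lower()] = {"sponsor": sponsor, "authinfo": code}
        return code

    def transfer_request(self, xml_bytes: bytes, gaining_registrar: str) -> str:
        """Return the EPP result code for a transfer request."""
        root = ET.fromstring(xml_bytes)
        name_el = root.find(".//domain:transfer/domain:name", NS)
        pw_el = root.find(".//domain:transfer/domain:authInfo/domain:pw", NS)
        if name_el is None or pw_el is None:
            return "2003"                       # required parameter missing
        rec = self._domains.get((name_el.text or "").strip().lower())
        if rec is None:
            return "2303"                       # object does not exist
        if rec["sponsor"] == gaining_registrar:
            return "2002"                       # command use error: already sponsor
        presented = (pw_el.text or "").encode()
        if not hmac.compare_digest(rec["authinfo"].encode(), presented):
            return "2202"                       # invalid authorization information
        rec["sponsor"] = gaining_registrar
        rec["authinfo"] = new_authinfo()        # rotate: the old code is now burnt
        return "1000"                           # completed (toy model skips pending)


def scenario_per_domain() -> Tuple[str, str]:
    """Attacker learned example.com's code only; example.net has its own."""
    reg = Registry()
    code_a = reg.register("example.com", "registrar-A")
    reg.register("example.net", "registrar-A")
    return (reg.transfer_request(transfer_request_xml("example.com", code_a), "registrar-B"),
            reg.transfer_request(transfer_request_xml("example.net", code_a), "registrar-B"))


def scenario_generic_code() -> Tuple[str, str]:
    """Same attack against a registrar that reuses one code for every domain."""
    reg = Registry()
    shared = "registrarA-generic-code"           # constructed weak practice
    reg.register("example.com", "registrar-A", shared)
    reg.register("example.net", "registrar-A", shared)
    return (reg.transfer_request(transfer_request_xml("example.com", shared), "registrar-B"),
            reg.transfer_request(transfer_request_xml("example.net", shared), "registrar-B"))


if __name__ == "__main__":
    print("per-domain codes:", scenario_per_domain())    # second transfer refused
    print("generic code:   ", scenario_generic_code())   # both transfers succeed
```

With per-domain codes, a leaked authInfo lets an attacker move exactly one domain; with a registrar-wide code it moves the whole portfolio, which is the failure mode the article calls out. The comparison uses `hmac.compare_digest` because authInfo is a bearer secret, and the code is rotated after a successful transfer so the value that just travelled over the wire cannot be replayed. None of this helps if the WHOIS contact data the rest of the process relies on is wrong, which is the caveat SSAC raises.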

"Computer Characters Mugged in Virtual Crime Spree"
New Scientist (08/18/05); Knight, Will

The increasingly porous boundary between the real and virtual worlds is illustrated by the arrest of a Chinese exchange student in Japan on suspicion of controlling software "bots" to assault and rob game characters of virtual possessions, which were then fenced for real money through an auction Web site. Bots can easily best virtual characters controlled by people because they perform tasks in a game very swiftly or repetitively, and such activities can be spotted by countermeasures used by many games companies. Computer games consultant Ren Reynolds comments that bot authors and games firms are locked in an arms race, while the practice of turning virtual worlds into a cash cow is expanding. Computer security expert Bruce Schneier says the line is blurring between real and virtual crime as well, citing recent reports of criminals trying to penetrate games or steal players' account data for money. "I regularly say that every form of theft and fraud in the real world will eventually be duplicated in cyberspace," Schneier writes on his blog. "Perhaps every method of stealing real money will eventually be used to steal imaginary money, too." Reynolds concludes that the rising online game player population will fuel crooks' desire for exploitation even further. Click Here to View Full Article

.From ACM's TechNews, August 19, 2005

"Al-Qaida Recruiting Target: Skilled Hackers"
Investor's Business Daily (08/19/05) P. A4; Tsuruoka, Doug

Mark Rasch, chief security counsel for Solutionary, Inc. and former head of the Justice Department's computer crime unit, reports that foreign governments and terrorist organizations such as al-Qaida are attempting to hire Internet hackers to break into commercial and federal computer networks, with an eye toward sabotage or information theft. He says a massive assault against our cyberinfrastructure would disrupt services but not inspire terror; much more effective would be a combination cyberattack and physical attack, which would spread fear as well as hinder response strategies. Rasch says al-Qaida has formulated plans to attack U.S. networks controlling the supervisory control and data acquisition (SCADA) systems underlying the country's utility infrastructure. Terrorists can contact hackers in a variety of ways, including through Internet relay chat channels, anonymous outsourcing, and anonymous remailers that hide the original source of messages. Rasch suggests a number of precautions to defend against cyberterror attacks, such as the installation of disaster recovery and business continuation technology and redundant systems. So that people can understand and identify attack precursors, he recommends an exchange of information. Rasch also suggests improving information sharing networks following an attack.

"'War of the Worms' Spurs Latest Cyber-Attack"
ABC News (08/17/05); James, Michael S.

The attack earlier this week that slowed systems at The New York Times, The Associated Press, and other media outlets may have been an example of battling worms competing for control of major computer networks. The culprit was identified as different strains of the Zotob worm, which targets computers running Windows 2000, though if unprotected, Windows 2003 and XP are also vulnerable. In the latest attacks, the hackers were attempting to seize control of the computers to create botnets, and posted death threats aimed at antivirus companies. The pursuit of unlawful computer armies has led to a virtual turf war, where rival hackers delete each other's worms to clear the way for their own in an effort to build the largest botnet. The recent trend in hacking has been toward personal greed, as simply defacing a Web site or launching a denial of service attack no longer motivates hackers: "Destroying the Internet is not really useful if the Internet is the means to your financial goals," noted Art Manion of the U.S. CERT center at Carnegie Mellon. Botnet operators use the expropriated computers to send out torrents of spam or access personal information, though there is also an underground economy that pays to rent botnets for various purposes, most commonly to send out spam. The use of multiple third-party computers makes it difficult to track the originator of botnet spam. Cybertrust's David Kennedy believes poor laptop security may have facilitated the recent attacks, and cautions businesses to keep security patches updated and to use a dedicated router to manage the connection between the notebook and the provider's link; he adds that users should power their notebooks down completely before connecting to the network. Click Here to View Full Article

"Computer Virus Writers Moving Faster with Attacks"
Reuters (08/17/05); Swartz, Spencer

A flood of malware-based attacks against U.S. media companies and other corporations this week has prompted security analysts to warn that the window between the disclosure of vulnerabilities and their exploitation by hackers is shrinking. "These guys have gotten a lot faster...they are doing it faster than managers can keep up with," stated F-Secure virus researcher Ero Carrera. Analysts said the interim between advisories of flaws in Microsoft's Windows operating system and the release of exploitative viruses was several weeks or months a few years ago. However, hackers authored and released exploits of three Windows security vulnerabilities mere days after Microsoft notified users of their existence last week. The malware caused thousands of vulnerable machines to restart repeatedly, and potentially exposed computers to hackers who could hijack a system as a launch-pad for future virus attacks and steal personal data while the user is unaware. Also troubling is the fact that virus writers often release malicious code faster than computer system safeguards can be updated. Hackers have additionally started exploiting instant messaging's popularity among office workers as a vehicle for delivering viruses. Click Here to View Full Article

. From Microsoft -- "School is in: 7 computer security tips for students".

. From the Chicago Tribune, Now, Every Keystroke Can Betray You.

. From New York Times, August 17, 2005

Virus Attacks Windows Computers at Companies
By Matt Richtel

A handful of digital worms that exploit vulnerabilities in some Microsoft Windows computers spread on Tuesday. Read the article.

. From New York Times, August 15, 2005

Spyware Heats Up the Debate Over Cookies
By Bob Tedeschi

Internet users now routinely delete cookies, leaving marketers scrambling to find another tool to measure their effectiveness. Read the article.

. From EduPage, August 17, 2005

Former AOL Employee Sentenced For Data Theft
Reuters, 17 August 2005

A judge in New York has sentenced a former employee of America Online to 15 months in prison for stealing 92 million screen names from AOL and selling them to a spammer. Jason Smathers, who pleaded guilty earlier this year and cooperated with prosecutors, expressed remorse for his actions and asked the judge for leniency. Indeed, the judge could have given Smathers 24 months in prison for his crimes, which included conspiracy and interstate trafficking of stolen property. AOL has said it suffered monetary losses of $300,000 as a result of Smathers's actions. The judge in the case has given the company 10 days to prove those losses, after which he said he will impose a fine, hinting that he is leaning toward a fine of $84,000. http://today.reuters.com/business/newsarticle.aspx?storyID=nN17251689

.From ACM's TechNews, August 17, 2005

"'Spear Phishing' Tests Educate People About Online Scams"
Wall Street Journal (08/17/05) P. B1; Bank, David

To raise user awareness of online scams designed to trick them into revealing sensitive information to data thieves and other miscreants, organizations such as the U.S. Military Academy are conducting exercises in which people are sent phony emails disguised as official requests to link to Web pages and enter confidential data, and then upbraided if they do so. Through this strategy, defenders hope to teach users to be more cognizant of "spear phishing" scams in which attackers craft email messages that would seem to originate from the recipient's company or organization. Last June, over 500 West Point cadets were sent mock emails from a fictitious colonel instructing them to click on a link to confirm that their grades were correct, and more than 80 percent of recipients complied; the cadets were gently reprimanded via email and advised to be more cautious in the future. In recent months, almost 10,000 employees of New York state were sent emails that were supposedly official notices asking them to access sites and enter their passwords and other personal details, and those who did were sent a note explaining the purpose of the exercise. "The bottom line lesson was: Even if the request comes from legitimate individuals, never give out personal information," said New York CIO William Pelgrin. However, such methods could potentially erode employees' trust for their organizations' information-security personnel. Still, SANS Institute research director Alan Paller called such exercises "a key defense against large-scale theft of confidential information."

. From EduPage, August 15, 2005

E-Mail Marketer Convicted Of Stealing 1.6 Billion Names
Wall Street Journal, 15 August 2005

A jury in Arkansas has convicted Scott Levine of stealing 1.6 billion computer records from Little Rock-based data vendor Acxiom Corp. The records included names, addresses, phone numbers, and other personal information that Levine's company, Snipermail.com, sought to use in direct e-mail marketing campaigns. In the case, the government presented evidence that Levine had used illegally obtained passwords of about 300 legitimate Acxiom customers to fraudulently access the records. Levine was convicted of 120 counts of unauthorized access to a computer, two counts of fraud for cracking passwords, and one count of obstruction of justice for trying to destroy evidence stored on Snipermail computers. Levine will be sentenced in January. Acxiom said that since the intrusion, it has improved security procedures for protecting data, including strengthening encryption systems and the company's ability to detect when unauthorized access takes place. (sub. req'd) http://online.wsj.com/article/0,,SB112406416615412935,00.html

.From ACM's TechNews, August 15, 2005

"NIST Creates Online Treasure Trove of Security Woes"
Federal Computer Week (08/15/05); Yasin, Rutrell

The National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) is a comprehensive repository of cybersecurity data culled from all publicly available vulnerability resources that also supplies references to industry resources. NVD creator and NIST computer scientist Peter Mell says about 12,000 vulnerability entries have been posted on the NVD Web site, with roughly 10 new postings added daily. The public will be able to use NVD to gain detailed information on flaws in specific products and trends in industry segments, while developers who must import vulnerability data into their security offerings could benefit as well, according to Mell. The database is constructed wholly on the Common Vulnerabilities and Exposures (CVE) naming standard maintained by Mitre, which is used by some 300 security products to spot vulnerabilities and expedite interoperability between those products; Mell says NVD will further assist in the facilitation of compatibility by augmenting the CVE standard with detailed vulnerability data. The public can freely avail themselves of NVD's vulnerability information as an XML feed, and Mell says the database can also produce statistics that extrapolate vulnerability-discovery trends. Unlike the Homeland Security Department's Technical Cyber Security Alerts and Vulnerability Notes, which only notify the public about the most critical flaws, NVD offers "an encyclopedia of everything," reports Mell. SANS Institute research director Alan Paller notes that users can employ NVD to answer difficult queries such as whether software from specific vendors is flawed. NVD is sponsored by the DHS' National Cyber Security Division as a complement to the department's suite of vulnerability management products, Mell says. Click Here to View Full Article

"Instant Messaging: A New Target For Hackers"
Computer (07/05) Vol. 38, No. 7, P. 20; Leavitt, Neal

The growing popularity of instant messaging (IM), especially among businesses, has made it an increasingly attractive target to phishers, malware authors, and other attackers. IMlogic CTO Jon Sakoda says IM attacks can propagate rapidly thanks to IM's real-time capabilities. Other factors encouraging IM attackers include a lack of safe computing practice among users; the false sense of security users feel due to IM's immediacy and informality; growing functionality and complexity of IM systems; and an absence of corporate IM-use policies. Messaging providers and security companies are attempting to thwart or mitigate IM attacks by monitoring and analyzing IM security risks through the IMlogic Threat Center and similar efforts, and are also educating consumers about safe computing practices. Many IM virus outbreaks cannot be halted by traditional antivirus technology, which fails to keep up with the rapid spread of IM communications. However, virus throttling shows promise as a method for slowing down and limiting the damage of messaging worm propagation. Furthermore, major IM networks are amending their clients to combat buffer overflow attacks enabled by substandard programming and memory management.

. From EduPage, August 12, 2005

New York Adds Disclosure Law
The Register, 12 August 2005

New York State has enacted a law requiring corporate or public organizations to notify individuals in the event that personal information about them has been compromised. Similar in concept to a California law that went into effect two years ago, the New York law compels organizations that store sensitive information to contact consumers as quickly as is practical if there is evidence or suspicion that data including Social Security numbers or credit card numbers have been unlawfully accessed. At least 15 other states have passed similar legislation since California did. New York State Assembly member James Brennan, sponsor of the legislation, said, "If a person is not aware that he or she has been a victim of identity theft, then the damage done could be severe and irreversible," noting that the sooner people are made aware of security breaches involving sensitive data, the better their chances are of avoiding the worst repercussions. http://www.theregister.com/2005/08/12/ny_security_breaches_disclosure/

.From ACM's TechNews, August 12, 2005

"PluggedIn: Wireless Networks--Easy Hacker Pickings"
Reuters (08/05/05); Sullivan, Andy

Wireless networks are highly vulnerable to exploitation, so much so that hackers regularly compete to find open Wi-Fi connections. Mapping out wireless access points, a practice known as wardriving, is very popular, as demonstrated by wardriving contests hosted at the recent Defcon hacker conference. Inexpensive wireless routers let consumers surf the Web from home, while a Wi-Fi signal's radius of several hundred feet allows neighbors to access the Internet as well. Very few wireless hotspot owners avail themselves of encryption, password protection, and computer-specific network access features. Wardrivers say the WEP encryption standard employed by many access points is easy to break, while others blame manufacturers such as Linksys for failing to make security a default setting in their products because they are more interested in ease of use. Mike Wagner with Linksys claims new routers enable computers to securely link with other Linksys devices through the simple push of a button, but admits his company cannot ship its products with the security settings activated because most users will not go to the trouble of changing the default password. Numerous laws criminalize accessing computer networks without authorization, but few have been put to the test in court. Wardrivers claim not to approve of unauthorized network use, insisting that the goal of their activities is to raise awareness of wireless security's vulnerability among consumers and manufacturers in the hope of spurring them to make improvements. Click Here to View Full Article

. From EduPage, August 10, 2005

Hackers Hit Another University
San Francisco Chronicle, 9 August 2005

Sonoma State University, an hour north of San Francisco, has become the latest in a growing list of universities to suffer a hacker attack that put personal information of students and staff at risk. At Sonoma State, hackers in July gained access to several computer workstations, which allowed them to access a number of other computers before university staff detected and put an end to the intrusion. In all, the hackers had access to names and Social Security numbers of nearly 62,000 students, applicants, or employees of the university between 1995 and 2002. A spokesperson for the university said the hackers did not have access to financial information and noted that there is currently no evidence that any of the information has been misused. Nevertheless, the university is required by state law to contact individuals whose personal information has been compromised, and the university is working to do just that. The university has set up a Web site with information and is advising affected individuals to contact credit-reporting agencies to be on the lookout for possible identity fraud. http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/08/09/BAGLJE50C81.DTL

Students Face Punishment For Computer Tampering
Wired News, 9 August 2005

Thirteen high school students in the Kutztown Area School District in Pennsylvania face felony charges of tampering with computers after defeating security measures on laptops issued to them by the school district. The laptops included Internet filters and an application that allowed district administrators to see what students did with the computers. The 13 used administrator passwords--which, for unknown reasons, were taped to the backs of the computers--to override the filters and download software such as iChat that the district policy forbids. The students also modified the monitoring program so that they could see what the administrators did with their computers. The students and their parents argued that the felony charges are unwarranted, but, according to the district, students and parents signed acceptable use policies that clearly state what activities are not allowed and that warn of legal consequences if the policy is violated. The students continued to violate district policies for use of the computers even after detentions, suspensions, and other punishments, according to the district. Only then did school officials contact the police. http://www.wired.com/news/technology/0,1282,68480,00.html

Spammer Settles With Microsoft
New York Times, 10 August 2005

Microsoft has reached a settlement with Scott Richter, a man once described as one of the top three spammers in the world. Efforts by Microsoft and New York Attorney General Eliot Spitzer in 2003 resulted in the collection of 8,000 e-mail messages containing 40,000 fraudulent statements sent by Richter's company, OptInRealBig. Richter earlier agreed to pay New York State $50,000; under the new settlement, Richter will pay Microsoft $7 million. According to Bradford L. Smith, chief counsel for the software giant, $5 million would be used to "increase our Internet enforcement efforts and expand technical and investigative support to help law enforcement address computer-related crimes," while another $1 million will be spent on improving computer access for the poor in New York State. The settlement also requires Richter to comply with state and federal laws governing e-mail and to submit to oversight of his company's operations for three years. (registration req'd) http://www.nytimes.com/2005/08/10/technology/10spam.html

.From ACM's TechNews, August 10, 2005

"Critics Say Security Still Lags"
Investor's Business Daily (08/09/05) P. A4; Howell, Donna

Internet and computer security continues to face heavy criticism four years after Sept. 11, with industry organizations and the Government Accountability Office (GAO) urging the allocation of more federal resources to tech security. A CSO magazine poll of 389 security professionals finds that roughly 59 percent of respondents doubt the government can secure the U.S. information infrastructure, while 45 percent expect hackers or terrorists to launch the digital equivalent of a Pearl Harbor-style attack against the nation's critical infrastructure. The GAO has issued several studies finding fault with federal cybersecurity efforts, and Ron Ross with the National Institute of Standards and Technology says his organization has been developing a set of standards and guidelines designed to help agencies construct improved information systems and safeguards. "There's no long-term vision for what we ought to be doing in cybersecurity research and development," notes Cyber Security Industry Alliance (CSIA) executive director Paul Kurtz. "In the long term, we need to think about our information systems constantly being under attack...And the need to transfer over to other systems." In July, CSIA recommended the development of a 10-year federal plan to enhance the security, reliability, and resiliency of information technology, as well as additional funding for the issue. A recent restructuring of the Homeland Security Department resulted in the creation of an assistant secretary for cybersecurity and telecommunications; both CSIA and the ITAA praised this maneuver, though ITAA President Harris Miller still laments that some federal IT agencies' budgets remain flat. Unisys' Greg Baroni points to increased security audits encouraged by security guidelines mandated by the Federal Information Security Management Act, which will soon obtain a "compliance component."

"Annual Hacking Game Teaches Security Lessons"
SecurityFocus (08/04/05); Lemos, Robert

The annual DEF CON conference hosts a hacker version of Capture the Flag, and this year's bout emphasized more real-world skills, according to University of California at Santa Barbara computer science professor Giovanni Vigna, whose Shellphish team was the victor. "The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things," Vigna explained. "It's about analyzing the security posture of a system that is given to you and about which you initially know nothing." This year the organizers courted controversy by running a central server on which each team's virtual server operated, whereas in past tournaments each team was permitted to run their own server; Crispin Cowan with Novell's SUSE division said this meant there was very little defense that could be implemented, and he doubted that anyone with a substantial interest in defense will participate in future tournaments if exclusive concentration on code auditing becomes the norm. One of the organizers defended this year's game with the argument that the bout was a hacking contest. He said finding and exploiting security flaws in custom software via reverse engineering, not just code auditing, is key to being a top hacker. The organizer insisted that defense was not sidelined, noting that some teams successfully deployed Tripwire, a data-integrity checker that can pinpoint altered files, and used an intrusion detection system to monitor traffic. Vigna said the winning team's strategy kept the discovery of flaws and the toughening up of systems services in balance. Click Here to View Full Article

"Car Computer Systems at Risk as Viruses Go Mobile"
Reuters (07/29/05); Virki, Tarmo; Shields, Michael

In-vehicle computer systems could be threatened by malware as hackers' interest in authoring viruses for wireless devices grows, according to automotive industry officials and analysts. Automakers' tweaking of on-board computers to allow consumers to transfer data with mobile phones and MP3 players also increases the cars' vulnerability to mobile viruses that hop between devices through the connective Bluetooth technology, which is employed in car electronics interfaces for service and monitoring. The worst-case scenario is that the computer would no longer be able to control engine performance, emissions, navigation, and entertainment systems, and Symantec mobile virus specialist Guido Sanchidrian says this should not prevent motorists from driving their cars on their own. Thus far there have been no reports of viruses in auto systems, but carmakers say they are giving the matter serious consideration, even though research shows transplanting a virus into a car is not a simple proposition. A BMW representative says such transplants are a possibility, and addressing this problem has been an area of concentration for many years. A Siemens representative claims her company uses systems that screen out unwanted programs and data via encryption. Automakers' growing emphasis on computer security could be a windfall for antivirus firms, and IDC projects that the mobile security software market will skyrocket from $70 million in 2003 to $993 million in 2008. Click Here to View Full Article

. From EduPage, August 5, 2005

Court Upholds University Block On Spammer
Inside Higher Ed, 4 August 2005

A federal appeals court ruled in favor of the University of Texas (UT) in its dispute with White Buffalo Ventures over thousands of spam e-mails sent by the company to students of the institution. In 2003, White Buffalo, which operates an online dating service geared toward UT students, began sending thousands of messages to student e-mail addresses it had obtained through public records. After receiving many complaints from students, the university blocked White Buffalo's e-mails, a move the company said infringed on its First Amendment rights and its rights under the CAN-SPAM Act. A federal judge disagreed with White Buffalo, and the current ruling supports that decision. The three-judge panel of the appeals court found that the institution is within its rights to place restrictions on commercial speech if such restrictions can be shown to legitimately benefit constituents--in this case, UT's students. Observers noted that the court's rejection of White Buffalo's CAN-SPAM argument is important in that it presents a significant roadblock to organizations that would try to use the law to make it easier, rather than more difficult, to send unsolicited e-mail. http://insidehighered.com/news/2005/08/04/ut

. From EduPage, August 3, 2005

CU Suffers Another Hack
The Denver Post, 3 August 2005

Hackers broke into a server at the University of Colorado (CU), marking the third security breach in the past six weeks. The latest attack targeted servers that held information for the school's ID card, known as the Buff OneCard. Those servers included names, Social Security numbers, and photographs but not financial information. Potentially exposed in the attack is personal information for 29,000 students, some former students, and 7,000 staff members. Students who will be entering the university in the fall were not affected. Dan Jones, IT security coordinator, said it was not clear whether this attack was perpetrated by the same people who compromised two other servers recently. In April, CU had decided to move away from using Social Security numbers as identifiers for students, based on security problems at other institutions and the risk of identity theft. Some systems on campus, however, still use Social Security numbers to track students, according to Jones. Officials at the university said they will hire an independent auditing firm to assess the institution's security measures and will also evaluate some 26,000 computers to determine which could be placed behind a firewall. http://www.denverpost.com/news/ci_2909173

Researcher Says DNS Servers Vulnerable
CNET, 3 August 2005

In a presentation at the Black Hat conference last week, security researcher Dan Kaminsky argued that domain name system (DNS) servers represent a broad vulnerability in the Internet. Kaminsky said that of 2.5 million DNS servers he tested, nearly 10 percent could be susceptible to so-called DNS cache poisoning. In total, about 9 million DNS servers are operating globally. DNS servers translate typed URLs into numbers necessary to locate Web sites. In cache poisoning, legitimate numeric Web addresses are replaced, causing users to be redirected to sites of the hacker's choosing. Often, users are sent to Web sites that install malware or that deceive users into disclosing personal information, which can then be used in identity theft. Incidents of cache poisoning have disrupted Internet service in the past, including this March, when users trying to access CNN.com and MSN.com were sent to sites that installed spyware. Security experts advise operators of DNS servers to audit their machines and make sure they configure them in the safest manner possible. http://news.com.com/2100-7349_3-5816061.html

.From New York Times, August 7, 2005

Europe Zips Lips; U.S. Sells ZIPs
By Eric Dash, August 7, 2005

The U.S. looks at privacy largely as a consumer and an economic issue; in the rest of the developed world, it is regarded as a fundamental right. Read the article.

The Rise of the Digital Thugs
By Timothy L. O'Brien, August 5, 2005

The newest big corporate menace: disgruntled techies, who find company secrets and will keep them, for a price. Read the article.

.From ACM's TechNews, August 3, 2005

"The Sniffer vs. the Cybercrooks"
New York Times (07/31/05) P. 3-1; Rivlin, Gary

As the motivation for hackers shifts from the pursuit of bragging rights to high-stakes economic plundering, many corporations are enlisting the services of sniffers, security analysts who peer through the eyes of a hacker to exploit a system's vulnerabilities in the name of improving its security. A recent survey found that over 87 percent of the companies polled conduct penetration tests, up from 82 percent a year ago; up 14 percent from 2003, companies in North America spent more than $2 billion on security consulting last year, says Gartner analyst Kelly Kavanagh. Sniffers such as independent consultant Mark Seiden often resort to unorthodox techniques to expose a system's vulnerabilities. While he is a former programmer with considerable technical expertise, Seiden may be best known for his innovative methods for gaining access to companies' most sensitive information, such as using disguises to infiltrate restricted places. Once inside, Seiden is an expert at figuring out where a data center is housed, and by blending in, picking locks, and shimmying through air ducts to drop through a ceiling into an otherwise secure room, he has exposed weaknesses in many high-profile companies. The most porous security is most likely to be found in a physical building, where file cabinets with cheap locks and unsecured backup tapes offer a wealth of sensitive information to someone such as Seiden. Though his creativity and uncanny ability to think like a cyber-criminal have kept him in high demand, he acknowledges that "you can't prevent a determined adversary who has unlimited resources from breaching security." But as Gartner analyst Richard Mogull points out, even though 100 percent security will forever be an illusion, sniffers such as Seiden can help companies protect against the vast majority of would-be hackers who "have only rudimentary skills." Click Here to View Full Article

.Solutions to many of our security problems already exist, so why are we still so vulnerable? Read the article from Queue.

.From New York Times, July 31, 2005

The Sniffer vs. the Cybercrooks
By Gary Rivlin

Sniffers, or professionals who test a computer network's security, must do their best to think like an enterprising cyberthief. Read the article.

.From EduPage, July 29, 2005

Congress Gets Serious About Data Privacy
CNET, 28 July 2005

Ahead of its August recess, Congress moved data-security measures to the top of its agenda, with various House and Senate committees considering three different bills dealing with the protection of sensitive information. The broadest legislation being considered is the Personal Data Privacy and Security Act, which would place new restrictions on how personal information may be used and imposes criminal penalties for those found to have violated it. The bill would limit the sale and publication of Social Security numbers, require notification of consumers in the event their personal data is compromised, and restrict the authority of the states in writing their own regulations for data protection. Other bills working their way through the Senate include similar requirements that consumers be notified of data breaches, but they only include civil penalties. The other measures, including one passed by the Senate Commerce Committee, place oversight and enforcement authority with the Federal Trade Commission (FTC). Critics of the proposed legislation argue that it is being rushed through without proper discussion. http://news.com.com/2100-7348_3-5808894.html.

.From ACM's TechNews, July 27, 2005

"Two Professors Go Fishing for Phishers"
San Francisco Chronicle (07/25/05) P. E1; Kirby, Carrie

Stanford computer science professors John Mitchell and Dan Boneh are leading a team developing anti-phishing tools designed to help email users avoid bogus Web sites and prevent crooks from stealing other people's passwords. The SpoofGuard software plug-in the team created last year examines each site visited by users for signs of phoniness, and alerts them if it spots anything suspicious. A second plug-in, PwdHash (password hash), scrambles the password typed into a site and creates a unique sign-on for each visited site; should a user sign on to a spoofed version of a legitimate site and be fooled into typing in his password, PwdHash will prevent the phishers from acquiring the same password the authentic site got. In addition, PwdHash addresses users' tendency to employ the same password at many different sites, which means thieves' attempts to log on to as many sites as they can with a PwdHash-scrambled password will fail. PwdHash will be unveiled at a Baltimore security conference next week, while Boneh expects to release a third tool, the SpyBlock Trojan horse key-logging software deterrent, in six months. The tools are freely available as browser plug-ins on the Stanford Web site, although the researchers would prefer that such solutions be embedded within the major browsers. Click Here to View Full Article

.From EduPage, July 25, 2005

Software Hides Passwords From Phishers
San Jose Mercury News, 25 July 2005

Two professors at Stanford University are set to unveil software designed to foil phishers by scrambling passwords entered into Web sites. John Mitchell and Dan Boneh developed the software, called PwdHash, to deal with the growing problem of Web sites that lure computer users into disclosing personal information. The software creates a unique password for each Web site a user visits. If the user goes to a bogus version of a legitimate Web site, the software creates a separate password, leaving the operator of the bogus site with a password that will not work at the real site. Previously, the pair of professors have written software that tries to identify fraudulent Web sites and notifies the user when such a site is suspected. http://www.siliconvalley.com/mld/siliconvalley/12218576.htm
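The two items above describe the same idea: the password the user types is never sent as-is, but is combined with the site's identity so that each site receives its own derived password. The example below is an added illustration written for this page, not the PwdHash code from the Stanford project. It assumes HMAC-SHA256 keyed with the master password over the lowercase hostname (PwdHash itself used a different construction and further domain normalization), and the hostnames and master password are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the lowercase hostname that keys the derivation.

    Assumption of this added example: the whole hostname is used.
    PwdHash itself applies further domain normalization not reproduced here.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def derive_site_password(master_password: str, url: str, length: int = 16) -> str:
    """Return a per-site password derived from the master password and the site.

    HMAC-SHA256 keyed with the master password over the site key (an assumption
    of this example, not the original tool's construction). The digest is
    base64-encoded and trimmed to `length` characters so it fits a password field.
    """
    digest = hmac.new(master_password.encode("utf-8"),
                      site_key(url).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def phish_gets_usable_password(master_password: str, real_url: str, spoof_url: str) -> bool:
    """True if the value typed at spoof_url would also log in at real_url."""
    return (derive_site_password(master_password, real_url)
            == derive_site_password(master_password, spoof_url))


if __name__ == "__main__":
    master = "correct horse battery staple"               # constructed sample secret
    real = "https://bank.example/login"                   # constructed hostnames
    spoof = "https://bank.example.login-check.test/login"
    other = "https://mail.example/"
    print("real site  :", derive_site_password(master, real))
    print("spoof site :", derive_site_password(master, spoof))
    print("other site :", derive_site_password(master, other))
    print("spoof reusable at real site:", phish_gets_usable_password(master, real, spoof))
```

The same master password at a spoofed host yields a different string, so whatever the phisher captures does not open the real account; and because each hostname produces its own output, reusing one master password across sites no longer exposes every site when one of them is breached. Note that the derivation only helps if the browser, not the page's own script, computes it, which is why the plug-in form matters.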

CU Computers Hacked
The Denver Channel, 22 July 2005

Officials at the University of Colorado said hackers gained access to two servers at the university, possibly exposing personal information on nearly 43,000 students and employees of the institution. One server, at the College of Architecture, contained data on 900 individuals; the other, at the university's health center, included information for another 42,000 people. The servers included names, Social Security numbers, addresses, and dates of birth, according to the university, but neither included credit card information. Still, university officials are advising those affected to monitor their credit reports for suspicious activity, and the university has set up a Web site and a hot line to answer questions. Investigators looking into the situation said that one hacker came through a server in France, while the other came through a server in Eastern Europe. University officials have no information so far that any of the personal data on the servers has been misused. http://www.thedenverchannel.com/technology/4757407/detail.html

Paying Hackers For Bugs
CNET, 24 July 2005

Computer-security firm TippingPoint has begun a program to pay rewards to individuals who report computer vulnerabilities. Not unlike similar programs from other companies, the TippingPoint deal offers a variable amount of money if a reported bug proves valid. The company will use the information to update its own protection software and will notify the maker of the vulnerable product about the problem. David Endler, director of security research at TippingPoint, said the reward program is intended to "reward and encourage independent security research" and to "ensure responsible disclosure of vulnerabilities." Not all security companies believe in bounties. Internet Security Systems, for one, said that paying for such bug reports amounts to having hackers do a company's research for it. An official from Internet Security Systems also noted that the bugs reported in such programs are typically very low-level problems, saying that the more extreme vulnerabilities are worth much more when used for hacking than if turned in to security companies. http://news.com.com/2100-7350_3-5802411.html

Hackers Finding New Targets
Wall Street Journal, 25 July 2005

According to a new report from the SANS Institute, the number of computer hacking incidents is rising, and the targets of such hacks are increasingly software applications rather than operating systems. The organization found that the number of vulnerabilities reported was up 11 percent from the first quarter of the year to the second, and up nearly 20 percent from a year earlier. Alan Paller, SANS's research director, said the situation is getting worse. As operating systems become more secure, hackers are turning to applications, such as Apple's iTunes and RealNetworks's RealPlayer. Hackers are also focusing efforts on backup systems, particularly those of Computer Associates and Veritas Software. Because backup systems typically contain vast amounts of confidential corporate data, they represent an attractive target. SANS noted that the best way to avoid such hacking threats is to install all software patches, keep antivirus tools up to date, and be prudent in opening e-mail attachments. (sub. req'd) http://online.wsj.com/article/0,,SB112224497897894400,00.html

.From ACM's TechNews, July 25, 2005

"Retracing Spam Steps Could Halt Mass Emails"
New Scientist (07/22/05); Knight, Will

A team of researchers from IBM and Cornell University has devised SMTP Path Analysis, a method that traces an email's Internet route by examining Simple Mail Transfer Protocol (SMTP) data embedded within the message's concealed "header," and determines from this information whether the message is spam or authentic. The algorithm at the heart of SMTP Path Analysis "learns" by studying the chain of Internet Protocol addresses in both spam and legitimate email headers, which enables it to ascertain fairly accurately whether a new incoming email is genuine or junk. Barry Leiba with IBM's Thomas J. Watson Research Center says the algorithm cannot efficiently identify spam by itself, but is effective when it operates in conjunction with content filters; moreover, it can spot material that content filters cannot. The researchers developed a second algorithm to assess the plausibility of the route an email claims to have followed as a countermeasure to spammers' ability to forge the address of the mail server used to send the message out. Microsoft anti-spam researcher Joshua Goodman says spammers should have a hard time inventing a workaround to SMTP Path Analysis, since the technique uses IP information derived from multiple sources. The SMTP Path Analysis software was unveiled at the Second Conference on Email and Anti-Spam on July 22. Other anti-spam proposals suggested by industry groups include having email servers furnish cryptographic keys so that messages can be confirmed upon their arrival in an in-box. Click Here to View Full Article
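To make the two parts of the summary concrete (a learner over the IP chain in Received headers, plus a plausibility check on the claimed route), here is an added example written for this page. It is not the IBM/Cornell code. It assumes a simplified Received-header grammar ("from <name> (<rdns> [<ip>]) by <host>"), learns per-/24-prefix spam and ham counts, and treats a route as plausible only when each relay's "by" name matches the next hop's "from" name; the messages and addresses are constructed samples.

```python
import math
import re
from collections import defaultdict

# Matches "from <helo> (<rdns> [<ip>]) by <host>" once a header is unfolded.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s()]+\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold(raw_headers: str) -> list:
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw_headers: str) -> list:
    """Return (helo, ip, by) per Received header, oldest hop first.

    Each relay prepends its own Received line, so file order is newest first.
    """
    hops = []
    for line in unfold(raw_headers):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append((m.group("helo").lower(), m.group("ip"), m.group("by").lower()))
    return list(reversed(hops))


def route_is_plausible(hops: list) -> bool:
    """Each hop must have been received by the host the next hop claims to come from.

    Simplification of this example: "by" of hop i must equal "from" of hop i+1.
    A Received line forged by the sender breaks the chain at that point.
    """
    return all(hops[i][2] == hops[i + 1][0] for i in range(len(hops) - 1))


def prefix24(ip: str) -> str:
    return ".".join(ip.split(".")[:3])


class PathClassifier:
    """Learns which /24 prefixes appear in spam paths versus legitimate paths."""

    def __init__(self):
        self.spam = defaultdict(int)
        self.ham = defaultdict(int)
        self.n_spam = 0
        self.n_ham = 0

    def train(self, raw_headers: str, is_spam: bool) -> None:
        counts = self.spam if is_spam else self.ham
        for _helo, ip, _by in received_hops(raw_headers):
            counts[prefix24(ip)] += 1
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def score(self, raw_headers: str) -> float:
        """Sum of per-hop log-odds; positive is spam-like. Laplace smoothing keeps
        prefixes never seen in training from dominating the score."""
        total = 0.0
        for _helo, ip, _by in received_hops(raw_headers):
            p = prefix24(ip)
            p_spam = (self.spam[p] + 1) / (self.n_spam + 2)
            p_ham = (self.ham[p] + 1) / (self.n_ham + 2)
            total += math.log(p_spam / p_ham)
        return total


# Constructed sample messages (documentation address ranges, invented hostnames).
HAM_MSG = """Received: from mx.corp.example (mx.corp.example [192.0.2.10]) by inbox.example with ESMTP
Received: from workstation.corp.example (workstation.corp.example [192.0.2.55])
    by mx.corp.example with ESMTP
"""
SPAM_MSG = """Received: from relay.isp.example (relay.isp.example [198.51.100.7]) by inbox.example with ESMTP
Received: from zombie.home.example (unknown [203.0.113.44]) by relay.isp.example with SMTP
"""
# Bottom Received line was written by the sender to claim an origin inside bank.example.
FORGED_MSG = """Received: from relay.isp.example (relay.isp.example [198.51.100.7]) by inbox.example with ESMTP
Received: from mail.bank.example (unknown [203.0.113.91]) by relay.isp.example with SMTP
Received: from forged.internal (forged.internal [10.0.0.5]) by mx.bank.example with ESMTP
"""
NEW_MSG = """Received: from relay.isp.example (relay.isp.example [198.51.100.7]) by inbox.example with ESMTP
Received: from other.home.example (unknown [203.0.113.200]) by relay.isp.example with SMTP
"""

if __name__ == "__main__":
    clf = PathClassifier()
    clf.train(HAM_MSG, is_spam=False)
    clf.train(SPAM_MSG, is_spam=True)
    print("new message score:", round(clf.score(NEW_MSG), 3))
    print("forged route plausible:", route_is_plausible(received_hops(FORGED_MSG)))
```

The classifier alone only says "looks like paths we have seen in spam", which is why the summary pairs it with content filters; the plausibility check catches the separate trick of prepending a fake origin line, which a prefix model would happily score as legitimate. Real deployments would also compare reverse DNS and tolerate the HELO-name variation seen in practice, which this example does not.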

"May I Have Your Identification, Please?"
SiliconValley.com (07/25/05); Lee, Dan

Several email authentication technologies will go before the Internet Engineering Task Force as candidates for an industry standard. DomainKeys Identified Mail (DKIM) is a joint venture between Yahoo! and Cisco Systems that marries the former's DomainKeys and the latter's Internet Identified Mail into a technology that enables a sender's company or service provider's mail service to assign scrambled digital signatures to outgoing emails that verify the address; the recipient confirms the address by checking that the sender has been registered as genuine through the domain name system. Meanwhile, the Microsoft-backed Sender ID specification checks the numerical IP address of the server sending the email against a published list of servers authorized to send messages by the domain owner. DKIM has experienced difficulty in recognizing messages that are part of email lists employed in discussion groups that may modify a message, while Sender ID cannot always identify email forwarded from one address to another. Experts classify an effective email authentication standard as one that is adopted by a large portion of the world's email senders, and Gartner analyst Arabella Hallawell believes DKIM will emerge as the leading standard because it faces fewer technical problems than Sender ID. However, Yahoo!, Cisco, and Microsoft each expect both technologies to find use. EarthLink's Tripp Cox says the level of industry collaboration surrounding these technologies is "unprecedented." "If we're going to make an impact on spam, it's crucial that the vast majority of Internet senders and receivers implement the technology," he argues. Click Here to View Full Article
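The Sender ID half of the summary, and the forwarding problem it mentions, can be shown with a few lines. This is an added example for this page, not code from Microsoft's Sender ID implementation: it assumes the domain owner's published list of authorized networks is available as a local table (standing in for the DNS lookup), and that a receiver only ever sees the IP address of the host that connected to it, so a plain forward presents the forwarder's address rather than the origin's. Domains and addresses are constructed.

```python
import ipaddress

# Constructed stand-in for what a domain owner publishes in DNS: the networks
# permitted to send mail that purports to come from that domain.
AUTHORIZED_SENDERS = {
    "bank.example": ["192.0.2.0/24", "198.51.100.7/32"],
}


def sender_id_check(purported_domain: str, connecting_ip: str) -> str:
    """Return "pass", "fail", or "none" when the domain publishes no list."""
    networks = AUTHORIZED_SENDERS.get(purported_domain.lower())
    if networks is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in networks) else "fail"


def check_delivery(purported_domain: str, path: list) -> str:
    """path lists the IPs the message passed through, origin first.

    The final receiver can only test the last hop, the host that connected to it.
    """
    return sender_id_check(purported_domain, path[-1])


if __name__ == "__main__":
    direct = ["192.0.2.10"]                    # bank's own server to recipient
    spoofed = ["203.0.113.44"]                 # zombie claiming to be the bank
    forwarded = ["192.0.2.10", "203.0.113.9"]  # bank to a forwarder to recipient
    for name, path in [("direct", direct), ("spoofed", spoofed), ("forwarded", forwarded)]:
        print(f"{name:9s} -> {check_delivery('bank.example', path)}")
```

The spoofed message fails, as intended, but so does the legitimately forwarded one, because the forwarder's address is not on the bank's list. That is the limitation the article attributes to Sender ID, and it is the reason a signature carried inside the message (the DKIM approach) survives forwarding where an IP check does not.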

.From EduPage, July 22, 2005

National Cybersecurity Test Scheduled
ZDNet, 22 July 2005

The Department of Homeland Security's National Cyber Security division plans a test of the nation's cybersecurity incident response capabilities with an exercise scheduled for November 2005 called Cyber Storm. The announcement came in written testimony by Acting Director Andy Purdy before a Senate subcommittee earlier this week. http://news.zdnet.com/2100-1009_22-5799876.html

"Information Security With Colin Percival"
O'Reilly ONLamp (07/21/2005); Lucas, Michael W.

In a recent interview, Simon Fraser University visiting researcher Colin Percival described his research on information security, which deals with the security threat posed by hyperthreading. He demonstrated how this technique can be used to exploit vulnerabilities in a system by a hacker who simply needs to run code concurrently with the program he is trying to spy on. Percival found a fundamental vulnerability in Intel's design that allowed him to penetrate the system, raising considerable concern in the security community; in response, Microsoft and Intel were reluctant to acknowledge the security breach, and have been slow to develop patches. Some critics maintain that Percival's exploitation is largely theoretical, though he claims that it is a very real threat. Percival believes that in the future, the task of sifting through source code in search of security errors will be handled by programs, instead of people. Percival's research, published in a paper entitled "Cache Missing for Fun and Profit," proved the existence of a covert channel running between threads on the same processor core, and demonstrated how it could be used as a side channel, as well as offering solutions on how to guard against it. Percival developed his research while working on his doctoral degree and serving as a deputy security officer for FreeBSD. He has also written an open-source, downloadable security tool called FreeBSD Update that enables users to download and install security updates with little complication, addressing what he believes to be the central obstacle to the adoption of new security tools. Click Here to View Full Article

"Call for Homeland Security Cybersecurity Improvements"
IDG News Service (07/19/05); Gross, Grant

The U.S. Department of Homeland Security (DHS) does not have recovery plans in case of a widespread Internet attack, Government Accountability Office IT management director David Powner said yesterday, speaking before the Senate Homeland Security and Governmental Affairs Committee. Powner told lawmakers that DHS must implement an Internet recovery plan and a national cybersecurity threat assessment to better protect U.S. cybersecurity. Powner also said the GAO believes DHS must develop better relationships with state and local governments, private industry, and other federal agencies to counter cyber threats. Powner said that although DHS is making progress, "large portions of our critical infrastructure are unprepared to effectively handle a cybersecurity attack." Sen. Tom Coburn (R-Okla.) agreed with Powner and called for better coordinated cybersecurity prevention and recovery techniques. Meanwhile, DHS National Cyber Security Division acting director Andy Purdy asserted that the agency is implementing several plans to boost cybersecurity and decrease vulnerability. Sen. Thomas Carper (D-Del.) said DHS must put a higher priority on cyber security issues, cautioning that a joint physical and cyber attack could cripple response efforts. He said, "Cybersecurity plays an important role in the protection of our critical infrastructure." Click Here to View Full Article

.From ACM's TechNews, July 20, 2005

"Corrupted PC's Discover a Home: The Dumpster"
New York Times (07/17/05) P. 13; Richtel, Matt; Markoff, John

When faced with the contamination of their PCs by malware and other unwanted programs, many owners are opting to toss their infected machines and replace them with uncorrupted models, rather than go to the trouble of repairing them. Pew Internet and American Life Project director Lee Rainie characterizes such a response as entirely reasonable, given the incessant flood of malicious software, adware, spyware, defective programs, diminishing performance, and system crashes. In addition, Rainie says the threat of system corruption is escalating, and that "the arms race seems to have tilted toward the bad guys." Symantec's Vincent Weafer estimates that the ranks of computer viruses have swelled by more than 100 percent in the last six months alone, while adware and spyware programs have increased by approximately 400 percent; Symantec executives partly attribute this development to the growth of high-speed Internet access. Especially worrying is malware that can conceal itself from cleansing and removal programs, which makes the scrubbing of corrupted PCs a more complicated and often manual task, according to Weafer. Yale computer science professor David Gelernter says the software industry is chiefly responsible for this lamentable state of affairs, and points out that people are less and less willing to clean their PCs. Meanwhile, anti-infection tools such as firewalls, antivirus programs, and spyware-removal software are far from 100 percent effective. Some users, after acquiring new systems, are modifying their behavior to lessen the chances of PC corruption; for instance, San Francisco physician Terrelea Wong refuses to loan her computer out to friends, because she suspects her old system became infected through indiscriminate use of the Internet by her and her friends. Click Here to View Full Article

"Between Phishers and the Deep Blue Sea"
CNet (07/18/05); Kawamoto, Dawn

Hackers are often based in India, Korea, or China, with differing time zones and language barriers increasing the difficulty facing security enforcement agencies in the United States. The most prevalent cyberattacks are carried out by a network of zombies, or compromised computers that are remotely controlled without notification to the computer's owner. Currently, China is home to 21 percent of new zombies with the United States at 17 percent and South Korea at 6.8 percent, according to CipherTrust. Hackers overseas are carrying out attacks due to a high prevalence of broadband in China and South Korea but a lack o