Spam and Related Technologies Blog

This site has been created to log references to spam and related technology issues.
If you have any suggested additions, please contact me.



.From New York Times, October 23, 2005

Colleges Protest Call to Upgrade Online Systems
By Sam Dillon And Stephen Labaton

A federal order aimed at facilitating court-ordered monitoring of Internet activity could cost colleges and universities billions, opponents say.

.From ACM's TechNews, October 21, 2005

"Sue Companies, Not Coders"
Wired News (10/20/05); Schneier, Bruce

While some have called for holding individual programmers accountable for security vulnerabilities in the code they write, a more sensible approach would place the responsibility on their employers, writes Counterpane Internet Security CTO Bruce Schneier. The reason is incentive, the same engine that drives all economic activity: if businesses see a financial disincentive in taking the time to ensure that their programs are of the highest quality, they are unlikely to do so. The preponderance of poor software reflects the decision they have made, namely that it is more profitable to suffer an occasional spate of bad publicity and a short-term loss of sales than to invest in extra programmers and a longer time-to-market to ensure consistently secure software. For consumers, proprietary formats, compatibility issues, and software monopolies make it difficult to exercise a conscious preference for secure software, thereby perpetuating the cycle of insecure, poor-quality products. Opening software manufacturers to liability for insecure products would quickly reverse that trend, as they would have to shoulder the full cost of a poor design, which would clearly be to their economic disadvantage. While some of the higher production costs of more secure software would inevitably be passed on to consumers, those costs would be no higher than what consumers already pay for using software rife with vulnerabilities.

"Mother Nature's Storms Postpone DHS' Cyber Storm"
Washington Technology (10/19/05); Dizard III, Wilson P.

Originally scheduled for November 2005, Cyber Storm, the Homeland Security Department's (DHS) exercise simulating a cyberattack on the United States, has been moved to February 2006 because of resource demands and infrastructure damage from the recent Gulf Coast hurricanes, according to DHS' Michelle Petrovich. The delay was requested by the electric utility industry, which wanted more time to repair its networks, said University of Southern California computer scientist Terry Benzel, whose DETER Internet test bed project is part of Cyber Storm. The inter-agency exercise will test the response to a combined attack pairing an Internet-based assault on the financial sector and the power grid with physical attacks.

.From ACM's TechNews, October 17, 2005

"At Microsoft, Interlopers Sound off on Security"
New York Times (10/17/05) P. C1; Markoff, John

Microsoft recently held its second Blue Hat conference, at which a small group of independent security researchers is invited to the company's Redmond, Wash., headquarters to share details of their work exposing vulnerabilities in Microsoft's products. The conference, held last week, comes after a year of intense focus on security that has signaled a clear shift in Microsoft's priorities. The hackers in attendance singled out the way Windows handles peripherals, and the forthcoming Xbox 360, as likely targets for attackers. The Blue Hat gathering marks an about-face in the way Microsoft views the hacker community. The Blaster and Slammer worms fundamentally altered Microsoft's position toward security, as they began to damage the company's stature in the eyes of customers. The white hat hacker community has taken notice of Microsoft's efforts to improve security and has been largely receptive to the software giant's overtures, though many warn that security could be entering a new era with the growing use of mobile devices. Widespread, scattershot attacks such as Blaster are also likely to become a thing of the past, as profit now motivates more precise, targeted attacks rather than Web-wide assaults designed solely to create chaos. Microsoft has adopted fuzzing in its development process, a technique in which tens of thousands of automatically generated input variations are fed to a program in search of flaws. According to company officials, Microsoft has significantly reduced the number of security bulletins it has issued in the last few years.
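The fuzzing sentence above is the only technical detail in the summary, so here is a small mutation-based fuzzer as an added example; it is not Microsoft's tooling or code from the article. The record format, the deliberately flawed decoder, its bounds-checked replacement, and the seed corpus are all constructed for the example. The flawed parser trusts its count and length fields, which is the class of bug fuzzing finds cheaply; running the same harness against the fixed parser shows how a fuzzer doubles as a regression test for the fix.

```python
import random
from typing import Callable, Dict, List


class ParseError(Exception):
    """The only exception parse_record is supposed to raise on bad input."""


def build_record(fields: List[bytes]) -> bytes:
    """Encode fields as: count(1) | {len(2, big-endian) | payload}*count | checksum(1)."""
    body = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return bytes([len(fields)]) + body + bytes([sum(body) & 0xFF])


def parse_record(buf: bytes) -> List[bytes]:
    """Deliberately flawed decoder (constructed): it trusts the count and length
    fields without checking that they fit in the buffer, so truncated or
    length-inflated input reads past the end and raises IndexError."""
    if len(buf) < 2:
        raise ParseError("too short")
    count, pos, fields = buf[0], 1, []
    for _ in range(count):
        length = (buf[pos] << 8) | buf[pos + 1]   # IndexError if truncated here
        pos += 2
        fields.append(buf[pos:pos + length])      # slicing silently truncates...
        pos += length
    if buf[pos] != sum(buf[1:pos]) & 0xFF:        # ...and this read then overruns
        raise ParseError("bad checksum")
    return fields


def parse_record_fixed(buf: bytes) -> List[bytes]:
    """Same format, with every field bounds-checked before it is read."""
    if len(buf) < 2:
        raise ParseError("too short")
    count, pos, fields = buf[0], 1, []
    for _ in range(count):
        if pos + 2 > len(buf):
            raise ParseError("truncated length field")
        length = int.from_bytes(buf[pos:pos + 2], "big")
        pos += 2
        if pos + length > len(buf):
            raise ParseError("payload overruns buffer")
        fields.append(buf[pos:pos + length])
        pos += length
    if pos >= len(buf):
        raise ParseError("missing checksum")
    if buf[pos] != sum(buf[1:pos]) & 0xFF:
        raise ParseError("bad checksum")
    return fields


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of the kinds a mutation-based fuzzer typically applies."""
    out = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and out:                       # flip a single bit
        i = rng.randrange(len(out))
        out[i] ^= 1 << rng.randrange(8)
    elif op == 1 and out:                     # overwrite with a boundary value
        out[rng.randrange(len(out))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and len(out) > 1:            # delete a byte, shifting later fields
        del out[rng.randrange(len(out))]
    elif op == 3:                             # insert a random byte
        out.insert(rng.randrange(len(out) + 1), rng.randrange(256))
    elif out:                                 # truncate the tail
        del out[rng.randrange(len(out)):]
    return bytes(out)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int, seed: int = 1234) -> Dict[str, bytes]:
    """Mutate seed inputs and run `target` on each; return the first input that
    provoked each distinct unexpected exception (keyed by type and message).
    ParseError is the parser's documented rejection and does not count."""
    rng = random.Random(seed)                # fixed seed keeps the run reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = rng.choice(seeds)
        for _ in range(rng.randint(1, 3)):   # stack a few mutations
            candidate = mutate(candidate, rng)
        try:
            target(candidate)
        except ParseError:
            continue
        except Exception as exc:             # anything else is a bug in the parser
            crashes.setdefault(f"{type(exc).__name__}: {exc}", candidate)
    return crashes


def demo() -> Dict[str, Dict[str, bytes]]:
    seeds = [build_record([b"user", b"s3cret"]), build_record([])]   # constructed corpus
    return {"flawed": fuzz(parse_record, seeds, 2000),
            "fixed": fuzz(parse_record_fixed, seeds, 2000)}


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {len(found)} distinct crash(es)")
        for key, repro in found.items():
            print(f"  {key}  reproducer={repro.hex()}")
```

The harness keeps one reproducer per distinct exception rather than every crashing input, which is what you want when triaging: the flawed parser produces IndexError reproducers within a few hundred iterations, and the bounds-checked version produces none over the same corpus and seed.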

"US Still World's Top Spammer"
IDG News Service (10/13/05); McMillan, Robert

In a recent report, security vendor Sophos determined that about 26 percent of worldwide spam originated within the United States, down from 42 percent in 2004. The drop, according to Sophos senior technology consultant Graham Cluley, reflects more effective prevention by ISPs and the work of antispam task forces. Meanwhile, spammers are focusing on the growing number of broadband connections in South Korea and China: spam originating in South Korea rose 8 percent from 2004 to 2005 and spam from China rose 7 percent, says Cluley, who notes that the total volume of spam stayed the same between the two years. Spamhaus Project volunteer John Reid asserts that one way to cut spam significantly is for ISPs to block port 25, the standard SMTP port, for nearly all of their users so that customer machines cannot act as mail servers. Reid believes the policy would not affect the vast majority of non-spammers and points to earlier Canadian deployments as evidence that the approach works.
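Reid's port-25 proposal is usually implemented as an egress rule at the ISP border: dynamic-pool customers may reach only the ISP's own relay on TCP/25, business customers with their own mail servers are exempt, and the authenticated submission port 587 stays open so mobile users can still send through a remote provider. The following is an added example, not code from Spamhaus or the article: the address pools, relay address, and flow records are constructed (RFC 5737 documentation ranges), and the policy is expressed once as a classifier for exported flow records and once as the equivalent iptables forwarding rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addressing for the example, drawn from the RFC 5737 documentation
# ranges; a real deployment substitutes its own customer pools and relay.
DYNAMIC_POOLS = [ipaddress.ip_network("192.0.2.0/24")]     # residential / dynamic customers
STATIC_POOLS = [ipaddress.ip_network("198.51.100.0/24")]   # business customers with their own MTAs
ISP_RELAY = ipaddress.ip_address("203.0.113.25")           # the ISP's outbound mail relay
SMTP_PORT = 25          # server-to-server mail delivery
SUBMISSION_PORT = 587   # authenticated client submission (RFC 4409); left open


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def decide(flow: Flow) -> Tuple[str, str]:
    """Verdict and reason for one outbound flow under the port-25 policy."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if flow.proto != "tcp" or flow.dport != SMTP_PORT:
        return "allow", "not SMTP delivery"           # 587 submission passes here
    if dst == ISP_RELAY:
        return "allow", "to ISP relay"
    if in_any(src, STATIC_POOLS):
        return "allow", "static customer, exempt"
    if in_any(src, DYNAMIC_POOLS):
        return "block", "direct-to-MX from dynamic pool"
    return "allow", "not a customer address"


def apply_policy(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    return [(f, *decide(f)) for f in flows]


def iptables_rules() -> List[str]:
    """The same policy as forwarding-chain rules on the ISP's border router:
    ACCEPT traffic to the relay first, then REJECT everything else on 25."""
    rules = []
    for net in DYNAMIC_POOLS:
        rules.append(f"iptables -A FORWARD -s {net} -d {ISP_RELAY} "
                     f"-p tcp --dport {SMTP_PORT} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {net} -p tcp --dport {SMTP_PORT} "
                     f"-j REJECT --reject-with tcp-reset")
    return rules


# Constructed flow records, as a border router might export them.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.25", 25),        # home PC -> ISP relay: fine
    Flow("192.0.2.10", "203.0.113.80", 25),        # home PC -> remote MX directly: the spam-bot pattern
    Flow("192.0.2.11", "203.0.113.80", 587),       # home PC -> remote submission port: allowed
    Flow("198.51.100.5", "203.0.113.80", 25),      # business customer's own mail server: exempt
    Flow("192.0.2.12", "203.0.113.80", 80),        # web browsing: untouched
    Flow("192.0.2.12", "203.0.113.53", 53, "udp"), # DNS: untouched
]


def blocked_count(flows=SAMPLE_FLOWS) -> int:
    return sum(1 for _, verdict, _ in apply_policy(flows) if verdict == "block")


if __name__ == "__main__":
    for flow, verdict, reason in apply_policy(SAMPLE_FLOWS):
        print(f"{flow.src:>14} -> {flow.dst}:{flow.dport:<4} {verdict:5} ({reason})")
    print("\n".join(iptables_rules()))
```

REJECT with a TCP reset, rather than DROP, is deliberate: a legitimate customer whose mail client is misconfigured for port 25 gets an immediate connection failure instead of a timeout, which makes the policy far easier to support at the help desk.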

.From ACM's TechNews, October 14, 2005

"Developers 'Should Be Accountable' for Security Holes"
ZDNet UK (10/12/05); Espiner, Tom

Former White House cybersecurity advisor Howard Schmidt and the British Computer Society (BCS) disagreed at Secure London 2005 over who should be accountable for the security of code. Schmidt said software developers should be held accountable for the code they write, while the BCS said companies, rather than their developers, should bear the responsibility. "I know a lot of developers who would be very uncomfortable with that level of accountability, especially if that were legal accountability," says a BCS spokesperson. The spokesperson also noted that code is not static and can be altered after it has been purchased, that attacks often succeed because the latest patch or system has not been installed, and that buyers should ask whether a vendor uses its own security products. Schmidt, now president and chief executive of R&H Security Consulting, believes many software developers lack the skills to write secure code and need better training. "Most university courses traditionally focused on usability, scalability, and manageability, not security," he said. He also cited a Microsoft survey in which 64 percent of software developers said they lacked confidence in their ability to write secure applications.

.From ACM's TechNews, October 7, 2005

"Nematodes: The Making of 'Beneficial' Network Worms"
eWeek (10/05/05); Naraine, Ryan

At the recent Hack In The Box event in Malaysia, security researcher Dave Aitel demonstrated a "Nematode" framework for creating benign computer worms that he believes organizations will employ to reduce the cost of network security. "With this [Nematode] concept, you can take advantage of automating technologies to get protection for pennies on the dollar," he said. Aitel said nematodes, or nonmalicious worms, can be generated automatically from available vulnerability data, and he envisions a time when ISPs, large companies, and government organizations deploy "strictly controlled" nematodes to make security more cost-efficient. His design relies on servers called "Nematokens," which respond only to requests from networks cleared for such activity, and on the Nematode Intermediate Language (NIL), a programming language for writing the worms; with NIL, existing exploits can be converted into nematodes quickly and simply. Before his current position at the security firm Immunity, Aitel worked as a computer scientist at the National Security Agency and then as a code-breaker for @Stake. Commercial technology that lets networks protect themselves automatically will be available within five years, Aitel reckons.

"The Sky Really Is Falling"
CIO (10/01/05) Vol. 19, No. 1, P. 80; Worthen, Ben

Ed Lazowska, co-chairman of the President's Information Technology Advisory Committee (PITAC), says inaction is the order of the day among government, CIOs, and vendors where cybersecurity is concerned. He accuses the Bush administration of undervaluing science, engineering, education, and research, and warns that CIOs will not get the cybersecurity products they badly need unless they both pressure the government and pay for cutting-edge products as a demonstration of their commitment. Lazowska says an attack on the nation's IT infrastructure could have serious consequences for its critical infrastructure, and that the military's dependence on commercial vendors for most of its hardware and software makes it highly vulnerable to cyberattack as well. He cites a PITAC study that singles out three federal agencies for deplorable cybersecurity funding: the Homeland Security Department, which commits a mere $18 million of its roughly $1 billion annual science and technology budget to cybersecurity; the Defense Advanced Research Projects Agency, whose investment in mainly classified cybersecurity programs shuts out premier academic researchers and yields products of little immediate value to commercial IT systems; and the National Science Foundation, which could fund only a small portion of its Cyber Trust program. Lazowska says current cybersecurity efforts amount to "Band-Aid" solutions, when what is needed are new system architectures with long-term applications, static and dynamic vulnerability detection tools, programming languages with basic security functionality built in, and methods for building trusted software systems from diverse components.

.From EduPage, October 5, 2005

Research Project Will Track Network Attacks
Chronicle of Higher Education, 4 October 2005 (sub. req'd)

A research project will collect regular snapshots of computer networks from as many as 10 colleges and universities in an effort to improve protections from and responses to Internet attacks. The Information Security in Academic Institutions project, an initiative of the Columbia University Teachers College, uses monitoring technology called DShield and has already been tested at three institutions. The other institutions in the project have yet to be named, and the system may eventually be widely available. The system will give network administrators data about the state of networks, allowing them to gain a better understanding of Internet attacks by comparing data from before, during, and after an attack. Steffani A. Burd, executive director of the project, described it as "a 360-degree view of what's going on." The system will also pool data collected from participating institutions and make it available anonymously on the Web. This aggregation of data will allow a comparison between activity on the Internet generally and what's happening at campuses. http://chronicle.com/daily/2005/10/2005100401t.htm

California Passes Anti-Phishing Law
InformationWeek, 3 October 2005

A tough new anti-phishing law makes California the first state to pass legislation targeting that particular brand of online scam. The Anti-Phishing Act of 2005 makes it a crime to use "the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business." Identifying information includes Social Security numbers, credit card numbers, passwords, PINs, and other information that can be used to steal from individuals. Those found guilty of phishing are subject to fines of $2,500 per violation, as well as damages to victims of either actual losses or $500,000, whichever is greater. http://informationweek.com/story/showArticle.jhtml?articleID=171202672

FTC Sues For Alleged Spyware
MSNBC, 5 October 2005

The Federal Trade Commission (FTC) has sued Odysseus Marketing, accusing the company of distributing spyware. Odysseus distributed an application called Kazanon, which supposedly allowed users to trade files anonymously, without fear of being identified by record companies. According to the FTC, users who downloaded the application also got a range of adware programs that fed advertisements to their computers and added items to the search results pages of popular search engines, including Google and Yahoo. The added items, which were indistinguishable from those supplied by the search engine, directed users to companies that paid Odysseus for the placement. Further, the software offered users no simple way to uninstall it. Walter Rines, owner of Odysseus, disputed all of the FTC's claims. He noted that the user agreement informs consumers of what will be installed when they download the Kazanon program. He also said an uninstall tool is available and that his company's software did not remove any search results but merely added to the list. Rines also said the lawsuit was "moot" because his company stopped distributing adware several weeks ago. http://msnbc.msn.com/id/9598897/

.From ACM's TechNews, October 5, 2005

"Text Hackers Could Jam Cellphones, a Study Says"
New York Times (10/05/05) P. C1; Schwartz, John

Metropolitan cell phone networks could be crippled by attackers who launch denial-of-service attacks through the phones' Internet-accessible text-messaging services, according to a study from Pennsylvania State University researchers. The study's lead researcher, computer science and engineering professor Patrick McDaniel, says an attacker could block voice calls by clogging the control channel used to set up calls with text messages. McDaniel and colleagues say they validated the feasibility of the scenario by demonstrating it on a small scale with their own phones, and their findings were corroborated by government regulators and phone company engineers. Cellular companies insist they have deterrents in place, though experts such as Cigital CTO Gary McGraw expect the fixes to be inelegant. The Penn State report notes that severing the link between the short message service and its Internet gateways is impractical, but suggests that restricting the volume of message traffic fed into the network from those gateways would add security. Separating voice and data in next-generation phones, so that a flood of messages cannot block voice calls, is another recommendation of the paper, which will be posted online and presented at the 12th ACM Conference on Computer and Communications Security (CCS'05) in November. Aviel D. Rubin, technical director of Johns Hopkins University's Information Security Institute, says, "Anytime a vulnerability in the physical world exists that can be exploited via computer programs running on the Internet, we have a recipe for disaster."
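The mitigation the summary mentions, restricting what the Internet-side gateways feed into the network, is in practice admission control at the gateway. The block below is an added example of one way to do that, not code or figures from the Penn State paper: two token buckets, one per Internet-side sender and one per destination cell sector, each message must pass both, and the rates and burst sizes are assumed values chosen for the demonstration rather than real control-channel capacities. The two traffic scenarios are constructed; the second one shows why the per-sender limit alone is not enough, since many low-rate senders aimed at one sector still add up to the flood the paper describes.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


class TokenBucket:
    """Refill `rate` tokens per second, hold at most `capacity`; one token per message."""
    def __init__(self, rate: float, capacity: float):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0.0

    def take(self, now: float) -> bool:
        # Callers feed messages in non-decreasing time order.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass(frozen=True)
class Message:
    t: float       # arrival time at the gateway, seconds
    src: str       # Internet-side sender identity (web form account, API key, source IP)
    sector: str    # cell sector currently serving the destination handset
    dst: str       # destination number


class SmsGateway:
    """Internet-to-SMS gateway that admits a message only if both the sender and
    the destination sector have capacity. The limits are assumptions for this
    example, not measurements from any real network."""
    def __init__(self, src_rate=0.5, src_burst=3, sector_rate=5.0, sector_burst=10):
        self.cfg = (src_rate, src_burst, sector_rate, sector_burst)
        self.src_buckets: Dict[str, TokenBucket] = {}
        self.sector_buckets: Dict[str, TokenBucket] = {}

    def submit(self, m: Message) -> Tuple[bool, str]:
        src_rate, src_burst, sector_rate, sector_burst = self.cfg
        src_bucket = self.src_buckets.setdefault(m.src, TokenBucket(src_rate, src_burst))
        if not src_bucket.take(m.t):
            return False, "source rate"
        sector_bucket = self.sector_buckets.setdefault(
            m.sector, TokenBucket(sector_rate, sector_burst))
        if not sector_bucket.take(m.t):
            # The sender's token is already spent: a flooder pays for its rejected messages.
            return False, "sector capacity"
        return True, "queued"


def simulate(messages: List[Message], gateway: SmsGateway) -> Dict[str, Counter]:
    accepted, dropped = Counter(), Counter()
    for m in sorted(messages, key=lambda x: x.t):
        ok, why = gateway.submit(m)
        if ok:
            accepted[m.src] += 1
        else:
            dropped[why] += 1
    return {"accepted": accepted, "dropped": dropped}


def scenario_single_flooder() -> Dict[str, Counter]:
    """One Internet source fires 20 msg/s at a sector for 10 s while a normal
    user sends five messages, two seconds apart, into the same sector."""
    flood = [Message(i * 0.05, "flooder", "downtown-A", "5550100") for i in range(200)]
    alice = [Message(t, "alice", "downtown-A", "5550101") for t in (1, 3, 5, 7, 9)]
    return simulate(flood + alice, SmsGateway())


def scenario_bot_burst() -> Dict[str, Counter]:
    """Thirty distinct sources each send three messages at once into one sector:
    every sender stays under its own limit, so only the sector bucket stops the burst."""
    burst = [Message(0.0, f"bot-{n:02d}", "downtown-A", "5550100")
             for n in range(30) for _ in range(3)]
    return simulate(burst, SmsGateway())


if __name__ == "__main__":
    for name, fn in (("single flooder", scenario_single_flooder),
                     ("bot burst", scenario_bot_burst)):
        r = fn()
        print(f"{name}: accepted={dict(r['accepted'])} dropped={dict(r['dropped'])}")
```

With these parameters the single flooder gets at most its burst plus ten seconds of refill (seven messages) through the gateway while the normal user's five all pass, and the thirty-bot burst is cut to the sector's ten-message burst allowance. The sector limit is what actually protects the control channel; the per-sender limit only makes the attacker spread across more identities.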

"Fortifying DOD's Network Defenses"
Federal Computer Week (09/26/05) Vol. 19, No. 33, P. 60; Tiboni, Frank

As attacks on Defense Department (DOD) computer networks increase, Purdue University computer science professor Eugene Spafford calls for a new generation of computer systems and security tools, a project that will require long-term research. In the meantime, Spafford recommends six steps to better protect DOD networks: base security purchases on effectiveness rather than cost; severely limit access to computer systems; remove all unnecessary systems; reduce the number of users who can add hardware and software to the networks; require training and supervision of all network users; and implement network-monitoring practices. Spafford laments that the government is not funding the long-term cybersecurity research needed to design a new and highly effective network security system for federal agencies; most security products protecting federal networks are designed for commercial use, not for protecting highly sensitive data. SANS Institute research director Alan Paller says network security is less about deploying the latest security methods than about anticipating attacks up to 18 months ahead. An anonymous Defense Information Systems Agency official reports that DOD is moving to a service-oriented architecture to ease data sharing among agencies and deliver IT services more effectively, and that the new structure puts the Joint Task Force-Global Network Operations in charge of defending, operating, and maintaining the DOD's information infrastructure. "We have many challenges in synchronizing the many IT efforts and security for [networks] across [the DOD's] vast infrastructure," the official says.

"Are Attackers Winning the Arms Race?"
InfoWorld (09/26/05) Vol. 27, No. 39, P. 22; Grimes, Roger

The severity and speed of malware attacks, as well as the skill of those who orchestrate them, are increasing as hacking becomes more professional and profit-oriented. Forty-nine percent of the 474 respondents to this year's InfoWorld Security Research Report said increasingly sophisticated cyberattacks represent the most serious security challenge their companies will face in the next 12 months, while 57 percent listed viruses as the top network security threat. Respondents reported dealing with an average of 368 intrusion attempts in the preceding 12 months, of which an average of 44 percent succeeded. Malware's formerly static nature is shifting toward a "mothership approach" in which a malicious program, once it has infected a computer, connects to outside servers and downloads new instructions or programs. Attackers are designing worms that assemble bot networks of thousands of hijacked PCs, which are then "rented out" to criminal businesses or organizations. Much present-day malware exploits patched and unpatched vulnerabilities in Web browsers, and the interval between the announcement of a vulnerability and the appearance of an exploit is shrinking. The InfoWorld poll found that anti-spyware software and appliances will see the biggest purchasing increases in the next year. Adoption of intrusion detection and intrusion prevention systems remains strong, and more administrators are enabling those products' blocking functionality.

.From ACM's TechNews, October 3, 2005

"Microrobots Show Promise in IT, Security"
Dartmouth Online (NH) (09/28/05); Beale, Matt

Dartmouth researchers have developed the world's smallest mobile, untethered robot after seven years of effort. The microrobot is a mere one-tenth the thickness of a human hair, crawls like an inchworm, and can be steered without being connected to a power source. The device walks on a grid of electrodes that serves as both power supply and control mechanism, and it has no wheels or joints because they are unworkable at such a tiny scale. The research team was awarded a grant by the Department of Homeland Security's Office of Domestic Preparedness to develop the microrobot for possible security applications such as identity verification and information protection. Dartmouth computer science graduate Igor Paprotny envisions a group of people who each carry a vial of microrobots as a means of identification. "They each spread some on a substrate and enter a PIN or something," he explains. "If we're all who we say we are, the microrobots assemble into a key, or message that, say, gives you the code to activate a nuclear weapon." The microrobot was created through cooperation between Dartmouth's computer science and engineering departments.

"The Global State of Information Security 2005"
CIO (09/15/05) Vol. 18, No. 23, P. 60; Berinato, Scott; Ware, Lorraine Cosgrove

Even as preventive security measures grow more sophisticated, the security industry remains loosely coordinated and decentralized, and struggles continually to keep up with the steady proliferation of threats. A recent study found that many security administrators are indifferent to government compliance regulations and often lax about risk management; only 37 percent said they had an active security strategy in place. Much of the problem is that the daily occurrence of multiple threats keeps administrators scrambling to put out fires, leaving little time to formulate long-term strategies. Though information security remains overwhelmingly reactive, organizations are beginning to pay it more attention, as witnessed by the growing number of executive positions created expressly for security. The results are tangible: the higher the security executive sits in the organization, the better the organization's security rating, and high-level security executives also tend to align security more closely with the direction of the business. Still, companies with high-level security positions are outnumbered by those that have yet to elevate the role. Larger companies have very recently stepped up their monitoring of employees to rein in risky activities such as instant messaging. There is also widespread disregard for the Department of Homeland Security as a leader in cybersecurity. On government regulation there is pervasive ignorance about scope and intent: an alarmingly high number of respondents reported either that regulations do not apply to them or that they are knowingly non-compliant. Though the number of incidents reported held steady, many of those surveyed were unsure of the extent of the damage. Similar uncertainty surrounded the budget reserved for security, and 16 percent did not know whether their security budgets would increase or decrease in the future.

.From ACM's TechNews, September 26, 2005

"Basic Training for Anti-Hackers"
Chronicle of Higher Education (09/23/05) Vol. 52, No. 5, P. A41; Carnevale, Dan

The threat of terrorists penetrating computer networks and wreaking havoc prompted the creation of the Cyber Security Boot Camp, an intense 10-week summer program hosted by the U.S. Air Force and Syracuse University in which participating college students study and practice hacking so that they may learn how to defend against cyberattacks. Air Force Research Laboratory computer engineer Kamal Jabbour says the goal of the program goes far beyond making these cyber-defenders technically proficient: He wants them to become sensitive to the urgency of the threat in order to be decisive in action. Participants take cybersecurity courses that cover cryptography, steganography, network security, wireless security, and digital forensics. Students are required to analyze a security problem and present a solution in a detailed report each week, all the while conforming to a strict writing style. Participants also serve as interns with local companies and organizations in order to be exposed to real-world cybersecurity applications. The boot camp's high-pressure course load is complemented by adherence to stringent rules concerning housing, appearance, and physical fitness, which are laid out in a military regimen. The program climaxes with a hacking contest in which student teams penetrate their opponents' computers to capture virtual flags. Each team is divided into two groups--one dedicated to attack rivals' systems and the other committed to defending their own system.

.From EduPage, September 23, 2005

Congressmen To Ask For Review Of Higher Ed Antipiracy Efforts
Chronicle of Higher Education, 23 September 2005 (sub. req'd)

At a U.S. House of Representatives subcommittee meeting this week, lawmakers, campus officials, and representatives of the movie industry and of a provider of legal download services discussed efforts by U.S. colleges and universities to curtail copyright violations on their networks. Reps. Lamar Smith (R-Tex.) and Howard Berman (D-Calif.) said they will ask the Government Accountability Office to issue a formal report on what effects those efforts have had on student file-trading habits. According to Smith, "We will ask for the report so we can increase the scrutiny and increase the public attention to piracy." Also at the hearing, Norbert Dunkel, director of housing at the University of Florida, described his institution's use of an application called Icarus, which automatically restricts usage of the network for students who connect to P2P services. Dunkel said the tool, which the university developed, has led to a 95 percent reduction in outgoing traffic from the university's network and virtually eliminated notices of copyright infringement. Smith applauded the application, but Daniel Updegrove, vice president for information technology at the University of Texas at Austin, expressed concerns that such a blanket approach to the problem could limit the academic freedom and privacy of students. http://chronicle.com/daily/2005/09/2005092301t.htm

.From ACM's TechNews, September 30, 2005

"Brazilians Blazing Trails With Internet Technology"
Knight-Ridder Wire Services (09/26/05); Chang, Jack

Despite crippling levels of poverty and violence, Brazil is home to some of the world's most innovative technology and plays host to some of its most sophisticated hackers. Brazil often finds itself at the center of international debates over intellectual property rights and private media controls, and though it lacks the infrastructure that some other developing nations have, it has made significant advances in open access technology that place it at the forefront of the Third World. Brazil received a major economic boost when Google acquired the local firm Akwan Information Technologies and opened an office in São Paulo. The gulf between rich and poor remains wide: Brazil's 22 million-plus residents with Internet access rank it in the top 10 worldwide, yet that number represents only 12 percent of the population. Piracy is also a major issue, as roughly 60 percent of the software and 70 percent of the hardware in use in Brazil infringes copyright; Brazil is also a notorious haven for cyber criminals, with an estimated 80 percent of the world's hackers said to be based there. The country's emerging IT industry has reached $10 billion in annual sales. The spirit of unfettered access has led to the widespread adoption of Linux in government and private industry, along with a host of other open-source applications. Throughout Brazil, open access movements seek to provide free Internet connectivity, and a vibrant open-source community draws on innovation from across the country to maintain Web sites, provide tech support, and develop new technologies.

"Anti-Spyware Gets HIP"
IT Architect (09/05) Vol. 20, No. 9, P. 61; Conry-Murray, Andrew

Anti-spyware software is expected to shift from threat-specific technologies to host-based intrusion prevention systems (HIPS) as vendors introduce proactive products that block new and unknown spyware from reaching PCs. Such products are likely to grow more compelling for security architects as spyware development continues without respite and end users keep installing spyware-laden programs despite repeated warnings. Most anti-spyware programs rely on signatures and are effective only against programs already defined in the threat database, while the increasing difficulty of removing spyware once installed makes proactive prevention all the more urgent. Some vendors offer behavior-based detection that can stop spyware from installing on enterprise desktops without signatures, although such products carry the risk of false positives. "The market is warming up to the notion that existing signature-based solutions aren't providing adequate malware prevention," says Finjan's Nick Sears. "Customers are looking to alternative solutions." Other options deliver protection at the network gateway by scanning incoming Web traffic for spyware and adware, preventing spyware already on a PC from connecting to a remote server, and stopping end users from visiting known spyware or adware sites. However, none of the gateway products can protect mobile users outside the corporate network.

"Destructive Power of Mobile Viruses Could Rise Fast, Experts Say"
IDG News Service (09/28/05); Nystedt, Dan

As the interconnectedness central to the dream of the digital home rapidly becomes a reality, a host of security and privacy concerns arises. The same Web cams that alert users to suspicious activity in their homes can be used by burglars to determine whether anyone is home. Internet connectivity is being built into a growing number of devices that do not yet carry the same level of security as PCs. As attacks on traditional computers become less frequent, the added functionality of mobile phones makes them a more attractive target. The number of reported malware threats aimed at mobile devices has grown to 87, up from fewer than 10 at the beginning of last year. Symbian is the world's most popular mobile phone operating system, and its Series 60 platform was the target of 82 of the reported viruses, though analysts are quick to point out that this proportion says more about the platform's popularity than its vulnerability. Faster download speeds raise the risk of a virus infecting and spreading through a mobile phone. The threat to mobile devices is projected to grow as more attackers recognize the potential vulnerabilities and turn their attention away from traditional targets.

.From ACM's TechNews, September 28, 2005

"Lawmaker Doesn't Rule Out Cybersecurity Regulation"
IDG News Service (09/27/05); Gross, Grant

The U.S. government and the private sector have not given cybersecurity adequate emphasis, said Rep. Dan Lungren (R-Calif.), speaking at a Sept. 26 cybersecurity policy forum hosted by Nortel Networks. Although he would prefer that companies patch vulnerabilities voluntarily, Lungren, chairman of the House Economic Security, Infrastructure Protection, and Cybersecurity Subcommittee, did not rule out government cybersecurity regulation, which he nonetheless fears would "stifle the kind of innovation that's available to the private sector to come up with their own fixes." Lungren also said the government must better understand cybersecurity risk, especially as it pertains to the Internet-connected supervisory control and data acquisition (SCADA) systems that run much of the country's critical infrastructure. He urged the government to make a stronger effort to anticipate cyberattacks, particularly those that could cause the worst damage, and to channel its resources into preventing them. Nortel CEO Bill Owens noted at the same forum that the likelihood of cyberattacks will rise as more devices transmit information over Internet Protocol. Andy Purdy, acting director of the Homeland Security Department's National Cybersecurity Division, said his agency is trying to raise the profile of cybersecurity, citing the creation of a new assistant secretary for cybersecurity as a step in the right direction, but he agreed with Lungren that private companies bear a significant share of the responsibility for keeping the Internet safe.

"New Security Proposed for Do-it-All Phones"
CNet (09/27/05); Evers, Joris

The increasing consolidation of functions into mobile phones has placed a premium on safeguarding their security. The Trusted Computing Group (TCG) has developed a hardware-based standard for securing mobile phones that has been backed by industry heavyweights such as Nokia, Motorola, Intel, and Samsung. Addressing security on the hardware level will give users greater confidence in their phones, and the TCG standard would protect data and offer copyright protection for exclusive content. The TCG's plans would support similar features to those offered by the Trusted Platform Module, the chip geared for PCs and servers that enables authentication, secure storage, and protected email. The proposal also contains operational restrictions that would prohibit users from running certain applications on their devices. Mobile phones will become an increasingly tempting target for hackers as their functionality expands, particularly as they start to include credit card payment information, which the TCG standard is expected to address in a future iteration. Meanwhile, the incorporation of digital rights management into a mobile phone security platform has raised the ire of user-rights advocates, who claim that it is an unnecessary restriction of a user's freedom. Despite broad support from major cell phone companies, the fractured nature of the industry makes it unlikely that the new security features will see widespread adoption before 2008. Click Here to View Full Article

.From ACM's TechNews, September 23, 2005

"Name That Worm--Plan Looks to Cut Through Chaos"
CNet (09/22/05); Evers, Joris

Last month, a worm with various names wreaked havoc on Windows 2000 operating systems, abetted by the chaotic and fractured attempts to identify it. To address that issue the CME naming system has emerged, which tags a given piece of malware with a unique identifier. The United States Computer Emergency Readiness Team (US-CERT) says its product will provide a common identifier to help users identify which threat is attacking their system, and notify them if they are protected or not. CME promises to fulfill the longstanding goal of the security industry to agree on a unified system to name viruses and worms; industry participation in CME is voluntary, and will be a key factor in the initiative's success. When multiple security companies create different names for the same outbreak, there is often widespread confusion as to whether or not there is one threat or multiple, related threats. Organizations that use multiple security products from different vendors are often confounded by multiple alerts of the same virus or worm with different names. At first, CME will only issue numbers to major threats, though US-CERT plans eventually to cover all attacks. Regardless of the names security vendors produce, CME will assign an attack with a random number within hours of its discovery, and tag it with its associated characteristics; then security companies are urged to include the CME tag with whatever semantic description they produce, so as to create a commonality that helps users understand the actual scope of the threat. Click Here to View Full Article

"The Next 50 Years of Computer Security: An Interview With Alan Cox"
O'Reilly Network (09/12/05); Dumbill, Edd

EuroOSCON keynote speaker and Linux kernel developer Alan Cox describes computer security as "basic" and "reactive," but starting to show signs of improvement. He says the interim between the discovery of bugs and the launch of exploits has shrunk, and exploits will improve in tandem with software tools; because Linux offers greater security than many competitors, it is less vulnerable to exploits, but Cox says no system--Linux included--provides enough protection. Promising developments Cox points to include a significant uptake in code verification and analysis tools, which helps prevent the introduction of errors within production, and a movement toward in-depth defense through the use of SELinux, no-execute flags in processors and software emulation, and randomization of where objects are located in memory. He notes that SELinux can also be employed to make users more security-conscious by turning behavioral advisories into policy. Cox believes the incorporation of security into software development tools can be done without hindering developers' productivity because many improvements automate tedious chores. Cox says the cost of cleaning up the mess caused by system breaches is the current driver of secure software implementation, while the bad publicity this entails as well as statutory duties with data protection are further incentives. He reasons that lawsuits from the government or users harmed by poorly run systems might also encourage security deployments. "In theory as we get better at security the expected standard rises and those who fail to keep up would become more and more exposed to negligence claims," Cox says. Click Here to View Full Article

.From ACM's TechNews, September 19, 2005

"Now, Every Keystroke Can Betray You"
Los Angeles Times (09/18/05) P. A1; Menn, Joseph

Cybercriminals have begun to prey on online banking customers, using sophisticated software to record individual keystrokes and obtain passwords and PIN numbers. From June to July, the number of reported phishing attacks dropped, while the number of programs designed to steal passwords, known as crimeware, more than doubled. Though many consumers report that fears of cybercrime will lead them to modify their shopping habits, many banks encourage the use of online transactions because they entail far less cost than a visit to a branch. Crimeware can be installed inadvertently by opening an attachment or an advertising link, after which it can record all keystrokes or only those made at selected financial sites; the information is then relayed back to the hackers, who thus far have largely been using it to access accounts one at a time, though efforts at automating the process have recently emerged. One particularly malicious program, known as Grams, cuts out the step of relaying the information to the hacker and automatically cleans out the account once the information is recorded. In response, the FDIC has implored banks to investigate new security measures, though they respond with the fear that too much security could become a nuisance and cost them customers. As security measures become more sophisticated, criminals are keeping the pace, as efforts to select passwords with a mouse instead of using keystrokes have been met with programs that can take a picture of a computer screen to intercept the mouse clicks; some banks have even taken to calling customers when irregular activity is observed on their accounts. Liability remains a pressing issue, as the FDIC and many banks disagree on the extent to which consumers are covered in the event that their data are compromised. Click Here to View Full Article

"False Protection"
Software Development (09/05) Vol. 13, No. 9, P. 34; O'Connell, Laurie

The software designed to bolster enterprise systems against malware and other cyberthreats has itself become a ripe target for hackers, and analysts such as Cigital CTO and author Gary McGraw say security software providers' failure to be software security practitioners is chiefly to blame. "Vendors have to engineer security into the development application lifecycle, get developers to have core responsibility, and give them the tools to do it," says Yankee Group analyst Andrew Jaquith. He suggests that security software developers perform design reviews early and regularly; run nightly regression tests and frequent code base reviews; maintain focus on privilege levels and authorization management; study component authentication; unearth buffer overflows; and conduct checkpoint reviews with security-savvy personnel. Jaquith also recommends that developers test for functions the application is not supposed to carry out. Furthermore, he advises developers to base their choice of vendor or software security system on hard evidence of best practices and an exhaustive technique for spotting and fixing problems encountered by staff, clients, or third parties. Another way to boost security is to fortify the patching infrastructure and analyze security products' auto-update components. An organization's general security can also be shored up by deploying a diverse assortment of anti-virus products from multiple vendors, as well as multisourced solutions from varying code bases. Click Here to View Full Article

.From ACM's TechNews, September 16, 2005

"Hacking's a Snap in Legoland"
CNet (09/15/05); Terdiman, Daniel

Lego executives responded with surprising enthusiasm when adult Lego aficionados hacked and modified one of its development tools for digital designers. Lego's Ronny Scherer says the company welcomes and encourages modifications that show them how to adapt their software to users' needs. The software in question is a free 3D modeling program that fans can download and use to design their own customized Lego models out of digital collections, or palettes, of bricks; Lego then manufactures the bricks and sends them to users. Members of the adult Lego modeling community complained that the design and purchase of these customized models was too expensive because the available palettes usually contained far more bricks than were needed to build the models, and also failed to include important components. Each palette comprises several bags of bricks, and software engineer Dan Malec and other Lego enthusiasts believed they could purchase fewer bricks and reduce their overall costs by lowering the number of bricks in a palette. They compiled a database listing which bags must be bought in order to collect specific bricks, and then tweaked the digital files listing the palettes users would see in the modeling program so they would be listed by bag rather than by palette. Analyst Anita Frazier reasons that Lego welcomed this hack because "it doesn't ultimately hurt the intellectual property, and [the users] aren't modifying the trademark or the core property at all." Click Here to View Full Article

"A Human Connection to Intrusion Detection"
SearchSecurity.com (09/14/05); McKay, Niall

Researchers at the University of Nottingham want to use the human body's immune system as a model for protecting computer systems. Computer science professor Uwe Aickelin and his colleagues are collaborating with immunologists at the University of the West of England in Bristol to build a computer intrusion detection system that has an artificial immune system. "The University of the West of England is carrying out 'wet' experiments to look at various aspects of cell behavior and passing on their findings to us," explains Jamie Twycross, research associate with the Automated Scheduling Optimization and Planning Lab at the University of Nottingham. "We use the results to try and build a computational model." The immunologists are employing the controversial "danger theory," which holds that a complex system that assesses the origin, seriousness, and frequency of danger signals is what drives the human immune system. Twycross is working to recreate, for an artificial immune system, the process in which garbage-collecting dendritic cells that roam the body transform into fighter cells to battle an infection. Similarly, the software would be able to assess threats to computer systems by gathering information from a number of sources. Click Here to View Full Article

"Fleet-Footed Worm Blocker"
Computerworld (09/12/05) P. 36; Anthes, Gary

Microsoft Research is developing software designed to defend networks from fast-replicating computer worms. Vigilante can spot even unknown worms in network traffic, erect "filters" against them, and notify other machines on the network so quickly that the worms can be impeded before humans are even conscious of them, according to research software design engineer Manuel Costa. He says the two biggest hurdles his research team had to overcome were to develop algorithms that could identify previously unseen worms, and to generate no false positives that would result in the blockage of legitimate traffic. Costa says further research is required for Vigilante to fully meet the first challenge, but the false positive challenge has been effectively tackled. Once computers running the software detect an attack, they produce "self-certifying alerts" and distribute them to other machines, which can confirm the alerts before taking defensive action. Costa says the computationally intensive algorithms responsible for spotting worms and issuing alerts would usually run on several nonproduction "honeypot" servers, while the protection mechanisms that respond to the alerts would operate on every network-connected machine. BT Group scientist Robert Ghanea-Hercock sees Vigilante as a potentially useful safeguard in large enterprise or government networks, but cautions that the software "is less valuable in the open network or broadband sector due to the lack of cooperation between the security vendors." Click Here to View Full Article

.From EduPage, September 14, 2005

Sound Of Keyboard Clicks Reveals What Is Typed
ZDNet, 14 September 2005

Researchers at the University of California at Berkeley have demonstrated that an audio recording of someone typing on a computer keyboard can reveal with surprising accuracy exactly what they have typed. Using commercially available recording equipment, the researchers captured audio of typing and analyzed the sounds using an algorithm they developed. Because keys make different sounds, the system is able to make educated guesses about what key was pressed in what order. The application then applies some linguistic logic, including spelling and grammar checks, to refine the results. After three rounds of revisions, the application was able to identify 96 percent of the individual characters typed and 88 percent of the words. The application was effective even with background noise, such as music or cell phones ringing. Doug Tygar, UC Berkeley professor of computer science and information management and a principal investigator of the study, said the project should raise concerns about the security risks of such a technology. "If we were able to figure this out," he said, "it's likely that people with less honorable intentions can--or have--as well." http://news.zdnet.com/2100-1009_22-5865318.html

.From EduPage, September 12, 2005

"Google Hacking"
Network World (09/05/05) Vol. 22, No. 35, P. 1; McMillan, Robert

The practice of Google hacking--the penetration of computer networks through Google search queries--owes its start to Computer Sciences researcher and author Johnny Long, who created the Google Hacking Database initially as a joke. The database now serves as a repository for about 1,500 queries, while the Google hacking community is composed of approximately 60,000 members. The search engine is used not only to unearth credit card numbers, passwords, and unguarded Web interfaces to Web sites, routers, and other things, but also to perform hacker reconnaissance. "Nowadays, pretty much any hacking incident most likely begins with Google," says F-Secure chief research officer Mikko Hypponen. One method is for a hacker to await a security bulletin and then employ Google to find Web sites that use the vulnerable software. Google's database can also be employed to map out computer networks and thwart network administrators' attempts to hinder eavesdroppers. Long reasons that Google's greater involvement in the security community could present new business opportunities. Google could, for instance, create a Google Security Alerts system that notifies customers when their Web sites harbor bugs discovered by Long and other Google hackers. Click Here to View Full Article

.From EduPage, September 7, 2005

UT Hacker Gets Fine, Probation
Houston Chronicle, 7 September 2005

A former student at the University of Texas at Austin has been sentenced for hacking into the university computer system, a charge on which a federal jury convicted him in June. Christopher Andrew Phillips has been ordered to pay $170,000 in restitution for his crimes and to serve five years of probation. Phillips was found guilty of damaging the university's computers and of illegally possessing close to 40,000 Social Security numbers. The jury acquitted him of intending to profit from the personal information he obtained. In addition to the fine and probation, Phillips is forbidden from using the Internet for five years except for school or for work and only under the supervision of his parole officer. In a statement, U.S. Attorney Johnny Sutton said, "[Phillips] found out the hard way that breaking into someone else's computer is not a joke." http://www.chron.com/cs/CDA/ssistory.mpl/metropolitan/3342919

.From ACM's TechNews, September 7, 2005

"Bug Hunters, Software Firms in Uneasy Alliance"
CNet (09/06/05); Reardon, Marguerite

The "responsible disclosure" of security flaws can be a contentious issue between software firms and security researchers. Researchers who do not comply with Microsoft's disclosure guidelines and publicly expose a bug in detail before it is fixed can get into trouble, but independent security researcher Tom Ferris argues that Microsoft takes so long to release patches that full disclosure is warranted; critics also say full disclosure puts pressure on software makers to improve the security of their products faster. IDefense Labs director Michael Sutton says relationships between security researchers and software makers have generally improved over the last several years, and Microsoft, for one, is attempting to get into hackers' good graces through "Blue Hat" conferences and other outreach efforts. Cisco and Oracle, on the other hand, have earned researchers' enmity by failing to expeditiously fix bugs after researchers report them, as well as not updating researchers on their progress, in keeping with responsible disclosure guidelines. Director of Germany's Red Database Security Alexander Kornbrust publicly revealed a half-dozen security vulnerabilities in Oracle software when the software maker failed to issue fixes some two years after he first reported them, and he says Oracle only gave him feedback immediately after he alerted the company to the bugs' existence. Former White House cybersecurity adviser Howard Schmidt says responsible disclosure of software bugs is critical, given America's reliance on IT systems. He suggests that technology companies' lack of responsiveness to security researchers' warnings could be addressed through an intermediate government agency, namely the U.S. Computer Emergency Readiness Team. Click Here to View Full Article

.From EduPage, September 2, 2005

Colleges Dealing With Computer Security Concerns
Christian Science Monitor, 1 September 2005

As the number of computers on college campuses rises, and as IT becomes increasingly rooted in campus activities, higher education officials find themselves facing an expanding number and variety of computer security threats. According to the Privacy Rights Clearinghouse (PRC), 50 million people have been involved in data breaches over the past seven months, including more than 30 incidents on U.S. college and university campuses. Complicating the challenge to IT security staff is the historically open nature of academic settings, a characteristic often at odds with strong computer security. Another factor making life difficult for IT staff is the computers that students bring to campus with them, often with inadequate or poorly configured security features. Jack Suess, vice president of information technology at the University of Maryland Baltimore County, however, noted that of the 11,000 to 12,000 computers on his campus this year, "there's probably only 200 or 250 I'm really worried about." http://www.csmonitor.com/2005/0901/p12s02-legn.html

.From ACM's TechNews, September 2, 2005

"The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)"
Time (09/05/05) Vol. 166, No. 10, P. 34; Thornburgh, Nathan; Forney, Matthew; Bennett, Brian

The revelation that a ring of Chinese hackers, collectively known as Titan Rain, has been launching coordinated attacks on sensitive and seemingly secure U.S. networks to steal data for some time has unsettling implications for U.S. security. The Department of Defense issued a warning that Titan Rain could not only be a coalition of data thieves but also a patrol point for more critical attacks that could hijack or cripple certain U.S. military networks. Such threats are compounded by the fact that federal investigators must jump through bureaucratic hoops to gain authorization to track down and neutralize foreign cyberspies, while concerns of potential international incidents as a result of such probes only add to the delicacy investigators must practice. There is also a lack of experienced investigators, prompting the intelligence community to encourage or at least unofficially sanction freelancers, such as former Sandia National Laboratories computer network security analyst Shawn Carpenter, who traced the Titan Rain intrusions to a trio of Chinese routers in the province of Guangdong, and dutifully informed the FBI. Sandia dismissed Carpenter because his activities constituted hacking into foreign computers, which is unlawful. Carpenter justifies his actions by saying his case shows the need for reforms if the U.S. is to more effectively respond to cyberthreats. Although Washington has no official position on the power behind Titan Rain, Carpenter and other network-security analysts are convinced that the Chinese government masterminded the attacks. Click Here to View Full Article

"The Threats Get Nastier"
InformationWeek (08/29/05) No. 1053, P. 34; Claburn, Thomas; Garvey, Martin J.

Business technology and security professionals are confident their IT systems are adequately protected against cyberthreats, according to InformationWeek Research's U.S. Information Security Survey 2005, but this attitude belies the fact that worms, viruses, and other forms of malware are more insidious and dangerous than ever. The recent Zotob worm epidemic shows that such threats have not gone away, while the motivation behind such attacks has shifted from bragging rights to financial gain. The most common types of security threats and espionage during the past year were viruses and worms, phishing, denial of service, and Web-scripting language violations, while suspected culprits have included hackers, virus writers, unauthorized and former workers, and organized crime. Seventy-eight percent of survey respondents who believe their vulnerability to cyberthreats has increased or remained steady over the past year say the growing sophistication of such threats is their chief concern, while other anxiety-provoking factors include more ways to attack corporate networks, increased volume of attacks, and more malicious intent. Fifty-one percent of businesses plan to boost their IT security budget this year, while 56 percent of respondents say they are approaching IT security in a more structured way due to the need to conform to government regulations. Enhanced application security, secure remote access, and improved access controls are among the top priorities for these companies. Not only are cyberattacks being launched across multiple modes, but virus writers are taking a cue from hackers and using rootkits to conceal their activities from detection systems. Six percent of companies admit hackers gained access to their customer records, but the actual percentage may be higher if one assumes that some companies are hiding the truth or have been compromised without their knowledge.

.From ACM's TechNews, August 31, 2005

"The Future of Computer Worms"
IT Observer (08/30/05); Sancho, David

Trend Micro research engineer David Sancho outlines possible future attack strategies of bot worms and what steps can be taken to counter them. He says the modular design of bot worms enables them to exploit vulnerabilities faster, which means the interim between the disclosure of a vulnerability and its exploitation will shrink in the very near future; countermeasures Sancho suggests include the immediate patching of home systems as soon as updates are available, and the deployment of software and hardware designed as protective measures against malware in corporate environments. The author thinks future worms could employ polymorphic shellcode exploit attacks, a method in which bot authors create a module that alters the exploit code so that it always varies, which could thwart vulnerability and intrusion detection systems whose effectiveness hinges on the exploit code never changing. A solution to this threat would be a tool that detects the unique compression methods used by each worm variant, and Trend Micro has a scan engine in the works that promises to spot different compression techniques before isolating specific detection patterns. Sancho also expects future worms to perform RSS feed hijacking, in which worms commandeer the existing configured RSS-feed clients to automatically download new worms and other kinds of malware. The author believes the release of Internet Explorer 7 could make RSS feed hijacking a legitimate threat, and recommends that companies implement a method to scan HTTP traffic as a protective measure. Click Here to View Full Article

.From EduPage, August 26, 2005

Cyberscam Continues Apace
BBC, 26 August 2005

A recently discovered identity-theft scam continues to cause problems for Internet users, despite efforts by security firms and the FBI to stop it. Security firm Sunbelt Software uncovered the scam accidentally while investigating spyware. Sunbelt located an Internet server whose log files contained personal information harvested by keylogging from many thousands of users. The company notified the FBI, and the server was shut down soon afterwards, only to resurface later. Each time the servers are taken down, more of them appear elsewhere. The keylogging software, which is circulated by a computer virus, captures private information from users and transmits it to one of the rogue servers. The FBI is working to find out who is operating the servers. In the meantime, Sunbelt has developed a tool that searches for the malicious software, which it has named Srv.SSA-KeyLogger. http://news.bbc.co.uk/2/hi/technology/4186972.stm

.From ACM's TechNews, August 26, 2005

"Hackers Attack Via Chinese Web Sites"
Washington Post (08/25/05) P. A1; Graham, Bradley; Eggen, Dan

Hackers have been focusing attacks on hundreds of unclassified U.S. government systems through Chinese Web sites for several years, reported anonymous government officials. Analysts are split on whether these intrusions are the work of a coordinated Chinese government initiative to breach U.S. networks and monitor government databanks, or other hackers using Chinese networks to mask the attacks' point of origin. "This is an ongoing, organized attempt to siphon off information from our unclassified systems," said one official, who noted that State, Energy, Defense, and Homeland Security Department networks are among those targeted. With roughly 5 million computers spread across the globe, the Pentagon has more computers than any other agency, making its network the most vulnerable target to both foreign and domestic hackers, the officials said. The Pentagon estimates that China is the No. 1 source of Defense Department hacks, though Lt. Col. Mike VanPutte of the U.S. Strategic Command's Joint Task Force for Global Network Operations said this only proves that China is the probes' "last hop" before they strike their targets. One anonymous government official downplayed the severity of the attacks, while another said an FBI investigation has yet to yield any definitive proof of who is orchestrating the intrusions. U.S. concerns about Chinese military initiatives in general are fueling worries about China-based cyberattacks, and the spate of attacks on unclassified systems has added urgency to the Pentagon's effort to acquire new detection software programs and better train computer security specialists, according to several officials. Click Here to View Full Article

.From ACM's TechNews, August 24, 2005

"Hacker Underground Erupts in Virtual Turf Wars"
Christian Science Monitor (08/22/05); Spotts, Peter N.

Hacker turf wars sparked by the increasing strategic and monetary value of compromised computers have usually simmered out of the public eye, but such skirmishes were in plain view last week when the Zotob worm infected computers at a major airport, media outlets, and industrial companies, and prompted an all-out battle between competing malware. Zotob appeared a mere six days after Microsoft announced a patch for the security flaw the worm was crafted to take advantage of, and Curtis Franklin Jr. of Secure Enterprise Magazine reports that the average time between the disclosure of a vulnerability and the release of an exploit has shrunk from 21 days to eight days in the last 24 months. Experts say this shorter timeframe can be partially explained by the apparent use of prewritten program "shells" by malware authors, while the patching process can be held up by negotiations between corporate network managers and other parts of the corporation. "Zero-day exploits" in which malware appears on the same day a flaw is announced are generating the most concern, and Franklin says the Zotob turf war illustrates a convergence among the various forms of malware in terms of function. Intelguardians Network Intelligence security consultant Tom Liston says hacker turf wars have increased significantly over the last three years. University of Southern California at Los Angeles professor Peter Reiher adds that such battles used to be primarily over bragging rights, whereas today they indicate a greater interest in controlling infected systems. Click Here to View Full Article

.From ACM's TechNews, August 19, 2005

"Can a Simple Password Stop Domain Name Hijacking?"
Tom's Hardware Guide (08/17/05); Gruener, Wolfgang

Using a password at the time of a domain transfer between registrars could safeguard against identity fraud targeting Internet domain names, which has emerged as one of the most significant threats to networks today. Securing the domain name transfer process has been slow, due partially to the lackluster implementation of Extensible Provisioning Protocol (EPP), an XML-based transfer protocol. VeriSign is moving toward adopting EPP for the .com and .net domains on an unspecified time frame, which will ultimately reduce the vulnerability of top-level domains. Since 2000, Registry Registrar Protocol has been steering the exchange of domain name services, but that protocol, adopted by VeriSign in 2003, contains no built-in security features. EPP potentially offers greater security through database management systems, whereby the acquiring registrar verifies the customer's identity with the losing registrar through an authInfo code. The key to authInfo's success will be its application to create unique codes for each domain name, rather than registrar-wide generic codes that are easy targets for hackers. ICANN SSAC Fellow Dave Piscitello describes EPP authInfo essentially as a password, as no one other than the receiving registrar could view the transmission in an unencrypted form. The .com and .net domains have been slow to implement EPP, though its use is common in other domains, such as .org, .biz, and .info. It is estimated that .com and .net will not be fully converted to EPP for another year. EPP may not be a universal panacea, however, as the transfer process still depends on WHOIS data of questionable reliability. Ultimately, SSAC says registrants themselves must be accountable for securing domain names, ensuring their information is current, and choosing an appropriate registrar, as well as utilizing EPP authInfo to its full extent. Click Here to View Full Article
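The article's point about authInfo is that a registrar-wide generic code fails exactly where a per-domain code succeeds: one leaked code should not unlock every domain a registrar holds. The following is an added illustration, not code from the article, VeriSign, or any EPP implementation, and it does not speak EPP at all; it only models the registrar-side handling of transfer codes. The `AuthInfoStore` and `RegistrarWideCodeStore` classes, the PBKDF2 storage scheme, and the sample domain names are all assumptions made for the example.

```python
"""Per-domain transfer codes versus one registrar-wide code (added example).

Hypothetical model of how a losing registrar might hold EPP authInfo codes.
Nothing here is part of EPP itself; it shows only why per-domain, unpredictable,
hashed codes contain the damage of a single leak.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# PBKDF2 work factor; kept moderate so the example runs quickly.
_ITERATIONS = 20_000


def generate_auth_info(nbytes: int = 16) -> str:
    """Return a fresh, unpredictable, URL-safe transfer code (CSPRNG-backed)."""
    return secrets.token_urlsafe(nbytes)


def _digest(code: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a code; the clear code is never stored."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, _ITERATIONS)


class AuthInfoStore:
    """Per-domain codes: each domain gets its own salt and its own hashed code."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def issue(self, domain: str) -> str:
        """Create (or rotate) the code for one domain and return it once."""
        code = generate_auth_info()
        salt = secrets.token_bytes(16)
        self._records[domain.lower()] = (salt, _digest(code, salt))
        return code  # handed to the registrant, never retained in the clear

    def verify(self, domain: str, candidate: str) -> bool:
        """Check a candidate code for a domain in constant time."""
        rec = self._records.get(domain.lower())
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(_digest(candidate, salt), expected)

    def complete_transfer(self, domain: str) -> Optional[str]:
        """After a successful transfer the old code must stop working.

        Returns the new code for the gaining registrar to pass on, or None
        if the domain is unknown.
        """
        if domain.lower() not in self._records:
            return None
        return self.issue(domain)


class RegistrarWideCodeStore:
    """Weak model the article warns against: one generic code for every domain."""

    def __init__(self) -> None:
        self._shared_code = generate_auth_info()
        self._domains: set = set()

    def register(self, domain: str) -> str:
        self._domains.add(domain.lower())
        return self._shared_code  # the same secret is handed to every registrant

    def verify(self, domain: str, candidate: str) -> bool:
        return domain.lower() in self._domains and hmac.compare_digest(
            candidate, self._shared_code
        )


def leak_blast_radius(store, leaked_domain: str, leaked_code: str, domains) -> int:
    """How many of `domains` a code leaked from `leaked_domain` would authorize.

    Constructed assessment helper: a per-domain store should report 1,
    a registrar-wide store reports every domain it holds.
    """
    return sum(1 for d in domains if store.verify(d, leaked_code))


if __name__ == "__main__":
    # Constructed sample domains for the demonstration.
    domains = ["example.com", "example.net", "example.org"]

    per_domain = AuthInfoStore()
    codes = {d: per_domain.issue(d) for d in domains}
    print("per-domain leak radius:",
          leak_blast_radius(per_domain, "example.com", codes["example.com"], domains))

    shared = RegistrarWideCodeStore()
    shared_codes = {d: shared.register(d) for d in domains}
    print("registrar-wide leak radius:",
          leak_blast_radius(shared, "example.com", shared_codes["example.com"], domains))
```

The `complete_transfer` step matters as much as the per-domain generation: a code that is still valid after the transfer it authorized can be replayed, so the gaining registrar should trigger a rotation, and the losing registrar should only ever compare hashes, never echo the stored code back in a WHOIS-style lookup.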

"Computer Characters Mugged in Virtual Crime Spree"
New Scientist (08/18/05); Knight, Will

The increasingly porous boundary between the real and virtual worlds is illustrated by the arrest of a Chinese exchange student in Japan on suspicion of controlling software "bots" to assault and rob game characters of virtual possessions, which were then fenced for real money through an auction Web site. Bots can easily best virtual characters controlled by people because they perform tasks in a game very swiftly or repetitively, and such activities can be spotted by countermeasures used by many games companies. Computer games consultant Ren Reynolds comments that bot authors and games firms are locked in an arms race, while the practice of turning virtual worlds into a cash cow is expanding. Computer security expert Bruce Schneier says the line is blurring between real and virtual crime as well, citing recent reports of criminals trying to penetrate games or steal players' account data for money. "I regularly say that every form of theft and fraud in the real world will eventually be duplicated in cyberspace," Schneier writes on his blog. "Perhaps every method of stealing real money will eventually be used to steal imaginary money, too." Reynolds concludes that the rising online game player population will fuel crooks' desire for exploitation even further. Click Here to View Full Article

.From ACM's TechNews, August 19, 2005

"Al-Qaida Recruiting Target: Skilled Hackers"
Investor's Business Daily (08/19/05) P. A4; Tsuruoka, Doug

Mark Rasch, chief security counsel for Solutionary, Inc. and former head of the Justice Department's computer crime unit, reports that foreign governments and terrorist organizations such as al-Qaida are attempting to hire Internet hackers to break into commercial and federal computer networks, with an eye toward sabotage or information theft. He says a massive assault against our cyberinfrastructure would disrupt services but not inspire terror; much more effective would be a combination cyberattack and physical attack, which would spread fear as well as hinder response strategies. Rasch says al-Qaida has formulated plans to attack U.S. networks controlling the supervisory control and data acquisition (SCADA) systems underlying the country's utility infrastructure. Terrorists can contact hackers in a variety of ways, including through Internet relay chat channels, anonymous outsourcing, and anonymous remailers that hide the original source of messages. Rasch suggests a number of precautions to defend against cyberterror attacks, such as the installation of disaster recovery and business continuation technology and redundant systems. So that people can understand and identify attack precursors, he recommends an exchange of information. Rasch also suggests improving information sharing networks following an attack.

"'War of the Worms' Spurs Latest Cyber-Attack"
ABC News (08/17/05); James, Michael S.

The attack earlier this week that slowed systems at The New York Times, The Associated Press, and other media outlets may have been an example of battling worms competing for control of major computer networks. The culprit was identified as different strains of the Zotob worm, which targets computers running Windows 2000, though if unprotected, Windows 2003 and XP are also vulnerable. In the latest attacks, the hackers were attempting to seize control of the computers to create botnets, and posted death threats aimed at antivirus companies. The pursuit of unlawful computer armies has led to a virtual turf war, where rival hackers delete each other's worms to clear the way for their own in an effort to build the largest botnet. The recent trend in hacking has been toward personal greed, as simply defacing a Web site or launching a denial of service attack no longer motivates hackers: "Destroying the Internet is not really useful if the Internet is the means to your financial goals," noted Art Manion of the U.S. CERT center at Carnegie Mellon. Botnet operators use the expropriated computers to send out torrents of spam or access personal information, though there is also an underground economy that pays to rent botnets for various purposes, most commonly to send out spam. The use of multiple third-party computers makes it difficult to track the originator of botnet spam. Cybertrust's David Kennedy believes poor laptop security may have facilitated the recent attacks, and cautions businesses to keep security patches updated, and use a special router to manage the connection between the notebook and the providing pipeline; he adds that users should power their notebooks down completely before connecting to the network. Click Here to View Full Article

"Computer Virus Writers Moving Faster with Attacks"
Reuters (08/17/05); Swartz, Spencer

A flood of malware-based attacks against U.S. media companies and other corporations this week has prompted security analysts to warn that the window between the disclosure of vulnerabilities and their exploitation by hackers is shrinking. "These guys have gotten a lot faster...they are doing it faster than managers can keep up with," stated F-Secure virus researcher Eno Carrera. Analysts said the interim between advisories of flaws in Microsoft's Windows operating system and the release of exploitative viruses was several weeks or months a few years ago. However, hackers authored and released exploits of three Windows security vulnerabilities mere days after Microsoft notified users of their existence last week. The malware caused thousands of vulnerable machines to restart repeatedly, and potentially exposed computers to hackers who could hijack a system as a launch-pad for future virus attacks and steal personal data while the user is unaware. Also troubling is the fact that virus writers often release malicious code faster than computer system safeguards can be updated. Hackers have additionally started exploiting instant messaging's popularity among office workers as a vehicle for delivering viruses. Click Here to View Full Article

. From Microsoft -- "School is in: 7 computer security tips for students".

. From the Chicago Tribune, Now, Every Keystroke Can Betray You.

. From New York Times, August 17, 2005

Virus Attacks Windows Computers at Companies
By Matt Richtel

A handful of digital worms that exploit vulnerabilities in some Microsoft Windows computers spread on Tuesday. Read the article.

. From New York Times, August 15, 2005

Spyware Heats Up the Debate Over Cookies
By Bob Tedeschi

Internet users now routinely delete cookies, leaving marketers scrambling to find another tool to measure their effectiveness. Read the article.

. From EduPage, August 17, 2005

Former AOL Employee Sentenced For Data Theft
Reuters, 17 August 2005

A judge in New York has sentenced a former employee of America Online to 15 months in prison for stealing 92 million screen names from AOL and selling them to a spammer. Jason Smathers, who pleaded guilty earlier this year and cooperated with prosecutors, expressed remorse for his actions and asked the judge for leniency. Indeed, the judge could have given Smathers 24 months in prison for his crimes, which included conspiracy and interstate trafficking of stolen property. AOL has said it suffered monetary losses of $300,000 as a result of Smathers's actions. The judge in the case has given the company 10 days to prove those losses, after which he said he will impose a fine, hinting that he is leaning toward a fine of $84,000. http://today.reuters.com/business/newsarticle.aspx?storyID=nN17251689

.From ACM's TechNews, August 17, 2005

"'Spear Phishing' Tests Educate People About Online Scams"
Wall Street Journal (08/17/05) P. B1; Bank, David

To raise user awareness of online scams designed to trick them into revealing sensitive information to data thieves and other miscreants, organizations such as the U.S. Military Academy are conducting exercises in which people are sent phony emails disguised as official requests to link to Web pages and enter confidential data, and then upbraided if they do so. Through this strategy, defenders hope to teach users to be more cognizant of "spear phishing" scams in which attackers craft email messages that would seem to originate from the recipient's company or organization. Last June, over 500 West Point cadets were sent mock emails from a fictitious colonel instructing them to click on a link to confirm that their grades were correct, and more than 80 percent of recipients complied; the cadets were gently reprimanded via email and advised to be more cautious in the future. In recent months, almost 10,000 employees of New York state were sent emails that were supposedly official notices asking them to access sites and enter their passwords and other personal details, and those who did were sent a note explaining the purpose of the exercise. "The bottom line lesson was: Even if the request comes from legitimate individuals, never give out personal information," said New York CIO William Pelgrin. However, such methods could potentially erode employees' trust for their organizations' information-security personnel. Still, SANS Institute research director Alan Paller called such exercises "a key defense against large-scale theft of confidential information."

. From EduPage, August 15, 2005

E-Mail Marketer Convicted Of Stealing 1.6 Billion Names
Wall Street Journal, 15 August 2005

A jury in Arkansas has convicted Scott Levine of stealing 1.6 billion computer records from Little Rock-based data vendor Acxiom Corp. The records included names, addresses, phone numbers, and other personal information that Levine's company, Snipermail.com, sought to use in direct e-mail marketing campaigns. In the case, the government presented evidence that Levine had used illegally obtained passwords of about 300 legitimate Acxiom customers to fraudulently access the records. Levine was convicted of 120 counts of unauthorized access to a computer, two counts of fraud for cracking passwords, and one count of obstruction of justice for trying to destroy evidence stored on Snipermail computers. Levine will be sentenced in January. Acxiom said that since the intrusion, it has improved security procedures for protecting data, including strengthening encryption systems and the company's ability to detect when unauthorized access takes place. (sub. req'd) http://online.wsj.com/article/0,,SB112406416615412935,00.html

.From ACM's TechNews, August 15, 2005

"NIST Creates Online Treasure Trove of Security Woes"
Federal Computer Week (08/15/05); Yasin, Rutrell

The National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) is a comprehensive repository of cybersecurity data culled from all publicly available vulnerability resources that also supplies references to industry resources. NVD creator and NIST computer scientist Peter Mell says about 12,000 vulnerability entries have been posted on the NVD Web site, with roughly 10 new postings added daily. The public will be able to use NVD to gain detailed information on flaws in specific products and trends in industry segments, while developers who must import vulnerability data into their security offerings could benefit as well, according to Mell. The database is constructed wholly on the Common Vulnerabilities and Exposures (CVE) naming standard maintained by Mitre, and which is used by some 300 security products to spot vulnerabilities and expedite interoperability between those products; Mell says NVD will further assist in the facilitation of compatibility by augmenting the CVE standard with detailed vulnerability data. The public can freely avail themselves of NVD's vulnerability information as an XML feed, and Mell says the database can also produce statistics that extrapolate vulnerability-discovery trends. Unlike the Homeland Security Department's Technical Cyber Security Alerts and Vulnerability Notes, which only notify the public about the most critical flaws, NVD offers "an encyclopedia of everything," reports Mell. SANS Institute research director Alan Paller notes that users can employ NVD to answer difficult queries such as whether software from specific vendors is flawed. NVD is sponsored by the DHS' National Cyber Security Division as a complement to the department's suite of vulnerability management products, Mell says. Click Here to View Full Article

"Instant Messaging: A New Target For Hackers"
Computer (07/05) Vol. 38, No. 7, P. 20; Leavitt, Neal

The growing popularity of instant messaging (IM), especially among businesses, has made it an increasingly attractive target to phishers, malware authors, and other attackers. IMlogic CTO Jon Sakoda says IM attacks can propagate rapidly thanks to IM's real-time capabilities. Other factors encouraging IM attackers include a lack of safe computing practice among users; the false sense of security users feel due to IM's immediacy and informality; growing functionality and complexity of IM systems; and an absence of corporate IM-use policies. Messaging providers and security companies are attempting to thwart or mitigate IM attacks by monitoring and analyzing IM security risks through the IMlogic Threat Center and similar efforts, and are also educating consumers about safe computing practices. Many IM virus outbreaks cannot be halted by traditional antivirus technology, which fails to keep up with the rapid spread of IM communications. However, virus throttling shows promise as a method for slowing down and limiting the damage of messaging worm propagation. Furthermore, major IM networks are amending their clients to combat buffer overflow attacks enabled by substandard programming and memory management.

. From EduPage, August 12, 2005

New York Adds Disclosure Law
The Register, 12 August 2005

New York State has enacted a law requiring corporate or public organizations to notify individuals in the event that personal information about them has been compromised. Similar in concept to a California law that went into effect two years ago, the New York law compels organizations that store sensitive information to contact consumers as quickly as is practical if there is evidence or suspicion that data including Social Security numbers or credit card numbers have been unlawfully accessed. At least 15 other states have passed similar legislation since California did. New York State Assembly member James Brennan, sponsor of the legislation, said, "If a person is not aware that he or she has been a victim of identity theft, then the damage done could be severe and irreversible," noting that the sooner people are made aware of security breaches involving sensitive data, the better their chances are of avoiding the worst repercussions. http://www.theregister.com/2005/08/12/ny_security_breaches_disclosure/

.From ACM's TechNews, August 12, 2005

"PluggedIn: Wireless Networks--Easy Hacker Pickings"
Reuters (08/05/05); Sullivan, Andy

Wireless networks are highly vulnerable to exploitation, so much so that hackers regularly compete to find open Wi-Fi connections. Mapping out wireless access points, a practice known as wardriving, is very popular, as demonstrated by wardriving contests hosted at the recent Defcon hacker conference. Inexpensive wireless routers let consumers surf the Web from home, while a Wi-Fi signal's radius of several hundred feet allows neighbors to access the Internet as well. Very few wireless hotspot owners avail themselves of encryption, password protection, and computer-specific network access features. Wardrivers say the WEP encryption standard employed by many access points is easy to break, while others blame manufacturers such as Linksys for failing to make security a default setting in their products because they are more interested in ease of use. Mike Wagner with Linksys claims new routers enable computers to securely link with other Linksys devices through the simple push of a button, but admits his company cannot ship its products with the security settings activated because most users will not go to the trouble of changing the default password. Numerous laws criminalize accessing computer networks without authorization, but few have been put to the test in court. Wardrivers claim not to approve of unauthorized network use, insisting that the goal of their activities is to raise awareness of wireless security's vulnerability among consumers and manufacturers in the hope of spurring them to make improvements. Click Here to View Full Article

. From EduPage, August 10, 2005

Hackers Hit Another University
San Francisco Chronicle, 9 August 2005

Sonoma State University, an hour north of San Francisco, has become the latest in a growing list of universities to suffer a hacker attack that put personal information of students and staff at risk. At Sonoma State, hackers in July gained access to several computer workstations, which allowed them to access a number of other computers before university staff detected and put an end to the intrusion. In all, the hackers had access to names and Social Security numbers of nearly 62,000 students, applicants, or employees of the university between 1995 and 2002. A spokesperson for the university said the hackers did not have access to financial information and noted that there is currently no evidence that any of the information has been misused. Nevertheless, the university is required by state law to contact individuals whose personal information has been compromised, and the university is working to do just that. The university has set up a Web site with information and is advising affected individuals to contact credit-reporting agencies to be on the lookout for possible identity fraud. http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/08/09/BAGLJE50C81.DTL

Students Face Punishment For Computer Tampering
Wired News, 9 August 2005

Thirteen high school students in the Kutztown Area School District in Pennsylvania face felony charges of tampering with computers after defeating security measures on laptops issued to them by the school district. The laptops included Internet filters and an application that allowed district administrators to see what students did with the computers. The 13 used administrator passwords--which, for unknown reasons, were taped to the backs of the computers--to override the filters and download software such as iChat that the district policy forbids. The students also modified the monitoring program so that they could see what the administrators did with their computers. The students and their parents argued that the felony charges are unwarranted, but, according to the district, students and parents signed acceptable use policies that clearly state what activities are not allowed and that warn of legal consequences if the policy is violated. The students continued to violate district policies for use of the computers even after detentions, suspensions, and other punishments, according to the district. Only then did school officials contact the police. http://www.wired.com/news/technology/0,1282,68480,00.html

Spammer Settles With Microsoft
New York Times, 10 August 2005

Microsoft has reached a settlement with Scott Richter, a man once described as one of the top three spammers in the world. Efforts by Microsoft and New York Attorney General Eliot Spitzer in 2003 resulted in the collection of 8,000 e-mail messages containing 40,000 fraudulent statements sent by Richter's company, OptInRealBig. Richter earlier agreed to pay New York State $50,000; under the new settlement, Richter will pay Microsoft $7 million. According to Bradford L. Smith, chief counsel for the software giant, $5 million would be used to "increase our Internet enforcement efforts and expand technical and investigative support to help law enforcement address computer-related crimes," while another $1 million will be spent on improving computer access for the poor in New York State. The settlement also requires Richter to comply with state and federal laws governing e-mail and to submit to oversight of his company's operations for three years. (registration req'd) http://www.nytimes.com/2005/08/10/technology/10spam.html

.From ACM's TechNews, August 10, 2005

"Critics Say Security Still Lags"
Investor's Business Daily (08/09/05) P. A4; Howell, Donna

Internet and computer security continues to face heavy criticism four years after Sept. 11, with industry organizations and the Government Accountability Office (GAO) urging the allocation of more federal resources to tech security. A CSO magazine poll of 389 security professionals finds that roughly 59 percent of respondents doubt the government can secure the U.S. information infrastructure, while 45 percent expect hackers or terrorists to launch the digital equivalent of a Pearl Harbor-style attack against the nation's critical infrastructure. The GAO has issued several studies finding fault with federal cybersecurity efforts, and Ron Ross with the National Institute of Standards and Technology says his organization has been developing a set of standards and guidelines designed to help agencies construct improved information systems and safeguards. "There's no long-term vision for what we ought to be doing in cybersecurity research and development," notes Cyber Security Industry Alliance (CSIA) executive director Paul Kurtz. "In the long term, we need to think about our information systems constantly being under attack...And the need to transfer over to other systems." In July, CSIA recommended the development of a 10-year federal plan to enhance the security, reliability, and resiliency of information technology, as well as additional funding for the issue. A recent restructuring of the Homeland Security Department resulted in the creation of an assistant secretary for cybersecurity and telecommunications; both CSIA and the ITAA praised this maneuver, though ITAA President Harris Miller still laments that some federal IT agencies' budgets remain flat. Unisys' Greg Baroni points to increased security audits encouraged by security guidelines mandated by the Federal Information Security Management Act, which will soon obtain a "compliance component."

"Annual Hacking Game Teaches Security Lessons"
SecurityFocus (08/04/05); Lemos, Robert

The annual DEF CON conference hosts a hacker version of Capture the Flag, and this year's bout emphasized more real-world skills, according to University of California at Santa Barbara computer science professor Giovanni Vigna, whose Shellphish team was the victor. "The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things," Vigna explained. "It's about analyzing the security posture of a system that is given to you and about which you initially know nothing." This year the organizers courted controversy by running a central server on which each team's virtual server operated, whereas in past tournaments each team was permitted to run its own server; Crispin Cowan with Novell's SUSE division said this meant there was very little defense that could be implemented, and he doubted that anyone with a substantial interest in defense will participate in future tournaments if exclusive concentration on code auditing becomes the norm. One of the organizers defended this year's game with the argument that the bout was a hacking contest. He said finding and exploiting security flaws in custom software via reverse engineering, not just code auditing, is key to being a top hacker. The organizer insisted that defense was not sidelined, noting that some teams successfully deployed Tripwire, a data-integrity checker that can pinpoint altered files, and used an intrusion detection system to monitor traffic. Vigna said the winning team's strategy kept the discovery of flaws and the toughening up of system services in balance. Click Here to View Full Article

"Car Computer Systems at Risk as Viruses Go Mobile"
Reuters (07/29/05); Virki, Tarmo; Shields, Michael

In-vehicle computer systems could be threatened by malware as hackers' interest in authoring viruses for wireless devices grows, according to automotive industry officials and analysts. Automakers' tweaking of on-board computers to allow consumers to transfer data with mobile phones and MP3 players also increases the cars' vulnerability to mobile viruses that hop between devices through the connective Bluetooth technology, which is employed in car electronics interfaces for service and monitoring. The worst-case scenario is that the computer would no longer be able to control engine performance, emissions, navigation, and entertainment systems, and Symantec mobile virus specialist Guido Sanchidrian says this should not prevent motorists from driving their cars on their own. Thus far there have been no reports of viruses in auto systems, but carmakers say they are giving the matter serious consideration, even though research shows transplanting a virus into a car is not a simple proposition. A BMW representative says such transplants are a possibility, and addressing this problem has been an area of concentration for many years. A Siemens representative claims her company uses systems that screen out unwanted programs and data via encryption. Automakers' growing emphasis on computer security could be a windfall for antivirus firms, and IDC projects that the mobile security software market will skyrocket from $70 million in 2003 to $993 million in 2008. Click Here to View Full Article

. From EduPage, August 5, 2005

Court Upholds University Block On Spammer
Inside Higher Ed, 4 August 2005

A federal appeals court ruled in favor of the University of Texas (UT) in its dispute with White Buffalo Ventures over thousands of spam e-mails sent by the company to students of the institution. In 2003, White Buffalo, which operates an online dating service geared toward UT students, began sending thousands of messages to student e-mail addresses it had obtained through public records. After receiving many complaints from students, the university blocked White Buffalo's e-mails, a move the company said infringed on its First Amendment rights and its rights under the CAN-SPAM Act. A federal judge disagreed with White Buffalo, and the current ruling supports that decision. The three-judge panel of the appeals court found that the institution is within its rights to place restrictions on commercial speech if such restrictions can be shown to legitimately benefit constituents--in this case, UT's students. Observers noted that the court's rejection of White Buffalo's CAN-SPAM argument is important in that it presents a significant roadblock to organizations that would try to use the law to make it easier, rather than more difficult, to send unsolicited e-mail. http://insidehighered.com/news/2005/08/04/ut

. From EduPage, August 3, 2005

CU Suffers Another Hack
The Denver Post, 3 August 2005

Hackers broke into a server at the University of Colorado (CU), marking the third security breach in the past six weeks. The latest attack targeted servers that held information for the school's ID card, known as the Buff OneCard. Those servers included names, Social Security numbers, and photographs but not financial information. Potentially exposed in the attack is personal information for 29,000 students, some former students, and 7,000 staff members. Students who will be entering the university in the fall were not affected. Dan Jones, IT security coordinator, said it was not clear whether this attack was perpetrated by the same people who compromised two other servers recently. In April, CU had decided to move away from using Social Security numbers as identifiers for students, based on security problems at other institutions and the risk of identity theft. Some systems on campus, however, still use Social Security numbers to track students, according to Jones. Officials at the university said they will hire an independent auditing firm to assess the institution's security measures and will also evaluate some 26,000 computers to determine which could be placed behind a firewall. http://www.denverpost.com/news/ci_2909173

Researcher Says DNS Servers Vulnerable
CNET, 3 August 2005

In a presentation at the Black Hat conference last week, security researcher Dan Kaminsky argued that domain name system (DNS) servers represent a broad vulnerability in the Internet. Kaminsky said that of 2.5 million DNS servers he tested, nearly 10 percent could be susceptible to so-called DNS cache poisoning. In total, about 9 million DNS servers are operating globally. DNS servers translate the domain names in typed URLs into the numeric addresses necessary to locate Web sites. In cache poisoning, the legitimate numeric address cached for a name is replaced, causing users to be redirected to sites of the hacker's choosing. Often, users are sent to Web sites that install malware or that deceive users into disclosing personal information, which can then be used in identity theft. Incidents of cache poisoning have disrupted Internet service in the past, including this March, when users trying to access CNN.com and MSN.com were sent to sites that installed spyware. Security experts advise operators of DNS servers to audit their machines and make sure they configure them in the safest manner possible. http://news.com.com/2100-7349_3-5816061.html

.From New York Times, August 7, 2005

Europe Zips Lips; U.S. Sells ZIPs
By Eric Dash, August 7, 2005

The U.S. looks at privacy largely as a consumer and an economic issue; in the rest of the developed world, it is regarded as a fundamental right. Read the article.

The Rise of the Digital Thugs
By Timothy L. O'Brien, August 5, 2005

The newest big corporate menace: disgruntled techies, who find company secrets and will keep them, for a price. Read the article.

.From ACM's TechNews, August 3, 2005

"The Sniffer vs. the Cybercrooks"
New York Times (07/31/05) P. 3-1; Rivlin, Gary

As the motivation for hackers shifts from the pursuit of bragging rights to high-stakes economic plundering, many corporations are enlisting the services of sniffers, security analysts who peer through the eyes of a hacker to exploit a system's vulnerabilities in the name of improving its security. A recent survey found that over 87 percent of the companies polled conduct penetration tests, up from 82 percent a year ago; up 14 percent from 2003, companies in North America spent more than $2 billion on security consulting last year, says Gartner analyst Kelly Kavanagh. Sniffers such as independent consultant Mark Seiden often resort to unorthodox techniques to expose a system's vulnerabilities. While he is a former programmer with considerable technical expertise, Seiden may be best known for his innovative methods for gaining access to companies' most sensitive information, such as using disguises to infiltrate restricted places. Once inside, Seiden is an expert at figuring out where a data center is housed, and by blending in, picking locks, and shimmying through air ducts to drop through a ceiling into an otherwise secure room, he has exposed weaknesses in many high-profile companies. The most porous security is most likely to be found in a physical building, where file cabinets with cheap locks and unsecured backup tapes offer a wealth of sensitive information to someone such as Seiden. Though his creativity and uncanny ability to think like a cyber-criminal have kept him in high demand, he acknowledges that "you can't prevent a determined adversary who has unlimited resources from breaching security." But as Gartner analyst Richard Mogull points out, even though 100 percent security will forever be an illusion, sniffers such as Seiden can help companies protect against the vast majority of would-be hackers who "have only rudimentary skills." Click Here to View Full Article

.Solutions to many of our security problems already exist, so why are we still so vulnerable? Read the article from Queue.

.From New York Times, July 31, 2005

The Sniffer vs. the Cybercrooks
By Gary Rivlin

Sniffers, or professionals who test a computer network's security, must do their best to think like an enterprising cyberthief. Read the article.

.From EduPage, July 29, 2005

Congress Gets Serious About Data Privacy
CNET, 28 July 2005

Ahead of its August recess, Congress moved data-security measures to the top of its agenda, with various House and Senate committees considering three different bills dealing with the protection of sensitive information. The broadest legislation being considered is the Personal Data Privacy and Security Act, which would place new restrictions on how personal information may be used and impose criminal penalties on those found to have violated them. The bill would limit the sale and publication of Social Security numbers, require notification of consumers in the event their personal data is compromised, and restrict the authority of the states in writing their own regulations for data protection. Other bills working their way through the Senate include similar requirements that consumers be notified of data breaches, but they provide only civil penalties. The other measures, including one passed by the Senate Commerce Committee, place oversight and enforcement authority with the Federal Trade Commission (FTC). Critics of the proposed legislation argue that it is being rushed through without proper discussion. http://news.com.com/2100-7348_3-5808894.html.

.From ACM's TechNews, July 27, 2005

"Two Professors Go Fishing for Phishers"
San Francisco Chronicle (07/25/05) P. E1; Kirby, Carrie

Stanford computer science professors John Mitchell and Dan Boneh are leading a team developing anti-phishing tools designed to help email users avoid bogus Web sites and prevent crooks from stealing other people's passwords. The SpoofGuard software plug-in the team created last year examines each site visited by users for signs of phoniness, and alerts them if it spots anything suspicious. A second plug-in, PwdHash (password hash), hashes the password typed into a site together with the site's domain, producing a unique sign-on for each site visited; should a user be fooled into typing his password into a spoofed version of a legitimate site, the phishers receive a password that differs from the one the authentic site received. In addition, PwdHash addresses users' tendency to employ the same password at many different sites, which means thieves' attempts to log on to as many sites as they can with a PwdHash-scrambled password will fail. PwdHash will be unveiled at a Baltimore security conference next week, while Boneh expects to release a third tool, SpyBlock, a deterrent against Trojan-horse key-logging software, in six months. The tools are freely available as browser plug-ins on the Stanford Web site, although the researchers would prefer that such solutions be embedded within the major browsers. Click Here to View Full Article

.From EduPage, July 25, 2005

Software Hides Passwords From Phishers
San Jose Mercury News, 25 July 2005

Two professors at Stanford University are set to unveil software designed to foil phishers by scrambling passwords entered into Web sites. John Mitchell and Dan Boneh developed the software, called PwdHash, to deal with the growing problem of Web sites that lure computer users into disclosing personal information. The software creates a unique password for each Web site a user visits. If the user goes to a bogus version of a legitimate Web site, the software creates a separate password, leaving the operator of the bogus site with a password that will not work at the real site. Previously, the pair of professors have written software that tries to identify fraudulent Web sites and notifies the user when such a site is suspected. http://www.siliconvalley.com/mld/siliconvalley/12218576.htm
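The per-site password scheme described in the two PwdHash items above (the July 27 TechNews summary and the Mercury News item) can be reduced to a keyed hash of the site's domain. The example below is added here to illustrate that idea; it is not PwdHash's own code, and its domain-extraction rule and output encoding are simplifying assumptions of this example rather than the rule the Stanford plug-in uses. The URLs and master password in it are constructed sample input.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def salt_domain(url: str) -> str:
    """Reduce a URL to the domain that salts the hash.

    Simplification (an assumption of this example, not PwdHash's real rule):
    keep the last two labels of the host name, so www.example.com and
    example.com:8080 both map to "example.com". A production tool needs a
    public-suffix list so that a host under co.uk is not collapsed to co.uk.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive the password actually sent to a site from the user's master password.

    HMAC-SHA256 keyed with the master password over the salt domain; the
    base64 prefix keeps letters, digits and '+'/'/' so the result passes most
    site password policies. Hypothetical construction for illustration.
    """
    domain = salt_domain(url)
    tag = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")[:length]


def phished_password_works(master: str, real_url: str, phish_url: str) -> bool:
    """Would the password a spoofed site captured log the attacker in at the real site?"""
    return site_password(master, phish_url) == site_password(master, real_url)


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed sample
    real = "https://www.bank.example/login"
    phish = "https://www.bank-example.test/login"    # look-alike domain
    print("real site receives :", site_password(master, real))
    print("phisher receives   :", site_password(master, phish))
    print("phished password works at real site:", phished_password_works(master, real, phish))
```

Two caveats a practitioner should keep in mind: the phisher still holds an HMAC output keyed by the master password, so a weak master can be brute-forced offline from one captured site password; and the scheme only helps if the browser-side code transforms the password before any script on the phishing page can read the raw keystrokes.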

CU Computers Hacked
The Denver Channel, 22 July 2005

Officials at the University of Colorado said hackers gained access to two servers at the university, possibly exposing personal information on nearly 43,000 students and employees of the institution. One server, at the College of Architecture, contained data on 900 individuals; the other, at the university's health center, included information for another 42,000 people. The servers included names, Social Security numbers, addresses, and dates of birth, according to the university, but neither included credit card information. Still, university officials are advising those affected to monitor their credit reports for suspicious activity, and the university has set up a Web site and a hot line to answer questions. Investigators looking into the situation said that one hacker came through a server in France, while the other came through a server in Eastern Europe. University officials have no information so far that any of the personal data on the servers has been misused. http://www.thedenverchannel.com/technology/4757407/detail.html

Paying Hackers For Bugs
CNET, 24 July 2005

Computer-security firm TippingPoint has begun a program to pay rewards to individuals who report computer vulnerabilities. Not unlike similar programs from other companies, the TippingPoint deal offers a variable amount of money if a reported bug proves valid. The company will use the information to update its own protection software and will notify the maker of the vulnerable product about the problem. David Endler, director of security research at TippingPoint, said the reward program is intended to "reward and encourage independent security research" and to "ensure responsible disclosure of vulnerabilities." Not all security companies believe in bounties. Internet Security Systems, for one, said that paying for such bug reports amounts to having hackers do a company's research for it. An official from Internet Security Systems also noted that the bugs reported in such programs are typically very low-level problems, saying that the more extreme vulnerabilities are worth much more when used for hacking than if turned in to security companies. http://news.com.com/2100-7350_3-5802411.html

Hackers Finding New Targets
Wall Street Journal, 25 July 2005

According to a new report from the SANS Institute, the number of computer hacking incidents is rising, and the targets of such hacks are increasingly software applications rather than operating systems. The organization found that the number of vulnerabilities reported was up 11 percent from the first quarter of the year to the second, and up nearly 20 percent from a year earlier. Alan Paller, SANS's research director, said the situation is getting worse. As operating systems become more secure, hackers are turning to applications, such as Apple's iTunes and RealNetworks's RealPlayer. Hackers are also focusing efforts on backup systems, particularly those of Computer Associates and Veritas Software. Because backup systems typically contain vast amounts of confidential corporate data, they represent an attractive target. SANS noted that the best way to avoid such hacking threats is to install all software patches, keep antivirus tools up to date, and be prudent in opening e-mail attachments. (sub. req'd) http://online.wsj.com/article/0,,SB112224497897894400,00.html

.From ACM's TechNews, July 25, 2005

"Retracing Spam Steps Could Halt Mass Emails"
New Scientist (07/22/05); Knight, Will

A team of researchers from IBM and Cornell University has devised SMTP Path Analysis, a method that traces an email's Internet route by examining the Simple Mail Transfer Protocol (SMTP) data recorded in the message's normally hidden header, and determines from this information whether the message is spam or authentic. The algorithm at the heart of SMTP Path Analysis "learns" by studying the chain of Internet Protocol addresses in both spam and legitimate email headers, which enables it to ascertain fairly accurately whether a new incoming email is genuine or junk. Barry Leiba with IBM's Thomas J. Watson Research Center says the algorithm cannot efficiently identify spam by itself, but is effective when it operates in conjunction with content filters; moreover, it can spot material that content filters cannot. The researchers developed a second algorithm to assess the plausibility of the route an email claims to have followed, as a countermeasure to spammers' ability to forge the address of the mail server used to send the message out. Microsoft anti-spam researcher Joshua Goodman says spammers should have a hard time inventing a workaround to SMTP Path Analysis, since the technique uses IP information derived from multiple sources. The SMTP Path Analysis software was unveiled at the Second Conference on Email and Anti-Spam on July 22. Other anti-spam proposals suggested by industry groups include having email servers furnish cryptographic keys so that messages can be confirmed upon their arrival in an in-box. Click Here to View Full Article
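The two ideas in the item above, learning from the chain of IP addresses in Received headers and checking whether the claimed route is plausible, are illustrated by the added example below. It is not the IBM/Cornell code; the two messages, the training paths, the per-/24 log-odds model and the table of expected host addresses are all constructed for the example, and the model is a deliberately small stand-in for whatever the researchers actually trained.

```python
import email
import math
import re
from collections import defaultdict

# One Received header, possibly folded across lines (hence re.S):
#   from <helo> (<rdns> [<ip>]) by <host> ...
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s()]+\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.S,
)

# Constructed sample messages (not real traffic). Each MTA prepends its own
# Received line, so the top one is the line our own MX wrote.
LEGIT_RAW = (
    "Received: from mail.example.com (mail.example.com [198.51.100.10])\n"
    "\tby mx.receiver.test with ESMTP id abc123\n"
    "\tfor <bob@receiver.test>; Fri, 22 Jul 2005 10:00:00 -0400\n"
    "Received: from alice-laptop (alice-laptop.example.com [192.0.2.5])\n"
    "\tby mail.example.com with ESMTPA id def456;\n"
    "\tFri, 22 Jul 2005 09:59:50 -0400\n"
    "From: alice@example.com\nTo: bob@receiver.test\nSubject: lunch\n\nsee you at noon\n"
)
# The spammer connects from 203.0.113.77, announces itself as mail.example.com
# and forges a lower Received line so the message looks relayed.
SPAM_RAW = (
    "Received: from mail.example.com (unknown [203.0.113.77])\n"
    "\tby mx.receiver.test with ESMTP id xyz789\n"
    "\tfor <bob@receiver.test>; Fri, 22 Jul 2005 10:05:00 -0400\n"
    "Received: from mail.example.com (mail.example.com [198.51.100.10])\n"
    "\tby mail.example.com with ESMTP id fake001;\n"
    "\tFri, 22 Jul 2005 10:04:00 -0400\n"
    "From: alice@example.com\nTo: bob@receiver.test\nSubject: cheap pills\n\nbuy now\n"
)
KNOWN_HOSTS = {"mail.example.com": "198.51.100.10"}   # constructed expected-address table


def parse_hops(raw):
    """Received hops oldest-first as (helo, ip, by) tuples; Nones for an unparsable hop."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        hops.append((m.group("helo"), m.group("ip"), m.group("by")) if m else (None, None, None))
    return hops


def received_path(raw):
    """The chain of IP addresses the message claims to have travelled, oldest-first."""
    return [ip for _, ip, _ in parse_hops(raw)]


def route_plausible(raw, our_mx, known_hosts):
    """Plausibility check on the one hop we can trust: the line our own MX wrote.

    Everything below the newest Received line is attacker-controlled text, so the
    check compares the connecting IP our MX observed with the address the HELO
    name is known to connect from.
    """
    helo, ip, by = parse_hops(raw)[-1]
    if by != our_mx:
        return False
    return known_hosts.get(helo) == ip


def prefix24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


class PathModel:
    """Naive per-/24 log-odds model trained on labelled Received paths."""

    def __init__(self):
        self.spam, self.ham = defaultdict(int), defaultdict(int)
        self.spam_hops = self.ham_hops = 0

    def train(self, path, is_spam):
        for ip in filter(None, path):
            if is_spam:
                self.spam[prefix24(ip)] += 1
                self.spam_hops += 1
            else:
                self.ham[prefix24(ip)] += 1
                self.ham_hops += 1

    def score(self, path):
        """Sum of Laplace-smoothed log-odds over the path; positive means spam-like."""
        total = 0.0
        for ip in filter(None, path):
            p = prefix24(ip)
            p_spam = (self.spam[p] + 1) / (self.spam_hops + 2)
            p_ham = (self.ham[p] + 1) / (self.ham_hops + 2)
            total += math.log(p_spam / p_ham)
        return total


def trained_model():
    """Model trained on constructed paths standing in for a labelled corpus."""
    m = PathModel()
    for path in (["192.0.2.5", "198.51.100.10"], ["192.0.2.9", "198.51.100.10"],
                 ["192.0.2.5", "198.51.100.11"]):
        m.train(path, is_spam=False)
    for path in (["203.0.113.12"], ["203.0.113.40", "203.0.113.77"], ["203.0.113.99"]):
        m.train(path, is_spam=True)
    return m


if __name__ == "__main__":
    model = trained_model()
    for name, raw in (("legit", LEGIT_RAW), ("spam", SPAM_RAW)):
        print(name, received_path(raw), round(model.score(received_path(raw)), 2),
              "plausible" if route_plausible(raw, "mx.receiver.test", KNOWN_HOSTS) else "forged")
```

The point the code makes explicit is the trust boundary: only the Received line added by the receiving MX records an address that was actually observed; a spammer can write anything into the lines below it, which is why the forged relay hop in SPAM_RAW carries a perfectly respectable-looking address and the route check ignores it.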

"May I Have Your Identification, Please?"
SiliconValley.com (07/25/05); Lee, Dan

Several email authentication technologies will go before the Internet Engineering Task Force as candidates for an industry standard. DomainKeys Identified Mail (DKIM) is a joint venture between Yahoo! and Cisco Systems that marries the former's DomainKeys and the latter's Internet Identified Mail into a technology that enables the mail service of a sender's company or service provider to attach a digital signature to each outgoing email; the recipient verifies the signature against a public key the sending domain publishes through the domain name system, which ties the message to that domain. Meanwhile, the Microsoft-backed Sender ID specification checks the numerical IP address of the server sending the email against a published list of servers the domain owner has authorized to send messages. DKIM has experienced difficulty with messages that pass through discussion-group email lists, which may modify a message and so break the signature, while Sender ID cannot always identify email forwarded from one address to another, because the forwarding server is not on the original domain's list. Experts classify an effective email authentication standard as one that is adopted by a large portion of the world's email senders, and Gartner analyst Arabella Hallawell believes DKIM will emerge as the leading standard because it faces fewer technical problems than Sender ID. However, Yahoo!, Cisco, and Microsoft each expect both technologies to find use. EarthLink's Tripp Cox says the level of industry collaboration surrounding these technologies is "unprecedented." "If we're going to make an impact on spam, it's crucial that the vast majority of Internet senders and receivers implement the technology," he argues. Click Here to View Full Article

.From EduPage, July 22, 2005

National Cybersecurity Test Scheduled
ZDNet, 22 July 2005

The Department of Homeland Security's National Cyber Security division plans a test of the nation's cybersecurity incident response capabilities with an exercise scheduled for November 2005 called Cyber Storm. The announcement came in written testimony by Acting Director Andy Purdy before a Senate subcommittee earlier this week. http://news.zdnet.com/2100-1009_22-5799876.html

"Information Security With Colin Percival"
O'Reilly ONLamp (07/21/2005); Lucas, Michael W.

Simon Fraser University visiting researcher Colin Percival described his research on information security in a recent interview, which deals with the security threat posed by hyperthreading. He showed that an attacker who simply runs ordinary, unprivileged code on the same processor core as the program he wants to spy on can observe that program's memory-access pattern through the shared cache, and that this is enough to leak secrets, such as the bits of a cryptographic key, from the victim program. Because the weakness lies in the processor design rather than in any one program, the finding raised considerable concern in the security community; Microsoft and Intel were initially reluctant to acknowledge the problem and have been slow to develop mitigations. Some critics maintain that Percival's attack is largely theoretical, though he claims that it is a very real threat. Percival believes that in the future, the task of sifting through source code in search of security errors will be handled by programs, instead of people. Percival's research, published in a paper entitled "Cache Missing for Fun and Profit," proved the existence of a covert channel running between threads on the same processor core, demonstrated how it could be used as a side channel, and offered solutions on how to guard against it. Percival developed his research while working on his doctoral degree and serving as a deputy security officer for FreeBSD. He has also written an open-source, downloadable security tool called FreeBSD Update that enables users to download and install security updates with little complication, addressing what he believes to be the central obstacle to the adoption of new security tools. Click Here to View Full Article

"Call for Homeland Security Cybersecurity Improvements"
IDG News Service (07/19/05); Gross, Grant

The U.S. Department of Homeland Security (DHS) does not have recovery plans in case of a widespread Internet attack, Government Accountability Office IT management director David Powner said yesterday, speaking before the Senate Homeland Security and Governmental Affairs Committee. Powner told lawmakers that DHS must implement an Internet recovery plan and a national cybersecurity threat assessment to better protect U.S. cybersecurity. Powner also said the GAO believes DHS must develop better relationships with state and local governments, private industry, and other federal agencies to counter cyber threats. Powner said that although DHS is making progress, "large portions of our critical infrastructure are unprepared to effectively handle a cybersecurity attack." Sen. Tom Coburn (R-Okla.) agreed with Powner and called for better coordinated cybersecurity prevention and recovery techniques. Meanwhile, DHS National Cyber Security Division acting director Andy Purdy asserted that the agency is implementing several plans to boost cybersecurity and decrease vulnerability. Sen. Thomas Carper (D-Del.) said DHS must put a higher priority on cyber security issues, cautioning that a joint physical and cyber attack could cripple response efforts. He said, "Cybersecurity plays an important role in the protection of our critical infrastructure." Click Here to View Full Article

.From ACM's TechNews, July 20, 2005

"Corrupted PC's Discover a Home: The Dumpster"
New York Times (07/17/05) P. 13; Richtel, Matt; Markoff, John

When faced with the contamination of their PCs by malware and other unwanted programs, many owners are opting to toss their infected machines and replace them with uncorrupted models, rather than go to the trouble of repairing them. Pew Internet and American Life Project director Lee Rainie characterizes such a response as entirely reasonable, given the incessant flood of malicious software, adware, spyware, defective programs, diminishing performance, and system crashes. In addition, Rainie says the threat of system corruption is escalating, and that "the arms race seems to have tilted toward the bad guys." Symantec's Vincent Weafer estimates that the ranks of computer viruses have swelled by more than 100 percent in the last six months alone, while adware and spyware programs have increased by approximately 400 percent; Symantec executives partly attribute this development to the growth of high-speed Internet access. Especially worrying is malware that can conceal itself from cleansing and removal programs, which makes the scrubbing of corrupted PCs a more complicated and often manual task, according to Weafer. Yale computer science professor David Gelernter says the software industry is chiefly responsible for this lamentable state of affairs, and points out that people are less and less willing to clean their PCs. Meanwhile, anti-infection tools such as firewalls, antivirus programs, and spyware-removal software are far from 100 percent effective. Some users, after acquiring new systems, are modifying their behavior to lessen the chances of PC corruption; for instance, San Francisco physician Terrelea Wong refuses to loan her computer out to friends, because she suspects her old system became infected through indiscriminate use of the Internet by her and her friends. Click Here to View Full Article

"Between Phishers and the Deep Blue Sea"
CNet (07/18/05); Kawamoto, Dawn

Hackers are often based in India, Korea, or China, with differing time zones and language barriers increasing the difficulty facing security enforcement agencies in the United States. The most prevalent cyberattacks are carried out by networks of zombies, compromised computers that are remotely controlled without the owners' knowledge. Currently, China is home to 21 percent of new zombies, with the United States at 17 percent and South Korea at 6.8 percent, according to CipherTrust. Hackers overseas are carrying out attacks because broadband is widespread in China and South Korea while proper security software is not, according to Anti-Phishing Working Group Chairman David Jevans. Another factor boosting the prevalence of overseas attackers is that even small amounts of money provide far more incentive to a hacker in a developing country than to one in the United States. The Forum of Incident Response & Security Teams, an international clearinghouse for response to security incidents among government agencies, universities, and organizations, recommends that companies implement a computer security incident response team, keep security patches and antivirus software updated, monitor network traffic for strange behavior, and join security groups in order to share valuable security information among members. Meanwhile, a broad, international coalition of trade groups, companies, and law enforcement organizations is working to stem cyberattacks from abroad by tightening global cooperation and establishing automatic filtering systems to block email traffic from specific regions. HoneyNet Project President Lance Spitzner says today's hackers are in it for the money, not fame. He says, "It's not so much a security issue. It's a crime issue now." Click Here to View Full Article

.From New York Times, July 17, 2005

A Pass on Privacy?
by Christopher Caldwell

E-ZPass is one of many innovations that give you the option of trading a bit of privacy for a load of convenience. Read the article.

.From New York Times, July 16, 2005

What to Do After Your Data Is Stolen
by M.P. Dunleavey

Another kind of headache started with some of the advice given to me as an identity theft victim - advice that sounds solid and sensible, but does nothing or may even make matters worse. Someone should really test-drive this stuff, so allow me .... Read the article.

.From EduPage, July 18, 2005

University Charges Cybersquatting
Detroit News, 18 July 2005

A Minnesota-based company has raised the ire of a number of colleges and universities after registering more than 23,000 URLs, many of which imply a connection to the schools that does not exist. BDC Capital Inc. has registered such URLs as www.universityofmichiganwolverines.com, which is not affiliated with the University of Michigan at all, and www.uofmgophers.com, which has no connection with the University of Minnesota. Marvin Krislov, general counsel at the University of Michigan, which has sent the company a cease-and-desist order, called the URLs a "pretty clear violation of trademark," noting that reasonable people would likely assume a connection between the site and the institution. A spokesperson from BDC said the company does not believe it has violated any trademarks. He said the company believes that the URLs "represent a significant asset to both BDC and the schools," saying that BDC anticipates a "partnership" with the schools to sell souvenirs and other items. http://www.detnews.com/2005/technology/0507/18/0tech-250797.htm

Study Shows Drop In Damages From Cyber Attacks
The Register, 18 July 2005

A new study shows a significant drop in the amount of damage caused by cyber attacks as well as a shift in the kinds of attacks that are most commonly reported. Researchers from the University of Maryland conducted the Computer Crime and Security Survey on behalf of the Computer Security Institute (CSI), with consultation from security experts at the FBI. The survey questioned IT security officials at 700 private companies, governmental agencies, and universities and found that the average cost per security incident was $204,000, down from $526,000 a year earlier. Viruses remain the most frequent type of attack (32 percent), but unauthorized access rose to second on the list at 24 percent. Chris Keating, director of CSI, noted that schemes to steal individuals' identities are a growing concern. The survey, he said, indicates "more financial damage due to theft of sensitive company data," a trend that should press network managers to ensure the security of enterprise systems. http://www.theregister.com/2005/07/18/csi_fbi_security_survey/

While Computer Attack Costs are Down, Data Theft Costs Increase
Computerworld 18 July 2005

A survey from the Computer Security Institute (CSI) and the FBI found that the average losses due to computer attacks dropped 61% in 2004. The 700 companies and government agencies who responded to the survey reported an average cost for cyber attacks of US$204,000 in 2004 compared to an average of US$526,000 in 2003. This is the fourth consecutive year in which the cost has dropped. However, the cost associated with information theft has increased more than US$51,000 from last year. Theft of proprietary information cost the respondents an average of US$355,000 in 2004, compared to US$169,000 in 2003. http://www.computerworld.com/printthis/2005/0,4814,103301,00.html

.From ACM's TechNews, July 18, 2005

"How to Make Safer Software"
Wall Street Journal (07/18/05) P. R4; Guth, Robert A.

As software has filtered down to virtually every aspect of our lives, developers have begun to realize that the bells and whistles that used to drive sales of their products must take a backseat to fundamental security and quality provisions. In a recent interview, Cigital CTO Gary McGraw highlights the shift toward accountability that is defining today's software industry, as evidenced by the Sarbanes-Oxley Act and other standards of security-driven compliance. The trend is to knit security measures into the fabric of the software, rather than to address it after implementation through firewalls and antivirus programs whose vulnerabilities have already been exposed. Also, more companies in non-software industries are starting to look at software development in house, such as banks, credit card companies, and automobile manufacturers. McGraw cites Microsoft as having emerged from its earlier practice of relying on features to drive software sales to a more responsible, quality-focused approach that has enhanced the security of their software and further solidified their dominance in the market, even if the company is still not perfect. McGraw recommends that developers incorporate software assurance throughout the design of every package, which entails considering the end requirements of a system as well as the potential threats hackers may pose to it. To fully integrate software with the business community, developers must also overcome the language barrier and speak in terms that have instant relevance to bottom line, instead of burying themselves in impenetrable technical rhetoric. In the face of foreign competition, McGraw believes U.S. software companies can retain their preeminence through forward-looking risk management and needs assessment, even if India and China can offer coders who work for lower wages.

.From EduPage, July 13, 2005

Coalition To Release Spyware Definition
CNET, 12 July 2005

The recently created Anti-Spyware Coalition is set to release a definition of spyware. According to officials from the group, the first step toward dealing with the growing problem of spyware and adware is to define very clearly what it is. The group's proposed definition, which the public can comment on until August 12, identifies spyware as software that is installed without adequate notification and that monitors computer users' activities. The group also proposes a broader definition that would include software that interferes with users' abilities to properly control their systems. Critics of the group's definitions argue that makers of spyware and adware stand to benefit the most from such a definition because it clearly delineates what they could do and get away with. After the comment period is closed, officials of the Anti-Spyware Coalition will incorporate the best suggestions into the final definitions. http://news.com.com/2100-1029_3-5783926.html

.From EduPage, June 29, 2005

Security Community Bemoans Loss Of Hacker Magazine
Silicon.com, 11 July 2005

Long-time hacker magazine "Phrack" will stop being published this year after nearly 20 years as an information exchange for computer mischief, and at least some computer security experts believe computer users will be less safe after it is gone. Hackers have routinely undermined their own efforts by revealing their successes at compromising systems or causing other damage. Pete Simpson of computer security firm Clearswift noted that although the magazine makes computer exploits available to those who would use them to cause harm, by definition it also makes them available to the community of users working to protect computers from hackers. Simon Perry, vice president of security strategy at Computer Associates, said that security experts will still be able to find information about new exploits but that "Phrack was great as a one-stop shop" for such information. Simpson commented that after Phrack shuts down, younger hackers are likely to develop new vehicles to tell the world about their triumphs, once again leveling the playing field. http://software.silicon.com/security/0,39024655,39150241,00.htm

.From Queue, June 25, 2005

The Answer is 42 of Course

If we want our networks to be sufficiently difficult to penetrate, we've got to ask the right questions. Read the Article.

.From ACM's TechNews, July 8, 2005

"Schools Looking for Ways to Lure More Minorities"
Triangle Business Journal (07/01/05); Sutker, Colin

Undergraduate enrollments in computer science programs, which have tended to lean toward the white male demographic, are shrinking. This is spurring computer science departments to study their student populations in order to ascertain why they are failing to lure minorities, so that they can take action. University of Virginia professor Joanne Cohoon believes that declining interest in computer science among white males, together with the erosion of the white male majority in the United States, is draining the pool from which the U.S. IT workforce is drawn. Auburn University computer science professor Juan Gilbert says innovation in computer science programs is suffering because diversity is lacking, since students with common backgrounds follow a common problem-solving model that limits their creativity. He adds that minorities are often discouraged from pursuing computer science because they have few peers or role models, which perpetuates the stereotype that their mathematical skills are sub-par. Getting more minorities interested in computer science by providing role models to young students is the mission of organizations such as the Coalition to Diversify Computing and the Institute for African-American E-Culture. Meanwhile, the National Science Foundation has taken a leading role in national initiatives to boost minority enrollment by establishing the Broadening Participation in Computing program, which apportions grants to colleges for programs designed to increase minority participation from a $14 million fund. Click Here to View Full Article

.From ACM's TechNews, July 8, 2005

"How Secure Is Federal 'Cybersecurity'?"
Fox News (07/07/05); Vlahos, Kelley Beaucar

Although the protection of America's cyber-infrastructure has been of primary concern since 9-11, official reports and industry experts concur that the U.S. government's cybersecurity effort comes up drastically short, focusing on short-term "band-aid" solutions instead of a long-term strategy. Observers blame a dearth of leadership and a failure to keep pace with the rapid appearance of new dangers. A February report from the President's Information Technology Advisory Committee (PITAC) attributed America's cybersecurity woes to inadequate R&D funding, refusal to share Federally developed technologies with the private sector, and general apathy in Washington; critics and PITAC co-chairman Edward Lazowska say little has been done to address these issues in the five months since the report was submitted. A May report from the Government Accountability Office (GAO) concluded that the 13 critical security protocol implementation objectives the GAO recommended to the Department of Homeland Security remain unrealized, citing the continued lack of national cyberthreat and vulnerability evaluations or government-industry contingency recovery strategies. Beefing up the cybersecurity of America's critical infrastructure will remain an elusive goal until DHS tackles the challenges of organizational stability, information-sharing between government agencies as well as the government and the private sector, and the demonstration of effective cyberattack prevention, according to the GAO. Also in May, DHS took issue with an earlier DHS Inspector General's report that spotlighted security problems in several DHS agencies, arguing that significant improvement to U.S. cybersecurity has been made. Click Here to View Full Article

.From ACM's TechNews, July 1, 2005

"Antispam Proposals Advance"
CNet (06/29/05); Festa, Paul

The Internet Engineering Steering Group (IESG) announced that it has adopted two competing antispam technologies, citing both as still "experimental." Microsoft, AOL, and others have been competing for control of the antispam market, which now appears to be divided between the Sender Policy Framework (SPF) and Sender ID. Microsoft backs Sender ID, which it sees as a more sophisticated version of SPF. Microsoft's Samantha McManus says, "We're glad to see Sender ID's experimental status, and we think email authentication is very important for addressing spam and phishing. That said, we definitely have more to do." Both technologies have been accepted by email providers, though the IESG, a division of the Internet Engineering Task Force (IETF), believes the experimental trial is necessary to solidify standards. As an alternative, Cisco backs Yahoo's DomainKeys as its authentication and antispam application. The IESG said, "Given the importance of the worldwide email and DNS systems, it is critical that future standards support their continued stability and smooth operation." Click Here to View Full Article
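The IP-based check that both the Sender ID item above and the SiliconValley.com item of July 25 describe (compare the connecting server's address with the list the domain owner publishes in DNS) is shown in the added example below. It is an illustration written for this page, not the SPF or Sender ID reference code: it evaluates a simplified SPF-style record against a constructed in-memory DNS table instead of live lookups, covers only the ip4, a, mx, include and all mechanisms, and ignores the question of which message identity (MAIL FROM for SPF, the purported responsible address for Sender ID) the domain is taken from. All domain names, addresses and records in it are constructed.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption: runs offline).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 mx include:_spf.bulk.test -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.10"]},
    "_spf.bulk.test": {"TXT": ["v=spf1 ip4:203.0.113.0/26 ~all"]},
    "newsletter.test": {"TXT": ["v=spf1 a -all"], "A": ["192.0.2.25"]},
    "relay.test": {"TXT": ["v=spf1 mx -all"], "MX": ["mail.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate the domain's published sender list against the connecting IP.

    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    Simplified: the depth counter stands in for the limit on DNS-querying
    terms in the real specification, and redirect= and the a/mx CIDR forms
    are left out.
    """
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ipaddress.ip_address(a) == addr
                          for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism: the record is unusable
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # ran off the end without an explicit "all"


if __name__ == "__main__":
    # Direct delivery from the domain's own server, then the forwarding case
    # the article mentions: a legitimate message relayed by a host (192.0.2.44)
    # that the domain owner never listed.
    print("direct   :", check_host("198.51.100.10", "example.com"))
    print("forwarded:", check_host("192.0.2.44", "example.com"))
```

The second call shows the forwarding problem the article attributes to Sender ID: the domain owner's list says nothing about the forwarder, so a genuine message fails. A DKIM signature is bound to the message body and selected headers rather than to the connecting address, so it survives a plain forward but breaks when a mailing list rewrites the body, which is the mirror-image weakness the article describes for DKIM.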

"The Answer Is 42 of Course"
Queue (06/05) Vol. 3, No. 5, P. 34; Wadlow, Thomas

Independent security consultant Thomas Wadlow writes that the role people play in online security makes absolutes irrelevant, and he advises companies to base the defense of their security systems on the fundamental question of how the network can be designed so that it is "safe enough." Many successful network intrusions stem from either lax design or highly motivated hackers, leading Wadlow to formulate a two-pronged strategy to defend against intruders with sufficient skill, motivation, and opportunity: The first goal is to design the network so that an attacker needs a very high level of skill and motivation and finds as little opportunity as possible for a successful attack, while the second goal is to determine where and how much effort to devote to the process. In the category of skill, questions to be asked include how hackers build their skills with off-the-shelf software; how companies can maximize the amount of skill hackers need to breach networks and minimize the amount of skill needed to operate network defenses; how the acquisition of network knowledge by attackers can be prevented; and how to tell that a network is under attack. Questions to be raised on the subject of motivation include how or why people are provoked to attack the network; whether the company's defensive actions encourage or discourage an attacker's motivation; and what would motivate people not to attempt intrusions. To keep a hacker's opportunities to attempt a break-in as low as possible, the company should clearly identify those opportunities, confirm that all network entrances and exits are known, and verify through constant measurement that the network is actually built in accordance with the company's assumptions.
Because the most skilled, motivated, and opportunistic hackers often work for the company, care must be taken to establish who are trustworthy and untrustworthy employees or ex-employees, the most potentially dangerous insiders, and how to keep the people who can cause a security problem happy, engaged, and mindful of the potential for trouble as well as the fallout from an intrusion.

.From EduPage, June 29, 2005

Phishers Locked Up
CNET, 29 June 2005

Two men have been sentenced to prison in Britain for orchestrating a phishing scheme that used stolen identities to pilfer as much as 6.5 million pounds over two years. Douglas Harvard and Lee Elwood were sentenced to six and four years respectively for their parts in the phishing ring, which authorities said garnered at least 750,000 pounds during one 10-month period. The men allegedly worked with individuals in Russia to traffic in personal information and the money stolen using that information. Mick Deat, deputy head of Britain's National Hi-Tech Crime Unit, issued a statement thanking the U.S. Secret Service and the FBI for their assistance in the investigation. The statement also expressed Deat's hope that the convictions will discourage others who might consider such scams. http://news.com.com/2100-7348_3-5766860.html

.From ACM's TechNews, June 29, 2005

"Cybersecurity Group Looks to Europe for Help"
IDG News Service (06/27/05); Pruitt, Scarlet

Former White House security director and current Cyber Security Industry Alliance (CSIA) executive director Paul Kurtz on Friday called the global information systems security threat "high risk," and warned that federal agencies are "taking information security for granted." Kurtz left his position at the White House because he disagreed with the emphasis on physical security over information security. At CSIA, Kurtz is working along with CEOs from security companies on global cybersecurity issues, such as developing policies with cooperation from a variety of concerned players and improving prevention standards. Kurtz laments the U.S. government's reduced spending on cybersecurity research and development, and says some in government wrongly believe that most cyber mischief is the work of geek teenagers instead of professional criminals. Kurtz says CSIA is pushing the private sector to develop strategies to mitigate cyberthreats, focusing on a holistic approach that involves many affected parties. CSIA is already working with the European Union's Article 29 working group on data protection, and plans to eventually extend their work into Asia. In the U.S., Kurtz hopes CSIA's efforts will push the U.S. government to take more action. He says, "We need to raise these issues, but at the same time, we need to make sure that the government doesn't overreact." Click Here to View Full Article

.From ACM's TechNews, June 27, 2005

"Microsoft Pushing Spam-Fighting System"
Associated Press (06/22/05); Jesdanun, Anick

Despite the fact that Microsoft's spam-fighting technology Sender ID delivers about 10 percent of legitimate email messages to junk folders, the company announced plans to become more aggressive at rejecting mail sent through company or service providers not registered with the Sender ID system by the end of this year. The system requires that ISPs, companies, and other domain name holders submit their mail servers' unique IP addresses, so the Sender ID system can verify emails were sent from those particular IP addresses, but only about 25 percent of email currently has the necessary Sender ID data. The Internet Engineering Task Force disbanded its Sender ID task force last September amid patent disputes, but nevertheless encouraged Microsoft and others to continue developing their spam-fighting systems. The Direct Marketing Association's Jerry Cerasale believes Microsoft's move is "a necessary step to protect both corporate brands and consumer confidence." Microsoft's Craig Spiezle acknowledged that some critics of the Sender ID system are concerned about disruption of mail-forwarding services or "send to a friend" links. Spiezle asserts that Microsoft is monitoring the situation to prevent any such disruptions. Click Here to View Full Article
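The authorization check that SPF and Sender ID perform, as described in this item and in the IESG item above, reduces to: look up the sending domain's published policy and test whether the connecting server's IP address is listed. The following evaluator is an added example, not code from Microsoft, the IETF or this blog; the DNS TXT records it consults are a constructed in-memory table standing in for live DNS, and only the ip4, ip6, include and all mechanisms are modelled. It also reproduces the mail-forwarding failure mode the critics raise: a legitimate message relayed by a third-party forwarder arrives from an IP the origin domain never published.

```python
import ipaddress

# Constructed TXT records standing in for real DNS zones (not real domains' data).
CONSTRUCTED_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # A domain that has published no policy at all (the common case in 2005).
    "nospf.example": None,
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=CONSTRUCTED_TXT):
    """Return the domain's v=spf1 record from the constructed table, or None."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(ip, domain, txt=CONSTRUCTED_TXT, depth=0):
    """Evaluate whether `ip` may send mail for `domain`.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Mechanisms are tested left to right; the first match decides the result and
    its qualifier (+, -, ~, ?) selects which result that is.
    """
    if depth > 10:               # guard against include: loops
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"            # no policy published: receiver learns nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_spf(ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"           # include of a missing record is an error
            matched = inner == "pass"
        else:
            return "permerror"   # a, mx, ptr, exists need live DNS; not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"             # record exhausted without a match


def forwarded_mail_outcome():
    """Model the forwarding problem: the same message checked at two hops.

    Hop 1: example.com's own server (192.0.2.5) delivers to a forwarding mailbox.
    Hop 2: the forwarder (constructed IP 203.0.113.7) relays it unchanged to the
    final recipient, whose receiver checks the origin domain against the
    forwarder's IP, which example.com never published.
    """
    direct = check_spf("192.0.2.5", "example.com")
    forwarded = check_spf("203.0.113.7", "example.com")
    return direct, forwarded


if __name__ == "__main__":
    print("legitimate sender :", check_spf("192.0.2.5", "example.com"))
    print("via included host :", check_spf("198.51.100.10", "example.com"))
    print("spoofed sender    :", check_spf("203.0.113.9", "example.com"))
    print("domain without SPF:", check_spf("203.0.113.9", "nospf.example"))
    print("direct / forwarded:", forwarded_mail_outcome())
```

A receiver that rejects on "fail" outright, as the item says Microsoft planned to do, therefore drops the forwarded legitimate message along with the spoofed one, which is why forwarders had to rewrite the envelope sender or receivers had to whitelist them.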

.From ACM's TechNews, June 27, 2005

"Viruses, Security Issues Undermine Internet"
Washington Post (06/26/05) P. A1; Cha, Ariana Eunjung

The Internet is falling prey to a growing body of security threats, as the network with a billion users but no owner still relies essentially on a global honor system. "The Internet is stuck in the flower-power days of the '60s during which people thought the world would be beautiful if you are just nice," says Karl Auerbach, a computer scientist working actively to improve the security of the Internet. Increased security concerns and the growing feeling that the current Internet will never realize its promise are leading many to advocate a second look at the network, a so-called Internet 2.0. As the Carnegie Mellon CERT Coordination Center reported an increase in the number of vulnerabilities from 1,090 in 2000 to 3,780 in 2004, a unified response has been hindered by disputes over property ownership and profits. The Internet's architects never spent much time thinking of defenses to internal attacks, focusing instead on external threats, such as natural disasters, while ignoring the central threat the network now faces. As the number of users proliferates and hackers develop increasingly devious ways to attack Web sites and compromise security, some have speculated that instead of applying temporary patches, portions of the Internet will need to be rebuilt from the ground up. As current governing bodies exert only a tenuous regulatory authority over the Internet, there have been calls for turning control over to an established central organization, such as the United Nations. Amidst the scramble to define the next generation of the Internet, security remains the prime mover in a field of diffuse visions. 
Some companies are heralding "return addresses" for emails that would remove the mystery of a sender's identity, and others, such as the small academic coalition Internet2, advocate a compartmentalized Internet where users would convene in small groups created for very specific purposes, such as a chat room for parents of children on the same soccer team or some other easily-defined group that would deny access to anyone not of that community. Click Here to View Full Article

.From ACM's TechNews, June 24, 2005

"Better PC Security Years Away"
TechNewsWorld (06/22/05); Mello, John P.

The immediate future of secure computing will more closely resemble a mainframe than a PC, until an enhanced operating system and better hardware are developed. In the meantime, researchers are working on technologies to improve PC security, such as the Trusted Platform Module (TPM), which establishes a secure hardware zone inside a PC to confidently support security programs. Intel, AMD, and Microsoft are also jumping on board with their own PC security applications. Intel's Chad Taggard said, "What we're doing with this hardware and the Trusted Platform Module is taking best known security methods and putting them where people can't tamper with them." AMD's technology solves the "warm boot hole" problem that opened the door to hackers accessing data in a computer that had just been restarted, with its power still on, by wiping the immediate memory. Microsoft's next Windows version, code-named Longhorn, will be vital to their own Next-Generation Secure Computing Base (NGSCB), as well as the future of the secure PC in general, though by some estimates the technology will not be fully actualized until 2009 or 2010. Computer Associates' John Bedrick cautioned, "These aren't going to be a panacea for everything." He adds that while there are no sure bets, "what we all try to do is improve what we have and try to get ahead of the curve as much as possible," allowing that hackers will evolve just as security technologies do. Click Here to View Full Article

.From ACM's TechNews, June 22, 2005

"Snoozing About Security"
CNet (06/17/05); Cooper, Charles

The two-year-old Department of Homeland Security (DHS) cybersecurity division has gone through three cyberczars and millions of taxpayer dollars with no progress in the quest to control the increasing number of worm and virus attacks, writes CNet executive editor Charles Cooper. In an Internet poll, most Americans doubt the U.S. government is doing enough in terms of cybersecurity with just 28 percent reporting that the government is doing a good job. Pending legislation establishing an Assistant Secretary for Cybersecurity and the DHS Cybersecurity Enhancement Act of 2005 increasing funding and authority are both meant to help improve cybersecurity. A report from the Government Accountability Office (GAO) determined significant structural and cultural problems among federal agencies. The GAO suggests creation of security milestones to help improve progress in cybersecurity, but the DHS rejected the recommendations and called for more "clarifications." GAO report author David Powner and other security experts fear a combined cybersecurity and physical terrorist attack due to ongoing vulnerabilities. Powner says, "If you look at the recovery plans (DHS has in place), more work needs to be done. If you look at reconstituting the Internet if there were an event that took down the network, there's still not a plan in place." Click Here to View Full Article

"Common Criteria or Common Confusion?"
SD Times (06/01/05) No. 127, P. 5; de Jong, Jennifer

The process of certifying the security of commercial software is not necessarily flawed, but the two dimensions of the Common Criteria result in some confusion, according to Mike Wolf, general manager of the advanced products engineering group at software vendor Green Hills. Common Criteria, which consists of a process for evaluating technical remedies to security threats and a set of standards for specifying the threats, is confusing because it has two dimensions to its rankings, says Wolf. While the first dimension, the Protection Profile, refers to the specific security requirements that were tested, the second dimension, the Evaluation Assurance Level, ranges from EAL1 (low) to EAL7 (high) to indicate how confident evaluators are about the product's ability to deliver on its security claims. People often focus on the second dimension, but it must be considered in relation to the first dimension. For example, Microsoft received a Common Criteria certification for Windows 2004 at the competitive EAL4 ranking, but its first dimension Controlled Access Protection Profile (CAPP) represents a minimal level of security functions. As IBM's Dan Frye explains, "you can have a high level of confidence about a minimal set of security functions." CC became an international standard in 1993 as the introduction of country-specific security initiatives fell out of favor in the United States, Canada, and European countries. Click Here to View Full Article

.From EduPage, June 27, 2005

University Of Connecticut Discovers Security Breach
New York Times, 24 June 2005

Officials at the University of Connecticut have discovered a breach of one of the university's servers, which contained personal information for about 72,000 individuals. According to Michael Kerntke, a spokesperson for the school, the university found a program on the server that could have given a hacker access to the information on that computer, which included names, addresses, phone numbers, Social Security numbers, and dates of birth. Although the program has evidently been on the server since October 2003, officials said there was no evidence that any of the data had actually been taken. Kerntke noted that the program seems to have been part of a broad Internet attack rather than one specifically directed at the university. As a result, he said, "the attacker most likely had no knowledge of the kind of data stored on the server." (registration req'd) http://www.nytimes.com/2005/06/25/technology/25conn.html

.From EduPage, June 24, 2005

Choicepoint Changes Practices To Avoid Repeat Disclosure
Wall Street Journal, 24 June 2005

Following the high-profile loss of personal information on nearly 145,000 individuals, data broker ChoicePoint said it will make significant changes to its business procedures to prevent future security breaches. In its reports, the company will begin masking Social Security numbers, and it will limit the amount of business it conducts with certain customers, including private investigators, collection agencies, and small financial companies. ChoicePoint has also begun offering access to individuals--at no charge--to the information that the company keeps on them. Though not widely advertised, the new service provides one annual report of "personal public records" searches. ChoicePoint currently maintains a vast database of information culled from public and business records on nearly every adult in the United States. After the security breach that exposed so many individuals to identity theft, Congress held hearings on ChoicePoint and other data brokers and is considering tightening regulation of the data industry. (sub. req'd) http://online.wsj.com/article/0,,SB111957007176668246,00.html

.From EduPage, June 15, 2005

Spyware Charges Result In $7.5 Million Settlement
Reuters, 15 June 2005

California-based Intermix Media will pay New York State $7.5 million over three years to settle a spyware lawsuit. In the suit, New York Attorney General Eliot Spitzer had charged the company with violating state false-advertising and deceptive-practices laws. Intermix acknowledged that it formerly distributed software that was surreptitiously installed on users' computers, though as part of the settlement the company admitted no wrongdoing. Intermix had previously suspended the distribution of the software at issue; with the settlement, the company will permanently discontinue the practice. Intermix has also created a position of chief privacy officer since the lawsuit was originally filed, and officials from the company said they have cooperated with federal regulators. Read the article

Survey Shows More Bad Guys Turning To Browser Attacks
CNET, 14 June 2005

According to a new survey by the Computing Technology Industry Association (CompTIA), the incidence of browser-based attacks rose sharply last year, while that of viruses and worms fell slightly. Browser-based attacks exploit the naivety of computer users, as in the case of phishing attacks, or technical vulnerabilities in browser or operating system software. Phishing scams work by fooling users into disclosing private information; other attacks attempt to download malicious code to the computers of visitors to a Web site to steal information or take control of the computer. According to CompTIA's survey of nearly 500 organizations, 56.6 percent have been targets of browser-based attacks, up from 36.8 percent one year ago. Viruses and worms continue to head the list of computer security threats, at 66 percent, which is just down from last year's number of 68.6 percent. Read the article

.From EduPage, June 13, 2005

Former Student Convicted Of Stealing Data
Chronicle of Higher Education, 13 June 2005

A former student of The University of Texas at Austin has been found guilty of writing a computer program that stole names and Social Security numbers from about 37,000 students, faculty, and others associated with the university. The jury found Christopher Andrews Phillips not guilty, however, of intending to profit from the data he stole. Phillips, who is now a senior at the University of Houston, said he wrote the program as part of his computer training and never had any intention of using the information. The theft took place in 2002 and 2003, when Phillips's program made more than 600,000 inquiries to a UT database, trying to match names with Social Security numbers. UT officials detected the activity and traced it to Phillips, whose computer was seized with the program he wrote and the data it had harvested. Phillips faces up to six years in prison; had he been convicted of the other charges, he would have faced close to 30 years. (sub. req'd) http://chronicle.com/prm/daily/2005/06/2005061301t.htm

Liberty Alliance Addresses Id Theft
CNET, 13 June 2005

The Liberty Alliance has announced the formation of an Identity Theft Protection Group, intended to address the problem of identity theft. The alliance was created in 2001 to establish standards for online authentication and now has a membership of more than 150 companies, nonprofits, and government organizations. Michael Barrett, co-chairman of the new group and a security executive at American Express, said he believes the problem of identity theft will continue to worsen such that "it is no longer a question if your identity gets stolen, but when." The new group will initially work to clearly define the problem and its parameters and later will try to develop solutions, which, according to Barrett, might include technical specifications, best practices, or business guidelines. James Van Dyke of Javelin Strategy and Research, which covers identity fraud, noted that despite perceptions otherwise, the incidence of identity theft has been decreasing over the past few years. Read the article

.From EduPage, June 6, 2005

Spam Fighters Form New Coalition
Silicon.com, 3 June 2005

A new group tentatively called the Anti-Spyware Coalition plans to publish guidelines to define spyware, best practices for software development, and a lexicon of common terms by the end of the summer. The guidelines will be open to public comment. The Center for Democracy and Technology, a public advocacy group based in Washington, is running the new initiative. The coalition formed two months after the collapse of the Consortium of Anti-Spyware Technology Vendors, which admitted a company suspected of making adware. According to David Fewer, staff counsel at the Ottawa-based Canadian Internet Policy and Public Interest Clinic, which is affiliated with the new consortium, judging whether software is spyware comes down to notice, consent, and control. Many adware and spyware products fail to meet all three requirements. Read the article

.From ACM's TechNews, June 13, 2005

"Internet Security...Writ Very Small"
Network World (06/06/05) Vol. 22, No. 22, P. 1; Messmer, Ellen

Iowa State University researchers have developed a version of the Internet in microcosm to be used as a cyber-defense test bed, according to computing professor and project leader Doug Jacobson. The Internet-Simulation Event and Attack Generation Environment (Iseage) was funded primarily by a $500,000 grant from the Justice Department, which has promised an additional $700,000 for this summer. Iseage, which resides on a high-speed LAN, was used by students engaged in Iowa State's Cyber Defense Competition last month. The contest involved teams who defended Web sites running on Windows, Unix, and open source operating systems against security professionals representing hackers. Iowa State student and winning team member Sean Howard says the battle waged on Iseage imparted the experience of defending a corporate network. Jacobson says simulating the complexities of real-life cyberattacks is commercially desirable; "Our goal is to have [Iseage] as a point where organizations can test security paradigms," he explains. Iowa State will permit organizations to use Iseage to model their networks with defense in mind, for an as-yet undisclosed fee. It is also expected that the state of Iowa will employ Iseage to assess its network's resiliency against various cyberattack scenarios. Click Here to View Full Article

"The Looming Threat of Pharming"
InfoWorld (06/06/05) Vol. 27, No. 23, P. 39; Leon, Mark

Pharming exploits the requirement that all URLs must be converted into IP addresses via the domain name system (DNS), and the hacker who successfully "poisons" a DNS server will cause that server to respond to an authentic URL request with a bogus IP address. Upon arriving at the phony site, the victim enters an ID, password, and personal identification number, only to receive a pop-up window that claims the password is invalid; the victim then re-enters the data, by which time he has been sent back to the real site, unaware that his account is now open to the hacker. Security experts and analysts agree that the most effective deterrent against DNS poisoning is to ensure that one has the latest DNS software and security patch updates, and they recommend that users running Berkeley Internet Name Domain (BIND) should upgrade to Version 9, which is more or less immune to poisoning compared to earlier iterations. "If you lock down all your servers and make sure they are only pulling off root cache servers, it is going to be very difficult for a hacker to pharm you," says TraceSecurity CTO Jim Stickley. SANS Institute analyst Johannes Ullrich cautions that this do-it-yourself strategy entails a lot of work, given the complexity of maintaining the DNS. The IETF's decade-old DNS Security (DNSSEC) protocol is acknowledged by many experts to be the ultimate defense against pharming, because it facilitates the encryption and signing of DNS data. However, Ullrich says this solution is impractical, a conclusion echoed by Burton Group analyst Dan Golding, who describes DNSSEC as "horrendously complex." He also notes that the inherent difficulty and cost of pharming is such that the number of pharming hackers should be relatively small, though Stickley says the presence of vulnerable DNS servers ensures that pharming will explode, sooner or later. Click Here to View Full Article

.From ACM's TechNews, June 10, 2005

"Computer Viruses Become Hacker Informants"
New Scientist (06/09/05); Marks, Paul

Security experts have discovered an emerging class of malware called vulnerability assessment worms that keep hackers apprised of the latest computer-network vulnerabilities so they can refine their cyberattack strategies or even target individual machines. Once the worms contaminate a network, they scan for security holes and report back to hackers via an Internet chatroom; scores of computers compromised by "bot" viruses are frequently directed through a chatroom link, and are often used to distribute spam or knock out Web sites with a denial of service attack. Symantec's Kevin Hogan says new viruses are coming out of the woodwork in ever-increasing numbers because the source code for many programs is freely available online. Computer security expert Bruce Schneier notes in the June 2005 edition of the ACM's Queue magazine that over 1,000 new viruses and worms were uncovered in just the last six months, and points to the SpyBot.KEG worm as one of the most advanced forms of vulnerability assessment malware. The program informs its creator about vulnerabilities through an Internet Relay Chat (IRC) channel, and Schneier anticipates the emergence of even more complex IRC worms of a similar nature, as well as the use of peer-to-peer file-trading networks as launching platforms for new viruses. Hogan says the bot-hacker communication channel can be blocked with strong firewalls, while the IRC these hackers use can also be their undoing, since a hacker can be easily tracked once the authentic IP address of the IRC channel host is learned. Click Here to View Full Article

.From ACM's TechNews, June 6, 2005

"Device Drivers Filled With Flaws, Threaten Security"
Security Focus (05/26/05); Lemos, Robert

Although operating system code has improved in recent years, device drivers still have numerous flaws that threaten operating system security. The responsibility of securing device driver code lies primarily with the third-party hardware vendors that create the drivers, but also with Microsoft and the Linux development community. Automated code-checking firm Coverity said an audit of the Linux 2.6.9 kernel code revealed that over 50 percent of the discovered flaws existed in device drivers. Though those flaws may not have been exploitable, they do reflect on the overall quality of code, says Coverity CEO Seth Hallem. Microsoft's Windows software development process includes provisions for checking third-party code shipped with the operating system and the company has an initiative to improve device driver development. The Linux kernel has been consistently audited for security, but the kernel source tree contains huge numbers of outdated device drivers, says Novell software engineering director Crispin Cowan. Of particular concern are drivers with direct memory access such as USB drivers, graphics drivers, and sound drivers, since code launched from those can overwrite system memory. Networking, wireless, and Bluetooth drivers are the only ones that are vulnerable to remote access, however. Open Source Development Labs Linux evangelist Bill Weinberg says driver exploits are also limited by the fact that many of them will simply crash the system.

.From New York Times, June 9, 2005

The Scramble to Protect Personal Data
by Tom Zeller Jr.

The problem of data security goes well beyond couriers and data tapes. And improving things takes time and money. Read the article.

.From ACM's TechNews, June 3, 2005

"Has Ransomware Learned From Cryptovirology?"
NewsFactor Network (06/02/05); Young, Adam L.

The Trojan recently reported in the media to hold victims' data hostage is probably not a true cryptovirus, writes infosec researcher Adam Young, who pioneered cryptovirology research along with his Columbia University professor Moti Yung. But the news shows criminal hackers are likely to begin wielding cryptographic tools more frequently in their activities, especially public-key cryptography. According to the Associated Press and F-Secure, the so-called "Ransomware" attack was actually easily foiled--F-Secure said its anti-virus product was able to detect the Trojan and decrypt the hostage files; however, cryptoviruses such as those demonstrated in Young's research promise to be much more powerful because they leverage public-key cryptography instead of symmetric encryption alone. With true cryptoviruses, victims would necessarily have to cooperate with the hacker to decrypt the symmetric key using the hacker's private key. Young wrote his thesis on cryptovirus attacks in 1995 and published a paper together with Yung at the 1996 IEEE Symposium on Security & Privacy, and over the next decade they gathered more research and evidence of cryptovirus attacks and documented attempts to hold data hostage. In February 2004, the researchers published their compiled work in the book "Malicious Cryptography: Exposing Cryptovirology." Because of his experience in the field, Young warns that it is only a matter of time before an attacker develops and releases a true cryptovirus or cryptoworm that could affect thousands of users. He urges the IT industry to take previously collected research seriously and begin building in defenses against such attacks. Click Here to View Full Article

"'Silent Horizon' War Games Wrap Up for the CIA"
Associated Press (05/26/05); Bridis, Ted

The CIA's Information Operations Center is conducting a three-day exercise dubbed "Silent Horizon" that simulates a prolonged cyberterrorist attack that could potentially cause as much damage and disruption as the Sept. 11, 2001, attacks, say exercise participants who want to remain anonymous. Although the government seems more concerned about biological attacks and physical threats from terrorists, FBI director Robert Mueller admits terrorists are actively recruiting computer scientists. Mueller says terrorists currently lack the resources for such a large-scale electronic attack on the United States. A previous cyberterrorism exercise, known as Livewire, determined government agencies may remain unaware of early-stage cyberterrorist attacks without the support of private technology companies. Dennis McGrath, who helped coordinate similar exercises for Dartmouth College's Institute for Security Technology Studies, says, "You hear less and less about the digital Pearl Harbor...It's just not at the top of the list." About 75 people took part in Silent Horizon at the secretive Information Operations Center, which studies cyber threats to the U.S.'s computer networks. Click Here to View Full Article

.From ACM's TechNews, June 1, 2005

"Privacy Matters"
Washington Technology (05/23/05) Vol. 20, No. 10, P. 1; Lipowicz, Alice

Privacy proponents' increased emphasis on enhancing the collection, storage, and sharing of personal information with more protective measures has sparked expectations of a legislative mandate for more rigorous controls over personal information. However, it remains uncertain as to how the government plans to balance out the often antagonistic goals of privacy rights and national security. "The question is: How do you do what you need to do while minimizing the damage to civil liberties and rights?" says consultant Ramon Barquin. Better data security alone does not adequately address privacy concerns, which have been key factors in the delay, reassessment, or cancellation of high-profile anti-terrorism projects such as the Transportation Security Administration's CAPPS II airline passenger screening initiative, the Pentagon's Total Information Awareness data mining program, and the Justice Department's Terrorist Information and Prevention System. Homeland Security officials insist that their department's privacy office has stepped up efforts to address privacy issues earlier; DHS Privacy Officer Nuala Kelly earned some credibility with a report on certain improprieties of TSA staff during the early development of CAPPS II that probably helped hasten the program's termination, yet many say her office does not carry sufficient clout. "The chief privacy officer needs the independence and adequate authority to properly evaluate the privacy concerns of the department, outside political pressures," noted the House Homeland Security Committee's Rep. Bennie Thompson (D-Miss.) last month. Congress is mulling a batch of proposals to reduce ID theft while strengthening privacy protections, including the establishment of a national privacy and civil rights oversight board. Click Here to View Full Article

"Hacker Hunters"
BusinessWeek (05/30/05) No. 3935, P. 74; Grow, Brian; Bush, Jason

To counter the growing threat of professional, profit-driven cyber-criminals, enforcement agents or "hacker hunters" are combining the latest cybercrime deterrents with traditional tactics such as infiltration and the Internet equivalent of wire-tapping to topple and successfully prosecute online crime rings. The need to prevent cybercrime has never been more crucial, as the damage caused by hackers is growing steadily worse, while enforcement agencies are underfunded and underequipped. The urgency of the situation has not only helped cultivate smarter federal, state, and local agencies, but greater collaboration between them; in addition, cybercrime legislation is being pursued more aggressively. The highly publicized takedown of the ShadowCrew hacker gang by the Secret Service is a case study in how both the nature of cybercrime and anti-cybercrime strategy is changing. ShadowCrew's suspected ringleaders allegedly ran shadowcrew.com as an international clearinghouse for stolen credit cards and identity documents, and the gang reportedly had 4,000 members worldwide: Two people administered the Web site and recruited members; "moderators" hosted online forums where members could share tips on hacking and ID theft; "reviewers" obtained and tested merchandise; and "vendors" bought and sold on the site, mostly through online auctions. The Secret Service enlisted an insider to act as an informant, created and used a gateway to locate gang members, and coordinated an international crackdown on ShadowCrew by state and local police and authorities in six foreign countries. The biggest obstacle law enforcement faces in curbing cybercrime is its worldwide scope. Countries with weak hacking laws and flimsy enforcement are havens for cyber-criminals, who can also tangle up the trail for investigators by keeping servers in a separate country. Click Here to View Full Article

.From EduPage, June 1, 2005

Colleges Learn About Identity Theft From An Identity Thief
New York Times, 29 May 2005

As part of its efforts to increase awareness about student loan fraud, the Department of Education is distributing a DVD to colleges and universities of an interview with a convicted identity thief. As part of his plea agreement, John E. Christensen was interviewed by authorities to create the DVD, in which he describes how, over a period of three and a half years, he used the identities of more than 50 individuals to defraud the government of more than $300,000 in federal student grants and loans. Each year, the Department of Education disburses about $65 billion in financial aid. In the interview, Christensen, who is serving his prison sentence in Arizona, explains how he fraudulently obtained personal information and used it to register for classes and apply for financial aid. Because financial aid processes take place largely online, defrauding the government is "becoming easier and easier all the time," said Christensen. "You never have to see anybody." (registration req'd) http://www.nytimes.com/2005/05/30/national/30fraud.html The DOE website is at http://www.ed.gov/about/offices/list/oig/misused/index.html.

.From EduPage, May 27, 2005

Hackers Hit Stanford
Silicon.com, 26 May 2005

Officials at Stanford University and the FBI are investigating a computer breach at the university's Career Development Center (CDC) earlier this month that may have exposed personal information on as many as 10,000 individuals. Most of those affected are students, though a small number are recruiters who had registered with the CDC. Information that might have been improperly accessed includes names, Social Security numbers, financial information, and, in some cases, credit card numbers. The university is notifying those possibly affected by the breach, in compliance with the 2003 Security Breach Information Act. That law requires organizations to inform California residents any time their personal information might have been accessed without authorization. http://software.silicon.com/security/0,39024655,39130758,00.htm

GAO Says DHS Unprepared For Cybersecurity
CNET, 26 May 2005

The Government Accountability Office (GAO) has issued a report strongly critical of the readiness of the Department of Homeland Security (DHS) to deal with threats to the nation's cybersecurity. According to the report, DHS "has not fully addressed any" of 13 areas of cybersecurity, including bot networks, criminal gangs, foreign intelligence services, spammers, and spyware. "DHS cannot effectively function as the cybersecurity focal point intended by law and national policy," said the authors of the report. During the past year, DHS has seen the departure of a number of high-level officials, including the director and deputy director of Homeland Security's National Cyber Security Division, the undersecretary for infrastructure protection, and the assistant secretary responsible for information protection. A representative of DHS refuted the GAO's findings, saying that DHS has made improvements to the "nation's cybersecurity posture." He noted that DHS, as a new federal agency, measures progress in nonquantitative, less formal ways. http://news.com.com/2100-7348_3-5722227.html

.From ACM's TechNews, May 27, 2005

"Collaboration Is a Necessity for a Secure Infrastructure"
Computing (05/26/05); Nash, Emma

Now that IT is considered an integral part of the business, it is time for collaboration between industry users and vendors to establish best practices, says Oracle chief security officer Mary Ann Davidson. As one of the 10 charter members of the Global CSO Council, Davidson is taking a lead role in fostering collaboration between industry users, vendors, and government; other Global CSO Council members include New York cybersecurity head William Pelgrin, eBay CSO Howard Schmidt, and Bank of America information security director Rhonda MacLean. Davidson is working with the National Institute of Standards and Technology to create secure software development auditing standards that could be applied to commercial software, and is representing the industry on Capitol Hill to push for funding of such efforts. Software development auditing standards are an essential building block to better overall security, she says. Another critical issue for improving IT security is improved software development education at universities. Currently, hiring companies are left with the burden of training new programmers in secure development practices; university programs should be certified, so that software developers create stable products, similar to how architects and civil engineers also focus on stability and security. Finally, Davidson points out that IT security awareness is starting to increase due to issues such as regulatory compliance, and that new security products are preventative in nature. Click Here to View Full Article

"House Approves Spyware Penalties"
TechNews.com (05/24/05); McGuire, David

The House of Representatives voted overwhelmingly in favor of Rep. Mary Bono's (R-Calif.) Spy Act and Rep. Bob Goodlatte's (R-Va.) Internet Spyware Prevention Act on May 23. The anti-spyware proposals are nearly identical, although Bono's bill requires businesses to use an "opt-in" policy in which they must ask people's permission to install spyware on their computers. Goodlatte's measure offers no such provision, and it has garnered much more industry support as a result. Bono's bill bans some of the more egregious spyware tactics, and sets a maximum penalty of $3 million for each violation; Goodlatte's legislation would send some spyware distributors to prison for up to five years. An inability to reach a compromise on the "opt-in" issue scuttled the hopes of merging the two proposals, according to Bono. She says, "I believe it's one of the most important parts of the bill. I think we own the computer and we ought to have a say about who installs what on your computer." The Information Technology Association of America has been a frequent adversary of anti-spyware legislation, but President Harris Miller acknowledges the need for a national standard, since several states have started promoting their own anti-spyware measures that could lead to balkanization if left unchecked. America Online and the National Cyber Security Alliance found spyware installed in 85 percent of 329 randomly selected Internet users' computers last October, with the average "infected" computer hosting over 90 spyware and adware programs; last year IDC predicted that annual anti-spyware software expenditures will skyrocket from $12 million in 2003 to $305 million in 2008. Sen. Conrad Burns (R-Mont.) has sponsored anti-spyware legislation in the Senate, and says passage of the House bills shows progress on the issue. Click Here to View Full Article

.From EduPage, May 2, 2005

Spreading Spyware Through An Affiliate Program
TechWeb, 24 May 2005

A business based in Russia is adopting the affiliate-program approach to spreading spyware around the globe. Called iframeDOLLARS, the company is offering Web site operators 6.1 cents for every computer on which the Web site installs code that exploits vulnerabilities in Windows and Internet Explorer. Microsoft has issued patches for the weaknesses, but unpatched computers remain at risk. The malicious code includes backdoors, Trojans, spyware, and adware. Operators of the iframeDOLLARS site claim to have paid out nearly $12,000 last week alone, which would translate to nearly 200,000 infected computers. Although spyware expert Richard Stiennon called the tactic "brazen" and said iframeDOLLARS might be making quite a bit of money from its scheme, Dan Hubbard, the head of security at Websense, gave iframeDOLLARS less credit. He noted that the company has been around for a while, trying various methods to install malicious code, and he said a number of others have tried similar affiliate programs to accomplish the same thing. http://www.techweb.com/wire/security/163700705

House Takes Two Steps Against Spyware
CNET, 23 May 2005

The House of Representatives overwhelmingly passed two separate bills this week designed to address the growing problem of spyware. HR 29, introduced by Mary Bono (R-Calif.), would impose stiff fines on anyone found guilty of distributing computer code that results in browser hijacking, modifying bookmarks, collecting personal information without permission, and disabling security mechanisms. Violators can be fined as much as $3 million per incident. One of only four Representatives who voted against Bono's bill, Zoe Lofgren (D-Calif.) had introduced another bill, HR 744, that also prohibits installing spyware. Lofgren's bill, which passed 395 to 1, would impose fines and jail time to anyone found guilty. Both bills now go to the Senate, which failed to act on a spyware bill sent by the House last year. Senators have said they will not allow a similar situation this year. http://news.com.com/2100-1028_3-5717658.html

.From ACM's TechNews, May 25, 2005

"Database Hackers Reveal Tactics"
Wired News (05/25/05); Zetter, Kim

Three young hackers suspected of breaking into the LexisNexis database claim the intrusion was done to make a name for themselves rather than to commit identity theft. One of the suspects is also a member of the Defonic Crew hacking group, and says his hack of America Online encouraged him and other Defonic members to take on bigger hacking challenges; "Shasta," a hacker who is not a suspect in the LexisNexis case, says the successful AOL intrusions bred carelessness among Defonic Crew when it came to not leaving a trail. Last March, LexisNexis admitted that intruders penetrated a database belonging to its Seisint subsidiary and used name searches to appropriate the personal data of up to 310,000 people, but the hacker suspects claim they were unaware of this until a friend of one of them, pretending to be a teenaged girl, engaged in an online chat session with a Florida policeman with a Seisint account. The suspect coaxed the officer to click on an attachment containing a Trojan horse with promises of erotic content, and the program downloaded to his computer and gave the hacker total access to his files, including one linking to Seisint's Accurint service. Another suspect in the LexisNexis breach used a Java script to find other active Accurint accounts, and uncovered an account belonging to a Texas police department; he then contacted Seisint posing as a LexisNexis tech administrator and coaxed an employee to reset the account's password so he could create new accounts in the police department's name. A separate investigation that may be related to the LexisNexis case led to several arrests in California, and Santa Clara County Deputy District Attorney Jim Sibley theorizes that more than one hacker group may have breached LexisNexis, given its shoddy security. Click Here to View Full Article

"Scientist Blames Web Security Issues on Repeated Mistakes"
E-Commerce Times (05/24/05); Germain, Jack M.

BBN Technologies researcher Peiter Zatko believes the Internet's vulnerability to catastrophic failure is rooted in scientists and engineers repeatedly committing the same mistakes, but he does think this situation can be remedied and is heartened by industry's growing awareness of the problem. His view is that programmers must stop coding programs riddled with access holes that stem from calls within a program for certain convenience actions. Zatko says the abuse of the Internet's critical infrastructure makes an all-in-one security solution impossible, and partially attributes the infrastructure's weakness to engineers overworking the Internet's intended use. He says the addition of utilities and telephone service to the Internet puts further strain on the network. Zatko recommends that scientists cross-field their knowledge in order to find effective solutions to the Internet's security flaws, insisting that "We need to break up the old boy network." He sees the technology industry's reversion to dedicated services instead of multipurpose devices as a positive step, and advises the continuation of this trend. Zatko expects the repeated abuse of the Internet to halt once it becomes too dangerous, too complicated, and too costly to use safely. Once that point is reached, people will start clamoring for government regulation, he predicts. Click Here to View Full Article

.From SANS NewsBites, 7(21), May 25, 2005.

Hackers Holding Computer Files 'Hostage'
(23 May 2005)

A new type of extortion plot has been identified, unlike any other cyber extortion, according to the FBI. Hackers used an infected website to infect computers with a program that encrypts the user's files. Then the criminal demanded money for the key to decrypt the files. Enhanced versions of this attack threaten large numbers of users with loss of important data, loss of money, or both. http://news.yahoo.com/s/ap/20050524/ap_on_hi_te/internet_ransom [Editors' Note (Paller and Dhamankar): This is a substantial expansion of the extortion threat. Previously, large organizations were targeted. Now, because infection is indiscriminate, everyone is at risk. To protect your systems: (1) ensure your backups are current and retrievable, (2) ensure your operating system and browser are fully patched (through automated patching), (3) refrain from opening *any* attachments unless you are expecting them.]

GAO Report Finds Wireless Security Lacking at Federal Agencies
(17 May 2005)

A Government Accountability Office study found that federal agencies lack adequate wireless network security. In its report, GAO recommends that the Office of Management and Budget require agencies to incorporate wireless security into their information security programs under the Federal Information Security Management Act. This would include policies on wireless network implementation and use, configuration requirements for wireless security tools, and training for employees and contractors on wireless policies. Of 24 executive branch agencies, nine had no wireless network policies and 13 had no wireless equipment security configuration requirements. At six agency headquarters in downtown Washington, DC, the GAO found wireless signals leaking outside of buildings, unsecured wireless equipment configuration, and unauthorized wireless devices operating on the network. http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=ndaily2&story.id5827 http://www.gao.gov/new.items/d05383.pdf [Editor's Note (Schultz): What amazes me is that so many organizations continue to have cleartext wireless communications despite the inherent danger of eavesdropping and the availability of suitable encryption solutions. (Shpantzer): Most places have either a 'no wireless' policy or a 'wireless with XYZ security' policy. Both require monitoring and enforcement. If you have no policy at all, you're virtually guaranteed to have insecure wireless in place, set up for convenience and mobility by enterprising employees. If you have no policy, what can you do to those employees? Not much.]

Court Rules German ISPs Do Not Have to Provide Record Companies with Customer Data
(17 May 2005)

The Higher Regional Court in Hamburg, Germany has ruled that German ISPs are not required to provide record companies with information about their customers' identities. The court argued that ISPs "merely provide access to the web," but are not themselves a part of copyright infringement acts. This overturns a District Court ruling, based on Germany's Copyright Act, which allowed record companies access to ISP customer information after the discovery of an FTP server where songs were available for free download. http://www.theregister.co.uk/2005/05/17/hamburg_isp_ruling/print.html

.From ACM's TechNews, May 18, 2005

"Instant Messaging Falls Prey to Worms"
New Scientist (05/14/05) Vol. 186, No. 2499, P. 26; Biever, Celeste

Instant messaging (IM) technology is fertile new ground for hackers, according to experts. In 2001, 141 million people were using IM applications, but that number has since grown to 863 million people, making IM-based hacks more appealing. Security experts had hoped that limited approved contact lists would hinder IM-based attacks, but now worms are increasingly targeting linked email accounts. Compared to 2004, security company IMlogic reports a significant increase in IM-based worms in the first three months of this year. Attacks often use an application programming interface to detect Microsoft IM networks and spread malicious messages that look as if they are coming from a friend. However, clicking on the link automatically downloads a virus, giving hackers remote control over victims' computers. Some hacks are sophisticated, with code trained to chat with victims prior to sending the malicious link, though the chat is often fragmented and illogical. "It always shocks me how well these social engineering attacks end up working," says Nicholas Weaver, a security expert at the International Computer Science Institute in Berkeley, California. Hackers are also targeting IM applications via application vulnerabilities. Analysts say email viruses are still a bigger threat, but they say that IM attacks continue to grow in popularity, and are potentially more dangerous since organizations are less prepared to fight them off. Although an estimated 80 percent of the U.S.'s 1,000 wealthiest companies maintain IM networks, just 10 percent use IM security safeguards. Click Here to View Full Article

"School Studies Effects of Internet Attacks"
eWeek (05/09/05) Vol. 22, No. 19, P. 18; Roberts, Paul F.

Iowa State University is using a new test laboratory to train students and local security professionals on cyberattacks and cyber-defense. The Internet Simulation Event and Attack Generation Environment (ISEAGE) is designed to recreate a cyberattack on any part of the Internet infrastructure, according to Doug Jacobson, director of information assurance at the university in Ames. Funded by a $500,000 grant from the Department of Justice, ISEAGE comprises a 64-processor cluster connected by high-speed switching gear and linked to a central disk storage system running FreeBSD Unix; each processor can recreate 50 routing points. The processors give researchers the flexibility to reproduce network attacks, while ISEAGE's software tools also enable them to change traffic patterns, replay attacks in different configurations, and collect data. "We can make an attack look like it came from 1,000 computers, but we don't need 1,000 computers to do it," says Jacobson. ISEAGE will be used to model attacks on key infrastructure in cyberspace, and could help improve computer defense and forensics. Click Here to View Full Article

.From ACM's TechNews, May 18, 2005

"Personal Data for the Taking"
New York Times (05/18/05) P. C1; Zeller Jr., Tom

Dozens of Johns Hopkins University students enrolled in a computer security course last semester learned how painfully cheap and easy it is to acquire personal data online when they were grouped into teams assigned to aggregate, clean, and link entire databases of dossiers on Baltimore citizens using only public data sources with a maximum budget of $50. Several teams collected upwards of 1 million records on hundreds of thousands of individuals. The project was the brainchild of Johns Hopkins computer science professor Aviel Rubin, who is also technical director of the university's Information Security Institute. Some participants obtained information by filing Freedom of Information Act requests at local government offices, while others tapped whole databases from online sources or free commercial address databases using special computer scripts. Profiled citizen David Albright was troubled by how effortlessly information such as his occupation, address, phone number, birth date, and party registration was gathered: "What would be disturbing is if by having all this information consolidated, it made stealing an identity easier," he said. Privacy proponents have similar concerns, especially in regards to how easy it is to access Social Security numbers. ACLU lawyer Jason Brandeis expressed the need to balance out the protection of individual privacy and the public interest in unfettered access to government data. Rubin concluded that "there are strong negative consequences to being able to collect and correlate all this information on people, but it is also possible that the consequences to personal freedom would be worse if it were outlawed." Click Here to View Full Article

.From ACM's TechNews, May 23, 2005

"How to Hook Worms"
IEEE Spectrum (05/05); Riordan, James; Wespi, Andreas; Zamboni, Diego

IBM Zurich Research Laboratory research scientists James Riordan, Andreas Wespi, and Diego Zamboni detail an intrusion-detection system designed to specifically target computer worms, which Mi2g says were partly responsible for more than $68 billion in damages in February 2004 alone. The majority of intrusion-detection systems employ a dual-tier strategy in which "sentinel" programs are posted on both network-linked host computers and on the network itself, but this approach generates many false alarms and exhibits little resistance to both malicious attacks and accidental failures. The researchers' system, dubbed Billy Goat, runs on a network-connected dedicated machine and can identify worm-infected machines anywhere within the network. The genesis of Billy Goat was Riordan, Wespi, and Zamboni's realization that computers linked to the network frequently got automated requests from other machines that did not dovetail with their normal operation; worms were behind a large percentage of these requests, because they usually locate new computers to target by randomly searching through Internet addresses. Billy Goat is assigned to unused, unadvertised addresses where the illegitimacy of received requests is a given, and the system responds to requests by providing bogus virtual services, effectively fooling worms into disclosing their identity and making them easy for Billy Goat to reliably track. The system tries to attract many different kinds of worms by presenting multiple feigned services, while new fake services can be created by standard programming tools and interfaces supported by the virtualization infrastructure; Billy Goat also follows a distributed architecture that permits the coexistence of multiple Billy Goats on a network. The researchers claim Billy Goat can detect worm-infected machines within seconds of contamination, and provide their addresses as well. Click Here to View Full Article
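The core of the Billy Goat idea, that a request arriving at an unused and unadvertised address has no legitimate reason to exist, can be turned into plain detection logic over flow records. The following is an added illustration, not IBM's code; the flow-record format, the dark address ranges and the alert threshold are constructed assumptions.

```python
"""Detection logic in the spirit of Billy Goat: a block of addresses is left
unused and unadvertised, so any host that sends requests there is a scanning
candidate, and one that touches several such addresses in a row is almost
certainly running a worm. Added example, not IBM's code; the flow-record
format, the address ranges and the thresholds are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Constructed: allocated but deliberately unused, unadvertised address space.
DARK_SPACE = [ipaddress.ip_network(n) for n in ("10.9.0.0/16", "192.0.2.0/24")]

# Constructed flow records: "<epoch-seconds> <src> <dst> <dst-port>"
SAMPLE_LOG = """\
1117000001 10.1.1.5 10.1.1.20 445
1117000002 10.1.1.7 10.9.12.3 445
1117000002 10.1.1.7 10.9.200.9 445
1117000003 10.1.1.7 192.0.2.77 135
1117000004 10.1.1.9 10.9.4.4 80
1117000005 10.1.1.5 10.1.1.21 22
1117000006 10.1.1.7 10.9.55.1 445
"""

def is_dark(addr: str) -> bool:
    """True if the address lies in the unused space: nothing legitimate answers there."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DARK_SPACE)

def parse_flows(text: str):
    """Parse the constructed flow format into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows

def dark_contacts(flows):
    """Group every request that hit dark space by its source address."""
    by_src = defaultdict(lambda: {"targets": set(), "ports": set(), "first": None, "last": None})
    for ts, src, dst, dport in flows:
        if not is_dark(dst):
            continue
        rec = by_src[src]
        rec["targets"].add(dst)
        rec["ports"].add(dport)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return by_src

def find_scanners(flows, min_dark_targets=3):
    """Sources that touched at least `min_dark_targets` distinct dark addresses.
    Returns {src: {"targets": [...], "ports": [...], "seconds": span}}.
    A single hit already deserves a look; the threshold keeps one mistyped
    address or a stale DNS entry from paging anyone."""
    result = {}
    for src, rec in dark_contacts(flows).items():
        if len(rec["targets"]) >= min_dark_targets:
            result[src] = {
                "targets": sorted(rec["targets"]),
                "ports": sorted(rec["ports"]),
                "seconds": rec["last"] - rec["first"],
            }
    return result

def suspicious_sources(flows):
    """Every source with any dark-space contact, for a lower-priority watch list."""
    return sorted(dark_contacts(flows))

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, info in find_scanners(flows).items():
        print(f"{src}: {len(info['targets'])} dark targets on ports {info['ports']} within {info['seconds']}s")
    print("watch list:", suspicious_sources(flows))
```

On the sample records, 10.1.1.7 walks four dark addresses in four seconds and is reported as a scanner, 10.1.1.9 appears only on the watch list, and 10.1.1.5, which talks only to real hosts, is never mentioned. The fake-service half of Billy Goat, which answers those requests so the worm reveals which exploit it carries, is a separate listener and is not shown here.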

.From EduPage, May 2, 2005

Latest Loss Of Personal Information: MCI
Wall Street Journal, 23 May 2005

Officials from long-distance carrier MCI are investigating the loss of employee data after a laptop was stolen from the car of an MCI financial analyst. The laptop contained names and Social Security numbers for about 16,500 employees, whom the company has notified. A spokesperson for MCI said the machine was password-protected but did not say whether the employee data were encrypted. MCI is reviewing the incident to see whether the analyst violated any company policies, such as those concerning what types of information may be put on laptops and what information must be encrypted. MCI is also taking this opportunity to make sure employees who have access to sensitive information are clear on company policies. The company said that so far there have been no reports that any of the information on the laptop has been sold or misused. (sub. req'd) http://online.wsj.com/article/0,,SB111680003245940129,00.html

.From EduPage, May 20, 2005

Feds Conduct Searches Related To Data Thefts
Wall Street Journal, 20 May 2005

Federal authorities investigating the theft of personal information from LexisNexis this week conducted raids and searches at several locations around the country. LexisNexis, which collects and aggregates information on millions of people, recently reported that information on nearly 300,000 individuals had been stolen by hackers. Investigators from the Federal Bureau of Investigation and the Secret Service searched the homes and computers of close to one dozen people, resulting in at least three arrests. Spokespersons for the agencies conducting the raids as well as for LexisNexis declined to give many details other than that the investigations are ongoing. (sub. req'd) http://online.wsj.com/article/0,,SB111653162281238311,00.html

.From ACM's TechNews, May 5, 2005

"Computing Officials Worry That Proposed Federal Database Could Be Hacked"
Chronicle of Higher Education (05/06/05) Vol. 51, No. 35, P. A37; Carnevale, Dan

The U.S. Department of Education is considering a "unit record" database listing information on individual students, but technology experts are worried about the database's vulnerability to hacking, a pressing concern in light of recent intrusions into college and company servers. Purdue University computer sciences professor and USACM chair Eugene Spafford warns that a large database, constructed ostensibly to keep tabs on student retention and graduation rates, is an irresistible target, and susceptible to an attack from any point in the system because of its size. Grover Whitehurst, director of the Education Department's Institute of Educational Sciences, says the department has yet to submit the unit record database concept to Congress, and is currently receptive to any ideas for securing confidential student data. He says the database would probably be disconnected from the Internet, making it impossible for hackers to breach the server through public computer networks. Whitehurst also says no Social Security numbers would be listed in the database, and he strongly doubts the information in the database--student names, places of enrollment, classes students are taking, financial aid they are getting, etc.--would make a particularly attractive target. Former ACM President Barbara Simons says a government database that tracks information about individual students is cause for worry, and wonders how the people who access the data would be trustworthy in the Education Department's eyes. Whitehurst says the department will consult with computer security experts before moving ahead with any unit record database proposal.

.From EduPage, May 2, 2005

Time Warner Reports Data Loss
Reuters, 2 May 2005

A company that handles data storage for Time Warner lost tape backups containing personal information for about 600,000 employees. Iron Mountain Inc., based in Boston, reportedly lost the tapes during transport. Officials from Time Warner said the tapes did not contain customer information. In a statement, Larry Cockell, chief security officer at Time Warner, said that although no evidence exists that the data have been accessed or misused, "we are providing current and former employees with resources to monitor their credit reports while our investigation continues." Time Warner owns America Online, HBO, and Warner Brothers. http://www.reuters.com/newsArticle.jhtml?storyID=8363208

.From ACM's TechNews, May 2, 2005

"Skeletons on Your Hard Drive"
CNet (04/20/05); Hines, Matt

Experts say it is inordinately difficult to completely erase data on unwanted hard drives, even using commercial wiping software to overwrite the data. The National Association for Information Destruction (NAID) said it could not endorse the use of wiping software alone because studies have shown such software is not enough to ensure data deletion. Instead, the group says users should use wiping software in addition to material destruction to make sure hackers cannot pull sensitive information off of the drives, such as login data. NAID executive director Bob Johnson also says professional services that claim to wipe large numbers of computer hard drives for organizations lack adequate testing measures to check if data is inaccessible. Studies have shown the majority of resold hard drives still contain some information. The U.S. Department of Defense requires seven passes with wiping software for hard drives that do not require physical destruction, says Acronis' director Stephen Lawton, whose company sells such software. Only one pass is not enough even for home users, he says. Stronger protection is afforded through crushing services or degaussing, which is a magnetic striping process usually applied to large collections of machines. Hewlett-Packard's John Frey says the reason PC data is difficult to erase is because hardware and software makers had to ensure users did not accidentally delete information during the DOS era. Click Here to View Full Article
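The article's point that one overwrite pass is not considered enough, and that a wipe should be checked rather than assumed, can be shown on a single file. The block below is an added example and is not the product of any vendor named above; the pass patterns and the sample secret are constructed.

```python
"""Multi-pass overwrite of a file followed by a read-back check that the
original content is gone. Added example, not the software the article
mentions; the pass patterns and the sample secret are constructed."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024

def _overwrite(fh, size: int, pattern) -> None:
    """One full pass over `size` bytes, then force the data to the device."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())

def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite the file in place `passes` times, cycling through random
    bytes, all-ones and all-zeros, and return the total bytes written.
    The file keeps its size so the verification step can re-read every byte."""
    patterns = [secrets.token_bytes, lambda n: b"\xff" * n, lambda n: b"\x00" * n]
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for i in range(passes):
            _overwrite(fh, size, patterns[i % len(patterns)])
    return size * passes

def still_contains(path: str, needle: bytes) -> bool:
    """Read the file back through the filesystem and look for the old content."""
    with open(path, "rb") as fh:
        return needle in fh.read()

def demo():
    """Create a file holding a constructed secret, wipe it, and report
    (secret found before, secret found after, bytes written)."""
    secret = b"CONSTRUCTED-SECRET-MARKER"          # constructed sample, 25 bytes
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(b"x" * 1000 + secret + b"y" * 1000)
        before = still_contains(path, secret)
        written = wipe_file(path, passes=3)
        after = still_contains(path, secret)
    finally:
        os.remove(path)
    return before, after, written

if __name__ == "__main__":
    print(demo())
```

The read-back only checks what the filesystem returns. On journaling or copy-on-write filesystems, and on flash storage with wear levelling, the physical blocks that held the original data may never be rewritten by a file-level overwrite, which is the gap that leads NAID to pair wiping with physical destruction. The seven-pass regime the article attributes to the Department of Defense is just `passes=7` here.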

.From EduPage, April 29, 2005

FIU Suffers Computer Hack
The Register, 29 April 2005

Officials at Florida International University (FIU) are warning faculty and students about possible identity theft after it was discovered that a hacker had user names and passwords for 165 computers on campus. Although only a few of the computers contained personal information, and despite the fact that no evidence exists that anyone's information has been misused, school officials fear that the hacker may have had enough access to put the university's entire network in question. University staff have been instructed to inspect 3,000 computers on campus to determine if they have been compromised. FIU has recommended that faculty and students remove any personal information from their computers and that they monitor their credit cards for suspicious activity that could indicate fraud. http://www.theregister.com/2005/04/29/fiu_id_fraud_alert/

.From ACM's TechNews, April 29, 2005

"A Crisis of Prioritization"
Computerworld Australia (04/27/05); Bajkowski, Julian

A new report from the President's Information Technology Advisory Committee (Pitac) warns that the emphasis on bolstering national security in the wake of the 2001 U.S. terrorist attacks has left a critical element--cybersecurity of civilian technological infrastructures--severely underfunded. The report concludes, "The information technology infrastructure of the U.S., which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." The Pitac study notes that in terms of research and development priorities, research emphasis is just as important as funding levels, if not more so. Pitac calls for the incorporation of holistic-level security within current and nascent architectures, which entails a change in thinking and IT design beliefs instead of pouring vast amounts of money into intermittent patches without addressing immediate problems. The committee says the federal government must guide the rehabilitation of the IT industry, asserting that "an expanded portfolio of U.S. federal cybersecurity R&D efforts is required because today we simply do not know how to model, design, and build systems incorporating integral security attributes." The Pitac report has many supporters in Australian government and industry, and AusCert director Grahame Ingram says vendors have started to make security a much more integral component of software and hardware design in the last few years. Professor Bill Caelli of Queensland University of Technology says the Pitac report was alarming and cites the need for a top-level reconsideration of embedding security within IT. Click Here to View Full Article

"Does Trusted Computing Remedy Computer Security Problems?"
IEEE Security & Privacy (04/05) Vol. 3, No. 2, P. 16; Oppliger, Rolf; Rytz, Ruedi

Rolf Oppliger and Ruedi Rytz with the Swiss Federal Strategy Unit for Information Technology weigh the benefits and drawbacks of trusted computing, and conclude that the technology is unlikely to completely inoculate PCs against the threat of malware. Trusted computing initiatives are consistent in their basic principle to convert software-open computer systems into software-closed or software-controlled systems, which cannot be done without a secure, reliable bootstrap framework. Software-open systems are key to the PC explosion because they allow the operating system and the application software to be easily modified, upgraded, and extended; they are also key to PCs' insecurity, which threatens users' personal data as well as the security and availability of the Internet. The authors point out that commercial antivirus software is ineffective at detecting and eliminating unknown malware, while the ability to introduce malicious code at any point in the software life cycle complicates testing and detection. Not only that, but typical computer memory architecture stores programs and data in the same place, which enables malware to alter data and programs simultaneously. The separation of programs and data--a prerequisite for a more secure architecture--is also difficult. Trusted computing allows software to be authenticated and authorized to confirm its genuineness and integrity before execution, but the technology cannot ensure that software running on a computer system does not contain exploitable programming errors or malware; this situation makes trusted computing effective against manual malware execution, but useless against malware that takes advantage of glitches, flaws, and vulnerabilities in authorized software for its own purposes. The authors write that trusted computing-enabled systems are more easily securable, but their degree of protection reflects how the systems are designed and implemented. Click Here to View Full Article
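The "secure, reliable bootstrap" the authors call a prerequisite, and the limitation they draw from it, are easiest to see in a small measured-boot simulation. This is an added example, not the authors' code or any product's implementation; the register convention (a TPM-style extend), the stage names and the component bytes are constructed assumptions.

```python
"""Measured-boot simulation: each stage is hashed and folded into a single
register before the next stage runs, and a verifier checks the final value
against a known-good one. Added example, not the authors' code. Names,
component bytes and the hashing convention are assumptions (modelled on a
TPM-style extend, not a specific product)."""
import hashlib
import hmac

REGISTER_INIT = b"\x00" * 32   # the register starts from a fixed, known state

def measure(component: bytes) -> bytes:
    """Measurement of one software component: a plain SHA-256 of its bytes."""
    return hashlib.sha256(component).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """Fold a measurement into the register. Because the old value is hashed
    together with the new one, the register can only move forward; no later
    stage can set it back to a value of its choosing."""
    return hashlib.sha256(register + measurement).digest()

def measured_boot(stages):
    """stages: list of (name, component_bytes) in boot order.
    Returns (final_register, event_log); the log records what was measured."""
    reg = REGISTER_INIT
    log = []
    for name, blob in stages:
        m = measure(blob)
        log.append((name, m))
        reg = extend(reg, m)
    return reg, log

def replay_log(event_log) -> bytes:
    """Verifier side: recompute the register from the event log alone."""
    reg = REGISTER_INIT
    for _name, m in event_log:
        reg = extend(reg, m)
    return reg

def attest(final_register: bytes, golden_register: bytes) -> bool:
    """Constant-time comparison against the known-good register value."""
    return hmac.compare_digest(final_register, golden_register)

# Constructed stand-ins for real firmware, kernel and application images.
GOLDEN_STAGES = [
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel",     b"constructed kernel image v1"),
    ("app",        b"constructed application image v1"),
]

def demo():
    golden, golden_log = measured_boot(GOLDEN_STAGES)

    # 1. A modified kernel: one byte differs, so the register no longer matches.
    tampered = [(n, b"constructed kernel image v1!" if n == "kernel" else b)
                for n, b in GOLDEN_STAGES]
    reg_tampered, _ = measured_boot(tampered)

    # 2. The same images booted in a different order: also rejected.
    reordered = [GOLDEN_STAGES[1], GOLDEN_STAGES[0], GOLDEN_STAGES[2]]
    reg_reordered, _ = measured_boot(reordered)

    # 3. The authorised images, unchanged, are accepted. If one of them holds
    # an exploitable bug, this check cannot tell: the register only says
    # "these exact bytes ran", which is the limitation the authors describe.
    reg_same, log_same = measured_boot(GOLDEN_STAGES)

    return {
        "tampered_accepted": attest(reg_tampered, golden),
        "reordered_accepted": attest(reg_reordered, golden),
        "unchanged_accepted": attest(reg_same, golden),
        "log_replays_to_register": replay_log(log_same) == reg_same,
        "log_replays_to_golden": replay_log(golden_log) == golden,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two rejected boots show what the bootstrap does buy: a changed or reordered component cannot produce the expected register, and the event log lets a remote verifier reconstruct the value independently. The accepted boot shows the other half of the authors' argument: authenticity of the bytes says nothing about whether those bytes are safe to run.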

.From EduPage, April 27, 2005

Concerns Mount Over Software's Role In Data Breaches
Wall Street Journal, 27 April 2005

A number of retailers are pointing to software used at store checkouts as the weak link in the rash of recent security breaches. Magnetic strips on credit cards include--along with the credit card number--a three-digit code. Knowing that code can allow criminals to create counterfeit cards with embossed names that do not match the name attached to the account number. With that, a crook could present a photo ID that matched the name on a card, while the charge goes against an entirely different account. Software that handles credit card purchases is supposed to delete card numbers and the three-digit codes after a transaction, but several retailers now say that the systems keep those numbers in memory. John Shaughnessy of Visa USA said that a computer system that retained those numbers would be extremely tempting for criminals. Some retailers have filed suits against the makers of the software, seeking compensation for losses resulting from recent hacks. At least one software company, Micros Systems, rejected retailers' contentions, saying its products do not store such information. (sub. req'd) http://online.wsj.com/article/0,,SB111455367943717582,00.html

.From ACM's TechNews, April 27, 2005

"Encryption: The Key to Secure Data?"
Computer Weekly (04/26/05); Bradbury, Danny

Data encryption technology is now a mature market with infrequent updates, but the failure of public key infrastructure (PKI) to take off in the commercial sector has left a gaping hole in the encryption framework. Encryption comes in two flavors: traditional symmetric encryption and asymmetric encryption that uses public and private keys. Asymmetric encryption popularized by RSA Security protects traditional symmetric encryption by adding another encrypted piece of data, which dramatically increases the difficulty of code-breaking; elliptic curve cryptography is a niche application of asymmetric encryption that uses fewer resources and is more suitable for PDAs and smart phones, for instance. Digital signatures protected by hashing functions, which ensure the message package is unmolested while in transit, allow parties to authenticate one another. Recently, the SHA-1 hashing algorithm was shown to be vulnerable to certain methods of attack and could prompt the industry to move to another, more secure, standard. PKI was created in order to protect against the fraudulent creation of encryption keys and involved the top-down issuance of certificates through organizations such as VeriSign, but PKI was pushed too hard, too fast, says Capgemini global chief technical officer Andy Mulholland. When PKI was promoted heavily five years ago, the bulk of online transactions was done by consumers, not businesses. If PKI was launched today, its commercial success would be far greater, says Mulholland. Encryption also faces the problem of complexity, where ordinary users find even PGP encryption difficult to use, while another challenge is government involvement, especially governments' ability to obtain and decrypt keys.

"Center Aims to Improve Cybersecurity in Higher Education"
Indiana University (04/25/05)

Indiana University is a hub for higher education cybersecurity efforts: In addition to hosting the Indiana Higher Education Cybersecurity Summit this week, the school is home to the Center for Applied Cybersecurity Research (CACR), an expanding information assurance program committed to improving the integrity and security of information systems, technologies, and content via a variety of disciplines, including computer science, informatics, organizational behavior, criminal justice, law, and public policy. CACR is driving the development of an interdisciplinary cybersecurity curriculum. "The whole nation is talking about cybersecurity, especially in higher education," says CACR director and Indiana University School of Law-Bloomington law professor Fred Cate. Computer hacking and identity theft incidents are becoming more sophisticated, severe, and frequent across the government, nonprofit, business, and higher education sectors. No educational institution is completely cyberattack-proof given the complexity and highly distributed management of schools' IT infrastructures. But Cate thinks the impact of such attacks can be minimized through a "highly coordinated" initiative involving the top leadership echelons. "Engagement in the discussion is a critical step in developing strategies that will deter attacks, reduce vulnerabilities, and help to ensure that disruptions are infrequent, of minimal duration, and cause the least damage possible," he says. Cate says CACR not only has the improvement of cybersecurity in mind, but also the improvement of cybersecurity efficiency, cost, and its effects on individuals, the economy, and the public. Click Here to View Full Article

.From ACM's TechNews, April 25, 2005

"Cyber Security Has Its Limits"
Pittsburgh Tribune-Review (04/22/05); Bails, Jennifer

The recent intrusion into Carnegie Mellon University (CMU) business school computers illustrates that not even top IT security institutions can completely guard themselves against cyberthreats and that an entirely new way of designing systems is needed, according to security and privacy experts. The CMU hack left personal information of about 20,000 applicants, graduate students, and staff open to misuse, though there is no evidence identity thieves have tried to use that data. The incident is similar to other high-profile cases at well-known organizations. University systems are especially vulnerable to hacking because of their interconnectivity and mission as providers of information. University of California, Berkeley, computer science professor and cybersecurity expert Doug Tygar called the CMU incident unlucky and did not think the problem was due to poor computer security practices. UC Berkeley suffered a serious privacy breach in March when an administrative laptop was stolen, and the school has launched an extensive audit of network and information security including policy and user access review. Cornell University computer science professor Kenneth Birman says news about major privacy breaches emerges every few hours nowadays, and notes that the recently funded TRUST center would join academic research groups to find a more permanent solution. "We can try to tackle problems when they happen and apply the latest patch, or we can design trustworthy computers from the get-go," he says. The new $19 million TRUST effort is funded by the National Science Foundation and will investigate ways to build fundamentally secure systems. Click Here to View Full Article

.From EduPage, April 25, 2005

Survey Shows Steep Rise In Web Site Defacements
BBC, 25 April 2005

Attacks on Web sites jumped 36 percent in 2004, totaling nearly 400,000 incidents, according to Zone-H, an organization that tracks malicious Web activity. Of the attacks recorded by the organization, Web site defacements--in which a bogus Web page is substituted for a Web site's home page--constituted the vast majority of attacks. Roberto Preatoni of Zone-H pointed out, though, that "the techniques used by defacers are the same techniques used by serious criminals to cause more serious damage." According to the group's report, more than half of the successful hacks took advantage of a known weakness or careless administration, such as easily guessed passwords or unprotected systems. Zone-H reported that the frequency of attacks rises over the Christmas holidays and drops when schools reopen each year after summer break. http://news.bbc.co.uk/2/hi/technology/4480689.stm

.From Knowledge@Wharton, April 6, 2005

Do You Know Where Your Identity Is? Personal Data Theft Eludes Easy Remedies

ChoicePoint, a consumer data vendor, hands over personal information on at least 145,000 people to criminals posing as small businesses. Hackers swipe the personal information of 32,000 people who use the database Lexis-Nexis. Bank of America loses backup tapes containing 1.2 million federal employee records. Every day, it seems, a new identity theft incident is reported, followed by new rounds of questions: Should data vendors be regulated? Can identity theft hurt e-commerce? How do individuals protect themselves? Unfortunately, suggest Wharton faculty and others, no simple answers are available, especially when personal information is so easily available through search engines. Read the article

.From New York Times, April 9, 2005

Sentence in Spam Case

LEESBURG, Va., April 8 -- A North Carolina man convicted in the nation's first felony prosecution for spamming was sentenced on Friday to nine years in prison, but the judge postponed the sentence while the case is appealed.

A jury recommended the nine-year prison term after convicting Jeremy Jaynes of sending at least 10 million e-mail messages a day with the help of 16 high-speed lines.

Mr. Jaynes, 30, of Raleigh, N.C., will be free on $1 million bond until the appeals process concludes.

Mr. Jaynes was convicted in November for using false Internet addresses to send mass e-mail ads through a server in Virginia. Under Virginia law, sending unsolicited bulk e-mail itself is not a crime unless senders mask their identities.

Published: 04-09-2005, Late Edition - Final, Section C, Column 1, Page 2

.From ACM's TechNews, April 22, 2005

"U.S. Gets New Cyberterrorism Security Center"
Computerworld (04/21/05); Weiss, Todd R.

April 21 marked the official unveiling of the Cyber Incident Detection Data Analysis Center (CIDDAC) at the University of Pennsylvania; CIDDAC is a private-sector facility set up to monitor America's business infrastructure for real-time detection of cyberthreats. CIDDAC executive director Charles Fleming says the center is designed to help victimized companies reticent to share information with the government, and eliminate the bureaucracy that can slow down federal agencies' response to threats. Critical industries are being offered intrusion-detection services by CIDDAC under the aegis of a pilot project supported by the FBI and the Department of Homeland Security's Science and Technology Directorate. The tools to facilitate these services are Remote Cyber Attack Detection Sensor (RCADS) appliances that will be implemented outside corporate networks. The appliances can automatically and instantly route any intrusion data to the CIDDAC center, where it is assessed immediately and then relayed to law enforcement agencies. The authorities can employ the data to collate attack signatures that government investigators can use to more rapidly identify, pinpoint, and subdue cyberthreats. Assistant special FBI agent Shawn Henry says the data compiled through CIDDAC will allow the FBI and other law enforcement entities to thwart future attacks instead of merely responding to intrusions. Fleming says CIDDAC users will enjoy better protection against cyberthreats while still maintaining the privacy of their sensitive corporate data, adding that "privacy, trust, and anonymity are absolute essentials for the private sector to participate, and without the private sector, there is no program." Click Here to View Full Article

"Researchers Propose Early Warning System for Worms"
eWeek (04/20/05); Naraine, Ryan

Professors Shigang Chen and Sanjay Ranka of the University of Florida's Computer and Information Science and Engineering department have written a paper proposing an early warning system for TCP-based Internet worms that promises to eliminate known vulnerabilities in current early warning systems. "The goal is to have a system to issue warnings at the very early stages of an attack and to provide information for security analysts to control the damage," the paper states. Chen says the plan combines a series of methods for automatically identifying the concentrated scan activity that signifies an ongoing worm assault, noting that the system monitors a "used" address space and pinpoints scan sources using outbound TCP RESET packets that indicate failed inbound linkage efforts, thus making localization more accurate and fortifying the system against anti-monitor measures. Chen says any existing distribution mechanisms--email, pagers, etc.--could be employed to post worm propagation advisories. Also included in Chen and Ranka's proposal is an anti-spoof protocol that can detect hosts potentially compromised by worms by winnowing out bogus scan sources, as well as a "system sensitivity" performance metric for gauging how responsive an early warning system is in broadcasting an ongoing worm attack. Chen says the system is designed for local deployment or co-deployment among enterprise networks. A distributed anti-worm system that defends against high-bandwidth distributed denial-of-service attacks has also been designed by Chen's team. Click Here to View Full Article
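The detection idea summarized above (outbound TCP RESETs as evidence of failed inbound connection attempts, grouped by the outside host that provoked them, plus a latency figure as a "sensitivity" metric) can be sketched as a small offline analysis over flow records. The code below is an added illustration written for this page, not the Chen and Ranka system, and the packet records, the monitored 10.0.5.0/24 space, the threshold and the window are all constructed assumptions. It also shows the slow-probe limitation of a fixed window, which the summary does not discuss.

```python
from collections import defaultdict
from dataclasses import dataclass

# Monitored ("used") address space; constructed for this example.
INTERNAL_PREFIX = "10.0.5."


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S" (SYN) or "RA" (RST/ACK)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def outbound_rst_events(packets):
    """Group outbound RSTs by the external address they were sent to.

    A RST leaving the monitored space is the stack's answer to an inbound
    connection attempt on a closed port, so its destination is the probing
    host and its source port is the port that was probed.  RSTs between two
    internal hosts, and anything arriving from outside, are ignored.
    """
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if "R" in p.flags and is_internal(p.src) and not is_internal(p.dst):
            by_src[p.dst].append((p.ts, (p.src, p.sport)))
    return by_src


def detect_scanners(packets, threshold=8, window=10.0):
    """Return {external source: alert time} for sources whose failed probes
    reached >= threshold distinct (host, port) targets within `window` seconds."""
    alerts = {}
    for src, events in outbound_rst_events(packets).items():
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = ts
                break
    return alerts


def detection_latency(packets, **kw):
    """Seconds from a source's first failed probe to the alert: the kind of
    'sensitivity' figure the summary says the paper proposes as a metric."""
    events = outbound_rst_events(packets)
    return {src: ts - events[src][0][0]
            for src, ts in detect_scanners(packets, **kw).items()}


def _rst(ts, internal_host, probed_port, external_host):
    # constructed RST/ACK from the probed internal host back to the prober
    return Packet(ts, internal_host, probed_port, external_host, 51000, "RA")


# Constructed capture: a fast scanner, a benign peer, a slow scanner and an
# internal-only RST.  Addresses are documentation ranges, not real hosts.
SAMPLE_PACKETS = (
    [Packet(100.0 + i * 0.5, "203.0.113.9", 51000, f"10.0.5.{10 + i}", 445, "S")
     for i in range(12)]
    + [_rst(100.0 + i * 0.5, f"10.0.5.{10 + i}", 445, "203.0.113.9") for i in range(12)]
    + [_rst(101.0, "10.0.5.20", 22, "198.51.100.7")]                 # one failed SSH connect
    + [_rst(200.0 + i * 15.0, f"10.0.5.{30 + i}", 3389, "192.0.2.44") for i in range(10)]
    + [_rst(150.0, "10.0.5.3", 80, "10.0.5.4")]                     # internal to internal
)

if __name__ == "__main__":
    print("alerts:", detect_scanners(SAMPLE_PACKETS))
    print("latency:", detection_latency(SAMPLE_PACKETS))
    print("wide window:", detect_scanners(SAMPLE_PACKETS, threshold=3, window=60.0))
```

With the defaults only 203.0.113.9 is flagged, 3.5 s after its first probe; the 192.0.2.44 source that probes once every 15 s never has more than one failure inside a 10 s window and is only caught when the window is widened, which is the trade-off between detection speed and false positives that any such threshold encodes.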

"Stopping Spam"
Scientific American (04/05) Vol. 292, No. 4, P. 42; Goodman, Joshua; Heckerman, David; Rounthwaite, Robert

Software programmers and purveyors of junk email are locked in an ever-escalating arms race as the spread of spam threatens to compromise the integrity of Internet communications, write anti-spam experts and research collaborators Joshua Goodman, David Heckerman, and Robert Rounthwaite. However, smart software filters, email sender authentication schemes, legal restrictions, and other anti-spam efforts could hold back the tide of spam through widespread usage or enforcement. The authors propose a combination of spam filters with machine-learning capabilities and proof systems designed to make spamming computationally and/or financially unaffordable. Machine-learning systems can be thwarted by spammers who obscure their output's wording, but such filters can be trained to recognize and adapt to these tactics; an important component of the researchers' work is the employment of n-gram techniques that use subsequences of words to identify key words frequently associated with spam. Among the proof system options Goodman, Heckerman, and Rounthwaite investigate are human interactive proofs, which are puzzles or problems that humans can easily solve but computers cannot; computational puzzles that senders' email systems must unravel; and micropayment schemes in which spammers pay a small amount of money for each email, so that the cumulative cost becomes prohibitive. The authors also see reputation services that certify legitimate senders playing an important role in anti-spam efforts, and give high marks to the Sender ID Framework as a sender authentication scheme designed to combat email "spoofing." Goodman, Heckerman, and Rounthwaite think federal legislation can complement technological defenses against spam. Click Here to View Full Article
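A word n-gram spam filter of the kind the summary describes, and the retraining step it says lets such filters adapt to obscured wording, can be shown with a multinomial naive Bayes classifier over unigrams and bigrams. This is an added example written for this page, not the authors' filter; the ten-message training corpus, the obfuscated test message and the classification threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$]+")


def ngrams(text, n_max=2):
    """Word unigrams plus word n-grams up to n_max, e.g. 'click here'."""
    words = TOKEN.findall(text.lower())
    feats = list(words)
    for n in range(2, n_max + 1):
        feats += [" ".join(words[i:i + n]) for i in range(len(words) - n + 1)]
    return feats


class NgramNaiveBayes:
    """Multinomial naive Bayes over word n-gram features with Laplace smoothing."""

    def __init__(self, n_max=2, alpha=1.0):
        self.n_max, self.alpha = n_max, alpha
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def train(self, text, label):
        feats = ngrams(text, self.n_max)
        self.counts[label].update(feats)
        self.docs[label] += 1
        self.vocab.update(feats)

    def log_odds(self, text):
        """log P(spam | text) - log P(ham | text); positive favours spam."""
        score = math.log(self.docs["spam"]) - math.log(self.docs["ham"])
        total = {c: sum(self.counts[c].values()) for c in self.counts}
        v = len(self.vocab)
        for f in ngrams(text, self.n_max):
            p_spam = (self.counts["spam"][f] + self.alpha) / (total["spam"] + self.alpha * v)
            p_ham = (self.counts["ham"][f] + self.alpha) / (total["ham"] + self.alpha * v)
            score += math.log(p_spam) - math.log(p_ham)
        return score

    def classify(self, text, threshold=0.0):
        return "spam" if self.log_odds(text) > threshold else "ham"


# Constructed corpus: five spam and five ham messages of five words each, so
# that both classes contribute the same number of features and a message made
# only of unseen words scores exactly zero (no evidence either way).
SPAM = [
    "free money click here now",
    "click here for free prizes",
    "buy cheap meds online now",
    "buy cheap meds click here",
    "free money now click here",
]
HAM = [
    "meeting at noon to review",
    "please review the attached report",
    "can we move the meeting",
    "the patch is ready today",
    "lunch at noon on friday",
]


def build_model():
    model = NgramNaiveBayes()
    for text in SPAM:
        model.train(text, "spam")
    for text in HAM:
        model.train(text, "ham")
    return model


if __name__ == "__main__":
    m = build_model()
    obfuscated = "fr33 m0ney cl1ck h3re"   # constructed wording-obscured spam
    print(m.classify("click here for free money"), m.classify("review the patch before the meeting"))
    print("before retraining:", m.classify(obfuscated), round(m.log_odds(obfuscated), 3))
    m.train(obfuscated, "spam")             # the adaptation step the summary mentions
    print("after retraining:", m.classify("cl1ck h3re for fr33 m0ney"))
```

The obscured message slips through at first because none of its n-grams were ever seen, which is exactly the evasion the summary describes; once one labelled copy is added, the same model flags a rearranged variant, because the bigram "cl1ck h3re" and the individual tokens now carry spam evidence.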

.From Microsoft's TechFlash, April 12, 2005
So-called phishing scams seem to be on the decrease since their peak last summer (http://go.microsoft.com/?linkid=2679334), but there are still good reasons to be wary. A fraudulent e-mail message that claimed to be a "Microsoft Inc." [sic] newsletter was circulated recently. In this particular instance, the subject line was "Download the new beta software from Microsoft today." The included link to an executable file was, of course, not from a legitimate Microsoft source. Ironically, the bogus file also claimed to be "our new anti-spyware software." Here's a quick review of how to avoid these look-alike scams (http://go.microsoft.com/?linkid=2679335). (A less technical description (http://go.microsoft.com/?linkid=2679336) is also available.)

.From ACM's Queue, April 18, 2005
Organizations of all sizes are spending considerable efforts on getting patch management right--their businesses depend on it. Read the article.

.From ACM's TechNews, April 18, 2005

"Stanford Joins Multi-Institution Center on Research in Cybersecurity and Computer Trustworthiness"
Stanford Report (04/14/05); Yang, Sarah; Levy, Dawn

Leading security experts from eight universities will join forces under the Team for Research in Ubiquitous Secure Technology (TRUST), funded for five years with about $19 million from the National Science Foundation (NSF). The University of California-Berkeley will lead the effort, joined by other institutions such as Stanford University, Carnegie Mellon University, and a number of industry and research groups. TRUST researchers note the growing importance of cybersecurity in the modern age, since so much critical infrastructure is dependent on computer systems. Researchers at Stanford's Computer Security Lab will bring expertise in a number of fields, including applied cryptography, access control, data privacy, and network security; VMWare founder Mendel Rosenblum and automated methods expert David Dill are among the Stanford faculty joining the effort. The Stanford Computer Security Lab also leads the Privacy, Obligations, and Rights in Technologies of Information Assessment (PORTIA) program for the NSF, and lab co-directors John Mitchell and Dan Boneh are working on a Web phishing and identity theft project with the U.S. Secret Service. TRUST will focus on creating new technologies that enable organizations to build trustworthy control systems for critical infrastructure; besides protecting these systems from attack, TRUST technologies will also imbue them with resiliency so that they can keep operating even under attack. System design needs usability enhancements in order to strengthen the human element of computer security, which is often the weakest link, notes TRUST center director and UC-Berkeley professor S. Shankar Sastry. Click Here to View Full Article

.From ACM's TechNews, April 15, 2005

"Putting Teeth Into U.S. Cybercrime Policy"
CNet (04/14/05); Hines, Matt

Cyber Security Industry Alliance (CSIA) executive director Paul Kurtz, a former member of the President's Critical Infrastructure Protection Board, explains in an interview that the CSIA's purpose is to give the federal government all the relevant information it needs when considering new cybersecurity legislation. He says a key goal of his organization "is to look across the scope from the simple awareness of cybersecurity as a safety issue to building up education in cybersecurity, to looking at the policy implications of what the executive and legislative branches are considering, to looking at criminal behavior and increasing penalties." Kurtz says the CSIA is pushing for Senate ratification of Europe's Convention on Cybercrime, which would help set up an international architecture for investigating and prosecuting cybercriminals. He says cyberfraud practices such as phishing could have a bearing on homeland security, when one weighs the possibility of a convergence between for-profit hacking, organized crime, and terrorism. The point where these various elements intersect must be established, and such considerations could drum up federal support for more stringent cybercrime policies. Kurtz says the CSIA is partnered with the Center for Democracy and Policy's working group to study spyware and adware in an effort to find a balance between consumer protection and the rights of companies that distribute spyware. "I think there is a need to look at this stuff in a comprehensive context," he remarks. Kurtz also notes that prior to the CSIA's formation, there was no organization fully devoted to cybersecurity policy issues. Click Here to View Full Article

"Surveillance Works Both Ways"
Wired News (04/14/05); Zetter, Kim

University of Toronto professor Steve Mann put his concept of "equiveillance through sousveillance" into action when he led about 24 attendees of ACM's Computers, Freedom, and Privacy (CFP) conference in Seattle to a local shopping mall to film or take pictures of surveillance cameras and gauge the reactions of shoppers, store managers, and security personnel. The principle behind equiveillance through sousveillance is the establishment of surveillance parity between the monitors and the monitored. Mann and his party filmed smoked-glass ceiling domes in stores that may or may not house surveillance cameras, and wirelessly sent their pictures to displays in the conference lobby. Companies have been known to install camera domes without cameras in an effort to save money while maintaining the illusion of surveillance, a concept that was in keeping with the CFP event's theme of the Panopticon. The Panopticon is philosopher Jeremy Bentham's model prison, which keeps inmates in line simply by maintaining the possibility that they are being monitored. The conference attendees at the mall wore conference bags with dark plastic domes, some of which were equipped with wireless Webcams. Mann says watching the watchers often involves an element of duplicity, and he has designed technologies that promote surveillance equality. One such product is a wallet equipped with a card reader that can only be opened if someone swipes their ID through the reader. Click Here to View Full Article

"Prying Eyes Are Everywhere"
USA Today (04/14/05) P. 1D; Kornblum, Janet

The commercial availability of high-tech spying tools such as hidden cameras, global positioning system devices, and software that monitors computer activity is allowing average citizens to conduct clandestine surveillance on their spouses, children, friends, and neighbors. And the wide expansion of free, easy-to-find personal information online makes background checking a simple matter as well. Howard Rheingold, author of "Smart Mobs: The Next Social Revolution," says these trends have put Orwellian technology into the hands of "your nosy neighbor, your ex-spouse, and people who want to spam you." Privacy Activism's Deborah Pierce, a speaker at this week's 15th annual Computers, Freedom & Privacy Conference, believes citizen snooping is widespread, as evidenced by increasing numbers of legal cases. Paul Saffo of the Institute of the Future warns that spying citizens run the risk of discovering knowledge they would come to regret knowing, and being found out by the people they are monitoring. One of the most common forms of citizen sleuthing is "soft surveillance," in which a curious person enters someone's name on a search engine. Many people use surveillance technologies such as spy software and hidden cameras to keep track of their children's whereabouts or activities, but UCLA psychology professor Gerald Goodman says excessive monitoring can create a feedback loop of distrust between parents and kids. There may be some value in monitoring for kids with serious behavioral problems, but experts recommend the judicious selection and use of tracking technologies. Click Here to View Full Article

.From ACM's TechNews, April 13, 2005

"UC Berkeley to Lead $19 Million NSF Center on Cybersecurity Research"
UC Berkeley News (04/11/05); Yang, Sarah

The National Science Foundation has selected the University of California, Berkeley, to head its eight-university Team for Research in Ubiquitous Secure Technology (TRUST) center, and the facility is expected to receive a five-year grant of about $19 million, with the possibility of a $20 million extension for another five years afterwards. This comes at a time when the vulnerability of U.S. critical infrastructure makes increased support for fundamental cybersecurity research a matter of considerable urgency, according to a March report from the President's Information Technology Advisory Committee. UC Berkeley's academic partners include Carnegie Mellon University, Vanderbilt University, Smith College, San Jose State University, Stanford University, Mills College, and Cornell University, while industry and other participants include Oak Ridge National Laboratory, Intel, IBM, Hewlett-Packard, Symantec, and the ESCHER research consortium. "The cybersecurity community has long feared that it would take an electronic Pearl Harbor for people to realize the scale of disruptions possible from a concerted attack by terrorists," explains TRUST center director and UC Berkeley professor S. Shankar Sastry, who notes that system design has not adequately aligned with human users and systems' usability thus far. TRUST researchers will commit themselves to the development of novel technologies designed to make organizations more capable of designing, constructing, and operating trustworthy critical infrastructure information systems. TRUST will sponsor and manage education and outreach programs to help train the next generation of trustworthy systems engineers, with a special emphasis on minority and underrepresented populations. The center will be an interdisciplinary effort that brings together experts in public policy, economics, social science, and human-computer interface technology. Click Here to View Full Article

"Diffie: Infrastructure a Disaster in the Making"
SearchSecurity.com (04/12/05); Brenner, Bill

Whitfield Diffie, Sun Microsystems' chief security officer and co-creator of the Diffie-Hellman key exchange, says in an interview that his biggest concern is the proliferation of Windows systems into critical infrastructure, which could result in major failures in the event of an attack. He characterizes careful software coding as a more pressing need than tech diversity, explaining that "you probably shouldn't use Windows [for critical infrastructure] because of too little care to coding too deep in its guts." Diffie thinks censorship applications for controlling Web sites employees can visit are overhyped and distracting people from the much bigger problem of critical infrastructure vulnerabilities. He predicts that the next decade will see elliptic curve systems supplant modular arithmetic-based key systems and have a significant impact as smaller, integrated mobile devices become widespread. In addition to being more compact, elliptic curve is faster and more power-efficient, and scales down the size of register keys. Diffie says hand-held browsers and similar technologies will fuel people's hunger for more efficient, lower-power systems. He also foresees standard security technologies such as the Advanced Encryption Standard overthrowing competing products such as DES, 3DES, and RC4, and being incorporated into hardware and software worldwide. Diffie believes widespread Public Key Infrastructure (PKI) use is an inevitability, but acknowledges the existence of a standardization problem he primarily attributes to capital development difficulties. Click Here to View Full Article

.From ACM's TechNews, April 8, 2005

"Lessons in Cybersafety"
ITworldcanada.com (04/05/05); Parkins, Robert

The current Internet structure makes security breaches inevitable since it assumes reasonable behavior, warned Harvard Law School Internet and society executive director Jonathan Zittrain. Because attackers use the same information avenue machines receive legitimate input from, there is always the chance that incoming data could be used to control computers. This situation is eroding privacy, Zittrain told attendees of the sixth annual privacy and security conference hosted by British Columbia's Ministry of Management Services. One way to solve the problem would be the creation of separate virtual networks that run atop the current infrastructure, but are controlled so as to ensure the identities of participants; these secure networks would probably be administered by software companies, but their development prodded by government agencies who use their purchasing clout to demand greater security. Government and industry are colluding to conduct surveillance on citizens, warned ACLU Technology and Liberty Project director Barry Steinhardt. Private data brokers and "policy laundering" practices by government effectively negate domestic review of controversial government activity; policy laundering refers to government use of international organizations to develop policies by proxy outside of normal domestic purview, such as how new passport standards are being developed by the International Civil Aviation Organization. Secured Services chief technical officer Michael Smith said many IT security problems could be traced to application-centric architectures that create redundant accounts and complicated authentication processes. Identity lifecycle management systems can help streamline IT security by centralizing the creation, maintenance, and audit of identities. Click Here to View Full Article

"Bigger Phishes Ready to Spawn"
CNet (04/06/05); Hines, Matt

Security researchers say the growth of phishing attacks has slowed dramatically, but they warn that online criminals are crafting more sophisticated attacks that employ pharming, instant messaging platforms, cross-site scripting, and DNS poisoning. Phishing attacks are also targeting smaller groups of people who hold valuable information, enabling the attacks to use more effective social engineering techniques. Salesforce.com customers, for example, were targeted with phishing messages offering free trials of new application features. Anti-Phishing Working Group Chairman Dave Jevans suspects the thieves used account names and passwords to steal corporate information that could be resold to marketers or used for industrial espionage. Phishers can use more effective social engineering with a smaller group of targets instead of general spam messages. An attack via the Yahoo! Messenger platform in March leveraged contacts in people's address books, and shows that phishers could also be targeting teenagers who might be more prone to divulge personal information. Another innovative social engineering attack mimicked antiphishing messages from eBay and other firms, warning users not to release personal information via email, said Mail-Filters' Dan Ashby. Among legitimate links included in those messages was a link to a fraudulent site. Phishers are also becoming more professional, changing their techniques in response to publicized security information. When warnings about cross-site scripting were published, some attackers began loading content into Web pages' internal frame rendering so that it would reach people who had turned off JavaScript applications. Click Here to View Full Article

.From ACM's Queue, April 4, 2005
Understanding Software Patching: Developing and deploying patches is an increasingly important part of the software development process. Read the article.

.From ACM's Queue, March 28, 2005
An Update on Software Updates: Editor Ed Grossman passed me the pen this month to tell you about our topical focus on software updates. Read the article.

. Kill the Bots!, an article at Technology Review.com, May, 2005.

. From EduPage, April 11, 2005

Program Teaches Hacking To Raise Awareness
BBC, 8 April 2005

The University of La Salle in Barcelona has begun a program to raise awareness of computer hacking and to teach teens how to protect themselves. Sponsored by the Institute for Security and Open Methodologies (ISECOM), the Hacker High School invites students from local high schools to the La Salle campus to expose them to the ins and outs of hacking. Pete Herzog, managing director of ISECOM, said the program shows participants how computer hacking is accomplished so that they can understand the concepts behind what computers do, how to clean them, how applications can compromise computers, and the implications for personal privacy. According to one official from the program, the goal is to provide experiences for students to learn how hacking happens so that they will become "ethical hackers, good hackers, knowing what they do and what the limits are." School officials believe having skills as an ethical hacker could be beneficial when students go looking for jobs later. http://news.bbc.co.uk/2/hi/programmes/click_online/4423351.stm

. From EduPage, April 4, 2005

Higher Ed Fares Below Average For Computer Security
New York Times, 4 April 2005

A recent spate of computer-security incidents at colleges and universities has drawn attention to the apparent tension between concerns over academic freedom and the need to protect sensitive information. Stanton S. Gatewood, chief information security officer at the University of Georgia, which suffered a security breach last year, noted that higher education is "built on the free flow of information and ideas," saying that college and university networks are designed based on that ideal. The result, however, is a tempting target for information thieves. According to the Office of Privacy Protection in California, colleges and universities in that state have accounted for more data incidents since 2003--close to 30 percent--than any other group. Although some states now prohibit using Social Security numbers as identifiers in many databases, their continued prevalence makes changing structures difficult. The University of Michigan, for example, spent seven years weaning itself off Social Security numbers. Because testing agencies and other organizations continue to use them, however, the university finds it still has to track them. (registration req'd) http://www.nytimes.com/2005/04/04/technology/04data.html

.From New York Times, April 4, 2005

Some Colleges Falling Short in Security of Computers
By Tom Zeller Jr.

If the computer age is continually testing how well institutions protect personal information, the nation's colleges and universities may be earning a failing grade. Read the article.

.From ACM's TechNews, April 4, 2005

"Carnegie Mellon Unit Looks to Advance IT Security, Reliability"
Computerworld (03/28/05) P. 23; Thibodeau, Patrick

Pradeep Khosla, dean of Carnegie Mellon University's Carnegie Institute of Technology and co-director of CyLab, explains in an interview that CyLab is focusing on next-generation IT systems that incorporate measurability, sustainability, security, and trustworthiness. He says that CyLab absorbed the Sustainable Computing Consortium, whose goal was to enhance the quality and reliability of software by reducing the number of bugs. Khosla says CyLab splits up its research into "thrusts:" Its resilient and self-healing systems thrust, for example, is not about security per se, although it does address some security issues. Other thrusts Khosla mentions cover user authentication and access control, data and information privacy, business economics, and threat detection modeling. The CyLab co-director notes that CyLab has the same goals as IBM's autonomic computing initiative, although their approaches differ--CyLab, for instance, usually concentrates on higher-risk problems. Khosla reports that CyLab has produced a practical secure storage demo system which is being expanded to include self-security, self-analysis, and self-repair. Such a system would enable users to trace data packets back to the source, and Khosla predicts that a lab-developed coding scheme for facilitating packet tracing will become commonplace in the next three to five years. He thinks CyLab's backers could put malicious code detection on the CyLab 2006 agenda at next month's meeting. Click Here to View Full Article

. From EduPage, April 1, 2005

Spammer Files For Bankruptcy Protection
BBC, 1 April 2005

Scott Richter, proprietor of one of the world's best known spamming operations, said the company has been forced to file for bankruptcy protection. OptInRealBig.com has been the target of several lawsuits for violating antispam laws, including one lawsuit filed by Microsoft, which is seeking $46 million in damages. Spamhaus, an organization that monitors junk e-mail globally, ranks OptInRealBig.com third on its list of spam operations around the globe. The company is alleged to have sent billions of e-mail messages that appeared to come from hijacked return addresses, including those of the Kuwait Ministries of Communication and Finance, the Seoul Municipal Boramae Hospital, and the Virginia Community College System. In its announcement, OptInRealBig.com said that the ongoing lawsuits and possible damages have made it impossible for the company to "still run a viable business." An attorney for OptInRealBig.com said the company expects ultimately to prevail. http://news.bbc.co.uk/2/hi/technology/4400335.stm

Lawsuits Target Phishers
Reuters, 31 March 2005

Microsoft has filed 117 "John Doe" lawsuits against operators of Web sites involved in phishing scams. Phishers send e-mail messages that purport to be from a bank or other financial services institution. The e-mails tell recipients that they must visit a Web site and disclose personal information, typically under the pretense of updating account records or something similar. Disclosed information is then used for credit card fraud and other types of identity theft. Microsoft said it was filing the lawsuits in an effort to discover who is behind the largest phishing operations and put them out of business. Microsoft's Aaron Kornblum said, "We must work together to stop these con artists from misusing the Internet as a tool for fraud." http://www.reuters.com/newsArticle.jhtml?storyID=8051350

.From ACM's TechNews, March 30, 2005

"Secure Flight Faces Uphill Battle"
Wired News (03/29/05); Zetter, Kim

The Transportation Security Administration (TSA) has only fulfilled one of 10 requirements set by Congress for the Secure Flight passenger screening system, set to launch in August. The Government Accountability Office (GAO) says the TSA has set up an oversight committee for the Secure Flight program, but has not yet formulated policies to guide that committee. In addition, the TSA has not yet tested the accuracy and efficacy of data nor chosen what commercial data, if any, it plans to use; also lacking are redress procedures for passengers to challenge the system's assessments or change incorrect information. Secure Flight improves on the previous CAPPS II system by placing passenger screening functions in the hands of the TSA instead of the airlines. The TSA will combine airline passenger data, government information including terrorist watch lists, and commercial data to identify possible terrorists. ACLU Technology and Liberty Project director Barry Steinhardt says airlines might have to begin collecting new information from passengers to pass on to the TSA and help verify matches against watch lists, and he doubts Secure Flight will be ready by the August deadline, when the TSA is expected to begin testing Secure Flight with two domestic carriers before rolling it out for all domestic air travel. But TSA's Yolanda Clark says the GAO report should be considered a progress report, not a final evaluation; Secure Flight is a 14-month project and was evaluated by the GAO at the eight-month point, she says. The TSA recently finished testing airline, government, and commercial data, and IT infrastructure and hardware are already in place. Click Here to View Full Article

"Identity Theft Made Easier"
Wall Street Journal (03/29/05) P. B1; Delaney, Kevin J.

Identity thieves made headlines with security breaches at ChoicePoint and LexisNexis, but common search engines provide a much easier route to obtaining illicit personal information. Google hacking, the practice of crafting specific search queries using special commands to find sensitive personal data, was demonstrated at an Agora security industry meeting in Seattle, where teams raced to accumulate the most identity information in an hour. The winning team found a directory with the Social Security numbers of more than 70 million deceased persons, while the second-place team uncovered hundreds of scanned passport documents and a Justice Department site listing employees and their work credit-card numbers. The contest rules limited teams to using only Google to turn up data, though real hackers would likely employ other means to burrow further into exposed systems. Google and other public search engines are not responsible for the privacy breaches since they only index publicly available Web data; instead Web site operators and negligent users are to blame for data left open to the public, says Seattle chief information security officer Kirk Bailey, who organized the Agora Google-hacking contest. Data exposed via Google is often left open by people who think the information is hidden. Organizations have a responsibility to perform audits of their own networks to ensure sensitive data is not left exposed, and to enable firewall software that blocks public access to sensitive areas of the network; Google also plays a cat-and-mouse game with hackers as it tries to disable the most effective Google hacks while keeping the service as accessible as possible, say Google-hacking experts. There are a number of books and Web sites that provide information on Google hacks, and non-technical people can make use of them.

"Cars Are Getting Computer-Jacked"
CNet (03/25/05); Spooner, John G.

The presence of automotive electronics is expanding both in the dashboard and under the hood, reducing clutter and freeing up designers to experiment aesthetically. "Everything is blending into one unified theme," notes Ford Motors designer Anthony Pozzi, who designed the Meta One concept sports car displayed at the New York International Auto Show; the car boasts a fluent design that features recessed buttons rather than stalks for changing gears, and a trio of LCD screens for displaying speed, navigation data, and other traditional gauges that can be customized to the driver's preferences. Nearly all auto models are expected to offer some type of MP3 player link in the next several years, and demand for in-vehicle iPod connectors has spurred several manufacturers to plan such offerings, although embedded hard drives may eventually outdate such devices. Electronics are also permeating car safety systems, such as networked sensors for measuring the vehicle's wheel speed, steering wheel angle, and yaw, which can be used to support dynamic stability control and other fail-safes. Eventually, car computer systems will be imbued with predictive capabilities so that they can facilitate collision avoidance and other safety-enhancing operations. Such systems are currently offered in deluxe models only, but auto executives at the show predicted that they will be incorporated into cheaper vehicles, either as an option or as standard gear. Computer systems perhaps have the greatest penetration in hybrid cars that run on both gas and electricity. Hybrid vehicles from Toyota use such systems to control the switch between electric and gas, and make the transition imperceptible. Click Here to View Full Article

. From EduPage, March 30, 2005

Thief Grabs Laptop And 100,000 Identities
Inside Higher Ed, 29 March 2005

Officials at the University of California at Berkeley said that a laptop stolen from the university's graduate division contained personal information for nearly 100,000 individuals. The computer included records for applicants to Berkeley's graduate programs from fall 2001 to spring 2004; students enrolled in the school's graduate programs from fall 1989 to fall 2003; and individuals who received doctorates from Berkeley between 1976 and 1999. Although no evidence exists that any of the stolen information has been used fraudulently, according to a statement from the university, the institution is required by a California law to disclose the breach to those affected. The statement said the university is making "every reasonable effort to notify by mail or e-mail all 98,369 individuals whose names and Social Security numbers were on the computer." http://www.insidehighered.com/index.php/news/2005/03/29/theft

.From ACM's TechNews, March 28, 2005

"Terror Plot to Cripple UK in Cyber Attack"
Scotsman (UK) (03/22/05); Kirkup, James

Due to a growing dependence on electronic networks in Britain and throughout the world and increasing technological sophistication of terrorists, Britain's counter-terrorism coordinator David Omand issued an alert that both government and private sectors need to ramp up electronic anti-terrorism defenses. Omand says terrorists are working on launching a crippling cyberattack, warning that top al Qaeda operatives that have been arrested or are being tracked have shown significant technological sophistication. Former Metropolitan Police Authority Chairman Toby Harris warns of "significant vulnerability in the systems we all rely on," and Omand believes the defense against cyberterrorism will fail unless businesses in the private sector begin taking the threat seriously and upgrading their defenses. Attacks could come in the form of denial of service attacks, hacking into sensitive electronic systems, attacking electricity grids or systems controlling hydroelectric dam flood gates, or carrying out a coordinated physical and electronic attack on emergency systems. The global aspect of the Internet has Britain working with countries they often regard with hostility to prevent cyberattacks. Harris says, "Britain could be quickly reduced to large-scale disorder, including looting and rioting, in the event of a serious disruption of critical national infrastructure." Click Here to View Full Article

"Security Counterattack"
Network World (03/21/05) Vol. 22, No. 11, P. S12; Gittlen, Sandra

Experts warn that new data center technologies and Web services will increase security burdens because of the added complexity; instead of guarding a perimeter and managing internal application security, IT managers will have to be able to secure every node on their network and validate the security of Web services building blocks from outside sources. Complexity is not only an issue for IT managers, but for users as well: A Palo Alto Research Center (PARC) study showed laptop users spent an average of two hours configuring 802.1X security. PARC developed an enrollment station architecture for enterprises that would allow users to configure their system settings according to network policy in just two minutes using close-proximity communications such as infrared. Cornell University's Information Assurance Institute, meanwhile, is working on language-based security that builds security basics into programming in hopes of fostering more secure Web services in the future. Web services pose serious security risks because of their connectivity and the interdependence of various services' code, and Information Assurance Institute director Fred Schneider advocates safe systems languages for building Web services and other extensible applications. Internet2 researchers have created the Shibboleth Project for simplifying authentication in cross-organizational situations where users would otherwise have to register multiple times; by reducing the amount of personal information sent out by users, these systems would be less prone to identity theft and fraud. Grid computing organizations have accepted Shibboleth as an important security technology. ContentGuard, founded by former PARC researchers, offers technology to protect content after it has left the network; the group's Extensible Rights Markup Language (XrML) has been submitted to OASIS and offers a way to control content distribution and accessibility. Click Here to View Full Article

.From ACM's TechNews, March 25, 2005

"War of Words over Operating Systems' Safety"
New Scientist (03/23/05); Biever, Celeste

Recent reports on Linux-based Web servers, the open-source Firefox Web browser, and Apple's Mac OSX operating system raise doubts about their security, which experts contend is still better than their Microsoft equivalents. Symantec's biannual Internet Security Threat report issued on March 21 indicates that 21 new programming errors were uncovered in Firefox between July and December 2004, compared to 13 in Internet Explorer. ScanIT also released on Monday a conflicting report that low patching rates made 98% of IE users exploitable in 2004, while just 15% of Linux users were vulnerable; ScanIT founder David Michaux also notes that Symantec found fewer severe errors in Firefox than in IE. The Symantec report lists 37 vulnerabilities in Mac OSX, and takes the Repeno worm discovered last October as a sign that the Mac operating system is increasingly being targeted for hacks usually associated with Microsoft and numerous Unix-based OSes. Independent security consultant Richard Forno counters that the Symantec report inflates the significance of the Mac OSX vulnerabilities, arguing that hackers "want to go after the low-hanging fruit and the Mac OSX is still not as bug-ridden as Windows." A March 22 report commissioned by Microsoft and released by Florida Institute of Technology computer scientist Richard Ford takes note of 174 vulnerabilities in an open-source Linux server, compared to 52 in a Microsoft counterpart. In addition, the interim between reporting a flaw and patching it was substantially shorter with the Microsoft server than the Linux server. Sophos security consultant Graham Cluley calls these findings immaterial since Linux users are far fewer in number and more likely to patch their systems than Windows users, which makes them less attractive to hackers. Click Here to View Full Article

"Does IM Stand for Insecure Messaging?"
CNet (03/23/05); Hines, Matt

The threat of instant messaging (IM) worms is growing, and a key factor in their spread is the obliviousness of users and IT administrators. "A person unaware of the IM threat is the biggest risk that exists for these viruses to have some success," warns McAfee research fellow Jimmy Kuo. Most IM worms are disguised as attachments to messages that appear to originate from trusted sources, so that the recipient opens them without ever realizing that he or she has downloaded malware that rapidly spreads to all the names on their IM buddy list. Aladdin Knowledge Systems technology VP Shimon Gruper reports that IM's scant built-in security has made it unnecessary for hackers to target the IM code, but some experts think such attacks are inevitable. Furthermore, IM's popularity as a communications medium between computers and smart phones could make mobile devices vulnerable to viruses sent from PCs. The workplace penetration of public IM applications is increasing corporate networks' susceptibility to IM-borne threats, although businesses are usually better fortified against malware than consumers. There is also evidence to suggest that recent IM worms are being employed as a way for hackers to communicate with one another. VeriSign principal scientist Phillip Hallam-Baker says that although there have been few IM attacks so far, that could change. He says "that as email systems are being secured, there's a displacement effect and people are moving their efforts over to IM." America Online's Andrew Weinstein feels that user awareness of the IM threat is the best defense, and recommends that users regard every IM they receive with caution, even if it appears to come from a familiar sender. Click Here to View Full Article

"Cyberterrorism Isn't a Threat Yet, One Expert Says"
Fort Worth Star-Telegram (03/23/05); Batheja, Aman

Cyberterrorism is a concept that has been overblown by the media and poses no threat, though someday it will evolve into a threat worth worrying about, according to longtime computer security expert Marcus Ranum, the inventor of the proxy firewall. Ranum made his comments at Texas Christian University on Tuesday during a lecture on computer hacking and terrorism. Cyberterrorism is an impractical means for terrorists to carry out their objective of striking fear into the hearts of their enemies, Ranum said. "Is it more cost effective to train yourself a cadre of cyber-ninjas or is it more effective to find idiots who will believe in your cause and wrap themselves in plastic explosives?" asked Ranum. Hackers have the capability of disrupting large parts of the Internet, but the Internet would be up and running again within 10 minutes, Ranum says. Despite his contention that cyberterrorism is not worth worrying about, Ranum does allow that the U.S. is vulnerable to cyberterrorism, pointing out that the vulnerability that produced the East Coast blackout of 2003 went undetected. Also, there is little security protecting the infrastructure that controls the nation's sewage systems, he says. Click Here to View Full Article (Access to this site is free; however, first-time visitors must register.)

.From New York Times, March 19, 2005

Growth of Wireless Internet Opens New Path for Thieves
By Seth Schiesel

The spread of the wireless data technology known as Wi-Fi has reshaped the way millions of Americans go online, letting them tap into high-speed Internet connections effortlessly at home and in many public places. ... But every convenience has its cost. Federal and state law enforcement officials say sophisticated criminals...

.From ACM's TechNews, March 23, 2005

"IBM Embraces Bold Method to Trap Spam"
Wall Street Journal (03/22/05) P. B1; Forelle, Charles

Efforts to block spam are getting more aggressive, as the fight moves from passive spam filters to counterattacking measures such as "teergrubing," where spammers are trapped by tying up their servers. Although open-source counterattacking software has been available for a while, new products from IBM and Symantec have made the practice less problematic for corporate users. A new service from IBM that sends junk email directly back to the machine identified as the spammer is scheduled to debut on March 22. The system, which is based on IBM's FairUCE technology, scans incoming data packets bearing email and checks their point of origin against a continually updated database of established spamming machines, routing the data back to the sender if the source is in the database. The zealousness of the response is proportional to the amount of spam received. The system can also delay rather than unequivocally reject data packets originating from a computer that is probably but not definitely spamming. Symantec, meanwhile, released a product in January that uses "traffic shaping" to slow links from suspected spamming machines: Data streams that appear to be coming from a spammer are throttled down so that data moves slowly; Symantec's Carlin Wiegner says the product is designed to "slow [spammers] down so much that it is more interesting for them to spam some small business or some other country." Both IBM's and Symantec's products are geared toward large companies with sizable enough email traffic to realize significant profits from less spam. The products do not break anti-hacking laws that criminalize unauthorized entry to a remote system, even to protect another system; but they can boost network traffic, which is generally unwanted. "Yes, we are adding more traffic to the network, but it is in an effort to cut down the longer-term traffic," argues IBM corporate security strategy director Stuart McIrvine.

"Decrypting the Future of Security"
Globe and Mail (CAN) (03/18/05); Kirwan, Mary

Lawyer, writer, and IT security expert Mary Kirwan notes that there was "universal agreement" among speakers and panelists at the recent RSA Security Conference that innovation is a fundamental component of IT, that security is important, and that something must be done to improve security; from there the debate over what to do devolved into a blame game where most fingers were pointed at software vendors. Vendors, most clearly represented by a panel of lawyers, warned that imposing liability and subjecting them to government regulation would choke innovation and lead to higher prices, arguing that the burden of security belongs to users. One panelist disagreed, noting that customers are demanding better software licensing terms, as well as input into the code development lifecycle, greater transparency, and code escrowing in the event vendors are unavailable when customers need them. In-house Microsoft lawyers dominating the panel implied that the legal concept of "intervening criminal act" would spare vendors from being found guilty of negligence, and raised the possibility that consumers would be charged with contributory negligence. Audiences, however, generally favored legislation mandating software quality assurance and liability for code development as long as it improved IT security and eliminated vaporware providers. Security guru Bruce Schneier, former U.S. cybersecurity czar Richard Clarke, one-time U.S. elected House representative Rick White, and ITAA President Harris Miller formed a panel debating software regulation. White and Miller, representing the industry, argued that government intervention is "highly undesirable," with Miller damning widely adopted European Union software security liability laws as globally out of touch. Clarke, meanwhile, reflected the attitude of many senior government officials who have lost patience with the IT industry. Click Here to View Full Article

.From ACM's TechNews, March 21, 2005

"Study Criticizes Government on Cybersecurity Research"
New York Times (03/19/05) P. B2; Markoff, John

The federal government's cybersecurity research investments are woefully insufficient, concludes a report prepared by a subcommittee of the President's Information Technology Advisory Committee (PITAC). The report says the U.S. should give $148 million annually to the National Science Foundation to be channeled into Internet security research, as well as greater research investments by the Homeland Security Department and the Defense Advanced Research Projects Agency (DARPA). "The federal government is largely failing in its responsibility to protect the nation from cyberthreats," declared panel co-chair Edward Lazowska, who also chairs the University of Washington's computer science and engineering department. SRI International computer scientist Peter Neumann criticized both the White House and Congress for giving civilian cybersecurity research a low priority. Panelists were also concerned about DARPA and the National Security Agency's shift in focus from long-term academic research to short-term classified research, and noted a basic shortage of leadership and coordination in the federal cybersecurity research effort. They proposed the creation of a federal interagency group to address this shortage. The subcommittee argued that the cybersecurity research community lacks the numbers to fulfill a federal objective to at least double the population of civilian cybersecurity researchers by 2010. The report criticizes the commercial cybersecurity strategy of patching, and lists 10 cybersecurity research areas that should take precedence, including cyberforensics, authentication technologies, monitoring and detection tools, and secure protocols. Click Here to View Full Article

"Cleaning Spam From Swapping Networks"
CNet (03/18/05); Borland, John

Cornell University researchers led by assistant computer science professor Emin Gun Sirer have developed "Credence," a new open-source software program designed to clear peer-to-peer (P2P) networks of spam by allowing different computers to "gossip" with each other to determine which P2P files are trustworthy. Credence starts out in the manner of many contemporary P2P networks, in which users rate the legitimacy of files; but the gossiping function checks to see how users on other systems have rated the same files, looking for similar evaluations. During a file search, Credence gives priority to results that receive high ratings by this user community with matching ratings. Spammers who rate their own files as legitimate are thus segregated from these communities of well-reputed computers. "I believe in people; I think most people are honest," notes Sirer. "I think it will be people on the periphery who will be kept out." However, antipiracy companies plant decoys of popular digital content in file-swapping networks in an effort to curb copyright infringement, and the Credence software could filter out these decoys as well. Still, Overpeer general manager Marc Morgenstern is confident that antipiracy companies such as his will inevitably find a way to bypass such filters as part of the arms race between digital pirates and copyright holders. Click Here to View Full Article

.From ACM's TechNews, March 16, 2005

"Schneier: Secure Tokens Won't Stop Phishing"
IDG News Service (03/15/05); Roberts, Paul

Strict government regulation is more important for e-commerce security than technology solutions, says Counterpane Internet Security founder Bruce Schneier in an interview. Schneier's article in the April issue of Communications of the ACM argued that two-factor authentication and other end-user technology solutions will not be enough to thwart determined hackers. He says online fraud is becoming more active and immediate; multi-factor authentication is useless when Trojan programs monitor plain text and keystrokes or when man-in-the-middle attacks dupe users into entering information on fake Web sites. Two-factor authentication is useful in some applications, such as securing internal access to company servers, but not for e-commerce. Schneier says a more effective solution to e-commerce fraud is to make banks liable for financial fraud in the same way credit card companies face most of the cost of credit card fraud. After regulations in the credit card industry, those companies began tightening down on fraud through detection technology in their own databases instead of focusing on how customers use their cards; Schneier believes the banking industry will similarly take steps to identify and stop online fraud if their bottom line is threatened. In the battle against online fraud, absolute security is impossible because security is a continuum--the aim is to manage risk enough so that commerce can continue. Security tokens issued by U.S. Bancorp, e-Trade, and America Online will provide improved security against some e-commerce threats, but eventually the benefits from multi-factor security will diminish as hackers shift tactics, says Schneier. Click Here to View Full Article

"Crack in Computer Security Code Raises Red Flag"
Wall Street Journal (03/15/05) P. A1; Forelle, Charles

A flaw in a "hash function" technique for encrypting online data has been uncovered by a team of Chinese researchers at Shandong University, and this has raised alarms in the computer security industry because it casts doubt on the so-called impenetrability of hash function-based cryptography. The researchers found the vulnerability using the SHA-1 hash algorithm, a federal standard circulated by the U.S. National Institute of Standards and Technology (NIST) that is also considered to be cutting edge as well as the most popularly employed hash function. The Shandong team learned that "collisions," in which two different chunks of data yield the same hash, can be uncovered in SHA-1 far faster than previously thought. Cryptographers say the exploitation of the flaw, though seemingly impractical, could affect applications involving authentication, theoretically enabling a hacker to erect a bogus Web site with convincing security credentials and steal data sent to it by unsuspecting users. Counterpane Internet Security CTO Bruce Schneier confirms the existence of the SHA-1 flaw, which the Chinese researchers have not publicized. NIST is advising federal agencies to keep SHA-1 out of any new applications, and urging them to devise plans to eliminate SHA-1 from existing applications. Recently demonstrated vulnerabilities in other hash functions such as MD4 and MD5--which SHA-1 is based on--have also made cryptographers nervous. Concerns about information security are at an all-time high even without revelations about hash functions' vulnerability, most recently thanks to break-ins at data aggregators LexisNexis and ChoicePoint.

. From EduPage, March 28, 2005

Georgia Uncovers Misuse Of Online Portfolios
Chronicle of Higher Education, 1 April 2005

After discovering files containing personal information on its e-portfolio system, officials at the University of Georgia are reviewing the institution's policies for online portfolios. A student in the university's New Media Institute--part of the school's journalism program--had used the e-portfolio system to store a list of names and credit card numbers on a university-owned server. Officials at the school are not sure how the student obtained the list, which came from a North Carolina company that sells pharmaceutical products online, or what the student intended to do with it. The server where the file resided was immediately taken down, and officials are now combing through the rest of the files before re-posting them, looking for any other inappropriate information. According to Scott Shamp, director of the New Media Institute, the incident has raised questions about how long and under what terms the university will offer online portfolio services to its students. Shamp, who expressed support for online portfolios, pointed to the possibility of third-party options to address concerns over liability for the institution. (sub. req'd) http://chronicle.com/prm/weekly/v51/i30/30a04102.htm

Tech Companies Coordinate Efforts To Fight Hackers
CNET, 28 March 2005

A group of leading technology companies has formed the Fingerprint Sharing Alliance to coordinate efforts to fight hackers. Members of the alliance include British Telecommunications, Cisco Systems, EarthLink, MCI, NTT Communications, and the University of Pennsylvania. When any member of the alliance experiences an attack by a hacker or notices evidence that would suggest an attack, all other members are notified, increasing the odds of limiting damage from the attack. Jim Slaby, senior analyst with the Yankee Group, expressed support for the new alliance and the kind of intercompany communication on which it is based. "Service providers that are cooperating by sharing attack fingerprints are helping mitigate these threats more quickly and closer to the source," he said, "thus making the Internet a more secure place." http://news.com.com/2100-7355_3-5642840.html

. From EduPage, March 21, 2005

Dartmouth Decides To Penalize, But Not Eliminate, Hackers
Pittsburgh Post-Gazette, 18 March 2005

Applicants to the Tuck School of Business at Dartmouth College who used a hacker's tips to try to access admissions records were not automatically disqualified, though their actions were considered by school officials in their admissions decisions. The decision to consider applications of those involved in the hacking was made after consultations with faculty and staff and with the applicants themselves. Unlike officials at Harvard University, Duke University, MIT, and Carnegie Mellon University, administrators at Dartmouth decided that the hacking, while serious, "did not reach the level that would necessarily bar a person from being a valued member of the Tuck community," according to Paul Danos, dean of the school. Attempting to access restricted records was viewed by the school as "a very important negative factor" in considering the applications, but ultimately the school's decision did not rest on that single factor. Of the 17 applicants involved, some were admitted, and those who enroll will be monitored and counseled. The incident will also become a part of their files. http://www.post-gazette.com/pg/05077/473361.stm

Applying Old Scams To New Technologies
Wired News, 20 March 2005

The emergence of voice over Internet protocol (VoIP) phone service has opened a new door for hackers and others to fool users. Using the Internet to transmit phone calls allows callers to spoof Caller ID systems, something that isn't possible with traditional phone service. Although telemarketers are required by the Federal Communications Commission to properly identify themselves, Caller ID spoofing is otherwise not prohibited. As a result, someone can, for example, call Western Union, which requires customers to call from their home phones to initiate money transfers, using a faked source number, and make a fraudulent transfer. In other instances, debt collectors and private investigators use Caller ID spoofing to trick people into answering their phones and possibly divulging information they otherwise would not. Scams similar to e-mail phishing rackets also take advantage of Caller ID spoofing, deceiving people into believing that a caller is at a bank or a financial institution and helping persuade them to reveal personal information to the caller. http://www.wired.com/news/privacy/0,1848,66954,00.html

. From EduPage, March 18, 2005

Hackers Target Boston College Alumni Database
ZDNet, 17 March 2005

A computer at Boston College with access to an alumni database has been found to be infected with a virus that may have exposed personal information on more than 100,000 individuals. According to officials at the college, the computer was operated not by the college but by a third-party IT service, which officials declined to name. Although no evidence has so far surfaced that any of the information in the database was in fact accessed by hackers, officials decided to notify anyone who might have been affected. Jack Dunn, spokesperson for Boston College, said, "We thought it was necessary to send out the precautionary advisory to alert the alumni and to offer them steps that they could take to ensure their privacy." Dunn also noted that Boston College will hereafter delete Social Security numbers from its records, despite their usefulness in maintaining accurate records. Social Security numbers have lately been highlighted as one of the pieces of personal information that pose the greatest risk for identity theft. Members of Congress have recently proposed strict restrictions for how and when Social Security numbers can be gathered and sold. http://news.zdnet.com/2100-1009_22-5623084.html

. From EduPage, March 23, 2005

Study Blames Users For Encouraging Spam
BBC, 23 March 2005

A new report lays much of the blame for the ongoing problem of spam at the feet of computer users who open spam messages and even buy products or services advertised in spam. According to the survey, conducted by Mirapoint and the Radicati Group, nearly one-third of users have opened such messages, and one in ten has made a purchase. The report calls such actions "bad e-mail behavior" and said it encourages not just marketers but con artists to continue sending vast amounts of spam. Many adult-themed e-mail messages lure computer users into visiting Web sites that then install spyware or other malicious code. Graham Cluley, senior technology consultant for security firm Sophos, agreed that users bear much of the responsibility for spam's continued presence. "If no one responded to junk e-mail and didn't buy products sold in this way," he said, "then spam would be as extinct as the dinosaurs." http://news.bbc.co.uk/2/hi/technology/4375601.stm

. From BBC News, March 22, 2005

Rise of zombie PCs 'threatens UK'
BBC News, March 22

The UK leads the world in home computers that have been hijacked by malicious hackers, warns a report. Read the article.

. From New York Times, March 13, 2005

Can a Virus Hitch a Ride in Your Car?
New York Times, By Tom Zeller Jr. And Norman Mayersohn

What if viruses, worms or other forms of malware penetrated the computers that control ever more crucial functions in the car? Read the article.

. From New York Times, March 12, 2005

What to Expect of 'Spamalot'? A Lot of Spam
New York Times, By David F. Gallagher

A security glitch exposed the names and postal and e-mail addresses of more than 31,000 people who had signed up for newsletters for "Spamalot" and "Movin' Out." Read the article.

. From Edupage, March 11, 2005

Schools Criticized Over Rejection Of Nosy Applicants
Chronicle of Higher Education, 11 March 2005

A number of business-school applicants who were rejected due to their looking at university admissions records online without authorization have spoken out against the universities' decision to exclude them. Carnegie Mellon University, Harvard University, and MIT have rejected the applications of 153 individuals who used a hacker's instructions to try to find out if they had been accepted. Although some applicants involved acknowledged that accessing the records was wrong, they contended that the actions do not constitute hacking and that the institutions have overreacted. One rejected applicant wrote a letter to Harvard, admitting a "lapse in judgment" but noting that he "wasn't trying to harm anyone and wasn't trying to get an advantage over anyone." Len Metheny, CEO and president of ApplyYourself, the software that all the affected schools used for applications, said the procedure to access the records was sufficiently complicated that anyone doing so would have to have known it was unauthorized. (sub. req'd) http://chronicle.com/prm/daily/2005/03/2005031104n.htm

. From ACM's Tech News, March 2, 2005

"'Perfect Storm' for New Privacy Laws?"
CNet (03/01/05); Lemos, Robert

A spate of high-profile data security breaches has caught the attention of a number of U.S. senators who are advocating more unified privacy laws. Just 10 days following the announcement of ChoicePoint's loss of more than 145,000 individuals' information to fraud, Bank of America said it lost backup tapes containing customer records of 1.2 million federal employees. Sen. Ron Wyden (D-Ore.) five years ago warned colleagues against an "Exxon Valdez of privacy," and Electronic Privacy Information Center executive director Marc Rotenberg says recent events will likely be the trigger for serious congressional action. Sen. Bill Nelson (D-Fla.) is preparing to revise the Fair Credit Reporting Act to treat data aggregators such as ChoicePoint and Acxiom like credit-reporting agencies. Another possibility is a federal version of California's Security Breach Information Act, which Sen. Dianne Feinstein (D-Calif.) proposed in June 2003 without success. That measure would require government agencies and businesses to notify individuals whose personal data may have been compromised. Cato Institute analysts suggest the use of tort law to force companies to strengthen their data security, and one California woman is already suing ChoicePoint for not adequately protecting her information. Besides business interests, the Bush administration may not want too strong regulation on data aggregators because agencies such as the Department of Homeland Security and Department of Justice rely on those firms for identity-verification services. Click Here to View Full Article

. From Edupage, March 4, 2005

Harvard Rejects Applicants Who Peeked
Wall Street Journal, 8 March 2005

Officials from the Harvard Business School said they will reject 119 applicants who used a hacker's instructions to try to find out whether they had been accepted by the school. Calling the action "unethical" and saying that it cannot be rationalized, a statement from Harvard said, "Any applicant found to have done so will not be admitted to this school." Administrators at Carnegie Mellon University have also said they will reject candidates who attempted to gain unauthorized access to admissions records. Applicants to several other institutions affected--including Stanford University, Duke University, and Dartmouth College--will have to wait to find out how those schools decide to treat the situation. Using the instructions posted online by a hacker, applicants were able for a short period to use a name and password to access the admissions records. Institutions have been able to identify applicants who accessed admission records based on the name and password. For many who looked, there was no decision in the system, and school officials stressed that even if an applicant located an answer, those decisions were not necessarily final. Some have criticized Harvard officials for responding too harshly to the incident. (sub. req'd) http://online.wsj.com/article/0,,SB111029921614173536,00.html

Hackers Compromise Publisher's Database
CNET, 9 March 2005

Hackers compromised a database owned by publisher Reed Elsevier, gaining access to names, addresses, Social Security numbers, and driver's license numbers of about 32,000 individuals. Other information, including credit history and financial data, was reportedly not involved. The breach happened at Seisint, a data-collection company that the publisher bought last year. Seisint is a competitor to ChoicePoint, which recently reported an incident in which hackers accessed records on 145,000 individuals. According to officials at Reed Elsevier, the fraud came to light when a billing complaint from a customer showed unauthorized activity with a user name and password. Reed Elsevier is contacting the individuals affected and working with the FBI and the Secret Service to locate the hackers. http://news.com.com/2100-1029_3-5605736.html

. From Edupage, March 4, 2005

Hacker Exposes Admissions Records
San Jose Mercury News, 3 March 2005

A hacker who was able to access admissions records for dozens of business schools posted instructions online for how applicants could access those records. Among the universities whose records were exposed were Harvard University, Stanford University, Duke University, Carnegie Mellon University, and Dartmouth College. All of the affected schools use an online application and notification system called ApplyYourself. The vulnerability that allowed the unauthorized access has been fixed, but during the nine hours in which the systems were exposed, several hundred students attempted to find out if they had been accepted to schools to which they applied. Final decisions and notifications of acceptance are not expected for several more weeks. School officials have been able to identify at least some of the applicants who gained access to the records systems, and officials from some schools said such activity would factor into the admission decision. Steve Nelson of Harvard's MBA program said, "Hacking into a system in this manner is unethical and also contrary to the behavior we expect of leaders we aspire to develop." Even if a student saw a decision, said Nelson, that decision isn't final until March 30. http://www.siliconvalley.com/mld/siliconvalley/11044063.htm

. From ACM's Tech News, February 28, 2005

"Thwarting 'Evil Geniuses'"
Spokane Journal of Business (02/24/05); Read, Paul

Blue Water Technologies CEO John Shovic teaches computer-science majors at Eastern Washington University about cyberthreats and their perpetrators so that they can shield themselves against such dangers. He teaches four courses: The first two detail computer network operations, the deployment of security measures, and the hacking of networks; the second two courses educate students in malware creation, hacking strategies, and defensive measures by having them practice information warfare in a controlled, network-isolated environment. "Before you can learn to defend, you have to learn how to attack," argues Shovic, noting that his students attempt to breach computers in a special facility and learn computer forensics techniques to analyze security exploits and trace hackers. One exercise involves student teams attempting to disable each other's systems while simultaneously defending their own systems. Shovic divides hackers into two varieties: "Script kiddies" who download software that automates the location and infection of victims, and "evil geniuses" who craft malware and inflict serious harm; he says his courses focus on both mentalities, while the advanced classes primarily concentrate on the second, more damaging kind of hacker. To shore up against cyberattacks, Shovic recommends that businesses install internal security policies, such as restrictions on employees downloading software without supervision; protect networks from the Internet with firewalls; run and constantly update antivirus software; regularly update operating systems with patches issued by the manufacturer; make a greater effort to bolster internal security; and encrypt all data routed along wireless networks. Shovic says graduates of his courses have an easy time finding employment, given the desirability of network security expertise and the current scarcity of training in that area. Click Here to View Full Article

. From Edupage, February 28, 2005

Bank Loses Sensitive Data
New York Times, 26 February 2005

The Bank of America has lost backup tapes containing details of Visa cards that the bank issued to 1.2 million federal employees, who use the credit cards for travel expenses and other purchases related to government business. About 900,000 of those affected work in the Defense Department, according to Alexandra Trower, a spokesperson from the bank. Trower said that following a shipment of a number of such backup tapes, it was discovered that some were missing. The Secret Service was notified and is investigating the disappearance, but according to Trower, no evidence has surfaced that any of the lost information has been put to improper use or that the loss resulted from theft. The bank does not plan to change any of the affected credit card numbers, but it has notified those individuals whose information was included on the missing tapes. (registration req'd) http://www.nytimes.com/2005/02/26/national/26data.html

. From ACM's Tech News, February 25, 2005

"Cybercorps Scholarships Fund New Generation of Security Gurus"
Software (02/05) Vol. 22, No. 1, P. 98; McLaughlin, Laurianne

The goal of the National Science Foundation's Cybercorps scholarship program is twofold: To increase leading computer science students' knowledge of information assurance and security, and to encourage them to apply that knowledge to government work after they graduate. Professors think the scholarship students will enhance the safety of America's public and private digital infrastructure in the future. The program funds either an undergraduate's junior and senior years or a two-year graduate program, on the condition that recipients spend two years in the employ of a government agency following graduation. Participating universities can also receive capacity-building awards to help upgrade information assurance and security curricula and courses, as well as help the schools qualify as National Security Agency Centers for Academic Excellence. Cybercorps was motivated by a number of factors, including the need for more students with information assurance and security skills in government agencies. Cybercorps lead program director Diana Gant notes that nearly 90% of all Cybercorps graduates have earned a government job and been employed by government agencies, while Carnegie Mellon University Cybercorps program coordinator Don McGillen reports that students are electing to remain with government agencies even after their term of service ends. Placing Cybercorps graduates in government jobs can be a slow process because of the need for security clearances, although Gant says participating agencies are attempting to resolve this problem. The program's future targets include making government agencies more aware of the program, boosting the amount of real-world content that students use in classes, and addressing information security across multiple disciplines, including anthropology, engineering, political science, and sociology. Click Here to View Full Article

. From Edupage, February 16, 2005

Companies Point To Education For Poor Security Training
CNET, 16 February 2005

In a panel discussion at the Secure Software Forum in San Francisco, a number of major software makers pointed to inadequate security training at colleges and universities as a main reason software continues to be plagued with security flaws. Mary Ann Davidson, chief security officer at Oracle, said, "Unfortunately, if you are a vendor, you have to train your developers until the universities start doing it." Although other problems were identified, including a lack of sophisticated, automated tools to identify flaws, representatives of other software companies included in the panel agreed that at least some of the blame falls on colleges and universities for not providing graduates with sufficient understanding of security issues. Fred Rica, a partner in PricewaterhouseCoopers' Threat and Vulnerability Assessment Services, disagreed, saying that "Functionality still trumps security." When companies must decide how to allocate development money, he said, they choose new features over security for existing applications. A study by Gartner noted that although companies cite lack of skills among developers as a significant problem, those same companies put relatively little funding into training programs. http://news.com.com/2100-1002_3-5579014.html

. From ACM's Tech News, February 14, 2005

"How to Stop Junk E-Mail: Charge for the Stamp"
New York Times (02/13/05) P. BU5; Stross, Randall

Author and historian Randall Stross suggests that re-thinking the email system along the lines of the postal service, in which the sender pays for sending messages, can plug up the flood of spam. He describes the Can-Spam bill as "worse than useless," noting that prominent experts such as John Marshall Law School professor David Sorkin say the measure has effectively legalized unsolicited commercial email. Can-Spam places the burden of authorizing or not authorizing direct marketers to send junk email on the recipients through its "opt out" system. Stross writes that the recently created Messaging Anti-Abuse Working Group, whose members include ISPs such as Yahoo!, AOL, and EarthLink, is a promising venture, in that members are sharing anti-spam methods and courting other ISPs to adopt protective measures by screening both incoming and outgoing emails. Stross also notes that ISPs have begun to attach digital signatures of their customers' domain names to outgoing mail, preventing forgery or alteration via open-source DomainKeys encryption software. However, he doubts that authentication technologies or legislation will solve the spam problem, and calls for a scheme to make spammers pay for sending email that forces legitimate companies to concentrate on the best business prospects and makes spamming unprofitable for the more flagrant abusers. One such scheme is an email "stamp" proposed by computer scientists Cynthia Dwork and Moni Naor, in which the sender is charged a levy of time for each message he sends by forcing his computer to solve a complex computational puzzle. The Penny Black Project system would be used on a voluntary basis, and not be needed when the sender fires off email to friends and relatives. Another anti-spam strategy backed by AOL's Carl Hutzler is "Port 25 blocking," which would deny individual PCs from acting as a mail server; all outgoing mail would be forced to go through an ISP, where spam mail could be easily identified and blocked. Click Here to View Full Article
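The "levy of time" stamp is the one mechanism in this summary that can be shown end to end in code. Below is an added example of the proof-of-work idea behind such a stamp; it is not the Dwork-Naor construction or the Penny Black Project's code, and the header layout, the choice of SHA-256, the `|` separator, the 20-bit difficulty, and the sample addresses are all constructed for the demo. The sender must search for a counter that makes the stamp's hash start with a given number of zero bits (expensive, and the cost multiplies across a bulk mailing); the recipient checks it with a single hash, and also rejects stamps minted for another recipient or date and stamps it has already accepted, since a reusable stamp would cost nothing per message.

```python
import hashlib

DIFFICULTY_BITS = 20  # constructed: leading zero bits required of the stamp hash

def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _stamp_hash(stamp: str) -> bytes:
    return hashlib.sha256(stamp.encode()).digest()

def mint_stamp(sender: str, recipient: str, date: str,
               difficulty: int = DIFFICULTY_BITS) -> str:
    """Sender side: brute-force a counter until the stamp hash has
    `difficulty` leading zero bits. Expected cost is about 2**difficulty
    hashes per message, which is the levy of time.

    Stamp format (constructed): sender|recipient|date|counter.
    Fields must not contain '|'.
    """
    counter = 0
    while True:
        stamp = f"{sender}|{recipient}|{date}|{counter}"
        if _leading_zero_bits(_stamp_hash(stamp)) >= difficulty:
            return stamp
        counter += 1

def verify_stamp(stamp: str, recipient: str, date: str, seen: set,
                 difficulty: int = DIFFICULTY_BITS) -> bool:
    """Recipient side: one hash plus three cheap checks.

    Rejects malformed stamps, stamps bound to another recipient or date
    (so one stamp cannot be sprayed at many mailboxes), stamps below the
    difficulty target, and stamps already accepted (replay). `seen` is the
    recipient's store of accepted stamps for the date window it enforces.
    """
    parts = stamp.split("|")
    if len(parts) != 4:
        return False
    _sender, rcpt, dt, _counter = parts
    if rcpt != recipient or dt != date:
        return False
    if _leading_zero_bits(_stamp_hash(stamp)) < difficulty:
        return False
    if stamp in seen:
        return False
    seen.add(stamp)
    return True

if __name__ == "__main__":
    accepted = set()
    s = mint_stamp("alice@example.com", "bob@example.org", "2005-02-13")
    print("minted:", s)
    print("first delivery accepted:", verify_stamp(s, "bob@example.org", "2005-02-13", accepted))
    print("replay accepted:", verify_stamp(s, "bob@example.org", "2005-02-13", accepted))
```

Binding the stamp to recipient and date is what makes the economics work: the spammer's cost scales with the number of distinct mailboxes, while a legitimate sender pays a fraction of a second per message. Raising `DIFFICULTY_BITS` by one doubles the sender's expected work and leaves the recipient's check unchanged.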

"Terror's Server"
Technology Review (02/05) Vol. 108, No. 2, P. 46; Talbot, David

Terrorists have a diverse array of online tools and techniques at their disposal with which to fund their causes, spread their messages, swell their ranks, orchestrate malicious acts, and generate fear. Examples include the ghoulish posting of murder imagery; terrorist Web sites, which University of Haifa professor Gabriel Weimann says have exploded in recent years; and coded communications via email or chat rooms. Filters that block offensive Web content are available but imperfect, while Internet content regulation faces both legal challenges such as First Amendment rights and technical challenges such as filtering tools' tendency to sometimes shut out needed content. Still, the public and private sectors are aggressively developing and deploying new technologies for detecting and monitoring terrorist activity so that more effective anti-terrorism strategies can be formulated and implemented. A Rensselaer Polytechnic Institute research group is working on an algorithm that targets online social networks that could be used to plan terrorist activities. Industry efforts to combat spam and other forms of cybercrime also have anti-terrorist applications, as terrorists often use such scams to get funding; defensive measures in this vein include new email authentication schemes and moves by major ISPs to more conscientiously enforce their terms of service, which include provisions to remove objectionable content upon request. However, SRI International computer scientist Peter Neumann reports that these various efforts come up short because the cultural impetus to create trustworthy systems is lacking. Experts also think a cyberterrorism incident or the emergence of concrete connections between online fraud and terrorist attacks could provoke an overreaction in which government and industry transform Web content into a rigidly controlled and monitored resource. Click Here to View Full Article

. From ACM's Tech News, February 11, 2005

"Virtual Jihad"
Newsweek (02/09/05); Isikoff, Michael; Hosenball, Mark; Horesh, Andrew

Radical Islamic Web sites are urging readers to launch a cyber-jihad against their enemies; this calls attention to the potential for cyberterrorism, which national-security experts have identified as a major threat that could damage the United States far more seriously than the general public believes. Experts warn that critical, digitally-controlled U.S. infrastructure such as broadcasting networks, public utilities, and transportation systems are ripe for cyberattack--as is the FBI, which admitted as much after intruders broke into one of the bureau's commercial servers last week. One of the more notorious examples of well-coordinated cyberattacks was highlighted at a recent conference for federal computer-security experts hosted by the Defense Department's Computer Crime Center. The attack took place in the fall of 2000 when the capture of three Israeli soldiers by Lebanese Shiite fighters prompted angry hackers to deface the Shiite Hizbulla movement's Web site, which in turn triggered a cascade of Israeli-Palestinian cyber-warfare that eventually extended to U.S.-based targets. Israeli officials believe the online conflict was directly responsible for economic and governmental disruptions. The incident shows that nation-states, not just private citizens, are capable of cyberterrorism, according to Kenneth Geer with the Navy Criminal Investigation Service. Cybersecurity experts also point to a case in Australia in which a disgruntled former public utility contractor released raw sewage into public areas by breaking into the computer system that controlled a local sewer network, thus illustrating the potential damage that could be caused by crafty or well-informed hackers. SITE Institute director Rita Katz notes that almost all extremist Islamic Web sites calling for a holy war have how-to sections on cyberterrorism. Click Here to View Full Article

. From ACM's Tech News, February 9, 2005

"Project Honeypot Aims to Trap Spammers"
New Scientist (02/05/05) Vol. 185, No. 2485, P. 26; Biever, Celeste

The tide of spam can only be countered by a partnership between technology and legislation, stresses John Praed of the Internet Law Group. This was established by the trackdown, prosecution, and conviction of spammer Jeremy Jaynes, who may face nine years of incarceration for his activities, which netted him about $750,000 per month. Paul Graham, organizer of MIT's annual Spam Conference, says evidence uncovered at Jaynes' office suggests that spammers think spam filters are easier to thwart than they actually are. Filters, which scan messages for words typical of junk email, can sometimes be fooled by large amounts of random text spammers insert within their messages; or spammers can hijack computers with viruses and use them as spam launching pads. One tool Webmasters can use to build evidence against spammers is Chicago lawyer Matthew Prince's Project Honeypot software, which exploits a provision in the federal CAN-SPAM Act that criminalizes the harvesting of email addresses for spamming. The software can transform a Web site into bait for such harvesters: When "crawler" software visits the site, the software produces a bogus email address that the crawler captures, and records the time, date, and crawler address; this ensures that any mail sent to the fake address originates from the spammer. Prince admits that spammers will likely come up with anti-honeypot countermeasures, but says he has countermeasures of his own to deal with this scenario. Still, Graham notes that though Jaynes' conviction was cause for rejoicing at the Spam Conference, the battle against spammers is far from over. Click Here to View Full Article
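The honeypot mechanism described above is simple enough to sketch in code: each crawler visit gets a fresh, unguessable trap address, the visit (time, date, crawler address) is logged against it, and any later mail to that address is attributed back to the harvester. The following Python is an added illustration of that idea and is not Project Honeypot's software or its address format; the HMAC-derived local part, the `TrapLog` store, the SMTP-style log line format, the key, the domain and the IP addresses (from the documentation ranges) are all constructed for the demo.

```python
import hmac
import hashlib
import json
import re
from datetime import datetime, timezone

TRAP_KEY = b"constructed-demo-key-rotate-in-practice"  # constructed secret
TRAP_DOMAIN = "example.org"                             # constructed domain

def make_trap_address(visitor_ip: str, when: datetime,
                      domain: str = TRAP_DOMAIN, key: bytes = TRAP_KEY):
    """Derive a unique trap mailbox for one crawler visit.

    The local part is an HMAC over the visit record, so addresses cannot be
    predicted or enumerated by someone who has seen other trap addresses,
    and the same visit always maps to the same address.
    Returns (address, visit_record).
    """
    record = {"ip": visitor_ip, "when": when.astimezone(timezone.utc).isoformat()}
    tag = hmac.new(key, json.dumps(record, sort_keys=True).encode(),
                   hashlib.sha256).hexdigest()[:16]
    return f"contact-{tag}@{domain}", record

class TrapLog:
    """Store of issued trap addresses and the visits that received them."""

    def __init__(self):
        self._by_address = {}

    def record_visit(self, visitor_ip: str, when: datetime) -> str:
        """Called when a page is served to a suspected crawler: mint the
        address to embed in the page and remember who received it."""
        address, record = make_trap_address(visitor_ip, when)
        self._by_address[address] = record
        return address

    def attribute_mail(self, rcpt_to: str, sender_ip: str):
        """Mail arrived for `rcpt_to`: if it is a trap address, return the
        evidence tying the sending host to the harvesting visit, else None."""
        record = self._by_address.get(rcpt_to.strip().lower())
        if record is None:
            return None
        return {"trap_address": rcpt_to.strip().lower(),
                "harvested_by": record["ip"],
                "harvested_at": record["when"],
                "spam_sent_from": sender_ip}

# Constructed log line format for the demo: "<ts> RCPT TO:<addr> client=<ip>"
_LOG_RE = re.compile(r"RCPT TO:<([^>]+)> client=([0-9.]+)")

def attribute_log_line(log: TrapLog, line: str):
    """Parse one constructed SMTP log line and attribute it via the trap log."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return log.attribute_mail(m.group(1), m.group(2))

if __name__ == "__main__":
    log = TrapLog()
    visit = datetime(2005, 2, 1, 3, 14, tzinfo=timezone.utc)
    trap = log.record_visit("198.51.100.7", visit)       # crawler fetches the page
    line = f"2005-02-03T09:00:00Z RCPT TO:<{trap}> client=203.0.113.9"
    print(attribute_log_line(log, line))
```

Because no legitimate correspondent was ever given the trap address, a single message to it is evidence on its own; the log entry links the harvesting host, the harvest time and the sending host, which is the chain the article says the software records.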

. From ACM's Tech News, February 2, 2005

"Law Barring Junk E-Mail Allows a Flood Instead"
New York Times (02/01/05) P. A1; Zeller Jr., Tom

Instead of curbing the growth of unsolicited junk email, the year-old federal Can Spam Act has helped it along: Estimates reckon that spam currently accounts for about 80 percent of all email sent, compared to between 50 percent and 60 percent before the law was enacted. Antispam proponents such as Spamhaus Project founder Steve Linford contend that the law has legalized spamming by essentially granting bulk advertisers permission to send junk email as long as they adhere to certain regulations. Critics argue that Can Spam's biggest loophole is the requirement that recipients must opt out of being retained on an emailer's list, and violators simply use opt-out messages to confirm the validity of email addresses and the likelihood that people are using them. Institute for Spam and Internet Public Policy CEO Anne Mitchell says it is ridiculous to think that law enforcement agencies could halt spam's growth instantly, and notes that filters' general success probably contributed to the increase by forcing spammers to send out more junk email in order to maintain the dollar rate of return. Sen. Conrad Burns (R-Mont.) says judging Can Spam's effectiveness now is premature, noting in an email that the Federal Trade Commission may simply need a little prodding to enforce the law. Microsoft Internet safety enforcement lawyer Aaron Kornblum sees value in pursuing lawsuits against spam enablers under Can Spam, explaining that "Our objective with sustained enforcement activity is to change the economics of spamming, making it a cost-prohibitive business model rather than a profitable one." Unfortunately, analysts foresee the spam problem worsening as spammers take advantage of malware to turn PCs into "zombie" spam distributors and steal working email addresses from ISPs, while spam-friendly merchants subscribe to "bulletproof" Web host services to keep their Web sites offshore and out of U.S. jurisdiction. Click Here to View Full Article

. From New York Times, October 25, 2004

New I.B.M. Report Will Warn of Computer Security Threats
New York Times, October 25, 2004, by John Markoff

I.B.M. plans to begin releasing a monthly report of threats to computer networks in an effort to establish an indicator similar to the federal government’s Homeland Security Advisory System. Read the article

. From Is Your Job Going Offshore?, October 24, 2004

Outsourcing booms, although quietly
THE WALL STREET JOURNAL, By Jesse Drucker and Jay Solomon

Read the Article

. From New York Times, October 24, 2004

Identities Stolen in Seconds
by Timothy L. O'Brien

Identity theft, thanks mainly to the growth of the Internet, is epidemic. Can it be stopped? Read the article

. From ACM's TechNews, October 20, 2004

"Tech Firms, Lawmakers Target Spam, E-Mail Fraud"
Baltimore Sun (10/18/04) P. 1A; Bishop, Tricia

Spam and email fraud have entered the crosshairs of legislators and technology companies, making Bill Gates' prediction that spam would be eliminated by 2006 seem less unlikely now. "I think you'll see some real changes within three years," declares Pew Internet and American Life Project researcher Deborah Fallows. The general consensus among experts is that spam now accounts for 70 percent to 80 percent of all email, compared to approximately 10 percent three years ago. Meanwhile, the Anti-Phishing Working Group reports that phishing--the practice of scamming consumers into revealing personal financial data by using bogus Web sites and logos that resemble familiar financial services firms--has increased by a factor of 17 since December 2003 to almost 2,000 distinct scams. "One very big fear about spam is it will turn off people from electronic commerce and using email in general," notes John Palfrey of Harvard Law School's Berkman Center for Internet and Society. One of the more significant anti-spam developments was this month's passage of a Maryland law that carries a maximum fine of $25,000 and a 10-year prison sentence for violators, although some experts say such measures lack teeth in the absence of an effective method for verifying email senders. However, a trio of email authentication techniques is currently being tested by Internet service providers: One method focuses on verifying the authenticity of the address posted on the email's "envelope;" another aims to confirm the legitimacy of the address listed in the "from" line of an email; and the third employs a digital signature for message authentication. The Federal Trade Commission has stated that it will intercede and prescribe an email authentication standard if the industry cannot. Click Here to View Full Article

.From ACM's TechNews, October 13, 2004

"The Quest for Secure Code"
Globe and Mail (CAN) (10/12/04); Kirwan, Mary

Poor software quality is responsible for every one of the SANS Institute's top 20 Internet security vulnerabilities, yet universities still fail to teach proper coding techniques and government remains cowed by industry lobbying efforts. SANS Institute research director Alan Paller says evaluation and certification programs are needed to ensure that programmers have the proper training, and he notes that even universities designated by the government as "Centers of Excellence in Cybersecurity" do not require security courses for their IT graduates. Carnegie Mellon University computer science department head Jeannette Wing says that even if students are taught more security, practical realities at the workplace will mean feature-focused code produced quickly, if that is what those students' employers desire. Meanwhile, millions of business customers are hindered by restrictive licenses from tweaking their software purchases. Microsoft emphasizes security during its interview process for prospective employees and evaluates workers on their ability to deliver quality code, but the company has a huge legacy infrastructure and backward compatibility issues, says Wing. The government has made many efforts to intervene and make vendors liable for their products, but these have been met with hundreds of millions of dollars in lobbying efforts, notes Paller. Even attempts to make vendors liable with caps on potential damages have not worked, as IT industry lawyers are reluctant to admit that secure code is possible. Rep. Adam Putnam (R-Fla.), chair of the House subcommittee on cybersecurity policy, is expected to make a new push for legislation soon, and the Federal Information Security Management Act is also expected to drive change as vendors cater to the $40 billion federal IT market. Click Here to View Full Article

"A Matter of Trust: Privacy and Security in the Information Age"
IST Results (10/08/04)

A number of FP6 IST projects seek to improve privacy and identity management (PIM) in the hopes of enabling Europeans to interact in cyberspace safely and securely while allowing them to manage their personal data, a critical ability if citizens are to adopt new online services. Notable initiatives include Privacy and Identity Management for Europe (PRIME), the Future of Identity in the Information Society (FIDIS), Government User IDentity for Europe (GUIDE), and Roadmap for Advanced Research in Privacy and Identity Management (RAPID). The RAPID project, which was completed in June 2003, influenced the FP6 research agenda by recognizing two categories: A technical category concerning multiple and dependable identity management, infrastructure, and enterprise, and a nontechnical category that dealt with socioeconomic and legal issues. PRIME involves a 20-member international consortium that aims to improve the usability and functionality of privacy-enhancing technologies (PETs) through the application of "privacy by design" and "data minimization" principles: The former focuses on building PETs into information systems using basic technologies such as human-computer interfaces, ontologies, authorization, and cryptology, while the latter stresses permitting the collection of personal data on an as-needed basis. Both the FIDIS and GUIDE projects emphasize the need for an integrated, coordinated, Europe-wide identity research effort to achieve their respective goals. FIDIS members will collaboratively investigate interoperability of IDs and ID management systems, forensic applications, mobility issues, profiling, the "identity of identity," and de-identification and the high-tech ID. GUIDE's objective is to construct an open architecture for secure, compatible e-government electronic ID services and transactions for Europe. Click Here to View Full Article

.From EduPage, October 11, 2004

Antispam Conference Calls For International Cooperation
BBC, 11 October 2004

Attendees of the International Spam Enforcement Workshop this week heard officials from the United States and the United Kingdom make the case that a key element to addressing the problem of spam is increased international cooperation. Data suggest that 60 percent of all e-mail is spam and that 80 percent of spam originates in a different country from where it is delivered. More than 20 nations were represented at the workshop, organized by the U.S. Federal Trade Commission (FTC) and the U.K.'s Office of Fair Trading (OFT). Deborah Majoras, chairwoman of the FTC, said that the biggest challenge to stopping spam is locating its source, which requires governments to share information on suspected spammers. Richard Thomas, the U.K.'s Information Commissioner, called for expanding powers of enforcement to shut down spammers. He said governments should pass laws requiring Internet service providers (ISPs) to disclose information about spam sent on their systems, something ISPs currently are not forced to do. http://news.bbc.co.uk/2/hi/technology/3733864.stm

.From ACM's TechNews, October 8, 2004

"Mission: Critical"
Information Security (09/04) Vol. 7, No. 9, P. 26; Barlas, Stephen; Earls, Alan; Fitzgerald, Michael

An Information Security survey of professionals in the financial, energy, transportation, telecom, and government sectors highlights the vulnerability of the U.S. critical infrastructure to online attack: Fifty-one percent of financial services professionals say their industry is not prepared for cyberattacks, a sentiment echoed by 57 percent of energy industry respondents, 65 percent of transportation industry respondents, 60 percent of telecom workers, and 62 percent of federal IT/security personnel. Still, most respondents agree that their sector is better prepared for cyberattacks than it was before Sept. 11, 2001. The cyberterrorist threat has spurred workforce, infrastructure, and data redistribution, as well as the erection of flexible backup centers and lines of communication, among financial institutions; sector-wide collaboration to understand and protect against individual and collective threats is being facilitated by data exchange channels such as the Financial Services Information Sharing and Analysis Center. The energy sector's cyber-vulnerability is growing as the supervisory control and data acquisition (SCADA) systems that direct the majority of energy automation link to the Internet, and the industry's response has been to build security standards and information sharing, while the departments of Homeland Security (DHS) and Energy are studying and lowering risks through a National SCADA Testbed. Each sub-sector of the transportation industry is exploring and implementing cybersecurity strategies, with air transportation being scrutinized the most because of privacy issues related to the personal data airlines are collecting. Telecom experts are more fearful of the damage potential of a multi-pronged assault than of a single attack, but few think such a siege would cripple the United States. Especially frustrating are the poor marks the DHS has been receiving from security experts, although the government security improvement budget will increase while administrative bodies such as the DHS' National Cybersecurity Division will continue to disseminate security information to both federal and private entities, stage incident response exercises, and build more secure government networks. Click Here to View Full Article

.From ACM's TechNews, October 6, 2004

"Hacking 101: It's For Your Own Good"
Charlotte Observer (10/05/04); Choe, Stan

UNC Charlotte (UNCC) professors such as Bill Chu believe the best way to cultivate network security professionals is to "expose our students to dark side techniques so they gain insight on how bad guys can penetrate systems and how to effectively protect them." Chu teaches Vulnerability Assessment and System Assurance, an ethical hacking course that assigns homework such as breaking into a computer network or spreading malware. Students enrolled in the course are required to sign a legal agreement in which they promise not to employ the techniques or information they learn for malevolent purposes. Russell Shackelford, who heads ACM's education board, notes that teaching students responsible, ethical behavior has been a difficult task for computer science and IT programs, and the usual strategy has been to teach a separate course on ethics that often bores students. More and more "white hat" hackers are being hired by businesses to attempt to crack corporate network security so that vulnerabilities can be spotted and remedied before malicious hackers can exploit them. At a recent UNCC lecture, a visiting professional white hat hacker told students that courses such as Chu's merely provide the tools for learning hacking skills, which cannot be cultivated without a student's own drive. "It goes to fundamental human curiosity," he remarked. Ethical hacking students often find work on companies' IT staffs. Click Here to View Full Article

"Cyber Center Targets Internet Plagues"
NewsFactor Network (10/05/04); Martin, Mike

Much as the Centers for Disease Control studies how to prevent and contain human sicknesses, the National Science Foundation (NSF) is funding a new Center for Internet Epidemiology and Defenses (CIED) that will study computer viruses and worms. The Internet's openness and efficiency may have led to its phenomenal success, but those qualities also pose the biggest challenge to the Internet, says CIED project director and University of California computer science professor Stefan Savage. "Infection is spread via contact, and the Internet allows a host infected in one place to rapidly contact any other system on the planet," he explains. Outbreaks occur so fast that only fully automated defenses will be able to control them, which is why CIED is focusing on classes of computer infections, not just single versions of computer code. University of California at Berkeley International Computer Science Institute senior researcher Vern Paxson says creating defenses against a known infection is easy, but understanding entire classes of pathogens requires deep insight into the behavior of those infections and how it differs from normal network activity. CIED will use technology such as "network telescopes" and "network honeyfarms" to monitor and measure ongoing Internet infections in real time in order to gather evidence. Eventually, the researchers expect to produce algorithms that can automatically create virus and worm signatures to inoculate systems. CIED is part of the NSF's $30 million Cyber Trust program, which aims not only to deal with current problems but to create more secure and resilient infrastructure for the future, notes NSF Cyber Trust program director Carl Landwehr. Click Here to View Full Article

"The Search for Computer Security"
Harvard University Gazette (09/30/04); Powell, Alvin

Greg Morrisett, a professor at Harvard University's Division of Engineering and Applied Sciences (DEAS), believes the burden of trusting an incoming program to be free of bugs or malware should be transferred from the computer user to the program itself. "What we're aiming for is a day when you don't have to 'trust' a code, where you can state your guidelines [for acceptable code] and the builder would have to give you a [mathematical] proof that you can check," he explains. Morrisett, a programming language pioneer who has developed tools that identify exploitable flaws in computer programs, is authoring software tools designed to help programmers write less buggy code. He estimates that one bug exists for every 100 to 1,000 lines of code, and the growing complexity of computer programs makes manual checking for bugs impractical without computerized assistance. Morrisett's tools scan code for consistency in a process that the DEAS professor likens to checking that speed calculation formulas use the same units. Morrisett acknowledges that the programs he designs for tracking down and eliminating software bugs can just as easily be used for exploitation by hackers. He predicts that "The next round of questions [pertaining to computer security] will be ethical, legal, and social," and he hopes to use his position at Harvard to help address these questions. He says, "We have to understand that technology gets you to a certain place, and the remaining questions are harder." Click Here to View Full Article

.From EduPage, October 4, 2004

Survey Shows U.S. Computer Users Unaware Of Security Risks
BBC, 3 October 2004

A survey commissioned by the National Cyber Security Alliance (NCSA) shows significant gaps in understanding among U.S. computer users about the actual threat posed by computer security problems. According to the survey, 30 percent of Americans believe they are more likely to be hit by lightning, to be audited by the IRS, or to win the lottery than to be the victim of a computer security problem; among users under the age of 25, the rate of those who believe this rises to 40 percent. In truth, cybersecurity threats, including viruses, phishing scams, and hacking, affect about 70 percent of computer users, while the odds of being hit by lightning are 0.0000102 percent, according to the U.S. National Weather Service. The survey also found that 90 percent of computer users remember Janet Jackson's "wardrobe malfunction" during the Super Bowl, but only 60 percent remember when the security software on their PCs was last updated. Ken Watson, chairman of the NCSA, said that 91 percent of PCs are infected with some variant of spyware. The NCSA has declared October to be National Cyber Security Awareness month in the United States and is sponsoring educational efforts to teach users about the real risks of ignoring cybersecurity. http://news.bbc.co.uk/2/hi/technology/3708260.stm

.From ACM's TechNews, October 4, 2004

"E-Cyclers Embrace Data Destruction"
eWeek (10/01/04); Hachman, Marc

Computer recyclers are taking measures to verifiably destroy data as well as hardware in order to comply with federal regulations such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, which prohibit the public exposure of confidential data by financial and health care institutions; meanwhile, fears of civil suits are driving more traditional companies to pursue the same goal. Debate has sprung up over the best techniques to destroy data, which range from Department of Defense-compliant overwriting software to the physical shredding of disk platters. Software vendors say that overwriting a hard disk once either with other files or random bits of data is inadequate, as some or all of the information in a file can be revealed by latent magnetism. The DOD's 5220.22-M specification advises overwriting each disk sector several times with nonrandom and pseudorandom data. However, shredding is recommended for both nonfunctional drives and drives with more than 10 defects. A Sept. 30 teleconference between members of the National Association for Information Destruction (NAID) failed to resolve differences between supporters of software wiping and supporters of shredding, but attempts will be made to reach an accord before the NAID board's final recommendation on Nov. 29. Small-scale nonprofit recycling organizations are also joining the data destruction bandwagon, and a lack of certification procedures for compliance with the DOD's 5220.22-M spec is benefiting these firms by boosting competition in the data-destruction product market. Data destruction certification has been adopted by many recyclers as a saleable service, and there is little oversight in the negotiation of contracts and certifications between recyclers and clients. Click Here to View Full Article
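As an added example that is not code from the eWeek article or from any vendor's wiping product, the Python below overwrites a file in place with a fixed byte, its complement, and then pseudorandom data, fsyncing each pass, and afterwards checks that the original contents can no longer be read back; the three-pass sequence and the constructed sample record are assumptions for illustration.

```python
import os
import secrets
import tempfile

# Assumed three-pass sequence for this example: a fixed byte, its complement,
# then pseudorandom data (one reading of a 5220.22-M style multi-pass wipe).
# None marks the pseudorandom pass.
PASSES = (b"\x00", b"\xff", None)
CHUNK = 64 * 1024


def overwrite_file(path, passes=PASSES, chunk=CHUNK):
    """Overwrite every byte of the file at `path` in place, once per pass.

    Each pass is flushed and fsynced so the data reaches the device before
    the next pass starts. Returns the number of passes completed.
    Caveat: this reaches only the blocks the filesystem currently maps to the
    file; remapped bad sectors, journal copies and SSD wear-levelled blocks are
    not touched, which is one reason shredding is recommended for defective
    drives.
    """
    size = os.path.getsize(path)
    done = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
            done += 1
    return done


def verify_wiped(path, samples):
    """Return True if none of the given byte strings still occur in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return not any(sample in data for sample in samples)


def demo():
    """Wipe a constructed 'confidential' file; return (passes, wiped, size_kept)."""
    # Constructed sample content standing in for a customer record.
    record = b"ACCOUNT=12345678 SSN=000-00-0000 NAME=Jane Doe\n" * 4096
    samples = [b"ACCOUNT=12345678", b"SSN=000-00-0000", b"Jane Doe"]
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(record)
        before = os.path.getsize(path)
        if verify_wiped(path, samples):
            raise RuntimeError("sample data missing before wipe; test setup failed")
        passes = overwrite_file(path)
        wiped = verify_wiped(path, samples)
        size_kept = os.path.getsize(path) == before
        return passes, wiped, size_kept
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```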

"App Developers Need to Redouble Security Efforts"
eWeek (09/30/04); Schindler, Esther

The recent Gartner Application Development Summit included new statistics underscoring the need for development and quality assurance teams to increase their security efforts. Gartner research director Theresa Lanowitz says the problems of IT network and physical security have been solved for the most part, which means that the application layer is now the most vulnerable. Companies must take responsibility for security issues during development or face a higher risk of a catastrophic event. According to Gartner, if 50 percent of software vulnerabilities were dealt with before production use, enterprise configuration management costs and incident response costs would each be reduced by 75 percent. Lanowitz says someone in the organization must be responsible for security issues, such as an "application security architect." This person's primary focus is the risk that a company faces, and articulating that risk to staff and management. Lanowitz says government agencies and financial institutions have been leading the way in creating application security architects who work on the same level as application architects and ensure that security testing is added to the quality assurance framework. Gartner predicts that 80 percent of development teams will incorporate application security architects by 2006. Lanowitz also expects to see a wave of development tools integrating security functions by 2007, although the market for now is in its infancy. Click Here to View Full Article

.From EduPage, September 29, 2004

California Gets Tough On Spyware
Reuters, 28 September 2004

Arnold Schwarzenegger, governor of California, this week signed an antispyware bill that criminalizes placing software on another user's computer without authorization. The bill bans surreptitious software that monitors users' surfing habits or tracks keystrokes, among other types of spyware. Under the legislation, computer users can sue those responsible for spyware for actual damages from the applications. Several other states and the federal government are currently working on similar measures to try to limit unauthorized software. Critics of the law say it lacks adequate enforcement provisions. Spyware expert Ben Edelman called the bill "a piece of junk," saying it is "the most superfluous of all legislation." http://www.reuters.com/newsArticle.jhtml?storyID=6359582

.From EduPage, September 24, 2004

Concern Grows Over JPEG Flaw
BBC, 24 September 2004

Some security experts are warning users that a recently announced flaw in the way some Microsoft applications handle JPEG images could lead to the next large-scale virus infection. David Perry of anti-virus firm Trend Micro noted that the combination of several factors has his firm especially worried about the JPEG flaw. Those factors, Perry said, include the number of applications that are affected by the flaw--more than a dozen--and the fact that there has not been a significant virus attack for some time, which may have the effect of lowering users' attention to preventive measures. When the flaw was announced, no code had yet appeared that exploited it. Within the past week, however, such code has been written and has appeared on a private mailing list and a public Web site. Perry characterized the current situation as "the virus equivalent of a harmonic convergence." Others were not as worried about the threat posed by the flaw. Graham Cluley of anti-virus firm Sophos noted that so far no malicious code is being delivered using the flaw. "It is purely being done as a 'proof of concept,'" said Cluley. http://news.bbc.co.uk/2/hi/technology/3684552.stm

.From ACM's TechNews, September 22, 2004

"Reports on Spam Levels Paint Differing Views of the Problem"
Wall Street Journal (ONLINE) (09/21/04); Bialik, Carl; Creighton, Deborah S.

Accurately measuring the extent of the spam problem and the effectiveness of strategies to combat it is complicated by inconsistent statistical reports on the volume of junk email, and by the fact that the most oft-cited reports are furnished by antispam software vendors. An August estimate by MessageLabs determined that spam constituted 84 percent of all email, while a report from Brightmail indicated 66 percent. Meanwhile, FrontBridge Technologies and Brightmail claim that the spam problem continues to expand, while AOL contends that spam growth has been level for the past 12 months. The antispam companies supplying these reports usually cull their data from email they scan for corporate clients, which may not represent a cross-section of Internet users, though both vendors and certain analysts believe spam-fighting products' mainstream penetration is reducing this sampling bias. Still, the inconsistency between spam level reports has been a frustrating factor for legislators: For example, spam level estimates gathered by the Organization for Economic Cooperation and Development (OECD) varied so wildly as to discourage the organization's attempt to evaluate the spread of spam and the performance of countermeasures. "There's not much out there except what's coming from private companies, where the methodology differs and we don't know how it differs," remarks Dimitri Ypsilanti with the OECD. Muddling matters are divergent definitions of spam among antispam companies and nations, while some spam filters operate by amassing reports from users, whose characterization of spam is not always objective. Furthermore, the reported numbers are mean averages that can be distorted by major spam attacks against a few companies. Click Here to View Full Article

.From SANS' News Bites, September 22, 2004

FTC Considers Offering Bounties for Spammer Convictions
17 September 2004

The US Federal Trade Commission would like to be able to prosecute more spammers, but given the lack of admissibility of much of the evidence they use in identifying spammers, this has proven problematic. What they need is hard, admissible evidence, probably provided by an insider. Such evidence would likely be provided only if there were a bounty program, much like Microsoft's $250,000 bounty for the successful prosecution and conviction of malware authors. http://www.silicon.com/research/specialreports/thespamreport/print.htm?TYPE=story&AT=39124098-39025001t-40000011c

Phishers Target Gmail Accounts
15 September 2004

Some phishers are now trying to steal Gmail accounts. The phishing email informs Gmail users that they can invite friends to sign up for a Gmail account if they fill out a form that includes their Gmail address and password. Gmail accounts are in demand because of their limited availability. Google does send out free invitations for users to send to friends, but all the users need to do is click on a button, rather than providing their personal account information. http://news.com.com/2102-1032_3-5367986.html?tag=st.util.print

.From ACM's TechNews, September 20, 2004

"'Dirty Dozen' Tips From Former Cybersecurity Czar"
Computerworld New Zealand (09/14/04); Watson, David

Richard A. Clarke, the former cybersecurity advisor to President Bush, claims hackers and phishers are keeping e-commerce and e-government from reaching their full potential. Clarke says security worries are the primary factor thwarting the widespread take-up of Internet banking and other transactions that can be done more cheaply and efficiently online. Clarke lists a dozen trends that will influence IT security in the future, including encryption of archived data and automated security audits of IT assets with asset management software. The "dirty dozen" trends also include more thorough testing of software code for mistakes such as buffer overflows and protecting the client side as well as the back end. One of the most crucial trends will be to control the "road warriors"--travelers and visitors who remotely connect their laptops to corporate networks and introduce worms and viruses. Clarke says products that scan and check laptops for security risks will become more widely used. Another important trend is the outsourcing of fundamental security functions such as firewalls and intrusion detection to groups such as ISPs. Greater attention to insider threats, such as former workers who keep access to systems and information at their former workplace, will lead to corporate networks becoming increasingly segmented so that workers can only obtain access to systems relevant to their position. Clarke says, "People are trying to take back cyberspace from the phishers, identity thieves and hackers and we can all be part of the effort to take it back." Click Here to View Full Article

.From New York Times, September 19, 2004

Users Find Too Many Phish in the Internet Sea
By David F. Gallagher

A recent flood of fake Citibank e-mail messages demonstrates the growing arsenal of tricks used by online "phishers." Read the article.

Attacks on Windows PC's Grew in First Half of 2004
By John Markoff

A survey of Internet vulnerabilities shows a sharp jump in attacks on Windows-based personal computers and a marked increase in commercially motivated threats. Read the article.

.From New York Times, September 19, 2004

Barbarians at the Digital Gate
By Timothy L. O'Brien and Saul Hansell

How spyware, a program that creeps onto a computer’s hard drive unannounced, is wrecking the Internet. Read the article

.From ACM's TechNews, September 17, 2004

"DHS Moves Ahead With Cybersecurity R&D Efforts"
Computerworld (09/15/04); Verton, Dan

The Department of Homeland Security (DHS) is engaged in several pilot cybersecurity efforts designed to address the scarcity of real-world incident data, such as the Protected Repository for Defense of Infrastructure Against Cyber Threats (Protect) program. The goal of Protect is to convince major private-sector infrastructure companies to voluntarily provide real-world attack data that can be used to test prototype cybersecurity measures, says Douglas Maughan with the Homeland Security Advanced Research Projects Agency. He says the program would be dependent on a trustworthy access repository process featuring a government-backed data repository hosted by a third party, with written contracts with data suppliers; researchers can apply to participate in Protect, while data owners would be permitted to block access for specific researchers. Meanwhile, DHS' Cyber Defense Technology Experimental Research test bed aims to contribute to the creation of next-generation critical infrastructure security technologies by building a homogeneous emulation cluster residing at the University of Utah's Emulab facility. The initiative, which lets researchers concentrate on security hole prevention and detection as well as assess operational systems' security and dependability, has so far received $14 million in funding. Sept. 20 marks the first meeting of the DHS' Border Gateway Protocol steering committee, which is readying R&D pilots to build safe protocols for the routing framework that links ISPs and subscriber networks, which is highly susceptible to human error and router-directed assaults. Another DHS-organized steering committee will analyze and develop cybersecurity pilots for the Domain Name System that will study such dangers and vulnerabilities as denial-of-service attacks and unsanctioned root servers and top-level domains. Click Here to View Full Article

"Dozens of Experts Take on Cyberterror"
Seattle Post-Intelligencer (09/13/04); Shukovsky, Paul

Government and business leaders from across the Pacific Northwest conducted a cyberterror simulation last week to assess the vulnerability of computer-controlled critical infrastructure. The public-private partnership attracted more than 100 experts from several states, the Department of Homeland Security, the military branches, Microsoft, Boeing, the FBI, a number of U.S. and Canadian utilities, the Bonneville Power Administration (BPA), and the Los Alamos, Sandia, and Argonne national laboratories. In opening remarks, Maj. Gen. Timothy Lowenberg, adjutant general of the Washington National Guard, described cybertechnology as a great strength for the nation, but also as an area of tremendous weakness. The exercise, dubbed Blue Cascades II, gave experts an opportunity to determine how telecommunications, utilities, and other major systems rely upon one another, for example how a power failure brings banking and finance to a halt. Participants signed an agreement not to reveal the results of the exercise, and a reporter was asked to leave after introductions. In exercises conducted by the BPA, systems were found to be secure from attacks. However, "there are some utilities that operate on the Internet, and that's a vulnerability," said BPA security manager Robert Windus. Click Here to View Full Article

"The Next Threat"
Forbes (09/20/04) Vol. 174, No. 5, P. 70; Lenzner, Robert; Vardi, Nathan

There is growing evidence that terrorist cells such as al Qaeda are attempting to become skilled in hacking and other forms of cyberwarfare, and experts warn that cyberterrorists could cripple the World Wide Web, interfere with military communications systems, or disrupt electrical grids to catastrophic effect. But few federal agencies or corporations have considered or followed recommendations for shoring up both public and private infrastructure, despite the imminence of the cyberterrorist threat. Reasons for the sluggish response include political in-fighting, beliefs among government officials that the threat is exaggerated, indecision over who should foot the bill for implementing tougher cybersecurity, and regulatory and financial stumbling blocks that are hindering the growth of corporate security spending. American businesses are reluctant to pass on the costs of cybersecurity upgrades to customers, either because they are tightly regulated or are faring so poorly that a price hike could kill them. Rep. William Thornberry (R-Texas) thinks tax incentives would be a far more productive tool to encourage corporate spending than government regulations, while the major automated control system providers contend that customers flatly refuse anything with a price tag, even if it is more secure. However, the deployment of such control systems to run utility grids and other key components of U.S. infrastructure is the reason why America is so vulnerable to cyberattack: Ted Lewis of the Navy Postgraduate School reports that almost 300 facilities responsible for 80% of America's electricity use employ poorly shielded control systems, which lack encryption and are easy to manipulate. Of particular concern are weaknesses demonstrated in the Border Gateway Protocol, which could be exploited to manipulate routing information and corrupt the Internet, and the Domain Name System, which is underpinned by poorly secured root servers. Click Here to View Full Article

.From Business Week Insider, September 17, 2004

Are Hurricanes Swamping Spammers?

Lots of folks think the hits that the Sunshine State (aka Spam State) has taken have slowed the volume. Probably isn't so, though. http://www.businessweek.com/technology/content/sep2004/tc20040916_1065.htm?c=bwinsidersep17&n=link12&t=email

.From ACM's TechNews, September 15, 2004

"OpenBSD's Theo de Raadt Talks Software Security"
Computerworld Australia (09/10/04); Gedda, Rodney

OpenBSD founder Theo de Raadt says the vast majority of software security holes are due to low-level programming errors that are copied and spread throughout many different applications. He says programming errors occur when the code author misuses program functions in seemingly insignificant ways, and these mistakes slip by and get propagated as those portions of code are re-used, until billions of lines of open and closed source code are riddled with potential security vulnerabilities, as is the case today. De Raadt explains that it is impossible to root out all of the vulnerabilities, and that there is basically nothing that can stop hackers from finding and trying to exploit those flaws. The approach de Raadt advocates is making the environment difficult for the hacker to understand, so that even after they have found the bug, they do not know how to use it to obtain the needed system privileges. Software vendors must boost security audits, improve education, and incorporate basic technologies that can thwart hacks in general, de Raadt says. He claims that some Linux variations are using strange-environment defense approaches similar to OpenBSD, and there are even some Unix users who disguise their systems to look like OpenBSD machines in order to discourage targeted hack attacks. Adopting OpenBSD is not a solution to security problems, however, since most hackers are targeting the Internet at large and building up spam or denial-of-service capabilities that threaten even securely coded systems. De Raadt is especially critical of Microsoft, which he says will probably always be vulnerable to security flaws because of integration with a bug-riddled Web client. Click Here to View Full Article
. From ACM's TechNews, September 13, 2004

"Malware Writers Using Open-Source Tactics"
Linux Insider (09/09/04); Mello, John P. Jr.

Malware writers have adopted open-source software development techniques to help them create zombie networks of remotely controlled PCs, which are estimated to generate between 25 percent and 30 percent of all spam. "There's a community of worm builders creating, almost in an open-source fashion, Trojan source code that can be downloaded, compiled and released into the wild," says MX Logic CTO Scott Chasin. Zombie networks earn money for their creators when rented out to spammers. Sanvine cofounder and chief architect Don Bowman says the people who control zombie networks have become more savvy to counter defense measures, such as monitoring activity on port 25. Because too much traffic on suspect channels will raise the attention of ISPs and get the account shut down, larger networks of spam software are now programmed to send out fewer messages per hour and operate during hours when the PC user is unlikely to be online. Analysts say that such zombie networks are responsible for anywhere from 25 percent to 80 percent of all spam now being sent; Chasin says the creators of these networks benefit from the open source model of application development. He says, "A lot of these Trojans and their variants borrow from the open-source industry and are built off a community effort in the underground environment." Click Here to View Full Article
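The article notes that defenders watch outbound port 25 and that zombie networks answer by sending fewer messages per hour and working while the owner is away. The following is an added illustration, not code from the article or MX Logic/Sandvine, of a detection that covers both patterns over constructed flow records; the host addresses, the relay allowlist and the thresholds are assumptions.

```python
"""Flag internal hosts whose outbound SMTP (port 25) traffic looks like a spam zombie.

Added example, not from the article. Two signals: a burst above an hourly limit,
and the "low and slow, off-hours" pattern the article says zombies use to stay
under volume-based monitoring.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real traffic): timestamp, source, destination, port.
FLOWS = """\
2004-09-08 09:15:02 src=10.0.0.7 dst=192.0.2.10 dport=25
2004-09-08 09:15:09 src=10.0.0.7 dst=192.0.2.11 dport=25
2004-09-08 10:02:30 src=10.0.0.31 dst=192.0.2.12 dport=25
2004-09-08 10:03:01 src=10.0.0.31 dst=192.0.2.50 dport=443
2004-09-08 02:10:44 src=10.0.0.23 dst=198.51.100.4 dport=25
2004-09-08 02:41:10 src=10.0.0.23 dst=198.51.100.9 dport=25
2004-09-08 03:05:31 src=10.0.0.23 dst=198.51.100.12 dport=25
2004-09-08 14:00:00 src=10.0.0.42 dst=203.0.113.20 dport=25
2004-09-08 14:00:01 src=10.0.0.42 dst=203.0.113.21 dport=25
2004-09-08 14:00:02 src=10.0.0.42 dst=203.0.113.22 dport=25
2004-09-08 14:00:03 src=10.0.0.42 dst=203.0.113.23 dport=25
2004-09-08 14:00:04 src=10.0.0.42 dst=203.0.113.24 dport=25
2004-09-08 14:00:05 src=10.0.0.42 dst=203.0.113.25 dport=25
"""

# Assumed: the site's legitimate mail relay, allowed to talk to port 25 at will.
MAIL_RELAYS = {"10.0.0.7"}


def parse_flow(line):
    """Split one record into (timestamp, source host, destination port)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in line[20:].split())
    return ts, fields["src"], int(fields["dport"])


def find_suspect_hosts(lines, relays, hourly_limit=5, off_hours=range(0, 6)):
    """Return {host: [reasons]} for hosts with zombie-like outbound SMTP.

    hourly_limit: more than this many port-25 connections in one clock hour is a burst.
    off_hours:    hours (local) when the desktop's owner is assumed to be away, so any
                  direct-to-MX mail from a workstation is suspicious even at low volume.
    """
    per_hour = defaultdict(int)      # (host, "YYYY-MM-DD HH") -> connections
    off_hour_hits = defaultdict(int)  # host -> off-hours connections
    for line in lines:
        if not line.strip():
            continue
        ts, src, dport = parse_flow(line)
        if dport != 25 or src in relays:
            continue  # only direct-to-MX traffic from non-relay hosts matters here
        per_hour[(src, ts.strftime("%Y-%m-%d %H"))] += 1
        if ts.hour in off_hours:
            off_hour_hits[src] += 1

    findings = defaultdict(set)
    for (src, bucket), n in per_hour.items():
        if n > hourly_limit:
            findings[src].add(f"{n} outbound SMTP connections in hour {bucket}")
    for src, n in off_hour_hits.items():
        findings[src].add(f"{n} outbound SMTP connections during off-hours")
    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in sorted(find_suspect_hosts(FLOWS.splitlines(), MAIL_RELAYS).items()):
        print(host, "->", "; ".join(reasons))
```

Host 10.0.0.23 never exceeds the hourly limit and would pass a pure volume check; it is caught only because a workstation has no reason to deliver mail directly at 2 a.m.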

.From ACM's TechNews, September 10, 2004

"House Panel Gets Tough on Spyware, P2P Piracy"
InternetNews.com (09/08/04); Mark, Roy

The House Judiciary Committee has toughened its stance on peer-to-peer digital piracy and spyware with the Sept. 8 passage of the Piracy Deterrence and Education Act and the Internet Spyware Prevention Act. The former bill goes after the digital dissemination of copyrighted content "with reckless disregard for the risk of further infringement," and proposes a maximum prison sentence of three years to violators who electronically distribute 1,000 or more copyrighted materials over a 180-day period. Furthermore, the bill sets aside $15 million for the establishment of an Internet use education program coordinated by the Department of Justice (DOJ). The Spyware Prevention Act criminalizes the deliberate access of a computer without authorization as well as the intentional circumvention of authorized access, and calls for a maximum jail term of five years if the goal of such an intrusion is to support another federal crime. The legislation also calls for a prison sentence of up to two years for violators who intentionally injure or defraud a person or damage a computer by installing spyware without permission, and allocates $10 million to the DOJ to fight spyware and phishing scams. The act's approval follows the passage of an earlier spyware bill by the House Energy and Commerce Committee that requires consumer notification of spyware's presence prior to downloading software, injunctions against unfair or deceitful practices such as computer hijacking and keystroke logging, and the provision of an opt-in screen before the transmission or enablement of any data collection software by anyone who is not the owner or authorized user of a computer. Judiciary spyware bill co-sponsor Rep. Lamar Smith (R-Texas) says that his bill, unlike the Energy and Commerce version, targets bad behavior rather than technology. "At the same time, the legislation leaves the door open for innovative technology developments to continue to combat spyware programs," attested Rep. Bob Goodlatte (R-Va.). Click Here to View Full Article

"System Alert: Web Meltdown"
Independent (London) (09/08/04); Grossman, Wendy

The Internet has already "melted down" when considering it is impossible for users to avoid spam and viruses, poor-quality software, and vaguely defined restrictions on how they can use their ISP accounts, according to networking expert Lauren Weinstein and other technology experts who met recently in Los Angeles to discuss the dangers to the Internet. Weinstein, University of Pennsylvania professor Dave Farber, and computing expert Peter Neumann convened the gathering of about 50 technology experts, and the atmosphere was pessimistic. Whereas 10 years ago, technologists confidently tackled fixes or workarounds necessary to make the Internet run, the recent gathering seemed unsure of their technologist powers. Part of the problem is the increasing amount of regulation: ISPs restrict whether users can share their connections or use them for Web servers, entertainment industries have successfully squelched file-sharing networks such as eDonkey, ICANN remains a law unto itself, and governments around the world are eyeing telecommunications-style regulation for VoIP. Former ICANN board member and programmer Karl Auerbach says the Internet is rapidly becoming a fundamental utility, even as it is still developing and facing numerous challenges. Government, business, and regular users depend on the Internet for daily activity and core operations. Meanwhile, evidence shows that anti-virus firms are falling behind in the race to provide security solutions and denial-of-service attacks regularly knock out or slow major sites. Internet governance law expert Michael Froomkin, however, says concern about the state of the Internet is nothing to be worried about in itself; instead, it portends a radical change to fix the situation. Click Here to View Full Article

"Are Hackers Using Your PC to Spew Spam and Steal?"
USA Today (09/08/04) P. 1B; Acohido, Byron; Swartz, Jon

Since last year, infectious programs have been turning hacked PCs into zombie computers, making them send spam emails and take part in other illegal activities. Experts say the number of infected machines has reached the millions at a time when computers are more powerful and dangerous than ever. Intelguardians co-founder Ed Skoudis says there has been a sharp rise in the number of machines attacked this year, and he's "worried things will get much worse." Most hijacked computers are in homes, on college campuses, or at small businesses, and the motive for hacking has changed from challenge to profit. Experts say code writers put together networks of zombie PCs and then sell access to identity thieves, spammers, and blackmailers. Most consumers whose computers are taken over are not immediately aware of the problem. Dave Dittrich, senior security engineer at the University of Washington's Center for Information Assurance and Cybersecurity, says, "We have a large population that is easily tricked." Regulators must deal with jurisdictional problems in trying to catch suspects since many are not located in the United States, and critics say that existing laws are too weak. The situation will not change quickly, experts believe, since affecting drastic security improvements means tech suppliers would have to cooperate on universal security standards. While vendors are unlikely to move fast on their own, experts say consumer outrage could speed things up. Meanwhile, cyber security experts say law enforcement has only recently begun to focus on the problem, but they are hindered by weak laws and the enormity of the problem. Keith Lourdeau, deputy assistant director of the FBI's Cyber Division, says, "Hackers can do almost anything with a compromised PC, and there isn't much we can do about it." Click Here to View Full Article

"Industry Group Voicing Cybersecurity Concerns in Washington"
Investor's Business Daily (09/09/04) P. A6; Howell, Donna

Executive director of the Cyber Security Industry Alliance (CSIA) Paul Kurtz says the motivation for the organization's establishment was to give cybersecurity industry leaders "a common voice in Washington on cybersecurity policy issues." The seven-month-old CSIA aims to address such issues as cybersecurity awareness--which Kurtz says is showing signs of progress, although more improvement is needed--and the implications of regulatory measures such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act for IT security. Section 404 of Sarbanes-Oxley, which requires CEOs to affirm their financial statements, is hazy in how it relates to cybersecurity, and Kurtz notes that his organization is attempting to find and cite case studies as examples of strategies companies can employ to comply with the regulation. He explains that when it comes to Section 404 compliance, firms need to track transactions related to collating their financial statements along with their sanction and assent. He says, "While the CSIA doesn't have legal authority to put down guidelines, what we can do is put together a picture of what's happening in the space, how companies are responding, and help other companies determine what to do." Kurtz says he reports to the senior executives of the CSIA's founding firms, who are eager to collaborate with other cybersecurity-focused organizations such as the Business Software Alliance and the Information Technology Association of America. He also notes that the CSIA will be pushing for increased understanding of cybersecurity issues through close collaboration with people on Capitol Hill.

.From SANS' News Bites, September 9, 2004

--Investigative Report: How Hackers Infect PCs To Spread Spam and Steal Money

In a landmark study of the economics and techniques of hackers, two top reporters from USA Today have painted a vivid picture of what is really going on in cyber crime today and how it involves millions of home and business users. This article is the first of two parts. Part One vividly illustrates the problem and ends with the challenge: "Consumer outrage needed." On Thursday, September 9, Part Two shows that the problem will just get worse if vendors and ISPs continue to refuse to do their fair share to reduce the risk. http://www.usatoday.com/money/industries/technology/2004-09-08-zombieuser_x.htm

"The Human Factor Trumps IT in the War on Terror"
Government Computer News (09/01/04); Jackson, William

Information technology can be used as an intelligence gathering and analysis tool in the war on terrorism, but the organization of the intelligence community will need to change to make the data as effective as possible, according to industry experts. The place of IT in the war on terrorism was the topic of a panel of computer scientists at the University of Maryland. "While there is a lot of good information out there, it isn't getting to the right people at the right time," explained William J. Lahneman, coordinator of the Center for International and Security Studies in the School of Public Policy. The culture of "knowledge is power" in the intelligence community prevents more effective sharing of information, and James Hendler of the university's Institute for Advanced Computer Studies agreed that changing the culture of intelligence agencies would be a huge challenge. The scientists also stressed the need for a change in IT architectures, including the Web. And although terrorists have not used the Internet to carry out any significant attacks, they are using the Web more effectively to galvanize supporters than the U.S. government, according to the researchers. Click Here to View Full Article

.From ACM's TechNews, September 3, 2004

"When E-Mail Points the Way Down the Rabbit Hole"
New York Times (09/02/04) P. E8; Johnson, Kirk

Spam is a runaway technology phenomenon that focuses on better understanding human interests, according to academics and spam experts. Spam and technologies to counter it develop quickly, but are not developing in the traditional economic sense where the aim is to gain market share; instead, spam technologies are more similar to military stealth technologies, except that to succeed the spam must better understand human behavior. That is why a spam message that offers anti-spam solutions seems eerily self-aware, or at least sensitive enough to know a solicitation to stop messages such as itself is appealing to the targeted reader. Anti-spam research focuses on knowing what is truly of interest to the email user and seeks to block all other messages, while spam purveyors become successful by tapping the messages that users really want, or perhaps did not know they wanted. Interestingly, no one really knows where spam development is headed: "It brings home the idea of technology living an independent existence--a parallel universe of computer programs living in a world of their own, having their own quarrels," says MIT Center on Technology and Self director Sherry Turkle. Unlike self-conscious technology that is developed in the laboratories of science fiction, perhaps a future intelligent spam will be consumed with base human issues such as penis enlargement, online gambling, and debt consolidation. Turkle warns that spam is likely to continue to provide more accurate mirrors of human interests, even to the point where spam filtering technologies may discern users' subconscious desire to read some spam messages. Using Web activity records and personal data, spam and anti-spam software will become more attuned to individual minds. Click Here to View Full Article

.From EduPage, September 3, 2004

More Compromised Data, Or Simply More Disclosure?
San Jose Mercury News, 2 September 2004

Since January 2004, officials in California have notified nearly 600,000 students, faculty, and staff at the state's higher education institutions that personal data about them had been compromised in a number of separate incidents. In June, for example, an auditor working for the California State University system lost a hard drive that contained information including names, addresses, and Social Security numbers for 23,500 individuals. The largest single incident involved data for more than 500,000 individuals, which was accessed by hackers who broke into computer systems for San Diego State University and the University of California, San Diego. A law requiring notification of such security breaches went into effect in July 2003. Joanne McNabb of the Office of Privacy Protection in the California Department of Consumer Affairs noted that the incidence of such compromises likely has not increased. "It's just that we know about them now," she said, "when we didn't hear [about them] before." http://www.siliconvalley.com/mld/siliconvalley/9568329.htm

.From ACM's TechNews, September 1, 2004

"Organized Crime Invades Cyberspace"
Computerworld (08/30/04) Vol. 32, No. 35, P. 19; Verton, Dan

Antivirus researchers say a surprising increase in virus and worm activity is linked to an underground economy in identity theft and spam. F-Secure antivirus research director Mikko Hypponen says the connection is not very new, though until recently the writers were thought to be only a rogue subculture. He says MyDoom was the start of a concerted effort to make money from virus and worm infections. Although the MyDoom worm gained notoriety for its denial-of-service attacks against SCO and Microsoft, the more significant activity was going on behind the scenes, when someone scanned millions of IP addresses for backdoors left open by the virus. A network was set up, ready to service the underground spam market. F-Secure analysts decoding encrypted messages in a version of Bagle found warnings to the author of the Netsky.R virus. Bands of hackers, likely Russian immigrants living in different European countries, had been using Bagle and other malware to expand their spam proxy networks, but the Netsky.R author used the infection to clean out those spammers' viruses and was running denial-of-service attacks against their front Web sites. Symantec director Brian Dunphy says that a recent variant of MyDoom featured peer-to-peer networking capabilities that allowed the author to update infected machines and protect his network against rivals. Viruses and worms are also being used to install Web servers on vulnerable systems; Web sites often sell subscription services on compromised computers. Some support identity theft rings, harvesting credit card and other information to sell underground. Click Here to View Full Article

.From EduPage, August 27, 2004

DNA Analysis Used To Fight Spam
BBC, 25 August 2004

Researchers at IBM's TJ Watson Research Center have modified an algorithm--originally created to discern patterns in protein sequencing--to serve as a spam filter. The algorithm, named Chung-Kwei after a Feng Shui character, analyzes e-mail, looking for patterns of letters that exist in spam but not in legitimate messages. Because of the amount of spam in circulation today, the researchers have an abundance of spam e-mail to feed to the algorithm to train it to identify those strings of characters that indicate a message is spam. Chung-Kwei is able to process 88,000 messages in about 15 minutes, said the researchers, and will continue to "learn" as more e-mail arrives. The tool is able, for example, to identify e-mails that have "S" replaced with "$" as spam. Researchers said Chung-Kwei is able to successfully detect nearly 97 percent of spam. http://news.bbc.co.uk/2/hi/technology/3584534.stm
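The summary describes the approach only in outline: learn character patterns that occur in spam but not in legitimate mail, then flag messages containing them, including obfuscations such as "$" for "S". The following is an added, much simplified illustration of that idea using fixed-length character n-grams; it is not IBM's Chung-Kwei code, and the training messages, n-gram length and thresholds are constructed assumptions.

```python
"""Toy pattern-based spam classifier in the spirit of the Chung-Kwei description above.

Added example, not IBM's algorithm. It learns character n-grams that appear in at least
`min_support` spam messages and in no legitimate message, then scores new mail by how
many of those discriminating patterns it contains.
"""
from collections import Counter

# Constructed training sets (not real mail). The "$" for "S" spelling mimics the
# obfuscation the article says the tool catches.
SPAM = [
    "Buy cheap VIAGRA now!!! $ale ends today",
    "$ave big on pill$ - limited offer!!!",
    "Cheap pill$ online, no prescription!!!",
    "Best pill$ and VIAGRA at lowest price$",
]
HAM = [
    "Meeting moved to 3pm, see agenda attached",
    "Can you review the draft report before Friday?",
    "Lunch tomorrow? The usual place at noon",
    "Thanks for the feedback on the proposal",
]


def ngrams(text, n):
    """Set of all length-n character substrings of the lowercased text."""
    text = text.lower()
    return {text[i:i + n] for i in range(len(text) - n + 1)}


def learn_patterns(spam, ham, n=4, min_support=2):
    """Keep n-grams seen in >= min_support spam messages and in no ham message.

    Counting per message (sets, not raw occurrences) keeps one repetitive message from
    dominating, and the ham exclusion is what makes a pattern discriminating.
    """
    spam_counts = Counter()
    for msg in spam:
        spam_counts.update(ngrams(msg, n))
    ham_grams = set()
    for msg in ham:
        ham_grams |= ngrams(msg, n)
    return {g for g, c in spam_counts.items() if c >= min_support and g not in ham_grams}


def score(message, patterns, n=4):
    """Number of learned spam patterns present in the message."""
    return len(ngrams(message, n) & patterns)


def is_spam(message, patterns, n=4, threshold=2):
    """Classify: enough distinct spam patterns present -> spam."""
    return score(message, patterns, n) >= threshold


if __name__ == "__main__":
    patterns = learn_patterns(SPAM, HAM)
    print("learned patterns:", sorted(patterns))
    for m in ["Get VIAGRA and pill$ cheap!!!", "Can we move the meeting to Thursday?"]:
        print(repr(m), "->", score(m, patterns), "spam" if is_spam(m, patterns) else "ham")
```

Because "pill$" and "pills" share the patterns " pil" and "pill", the "$" substitution does not hide the word; the "ill$" pattern then adds evidence of its own.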

.From ACM's TechNews, August 27, 2004

"Exhibit Features Viruses as Art"
Wired News (08/27/04); Delio, Michelle

The "I Love You rev.eng" art exhibit is set to begin a worldwide tour this September in the United States, featuring an historical analysis of hacker culture, hands-on exhibits where people can create and observe computer viruses, and art displays featuring computer code. The show is a second part to the 2002 presentation, "I Love You Computer_Viren_Hacker_Kultur," that was held in Frankfurt, Germany. Curator Franziska Nori says the aim of the show will be to document a range of hacker activities, but especially to highlight how hacker culture embodies the Buddhist teachings of the Dalai Lama. "'Share your knowledge and you will achieve immortality,' and, 'Learn the rules so that you will know how to break them,'" she quotes. Nori says hackers influenced the Internet's development more than any other group, and that there is a large distinction between the large majority of hackers and virus creators and a few that are intent on damaging property. "Most viruses remain to a large extent in private collections within the hacker community and were deliberately never made public," she says. "I Love You rev.eng" refers to reverse engineering, and is a variant from the first show's title as a tribute to virus writing. The show will feature a virus laboratory, called "The Zoo," where people can watch how malware affects computers, and another set-up where people can use virus kits to create their own code and release it on machines in the zoo. In addition to other art exhibits, the show serves as a starting point for Brown University's yearlong study of global networking and will feature a symposium. The show begins at Brown University in Rhode Island on Sept. 11, and will travel to Copenhagen, Denmark, before possibly moving on to other destinations. Click Here to View Full Article

"A Proactive Approach to Security"
VNUNet (08/18/04); Thomson, Iain

Symantec chief technology officer Robert Clyde is also a founding member of the IT industry's Information Sharing and Analysis Center, as well as the group's executive committee treasurer. In an interview, he says virus threats will continue to drive the security business, and notes that malware attacks are increasing in frequency and complexity. He says reactive, signature-based security methods are becoming less effective, and more proactive and predictive security is needed, perhaps through behavior blocking and client compliancy. Clyde says, "The time from software patch to exploit is dropping below the time needed for companies to install the patch. Even if you start when the patch is released, most IT departments will take 30 days to test and patch a system and hackers are faster than that now." Hardware security is not enough, and software will continue to have vulnerabilities, Clyde predicts. He says an average of 53 software vulnerabilities are found each week, and most are high-severity. Although that number has leveled off, Clyde thinks that "we're at a knee in the vulnerability curve and the numbers will continue to rise as new, more feature-rich operating systems come on the market." Vulnerability scanners are useful for writing secure code, but they are by no means perfect, and Clyde believes that vulnerability will be a problem for the next 20 years or so. Outsourcing is a better option for some industries than others. Click Here to View Full Article

.From ACM's TechNews, August 25, 2004

"Concerns Mount Over Major Web Strike"
eWeek (08/24/04); Morgenstern, David

A rash of assaults on primary Internet servers and the recent defeat of the MD5 and SHA-0 encryption algorithms are raising concerns among Internet operators that a convergence of political activism and hacking is taking place. Compounding these fears are warnings from security experts that terrorists may launch a long-threatened "electronic jihad" against servers sometime this week; in fact, Kaspersky Labs International founder Yevgeny Kaspersky expects an attack against financial and political sites on Aug. 26, according to a Tuesday report from RIA Novosti. Kaspersky's warning appears to imply that the e-jihad will take the form of wide-scale distributed denial of service attacks such as the ones that targeted Akamai Technologies in June and DoubleClick's domain name system in July, although experts hint that major Internet services as well as root servers are under threat as well. Meanwhile, Packet Clearing House research director Bill Woodcock implies that Internet servers and ISPs could be threatened by the cracking of MD5 and SHA-0, which was detailed at the recent Crypto 2004 conference. The algorithms are employed in numerous commercial applications that include financial turnkey systems, enterprise content servers, and Internet routers. Woodcock likens the MD5 and SHA-0 circumvention to tumbling dominos: "A vulnerability is found, and a bunch of smart people follow the trail until bad things happen," he explains. The technique used to crack the algorithms may be unfeasible, but Woodcock notes that Internet operators are worried that Internet services will be adversely affected if hackers adopt and refine the method. Click Here to View Full Article

"Selective Shutdown Protects Nets"
Technology Research News (09/01/04); Patch, Kimberly

Max Planck Institute researcher Adilson Motter has demonstrated that cascade failures triggered by assaults on large, central network nodes could be mitigated by shutting down peripheral nodes. The scientist has built a model showing that the scale of a cascade failure can be dramatically lowered if a certain population of nodes that manage small loads are deactivated before the cascade effect starts, while the overall network load is kept in balance. Finding the right nodes to eliminate is the key challenge, as the wrong nodes can worsen the cascade effect. Nodes have the dual purpose of transmitting and generating load, but central nodes are targeted by attackers because they more often serve as transmitters and thus play a major role in load balancing. Motter's model illustrates that cascade failures produced by sudden load shifts can be diminished by the removal of load-generating nodes, as well as by the shutdown of heavily-loaded connections that convey traffic from load-generating nodes to central distribution nodes. This scheme can be extended to power grids, which consist of generator stations that supply power, local stations that distribute power to customers, and transmission stations that carry power from generators to local stations; automatic devices along the transmission lines shut down grid components when their load becomes unmanageable, and Motter explains that transmission stations are most vulnerable to cascade effects. Intentionally disconnecting local stations from the transmission stations that are about to fail can reduce the size of the cascade, according to Motter's model. "It is still speculative to talk about practical applications [but] I hope my work will motivate new studies on the control of cascading failures in realistic models of network systems," comments Motter. Click Here to View Full Article

.From SANS NewsBites, August 23, 2004

London Internet Exchange Members Adopt Code of Practice to Thwart Spammers
The Register, 18 August 2004

Internet Service Providers (ISPs) that belong to the London Internet Exchange (LINX) have approved "a code of practice" to shut down web sites that are advertised by spam, even when the spam itself comes from a third party or another network. LINX also would like to see ISPs take down web sites that sell spamming tools. LINX hopes to spread the standard across the globe in a concerted effort to put spammers out of business. LINX boasts 150 members, including most major ISPs in the UK as well as some in continental Europe, the US and Asia. Read more at http://www.theregister.co.uk/2004/08/18/isp_war_on_spam/print.html and http://www.linx.net/press/releases/103.thtml.

Yankee Group Study Suggests Most Large Companies will Outsource Security by End of the Decade
Information Week, 23 August 2004

According to a Yankee group study, nearly 90% of big US companies will outsource security by 2010. Apart from the cost savings, the reasons companies are moving toward outsourced security include the fact that attacks are arriving more and more swiftly, giving companies little time to put appropriate defenses in place. In addition, companies need to focus on compliance with HIPAA and Sarbanes-Oxley regulations. Finally, it is becoming more difficult to describe network perimeters. http://informationweek.com/shared/printableArticle.jhtml?articleID=29116929.

.From Peter Coffee's Enterprise IT Advantage, August 23, 2004

Immature standards, encryption attacks impose burdens on early adopters
eWeek, August 23, 2004

"There must be millions of people," wrote columnist Robert Benchley about 70 years ago, "who are no more equipped than I am to guide a motor vehicle through any more of an emergency than a sudden light breeze. The logical ending to the whole situation is for all the automobiles in the world to pile up on top of one another at one big cross-road."

When people talk about an Information Superhighway, Benchley's image quickly comes to my mind. In the same way that Benchley could never have imagined an H2 bearing down on a Mini, the people who built the Internet could never have imagined zombie bot nets mounting distributed-denial-of-service attacks on Net-edge cache servers. The Internet was built to tolerate random failures, not to withstand deliberate and focused attacks; it seems to me that new Internet initiatives still tend toward a science-project definition of technical success that says, "once it can be shown to work, it's done."

Read the rest of the column at http://eletters.eweek.com/zd1/cts?d=79-1017-6-7-128123-115810-1.

. From ACM's TechNews, August 20, 2004

"Convergence Quagmire: Viruses with Spam"
TechNewsWorld (08/18/04); Lyman, Jay

A July intelligence report from MessageLabs indicates virus authors and spammers are forming a symbiotic relationship that combines their expertise and strategies into a new class of email security threat. The report finds that BugBear, SoBig, MyDoom, and other viruses are employing spamming techniques so they can proliferate, with financial gains being the ultimate goal. "What is 'cool' is to join forces with the spammers and prove that you're capable of making money out of malicious code," states the report. MessageLabs security analyst Natasha Staley says nearly all viruses released this year have been distributed via spam or have been used to penetrate systems used for spamming, and that treating spam and viruses as a single threat is the best defensive measure against the growing convergence of these two practices. "It's actually a pretty incestuous relationship and it's really hard to separate the two anymore," Staley concludes. IDefense malicious code intelligence director Ken Dunham believes the merging of viruses and spam is part of cybercrime's natural evolution, and adds that increasing dependence on network protocols and network shares, among other things, is spurring other kinds of cross-breeding between cybercriminals. He observes that the virus/spam convergence is being accompanied by the growing availability of source code, tools, and knowledge used to create and launch malware or spam. Dunham notes that virus writers use spamming techniques to better mask their identity and the starting point of virus outbreaks. Click Here to View Full Article

. From EduPage, August 18, 2004

SURVIVAL TIME OF UNPROTECTED PCS DROPS
CNet, August 17, 2004

Researchers at the SANS Institute's Internet Storm Center estimate that an unprotected PC will be compromised within 20 minutes of being connected to the Internet, down from an estimated 40 minutes last year. The estimate is based on observations of vacant IP addresses, which received reports approximately every 20 minutes. According to the researchers, if those reports come from Internet worms, the unprotected machine would likely become infected within 20 minutes, which is especially troublesome because most patches that would protect the computer take longer than that to download and install. Scott Conti, network operations manager for the University of Massachusetts at Amherst, said that, as a test, his institution recently put two unprotected computers on the school's network, and both were compromised within 20 minutes. As a result, all computers at the institution will be checked before they are allowed to connect to the network. Click Here to View Full Article

. From The SANS Institute NewsBites@sans.org, August 18, 2004 - Vol 6, #33

"Philippine Government Plans National Cyber Security System"
IT World, August 10, 2004

The Philippine government has outlined its plan for a national cyber security system to protect government and business systems from cyber attacks. There are six priority initiatives designed to help get the program going. They include enacting a Computer Crime Law, reducing the risk of threat to the country's electronic critical infrastructure with the help of a risk and vulnerability assessment plan, and the creation of an Incident Response Team Coordinating Center. Click Here to View Full Article

"AOL and Yahoo to Use Authentication Technology in Fight Against Spam and Phishing"
Computer World, August 12, 2004

America Online and Yahoo both plan to begin using email authentication technology to fight the worsening problem of spam and phishing scams. AOL plans to use Microsoft's Sender ID authentication architecture to verify that incoming email is legitimate; Yahoo will use DomainKeys technology to sign outgoing email. Click Here to View Full Article

"eMail Security Companies Say They Will Support Sender ID"
TechWeb, August 12, 2004

A number of email security companies voiced support for Microsoft's Sender ID sender authentication standard and said they would incorporate it into their products. The companies had gathered at a summit requested by the eMail Service Provider Coalition (ESPC) and hosted by Microsoft. Click Here to View Full Article

. From ACM's TechNews, August 16, 2004

"Cellphone Viruses: How Worried Should You Be?"
Business Communications Review (07/04) Vol. 34, No. 7, P. 14; Krapf, Eric

Security experts warn that the Cabir virus, which spread through smart cell phones last month but did not actually do damage, is an example of the havoc that could take place. Cabir may or may not have been the first wild cell phone virus; it used the Bluetooth specification to spread through phones that use the Symbian operating system. Core Competence President David Piscitello says Cabir arrived as a message. "The reason it can infect other phones by proximity is that lots of phones are left with default settings on their Bluetooth interface," he explains. Cell phone viruses can also spread through ring tones, email attachments, text messaging, skins, pictures, or audio recordings. Piscitello considers cell phone viruses serious because the phones' operating systems are fairly fragile. He says, "You can create all sorts of denial of service attacks against the relatively fragile operating systems of handhelds and cell phones. Remember, these devices don't have lots of memory or CPU, so overwhelming them isn't exactly hard." Core Competence vice president Lisa Phifer also notes that few people may even know if their phones are infected. PDAs are also at risk, but there is some antivirus software available for them; users should also consider host-based intrusion-detection and personal firewalls for handheld devices, Phifer adds. Phifer also warns that VoIP is at risk for Wi-Fi-enabled VoIP technology connected to WLANs. Piscitello advises users to consider their IP phones more computer than phone, and thus just as vulnerable to viruses. No Link provided.

. From ACM's TechNews, August 13, 2004

"Unprecedented Security Network for Olympics"
Associated Press (08/10/04); Varouhakis, Miron

Security at the Olympic Games in Greece this month will include street surveillance cameras, paired with sophisticated software, that will act as digital security guards collecting intelligence. The $312 million system was developed by a consortium led by Science Applications International and gathers images and audio from more than 1,000 high-resolution and infrared cameras, four mobile command centers, 12 patrol boats, one blimp, 4,000 vehicles, and nine helicopters. Speech-recognition software will put spoken words into text, and the text and other electronic communications will be searched for patterns. The system covers nine ports, airports, greater Athens, and all the other Olympic cities, and has components used by U.K. and U.S. government intelligence agencies. In preparation for the Olympic Games, the Greek government modified legislation to allow increased tapping of mobile and land line phone conversations. With the technology-enabled security measures and surveillance, authorities will be able to respond to critical incidents in the most effective way since they already have important information on hand, explains Greek police spokesman Col. Lefteris Ikonomou. The camera software is intended to spot and rank possible risks, says Dionysios Dendrinos, general manager of consortium member One Siemens. It is also sophisticated enough to distinguish between a tire blowout and a gunshot. The security net also includes a sensor network established throughout Athens designed to detect chemical agents. There have been some protests over the use of the extended security measures, since some people fear the loss of privacy. Click Here to View Full Article

. From The SANS Institute NewsBites@sans.org, August 11, 2004

"APWG Data Shows Steady Increase in Phishing Scams During First Half of Year"
Computer World, August 4, 2004

Data from the Anti-Phishing Working Group indicates that the incidence of phishing scams increased an average of 50% a month during the first half of 2004. A Websense Inc. analysis of APWG's report found that 25% of phishing sites were on hacked servers and that 94% of the sites allowed attackers to remotely download personal information entered by those who fell prey to the attacks. Click Here to View Full Article

. From The SANS Institute NewsBites@sans.org, August 11, 2004

"HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY"
Computer World, August 6, 2004

Sensitive Building Data is Readily Available on the Internet (6 August 2004) Sensitive information about the physical security of various companies has been found on their corporate web sites. For example, there are 3-dimensional models of the exterior and some of the interior of Citigroup's Manhattan headquarters; there is also information about the building's structural design flaws. Amit Yoran, director of the Homeland Security Department National Cyber Security Division, says they may consider publishing best practices guidelines for companies regarding the availability of such information. Click Here to View Full Article

. From The SANS Institute NewsBites@sans.org, August 11, 2004

"Hospitals Defy Patching Restrictions"
NW Fusion Ellen Mesmer, August 9, 2004

Concerned that patient safety could be threatened, hospital staff members are applying Microsoft's patches to various Windows-based devices in defiance of the manufacturers' restrictions. Manufacturers often have a long testing period or are concerned that a patch may impair a device's functionality. Hospital staff are concerned that malware could imperil patient safety and that applying patches is a part of HIPAA (the Health Insurance Portability and Accountability Act) compliance. The Food and Drug Administration (FDA) is encouraging hospitals that run into these problems to file complaints in writing, which could result in the manufacturers losing their "government seal of approval." Click Here to View Full Article

. From The SANS Institute NewsBites@sans.org, August 11, 2004

"FCC Rules: Spammers Need Consent to Send to Wireless Subscriber Messaging Service Domains"
Washington Post, Information Week Articles

The Federal Communications Commission (FCC) has issued a new rule requiring mass marketers to obtain express permission from users before sending commercial messages to mobile phones and PDAs. The Commission is also requiring that the Commercial Mobile Radio Service providers compile a list of all pertinent Internet domains that will be used as a do not spam list; the list would not contain individual addresses. Click Here to View Full Washington Post Article Click Here to View Full Information Week Article

. From The SANS Institute NewsBites@sans.org, August 11, 2004

"Reverse Engineering of Windows XP SP2"
PCWorld.com (08/03/04); Brandt, Andrew

Reverse Engineering of SP2 Reveals Strong Security Approach (9 August 2004) Security company F-Secure has reverse-engineered SP2 and believes the update will do a good job protecting against outbreaks of worms like Sasser, Slammer and Blaster; infections will spread more slowly and it will be more difficult for automated worms to spread on updated systems. Click Here to View Full Article

. From ACM's TechNews, August 9, 2004

"Feds Seek a Few Good Hackers"
PCWorld.com (08/03/04); Brandt, Andrew

The recent Defcon 12 hackers' conference included a recruitment presentation by federal law enforcement agents searching for talented people to work for the government. "The Department of Defense understands how important computers are to defending the United States, and is always on the lookout for good people," said Alvin Wallace, a supervisory special agent for the Air Force's Office of Special Investigations. The presentation was well-received with many of the twenty-something crowd taking business cards and asking questions about pay, security clearances, and college scholarships. Former National Security Agency director of information assurance Mike Jacobs spoke, urging hackers to help protect the United States from spies and terrorists. He said that when he worked at the agency, he would remind his colleagues that "the hacker community is probably our ally, and we need to pay attention to what they're doing out there." Some hackers may have trouble getting security clearances due to past misbehavior. Jim Christy, director of the Defense Department's Cyber Crime Center, says that the fight against terrorism has reduced security agency resources for cybercrime. The presenters noted that recruitment has to continue because employees tend to move into private industry. Wallace says his office provides "one of the best training grounds...Some of the best computer crime investigators in other federal agencies had their start in the Air Force Office of Special Investigations." Click Here to View Full Article

. From ACM's TechNews, August 6, 2004

"Stealth Wallpaper Keeps Company Secrets Safe"
New Scientist (08/04/04); Fox, Barry

BAE Systems, under contract with British telecoms regulator Ofcom, has developed a technique to thwart the interception of Wi-Fi signals from office base stations while ignoring mobile phone signals, through a system based on a secret "stealth" technology originally created to hide military radars. The technology is a wallpaper composed of Frequency Selective Surface sheeting, which can mask radar antennas by being electrically programmed to permit only the exact frequency the antennas wish to transmit and receive, while soaking up all other frequencies. The sheeting consists of a kapton substrate coated with a thin layer of copper on both sides: One side is covered by a grid of copper crosses, while on the other side matching crosses set at a 45-degree angle are etched off, leaving a copper film with a grid of cross-shaped holes. Careful adjustments to the size and spacing of the crosses allows the wallpaper to pass specified frequencies while inhibiting all others, according to BAE. Ofcom engineers say the wallpaper can stop Wi-Fi signals at 2.4 GHz, 5 GHz, and 6 GHz, while permitting the passage of 3G and GSM cell phone signals, as well as emergency calls. Linking diodes between the copper crosses allows frequency filtering to be switched on and off, and the wallpaper can be produced in volume relatively cheaply. Up to now, the only effective measure to prevent interception of office communications was to line walls with aluminum foil and cover the windows with radio-absorbent glass, but such a "Faraday cage" scheme precludes the use of mobile phones in the office. An even thinner, transparent version of the wallpaper is being developed as a window covering. Click Here to View Full Article

. From ACM's TechNews, August 6, 2004

"Onion Routing Averts Prying Eyes"
Wired News (08/05/04); Harrison, Ann

Tor is a second-generation communications system being developed by the U.S. Naval Research Lab that employs onion routing to anonymize Web surfers and protect their activities from corporate or government eavesdropping. In an onion-routing scheme, messages are sent through a distributed network of nodes selected at random; each node is aware of its preceding and succeeding nodes only, and each server has a symmetric encryption key that removes one layer of a message and reveals instructions for the next node along the route. Onion routing cannot support flawless anonymity, but it helps shield users from snoopers who are not monitoring both the sender and recipient of the message at the time the transaction transpires. Tor is designed to be easier to use and less problematic than its first-generation predecessor, and developers say the system can thwart the tracking of users by Web sites, inhibit the compilation of Web site visitor lists by governments, keep whistleblowers safe, and subvert local censorship by employers, ISPs, or schools. "The point of the Tor system is to spread the traffic over multiple points of control so that no one person or company has the ability to link people," explains programmer Roger Dingledine, who adds that companies could employ the system to carry out prudent competitive research or route their staff's Web browsing to prevent employment sites from ascertaining which employees are job-hunting. The Navy's motivation in funding Tor's development is to protect the identity of government workers who gather intelligence and conduct politically volatile negotiations through anonymous communication. Dingledine and Nick Mathewson are developing Tor as a research platform with a global pool of open-source software developers; users are allowed to operate as many Tor nodes as they want. Click Here to View Full Article
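The layered construction described above, as an added Python example that is not part of the original article or of the Tor code base: the sender wraps the message in one symmetric layer per relay, from the exit inward, and each relay strips exactly one layer and learns only the name of the next hop. The relay names, the 32-byte random keys, the sample request and the HMAC-SHA256 keystream "cipher" are all constructed for illustration; the keystream stands in for the real symmetric cipher a relay would hold a key for and provides no integrity protection.

```python
import hashlib
import hmac
import os
import struct

EXIT = "EXIT"        # marker in the innermost layer: deliver, no further hop
NONCE_LEN = 16


def keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated.
    Stands in for the per-relay symmetric cipher; illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def layer_encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def layer_decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def encode_header(next_hop):
    name = next_hop.encode()
    return bytes([len(name)]) + name


def decode_header(plain):
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def build_onion(route, message):
    """route: list of (relay_name, relay_key) from entry relay to exit relay.
    Layers are added from the exit inward, so the entry relay's layer is outermost
    and each layer names only the relay that comes next."""
    payload = message
    for i in reversed(range(len(route))):
        _, key = route[i]
        next_hop = route[i + 1][0] if i + 1 < len(route) else EXIT
        payload = layer_encrypt(key, encode_header(next_hop) + payload)
    return payload


def peel(key, blob):
    """One relay's work: remove its own layer, read the next hop, forward the rest."""
    return decode_header(layer_decrypt(key, blob))


def traverse(route, onion):
    """Simulate the circuit and record what each relay learned."""
    views = []
    blob = onion
    for name, key in route:
        next_hop, blob = peel(key, blob)
        views.append((name, next_hop))
    return views, blob


def demo():
    # constructed relays and keys; a real client negotiates a key with each relay
    route = [("alice-relay", os.urandom(32)),
             ("bob-relay", os.urandom(32)),
             ("carol-exit", os.urandom(32))]
    message = b"GET /whistleblower-dropbox HTTP/1.1"  # constructed sample
    onion = build_onion(route, message)
    views, delivered = traverse(route, onion)
    return {"onion": onion, "views": views, "delivered": delivered, "message": message}


if __name__ == "__main__":
    r = demo()
    for relay, nxt in r["views"]:
        print(f"{relay} learned next hop: {nxt}")
    print("exit delivered:", r["delivered"])
```

Running it shows the property the article describes: the entry relay sees only "bob-relay", the middle relay only "carol-exit", and only the exit sees the plaintext, while the outer ciphertext contains no trace of the message. It also shows the limit the article notes: an observer who sees both the entry and the exit can still correlate the two ends by timing and size, which no amount of layering prevents.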

. From ACM's TechNews, August 6, 2004

"FCC Takes on Spam, Copying"
Wired News (08/05/04); Grebb, Michael

The FCC adopted a number of proposals on Aug. 4 concerning wireless spam and digital copying controls, as well as how wiretapping rules should be applied to voice-over-Internet-protocol (VoIP) services. The commission motioned that certain wireless spam messages be banned as part of its deployment of the Can-Spam Act: Unsolicited "mobile service commercial messages" were banned, but short message service messages that go directly to phone numbers were permitted, and spammers could exploit this exemption. "Transactional" and "relationship" messages such as billing statements were also exempt, and the job of defining what messages fit into those categories was left to the FTC. Wireless providers were also mandated by the FCC to submit wireless domain names to the commission so that a public database of not-to-be-spammed domains can be compiled. The FCC also proposed that certain VoIP telephony services fall under the jurisdiction of the Communications Assistance for Law Enforcement Act's (CALEA) wiretapping rules, which currently exclude ISPs, although law enforcement authorities support the application of those rules to the Net. However, the FCC's proposal specified that CALEA could only cover "connected" VoIP providers that permit Internet-to-traditional phone calls, while peer-to-peer VoIP services would be exempt. The commission also approved 13 technologies that digital TV equipment manufacturers can incorporate into devices that work with "broadcast flag" copy controls, although some technologies such as TiVoGuard permit limited cross-platform distribution of copied content. The Motion Picture Association of America expressed its disappointment that the agency approved TiVoGuard without conducting "further analysis," while Fred von Lohmann with the Electronic Frontier Foundation said that users are still left vulnerable to crippling copy protections. Click Here to View Full Article

. From ACM's TechNews, August 4, 2004

"Talking Computer Security"
CyberDefense Magazine (07/04) Vol. 2, No. 7, P. 16

In a roundtable discussion with CyberDefense Magazine, eBay VP and former White House Special Adviser for Cyberspace Security Howard Schmidt, PatchLink Chairman Sean Moshir, and Foundstone President Stuart McClure talk about the current status of the computer security industry as well as future directions it may take. The panelists provide numerous reasons why the Internet's safety and security is so hard to maintain, among them: The design of the Internet to be an open and collaborative environment that supports anonymity; the inability to keep up with new problems, which are being unearthed on a daily basis; and vendors' eagerness to give customers special features and functionalities without considering how they might impact security. Schmidt remarks that America has taken a vanguard position in boosting cyber-defenses through private-sector and international partnerships, and McClure reports good progress in security deployments by American companies and greater security education. A General Accounting Office report indicates that progress has been made in security patch management, but Moshir contends that the narrowing gap between the announcement of a vulnerability and its exploitation means that patch automation can no longer be just a luxury. Schmidt observes that on-demand Web-based vulnerability evaluation is key to patch management, while McClure says, "The two will go hand-in-hand eventually." McClure raises the need for more knowledge about security requirements among small organizations, while Schmidt calls for better identification of IT systems' interdependencies, developers' prioritization of software quality control over new features and usability, expanded cybersecurity education, and better enforcement of cyber criminal investigation and prosecution. The possibility of a cyberattack comparable to 9/11 is debatable: Schmidt says that society's resiliency against network assaults is improving, but this is no reason to relax our vigilance. 
Click Here to View Full Article

. From ACM's TechNews, August 4, 2004

"Fingerprinting Your Files"
Technology Review (08/04/04); Garfinkel, Simson

Cryptographic hash functions are one of the most useful mathematical tools in computing today, because they allow people to easily protect passwords, stored files, and even database information. One of the most recent applications comes from three Stanford University researchers, who created a browser plug-in that scrambles one easily remembered password for different e-commerce sites based on those sites' Web domains; this protects people from hackers who could use their uniform log-in and password to gain access to multiple accounts, while providing users with the convenience of remembering just one set of identifiers. Yahoo! also uses a version of hash cryptography in its registration process where the user computer is sent a "challenge" sequence that must be appended to the entered password, protecting people using insecure public terminals from hackers sniffing Web traffic, for example. Hash functions are mainly based on research done in the 1980s by RSA co-inventor and MIT professor Ron Rivest, who developed the system as a way to ensure the integrity of a file; hashes computed over a set of computer files can let the owner verify those files were not tampered with, for instance, because any change in the input would produce a different hash code. Hashing is also used in the Surety secure timestamp service to verify a file was in existence at a certain time, and this involves publishing the hash code in a well-known location owned by a third party, such as the New York Times classifieds. Although the Message Digest #5 (MD5) hash function is the most widely used today, perhaps the most secure is the U.S. government's Secure Hash Algorithm, or SHA-1, which caused some controversy at the time of its announcement because cryptographers theorized it contained a backdoor for U.S. intelligence services. 
Hash functions continue to be used in innovative ways, and might possibly be used to secure entire databases as proposed in the book "Translucent Databases" by Peter Wayner. Click Here to View Full Article
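The three uses the article names, as one added Python example that is not part of the original article and does not reproduce the Stanford plug-in's or Yahoo!'s exact schemes: a per-site password derived from one master password and the site's domain, a SHA-256 manifest that detects any change to a set of files, and a challenge-response login in which the password never leaves the client. The master password, domains, file contents and the 16-byte password length are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets


# 1. One memorable master password, a different password per site. Keying an
#    HMAC with the master and feeding in the domain means a password leaked by
#    one site reveals neither the master nor any other site's password.
def site_password(master: str, domain: str, length: int = 16) -> str:
    tag = hmac.new(master.encode(), domain.lower().encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()[:length]


# 2. Integrity fingerprints. Any change to a file's bytes changes its digest,
#    so comparing against a manifest taken earlier reveals tampering.
def fingerprint(files: dict) -> dict:
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(files: dict, manifest: dict) -> list:
    return sorted(name for name, data in files.items()
                  if not hmac.compare_digest(hashlib.sha256(data).hexdigest(),
                                             manifest.get(name, "")))


# 3. Challenge-response. The server sends a fresh random challenge; the client
#    returns H(password || challenge). Someone sniffing a public terminal's
#    traffic sees neither the password nor a response that works next time.
def new_challenge() -> str:
    return secrets.token_hex(16)


def respond(password: str, challenge: str) -> str:
    return hashlib.sha256((password + challenge).encode()).hexdigest()


def check_response(stored_secret: str, challenge: str, response: str) -> bool:
    return hmac.compare_digest(respond(stored_secret, challenge), response)


def demo():
    master = "correct horse battery"                        # constructed
    files = {"index.html": b"<html>hello</html>",            # constructed
             "config.ini": b"debug=0\n"}
    manifest = fingerprint(files)
    tampered = dict(files, **{"config.ini": b"debug=1\n"})  # one byte changed

    c1, c2 = new_challenge(), new_challenge()
    sniffed = respond(master, c1)          # what an eavesdropper captured
    return {
        "pw_shop": site_password(master, "shop.example"),
        "pw_bank": site_password(master, "bank.example"),
        "clean": changed_files(files, manifest),
        "tampered": changed_files(tampered, manifest),
        "replay_same_session": check_response(master, c1, sniffed),
        "replay_next_session": check_response(master, c2, sniffed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The challenge-response check requires the server to hold the secret it recomputes from; in practice that is a stored derived value rather than the raw password, and the client hashes the same derived value with the challenge. The manifest comparison uses a constant-time compare, which costs nothing here and avoids leaking where a mismatch begins when the same code is used to check authentication tags.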

. From ACM's TechNews, August 2, 2004

"The Shaky State of Security"
InfoWorld (07/26/04) Vol. 26, No. 30, P. 32; Roberts, Paul F.

The 2004 InfoWorld Security Survey of over 600 IT professionals paints a fairly bleak picture of enterprise security: Only 38 percent of respondents report strong confidence in their security, while just 8 percent report extreme confidence. IT leaders are also highly concerned with a lack of sufficient personnel and training to bolster security, while the swelling ranks of applications available online have increased concern about application vulnerabilities. Security fears are being stoked by the growing number of worms and viruses plaguing the Internet over the past 12 months--in fact, almost 30 percent of survey respondents called malicious code the greatest single threat to enterprise network security. Thirty percent of respondents have no clue as to how many attacks their network was subjected to in the past year, and 22 percent do not know how many successful attacks transpired in that time. These figures come as no surprise to SANS Institute research director Alan Paller, who explains that "It's difficult to find infected machines when the infection is meant to be kept hidden." Bank of America's John Schramm says low-level passive attacks occur with such regularity on some corporate networks that IT administrators usually ignore them and concentrate on higher-level attack data, while 57 percent of respondents working for enterprises that manage their own network security say the effectiveness of intrusion detection is often determined by the number of staffers on hand. Forty percent of surveyed IT professionals blame network exploits on operating system flaws, 24 percent report their organization suffered a denial-of-service attack, and 19 percent cite buggy Web applications; yet many respondents' loyalty to major software vendors remains steadfast. 
This year's respondents are chiefly fearful of malicious code, but experts believe that spyware, identity spoofing, and other threats of less concern are becoming increasingly serious, which makes a case for boosting awareness of enterprise security. Click Here to View Full Article

. From ACM's TechNews, August 2, 2004

"Hack This"
EDN Magazine (07/22/04) Vol. 49, No. 15, P. 26; Webb, Warren

Dealing with malware on desktop systems is often as simple as rebooting the computer, but this strategy does not apply to embedded systems, whose operation must continue even when faced with security threats. The National Institute of Standards and Technology (NIST) has prepared a list of security-related design principles for designers to think about throughout the embedded systems' lifespan, such as defining a security agenda, designing the product, accommodating upgrades and changing threats, incorporating a new technology, erecting multiple security layers, and training programmers to develop protected software. Issues that must be addressed in order to determine the best security measures include what data needs to be protected and what kinds of potential attackers are out there and how sophisticated they are. Because embedded devices, particularly portable ones, are vulnerable to so many more threats than desktop systems, designers are advised to include physical protection, such as hardened enclosures and seals or tapes that provide visible evidence of tampering, in addition to traditional software security. Designers can also follow embedded software security standards, such as the Common Criteria for Information Technology Security Evaluation and Multiple Independent Levels of Security. Users must pass a multi-stage authentication process before they are allowed to interact with secure embedded systems. When an embedded system must be linked to a network or the Internet, designers encrypt the data either symmetrically or asymmetrically, though both methods require a secret key and an encoding sequence to translate plain text into cipher text and back again. Embedded-product-development budgets are expected to grow so these safeguards can be provided. Click Here to View Full Article

. From ACM's TechNews, August 2, 2004

"Search Engines Expose Vulnerabilities"
Computerworld (07/29/04); Willoughby, Mark

Hackers use search engines to discover vulnerabilities in Web site source code, and security experts forecast an increase in this behavior. "People have discovered that they can make a really tight Google query that comes back with results that show lots of vulnerabilities at once," says SPI Dynamics application security analyst Matt Fisher. He points out that backup files and source code are sometimes stored in clear text or as HTML files, adding that the problem lies with poor Web application security, not search engine security practices. Passwords are sometimes found in embedded code, and searching with an invalid file extension, such as .inc, .bak, or .old, will usually return Web site source code. The information tells what the site is storing, as well as configuration data that could be helpful in a hack. "Developers are not taught secure coding," Fisher says, noting that firewalls will not protect against such invasions. Chris Wysopal, vice president of @stake, says that hackers also use search engines to hide their locations and to complicate forensic investigations. Since hackers view the search engine results through a third-party cache, there is no information left about their IP address. Also, the MyDoom.O worm used search engines to locate email addresses stored in a domain range. Wysopal warns people must understand how attackers work and that they are not usually going after a given site but just searching for an opportunity. Click Here to View Full Article

. From ACM's TechNews, August 2, 2004

"Hackers Plan Global Game of 'Capture the Flag'"
CNet (07/30/04); Lemos, Robert

Hackers from all over the U.S. are planning to engage in a massive game of capture the flag next February, in which they will launch a cyberattack of unprecedented scale against systems set up and maintained by other hackers. The three-day event will pit East Coast against West Coast hacker teams in what is publicized as the first large-scale hacking competition to be waged over the public Internet; the contest's organizers, the Ghetto Hackers security group, expect to have 1,000 participants signed up by February. The game is being advertised at this week's Defcon hacking convention. So that the game does not leak onto the Internet, the Ghetto Hackers intend to build a network that runs on the Internet but is independent from it, through the use of a virtual private network. Security experts are largely unfazed by the event: Counterpane Internet Security founder Bruce Schneier notes that most players will not resort to "large-scale, uncontrollable attacks." Jennifer Granick of Stanford University's Center for Internet Law and Society reports that in a case where a virus or worm spills over from the game onto the Internet and causes damage, there could be a basis for legal action. Doug Tygar of the University of California, Berkeley doubts that the capture-the-flag game will yield anything significant to scholars, though he does see value in the experiment as a learning experience. Every year for the last three years at the Defcon convention, the Ghetto Hackers have coordinated a small capture-the-flag game in which eight teams hack each other on a closed network, but next year's contest promises not only to be global but to involve more amateur hackers. Click Here to View Full Article

. From ACM's TechNews, August 2, 2004

"Academics Enlist in Spam Battle"
eWeek (07/31/04); Hicks, Matt

The Conference on Email and Anti-Spam, which brought together researchers from both academic and industry labs, represented the first serious academic conference to focus on spam and spam countermeasures, according to Microsoft Research's Joshua Goodman. The hottest debate centered on the proliferation of economic-based models for spamming deterrents, such as programs where spammers pay a fee for sending unsolicited commercial email, perhaps as a micropayment when a message is determined to be spam by a recipient. The same panel explored a Microsoft research project that employs a computational puzzle strategy to force spammers' computer systems to consume additional CPU or memory resources to send email in bulk, as well as challenge-response questions. University of Cambridge researcher Richard Clayton argued that each deterrent could be subverted by determined spammers. Challenge-response systems, for instance, could be thwarted by cheap labor employed by spammers, while computing power could be stolen from zombie systems in order to beat computational obstacles. "The problem is that not only is my machine insecure and my identity insecure but that my money is insecure as well," Clayton explained. Presentations at the conference included: an analysis of phishing schemes by MailFrontier engineer Jon Oliver, who concluded that even legitimate marketing emails from major companies are being misinterpreted as phishing scams because the problem is so widespread; a report from the University of Illinois at Champaign-Urbana's Ben Gross that 50 percent of people use multiple email accounts; and observations from Geoff Hulten of MSN's Anti-Spam Technology and Strategy Group that spam for non-graphical sexual products is increasing dramatically, while spam for explicit sexual products is falling. Click Here to View Full Article
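The "computational puzzle" deterrent discussed at the conference, as an added Python example that is not part of the original article or of Microsoft's research project: the sender must find a nonce such that SHA-256 over the sender, recipient, date and nonce has a required number of leading zero bits, which costs about 2^bits hashes on average, while the receiver checks the stamp with a single hash. The 16-bit difficulty, the field layout and the sample addresses are constructed for the demonstration.

```python
import hashlib
import itertools

DIFFICULTY_BITS = 16   # constructed: about 65,000 hashes per message on average


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the puzzle's 'difficulty met')."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def stamp_digest(sender: str, recipient: str, date: str, nonce: int) -> bytes:
    # Binding the stamp to sender, recipient and date means one solved
    # puzzle cannot be reused for a different recipient or a later mailing.
    return hashlib.sha256(f"{sender}|{recipient}|{date}|{nonce}".encode()).digest()


def solve(sender: str, recipient: str, date: str, bits: int = DIFFICULTY_BITS) -> int:
    """Sender's side: try nonces from 0 upward until the digest has `bits` leading zeros.
    Returns the smallest such nonce; there is no shortcut other than hashing."""
    for nonce in itertools.count():
        if leading_zero_bits(stamp_digest(sender, recipient, date, nonce)) >= bits:
            return nonce


def verify(sender: str, recipient: str, date: str, nonce: int,
           bits: int = DIFFICULTY_BITS) -> bool:
    """Receiver's side: one hash, however expensive the puzzle was to solve."""
    return leading_zero_bits(stamp_digest(sender, recipient, date, nonce)) >= bits


def expected_hashes(bits: int) -> int:
    """Average work per message; doubles with every extra bit of difficulty."""
    return 2 ** bits


def demo():
    sender, recipient, date = "alice@example.test", "bob@example.test", "2004-08-02"  # constructed
    nonce = solve(sender, recipient, date)
    return {
        "nonce": nonce,
        "accepted": verify(sender, recipient, date, nonce),
        "wrong_recipient_accepted": verify(sender, "carol@example.test", date, nonce),
        "expected_hashes": expected_hashes(DIFFICULTY_BITS),
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole idea: a legitimate user pays a fraction of a second per message, a bulk mailer pays it millions of times over. It also illustrates Clayton's objection quoted above: the cost falls on whoever owns the CPU, so a spammer sending from compromised "zombie" machines pays nothing, and the puzzle deters only senders who use their own hardware.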

. From ACM's TechNews, August 2, 2004

"Hackers Are Discovering a New Frontier: Internet Telephone Service"
New York Times (08/02/04) P. C4; Belson, Ken

Internet phones are becoming more and more attractive to hackers as the technology proliferates among home and business users. Several malicious attacks directed against Net phone networks have already resulted in millions of dollars in lost business. Hackers or angry employees with access to a corporate phone server can listen in on conversations by secretly setting up software that tracks voice packets, and Net phone tapping is much easier than wiretapping. Phone manufacturers and Internet security experts say the damage caused by Internet phone hacking has been low, while quantifying the extent of the damage is difficult because the technology is immature and many companies are reluctant to reveal problems; however, the general feeling is that Net phone exploitation will become more frequent and more serious as companies establish digital phone networks and integrate them with their data networks. "Voice over Internet phones are not in the spotlight of hackers yet, but in this voyeuristic world, if someone can listen in on people's conversations and get a thrill, they will," warns Avaya security consultant Joe Seanor. Beyond cheap thrills, hackers may eavesdrop on digital phone conversations to gather information that can be sold to rival companies. Measures hackers may take against digital phone networks include programs that seek holes in firewalls and disrupt phone traffic and counterfeit voice packets that can get past security programs. Vonage and other companies supply Internet calling services that are more difficult to hack into, but hackers could still infect an individual phone user's computer and eavesdrop on any emails and voice calls that go through the compromised system. Experts say firms can avert incidences of internal sabotage by installing encryption software and restricting code access to a select handful of employees or resort to "deep packet inspection" in case the first strategy fails. 
(Articles published within 7 days can be accessed free of charge on this site. After 7 days, a pay-per-article option is available. First-time visitors will need to register.) Click Here to View Full Article

. From ACM's TechNews, July 30, 2004

"Internet Snagged in the Hooks of 'Phishers'"
Washington Post (07/29/04) P. E1; Walker, Leslie

Phishing attacks are occurring more frequently, worrying the e-commerce and banking industries. According to Gartner, some 57 million U.S. adults have received a phishing email, and nearly 11 million clicked on a false link, while 1.8 million actually gave out personal information. The Federal Trade Commission is planning a summit this autumn to focus on authentication tools guarding against phishing attacks, and the FBI will start a drive to identify and catch phishers next month. SAIC chief scientist James Jones says that phishers seem to be getting pickier about their targets and appear to be culling target lists. Meanwhile, companies such as Earthlink are feeling the pain along with their customers. Each time a phishing exploit targets Earthlink customers, the company receives 40,000 phone calls from users, says senior manager Scott Mecredy. Earthlink offers ScamBlocker software that keeps a blacklist of known phishing sites on people's Web browsers. VeriSign notes that the attacks are becoming more sophisticated, with 93 percent of the emails the company examined containing spoofed return addresses to make them look more legitimate. Phishers are also getting better at making their fake sites look like the real thing and can camouflage the real Internet address or replicate the small padlock icon at the bottom right-hand corner. There is a need for universal tools to verify the authenticity of emails and Web sites. Next month the FBI will launch a new concerted effort with various law enforcement agencies called Digital Phishnet designed to identify and catch phishers. Meanwhile, experts say online commerce is suffering due to Internet security concerns. Gartner analyst Avivah Litan says, "I think we will see the slowdown accelerate. And if the problems aren't fixed, people will use the Internet for surfing, but they won't transact online." Click Here to View Full Article

. From EduPage, July 7, 2004

WORM VARIANT CLOGS E-MAIL, SEARCH ENGINES
ZD-Net, July 26, 2004

A variant of the MyDoom worm hit early Monday, clogging e-mail accounts worldwide and slowing search engines Google, Yahoo, AltaVista, and Lycos because it automatically performs Web searches on those search engines after it infects a PC. Tens of thousands of PCs have reportedly been infected. Looking for e-mail addresses on search sites is a twist on earlier variants of MyDoom, which looked for addresses only on the host hard drive. Click Here to View Full Article

. From ACM's TechNews, July 26, 2004

"An Eye Opener on Open Source Internet Security"
IST Results (07/22/04)

The purpose of the Information Society Technologies program-funded SECRETS project was to assess the advantages and disadvantages of open source software for Internet security for the benefit of the public and private sectors, and its evaluation of the toolkit for deploying OpenSSL's Secure Sockets Layer (SSL) and IPSec's Free Secure Wide Area Network (FreeS/WAN) yielded mixed results. The protocols' functionality was tested in the areas of secure e-commerce, secure mobile communications, network monitoring, and intelligent networks. Intrasoft International's Antonis Ramfos reports that one of open source software's major drawbacks is that the organizations that devise the protocols frequently fail to capably support them afterwards, while a dearth of standardization has led to interoperability problems with other open source software. Such problems were typical of FreeS/WAN, according to the SECRETS evaluation. Despite such problems, Motorola's Ross Velentzas says the SECRETS project determined that the protocols' deployment is "worth considering by commercial organizations and governments for integration into the software products" they build or employ. The utilization of OpenSSL by others is much easier than FreeS/WAN because, unlike FreeS/WAN, OpenSSL boasts sufficient documentation from its organization. The SECRETS partners, which include Motorola, Intrasoft, and Alcatel, are still working with open source software for Internet security, and Ramfos and Velentzas concur that both the public and private sectors will use such protocols more extensively in the future. Click Here to View Full Article

. From ACM's TechNews, July 26, 2004

"Wanted: Cybersecurity Experts"
Medill News Service (07/22/04); Kumler, Emily

The federal government was urged to make a greater commitment to cybersecurity and to have cyberspace experts take on a larger role in Homeland Security efforts during a hearing before the House Science Committee on July 21. Cybersecurity experts said more educational programs are needed, and added that courses will have to be up-to-date and be able to adapt to the latest demands of cyberspace. Chet Hosmer, president of Wetstone Technologies, a cybersecurity research development company, stressed that security experts will need to make adjustments quickly because potential attacks can develop and change at "Internet speed." Hosmer also took issue with the setup of higher-education curricula, which is producing fragmented cybersecurity training programs because of its rigidity. The social science department offers criminal justice programs, while computer science is relegated to math or computer science departments. "Building programs that cross domains is quite difficult for many reasons, and the student typically lacks depth in either area and is ill-prepared for [work in] digital investigation after graduation," said Hosmer. Some educators saw community colleges as an ideal resource for security training because of their focus on practical skill. Military educational programs, such as the National Strategy to Secure Cyberspace, are another form of cybersecurity training. Click Here to View Full Article

. From ACM's TechNews, July 23, 2004

"Is Your Computer a Loaded Gun?"
Salon.com (07/22/04); Vaidhyanathan, Siva

The Senate Judiciary Committee will hear testimony today on the Induce Act, which aims to ban technologies that enable copyright infringement and allow civil penalties for users that intentionally assist a third person in violating copyright. Although the Inducing Infringement of Copyrights Act is aimed specifically at changing the behavior of 60 million Americans who have participated in unauthorized file-sharing, it is so broad in its potential application that it makes basic technology components suspect. Not only would this law undermine the landmark 1984 "Betamax case" that provides for reasonable recording and archiving, but it also threatens to stifle technological innovation. Peer-to-peer file-sharing companies would be the direct targets of the Induce Act because they offer the interface software people use to easily share files on the Kazaa and Grokster networks. Last year, a federal court ruled these software makers cannot be responsible for the illegal activities of their users because of the way they are designed; moreover, a previous federal court ruling allowed new digital technologies such as the MP3 player because they had "substantial non-infringing uses." The Motion Picture Association of America and Recording Industry Association of America (RIAA) say the Induce Act does not target normal technology, or "neutral technology," in the words of the RIAA's Mitch Bainwol--yet no technology is neutral, especially when it is as powerful and enabling as networked digital technologies are. When users have the opportunity to use alternative file-sharing technologies such as Gnutella, ICQ, FreeNet, and BitTorrent, they will do so. Unless authorities and industry officials are willing to re-architect the entire system to disallow this misbehavior, interfering policy such as the Induce Act will fail, writes Siva Vaidhyanathan, New York University assistant professor of culture and communication. 
Click Here to View Full Article (Access to this article is available to paid subscribers only.)

. From EduPage, July 7, 2004

Piracy Report Stirs Controversy
New York Times, July 19, 2004

A recent report by the Business Software Alliance (BSA) about the cost of software piracy has prompted some to suggest a political motive for the report. Two weeks ago, the BSA issued a report that estimated annual losses to software piracy at $29 billion. To some, however, the timing of the report--released not long after a Senate bill was introduced that would significantly strengthen copyright law--was not merely coincidental. Opponents of the Senate bill argued that it would effectively invalidate a Supreme Court decision that protects those who develop technology that could be--but is not necessarily--used for copyright violations. Overturning that precedent, said critics, would only serve to protect interests of copyright holders and would stifle technological innovation. Critics of the bill contend that the BSA, which has previously estimated losses to piracy at $13 billion, exaggerated the amount and released the report at a time that it would influence senators considering the bill. Supporters of the bill said it is sufficiently focused to target egregious violators of copyright. The BSA defended the new estimate, saying the data that led to the higher number were more comprehensive than in previous studies. New York Times, 19 July 2004 (registration req'd) Click Here to View Full Article

. From ACM's TechNews, July 19, 2004

"Loose Clicks Sink Computers"
Baltimore Sun (07/19/04) P. 6A; Stroh, Michael

Stray signals discharged from an electronic device can unintentionally reveal sensitive data, a phenomenon known as "compromising emanations" that has long been an attractive area of study for civilian computer researchers. In one experiment, Cambridge University computer scientist Markus Kuhn can intercept radio waves emitted by laptop video connectors, and he says that "There are probably a half-dozen or dozen exciting phenomena yet to be discovered." In another experiment, Kuhn was able to rebuild the image on a computer screen by analyzing its reflected glow on a nearby wall, while Lockheed Martin Space Systems' Joe Loughry and Auburn University's David Umphress learned that the patterned blinking of light emitting diodes embedded in hardware components can give hints about the information passing through the machine. The exploitation of compromising emanations has been a longstanding tradition, and about four decades ago the U.S. military started a highly classified project run by the National Security Agency to develop hardware that could sense and block such signals. Electromagnetic radio waves have long been the most worrisome kind of compromising emanations, but more subtle electronic signals have been uncovered in recent years. A pair of IBM researchers, for example, developed a relatively inexpensive technique to figure out what a person is typing by training neural network software to translate unique sound waves produced when the keys strike a membrane between the keyboard and its base; the use of a parabolic microphone allowed the experimenters to listen in from a distance of almost 50 feet. Meanwhile, Eran Tromer of the Weizmann Institute revealed at a May conference that encrypted data could theoretically be cracked by monitoring high-frequency noise emitted by Intel Celeron microprocessors. Click Here to View Full Article The Baltimore Sun has removed this link - they may have corrected the problem.

. From ACM's TechNews, July 14, 2004

"Computer, Heal Thyself"
Salon.com (07/12/04); Williams, Sam

Berkeley researcher and ACM President David Patterson and Stanford scientist Armando Fox's Recovery Oriented Computing (ROC) project focuses on the design of computer systems that can rapidly bounce back from malfunctions. The initiative is just one of many "autonomic computing" projects that are sweeping academic and corporate research facilities. Fox says modern systems are plagued with software bugs that programmers have had to contend with since "the beginning of time," and he and Stanford doctoral student George Candea have co-authored a series of papers that probe "micro-rebooting," a strategy in which system managers simply reboot the malfunctioning elements of a computing network, an approach that Candea says often fixes the bug faster than tracking down and correcting the root cause. He and Fox have also devised recursive restartability, a preventative maintenance process whereby an automated network manager reboots each branch of a network's node tree, while Candea is focusing on the integration of micro-rebooting and fault injection, a strategy he calls crash-only computing. The doctoral student has created a Java applications server split into a management element that periodically queries the software system and looks for any indications of bad data, and a monitoring element that assesses the error path and malfunctioning component and triggers a micro-reboot. The National Science Foundation has funded University of Virginia researcher David Evans' project, which mimics biological systems more closely by having modules in a software network communicate in a manner modeled after chemical diffusion. Each module is programmed to construct and maintain a 3D superstructure, after which various modules are exposed to destructive data and purged from the system when they fail; the network is designed to replace the lost modules by tapping a distributed memory or "signal" of each component's position and function. No Additional Article Link

. From ACM's TechNews, July 14, 2004

"Hacktivism and How It Got Here"
Wired News (07/14/04); Delio, Michelle

The term "hacktivism" was not coined until 1998, when several members of the Cult of the Dead Cow (cDc) hacker organization held an online discussion of how hacking could be used to promote political freedom in China after the Tiananmen Square incident. Professor Ronald Deibert of the University of Toronto's Citizen Lab explains, "The combination of hacking in the traditional sense of the term--not accepting technologies at face value, opening them up, understanding how they work beneath the surface, and exploring the limits and constraints they impose on human communications--and social and political activism is a potent combination and precisely the recipe I advocate to students and use to guide my own research activities." He adds that increasing numbers of mainstream human rights activists and major foundations are embracing hacktivism, and singles out cDc in particular for its often irreverent, ethical, and ingenious tactics. cDc leverages the section of the UN Declaration of Human Rights stating that freedom of opinion and expression without interference and through any media is a universal human right. Oxblood Ruffin, a member of cDc, says the group has been establishing relationships with grass-roots and traditional human rights organizations. One cDc group, Hacktivismo, has devised tools that permit people to access and exchange information marked as undesirable by their government. Patrick Ball, who directs human rights programs at the nonprofit Benetech, says "hacktivism is an opportunity for engaged young programmers to do cool and socially beneficial stuff with their technical skill and curiosity--instead of getting in trouble." Click Here to View Full Article

. From ACM's TechNews, July 12, 2004

"For Hackers, Shop Talk, a Warning and Advice"
New York Times (07/12/04) P. C3; Thompson, Nicholas

This year's Hackers on Planet Earth (HOPE) conference featured speakers such as Apple Computer founder Stephen Wozniak, who bemoaned that people today consider hackers to be synonymous with terrorists to such a degree that the government has instituted excessively harsh penalties against violators of computer fraud regulations. Wozniak described hacking as mainly "just some kid trying to do something funny," illustrating his argument with his own hacking escapades, which included such pranks as manipulating the phone system to place a free call to the pope. Wozniak told the younger attendees that they should follow a code of ethics and resist the temptation to do harm, a view espoused by many veteran hackers. HOPE conference head of security Mike Roadancer said he thinks younger hackers have a strong need for guidance and discipline. A recurring contention among speakers and participants at the conference was that they hack chiefly to expose security holes in corporate computer systems in the hopes that their actions will lead to improved data protection and privacy. "If a hacker breaks into a company's system, and that system isn't properly secured, that company should be held liable," remarked veteran hacker John T. Draper. A good portion of the event was devoted to arguing the need for the government to loosen its monitoring and control of computer networks. Sessions were held to help hackers become more competent, while others concentrated on tools that could help penetrate or secure computer systems. Click Here to View Full Article (Access to this site is free; however, first-time visitors must register.)

. From ACM's TechNews, July 12, 2004

"Cybersecurity Research Underfunded, Executives Say"
Government Computer News (07/08/04); Jackson, Joab

The National Science Foundation (NSF) can only fund about 10 percent of the research proposals it receives regarding improving IT security, according to testimony at a House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census hearing this week. "There are good ideas in the cybersecurity area that we're simply not able to fund," said NSF computer and information science and engineering directorate assistant director Peter Freeman. He said the foundation has received over 150 proposals for a current solicitation in computer security, about a third of which show promise, but that the agency has only enough money to fund 10 percent of the total. Hratch Semerjian, the acting director of the National Institute for Standards and Technology (NIST), said computer security deserves more emphasis and that it is an important part of nearly every new application developed by the institute. The NSF has requested $751 million for networking and IT research next year, while the NIST has requested $57.9 million for computer science research, with another $6 million specifically for cybersecurity. Overall, Rep. William Clay (D-Mo.) says federal spending on IT-related R&D will total about $2.2 billion this year, but would fall to $2 billion in 2005 under President Bush's budget proposal. Click Here to View Full Article

. From ACM's TechNews, July 12, 2004

"Corporate Governance Task Force Pushes Security Best Practices"
Enterprise Systems (07/07/04); Schwartz, Mathew

A new report from the National Cyber Security Partnership's (NCSP) corporate governance task force says getting executives involved in security is the best way to protect the nation's critical infrastructure. The report, "Information Security Governance: A Call to Action," suggests more federal funding for software development tools that root out defects, a management framework for information security governance, and more executive-level and boardroom-level attention to security. Unisys managed security services global director John Summers says the report's aim was to help governments and companies correctly implement and secure an electronic infrastructure. He says, "One of the challenges that all organizations are trying to address--the government in particular--is what is the right way to implement [and] secure an electronic infrastructure." Unisys is assisting the Transportation Security Administration with network implementation, including IT security. Summers believes that critical infrastructure industries are moving from making security imperative to making it routine. Companies usually want others to define security standards and responsibilities, but it is hard to define best practices when things are still evolving, he explains. To complement the NCSP report, Summers recommends the National Institute of Standards and Technology's security infrastructure best practices, which are intended for federal agencies. It is too soon for regulations because threats and responses are changing too quickly. Summers says that security is more about risk management; security assessment should involve the needs of the business overall. Click Here to View Full Article

. From EduPage, July 7, 2004

United Nations To Address Spam Problem
San Jose Mercury News, 6 July 2004

Officials from a United Nations agency said this week it will work to fight spam on an international scale. According to Robert Horton, the acting chief of the Australian communications authority, the International Telecommunications Union (ITU) will work to bring the problem of spam under control within two years. The ITU, which is meeting this week in Geneva to address the growing problem of spam, will write examples of legislation that would allow effective cooperation among governments in fighting spam. Many countries currently lack any legislation dealing with spam, and those that do often have laws that are difficult to reconcile across borders. According to the ITU, spam may account for as much as 85 percent of all e-mail today, as well as a significant portion of text messages received by cell phones. http://www.siliconvalley.com/mld/siliconvalley/9089737.htm

Three Countries To Coordinate Antispam Efforts
Internet News, 6 July 2004

The United States, the United Kingdom, and Australia have agreed to coordinate their efforts to fight spam. Under the agreement, the U.K. Office of Fair Trading, the Australian Competition and Consumer Commission, and the U.S. Federal Trade Commission will share evidence and investigative information against spammers. The United Kingdom and Australia are expected to benefit from the agreement more than the United States, which is responsible for more global spam than any other country. According to a recent report, the number of spam outbreaks has risen from 350,000 per day to 500,000 since the United States passed the Can Spam Act. The report also estimates that within two years, spam will account for 98 percent of all e-mail. http://www.internetnews.com/xSP/article.php/3377451

Report Shows Steep Rise In Software Piracy
CNET, 7 July 2004

A new report from the Business Software Alliance (BSA) estimates that pirated software represented 36 percent of all software installations worldwide during 2003, with corresponding losses to software makers of $29 billion. According to the report, financial losses were highest in Western Europe, at $9.6 billion, and the highest levels of piracy were found in China and Vietnam, at 92 percent. The BSA, which represents companies including Microsoft, Apple Computer, Hewlett-Packard, Intel, and IBM, largely attributes the rise in software piracy to P2P networks. Jeffrey Hardee, the BSA's Asia-Pacific director, said that governments in the Asia-Pacific region "really do want to develop strong IT sectors. And to do that, there's no question they have to bring down the levels of piracy." http://news.com.com/2100-1014_3-5259395.html

. From ACM's TechNews, June 30, 2004

"Software Fuse Shorts Bugs"
Technology Research News (07/07/04); Patch, Kimberly

Stanford University researcher George Candea says restraints on input and outputs could make software more stable, preventing much of the bug-related troubles that cost the U.S. economy nearly $60 billion each year, according to National Institute for Standards and Technology estimates. Software fails when operations extend beyond the set of conditions for which the software was tested, and Candea proposes constraining reality for software by rejecting unanticipated inputs and outputs through the use of software fuses, which are protections similar to electrical fuses regulating current flowing through a circuit. Developing these fuses requires correctly defining acceptable input and output, as well as measuring predictability so that trade-offs can be made between predictability, performance, and cost. Candea's approach treats the software application itself as a black box so that the software fuse is similarly deployed with both legacy systems and newer software. Traditional software reliability researchers may eschew limiting inputs and outputs, but Candea says the method is a pragmatic way of dealing with a very difficult problem, and should coincide with regular software quality improvements. He says, "Instead of fixing the product that fails when given wrong inputs, fix the inputs." Software fuses would guard against inputs of unexpected size, such as buffer overflow exploits used by the SQL Slammer worm, for example, or inputs of unexpected content, such as the HTML parsing technique used in denial-of-service attacks with the Apache Web server and Squid proxy cache. Other benefits of the software fuse method include the ability of third parties to install the fuses on proprietary software and their relative cost-effectiveness compared to constantly rewriting software, which often introduces new bugs. Click Here to View Full Article

"FTC Mulls Bounty System to Fight Spam"
MSNBC (06/29/04); Brunker, Mike

The perceived ineffectiveness of the federal CAN-Spam law has prompted the FTC to consider a bounty system in which a person who identifies a spammer breaking the law will receive a reward of at least 20 percent of the civil penalty the FTC eventually collects--a particularly attractive proposition, considering that the FTC will probably seek multimillion-dollar fines against the most flagrant violators. The bounty concept was given currency by Stanford Law School professor Lawrence Lessig, who concluded, "If the vigilantes who are working so hard to keep lists of offending email servers were to turn their energy to identifying and tracking down spammers, then this passion to rid the world of spam might actually begin to pay off--both for the public and for the bounty hunters." The FTC is accumulating and evaluating expert testimony on the plan and is expected to tell Congress whether it is feasible by September, but critics want the plan rejected. Spamhaus.org founder Steve Linford sees no point to such a system, given that the FTC has already compiled so much data about spammers' identities, while Louis Mastria with the Direct Mail Association says the plan would only encourage online vigilantism and probably would not lead to any actual arrests. But disappointment in CAN-Spam's performance is palpable and growing stronger, given reports of steadily increasing volumes of spam. Worse, IronPort Systems' Tom Gillis says spammers are increasingly using "zombie" computers as spam launching platforms in order to avoid being traced by authorities. On the other hand, CAN-Spam advocates feel the law is fulfilling its purpose, and was never intended to be an all-in-one solution, but rather "one weapon in the [anti-spam] arsenal," according to Carol Guthrie, a representative of CAN-Spam co-author Sen. Ron Wyden (D-Ore.). Click Here to View Full Article

. From ACM's TechNews, June 28, 2004

"Winning the War on Spam"
Discover (06/04) Vol. 25, No. 6, P. 24; Johnson, Steven

The current model for fighting spam is treating it as a disease, with spam-blocking software, blacklists, and other techniques being disease-fighting antibodies. Some technology experts say this thinking is flawed because it does not try to address the root cause of spam, which is its profitability: If millions of identical messages are sent out, the cost is still basically the same as if the spammer sent only one message. Ferris Research estimated businesses spent $10 billion fighting spam last year, not to mention the inconvenience caused to home users and the millions of hours consumed emptying junk mail. Over the past several decades, environmentalists figured out that industrial pollution, like spam, actually costs more than it appears: People buying gas at the pump pay for the oil extraction, refining, and transportation, but do not pay for the associated damage to the environment; in this sense, email is simply too cheap to reflect the exorbitant costs of spam on users and the Internet infrastructure. Although some experts have advocated a small monetary charge for email, this system would not only be difficult to implement, but would unfairly punish those who could possibly benefit from email most. Microsoft researcher Cynthia Dwork has another solution that involves payment for email, except in computation time, not money: She suggests making sending computers figure out a puzzle so that each email message would cost about 10 seconds in computational time. Dwork's scheme is dependent on a variable element in the puzzle, which can increase the complexity of the puzzle in relation to Moore's law; though this 10-second tax would not likely affect regular users much since they could do other tasks on their PC in the meantime, it would mean a single computer could only send out roughly 8,000 emails per day instead of the millions they currently can churn out. Spammers would have to buy more machines, which would put many of them out of business. 
Click Here to View Full Article
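To make the per-message cost concrete, here is an added example that is not from the article and is not Dwork's actual construction (her pricing functions differ): a hashcash-style SHA-256 stamp in which the sender must find a nonce whose hash has a configurable number of leading zero bits, while the receiver verifies with a single hash. The stamp is bound to recipient and date and checked against a replay set, and the difficulty knob shows how one extra bit doubles the work, which is how the scheme would track Moore's law. All names and values are constructed for illustration.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    """Constructed proof-of-work stamp attached to an outgoing message."""
    bits: int        # difficulty: required leading zero bits in SHA-256(header)
    date: str        # yyyymmdd; lets the receiver reject stale stamps
    recipient: str   # binds the stamp to one address so it cannot be reused
    nonce: int       # the value the sender brute-forces

    def header(self) -> str:
        return f"{self.bits}:{self.date}:{self.recipient}:{self.nonce}"


def _leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def mint(recipient: str, date: str, bits: int) -> Stamp:
    """Sender side: search nonces until the hash clears the bar.

    Expected work is about 2**bits hashes, so the cost per message is set
    purely by `bits`; no key material or money changes hands.
    """
    nonce = 0
    while True:
        stamp = Stamp(bits, date, recipient, nonce)
        digest = hashlib.sha256(stamp.header().encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return stamp
        nonce += 1


def verify(stamp: Stamp, expected_recipient: str, today: str,
           min_bits: int, seen: set) -> bool:
    """Receiver side: one hash plus cheap policy checks.

    Rejects stamps that are too easy, addressed to someone else, stale,
    or already spent (replay), before doing the single hash computation.
    """
    if stamp.bits < min_bits:
        return False
    if stamp.recipient != expected_recipient or stamp.date != today:
        return False
    header = stamp.header()
    if header in seen:
        return False
    digest = hashlib.sha256(header.encode()).digest()
    if _leading_zero_bits(digest) < stamp.bits:
        return False
    seen.add(header)
    return True


def messages_per_day(seconds_per_stamp: float) -> int:
    """Throughput cap for one machine: the article's 10 s gives 8,640/day."""
    return int(86400 // seconds_per_stamp)


def bits_for_target(seconds: float, hashes_per_second: float) -> int:
    """Difficulty needed so minting takes `seconds` on given hardware.

    Doubling hashes_per_second (Moore's law) raises the answer by one bit,
    which keeps the wall-clock cost per message roughly constant.
    """
    return max(0, round(math.log2(seconds * hashes_per_second)))


if __name__ == "__main__":
    # Constructed scenario: a low difficulty so the demo finishes instantly.
    seen: set = set()
    s = mint("alice@example.com", "20040628", 12)
    print("minted nonce", s.nonce, "accepted:",
          verify(s, "alice@example.com", "20040628", 12, seen))
    print("replay accepted:", verify(s, "alice@example.com", "20040628", 12, seen))
    print("messages/day at 10 s each:", messages_per_day(10))
    print("bits at 1e6 and 2e6 H/s:", bits_for_target(10, 1e6), bits_for_target(10, 2e6))
```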

"Internet Takedown"
Government Technology (06/04) Vol. 17, No. 6, P. 24; McKay, Jim

The United States is depending more and more on the Internet to conduct business and government functions, but this poses a risk given the vulnerability of the Internet. Experts say that the chances of a major disruption--whether from deliberate attack or from an accident like the 2003 blackout--are growing. "The problem with the Internet is we developed it so fast and furiously, and didn't take a step back and build it foundationally with security in mind," says Phyllis Schneck, chairwoman of the FBI's InfraGard board of directors. There is no real short-term solution besides reducing the severity and number of interruptions, including viruses. The Georgia Technology Authority's Walter Tong says hackers are the most worrisome threat presently. A company with excellent security could still be at risk if it is connected to one with poor security, and Carnegie Mellon University Software Engineering Institute fellow Watts Humphrey says today's software is so defective that hackers easily find flaws in it. There is no real agreement as to how much damage an accident or a hacker can cause, though studies at Ohio State University suggest that the storage of key Internet routing information in only a few nodes is not a good idea, since damaging one could affect many areas. Critical infrastructure such as emergency services and transportation use the Internet, which puts those systems at risk until some technological solution is developed, such as a parallel network with secure routers. John McCarthy, executive director of the George Mason School of Law's Critical Infrastructure Protection Project, is involved with a partnership between the District of Columbia, Maryland, Virginia, and the Homeland Security Department to find out what infrastructures are essential, how they are interdependent, and what to do to protect them. He believes that every sector should understand its role in protecting, and that state governments must determine which infrastructures are most important. 
Click Here to View Full Article

. From ACM's TechNews, June 25, 2004

"IT and End Users Differ on Spam Severity"
IT Management (06/18/04); Gaudin, Sharon

Spam in the workplace is a greater source of concern among IT managers than end users, according to a study performed by Insight Express for the information security firm Symantec. Around 50 percent of polled end users say junk email is not a problem in the office, while 79.1 percent of IT managers report that spam is a weighty problem. Ten percent of IT administrators say spam is out of control, 33 percent claim it is barely under control, and 56 percent are convinced spam is fully under control. In comparison, about 8 percent of end users believe spam is out of control, 23.3 percent think spam is barely under control, and 68 percent are confident that it is firmly under control. IT managers listed spam as their worst problem after malware, according to the Insight survey. Symantec product management director Chris Miller explains that spam is a bigger problem for IT administrators because they must deal with the spam that all the staff receives, not just one employee. "They're dealing with bandwidth usage, storage usage, viruses it may be bringing in, staffing, and the hours they have to put in," he notes. "The end user sees it as garbage they have to deal with. The IT manager has a lot of other issues." One thing IT managers and end users agree on is spam's staying power: Almost 71 percent of IT managers expect to be struggling with spam three years from now, while 72 percent of end users wager that the spam problem will increase in severity. Click Here to View Full Article

"Task Force Pushes for Early Warning System"
Security Management (06/04) Vol. 48, No. 6, P. 40; Piazza, Peter

The Cyber Security Early Warning task force, formed at last year's National Cyber Security Summit, has issued recommendations for the first time, including one for the creation of an Early Warning Alert Network (EWAN) to work with existing public-private information-sharing organizations. The network would be funded by stakeholders and the Homeland Security Department, and would create a network of networks. The task force's aim is to improve the sharing, integration, and dissemination of cybersecurity threat information culled from the DHS' US-CERT, the FBI's InfraGard program, and critical infrastructure information sharing and analysis centers (ISACs). The task force wants to start beta testing EWAN in October and launch it in December, but those dates are not fixed. The task force would also like to create a National Crisis Coordination Center (NCCC) to pull together both private and public constituencies to prevent and respond to crises. Information Technology Association of America vice president Greg Garcia describes the NCCC as "a cross-disciplinary organization in which, working side by side, were representatives from intelligence agencies, law enforcement agencies, the private sector, academia, all working together in a collaborative environment" on both cyber and physical security. However, the center is a ways off from realization. Tekmark Global Solutions managing director Mike Higgins believes that the recommendations will run into the same snags that have hindered similar ventures, such as the private sector's fear of sharing information with the government, and having it thus exposed to the Freedom of Information Act. Nevertheless, the NCCC has strong support from Congress and various government agencies.

. From New York Times, June 23, 2004

Two Arrested and Charged in E-Mail Theft
By Saul Hansell

U.S. investigators arrested an America Online employee for stealing the Internet provider's customer list and selling it to a purveyor of "spam" e-mail.

. From EduPage, June 23, 2004

ISPs Agree On Antispam Measures
New York Times, 23 June 2004

Four of the largest e-mail providers have agreed to work collectively on sender-authentication technologies to limit the flow of spam. Despite saying more than a year ago that they would cooperate on such an undertaking, America Online, Yahoo, EarthLink, and Microsoft have been working on separate approaches to the challenge of screening out e-mail that does not come from its purported source. In May, however, Microsoft announced it would combine its technology, called Caller ID, with that of America Online and EarthLink, called Sender Policy Framework (SPF), and name it Sender ID. Meanwhile, Yahoo has been developing a technology called DomainKeys, which is potentially more effective but requires more work to implement. The four companies announced this week they would test each other's technologies, paving the way for a coordinated effort to block spam. http://www.nytimes.com/2004/06/23/technology/23spam.html
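To make the sender-authentication idea concrete, here is an added example of how the SPF side of this works; it is my own illustration, not code from any of the four companies, the article, or an SPF library. The receiving mail server takes the domain of the envelope sender (the SMTP MAIL FROM, not the From: header the user sees), fetches that domain's "v=spf1" TXT record, and walks the record's mechanisms to decide whether the connecting IP is allowed to send for that domain. The DNS zone below is constructed for the example and contains no real records; only the ip4, ip6, include and all mechanisms are modelled, since a, mx, ptr and exists need live DNS.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (invented domains and addresses).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "neutral.example": "v=spf1 ?all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}

# SPF qualifiers: a matching mechanism yields this result.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def envelope_domain(mail_from, helo=""):
    """Domain SPF is checked against: the envelope sender (MAIL FROM).
    For the null sender "<>" used by bounces, SPF falls back to the HELO/EHLO name."""
    addr = mail_from.strip().strip("<>")
    if not addr:
        return helo.lower()
    return addr.rpartition("@")[2].lower()


def check_spf(zone, domain, sender_ip, depth=0):
    """Evaluate `domain`'s SPF record against `sender_ip`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:
        # RFC 7208 caps DNS-based lookups at 10; runaway include chains are a permerror.
        return "permerror"
    record = zone.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include matches only when the referenced record itself yields "pass".
            sub = check_spf(zone, arg, sender_ip, depth + 1)
            if sub in ("permerror", "none"):
                return "permerror"
            matched = sub == "pass"
        else:
            # a, mx, ptr, exists and redirect= need live DNS and are not modelled here.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # no mechanism matched


if __name__ == "__main__":
    # A constructed SMTP transaction: who said MAIL FROM, from which IP.
    domain = envelope_domain("<bounce@example.com>")
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(domain, ip, check_spf(ZONE, domain, ip))
```

The point a practitioner should take from the walk-through is that SPF only answers "may this IP send for the envelope domain"; it says nothing about the From: header a user reads, which is why the article's other technology, DomainKeys, signs message content instead. Note also that the verdict for a forged sender depends on the domain owner's choice of "-all" versus "~all": the second record above ends in "~all", so an unauthorised IP that only reaches the included record gets softfail, while example.com's own "-all" turns that into a hard fail.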

. From ACM's TechNews, June 23, 2004

"Software Industry Seeking New Ways to Fight Piracy"
Investor's Business Daily (06/22/04) P. A4; Bonasia, J.

The software industry has been attempting to counteract digital piracy through education and technological measures, but the results have been uneven. Business Software Alliance (BSA) VP Bob Kruger says program-sharing employees at small and midsize firms are chiefly responsible for the rampant spread of software piracy, which costs the industry $13 billion annually, by BSA estimates. The software industry's anti-piracy tactics have evolved from unwieldy "dongles" to the application of serial numbers to software products that verify licensed users online when a new program is activated, but Autodesk government affairs director David Crane believes the optimum solution is a greater emphasis on education and anti-piracy enforcement. The nonprofit BSA raises public awareness of digital piracy through representation at industry events, offices, and schools, and via notices and advertisements; in addition, people can report on their current or former employers through a BSA Web site or a toll-free hot line. If companies are not complying with software license terms, BSA fires off a letter of warning to the CEO, and then may request a court order for a surprise software audit if the company remains noncompliant. "We want to bring these companies into the fold of responsible software users," says Kruger. Perpetrators of black-market organized digital piracy may also face the wrath of the Justice Department: Two years ago, John Sankus Jr., chief architect of the notorious DrinkOrDie software piracy ring, received a prison sentence of 46 months. Kruger says such incidents can serve as reminders to corporate tech managers of the importance of software license enforcement.

"Spam-Sending PCs Could Be Kicked Offline"
MSNBC (06/22/04); Sullivan, Bob

The Anti-Spam Technical Alliance, which counts Yahoo!, AOL, Earthlink, and Microsoft among its members, released a set of recommendations on June 22 for halting the proliferation of junk email. One of the recommendations calls for ISPs to cut email service for any users whose computers have been turned into "zombie" spam-launching platforms, even if they are unaware that their systems have been hijacked. MessageLabs.com estimates that almost two-thirds of all spam is sent by zombie systems, while AOL believes that figure could be closer to 90 percent. MessageLabs' Brian Czarny doubts that ISPs would be able to suspend service for so many users, given the massive volume of customer service calls they would be inundated with; a more realistic expectation is for the firms to restrict outgoing emails to 100 or 500 per day, and then notify users that their machines must be purged before they can send any more messages. MessageLabs researchers have also determined that spammers are increasingly personalizing spam by monitoring recipients through spyware programs--in fact, a recent Earthlink poll calculates that one-third of all Net-linked computers have been infected with spyware. More accurately identifying actual email senders is another priority of the Alliance, and among its proposals for reaching this goal is restricting the number of emails spam purveyors can send, if not shutting off their email altogether. "It's much the way a credit-card company would look for...suspicious spending on your credit card and either contact you or secure your account immediately," explains AOL director of anti-spam operations Carl Hutzler. Earthlink chief architect Robert Sanders argues that deactivating consumers' email benefits them since their PCs are already contaminated by malware. Click Here to View Full Article
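The per-day sending cap and the credit-card-style anomaly check described above are easy to express as detection logic over an ISP's outbound relay logs. The following is an added example of my own, not code from the Alliance or any of the providers named; the log format, the customer names and the 30-day baselines are all constructed for the illustration. It counts accepted envelope recipients per customer per day, suspends and notifies anyone over a hard cap (500, one of the figures quoted by MessageLabs), flags anyone whose volume is an order of magnitude above their own baseline, and shows the submission-time check a relay would apply before accepting the next message.

```python
import re
from collections import defaultdict

# Constructed relay log format: date, event, authenticated submitter, envelope recipient count.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)T\S+ smtp-out (?P<event>accepted|rejected) "
    r"user=(?P<user>\S+) rcpts=(?P<rcpts>\d+)$"
)

# Constructed sample: alice is normal, bob's machine is a zombie, carol is a sudden spike.
SAMPLE_LOG = """\
2004-06-22T08:00:01 smtp-out accepted user=alice@isp.example rcpts=1
2004-06-22T09:12:40 smtp-out accepted user=alice@isp.example rcpts=2
2004-06-22T09:13:05 smtp-out accepted user=bob@isp.example rcpts=120
2004-06-22T09:13:06 smtp-out accepted user=bob@isp.example rcpts=120
2004-06-22T09:13:07 smtp-out accepted user=bob@isp.example rcpts=120
2004-06-22T09:13:08 smtp-out accepted user=bob@isp.example rcpts=120
2004-06-22T09:13:09 smtp-out accepted user=bob@isp.example rcpts=120
2004-06-22T10:30:00 smtp-out accepted user=carol@isp.example rcpts=45
2004-06-22T10:31:00 smtp-out accepted user=carol@isp.example rcpts=45
2004-06-22T11:00:00 smtp-out rejected user=dave@isp.example rcpts=3
"""

# Constructed per-customer baseline: typical daily recipient count over the previous 30 days.
BASELINE = {"alice@isp.example": 4, "bob@isp.example": 6, "carol@isp.example": 5}

DAILY_LIMIT = 500     # hard cap per customer per day (one of the article's figures)
SPIKE_FACTOR = 10     # "unusual for this customer" threshold relative to their baseline


def parse_log(text):
    """Turn relay log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"date": m["date"], "event": m["event"],
                           "user": m["user"], "rcpts": int(m["rcpts"])})
    return events


def daily_recipients(events):
    """Accepted envelope recipients per (user, date); rejected submissions do not count."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "accepted":
            totals[(e["user"], e["date"])] += e["rcpts"]
    return dict(totals)


def classify(totals, baseline, daily_limit=DAILY_LIMIT, spike_factor=SPIKE_FACTOR):
    """Policy decision per (user, date): suspend over the cap, flag an abnormal spike, else ok."""
    verdicts = {}
    for key, sent in totals.items():
        user = key[0]
        if sent > daily_limit:
            verdicts[key] = "suspend_and_notify"
        elif user in baseline and sent > spike_factor * baseline[user]:
            verdicts[key] = "flag_for_review"
        else:
            verdicts[key] = "ok"
    return verdicts


def admit(totals, user, date, rcpts, daily_limit=DAILY_LIMIT):
    """Submission-time check: would accepting this message push the user past the cap?"""
    return totals.get((user, date), 0) + rcpts <= daily_limit


if __name__ == "__main__":
    totals = daily_recipients(parse_log(SAMPLE_LOG))
    for key, verdict in sorted(classify(totals, BASELINE).items()):
        print(key, totals[key], verdict)
    print("bob may send 1 more:", admit(totals, "bob@isp.example", "2004-06-22", 1))
```

Two caveats the article's quotes hint at: the cap must be enforced at the relay where customers submit mail (the admit() check), because a compromised PC can also speak SMTP directly to the world on port 25 and never appear in these logs; and the baseline comparison is what keeps the customer-service load down, since a flat cap alone either sits far above a home user's normal volume or catches legitimate mailing-list senders.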

. From ACM's TechNews, June 21, 2004

"Shortage of Computer Security Experts Hampers Agencies"
National Journal's Technology Daily (06/10/04); New, William

Homeland Security Department chief security officer Jack Johnson warns there is a severe lack of IT security professionals in government, and that the government needs to train the "next generation" of cyber experts. Johnson says his agency lacks the IT workforce it needs to build required security systems, and would contract that job out to private-sector workers, except that there are only so many cleared contractors. At the Homeland Security Department, Johnson and CIO Steve Cooper have split data security tasks, with Johnson handling unclassified data and Cooper dealing with more sensitive material. Cooper is currently working on a Homeland Security Information Network he says will be on par with Defense Department security by the end of this year, and is also redesigning personnel security in order to lessen internal cybersecurity threats. Federal Aviation Administration (FAA) deputy director Thomas O'Keefe says that more research and development is needed for cybersecurity, along with more collaboration among industry and researchers. He argues that information-sharing among government security professionals needs to be more efficient and effective than information-sharing among Internet criminals. O'Keefe notes that the nation's air-traffic control system is completely separate from the Internet, protecting it from viral outbreaks. The FAA is moving to an IP-based system, but will still keep its network separate from the general Internet. Click Here to View Full Article

"Vigilantes on the Net"
New Scientist (06/12/04) Vol. 182, No. 2451, P. 26; Moran, Barbara

Counterstrike software is viewed as a panacea by companies frustrated by ineffective laws and enforcement against hackers and other online miscreants, but critics claim that such a tack is unethical, possibly unlawful, and could provoke an all-out war in cyberspace. Most organizations' response to cyberattacks is to bolster their defenses with firewalls, honeypots, and other measures, but network managers are locked into an unending game of one-upmanship with hackers; furthermore, small companies may not have the financial resources to upgrade their protection. It was this conundrum that prompted Tim Mullen of AnchorIS to develop software that strikes back at malware such as the Nimda worm by sending its own mutual exclusion (mutex) program back to the machine the worm came from and causing it to reboot (thus canceling the worm's mutex), while the user of the worm-sending machine is informed of his culpability via a pop-up window. Symbiont's iSIMS software is more sophisticated, and offers more aggressive counterstriking options: The product analyzes attacks to determine their point of origin, the damage they could cause if not stopped, and possible response strategies, leaving the final decision to the individual client. Offensive measures iSIMS is capable of include altering routing data on a malware-laden packet so that it is directed back to its source, and a last-resort option of sending code to the attacking computer that stops the attack. A key concern of critics is that counterstrike software can target innocent users such as owners of "zombie" computers who are unaware that their machines have been hijacked, or people whose addresses have been deliberately spoofed by hackers. In one scenario, malicious parties could exploit counterstrike software and goad two organizations to attack each other. Lawrence Berkeley National Labs engineer Eugene Schultz contends that the mentality behind counterstrike software is typical of "a small number of...hotheads...who want to get back at people."

"Decoding Application Security"
CSO Magazine (05/04); Violino, Bob

The World Wide Web has made business easier, but it has made information security more expensive and difficult. Application security is a major issue for chief information security officers (CISOs). Security product vendors are introducing new products intended to provide application-level security that firewalls cannot, but CSOs and CISOs say that enterprises should proceed cautiously as the processes and products mature. Web application attacks use application flaws to get into systems or computers, and defensive measures include code inspection, outside scanning for flaws, and application-security gateways that scan incoming network traffic more deeply than conventional firewalls. Web-application security monitors applications to make sure they behave the way they are supposed to, explains Gartner's Richard Stiennon, which is more effective than trying to learn every attack signature. Yankee Group predicts that the market for application security products and services will go from 2002's $140 million to $1.74 billion by 2007. The technologies currently available are working well, say early adopters. New York State Office of Cyber Security & Critical Infrastructure Coordination director Will Pelgrin says the state is looking into application-security products, and has included application-security best practices in its state agencies' security policy. The Department of Energy is evaluating a NetContinuum gateway, and senior security analyst John Dias says the agency's vulnerability to application-level attacks has dropped. However, the technologies are hindered somewhat by their impact on application performance, complex implementation, untested record, and funding and training issues. Click Here to View Full Article
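Stiennon's distinction between learning every attack signature and checking that an application behaves the way it is supposed to is the negative-model versus positive-model question that still decides how application gateways are built. The following added example is my own illustration of that difference, not code from NetContinuum, the Department of Energy, or the article: it runs the same constructed requests for an invented "/account/view" endpoint through a short signature blacklist and through a per-endpoint profile of expected parameters and value shapes (of the kind a gateway would learn from clean traffic). The signatures and the profile are both invented for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Negative model: a (necessarily incomplete) list of known-bad patterns, constructed here.
SIGNATURES = {
    "sqli_union": re.compile(r"union\s+select", re.I),
    "xss_script_tag": re.compile(r"<\s*script", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

# Positive model: what the application expects per endpoint, as if learned from clean traffic
# (constructed for the example; a real gateway derives this from observed requests).
PROFILE = {
    "/account/view": {
        "id": re.compile(r"^\d{1,10}$"),
        "tab": re.compile(r"^(summary|history|settings)$"),
    },
}


def parse_request(url):
    """Split a request URL into its path and decoded (name, value) query parameters."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def signature_check(url):
    """Negative model: block only values that match a known attack pattern."""
    _, params = parse_request(url)
    for name, value in params:
        for sig, rx in SIGNATURES.items():
            if rx.search(value):
                return ("block", f"{name} matched {sig}")
    return ("allow", "")


def profile_check(url):
    """Positive model: allow only requests that fit the application's learned profile."""
    path, params = parse_request(url)
    expected = PROFILE.get(path)
    if expected is None:
        return ("block", f"unknown path {path}")
    for name, value in params:
        rx = expected.get(name)
        if rx is None:
            return ("block", f"unexpected parameter {name}")
        if not rx.match(value):
            return ("block", f"{name} does not fit profile: {value!r}")
    return ("allow", "")


# Constructed requests: a normal one, a textbook injection, a quieter injection, an
# undocumented debug parameter, and a legitimate client that capitalises a value.
REQUESTS = [
    "/account/view?id=42&tab=history",
    "/account/view?id=42 UNION SELECT 1",
    "/account/view?id=42'%20OR%20'1'='1",
    "/account/view?id=42&debug=1",
    "/account/view?id=42&tab=History",
]

if __name__ == "__main__":
    for url in REQUESTS:
        print(url)
        print("  signatures:", signature_check(url))
        print("  profile:   ", profile_check(url))
```

The third and fourth requests are the argument for the positive model: neither contains a blacklisted token, so the signature check waves them through, while the profile rejects them because an account id is supposed to be digits and "debug" is not a parameter the endpoint has ever taken. The fifth request is the caveat the article's early adopters raise as complexity and performance cost: a profile that is too tight blocks legitimate variation ("History" instead of "history"), so the learning and tuning of the profile, not the matching, is where the implementation effort goes.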

. From ACM's TechNews, June 16, 2004

"FTC Rejects Creation of No-Spam Registry"
Washington Post (06/16/04) P. A1; Krim, Jonathan

FTC Chairman Timothy Muris announced yesterday that the agency would not develop a do-not-spam list similar to the highly popular do-not-call list; Muris said the list would be ineffective because spammers would simply choose to ignore it. Worse still, he said such a registry could be exploited by spammers to increase their mass sending of junk email. Sen. Charles E. Schumer (D-N.Y.) expressed his disappointment with the decision in a written statement, noting that "The registry is not the perfect solution but it is the best solution we have to the growing problem of spam and we will pursue congressional