This site has been created to log references to spam and related technology issues. If you have any suggested additions, please contact me.
From New York Times, October 23, 2005
Colleges Protest Call to Upgrade Online Systems
By Sam Dillon And Stephen Labaton
- A U.S. order aimed at facilitating court-ordered monitoring of Internet activity could cost billions, opponents say.
From ACM's TechNews, October 21, 2005
"Sue Companies, Not Coders"
Wired News (10/20/05); Schneier, Bruce
- While some have called for holding individual programmers accountable for security vulnerabilities in the code they write, a more sensible approach would place the responsibility on their employers, writes Counterpane Internet Security CTO Bruce Schneier. The reason for this is incentive, the same engine that drives all economic activity. If businesses see a financial disincentive for taking the time to ensure that their programs are of the highest quality, they are unlikely to do so. The preponderance of poor software speaks to the decision they have made, namely, that it is more profitable to suffer an occasional spate of bad publicity and short-term loss of sales than it is to invest in the extra programmers and extend the time-to-market to ensure consistently secure software. For consumers, proprietary formats, compatibility issues, and software monopolies make it difficult to exercise a conscious preference for secure software, thereby perpetuating the cycle of insecure products of poor quality foisted on them. Opening up software manufacturers to liability for insecure products would quickly reverse that trend, as they would have to shoulder the entire cost of a poor design, which clearly would be to their economic disadvantage. While some of the higher production costs of more secure software would inevitably be passed on to the consumer, they would be no higher than the costs associated with using software rife with vulnerabilities.
"Mother Nature's Storms Postpone DHS' Cyber Storm"
Washington Technology (10/19/05); Dizard III, Wilson P.
- Originally scheduled for November 2005, the Homeland Security Department's (DHS) virtual cyberattack on the United States exercise, known as Cyber Storm, will occur in February 2006 due to resource demands and infrastructure damage related to recent hurricanes in the Gulf Coast region, according to DHS' Michelle Petrovich. The delay of Cyber Storm was requested by the electric utility industry in order to provide them with more time to repair their infrastructure networks, said University of Southern California computer scientist Terry Benzel, whose DETER Internet test bed project is part of Cyber Storm. The inter-agency exercise will test the response to a combined attack involving an Internet-based assault on both the financial sector and the power grid as well as physical attacks.
From ACM's TechNews, October 17, 2005
"At Microsoft, Interlopers Sound off on Security"
New York Times (10/17/05) P. C1; Markoff, John
- Microsoft recently held its second Blue Hat conference, where a small group of independent security researchers is invited to the company's Redmond, Wash., headquarters to share details of their work exposing vulnerabilities in Microsoft's programs. The conference, held last week, comes after a year of intense focus on security that has signaled a clear shift in Microsoft's priorities. The hackers in attendance identified the way Windows operating systems handle peripherals, and the forthcoming Xbox 360, as specific targets for hackers. The Blue Hat gathering marks an about-face in the way Microsoft views the hacker community. The Blaster and Slammer worms fundamentally altered Microsoft's position toward security, as they began to compromise the company's stature in the eyes of customers. The white hat hacker community has taken notice of Microsoft's efforts to improve security, and has been largely receptive to the software giant's overtures, though many warn that security could be just entering a new era with the growing use of mobile devices. The widespread, scattershot attacks such as Blaster will also likely become a thing of the past, as profit is now the motive for more precise, targeted attacks, rather than Web-wide assaults designed solely to create chaos. Microsoft has been using a technique known as fuzzing in the development of its software, where tens of thousands of input combinations are tested automatically in the search for flaws. According to company officials, Microsoft has significantly reduced the number of security bulletins it has issued in the last few years.
"US Still World's Top Spammer"
IDG News Service (10/13/05); McMillan, Robert
- In a recent report, security vendor Sophos determined that about 26 percent of worldwide spam originated within the United States, which is down from 42 percent in 2004. The reason for the drop, according to Sophos senior technology consultant Graham Cluley, is more effective prevention methods by ISPs and the work of antispam task forces. Meanwhile, spammers are focusing on the growing broadband connections in South Korea and China with the amount of spam originating in South Korea up 8 percent from 2004 to 2005 and the amount in China up 7 percent, according to Cluley, who points to the total amount of spam remaining the same between the two years. Spamhaus Project volunteer John Reid asserts that one way to significantly decrease spam is for ISPs to prohibit almost all of their users from establishing servers running the Internet standard port 25. Reid believes the policy would not affect the vast majority of non-spammers and points to previous attempts in Canada proving the method successful.
From ACM's TechNews, October 14, 2005
"Developers 'Should Be Accountable' for Security Holes"
ZDNet UK (10/12/05); Espiner, Tom
- Former White House cybersecurity advisor Howard Schmidt and the British Computing Society disagreed at Secure London 2005 on who should be accountable for the security of code. Schmidt said software developers should be held accountable for the code they write, while the BCS said companies should be responsible rather than their developers. "I know a lot of developers who would be very uncomfortable with that level of accountability, especially if that were legal accountability," says a spokesperson for the BCS. The spokesperson also noted that code is not static and it can be altered after it has been purchased, security attacks often occur because the latest patch or system has not been installed, and buyers need to make sure their vendor uses their own security product. Schmidt, currently president and chief executive of R&H Security Consulting, believes many software developers lack skills in writing secure code and need better training. "Most university courses traditionally focused on usability, scalability, and manageability, not security," he said. He also cited a Microsoft survey that said 64 percent of software developers lacked confidence in their ability to write secure applications.
From ACM's TechNews, October 7, 2005
"Nematodes: The Making of 'Beneficial' Network Worms"
eWeek (10/05/05); Naraine, Ryan
- At the recent Hack In the Box event in Malaysia, security researcher Dave Aitel showed off a demo of a "Nematode" framework for creating a benign computer worm that he believes organizations will employ to reduce the costs of network security. "With this [Nematode] concept, you can take advantage of automating technologies to get protection for pennies on the dollar," he said. Aitel said the nematodes, or nonmalicious worms, can be automatically generated from available vulnerability data, and he envisions a time when ISPs, large companies, and government organizations deploy "strictly controlled" nematodes to make security more cost-efficient. Aitel's concept involves the use of servers, or "Nematokens," that only respond to requests from networks cleared for assaults, and the Nematode Intermediate Language (NIL), a programming language for creating the worms. Exploits can be rapidly and simply converted into nematodes through use of the NIL. Prior to his current stint at the Immunity security firm, Aitel worked as a computer scientist at the National Security Agency and then as a code-breaker for @Stake. The commercial technology that enables networks to protect themselves automatically with automated technologies will be available within five years, Aitel reckons.
"The Sky Really Is Falling"
CIO (10/01/05) Vol. 19, No. 1, P. 80; Worthen, Ben
- Co-chairman of the President's Information Technology Advisory Committee (PITAC) Ed Lazowska says inaction is the order of the day among government, CIOs, and vendors as far as cybersecurity is concerned. He accuses the Bush administration of undervaluing science, engineering, education, and research, which means that CIOs will be prevented from purchasing desperately needed cybersecurity products unless they pressure the government as well as pay for cutting-edge products as a demonstration of their commitment to cybersecurity. Lazowska says an attack on the nation's IT infrastructure could have serious ramifications for its critical infrastructure, while the military's dependence on commercial vendors for most of its hardware and software makes it highly vulnerable to cyberattacks as well. He cites a PITAC study that singles out three federal agencies as particularly deplorable in terms of cybersecurity funding: The Homeland Security Department, which currently commits a mere $18 million of its approximately $1 billion annual science and technology budget to cybersecurity; the Defense Advanced Research Projects Agency, whose investment in mainly classified cybersecurity programs shuts the door to premier academic researchers and yields products of little immediate value to commercial IT systems; and the National Science Foundation, which could only fund a small portion of its Cyber Trust program. Lazowska says current cybersecurity efforts are all about "Band-Aid" solutions, when what should be developed are new system architectures with long-term applications, static and dynamic vulnerability detection tools, programming languages with basic security functionality, and methods for building trusted software systems from diverse elements.
From EduPage, October 5, 2005
Research Project Will Track Network Attacks
Chronicle of Higher Education, 4 October 2005 (sub. req'd)
- A research project will collect regular snapshots of computer networks from as many as 10 colleges and universities in an effort to improve protections from and responses to Internet attacks. The Information Security in Academic Institutions project, an initiative of the Columbia University Teachers College, uses monitoring technology called DShield and has already been tested at three institutions. The other institutions in the project have yet to be named, and the system may eventually be widely available. The system will give network administrators data about the state of networks, allowing them to gain a better understanding of Internet attacks by comparing data from before, during, and after an attack. Steffani A. Burd, executive director of the project, described it as "a 360-degree view of what's going on." The system will also pool data collected from participating institutions and make it available anonymously on the Web. This aggregation of data will allow a comparison between activity on the Internet generally and what's happening at campuses.
http://chronicle.com/daily/2005/10/2005100401t.htm
California Passes Anti-Phishing Law
InformationWeek, 3 October 2005
- A tough new anti-phishing law makes California the first state to pass legislation targeting that particular brand of online scam. The Anti-Phishing Act of 2005 makes it a crime to use "the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business." Identifying information includes Social Security numbers, credit card numbers, passwords, PINs, and other information that can be used to steal from individuals. Those found guilty of phishing are subject to fines of $2,500 per violation, as well as damages to victims of either actual losses or $500,000, whichever is greater.
http://informationweek.com/story/showArticle.jhtml?articleID=171202672
FTC Sues For Alleged Spyware
MSNBC, 5 October 2005
- The Federal Trade Commission (FTC) has sued Odysseus Marketing, accusing the company of engaging in distributing spyware. Odysseus distributed an application called Kazanon, which supposedly allowed users to trade files anonymously, without fear of being identified by record companies. According to the FTC, users who downloaded the application also got a range of adware programs that fed advertisements to those users' computers and added items to the search results pages of popular search engines, including Google and Yahoo. The added items, which were indistinguishable from those supplied by the search engine, directed users to companies that paid Odysseus for the placement. Further, the software did not offer users a simple option to uninstall it. Walter Rines, owner of Odysseus, disputed all of the FTC's claims. He noted that the user agreement informs consumers of what will be installed when they download the Kazanon program. He also said an uninstall tool is available and that his company's software did not remove any search results but merely added to the list. Rines also said the lawsuit was "moot" because his company stopped distributing adware several weeks ago.
http://msnbc.msn.com/id/9598897/
From ACM's TechNews, October 5, 2005
"Text Hackers Could Jam Cellphones, a Study Says"
New York Times (10/05/05) P. C1; Schwartz, John
- Metropolitan cell phone networks could be crippled by hackers who launch denial-of-service attacks against the phones' Internet-accessible text-messaging services, according to a study from Pennsylvania State University researchers. The study's lead researcher, computer science and engineering professor Patrick McDaniel, says hackers could hinder voice calls by clogging the control channel for cell phone calls with text messages. McDaniel and colleagues say they validated the feasibility of this scenario by demonstrating it on a small scale with their own cell phones, and their findings were corroborated by government regulators and phone company engineers. Cellular companies insist they have established deterrents to address the threat, though experts such as Cigital CTO Gary McGraw believe the solutions will likely be inelegant. The Penn State researchers' report cites the impracticality of severing the link between the phones' short messaging services and the Internet gateways, but suggests security could be added by restricting the message traffic that is fed into the network. Fencing in voice and data in next-generation cell phones to prevent traffic jams from blocking voice calls is another recommendation of the paper, which will be posted online and presented at the 12th ACM Conference on Computer and Communications Security (CCS'05) in November. Aviel D. Rubin, technical director of Johns Hopkins University's Information Security Institute, says, "Anytime a vulnerability in the physical world exists that can be exploited via computer programs running on the Internet, we have a recipe for disaster."
"Fortifying DOD's Network Defenses"
Federal Computer Week (09/26/05) Vol. 19, No. 33, P. 60; Tiboni, Frank
- As attacks on Defense Department (DOD) computer networks increase, Purdue University computer science professor Eugene Spafford calls for the creation of a new generation of computer systems and security tools. However, such a project will require long-term research. Meanwhile, Spafford recommends six steps to better protect DOD computer networks: Basing security purchases on effectiveness rather than cost; severely limiting access to computer systems; removing all unnecessary systems; narrowing the number of users that can add hardware and software to the networks; requiring training and supervision of all network users; and implementing network-monitoring practices. Spafford laments that the government is not currently funding long-term cybersecurity research that is key to designing a new and highly effective network security system for federal agencies. Most security used to protect federal agency networks is designed for commercial use and not to protect highly sensitive data. SANS Institute research director Alan Paller says network security is not about implementing the latest security methods but more about preventing attacks up to 18 months in advance. An anonymous Defense Information Systems Agency official reports a change in DOD security that involves moving to a service-oriented architecture to facilitate data sharing among agencies as well as more effective IT services. Also, the new structure makes the Joint Task Force-Global Network Operations in charge of defending, operating, and maintaining the DOD's information infrastructure, according to the official who says, "We have many challenges in synchronizing the many IT efforts and security for [networks] across [the DOD's] vast infrastructure."
"Are Attackers Winning the Arms Race?"
InfoWorld (09/26/05) Vol. 27, No. 39, P. 22; Grimes, Roger
- The severity and speed of malware attacks, as well as the skill of those who orchestrate them, are increasing as hacking becomes more professional and profit-oriented. Forty-nine percent of 474 individuals surveyed in this year's InfoWorld Security Research Report said increasingly sophisticated cyberattacks represented the most serious security challenge their companies will face in the next 12 months, while 57 percent listed viruses as the top network security threat. Respondents noted that each had thwarted an average of 368 intrusions in the preceding 12 months, but an average of 44 percent of those attacks were successful. Malware's formerly stagnant nature is shifting toward a "mothership approach" in which a malicious program, once it has infected a computer, links to outside servers and downloads new instructions or programs. Hackers are designing worms to configure into bot networks that hijack thousands of PCs, which are "rented out" to criminal businesses or organizations. A lot of present-day malware exploits patched and unpatched vulnerabilities in Internet browsers, while the interval between the announcement of a vulnerability and the emergence of an exploit is shrinking. The InfoWorld poll found that anti-spyware software and appliances will experience the biggest purchasing increases in the next year. Strong adoption continues for intrusion detection and intrusion prevention systems, and a greater number of administrators are enabling those products' blocking functionality.
From ACM's TechNews, October 3, 2005
"Microrobots Show Promise in IT, Security"
Dartmouth Online (NH) (09/28/05); Beale, Matt
- Dartmouth researchers have developed the smallest mobile, untethered robot in the world after seven years of effort. The microrobot is a mere one-tenth the thickness of a single human hair, and can crawl like an inchworm and be steered without being connected to a power source. The device walks on a grid of electrodes that serve as both power supply and control mechanism, and it lacks wheels or joints because they are unworkable at such a tiny scale. The research team was awarded a grant by the Department of Homeland Security's Office of Domestic Preparedness to develop the microrobot for possible security applications such as identity verification and information protection. Dartmouth computer science graduate Igor Paprotny envisions a group of people who each carry a vial of microrobots as a means of identification. "They each spread some on a substrate and enter a PIN or something," he explains. "If we're all who we say we are, the microrobots assemble into a key, or message that, say, gives you the code to activate a nuclear weapon." The microrobot was created through cooperation between Dartmouth's computer science and engineering departments.
"The Global State of Information Security 2005"
CIO (09/15/05) Vol. 18, No. 23, P. 60; Berinato, Scott; Ware, Lorraine Cosgrove
- Even as preventative security measures grow more sophisticated, the security industry remains loosely coordinated and decentralized, and struggles continually to keep up with the steady proliferation of threats. A recent study found that many security administrators are indifferent to government compliance regulations, and are often lax about risk management, as only 37 percent responded that they had in place an active security strategy. Much of the problem with cybersecurity is that the daily occurrence of multiple threats has administrators constantly scrambling to put out fires, leaving them with little time to formulate long-term strategies. Though information security remains overwhelmingly reactive, organizations are beginning to pay it more attention, as witnessed by the growing number of executive positions created to deal expressly with security. The results are tangible, as the higher up in the organization the security executive position is, the better the organization's security rating. Having high level security executives in place also tends to align security more closely with the direction of the business. Still, companies with high-level security positions are outnumbered by those that have yet to elevate the role. Larger companies have very recently stepped up their monitoring of employees to rein in risky activities, such as instant messaging. There is also a widespread disregard for the Department of Homeland Security as a leader in cybersecurity. In dealing with government regulations, there is a pervasive ignorance about their scope and intention, as an alarmingly high number of respondents reported either that regulations do not apply to them, or that they are knowingly non-compliant. Though the number of incidents reported held steady, many of those surveyed were unsure of the extent of the damage. Similar uncertainty was reported when respondents were asked about the budgetary allotment reserved for security, and 16 percent were unsure if their security budgets would increase or decrease in the future.
From ACM's TechNews, September 26, 2005
"Basic Training for Anti-Hackers"
Chronicle of Higher Education (09/23/05) Vol. 52, No. 5, P. A41; Carnevale, Dan
- The threat of terrorists penetrating computer networks and wreaking havoc prompted the creation of the Cyber Security Boot Camp, an intense 10-week summer program hosted by the U.S. Air Force and Syracuse University in which participating college students study and practice hacking so that they may learn how to defend against cyberattacks. Air Force Research Laboratory computer engineer Kamal Jabbour says the goal of the program goes far beyond making these cyber-defenders technically proficient: He wants them to become sensitive to the urgency of the threat in order to be decisive in action. Participants take cybersecurity courses that cover cryptography, steganography, network security, wireless security, and digital forensics. Students are required to analyze a security problem and present a solution in a detailed report each week, all the while conforming to a strict writing style. Participants also serve as interns with local companies and organizations in order to be exposed to real-world cybersecurity applications. The boot camp's high-pressure course load is complemented by adherence to stringent rules concerning housing, appearance, and physical fitness, which are laid out in a military regimen. The program climaxes with a hacking contest in which student teams penetrate their opponents' computers to capture virtual flags. Each team is divided into two groups--one dedicated to attacking rivals' systems and the other committed to defending their own system.
From EduPage, September 23, 2005
Congressmen To Ask For Review Of Higher Ed Antipiracy Efforts
Chronicle of Higher Education, 23 September 2005 (sub. req'd)
- At a U.S. House of Representatives subcommittee meeting this week, lawmakers, campus officials, and representatives of the movie industry and of a provider of legal download services discussed efforts by U.S. colleges and universities to curtail copyright violations on their networks. Reps. Lamar Smith (R-Tex.) and Howard Berman (D-Calif.) said they will ask the Government Accountability Office to issue a formal report on what effects those efforts have had on student file-trading habits. According to Smith, "We will ask for the report so we can increase the scrutiny and increase the public attention to piracy." Also at the hearing, Norbert Dunkel, director of housing at the University of Florida, described his institution's use of an application called Icarus, which automatically restricts usage of the network for students who connect to P2P services. Dunkel said the tool, which the university developed, has led to a 95 percent reduction in outgoing traffic from the university's network and virtually eliminated notices of copyright infringement. Smith applauded the application, but Daniel Updegrove, vice president for information technology at the University of Texas at Austin, expressed concerns that such a blanket approach to the problem could limit the academic freedom and privacy of students.
http://chronicle.com/daily/2005/09/2005092301t.htm
From ACM's TechNews, September 30, 2005
"Brazilians Blazing Trails With Internet Technology"
Knight-Ridder Wire Services (09/26/05); Chang, Jack
- Despite crippling levels of poverty and violence, Brazil is home to some of the world's most innovative technology, and plays host to some of the most sophisticated hackers. Brazil often finds itself the locus of international debates over intellectual property rights and private media controls, and though it does not have in place the infrastructure that other developing nations do, Brazil has made significant advances in open access technology that place it at the forefront of the Third World. Brazil received a major economic boost when Google acquired the native firm Akwan Information Technologies and established an office in São Paulo. There is still a wide gulf between rich and poor in Brazil, and while its 22 million-plus residents with Internet access rank it in the top 10 worldwide, that number still only represents 12 percent of the population. Piracy is also a major issue, as roughly 60 percent of the software and 70 percent of the hardware in use in Brazil infringes on copyright laws; Brazil is also a notorious haven for cyber criminals, as it is estimated that approximately 80 percent of the world's hackers are based in Brazil. The country's emerging IT industry has reached the $10 billion mark in annual sales. The spirit of unfettered access has led to the widespread implementation of the Linux platform in government and private industry, along with a host of other open-source applications. Throughout Brazil, open access movements are seeking to provide free Internet capability to computer users, and its vibrant open-source community draws on innovation from all over the country to maintain Web sites, provide tech support, and develop new technologies.
"Anti-Spyware Gets HIP"
IT Architect (09/05) Vol. 20, No. 9, P. 61; Conry-Murray, Andrew
- Anti-spyware software is expected to transition from threat-specific technologies to Host-based Intrusion Prevention Systems (HIPS) as vendors deploy proactive solutions that block new and unknown spyware programs from PCs. Such solutions are likely to be increasingly compelling for security architects as the development of spyware continues without respite and end users continue to install spyware-laden programs despite repeated warnings. Most anti-spyware programs use signatures and are only effective against programs that are already defined in the threat database, while the increasing difficulty of removing spyware once installed makes proactive prevention all the more urgent. Some vendors offer behavior-based spyware detection technologies that can thwart the installation of spyware on enterprise desktops without the use of signatures, although such solutions carry with them the risk of false positives. "The market is warming up to the notion that existing signature-based solutions aren't providing adequate malware prevention," says Finjan's Nick Sears. "Customers are looking to alternative solutions." Other anti-spyware options deliver protection at the network gateway by scanning incoming Web traffic for spyware and adware, preventing spyware on a PC from linking to a remote server on the Internet, and stopping end users from surfing to established sites for spyware or adware. However, none of the gateway products can protect mobile users outside the corporate environment.
"Destructive Power of Mobile Viruses Could Rise Fast, Experts Say"
IDG News Service (09/28/05); Nystedt, Dan
- As the interconnectedness central to the dream of the digital home rapidly becomes a reality, a host of security and privacy concerns arises. The same Web cams that alert users to suspicious activity within their homes can also be used by hackers seeking to break in to determine if anyone is home. Internet connectivity is being incorporated into a growing number of devices that have not yet evolved to carry the same level of security as PCs and desktops. As attacks on traditional hardware become more sparse, the added functionality in mobile phones makes them a more popular target. The number of reported malware threats menacing mobile devices has grown to 87, up from fewer than 10 at the beginning of last year. Symbian is the most popular operating system for mobile phones in the world, and its series 60 was the target of 82 of the reported viruses, though analysts are quick to point out that that proportion speaks more to the system's popularity than its vulnerability. Faster download speeds elevate the risk of a virus infecting and spreading throughout a mobile phone. It is projected that the threat against mobile devices will increase as more hackers recognize the potential vulnerabilities and turn their attention away from traditional attacks.
From ACM's TechNews, September 28, 2005
"Lawmaker Doesn't Rule Out Cybersecurity Regulation"
IDG News Service (09/27/05); Gross, Grant
- The U.S. government and the private sector have not given cybersecurity adequate emphasis, said Rep. Dan Lungren (R-Calif.), speaking at a Sept. 26 cybersecurity policy forum hosted by Nortel Networks. Although his preference is for companies to voluntarily patch vulnerabilities, Lungren, chairman of the House Economic Security, Infrastructure Protection, and Cybersecurity Subcommittee, did not dismiss the possibility of the government imposing cybersecurity regulations, which he fears would "stifle the kind of innovation that's available to the private sector to come up with their own fixes." Lungren also said the government must gain a better comprehension of cybersecurity risk, especially as it pertains to Internet-powered supervisory control and data acquisition (SCADA) systems responsible for much of the country's critical infrastructure. He urged the government to make a stronger effort to anticipate cyberattacks, particularly those that threaten to cause the worst damage, and channel its resources into preventing such incidents. Nortel CEO Bill Owens noted at the same forum that the likelihood of cyberattacks will rise as increasing numbers of devices transmit information via Internet Protocol. Acting director of the Homeland Security Department's National Cybersecurity Division Andy Purdy claimed his agency is attempting to raise the profile of the cybersecurity issue, citing the creation of a new assistant secretary for cybersecurity as a step in the right direction. But he agreed with Lungren that private companies bear a significant measure of responsibility in the assurance of Internet safety.
"New Security Proposed for Do-it-All Phones"
CNet (09/27/05); Evers, Joris
- The increasing consolidation of functions into mobile phones has placed a premium on safeguarding their security. The Trusted Computing Group (TCG) has developed a hardware-based standard for securing mobile phones that has been backed by industry heavyweights such as Nokia, Motorola, Intel, and Samsung. Addressing security on the hardware level will give users greater confidence in their phones, and the TCG standard would protect data and offer copyright protection for exclusive content. The TCG's plans would support similar features to those offered by the Trusted Platform Module, the chip geared for PCs and servers that enables authentication, secure storage, and protected email. The proposal also contains operational restrictions that would prohibit users from running certain applications on their devices. Mobile phones will become an increasingly tempting target for hackers as their functionality expands, particularly as they start to include credit card payment information, which the TCG standard is expected to address in a future iteration. Meanwhile, the incorporation of digital rights management into a mobile phone security platform has raised the ire of user-rights advocates, who claim that it is an unnecessary restriction of a user's freedom. Despite broad support from major cell phone companies, the fractured nature of the industry makes it unlikely that the new security features will see widespread adoption before 2008.
From ACM's TechNews, September 23, 2005
"Name That Worm--Plan Looks to Cut Through Chaos"
CNet (09/22/05); Evers, Joris
- Last month, a worm with various names wreaked havoc on Windows 2000 operating systems, abetted by the chaotic and fractured attempts to identify it. To address that issue, the CME naming system has emerged, which tags a given piece of malware with a unique identifier. The United States Computer Emergency Readiness Team (US-CERT) says its product will provide a common identifier to help users identify which threat is attacking their system, and notify them whether or not they are protected. CME promises to fulfill the longstanding goal of the security industry to agree on a unified system to name viruses and worms; industry participation in CME is voluntary, and will be a key factor in the initiative's success. When multiple security companies create different names for the same outbreak, there is often widespread confusion as to whether there is one threat or multiple related threats. Organizations that use multiple security products from different vendors are often confounded by multiple alerts for the same virus or worm under different names. At first, CME will only issue numbers to major threats, though US-CERT plans eventually to cover all attacks. Regardless of the names security vendors produce, CME will assign an attack a random number within hours of its discovery, and tag it with its associated characteristics; security companies are then urged to include the CME tag with whatever semantic description they produce, so as to create a commonality that helps users understand the actual scope of the threat.
"The Next 50 Years of Computer Security: An Interview With Alan Cox"
O'Reilly Network (09/12/05); Dumbill, Edd
- EuroOSCON keynote speaker and Linux kernel developer Alan Cox describes computer security as "basic" and "reactive," but starting to show signs of improvement. He says the interim between the discovery of bugs and the launch of exploits has shrunk, and exploits will improve in tandem with software tools; because Linux offers greater security than many competitors, it is less vulnerable to exploits, but Cox says no system--Linux included--provides enough protection. Promising developments Cox points to include a significant uptake in code verification and analysis tools, which helps prevent the introduction of errors within production, and a movement toward in-depth defense through the use of SELinux, no-execute flags in processors and software emulation, and randomization of where objects are located in memory. He notes that SELinux can also be employed to make users more security-conscious by turning behavioral advisories into policy. Cox believes the incorporation of security into software development tools can be done without hindering developers' productivity because many improvements automate tedious chores. Cox says the cost of cleaning up the mess caused by system breaches is the current driver of secure software implementation, while the bad publicity this entails as well as statutory duties with data protection are further incentives. He reasons that lawsuits from the government or users harmed by poorly run systems might also encourage security deployments. "In theory as we get better at security the expected standard rises and those who fail to keep up would become more and more exposed to negligence claims," Cox says.
From ACM's Tech News, September 19, 2005
"Now, Every Keystroke Can Betray You"
Los Angeles Times (09/18/05) P. A1; Menn, Joseph
- Cybercriminals have begun to prey on online banking customers, using sophisticated software to record individual keystrokes and obtain passwords and PIN numbers. From June to July, the number of reported phishing attacks dropped, while the number of programs designed to steal passwords, known as crimeware, more than doubled. Though many consumers report that fears of cybercrime will lead them to modify their shopping habits, many banks encourage the use of online transactions because they entail far less cost than a visit to a branch. Crimeware can be installed inadvertently by opening an attachment or an advertising link, after which it can record all keystrokes or only those made at selected financial sites; the information is then relayed back to the hackers, who thus far have largely been using it to access accounts one at a time, though efforts at automating the process have recently emerged. One particularly malicious program, known as Grams, cuts out the step of relaying the information to the hacker and automatically cleans out the account once the information is recorded. In response, the FDIC has implored banks to investigate new security measures, though they respond with the fear that too much security could become a nuisance and cost them customers. As security measures become more sophisticated, criminals are keeping pace: efforts to select passwords with a mouse instead of using keystrokes have been met with programs that can take a picture of the computer screen to intercept the mouse clicks; some banks have even taken to calling customers when irregular activity is observed on their accounts. Liability remains a pressing issue, as the FDIC and many banks disagree on the extent to which consumers are covered in the event that their data are compromised.
"False Protection"
Software Development (09/05) Vol. 13, No. 9, P. 34; O'Connell, Laurie
- The software designed to bolster enterprise systems against malware and other cyberthreats has itself become a ripe target for hackers, and analysts such as Cigital CTO and author Gary McGraw say security software providers' failure to be software security practitioners is chiefly to blame. "Vendors have to engineer security into the development application lifecycle, get developers to have core responsibility, and give them the tools to do it," says Yankee Group analyst Andrew Jaquith. He suggests that security software developers perform design reviews early and regularly; run nightly regression tests and frequent code base reviews; maintain focus on privilege levels and authorization management; study component authentication; unearth buffer overflows; and conduct checkpoint reviews with security-savvy personnel. Jaquith also recommends that developers test for functions the application is not supposed to carry out. Furthermore, he advises developers to base their choice of vendor or software security system on hard evidence of best practices and an exhaustive technique for spotting and fixing problems encountered by staff, clients, or third parties. Another way to boost security is to fortify the patching infrastructure and analyze security products' auto-update components. An organization's general security can also be shored up by deploying a diverse assortment of anti-virus products from multiple vendors, as well as multisourced solutions from varying code bases.
From ACM's Tech News, September 16, 2005
"Hacking's a Snap in Legoland"
CNet (09/15/05); Terdiman, Daniel
- Lego executives responded with surprising enthusiasm when adult Lego aficionados hacked and modified one of its development tools for digital designers. Lego's Ronny Scherer says the company welcomes and encourages modifications that show them how to adapt their software to users' needs. The software in question is a free 3D modeling program that fans can download and use to design their own customized Lego models out of digital collections, or palettes, of bricks; Lego then manufactures the bricks and sends them to users. Members of the adult Lego modeling community complained that the design and purchase of these customized models was too expensive because the available palettes usually contained far more bricks than were needed to build the models, and also failed to include important components. Each palette is composed of several bags of bricks, and software engineer Dan Malec and other Lego enthusiasts believed they could purchase fewer bricks and reduce their overall costs by lowering the number of bricks in a palette. They compiled a database listing what bags must be bought in order to collect specific bricks, and then tweaked the digital files listing the palettes users would see in the modeling program so they would be listed by bag rather than by palette. Analyst Anita Frazier reasons that Lego welcomed this hack because "it doesn't ultimately hurt the intellectual property, and [the users] aren't modifying the trademark or the core property at all."
"A Human Connection to Intrusion Detection"
SearchSecurity.com (09/14/05); McKay, Niall
- Researchers at the University of Nottingham want to use the human body's immune system as a model for protecting computer systems. Computer science professor Uwe Aickelin and his colleagues are collaborating with immunologists at the University of the West of England in Bristol to build a computer intrusion detection system that has an artificial immune system. "The University of the West of England is carrying out 'wet' experiments to look at various aspects of cell behavior and passing on their findings to us," explains Jamie Twycross, research associate with the Automated Scheduling Optimization and Planning Lab at the University of Nottingham. "We use the results to try and build a computational model." The immunologists are employing the controversial "danger theory," which holds that the human immune system is a complex system that assesses the origin, seriousness, and frequency of danger signals. Twycross is working to recreate, for an artificial immune system, the process in which garbage-collecting dendritic cells that roam the body transform into fighter cells to battle an infection. Similarly, the software would be able to assess threats to computer systems by gathering information from a number of sources.
"Fleet-Footed Worm Blocker"
Computerworld (09/12/05) P. 36; Anthes, Gary
- Microsoft Research is developing software designed to defend networks from fast-replicating computer worms. Vigilante can spot even unknown worms in network traffic, erect "filters" against them, and notify other machines on the network so quickly that the worms can be impeded before humans are even conscious of them, according to research software design engineer Manuel Costa. He says the two biggest hurdles his research team had to overcome were to develop algorithms that could identify previously unseen worms, and to generate no false positives that would result in the blockage of legitimate traffic. Costa says further research is required for Vigilante to fully meet the first challenge, but the false positive challenge has been effectively tackled. Once computers running the software detect an attack, they produce "self-certifying alerts" and distribute them to other machines, which can confirm the alerts before taking defensive action. Costa says the computationally intensive algorithms responsible for spotting worms and issuing alerts would usually run on several nonproduction "honeypot" servers, while the protection mechanisms that reply to the alerts would operate on every network-connected machine. BT Group scientist Robert Ghanea-Hercock sees Vigilante as a potentially useful safeguard in large enterprise or government networks, but cautions that the software "is less valuable in the open network or broadband sector due to the lack of cooperation between the security vendors."
From EduPage, September 14, 2005
Sound Of Keyboard Clicks Reveals What Is Typed
ZDNet, 14 September 2005
- Researchers at the University of California at Berkeley have demonstrated that an audio recording of someone typing on a computer keyboard can reveal with surprising accuracy exactly what they have typed. Using commercially available recording equipment, the researchers captured audio of typing and analyzed the sounds using an algorithm they developed. Because keys make different sounds, the system is able to make educated guesses about what key was pressed in what order. The application then applies some linguistic logic, including spelling and grammar checks, to refine the results. After three rounds of revisions, the application was able to identify 96 percent of the individual characters typed and 88 percent of the words. The application was effective even with background noise, such as music or cell phones ringing. Doug Tygar, UC Berkeley professor of computer science and information management and a principal investigator of the study, said the project should raise concerns about the security risks of such a technology. "If we were able to figure this out," he said, "it's likely that people with less honorable intentions can--or have--as well."
http://news.zdnet.com/2100-1009_22-5865318.html
From EduPage, September 12, 2005
"Google Hacking"
Network World (09/05/05) Vol. 22, No. 35, P. 1; McMillan, Robert
- The practice of Google hacking--the penetration of computer networks through Google search queries--owes its start to Computer Sciences researcher and author Johnny Long, who created the Google Hacking Database initially as a joke. The database now serves as a repository for about 1,500 queries, while the Google hacking community is composed of approximately 60,000 members. The search engine is used not only to unearth credit card numbers, passwords, and unguarded Web interfaces to Web sites, routers, and other things, but also to perform hacker reconnaissance. "Nowadays, pretty much any hacking incident most likely begins with Google," says F-Secure chief research officer Mikko Hypponen. One method is for a hacker to await a security bulletin and then employ Google to find Web sites that use the vulnerable software. Google's database can also be employed to map out computer networks and thwart network administrators' attempts to hinder eavesdroppers. Long reasons that Google's greater involvement in the security community could present new business opportunities. Google could, for instance, create a Google Security Alerts system that notifies customers when their Web sites harbor bugs discovered by Long and other Google hackers.
From EduPage, September 7, 2005
UT Hacker Gets Fine, Probation
Houston Chronicle, 7 September 2005
- A former student at the University of Texas at Austin has been sentenced for hacking into the university computer system, a charge on which a federal jury convicted him in June. Christopher Andrew Phillips has been ordered to pay $170,000 in restitution for his crimes and to serve five years of probation. Phillips was found guilty of damaging the university's computers and of illegally possessing close to 40,000 Social Security numbers. The jury acquitted him of intending to profit from the personal information he obtained. In addition to the fine and probation, Phillips is forbidden from using the Internet for five years except for school or for work and only under the supervision of his parole officer. In a statement, U.S. Attorney Johnny Sutton said, "[Phillips] found out the hard way that breaking into someone else's computer is not a joke."
http://www.chron.com/cs/CDA/ssistory.mpl/metropolitan/3342919
From ACM's TechNews, September 7, 2005
"Bug Hunters, Software Firms in Uneasy Alliance"
CNet (09/06/05); Reardon, Marguerite
- The "responsible disclosure" of security flaws can be a contentious issue between software firms and security researchers. Researchers who do not comply with Microsoft's disclosure guidelines and publicly expose a bug in detail before it is fixed can get into trouble, but independent security researcher Tom Ferris argues that Microsoft takes so long to release patches that full disclosure is warranted; critics also say full disclosure puts pressure on software makers to improve the security of their products faster. IDefense Labs director Michael Sutton says relationships between security researchers and software makers have generally improved over the last several years, and Microsoft, for one, is attempting to get into hackers' good graces through "Blue Hat" conferences and other outreach efforts. Cisco and Oracle, on the other hand, have earned researchers' enmity by failing to expeditiously fix bugs after researchers report them, as well as not updating researchers on their progress, in keeping with responsible disclosure guidelines. Director of Germany's Red Database Security Alexander Kornbrust publicly revealed a half-dozen security vulnerabilities in Oracle software when the software maker failed to issue fixes some two years after he first reported them, and he says Oracle only gave him feedback immediately after he alerted the company to the bugs' existence. Former White House cybersecurity adviser Howard Schmidt says responsible disclosure of software bugs is critical, given America's reliance on IT systems. He suggests that technology companies' lack of responsiveness to security researchers' warnings could be addressed through an intermediate government agency, namely the U.S. Computer Emergency Readiness Team.
From EduPage, September 2, 2005
Colleges Dealing With Computer Security Concerns
Christian Science Monitor, 1 September 2005
- As the number of computers on college campuses rises, and as IT becomes increasingly rooted in campus activities, higher education officials find themselves facing expanding numbers and kinds of threats to computer security. According to the Privacy Rights Clearinghouse (PRC), 50 million people have been involved in data breaches over the past seven months, including more than 30 incidents on U.S. college and university campuses. Complicating the challenge to IT security staff is the historically open nature of academic settings, a characteristic often at odds with strong computer security. Another factor making life difficult for IT staff is the computers that students bring to campus with them, often with inadequate or poorly configured security features. Jack Suess, vice president of information technology at the University of Maryland Baltimore County, however, noted that of the 11,000 to 12,000 computers on his campus this year, "there's probably only 200 or 250 I'm really worried about."
http://www.csmonitor.com/2005/0901/p12s02-legn.html
From ACM's TechNews, September 2, 2005
"The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)"
Time (09/05/05) Vol. 166, No. 10, P. 34; Thornburgh, Nathan; Forney, Matthew; Bennett, Brian
- The revelation that a ring of Chinese hackers, collectively known as Titan Rain, has been launching coordinated attacks on sensitive and seemingly secure U.S. networks to steal data for some time has unsettling implications for U.S. security. The Department of Defense issued a warning that Titan Rain could not only be a coalition of data thieves but also a patrol point for more critical attacks that could hijack or cripple certain U.S. military networks. Such threats are compounded by the fact that federal investigators must jump through bureaucratic hoops to gain authorization to track down and neutralize foreign cyberspies, while concerns of potential international incidents as a result of such probes only add to the delicacy investigators must practice. There is also a lack of experienced investigators, prompting the intelligence community to encourage or at least unofficially sanction freelancers, such as former Sandia National Laboratories computer network security analyst Shawn Carpenter, who traced the Titan Rain intrusions to a trio of Chinese routers in the province of Guangdong, and dutifully informed the FBI. Sandia dismissed Carpenter because his activities constituted hacking into foreign computers, which is unlawful. Carpenter justifies his actions by saying his case shows the need for reforms if the U.S. is to more effectively respond to cyberthreats. Although Washington has no official position on the power behind Titan Rain, Carpenter and other network-security analysts are convinced that the Chinese government masterminded the attacks.
"The Threats Get Nastier"
InformationWeek (08/29/05) No. 1053, P. 34; Claburn, Thomas; Garvey, Martin J.
- Business technology and security professionals are confident their IT systems are adequately protected against cyberthreats, according to InformationWeek Research's U.S. Information Security Survey 2005, but this attitude belies the fact that worms, viruses, and other forms of malware are more insidious and dangerous than ever. The recent Zotob worm epidemic shows that such threats have not gone away, while the motivation behind such attacks has shifted from bragging rights to financial gain. The most common types of security threats and espionage during the past year were viruses and worms, phishing, denial of service, and Web-scripting language violations, while suspected culprits have included hackers, virus writers, unauthorized and former workers, and organized crime. Seventy-eight percent of survey respondents who believe their vulnerability to cyberthreats has increased or remained steady over the past year say the growing sophistication of such threats is their chief concern, while other anxiety-provoking factors include more ways to attack corporate networks, increased volume of attacks, and more malicious intent. Fifty-one percent of businesses plan to boost their IT security budget this year, while 56 percent of respondents say they are approaching IT security in a more structured way due to the need to conform to government regulations. Enhanced application security, secure remote access, and improved access controls are among the top priorities for these companies. Not only are cyberattacks being launched across multiple modes, but virus writers are taking a cue from hackers and using rootkits to conceal their activities from detection systems. Six percent of companies admit hackers gained access to their customer records, but the actual percentage may be higher if one assumes that some companies are hiding the truth or have been compromised without their knowledge.
From ACM's TechNews, August 31, 2005
"The Future of Computer Worms"
IT Observer (08/30/05); Sancho, David
- Trend Micro research engineer David Sancho outlines possible future attack strategies of bot worms and what steps can be taken to counter them. He says the modular design of bot worms enables them to exploit vulnerabilities faster, which means the interim between the disclosure of a vulnerability and its exploitation will shrink in the very near future; countermeasures Sancho suggests include the immediate patching of home systems as soon as updates are available, and the deployment of software and hardware designed as protective measures against malware in corporate environments. The author thinks future worms could employ polymorphic shellcode exploit attacks, a method in which bot authors create a module that alters the exploit code so that it always varies, which could thwart vulnerability and intrusion detection systems whose effectiveness hinges on the exploit code never changing. A solution to this threat would be a tool that detects the unique compression methods used by each worm variant, and Trend Micro has a scan engine in the works that promises to spot different compression techniques before isolating specific detection patterns. Sancho also expects future worms to perform RSS feed hijacking, in which worms commandeer the existing configured RSS-feed clients to automatically download new worms and other kinds of malware. The author believes the release of Internet Explorer 7 could make RSS feed hijacking a legitimate threat, and recommends that companies implement a method to scan HTTP traffic as a protective measure.
From EduPage, August 26, 2005
Cyberscam Continues Apace
BBC, 26 August 2005
- A recently discovered identity-theft scam continues to cause problems for Internet users, despite efforts by security firms and the FBI to stop it. Security firm Sunbelt Software uncovered the scam accidentally while investigating spyware. Sunbelt located an Internet server whose log files contained personal information harvested by keylogging from many thousands of users. The company notified the FBI, and the server was shut down soon afterwards, only to resurface later. Each time the servers are taken down, more of them appear elsewhere. The keylogging software, which is circulated by a computer virus, captures private information from users and transmits it to one of the rogue servers. The FBI is working to find out who is operating the servers. In the meantime, Sunbelt has developed a tool that searches for the malicious software, which it has named Srv.SSA-KeyLogger.
http://news.bbc.co.uk/2/hi/technology/4186972.stm
From ACM's TechNews, August 26, 2005
"Hackers Attack Via Chinese Web Sites"
Washington Post (08/25/05) P. A1; Graham, Bradley; Eggen, Dan
- Hackers have been focusing attacks on hundreds of unclassified U.S. government systems through Chinese Web sites for several years, reported anonymous government officials. Analysts are split on whether these intrusions are the work of a coordinated Chinese government initiative to breach U.S. networks and monitor government databanks, or other hackers using Chinese networks to mask the attacks' point of origin. "This is an ongoing, organized attempt to siphon off information from our unclassified systems," said one official, who noted that State, Energy, Defense, and Homeland Security Department networks are among those targeted. With roughly 5 million computers spread across the globe, the Pentagon has more computers than any other agency, making its network the most vulnerable target to both foreign and domestic hackers, the officials said. The Pentagon estimates that China is the No. 1 source of Defense Department hacks, though Lt. Col. Mike VanPutte of the U.S. Strategic Command's Joint Task Force for Global Network Operations said this only proves that China is the probes' "last hop" before they strike their targets. One anonymous government official downplayed the severity of the attacks, while another said an FBI investigation has yet to yield any definitive proof of who is orchestrating the intrusions. U.S. concerns about Chinese military initiatives in general are fueling worries about China-based cyberattacks, and the spate of attacks on unclassified systems has added urgency to the Pentagon's effort to acquire new detection software programs and better train computer security specialists, according to several officials.
From ACM's TechNews, August 24, 2005
"Hacker Underground Erupts in Virtual Turf Wars"
Christian Science Monitor (08/22/05); Spotts, Peter N.
- Hacker turf wars sparked by the increasing strategic and monetary value of compromised computers have usually simmered out of the public eye, but such skirmishes were in plain view last week when the Zotob worm infected computers at a major airport, media outlets, and industrial companies, and prompted an all-out battle between competing malware. Zotob appeared a mere six days after Microsoft announced a patch for the security flaw the worm was crafted to take advantage of, and Curtis Franklin Jr. of Secure Enterprise Magazine reports that the average time between the disclosure of a vulnerability and the release of an exploit has shrunk from 21 days to eight days in the last 24 months. Experts say this shorter timeframe can be partially explained by the apparent use of prewritten program "shells" by malware authors, while the patching process can be held up by negotiations between corporate network managers and other parts of the corporation. "Zero-day exploits" in which malware appears on the same day a flaw is announced are generating the most concern, and Franklin says the Zotob turf war illustrates a convergence among the various forms of malware in terms of function. Intelguardians Network Intelligence security consultant Tom Liston says hacker turf wars have increased significantly over the last three years. University of Southern California at Los Angeles professor Peter Reiher adds that such battles used to be primarily over bragging rights, whereas today they indicate a greater interest in controlling infected systems.
From ACM's TechNews, August 19, 2005
"Can a Simple Password Stop Domain Name Hijacking?"
Tom's Hardware Guide (08/17/05); Gruener, Wolfgang
- Using a password at the time of a domain transfer between registrars could safeguard against identity fraud targeting Internet domain names, which has emerged as one of the most significant threats to networks today. Securing the domain name transfer process has been slow, due partially to the lackluster implementation of Extensible Provisioning Protocol (EPP), an XML-based transfer protocol. VeriSign is moving toward adopting EPP for the .com and .net domains on an unspecified time frame, which will ultimately reduce the vulnerability of top-level domains. Since 2000, Registry Registrar Protocol has been steering the exchange of domain name services, but that protocol, adopted by VeriSign in 2003, contains no built-in security features. EPP potentially offers greater security through database management systems, whereby the acquiring registrar verifies the customer's identity from the losing registrar through an authInfo code. The key to authInfo's success will be its application to create unique codes for each domain name, rather than registrar-wide generic codes that are easy targets for hackers. ICANN SSAC Fellow Dave Piscitello describes EPP authInfo essentially as a password, as no one other than the receiving registrar could view the transmission in an unencrypted form. The .com and .net domains have been slow to implement EPP, though its use is common in other domains, such as .org, .biz, and .info. It is estimated that .com and .net will not be fully converted to EPP for another year. EPP may not be a universal panacea, however, as the transfer process still depends on WHOIS data of questionable reliability. Ultimately, SSAC says registrants themselves must be accountable for securing domain names, ensuring their information is current, and choosing an appropriate registrar, as well as utilizing EPP authInfo to its full extent.
Click Here to View Full Article
"Computer Characters Mugged in Virtual Crime Spree"
New Scientist (08/18/05); Knight, Will
- The increasingly porous boundary between the real and virtual worlds is illustrated by the arrest of a Chinese exchange student in Japan on suspicion of controlling software "bots" to assault and rob game characters of virtual possessions, which were then fenced for real money through an auction Web site. Bots can easily best virtual characters controlled by people because they perform tasks in a game very swiftly or repetitively, although such activities can be spotted by countermeasures used by many games companies. Computer games consultant Ren Reynolds comments that bot authors and games firms are locked in an arms race, while the practice of turning virtual worlds into a cash cow is expanding. Computer security expert Bruce Schneier says the line is blurring between real and virtual crime as well, citing recent reports of criminals trying to penetrate games or steal players' account data for money. "I regularly say that every form of theft and fraud in the real world will eventually be duplicated in cyberspace," Schneier writes on his blog. "Perhaps every method of stealing real money will eventually be used to steal imaginary money, too." Reynolds concludes that the rising online game player population will fuel crooks' desire for exploitation even further.
Click Here to View Full Article
From ACM's TechNews, August 19, 2005
"Al-Qaida Recruiting Target: Skilled Hackers"
Investor's Business Daily (08/19/05) P. A4; Tsuruoka, Doug
- Mark Rasch, chief security counsel for Solutionary, Inc. and former head of the Justice Department's computer crime unit, reports that foreign governments and terrorist organizations such as al-Qaida are attempting to hire Internet hackers to break into commercial and federal computer networks, with an eye toward sabotage or information theft. He says a massive assault against our cyberinfrastructure would disrupt services but not inspire terror; much more effective would be a combination cyberattack and physical attack, which would spread fear as well as hinder response strategies. Rasch says al-Qaida has formulated plans to attack U.S. networks controlling the supervisory control and data acquisition (SCADA) systems underlying the country's utility infrastructure. Terrorists can contact hackers in a variety of ways, including through Internet relay chat channels, anonymous outsourcing, and anonymous remailers that hide the original source of messages. Rasch suggests a number of precautions to defend against cyberterror attacks, such as the installation of disaster recovery and business continuation technology and redundant systems. So that people can understand and identify attack precursors, he recommends an exchange of information. Rasch also suggests improving information sharing networks following an attack.
"'War of the Worms' Spurs Latest Cyber-Attack"
ABC News (08/17/05); James, Michael S.
- The attack earlier this week that slowed systems at The New York Times, The Associated Press, and other media outlets may have been an example of battling worms competing for control of major computer networks. The culprit was identified as different strains of the Zotob worm, which targets computers running Windows 2000, though if unprotected, Windows 2003 and XP are also vulnerable. In the latest attacks, the hackers were attempting to seize control of the computers to create botnets, and posted death threats aimed at antivirus companies. The pursuit of unlawful computer armies has led to a virtual turf war, where rival hackers delete each other's worms to clear the way for their own in an effort to build the largest botnet. The recent trend in hacking has been toward personal greed, as simply defacing a Web site or launching a denial of service attack no longer motivates hackers: "Destroying the Internet is not really useful if the Internet is the means to your financial goals," noted Art Manion of the U.S. CERT center at Carnegie Mellon. Botnet operators use the expropriated computers to send out torrents of spam or access personal information, though there is also an underground economy that pays to rent botnets for various purposes, most commonly to send out spam. The use of multiple third-party computers makes it difficult to track the originator of botnet spam. Cybertrust's David Kennedy believes poor laptop security may have facilitated the recent attacks, and cautions businesses to keep security patches updated, and use a special router to manage the connection between the notebook and the providing pipeline; he adds that users should power their notebooks down completely before connecting to the network.
Click Here to View Full Article
"Computer Virus Writers Moving Faster with Attacks"
Reuters (08/17/05); Swartz, Spencer
- A flood of malware-based attacks against U.S. media companies and other corporations this week has prompted security analysts to warn that the window between the disclosure of vulnerabilities and their exploitation by hackers is shrinking. "These guys have gotten a lot faster...they are doing it faster than managers can keep up with," stated F-Secure virus researcher Ero Carrera. Analysts said the interim between advisories of flaws in Microsoft's Windows operating system and the release of exploitative viruses was several weeks or months a few years ago. However, hackers authored and released exploits of three Windows security vulnerabilities mere days after Microsoft notified users of their existence last week. The malware caused thousands of vulnerable machines to restart repeatedly, and potentially exposed computers to hackers who could hijack a system as a launch-pad for future virus attacks and steal personal data while the user is unaware. Also troubling is the fact that virus writers often release malicious code faster than computer system safeguards can be updated. Hackers have additionally started exploiting instant messaging's popularity among office workers as a vehicle for delivering viruses.
Click Here to View Full Article
From Microsoft -- "School is in: 7 computer security tips for students".
From the Chicago Tribune, Now, Every Keystroke Can Betray You.
From New York Times, August 17, 2005
Virus Attacks Windows Computers at Companies
By Matt Richtel
- A handful of digital worms that exploit vulnerabilities in some Microsoft Windows computers spread on Tuesday. Read the article.
From New York Times, August 15, 2005
Spyware Heats Up the Debate Over Cookies
By Bob Tedeschi
- Internet users now routinely delete cookies, leaving marketers scrambling to find another tool to measure their effectiveness. Read the article.
From EduPage, August 17, 2005
Former AOL Employee Sentenced For Data Theft
Reuters, 17 August 2005
- A judge in New York has sentenced a former employee of America Online to 15 months in prison for stealing 92 million screen names from AOL and selling them to a spammer. Jason Smathers, who pleaded guilty earlier this year and cooperated with prosecutors, expressed remorse for his actions and asked the judge for leniency. Indeed, the judge could have given Smathers 24 months in prison for his crimes, which included conspiracy and interstate trafficking of stolen property. AOL has said it suffered monetary losses of $300,000 as a result of Smathers's actions. The judge in the case has given the company 10 days to prove those losses, after which he said he will impose a fine, hinting that he is leaning toward a fine of $84,000.
http://today.reuters.com/business/newsarticle.aspx?storyID=nN17251689
From ACM's TechNews, August 17, 2005
"'Spear Phishing' Tests Educate People About Online Scams"
Wall Street Journal (08/17/05) P. B1; Bank, David
- To raise user awareness of online scams designed to trick them into revealing sensitive information to data thieves and other miscreants, organizations such as the U.S. Military Academy are conducting exercises in which people are sent phony emails disguised as official requests to link to Web pages and enter confidential data, and then upbraided if they do so. Through this strategy, defenders hope to teach users to be more cognizant of "spear phishing" scams in which attackers craft email messages that would seem to originate from the recipient's company or organization. Last June, over 500 West Point cadets were sent mock emails from a fictitious colonel instructing them to click on a link to confirm that their grades were correct, and more than 80 percent of recipients complied; the cadets were gently reprimanded via email and advised to be more cautious in the future. In recent months, almost 10,000 employees of New York state were sent emails that were supposedly official notices asking them to access sites and enter their passwords and other personal details, and those who did were sent a note explaining the purpose of the exercise. "The bottom line lesson was: Even if the request comes from legitimate individuals, never give out personal information," said New York CIO William Pelgrin. However, such methods could potentially erode employees' trust for their organizations' information-security personnel. Still, SANS Institute research director Alan Paller called such exercises "a key defense against large-scale theft of confidential information."
From EduPage, August 15, 2005
E-Mail Marketer Convicted Of Stealing 1.6 Billion Names
Wall Street Journal, 15 August 2005
- A jury in Arkansas has convicted Scott Levine of stealing 1.6 billion computer records from Little Rock-based data vendor Acxiom Corp. The records included names, addresses, phone numbers, and other personal information that Levine's company, Snipermail.com, sought to use in direct e-mail marketing campaigns. In the case, the government presented evidence that Levine had used illegally obtained passwords of about 300 legitimate Acxiom customers to fraudulently access the records. Levine was convicted of 120 counts of unauthorized access to a computer, two counts of fraud for cracking passwords, and one count of obstruction of justice for trying to destroy evidence stored on Snipermail computers. Levine will be sentenced in January. Acxiom said that since the intrusion, it has improved security procedures for protecting data, including strengthening encryption systems and the company's ability to detect when unauthorized access takes place.
(sub. req'd) http://online.wsj.com/article/0,,SB112406416615412935,00.html
From ACM's TechNews, August 15, 2005
"NIST Creates Online Treasure Trove of Security Woes"
Federal Computer Week (08/15/05); Yasin, Rutrell
- The National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) is a comprehensive repository of cybersecurity data culled from all publicly available vulnerability resources that also supplies references to industry resources. NVD creator and NIST computer scientist Peter Mell says about 12,000 vulnerability entries have been posted on the NVD Web site, with roughly 10 new postings added daily. The public will be able to use NVD to gain detailed information on flaws in specific products and trends in industry segments, while developers who must import vulnerability data into their security offerings could benefit as well, according to Mell. The database is constructed wholly on the Common Vulnerabilities and Exposures (CVE) naming standard maintained by Mitre, and which is used by some 300 security products to spot vulnerabilities and expedite interoperability between those products; Mell says NVD will further assist in the facilitation of compatibility by augmenting the CVE standard with detailed vulnerability data. The public can freely avail themselves of NVD's vulnerability information as an XML feed, and Mell says the database can also produce statistics that extrapolate vulnerability-discovery trends. Unlike the Homeland Security Department's Technical Cyber Security Alerts and Vulnerability Notes, which only notify the public about the most critical flaws, NVD offers "an encyclopedia of everything," reports Mell. SANS Institute research director Alan Paller notes that users can employ NVD to answer difficult queries such as whether software from specific vendors is flawed. NVD is sponsored by the DHS' National Cyber Security Division as a complement to the department's suite of vulnerability management products, Mell says.
Click Here to View Full Article
"Instant Messaging: A New Target For Hackers"
Computer (07/05) Vol. 38, No. 7, P. 20; Leavitt, Neal
- The growing popularity of instant messaging (IM), especially among businesses, has made it an increasingly attractive target to phishers, malware authors, and other attackers. IMlogic CTO Jon Sakoda says IM attacks can propagate rapidly thanks to IM's real-time capabilities. Other factors encouraging IM attackers include a lack of safe computing practice among users; the false sense of security users feel due to IM's immediacy and informality; growing functionality and complexity of IM systems; and an absence of corporate IM-use policies. Messaging providers and security companies are attempting to thwart or mitigate IM attacks by monitoring and analyzing IM security risks through the IMlogic Threat Center and similar efforts, and are also educating consumers about safe computing practices. Many IM virus outbreaks cannot be halted by traditional antivirus technology, which fails to keep up with the rapid spread of IM communications. However, virus throttling shows promise as a method for slowing down and limiting the damage of messaging worm propagation. Furthermore, major IM networks are amending their clients to combat buffer overflow attacks enabled by substandard programming and memory management.
From EduPage, August 12, 2005
New York Adds Disclosure Law
The Register, 12 August 2005
- New York State has enacted a law requiring corporate or public organizations to notify individuals in the event that personal information about them has been compromised. Similar in concept to a California law that went into effect two years ago, the New York law compels organizations that store sensitive information to contact consumers as quickly as is practical if there is evidence or suspicion that data including Social Security numbers or credit card numbers have been unlawfully accessed. At least 15 other states have passed similar legislation since California did. New York State Assembly member James Brennan, sponsor of the legislation, said, "If a person is not aware that he or she has been a victim of identity theft, then the damage done could be severe and irreversible," noting that the sooner people are made aware of security breaches involving sensitive data, the better their chances are of avoiding the worst repercussions.
http://www.theregister.com/2005/08/12/ny_security_breaches_disclosure/
From ACM's TechNews, August 12, 2005
"PluggedIn: Wireless Networks--Easy Hacker Pickings"
Reuters (08/05/05); Sullivan, Andy
- Wireless networks are highly vulnerable to exploitation, so much so that hackers regularly compete to find open Wi-Fi connections. Mapping out wireless access points, a practice known as wardriving, is very popular, as demonstrated by wardriving contests hosted at the recent Defcon hacker conference. Inexpensive wireless routers let consumers surf the Web from home, while a Wi-Fi signal's radius of several hundred feet allows neighbors to access the Internet as well. Very few wireless hotspot owners avail themselves of encryption, password protection, and computer-specific network access features. Wardrivers say the WEP encryption standard employed by many access points is easy to break, while others blame manufacturers such as Linksys for failing to make security a default setting in their products because they are more interested in ease of use. Mike Wagner with Linksys claims new routers enable computers to securely link with other Linksys devices through the simple push of a button, but admits his company cannot ship its products with the security settings activated because most users will not go to the trouble of changing the default password. Numerous laws criminalize accessing computer networks without authorization, but few have been put to the test in court. Wardrivers claim not to approve of unauthorized network use, insisting that the goal of their activities is to raise awareness of wireless security's vulnerability among consumers and manufacturers in the hope of spurring them to make improvements.
Click Here to View Full Article
From EduPage, August 10, 2005
Hackers Hit Another University
San Francisco Chronicle, 9 August 2005
- Sonoma State University, an hour north of San Francisco, has become the latest in a growing list of universities to suffer a hacker attack that put personal information of students and staff at risk. At Sonoma State, hackers in July gained access to several computer workstations, which allowed them to access a number of other computers before university staff detected and put an end to the intrusion. In all, the hackers had access to names and Social Security numbers of nearly 62,000 students, applicants, or employees of the university between 1995 and 2002. A spokesperson for the university said the hackers did not have access to financial information and noted that there is currently no evidence that any of the information has been misused. Nevertheless, the university is required by state law to contact individuals whose personal information has been compromised, and the university is working to do just that. The university has set up a Web site with information and is advising affected individuals to contact credit-reporting agencies to be on the lookout for possible identity fraud.
http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/08/09/BAGLJE50C81.DTL
Students Face Punishment For Computer Tampering
Wired News, 9 August 2005
- Thirteen high school students in the Kutztown Area School District in Pennsylvania face felony charges of tampering with computers after defeating security measures on laptops issued to them by the school district. The laptops included Internet filters and an application that allowed district administrators to see what students did with the computers. The 13 used administrator passwords--which, for unknown reasons, were taped to the backs of the computers--to override the filters and download software such as iChat that the district policy forbids. The students also modified the monitoring program so that they could see what the administrators did with their computers. The students and their parents argued that the felony charges are unwarranted, but, according to the district, students and parents signed acceptable use policies that clearly state what activities are not allowed and that warn of legal consequences if the policy is violated. The students continued to violate district policies for use of the computers even after detentions, suspensions, and other punishments, according to the district. Only then did school officials contact the police.
http://www.wired.com/news/technology/0,1282,68480,00.html
Spammer Settles With Microsoft
New York Times, 10 August 2005
- Microsoft has reached a settlement with Scott Richter, a man once described as one of the top three spammers in the world. Efforts by Microsoft and New York Attorney General Eliot Spitzer in 2003 resulted in the collection of 8,000 e-mail messages containing 40,000 fraudulent statements sent by Richter's company, OptInRealBig. Richter earlier agreed to pay New York State $50,000; under the new settlement, Richter will pay Microsoft $7 million. According to Bradford L. Smith, chief counsel for the software giant, $5 million would be used to "increase our Internet enforcement efforts and expand technical and investigative support to help law enforcement address computer-related crimes," while another $1 million will be spent on improving computer access for the poor in New York State. The settlement also requires Richter to comply with state and federal laws governing e-mail and to submit to oversight of his company's operations for three years.
(registration req'd) http://www.nytimes.com/2005/08/10/technology/10spam.html
From ACM's TechNews, August 10, 2005
"Critics Say Security Still Lags"
Investor's Business Daily (08/09/05) P. A4; Howell, Donna
- Internet and computer security continues to face heavy criticism four years after Sept. 11, with industry organizations and the Government Accountability Office (GAO) urging the allocation of more federal resources to tech security. A CSO magazine poll of 389 security professionals finds that roughly 59 percent of respondents doubt the government can secure the U.S. information infrastructure, while 45 percent expect hackers or terrorists to launch the digital equivalent of a Pearl Harbor-style attack against the nation's critical infrastructure. The GAO has issued several studies finding fault with federal cybersecurity efforts, and Ron Ross with the National Institute of Standards and Technology says his organization has been developing a set of standards and guidelines designed to help agencies construct improved information systems and safeguards. "There's no long-term vision for what we ought to be doing in cybersecurity research and development," notes Cyber Security Industry Alliance (CSIA) executive director Paul Kurtz. "In the long term, we need to think about our information systems constantly being under attack...And the need to transfer over to other systems." In July, CSIA recommended the development of a 10-year federal plan to enhance the security, reliability, and resiliency of information technology, as well as additional funding for the issue. A recent restructuring of the Homeland Security Department resulted in the creation of an assistant secretary for cybersecurity and telecommunications; both CSIA and the ITAA praised this maneuver, though ITAA President Harris Miller still laments that some federal IT agencies' budgets remain flat. Unisys' Greg Baroni points to increased security audits encouraged by security guidelines mandated by the Federal Information Security Management Act, which will soon obtain a "compliance component."
"Annual Hacking Game Teaches Security Lessons"
SecurityFocus (08/04/05); Lemos, Robert
- The annual DEF CON conference hosts a hacker version of Capture the Flag, and this year's bout emphasized more real-world skills, according to University of California at Santa Barbara computer science professor Giovanni Vigna, whose Shellphish team was the victor. "The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things," Vigna explained. "It's about analyzing the security posture of a system that is given to you and about which you initially know nothing." This year the organizers courted controversy by running a central server on which each team's virtual server operated, whereas in past tournaments each team was permitted to run its own server; Crispin Cowan with Novell's SUSE division said this meant there was very little defense that could be implemented, and he doubted that anyone with a substantial interest in defense will participate in future tournaments if exclusive concentration on code auditing becomes the norm. One of the organizers defended this year's game with the argument that the bout was a hacking contest. He said finding and exploiting security flaws in custom software via reverse engineering, not just code auditing, is key to being a top hacker. The organizer insisted that defense was not sidelined, noting that some teams successfully deployed Tripwire, a data-integrity checker that can pinpoint altered files, and used an intrusion detection system to monitor traffic. Vigna said the winning team's strategy kept the discovery of flaws and the toughening up of system services in balance.
Click Here to View Full Article
"Car Computer Systems at Risk as Viruses Go Mobile"
Reuters (07/29/05); Virki, Tarmo; Shields, Michael
- In-vehicle computer systems could be threatened by malware as hackers' interest in authoring viruses for wireless devices grows, according to automotive industry officials and analysts. Automakers' tweaking of on-board computers to allow consumers to transfer data with mobile phones and MP3 players also increases the cars' vulnerability to mobile viruses that hop between devices through the connective Bluetooth technology, which is employed in car electronics interfaces for service and monitoring. The worst-case scenario is that the computer would no longer be able to control engine performance, emissions, navigation, and entertainment systems, and Symantec mobile virus specialist Guido Sanchidrian says this should not prevent motorists from driving their cars on their own. Thus far there have been no reports of viruses in auto systems, but carmakers say they are giving the matter serious consideration, even though research shows transplanting a virus into a car is not a simple proposition. A BMW representative says such transplants are a possibility, and addressing this problem has been an area of concentration for many years. A Siemens representative claims her company uses systems that screen out unwanted programs and data via encryption. Automakers' growing emphasis on computer security could be a windfall for antivirus firms, and IDC projects that the mobile security software market will skyrocket from $70 million in 2003 to $993 million in 2008.
Click Here to View Full Article
From EduPage, August 5, 2005
Court Upholds University Block On Spammer
Inside Higher Ed, 4 August 2005
- A federal appeals court ruled in favor of the University of Texas (UT) in its dispute with White Buffalo Ventures over thousands of spam e-mails sent by the company to students of the institution. In 2003, White Buffalo, which operates an online dating service geared toward UT students, began sending thousands of messages to student e-mail addresses it had obtained through public records. After receiving many complaints from students, the university blocked White Buffalo's e-mails, a move the company said infringed on its First Amendment rights and its rights under the CAN-SPAM Act. A federal judge disagreed with White Buffalo, and the current ruling supports that decision. The three-judge panel of the appeals court found that the institution is within its rights to place restrictions on commercial speech if such restrictions can be shown to legitimately benefit constituents--in this case, UT's students. Observers noted that the court's rejection of White Buffalo's CAN-SPAM argument is important in that it presents a significant roadblock to organizations that would try to use the law to make it easier, rather than more difficult, to send unsolicited e-mail.
http://insidehighered.com/news/2005/08/04/ut
From EduPage, August 3, 2005
CU Suffers Another Hack
The Denver Post, 3 August 2005
- Hackers broke into a server at the University of Colorado (CU), marking the third security breach in the past six weeks. The latest attack targeted servers that held information for the school's ID card, known as the Buff OneCard. Those servers included names, Social Security numbers, and photographs but not financial information. Potentially exposed in the attack is personal information for 29,000 students, some former students, and 7,000 staff members. Students who will be entering the university in the fall were not affected. Dan Jones, IT security coordinator, said it was not clear whether this attack was perpetrated by the same people who compromised two other servers recently. In April, CU had decided to move away from using Social Security numbers as identifiers for students, based on security problems at other institutions and the risk of identity theft. Some systems on campus, however, still use Social Security numbers to track students, according to Jones. Officials at the university said they will hire an independent auditing firm to assess the institution's security measures and will also evaluate some 26,000 computers to determine which could be placed behind a firewall.
http://www.denverpost.com/news/ci_2909173
Researcher Says DNS Servers Vulnerable
CNET, 3 August 2005
- In a presentation at the Black Hat conference last week, security researcher Dan Kaminsky argued that domain name system (DNS) servers represent a broad vulnerability in the Internet. Kaminsky said that of 2.5 million DNS servers he tested, nearly 10 percent could be susceptible to so-called DNS cache poisoning. In total, about 9 million DNS servers are operating globally. DNS servers translate the domain names users type into the numeric IP addresses needed to locate Web sites. In cache poisoning, the legitimate numeric addresses held in a server's cache are replaced with forged ones, causing users to be redirected to sites of the hacker's choosing. Often, users are sent to Web sites that install malware or that deceive users into disclosing personal information, which can then be used in identity theft. Incidents of cache poisoning have disrupted Internet service in the past, including this March, when users trying to access CNN.com and MSN.com were sent to sites that installed spyware. Security experts advise operators of DNS servers to audit their machines and make sure they configure them in the safest manner possible.
http://news.com.com/2100-7349_3-5816061.html
From New York Times, August 7, 2005
Europe Zips Lips; U.S. Sells ZIPs
By Eric Dash, August 7, 2005
- The U.S. looks at privacy largely as a consumer and an economic issue; in the rest of the developed world, it is regarded as a fundamental right. Read the article.
The Rise of the Digital Thugs
By Timothy L. O'Brien, August 5, 2005
- The newest big corporate menace: disgruntled techies, who find company secrets and will keep them, for a price. Read the article.
From ACM's TechNews, August 3, 2005
"The Sniffer vs. the Cybercrooks"
New York Times (07/31/05) P. 3-1; Rivlin, Gary
- As the motivation for hackers shifts from the pursuit of bragging rights to high-stakes economic plundering, many corporations are enlisting the services of sniffers, security analysts who peer through the eyes of a hacker to exploit a system's vulnerabilities in the name of improving its security. A recent survey found that over 87 percent of the companies polled conduct penetration tests, up from 82 percent a year ago; up 14 percent from 2003, companies in North America spent more than $2 billion on security consulting last year, says Gartner analyst Kelly Kavanagh. Sniffers such as independent consultant Mark Seiden often resort to unorthodox techniques to expose a system's vulnerabilities. While he is a former programmer with considerable technical expertise, Seiden may be best known for his innovative methods for gaining access to companies' most sensitive information, such as using disguises to infiltrate restricted places. Once inside, Seiden is an expert at figuring out where a data center is housed, and by blending in, picking locks, and shimmying through air ducts to drop through a ceiling into an otherwise secure room, he has exposed weaknesses in many high-profile companies. The most porous security is most likely to be found in a physical building, where file cabinets with cheap locks and unsecured backup tapes offer a wealth of sensitive information to someone such as Seiden. Though his creativity and uncanny ability to think like a cyber-criminal have kept him in high demand, he acknowledges that "you can't prevent a determined adversary who has unlimited resources from breaching security." But as Gartner analyst Richard Mogull points out, even though 100 percent security will forever be an illusion, sniffers such as Seiden can help companies protect against the vast majority of would-be hackers who "have only rudimentary skills."
Click Here to View Full Article
Solutions to many of our security problems already exist, so why are we still so vulnerable? Read the article from Queue.
From New York Times, July 31, 2005
The Sniffer vs. the Cybercrooks
By Gary Rivlin
- Sniffers, or professionals who test a computer network's security, must do their best to think like an enterprising cyberthief. Read the article.
From EduPage, July 29, 2005
Congress Gets Serious About Data Privacy
CNET, 28 July 2005
- Ahead of its August recess, Congress moved data-security measures to the top of its agenda, with various House and Senate committees considering three different bills dealing with the protection of sensitive information. The broadest legislation being considered is the Personal Data Privacy and Security Act, which would place new restrictions on how personal information may be used and imposes criminal penalties for those found to have violated it. The bill would limit the sale and publication of Social Security numbers, require notification of consumers in the event their personal data is compromised, and restrict the authority of the states in writing their own regulations for data protection. Other bills working their way through the Senate include similar requirements that consumers be notified of data breaches, but they only include civil penalties. The other measures, including one passed by the Senate Commerce Committee, place oversight and enforcement authority with the Federal Trade Commission (FTC). Critics of the proposed legislation argue that it is being rushed through without proper discussion.
http://news.com.com/2100-7348_3-5808894.html
From ACM's TechNews, July 27, 2005
"Two Professors Go Fishing for Phishers"
San Francisco Chronicle (07/25/05) P. E1; Kirby, Carrie
- Stanford computer science professors John Mitchell and Dan Boneh are leading a team developing anti-phishing tools designed to help email users avoid bogus Web sites and prevent crooks from stealing other people's passwords. The SpoofGuard software plug-in the team created last year examines each site visited by users for signs of phoniness, and alerts them if it spots anything suspicious. A second plug-in, PwdHash (password hash), scrambles the password typed into a site and creates a unique sign-on for each visited site; should a user sign on to a spoofed version of a legitimate site and be fooled into typing in his password, PwdHash will prevent the phishers from acquiring the same password the authentic site got. In addition, PwdHash addresses users' tendency to employ the same password at many different sites, which means thieves' attempts to log on to as many sites as they can with a PwdHash-scrambled password will fail. PwdHash will be unveiled at a Baltimore security conference next week, while Boneh expects to release a third tool, the SpyBlock Trojan horse key-logging software deterrent, in six months. The tools are freely available as browser plug-ins on the Stanford Web site, although the researchers would prefer that such solutions are embedded within the major browsers.
Click Here to View Full Article
From EduPage, July 25, 2005
Software Hides Passwords From Phishers
San Jose Mercury News, 25 July 2005
- Two professors at Stanford University are set to unveil software designed to foil phishers by scrambling passwords entered into Web sites. John Mitchell and Dan Boneh developed the software, called PwdHash, to deal with the growing problem of Web sites that lure computer users into disclosing personal information. The software creates a unique password for each Web site a user visits. If the user goes to a bogus version of a legitimate Web site, the software creates a separate password, leaving the operator of the bogus site with a password that will not work at the real site. Previously, the pair of professors had written software that tries to identify fraudulent Web sites and notifies the user when such a site is suspected.
http://www.siliconvalley.com/mld/siliconvalley/12218576.htm
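The two PwdHash summaries above describe the idea but not the mechanics, so here is an added example (not PwdHash's own code, and not from either article) of per-site password derivation. It assumes an HMAC-SHA256 over the host name, keyed by the user's master password; PwdHash's actual construction and its choice of which part of the domain to hash differ, so the function names `site_key`, `site_password` and `captured_value_works` and the normalization rules are this example's own assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the host name that keys the per-site password.

    Normalization (lowercase, drop scheme/port/path) is this example's choice;
    a real deployment would decide whether subdomains share one password.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host.lower()


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive the password actually submitted to a site from the master password
    and the site's host name.

    HMAC-SHA256 is an assumption of this example, not PwdHash's construction.
    The master password is the key, so it never reaches any site; each host
    receives a distinct, non-reversible value.
    """
    key = site_key(url)
    digest = hmac.new(master.encode("utf-8"), key.encode("utf-8"), hashlib.sha256).digest()
    # URL-safe base64, trimmed to a fixed length that typical password fields accept.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def captured_value_works(master: str, phishing_url: str, real_url: str) -> bool:
    """A phishing page only ever receives the value derived for ITS host name.

    Returns True only if that value would also be accepted by the real site,
    which is the failure mode per-site hashing is designed to rule out.
    """
    return site_password(master, phishing_url) == site_password(master, real_url)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    real = "https://bank.example.com/login"
    lookalike = "https://bank.example.com.evil.test/login"  # constructed lookalike host
    print("real site receives     :", site_password(master, real))
    print("lookalike site receives:", site_password(master, lookalike))
    print("captured value usable at real site:", captured_value_works(master, lookalike, real))
```

Because the derived value depends on the host name, the same master password typed into the lookalike host yields a different string, which is why the second summary says the bogus operator is left with "a password that will not work at the real site"; the same property breaks password reuse across legitimate sites.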
CU Computers Hacked
The Denver Channel, 22 July 2005
- Officials at the University of Colorado said hackers gained access to two servers at the university, possibly exposing personal information on nearly 43,000 students and employees of the institution. One server, at the College of Architecture, contained data on 900 individuals; the other, at the university's health center, included information for another 42,000 people. The servers included names, Social Security numbers, addresses, and dates of birth, according to the university, but neither included credit card information. Still, university officials are advising those affected to monitor their credit reports for suspicious activity, and the university has set up a Web site and a hot line to answer questions. Investigators looking into the situation said that one hacker came through a server in France, while the other came through a server in Eastern Europe. University officials have no information so far that any of the personal data on the servers has been misused.
http://www.thedenverchannel.com/technology/4757407/detail.html
Paying Hackers For Bugs
CNET, 24 July 2005
- Computer-security firm TippingPoint has begun a program to pay rewards to individuals who report computer vulnerabilities. Not unlike similar programs from other companies, the TippingPoint deal offers a variable amount of money if a reported bug proves valid. The company will use the information to update its own protection software and will notify the maker of the vulnerable product about the problem. David Endler, director of security research at TippingPoint, said the reward program is intended to "reward and encourage independent security research" and to "ensure responsible disclosure of vulnerabilities." Not all security companies believe in bounties. Internet Security Systems, for one, said that paying for such bug reports amounts to having hackers do a company's research for it. An official from Internet Security Systems also noted that the bugs reported in such programs are typically very low-level problems, saying that the more extreme vulnerabilities are worth much more when used for hacking than if turned in to security companies.
http://news.com.com/2100-7350_3-5802411.html
Hackers Finding New Targets
Wall Street Journal, 25 July 2005
- According to a new report from the SANS Institute, the number of computer hacking incidents is rising, and the targets of such hacks are increasingly software applications rather than operating systems. The organization found that the number of vulnerabilities reported was up 11 percent from the first quarter of the year to the second, and up nearly 20 percent from a year earlier. Alan Paller, SANS's research director, said the situation is getting worse. As operating systems become more secure, hackers are turning to applications, such as Apple's iTunes and RealNetworks's RealPlayer. Hackers are also focusing efforts on backup systems, particularly those of Computer Associates and Veritas Software. Because backup systems typically contain vast amounts of confidential corporate data, they represent an attractive target. SANS noted that the best way to avoid such hacking threats is to install all software patches, keep antivirus tools up to date, and be prudent in opening e-mail attachments.
(sub. req'd) http://online.wsj.com/article/0,,SB112224497897894400,00.html
From ACM's TechNews, July 25, 2005
"Retracing Spam Steps Could Halt Mass Emails"
New Scientist (07/22/05); Knight, Will
- A team of researchers from IBM and Cornell University has devised SMTP Path Analysis, a method that traces an email's Internet route by examining Simple Mail Transfer Protocol (SMTP) data embedded within the message's concealed "header," and determines from this information whether the message is spam or authentic. The algorithm at the heart of SMTP Path Analysis "learns" by studying the chain of Internet Protocol addresses in both spam and legitimate email headers, which enables it to ascertain fairly accurately whether a new incoming email is genuine or junk. Barry Leiba with IBM's Thomas J. Watson Research Center says the algorithm cannot efficiently identify spam by itself, but is effective when it operates in conjunction with content filters; moreover, it can spot material that content filters cannot. The researchers developed a second algorithm to assess the plausibility of the route an email claims to have followed as a countermeasure to spammers' ability to forge the address of the mail server used to send the message out. Microsoft anti-spam researcher Joshua Goodman says spammers should have a hard time inventing a workaround to SMTP Path Analysis, since the technique uses IP information derived from multiple sources. The SMTP Path Analysis software was unveiled at the Second Conference on Email and Anti-Spam on July 22. Other anti-spam proposals suggested by industry groups include having email servers furnish cryptographic keys so that messages can be confirmed upon their arrival in an in-box.
Click Here to View Full Article
"May I Have Your Identification, Please?"
SiliconValley.com (07/25/05); Lee, Dan
- Several email authentication technologies will go before the Internet Engineering Task Force as candidates for an industry standard. DomainKeys Identified Mail (DKIM) is a joint venture between Yahoo! and Cisco Systems that marries the former's DomainKeys and the latter's Internet Identified Mail into a technology that enables a sender's company or service provider's mail service to assign scrambled digital signatures to outgoing emails that verify the address; the recipient confirms the address by checking that the sender has been registered as genuine through the domain name system. Meanwhile, the Microsoft-backed Sender ID specification checks the numerical IP address of the server sending the email against a published list of servers authorized to send messages by the domain owner. DKIM has experienced difficulty in recognizing messages that are part of email lists employed in discussion groups that may modify a message, while Sender ID cannot always identify email forwarded from one address to another. Experts classify an effective email authentication standard as one that is adopted by a large portion of the world's email senders, and Gartner analyst Arabella Hallawell believes DKIM will emerge as the leading standard because it faces fewer technical problems than Sender ID. However, Yahoo!, Cisco, and Microsoft each expect both technologies to find use. EarthLink's Tripp Cox says the level of industry collaboration surrounding these technologies is "unprecedented." "If we're going to make an impact on spam, it's crucial that the vast majority of Internet senders and receivers implement the technology," he argues.
Click Here to View Full Article
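The summary above says Sender ID "checks the numerical IP address of the server sending the email against a published list of servers authorized to send messages by the domain owner", and that it "cannot always identify email forwarded from one address to another". The following added example (this editor's code, not Sender ID's or SPF's reference implementation) shows both points with a deliberately reduced policy syntax: only `ip4:` terms and a final `all` with the usual qualifiers. The `DNS_TXT` table stands in for DNS lookups and holds constructed records on documentation address ranges; `parse_policy` and `check_sender` are this example's own names.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> published sender policy.
# These are hypothetical records on RFC 5737 documentation ranges, not real domains' policies.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example.org": "v=spf1 ip4:203.0.113.0/28 ~all",
}

# Qualifier prefixes as used in SPF/Sender ID records; "+" (pass) is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_policy(record: str):
    """Parse a reduced policy record into ([(result, network), ...], default_result).

    Only ip4 terms and 'all' are supported here; the real syntax also has a, mx,
    include and redirect mechanisms that require further DNS lookups.
    """
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not a sender policy record")
    networks = []
    default = "neutral"  # result for a sender that matches no term and no 'all'
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            default = QUALIFIERS[qualifier]
        elif term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)  # "a.b.c.d" becomes a /32
            networks.append((QUALIFIERS[qualifier], net))
        else:
            raise ValueError(f"unsupported term in this example: {term}")
    return networks, default


def check_sender(domain: str, sending_ip: str, lookup=DNS_TXT) -> str:
    """Evaluate the connecting server's IP against the domain's published policy.

    Returns pass / fail / softfail / neutral, or 'none' when the domain publishes
    no record (a receiver then has nothing to authenticate against).
    """
    record = lookup.get(domain.lower())
    if record is None:
        return "none"
    networks, default = parse_policy(record)
    ip = ipaddress.ip_address(sending_ip)
    for result, net in networks:
        if ip in net:  # first matching term decides
            return result
    return default


if __name__ == "__main__":
    # Direct delivery from one of example.com's listed servers.
    print("direct   :", check_sender("example.com", "192.0.2.45"))
    # The same message relayed by a forwarder the domain owner never listed:
    # the envelope sender still says example.com, but the connecting IP is the forwarder's.
    print("forwarded:", check_sender("example.com", "203.0.113.99"))
    # A domain with a softfail policy and a sender outside its range.
    print("softfail :", check_sender("example.org", "10.0.0.1"))
```

The forwarded case is the failure mode the article attributes to Sender ID: the check is purely on the last hop's IP, so a legitimate message that passes through a forwarding host not in the domain's list evaluates to "fail" at the final receiver. A receiver that treats "fail" as a hard reject therefore loses forwarded mail, which is one reason "softfail" and "neutral" qualifiers exist and why signature-based schemes such as DKIM, which travel with the message, handle forwarding better.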
From EduPage, July 22, 2005
National Cybersecurity Test Scheduled
ZDNet, 22 July 2005
- The Department of Homeland Security's National Cyber Security division plans a test of the nation's cybersecurity incident response capabilities with an exercise scheduled for November 2005 called Cyber Storm. The announcement came in written testimony by Acting Director Andy Purdy before a Senate subcommittee earlier this week.
http://news.zdnet.com/2100-1009_22-5799876.html
"Information Security With Colin Percival"
O'Reilly ONLamp (07/21/2005); Lucas, Michael W.
- Simon Fraser University visiting researcher Colin Percival described his research on information security in a recent interview, which deals with the security threat posed by hyperthreading. He demonstrated how this technique can be used to exploit vulnerabilities in a system by a hacker who simply needs to run code concurrent to the running of the program he is trying to spy on. Percival found a fundamental vulnerability in Intel's design that allowed him to penetrate the system, raising considerable concern in the security community; in response, Microsoft and Intel were reluctant to acknowledge the security breach, and have been slow to develop patches. Some critics maintain that Percival's exploitation is largely theoretical, though he claims that it is a very real threat. Percival believes that in the future, the task of sifting through source code in search of security errors will be handled by programs, instead of people. Percival's research, published in a paper entitled "Cache Missing for Fun and Profit," proved the existence of a covert channel running between threads on the same processor core, and demonstrated how it could be used as a side channel, as well as offering solutions on how to guard against it. Percival developed his research while working on his doctoral degree and serving as a deputy security officer for FreeBSD. He has also written an open-source, downloadable security tool called FreeBSD Update that enables users to download and install security updates with little complication, addressing what he believes to be the central obstacle to the adoption of new security tools.
Click Here to View Full Article
"Call for Homeland Security Cybersecurity Improvements"
IDG News Service (07/19/05); Gross, Grant
- The U.S. Department of Homeland Security (DHS) does not have recovery plans in case of a widespread Internet attack, Government Accountability Office IT management director David Powner said yesterday, speaking before the Senate Homeland Security and Governmental Affairs Committee. Powner told lawmakers that DHS must implement an Internet recovery plan and a national cybersecurity threat assessment to better protect U.S. cybersecurity. Powner also said the GAO believes DHS must develop better relationships with state and local governments, private industry, and other federal agencies to counter cyber threats. Powner said that although DHS is making progress, "large portions of our critical infrastructure are unprepared to effectively handle a cybersecurity attack." Sen. Tom Coburn (R-Okla.) agreed with Powner and called for better coordinated cybersecurity prevention and recovery techniques. Meanwhile, DHS National Cyber Security Division acting director Andy Purdy asserted that the agency is implementing several plans to boost cybersecurity and decrease vulnerability. Sen. Thomas Carper (D-Del.) said DHS must put a higher priority on cyber security issues, cautioning that a joint physical and cyber attack could cripple response efforts. He said, "Cybersecurity plays an important role in the protection of our critical infrastructure."
Click Here to View Full Article
From ACM's TechNews, July 20, 2005
"Corrupted PC's Discover a Home: The Dumpster"
New York Times (07/17/05) P. 13; Richtel, Matt; Markoff, John
- When faced with the contamination of their PCs by malware and other unwanted programs, many owners are opting to toss their infected machines and replace them with uncorrupted models, rather than go to the trouble of repairing them. Pew Internet and American Life Project director Lee Rainie characterizes such a response as entirely reasonable, given the incessant flood of malicious software, adware, spyware, defective programs, diminishing performance, and system crashes. In addition, Rainie says the threat of system corruption is escalating, and that "the arms race seems to have tilted toward the bad guys." Symantec's Vincent Weafer estimates that the ranks of computer viruses have swelled by more than 100 percent in the last six months alone, while adware and spyware programs have increased by approximately 400 percent; Symantec executives partly attribute this development to the growth of high-speed Internet access. Especially worrying is malware that can conceal itself from cleansing and removal programs, which makes the scrubbing of corrupted PCs a more complicated and often manual task, according to Weafer. Yale computer science professor David Gelernter says the software industry is chiefly responsible for this lamentable state of affairs, and points out that people are less and less willing to clean their PCs. Meanwhile, anti-infection tools such as firewalls, antivirus programs, and spyware-removal software are far from 100 percent effective. Some users, after acquiring new systems, are modifying their behavior to lessen the chances of PC corruption; for instance, San Francisco physician Terrelea Wong refuses to loan her computer out to friends, because she suspects her old system became infected through indiscriminate use of the Internet by her and her friends.
Click Here to View Full Article
"Between Phishers and the Deep Blue Sea"
CNet (07/18/05); Kawamoto, Dawn
- Hackers are often based in India, Korea, or China, with differing time zones and language barriers increasing the difficulty facing security enforcement agencies in the United States. The most prevalent cyberattacks are carried out by a network of zombies, or compromised computers that are remotely controlled without notification to the computer's owner. Currently, China is home to 21 percent of new zombies with the United States at 17 percent and South Korea at 6.8 percent, according to CipherTrust. Hackers overseas are carrying out attacks due to a high prevalence of broadband in China and South Korea but a lack of proper security software, according to Anti-Phishing Working Group Chairman David Jevans. Another factor boosting the prevalence of overseas attackers is that even small amounts of money provide a far greater incentive to a hacker in a developing country than to a hacker in the United States. The Forum of Incident Response & Security Teams, an international clearinghouse for response to security incidents among government agencies, universities, and organizations, recommends companies implement a computer security incident response team, keep security patches and antivirus software updated, monitor network traffic for strange behavior, and join security groups in order to share valuable security information among members. Meanwhile, a broad, international coalition of trade groups, companies, and law enforcement organizations is working to stem cyberattacks from abroad by tightening global cooperation and establishing automatic filtering systems to block email traffic from specific regions. HoneyNet Project President Lance Spitzner says today's hackers are in it for the money, not fame. He says, "It's not so much a security issue. It's a crime issue now."
Click Here to View Full Article
From New York Times, July 17, 2005
A Pass on Privacy?
by Christopher Caldwell
- E-ZPass is one of many innovations that give you the option of trading a bit of privacy for a load of convenience. Read the article.
From New York Times, July 16, 2005
What to Do After Your Data Is Stolen
by M.P. Dunleavey
- Another kind of headache started with some of the advice given to me as an identity theft victim - advice that sounds solid and sensible, but does nothing or may even make matters worse.
Someone should really test-drive this stuff, so allow me .... Read the article.
From EduPage, July 18, 2005
University Charges Cybersquatting
Detroit News, 18 July 2005
- A Minnesota-based company has raised the ire of a number of colleges and universities after registering more than 23,000 URLs, many of which imply a connection to the schools that does not exist. BDC Capital Inc. has registered such URLs as www.universityofmichiganwolverines.com, which is not affiliated with the University of Michigan at all, and www.uofmgophers.com, which has no connection with the University of Minnesota. Marvin Krislov, general counsel at the University of Michigan, which has sent the company a cease-and-desist order, called the URLs a "pretty clear violation of trademark," noting that reasonable people would likely assume a connection between the site and the institution. A spokesperson from BDC said the company does not believe it has violated any trademarks. He said the company believes that the URLs "represent a significant asset to both BDC and the schools," saying that BDC anticipates a "partnership" with the schools to sell souvenirs and other items.
http://www.detnews.com/2005/technology/0507/18/0tech-250797.htm
Study Shows Drop In Damages From Cyber Attacks
The Register, 18 July 2005
- A new study shows a significant drop in the amount of damage caused by cyber attacks as well as a shift in the kinds of attacks that are most commonly reported. Researchers from the University of Maryland conducted the Computer Crime and Security Survey on behalf of the Computer Security Institute (CSI), with consultation from security experts at the FBI. The survey questioned IT security officials at 700 private companies, governmental agencies, and universities and found that the average cost per security incident was $204,000, down from $526,000 a year earlier. Viruses remain the most frequent type of attack (32 percent), but unauthorized access rose to second on the list at 24 percent. Chris Keating, director of CSI, noted that schemes to steal individuals' identities are a growing concern. The survey, he said, indicates "more financial damage due to theft of sensitive company data," a trend that should press network managers to ensure the security of enterprise systems.
http://www.theregister.com/2005/07/18/csi_fbi_security_survey/
While Computer Attack Costs are Down, Data Theft Costs Increase
Computerworld 18 July 2005
- A survey from the Computer Security Institute (CSI) and the FBI found that the average losses due to computer attacks dropped 61% in 2004. The 700 companies and government agencies who responded to the survey reported an average cost for cyber attacks of US$204,000 in 2004 compared to an average of US$526,000 in 2003. This is the fourth consecutive year in which the cost has dropped. However, the cost associated with information theft has increased more than US$51,000 from last year. Theft of proprietary information cost the respondents an average of US$355,000 in 2004, compared to US$169,000 in 2003.
http://www.computerworld.com/printthis/2005/0,4814,103301,00.html
From ACM's TechNews, July 18, 2005
"How to Make Safer Software"
Wall Street Journal (07/18/05) P. R4; Guth, Robert A.
- As software has filtered down to virtually every aspect of our lives, developers have begun to realize that the bells and whistles that used to drive sales of their products must take a backseat to fundamental security and quality provisions. In a recent interview, Cigital CTO Gary McGraw highlights the shift toward accountability that is defining today's software industry, as evidenced by the Sarbanes-Oxley Act and other standards of security-driven compliance. The trend is to knit security measures into the fabric of the software, rather than to address it after implementation through firewalls and antivirus programs whose vulnerabilities have already been exposed. Also, more companies in non-software industries, such as banks, credit card companies, and automobile manufacturers, are starting to look at software development in house. McGraw cites Microsoft as having emerged from its earlier practice of relying on features to drive software sales to a more responsible, quality-focused approach that has enhanced the security of its software and further solidified its dominance in the market, even if the company is still not perfect. McGraw recommends that developers incorporate software assurance throughout the design of every package, which entails considering the end requirements of a system as well as the potential threats hackers may pose to it. To fully integrate software with the business community, developers must also overcome the language barrier and speak in terms that have instant relevance to the bottom line, instead of burying themselves in impenetrable technical rhetoric. In the face of foreign competition, McGraw believes U.S. software companies can retain their preeminence through forward-looking risk management and needs assessment, even if India and China can offer coders who work for lower wages.
From EduPage, July 13, 2005
Coalition To Release Spyware Definition
CNET, 12 July 2005
- The recently created Anti-Spyware Coalition is set to release a definition of spyware. According to officials from the group, the first step toward dealing with the growing problem of spyware and adware is to define very clearly what it is. The group's proposed definition, which the public can comment on until August 12, identifies spyware as software that is installed without adequate notification and that monitors computer users' activities. The group also proposes a broader definition that would include software that interferes with users' abilities to properly control their systems. Critics of the group's definitions argue that makers of spyware and adware stand to benefit the most from such a definition because it clearly delineates what they could do and get away with. After the comment period is closed, officials of the Anti-Spyware Coalition will incorporate the best suggestions into the final definitions.
http://news.com.com/2100-1029_3-5783926.html
From EduPage, June 29, 2005
Security Community Bemoans Loss Of Hacker Magazine
Silicon.com, 11 July 2005
- Long-time hacker magazine "Phrack" will stop being published this year after nearly 20 years as an information exchange for computer mischief, and at least some computer security experts believe computer users will be less safe after it is gone. Hackers have routinely undermined their own efforts by revealing their successes at compromising systems or causing other damage. Pete Simpson of computer security firm Clearswift noted that although the magazine makes computer exploits available to those who would use them to cause harm, by definition it also makes them available to the community of users working to protect computers from hackers. Simon Perry, vice president of security strategy at Computer Associates, said that security experts will still be able to find information about new exploits but that "Phrack was great as a one-stop shop" for such information. Simpson commented that after Phrack shuts down, younger hackers are likely to develop new vehicles to tell the world about their triumphs, once again leveling the playing field.
http://software.silicon.com/security/0,39024655,39150241,00.htm
From Queue, June 25, 2005
The Answer is 42 of Course
- If we want our networks to be sufficiently difficult to penetrate, we've got to ask the right questions. Read the Article.
From ACM's TechNews, July 8, 2005
"Schools Looking for Ways to Lure More Minorities"
Triangle Business Journal (07/01/05); Sutker, Colin
- Undergraduate enrollments in computer science programs, which have tended to lean toward the white male demographic, are shrinking. This is spurring computer science departments to study their student populations in order to ascertain the reasons why they are failing to lure minorities, so that they can take action. University of Virginia professor Joanne Cohoon believes white males' attraction to computer science and the erosion of the white male majority in the United States are draining the pool from which the U.S. IT workforce is drawn. Auburn University computer science professor Juan Gilbert says innovation in computer science programs is suffering because diversity is lacking, since students with common backgrounds follow a common problem-solving model that limits their creativity. He adds that minorities are often discouraged from pursuing computer science because they have few peers or role models, which perpetuates the stereotype that their mathematical skills are sub-par. Getting more minorities interested in computer science by providing role models to young students is the mission of organizations such as the Coalition to Diversify Computing and the Institute for African-American E-Culture. Meanwhile, the National Science Foundation has taken a leading role in national initiatives to boost minority enrollment by establishing the Broadening Participation in Computing program, which apportions grants to colleges for programs designed to increase minority participation from a $14 million fund.
Click Here to View Full Article
From ACM's TechNews, July 8, 2005
"How Secure Is Federal 'Cybersecurity'?"
Fox News (07/07/05); Vlahos, Kelley Beaucar
- Although the protection of America's cyber-infrastructure has been of primary concern since 9-11, official reports and industry experts concur that the U.S. government's cybersecurity effort comes up drastically short, focusing on short-term "band-aid" solutions instead of a long-term strategy. Observers blame a dearth of leadership and a failure to keep pace with the rapid appearance of new dangers. A February report from the President's Information Technology Advisory Committee (PITAC) attributed America's cybersecurity woes to inadequate R&D funding, refusal to share Federally developed technologies with the private sector, and general apathy in Washington; critics and PITAC co-chairman Edward Lazowska say little has been done to address these issues in the five months since the report was submitted. A May report from the Government Accountability Office (GAO) concluded that the 13 critical security protocol implementation objectives the GAO recommended to the Department of Homeland Security remain unrealized, citing the continued lack of national cyberthreat and vulnerability evaluations or government-industry contingency recovery strategies. Beefing up the cybersecurity of America's critical infrastructure will remain an elusive goal until DHS tackles the challenges of organizational stability, information-sharing between government agencies as well as the government and the private sector, and the demonstration of effective cyberattack prevention, according to the GAO. Also in May, DHS took issue with an earlier DHS Inspector General's report that spotlighted security problems in several DHS agencies, arguing that significant improvement to U.S. cybersecurity has been made.
Click Here to View Full Article
From ACM's TechNews, July 1, 2005
"Antispam Proposals Advance"
CNet (06/29/05); Festa, Paul
- The Internet Engineering Steering Group (IESG) announced that it has adopted two competing antispam technologies, citing both as still "experimental." Microsoft, AOL, and others have been competing for control of the antispam market, which now appears to be divided between the Sender Policy Framework (SPF) and Sender ID. Microsoft backs Sender ID, which it sees as a more sophisticated version of SPF. Microsoft's Samantha McManus says, "We're glad to see Sender ID's experimental status, and we think email authentication is very important for addressing spam and phishing. That said, we definitely have more to do." Both technologies have been accepted by email providers, though the IESG, a division of the Internet Engineering Task Force (IETF), believes the experimental trial is necessary to solidify standards. As an alternative, Cisco backs Yahoo's DomainKeys as its authentication and antispam application. The IESG said, "Given the importance of the worldwide email and DNS systems, it is critical that future standards support their continued stability and smooth operation."
Click Here to View Full Article
"The Answer Is 42 of Course"
Queue (06/05) Vol. 3, No. 5, P. 34; Wadlow, Thomas
- Independent security consultant Thomas Wadlow writes that the role people play in online security makes absolutes irrelevant, and he advises companies to base the defense of their security systems on the fundamental question of how the network can be designed so that it is "safe enough." Many cases of successful network intrusions stem from either lax design or highly motivated hackers, leading Wadlow to formulate a two-pronged strategy to defend against intruders with sufficient skill, motivation, and opportunity: The first goal is to design the network to require a very high level of skill and motivation for an attacker and present as little opportunity as possible for successful attacks, while the second goal is to determine where and how much effort to devote to the process. In the category of skill, questions to be asked include how hackers build their skills with off-the-shelf software; how companies can maximize the amount of skill hackers need to breach networks and minimize the amount of skill needed to operate network defenses; how the acquisition of network knowledge by attackers can be prevented; and how to tell that a network is under attack. Questions to be raised on the subject of motivation include how or why people are provoked to attack the network; whether the company's defensive actions encourage or discourage an attacker's motivation; and what would motivate people not to attempt intrusions. To keep a hacker's opportunities to attempt a break-in as low as possible, the company should clearly identify opportunities, and determine if all network entrances and exits are known and that the network is built in accordance with company assumptions through constant measurement. Because the most skilled, motivated, and opportunistic hackers often work for the company, care must be taken to establish who are trustworthy and untrustworthy employees or ex-employees, who are the most potentially dangerous insiders, and how to keep the people who can cause a security problem happy, engaged, and mindful of the potential for trouble as well as the fallout from an intrusion.
From EduPage, June 29, 2005
Phishers Locked Up
CNET, 29 June 2005
Two men have been sentenced to prison in Britain for orchestrating a phishing scheme that used stolen identities to pilfer as much as 6.5 million pounds over two years. Douglas Harvard and Lee Elwood were sentenced to six and four years respectively for their parts in the phishing ring, which authorities said garnered at least 750,000 pounds during one 10-month period. The men allegedly worked with individuals in Russia to traffic in personal information and the money stolen using that information. Mick Deat, deputy head of Britain's National Hi-Tech Crime Unit, issued a statement thanking the U.S. Secret Service and the FBI for their assistance in the investigation. The statement also expressed Deat's hope that the convictions will discourage others who might consider such scams.
http://news.com.com/2100-7348_3-5766860.html
From ACM's TechNews, June 29, 2005
"Cybersecurity Group Looks to Europe for Help"
IDG News Service (06/27/05); Pruitt, Scarlet
- Former White House security director and current Cyber Security Industry Alliance (CSIA) executive director Paul Kurtz on Friday called the global information systems security threat "high risk," and warned that federal agencies are "taking information security for granted." Kurtz left his position at the White House because he disagreed with the emphasis on physical security over information security. At CSIA, Kurtz is working along with CEOs from security companies on global cybersecurity issues, such as developing policies with cooperation from a variety of concerned players and improving prevention standards. Kurtz laments the U.S. government's reduced spending on cybersecurity research and development, and says some in government wrongly believe that most cyber mischief is the work of geek teenagers instead of professional criminals. Kurtz says CSIA is pushing the private sector to develop strategies to mitigate cyberthreats, focusing on a holistic approach that involves many affected parties. CSIA is already working with the European Union's Article 29 working group on data protection, and plans to eventually extend their work into Asia. In the U.S., Kurtz hopes CSIA's efforts will push the U.S. government to take more action. He says, "We need to raise these issues, but at the same time, we need to make sure that the government doesn't overreact."
Click Here to View Full Article
From ACM's TechNews, June 27, 2005
"Microsoft Pushing Spam-Fighting System"
Associated Press (06/22/05); Jesdanun, Anick
- Despite the fact that Microsoft's spam-fighting technology Sender ID delivers about 10 percent of legitimate email messages to junk folders, the company announced plans to become more aggressive at rejecting mail sent through company or service providers not registered with the Sender ID system by the end of this year. The system requires that ISPs, companies, and other domain name holders submit their mail servers' unique IP addresses, so the Sender ID system can verify emails were sent from those particular IP addresses, but only about 25 percent of email currently has the necessary Sender ID data. The Internet Engineering Task Force disbanded its Sender ID task force last September amid patent disputes, but nevertheless encouraged Microsoft and others to continue developing their spam-fighting systems. The Direct Marketing Association's Jerry Cerasale believes Microsoft's move is "a necessary step to protect both corporate brands and consumer confidence." Microsoft's Craig Spiezle acknowledged that some critics of the Sender ID system are concerned about disruption of mail-forwarding services or "send to a friend" links. Spiezle asserts that Microsoft is monitoring the situation to prevent any such disruptions.
Click Here to View Full Article
From ACM's TechNews, June 27, 2005
"Viruses, Security Issues Undermine Internet"
Washington Post (06/26/05) P. A1; Cha, Ariana Eunjung
- The Internet is falling prey to a growing body of security threats, as the network with a billion users but no owner still relies essentially on a global honor system. "The Internet is stuck in the flower-power days of the '60s during which people thought the world would be beautiful if you are just nice," says Karl Auerbach, a computer scientist working actively to improve the security of the Internet. Increased security concerns and the growing feeling that the current Internet will never realize its promise are leading many to advocate a second look at the network, a so-called Internet 2.0. As the Carnegie Mellon CERT Coordination Center reported an increase in the number of vulnerabilities from 1,090 in 2000 to 3,780 in 2004, a unified response has been hindered by disputes over property ownership and profits. The Internet's architects never spent much time thinking of defenses to internal attacks, focusing instead on external threats, such as natural disasters, while ignoring the central threat the network now faces. As the number of users proliferates and hackers develop increasingly devious ways to attack Web sites and compromise security, some have speculated that instead of applying temporary patches, portions of the Internet will need to be rebuilt from the ground up. As current governing bodies exert only a tenuous regulatory authority over the Internet, there have been calls for turning control over to an established central organization, such as the United Nations. Amidst the scramble to define the next generation of the Internet, security remains the prime mover in a field of diffuse visions. 
Some companies are heralding "return addresses" for emails that would remove the mystery of a sender's identity, and others, such as the small academic coalition Internet2, advocate a compartmentalized Internet where users would convene in small groups created for very specific purposes, such as a chat room for parents of children on the same soccer team or some other easily-defined group that would deny access to anyone not of that community.
Click Here to View Full Article
From ACM's TechNews, June 24, 2005
"Better PC Security Years Away"
TechNewsWorld (06/22/05); Mello, John P.
- The immediate future of secure computing will more closely resemble a mainframe than a PC, until an enhanced operating system and better hardware are developed. In the meantime, researchers are working on technologies to improve PC security, such as the Trusted Platform Module (TPM), which establishes a secure hardware zone inside a PC to confidently support security programs. Intel, AMD, and Microsoft are also jumping on board with their own PC security applications. Intel's Chad Taggard said, "What we're doing with this hardware and the Trusted Platform Module is taking best known security methods and putting them where people can't tamper with them." AMD's technology solves the "warm boot hole" problem that opened the door to hackers accessing data in a computer that had just been restarted, with its power still on, by wiping the immediate memory. Microsoft's next Windows version, code-named Longhorn, will be vital to their own Next-Generation Security Base (NGSCB), as well as the future of the secure PC in general, though by some estimates the technology will not be fully actualized until 2009 or 2010. Computer Associates' John Bedrick cautioned, "These aren't going to be a panacea for everything." He adds that while there are no sure bets, "what we all try to do is improve what we have and try to get ahead of the curve as much as possible," allowing that hackers will evolve just as security technologies do.
Click Here to View Full Article
From ACM's TechNews, June 22, 2005
"Snoozing About Security"
CNet (06/17/05); Cooper, Charles
- The two-year-old Department of Homeland Security (DHS) cybersecurity division has gone through three cyberczars and millions of taxpayer dollars with no progress in the quest to control the increasing number of worm and virus attacks, writes CNet executive editor Charles Cooper. In an Internet poll, most Americans doubt the U.S. government is doing enough in terms of cybersecurity with just 28 percent reporting that the government is doing a good job. Pending legislation establishing an Assistant Secretary for Cybersecurity and the DHS Cybersecurity Enhancement Act of 2005 increasing funding and authority are both meant to help improve cybersecurity. A report from the Government Accountability Office (GAO) determined significant structural and cultural problems among federal agencies. The GAO suggests creation of security milestones to help improve progress in cybersecurity, but the DHS rejected the recommendations and called for more "clarifications." GAO report author David Powner and other security experts fear a combined cybersecurity and physical terrorist attack due to ongoing vulnerabilities. Powner says, "If you look at the recovery plans (DHS has in place), more work needs to be done. If you look at reconstituting the Internet if there were an event that took down the network, there's still not a plan in place."
Click Here to View Full Article
"Common Criteria or Common Confusion?"
SD Times (06/01/05) No. 127, P. 5; de Jong, Jennifer
- The process of certifying the security of commercial software is not necessarily flawed, but the two dimensions of the Common Criteria result in some confusion, according to Mike Wolf, general manager of the advanced products engineering group at software vendor Green Hills. Common Criteria, which consists of a process for evaluating technical remedies to security threats and a set of standards for specifying the threats, is confusing because it has two dimensions to its rankings, says Wolf. While the first dimension, the Protection Profile, refers to the specific security requirements that were tested, the second dimension, the Evaluation Assurance Level, ranges from EAL1 (low) to EAL7 (high) to indicate how confident evaluators are about the product's ability to deliver on its security claims. People often focus on the second dimension, but it must be considered in relation to the first dimension. For example, Microsoft received a Common Criteria certification for Windows 2004 at the competitive EAL4 ranking, but its first dimension Controlled Access Protection Profile (CAPP) represents a minimal level of security functions. As IBM's Dan Frye explains, "you can have a high level of confidence about a minimal set of security functions." CC became an international standard in 1993 as the introduction of country-specific security initiatives fell out of favor in the United States, Canada, and European countries.
Click Here to View Full Article
From EduPage, June 27, 2005
University Of Connecticut Discovers Security Breach
New York Times, 24 June 2005
- Officials at the University of Connecticut have discovered a breach of one of the university's servers, which contained personal information for about 72,000 individuals. According to Michael Kerntke, a spokesperson for the school, the university found a program on the server that could have given a hacker access to the information on that computer, which included names, addresses, phone numbers, Social Security numbers, and dates of birth. Although the program has evidently been on the server since October 2003, officials said there was no evidence that any of the data had actually been taken. Kerntke noted that the program seems to have been part of a broad Internet attack rather than one specifically directed at the university. As a result, he said, "the attacker most likely had no knowledge of the kind of data stored on the server."
(registration req'd) http://www.nytimes.com/2005/06/25/technology/25conn.html
From EduPage, June 24, 2005
Choicepoint Changes Practices To Avoid Repeat Disclosure
Wall Street Journal, 24 June 2005
- Following the high-profile loss of personal information on nearly 145,000 individuals, data broker ChoicePoint said it will make significant changes to its business procedures to prevent future security breaches. In its reports, the company will begin masking Social Security numbers, and it will limit the amount of business it conducts with certain customers, including private investigators, collection agencies, and small financial companies. ChoicePoint has also begun offering access to individuals--at no charge--to the information that the company keeps on them. Though not widely advertised, the new service provides one annual report of "personal public records" searches. ChoicePoint currently maintains a vast database of information culled from public and business records on nearly every adult in the United States. After the security breach that exposed so many individuals to identity theft, Congress held hearings on ChoicePoint and other data brokers and is considering tightening regulation of the data industry.
(sub. req'd) http://online.wsj.com/article/0,,SB111957007176668246,00.html
From EduPage, June 15, 2005
Spyware Charges Result In $7.5 Million Settlement
Reuters, 15 June 2005
- California-based Intermix Media will pay New York State $7.5 million over three years to settle a spyware lawsuit. In the suit, New York Attorney General Eliot Spitzer had charged the company with violating state false-advertising and deceptive-practices laws. Intermix acknowledged that it formerly distributed software that was surreptitiously installed on users' computers, though as part of the settlement the company admitted no wrongdoing. Intermix had previously suspended the distribution of the software at issue; with the settlement, the company will permanently discontinue the practice.
Intermix has also created a position of chief privacy officer since the lawsuit was originally filed, and officials from the company said they have cooperated with federal regulators.
Read the article
Survey Shows More Bad Guys Turning To Browser Attacks
CNET, 14 June 2005
- According to a new survey by the Computing Technology Industry Association (CompTIA), the incidence of browser-based attacks rose sharply last year, while that of viruses and worms fell slightly.
Browser-based attacks exploit the naivety of computer users, as in the case of phishing attacks, or technical vulnerabilities in browser or operating system software. Phishing scams work by fooling users into disclosing private information; other attacks attempt to download malicious code to the computers of visitors to a Web site to steal information or take control of the computer. According to CompTIA's survey of nearly 500 organizations, 56.6 percent have been targets of browser-based attacks, up from 36.8 percent one year ago. Viruses and worms continue to head the list of computer security threats, at 66 percent, which is just down from last year's number of 68.6 percent.
Read the article
From EduPage, June 13, 2005
Former Student Convicted Of Stealing Data
Chronicle of Higher Education, 13 June 2005
- A former student of The University of Texas at Austin has been found guilty of writing a computer program that stole names and Social Security numbers from about 37,000 students, faculty, and others associated with the university. The jury found Christopher Andrews Phillips not guilty, however, of intending to profit from the data he stole. Phillips, who is now a senior at the University of Houston, said he wrote the program as part of his computer training and never had any intention of using the information. The theft took place in 2002 and 2003, when Phillips's program made more than 600,000 inquiries to a UT database, trying to match names with Social Security numbers. UT officials detected the activity and traced it to Phillips, whose computer was seized with the program he wrote and the data it had harvested. Phillips faces up to six years in prison; had he been convicted of the other charges, he would have faced close to 30 years.
(sub. req'd) http://chronicle.com/prm/daily/2005/06/2005061301t.htm
Liberty Alliance Addresses Id Theft
CNET, 13 June 2005
- The Liberty Alliance has announced the formation of an Identity Theft Protection Group, intended to address the problem of identity theft.
The alliance was created in 2001 to establish standards for online authentication and now has a membership of more than 150 companies, nonprofits, and government organizations. Michael Barrett, co-chairman of the new group and a security executive at American Express, said he believes the problem of identity theft will continue to worsen such that "it is no longer a question if your identity gets stolen, but when." The new group will initially work to clearly define the problem and its parameters and later will try to develop solutions, which, according to Barrett, might include technical specifications, best practices, or business guidelines. James Van Dyke of Javelin Strategy and Research, which covers identity fraud, noted that despite perceptions otherwise, the incidence of identity theft has been decreasing over the past few years.
Read the article
From EduPage, June 6, 2005
Spam Fighters Form New Coalition
Silicon.com, 3 June 2005
- A new group tentatively called the Anti-Spyware Coalition plans to publish guidelines to define spyware, best practices for software development, and a lexicon of common terms by the end of the summer.
The guidelines will be open to public comment. The Center for Democracy and Technology, a public advocacy group based in Washington, is running the new initiative. The coalition formed two months after the collapse of the Consortium of Anti-Spyware Technology Vendors, which admitted a company suspected of making adware. According to David Fewer, staff counsel at the Ottawa-based Canadian Internet Policy and Public Interest Clinic, which is affiliated with the new consortium, judging whether software is spyware comes down to notice, consent, and control.
Many adware and spyware products fail to meet all three requirements.
Read the article
From ACM's TechNews, June 13, 2005
"Internet Security...Writ Very Small"
Network World (06/06/05) Vol. 22, No. 22, P. 1; Messmer, Ellen
- Iowa State University researchers have developed a version of the Internet in microcosm to be used as a cyber-defense test bed, according to computing professor and project leader Doug Jacobson. The Internet-Simulation Event and Attack Generation Environment (Iseage) was funded primarily by a $500,000 grant from the Justice Department, which has promised an additional $700,000 for this summer. Iseage, which resides on a high-speed LAN, was used by students engaged in Iowa State's Cyber Defense Competition last month. The contest involved teams who defended Web sites running on Windows, Unix, and open source operating systems against security professionals representing hackers. Iowa State student and winning team member Sean Howard says the battle waged on Iseage imparted the experience of defending a corporate network. Jacobson says simulating the complexities of real-life cyberattacks is commercially desirable; "Our goal is to have [Iseage] as a point where organizations can test security paradigms," he explains. Iowa State will permit organizations to use Iseage to model their networks with defense in mind, for an as-yet undisclosed fee. It is also expected that the state of Iowa will employ Iseage to assess its network's resiliency against various cyberattack scenarios.
Click Here to View Full Article
"The Looming Threat of Pharming"
InfoWorld (06/06/05) Vol. 27, No. 23, P. 39; Leon, Mark
- Pharming exploits the requirement that all URLs must be converted into IP addresses via the domain name system (DNS), and the hacker who successfully "poisons" a DNS server will cause that server to respond to an authentic URL request with a bogus IP address. Upon arriving at the phony site, the victim enters an ID, password, and personal identification number, only to receive a pop-up window that claims the password is invalid; the victim then re-enters the data, by which time he has been sent back to the real site, unaware that his account is now open to the hacker. Security experts and analysts agree that the most effective deterrent against DNS poisoning is to ensure that one has the latest DNS software and security patch updates, and they recommend that users running Berkeley Internet Name Domain (BIND) should upgrade to Version 9, which is more or less immune to poisoning compared to earlier iterations. "If you lock down all your servers and make sure they are only pulling off root cache servers, it is going to be very difficult for a hacker to pharm you," says TraceSecurity CTO Jim Stickley. SANS Institute analyst Johannes Ullrich cautions that this do-it-yourself strategy entails a lot of work, given the complexity of maintaining the DNS. The IETF's decade-old DNS Security (DNSSEC) protocol is acknowledged by many experts to be the ultimate defense against pharming, because it facilitates the encryption and signing of DNS data. However, Ullrich says this solution is impractical, a conclusion echoed by Burton Group analyst Dan Golding, who describes DNSSEC as "horrendously complex." He also notes that the inherent difficulty and cost of pharming is such that the number of pharming hackers should be relatively small, though Stickley says the presence of vulnerable DNS servers ensures that pharming will explode, sooner or later.
Click Here to View Full Article
From ACM's TechNews, June 10, 2005
"Computer Viruses Become Hacker Informants"
New Scientist (06/09/05); Marks, Paul
- Security experts have discovered an emerging class of malware called vulnerability assessment worms that keep hackers apprised of the latest computer-network vulnerabilities so they can refine their cyberattack strategies or even target individual machines. Once the worms contaminate a network, they scan for security holes and report back to hackers via an Internet chatroom; scores of computers compromised by "bot" viruses are frequently directed through a chatroom link, and are often used to distribute spam or knock out Web sites with a denial of service attack. Symantec's Kevin Hogan says new viruses are coming out of the woodwork in ever-increasing numbers because the source code for many programs is freely available online. Computer security expert Bruce Schneier notes in the June 2005 edition of the ACM's Queue magazine that over 1,000 new viruses and worms were uncovered in just the last six months, and points to the SpyBot.KEG worm as one of the most advanced forms of vulnerability assessment malware. The program informs its creator about vulnerabilities through an Internet Relay Chat (IRC) channel, and Schneier anticipates the emergence of even more complex IRC worms of a similar nature, as well as the use of peer-to-peer file-trading networks as launching platforms for new viruses. Hogan says the bot-hacker communication channel can be blocked with strong firewalls, while the IRC these hackers use can also be their undoing, since a hacker can be easily tracked once the authentic IP address of the IRC channel host is learned.
Click Here to View Full Article
From ACM's TechNews, June 6, 2005
"Device Drivers Filled With Flaws, Threaten Security"
Security Focus (05/26/05); Lemos, Robert
- Although operating system code has improved in recent years, device drivers still have numerous flaws that threaten operating system security. The responsibility of securing device driver code lies primarily with the third-party hardware vendors that create the drivers, but also with Microsoft and the Linux development community. Automated code-checking firm Coverity said an audit of the Linux 2.6.9 kernel code revealed that over 50 percent of the discovered flaws existed in device drivers. Though those flaws may not have been exploitable, they do reflect on the overall quality of code, says Coverity CEO Seth Hallem. Microsoft's Windows software development process includes provisions for checking third-party code shipped with the operating system and the company has an initiative to improve device driver development. The Linux kernel has been consistently audited for security, but the kernel source tree contains huge numbers of outdated device drivers, says Novell software engineering director Crispin Cowan. Of particular concern are drivers with direct memory access such as USB drivers, graphics drivers, and sound drivers, since code launched from those can overwrite system memory. Networking, wireless, and Bluetooth drivers are the only ones that are vulnerable to remote access, however. Open Source Development Labs Linux evangelist Bill Weinberg says driver exploits are also limited by the fact that many of them will simply crash the system.
From New York Times, June 9, 2005
The Scramble to Protect Personal Data
by Tom Zeller Jr.
- The problem of data security goes well beyond couriers and data tapes. And improving things takes time and money.
Read the article.
From ACM's TechNews, June 3, 2005
"Has Ransomware Learned From Cryptovirology?"
NewsFactor Network (06/02/05); Young, Adam L.
- The Trojan recently reported in the media to hold victims' data hostage is probably not a true cryptovirus, writes infosec researcher Adam Young, who pioneered cryptovirology research along with his Columbia University professor Moti Yung. But the news shows criminal hackers are likely to begin wielding cryptographic tools more frequently in their activities, especially public-key cryptography. According to the Associated Press and F-Secure, the so-called "Ransomware" attack was actually easily foiled--F-Secure said its anti-virus product was able to detect the Trojan and decrypt the hostage files; however, cryptoviruses such as those demonstrated in Young's research promise to be much more powerful because they leverage public-key cryptography instead of symmetric encryption alone. With true cryptoviruses, victims would necessarily have to cooperate with the hacker to decrypt the symmetric key using the hacker's private key. Young wrote his thesis on cryptovirus attacks in 1995 and published a paper together with Yung at the 1996 IEEE Symposium on Security & Privacy, and over the next decade they gathered more research and evidence of cryptovirus attacks and documented attempts to hold data hostage. In February 2004, the researchers published their compiled work in the book "Malicious Cryptography: Exposing Cryptovirology." Because of his experience in the field, Young warns that it is only a matter of time before an attacker develops and releases a true cryptovirus or cryptoworm that could affect thousands of users. He urges the IT industry to take previously collected research seriously and begin building in defenses against such attacks.
Click Here to View Full Article
"'Silent Horizon' War Games Wrap Up for the CIA"
Associated Press (05/26/05); Bridis, Ted
- The CIA's Information Operations Center is conducting a three-day exercise dubbed "Silent Horizon" that simulates a prolonged cyberterrorist attack that could potentially cause as much damage and disruption as the Sept. 11, 2001, attacks, say exercise participants who want to remain anonymous. Although the government seems more concerned about biological attacks and physical threats from terrorists, FBI director Robert Mueller admits terrorists are actively recruiting computer scientists. Mueller says terrorists currently lack the resources for such a large-scale electronic attack on the United States. A previous cyberterrorism exercise, known as Livewire, determined government agencies may remain unaware of early-stage cyberterrorist attacks without the support of private technology companies. Dennis McGrath, who helped coordinate similar exercises for Dartmouth College's Institute for Security Technology Studies, says, "You hear less and less about the digital Pearl Harbor...It's just not at the top of the list." About 75 people took part in Silent Horizon at the secretive Information Operations Center, which studies cyber threats to the U.S.'s computer networks.
Click Here to View Full Article
From ACM's TechNews, June 1, 2005
"Privacy Matters"
Washington Technology (05/23/05) Vol. 20, No. 10, P. 1; Lipowicz, Alice
- Privacy proponents' increased emphasis on enhancing the collection, storage, and sharing of personal information with more protective measures has sparked expectations of a legislative mandate for more rigorous controls over personal information. However, it remains uncertain as to how the government plans to balance out the often antagonistic goals of privacy rights and national security. "The question is: How do you do what you need to do while minimizing the damage to civil liberties and rights?" says consultant Ramon Barquin. Better data security alone does not adequately address privacy concerns, which have been key factors in the delay, reassessment, or cancellation of high-profile anti-terrorism projects such as the Transportation Security Administration's CAPPS II airline passenger screening initiative, the Pentagon's Total Information Awareness data mining program, and the Justice Department's Terrorist Information and Prevention System. Homeland Security officials insist that their department's privacy office has stepped up efforts to address privacy issues earlier; DHS Privacy Officer Nuala Kelly earned some credibility with a report on certain improprieties of TSA staff during the early development of CAPPS II that probably helped hasten the program's termination, yet many say her office does not carry sufficient clout. "The chief privacy officer needs the independence and adequate authority to properly evaluate the privacy concerns of the department, outside political pressures," noted the House Homeland Security Committee's Rep. Bennie Thompson (D-Miss.) last month. Congress is mulling a batch of proposals to reduce ID theft while strengthening privacy protections, including the establishment of a national privacy and civil rights oversight board.
Click Here to View Full Article
"Hacker Hunters"
BusinessWeek (05/30/05) No. 3935, P. 74; Grow, Brian; Bush, Jason
- To counter the growing threat of professional, profit-driven cyber-criminals, enforcement agents or "hacker hunters" are combining the latest cybercrime deterrents with traditional tactics such as infiltration and the Internet equivalent of wire-tapping to topple and successfully prosecute online crime rings. The need to prevent cybercrime has never been more crucial, as the damage caused by hackers is growing steadily worse, while enforcement agencies are underfunded and underequipped. The urgency of the situation has not only helped cultivate smarter federal, state, and local agencies, but greater collaboration between them; in addition, cybercrime legislation is being pursued more aggressively. The highly publicized takedown of the ShadowCrew hacker gang by the Secret Service is a case study in how both the nature of cybercrime and anti-cybercrime strategy are changing. ShadowCrew's suspected ringleaders allegedly ran shadowcrew.com as an international clearinghouse for stolen credit cards and identity documents, and the gang reportedly had 4,000 members worldwide: Two people administered the Web site and recruited members; "moderators" hosted online forums where members could share tips on hacking and ID theft; "reviewers" obtained and tested merchandise; and "vendors" bought and sold on the site, mostly through online auctions. The Secret Service enlisted an insider to act as an informant, created and used a gateway to locate gang members, and coordinated an international crackdown on ShadowCrew by state and local police and authorities in six foreign countries. The biggest obstacle law enforcement faces in curbing cybercrime is its worldwide scope. Countries with weak hacking laws and flimsy enforcement are havens for cyber-criminals, who can also tangle up the trail for investigators by keeping servers in a separate country.
Click Here to View Full Article
From EduPage, June 1, 2005
Colleges Learn About Identity Theft From An Identity Thief
New York Times, 29 May 2005
- As part of its efforts to increase awareness about student loan fraud, the Department of Education is distributing a DVD to colleges and universities of an interview with a convicted identity thief. As part of his plea agreement, John E. Christensen was interviewed by authorities to create the DVD, in which he describes how, over a period of three and a half years, he used the identities of more than 50 individuals to defraud the government of more than $300,000 in federal student grants and loans. Each year, the Department of Education disburses about $65 billion in financial aid. In the interview, Christensen, who is serving his prison sentence in Arizona, explains how he fraudulently obtained personal information and used it to register for classes and apply for financial aid. Because financial aid processes take place largely online, defrauding the government is "becoming easier and easier all the time," said Christensen. "You never have to see anybody."
(registration req'd) http://www.nytimes.com/2005/05/30/national/30fraud.html The DOE website is at http://www.ed.gov/about/offices/list/oig/misused/index.html.
From EduPage, May 27, 2005
Hackers Hit Stanford
Silicon.com, 26 May 2005
- Officials at Stanford University and the FBI are investigating a computer breach at the university's Career Development Center (CDC) earlier this month that may have exposed personal information on as many as 10,000 individuals. Most of those affected are students, though a small number are recruiters who had registered with the CDC. Information that might have been improperly accessed includes names, Social Security numbers, financial information, and, in some cases, credit card numbers. The university is notifying those possibly affected by the breach, in compliance with the 2003 Security Breach Information Act. That law requires organizations to inform California residents any time their personal information might have been accessed without authorization. http://software.silicon.com/security/0,39024655,39130758,00.htm
GAO Says DHS Unprepared For Cybersecurity
CNET, 26 May 2005
- The Government Accountability Office (GAO) has issued a report strongly critical of the readiness of the Department of Homeland Security (DHS) to deal with threats to the nation's cybersecurity. According to the report, DHS "has not fully addressed any" of 13 areas of cybersecurity, including bot networks, criminal gangs, foreign intelligence services, spammers, and spyware. "DHS cannot effectively function as the cybersecurity focal point intended by law and national policy," said the authors of the report. During the past year, DHS has seen the departure of a number of high-level officials, including the director and deputy director of Homeland Security's National Cyber Security Division, the undersecretary for infrastructure protection, and the assistant secretary responsible for information protection. A representative of DHS refuted the GAO's findings, saying that DHS has made improvements to the "nation's cybersecurity posture." He noted that DHS, as a new federal agency, measures progress in nonquantitative, less formal ways. http://news.com.com/2100-7348_3-5722227.html
From ACM's TechNews, May 27, 2005
"Collaboration Is a Necessity for a Secure Infrastructure"
Computing (05/26/05); Nash, Emma
- Now that IT is considered an integral part of the business, it is time for collaboration between industry users and vendors to establish best practices, says Oracle chief security officer Mary Ann Davidson. As one of the 10 charter members of the Global CSO Council, Davidson is taking a lead role in fostering collaboration between industry users, vendors, and government; other Global CSO Council members include New York cybersecurity head William Pelgrin, eBay CSO Howard Schmidt, and Bank of America information security director Rhonda MacLean. Davidson is working with the National Institute of Standards and Technology to create secure software development auditing standards that could be applied to commercial software, and is representing the industry on Capitol Hill to push for funding of such efforts. Software development auditing standards are an essential building block to better overall security, she says. Another critical issue for improving IT security is improved software development education at universities. Currently, hiring companies are left with the burden of training new programmers in secure development practices; university programs should be certified, so that software developers create stable products similar to how architects and civil engineers also focus on stability and security. Finally, Davidson points out that IT security awareness is starting to increase due to issues such as regulatory compliance, and that new security products are preventative in nature.
Click Here to View Full Article
"House Approves Spyware Penalties"
TechNews.com (05/24/05); McGuire, David
- The House of Representatives voted overwhelmingly in favor of Rep. Mary Bono's (R-Calif.) Spy Act and Rep. Bob Goodlatte's (R-Va.) Internet Spyware Prevention Act on May 23. The anti-spyware proposals are nearly identical, although Bono's bill requires businesses to use an "opt-in" policy in which they must ask people's permission to install spyware on their computers. Goodlatte's measure offers no such provision, and it has garnered much more industry support as a result. Bono's bill bans some of the more egregious spyware tactics, and sets a maximum penalty of $3 million for each violation; Goodlatte's legislation would send some spyware distributors to prison for up to five years. An inability to reach a compromise on the "opt-in" issue scuttled the hopes of merging the two proposals, according to Bono. She says, "I believe it's one of the most important parts of the bill. I think we own the computer and we ought to have a say about who installs what on your computer." The Information Technology Association of America has been a frequent adversary of anti-spyware legislation, but President Harris Miller acknowledges the need for a national standard, since several states have started promoting their own anti-spyware measures that could lead to balkanization if left unchecked. America Online and the National Cyber Security Alliance found spyware installed in 85 percent of 329 randomly selected Internet users' computers last October, with the average "infected" computer hosting over 90 spyware and adware programs; last year IDC predicted that annual anti-spyware software expenditures will skyrocket from $12 million in 2003 to $305 million in 2008. Sen. Conrad Burns (R-Mont.) has sponsored anti-spyware legislation in the Senate, and says passage of the House bills shows progress on the issue.
Click Here to View Full Article
From EduPage, May 2, 2005
Spreading Spyware Through An Affiliate Program
TechWeb, 24 May 2005
- A business based in Russia is adopting the affiliate-program approach to spreading spyware around the globe. Called iframeDOLLARS, the company is offering Web site operators 6.1 cents for every computer on which the Web site installs code that exploits vulnerabilities in Windows and Internet Explorer. Microsoft has issued patches for the weaknesses, but unpatched computers remain at risk. The malicious code includes backdoors, Trojans, spyware, and adware. Operators of the iframeDOLLARS site claim to have paid out nearly $12,000 last week alone, which would translate to nearly 200,000 infected computers.
Although spyware expert Richard Stiennon called the tactic "brazen" and said iframeDOLLARS might be making quite a bit of money from its scheme, Dan Hubbard, the head of security at Websense, gave iframeDOLLARS less credit. He noted that the company has been around for a while, trying various methods to install malicious code, and he said a number of others have tried similar affiliate programs to accomplish the same thing.
http://www.techweb.com/wire/security/163700705
House Takes Two Steps Against Spyware
CNET, 23 May 2005
- The House of Representatives overwhelmingly passed two separate bills this week designed to address the growing problem of spyware. HR 29, introduced by Mary Bono (R-Calif.), would impose stiff fines on anyone found guilty of distributing computer code that results in browser hijacking, modifying bookmarks, collecting personal information without permission, and disabling security mechanisms. Violators can be fined as much as $3 million per incident. One of only four Representatives who voted against Bono's bill, Zoe Lofgren (D-Calif.) had introduced another bill, HR 744, that also prohibits installing spyware.
Lofgren's bill, which passed 395 to 1, would impose fines and jail time on anyone found guilty. Both bills now go to the Senate, which failed to act on a spyware bill sent by the House last year. Senators have said they will not allow a similar situation this year.
http://news.com.com/2100-1028_3-5717658.html
From ACM's TechNews, May 25, 2005
"Database Hackers Reveal Tactics"
Wired News (05/25/05); Zetter, Kim
- Three young hackers suspected of breaking into the LexisNexis database claim the intrusion was done to make a name for themselves rather than to commit identity theft. One of the suspects is also a member of the Defonic Crew hacking group, and says his hack of America Online encouraged him and other Defonic members to take on bigger hacking challenges; "Shasta," a hacker who is not a suspect in the LexisNexis case, says the successful AOL intrusions bred carelessness among Defonic Crew when it came to not leaving a trail. Last March, LexisNexis admitted that intruders penetrated a database belonging to its Seisint subsidiary and used name searches to appropriate the personal data of up to 310,000 people, but the hacker suspects claim they were unaware of this until a friend of one of them, pretending to be a teenaged girl, engaged in an online chat session with a Florida policeman with a Seisint account. The suspect coaxed the officer to click on an attachment containing a Trojan horse with promises of erotic content, and the program downloaded to his computer and gave the hacker total access to his files, including one linking to Seisint's Accurint service. Another suspect in the LexisNexis breach used a Java script to find other active Accurint accounts, and uncovered an account belonging to a Texas police department; he then contacted Seisint posing as a LexisNexis tech administrator and coaxed an employee to reset the account's password so he could create new accounts in the police department's name. A separate investigation that may be related to the LexisNexis case led to several arrests in California, and Santa Clara County Deputy District Attorney Jim Sibley theorizes that more than one hacker group may have breached LexisNexis, given its shoddy security.
Click Here to View Full Article
"Scientist Blames Web Security Issues on Repeated Mistakes"
E-Commerce Times (05/24/05); Germain, Jack M.
- BBN Technologies researcher Peiter Zatko believes the Internet's vulnerability to catastrophic failure is rooted in scientists and engineers repeatedly committing the same mistakes, but he does think this situation can be remedied and is heartened by industry's growing awareness of the problem. His view is that programmers must stop coding programs riddled with access holes that stem from calls within a program for certain convenience actions. Zatko says the abuse of the Internet's critical infrastructure makes an all-in-one security solution impossible, and partially attributes the infrastructure's weakness to engineers overworking the Internet's intended use. He says the addition of utilities and telephone service to the Internet puts further strain on the network. Zatko recommends that scientists cross-field their knowledge in order to find effective solutions to the Internet's security flaws, insisting that "We need to break up the old boy network." He sees the technology industry's reversion to dedicated services instead of multipurpose devices as a positive step, and advises the continuation of this trend. Zatko expects the repeated abuse of the Internet to halt once it becomes too dangerous, too complicated, and too costly to use safely. Once that point is reached, people will start clamoring for government regulation, he predicts.
Click Here to View Full Article
From SANS NewsBites, 7(21), May 25, 2005.
Hackers Holding Computer Files 'Hostage'
(23 May 2005)
- A new type of extortion plot has been identified, unlike any other cyber extortion, according to the FBI. Hackers used an infected website to infect computers with a program that encrypts the user's files. Then the criminal demanded money for the key to decrypt the files. Enhanced versions of this attack threaten large numbers of users with loss of important data, loss of money, or both.
http://news.yahoo.com/s/ap/20050524/ap_on_hi_te/internet_ransom
[Editors' Note (Paller and Dhamankar): This is a substantial expansion of the extortion threat. Previously large organizations were targeted.
Now because infection is indiscriminate, everyone is at risk. To protect your systems: (1) ensure your backups are current and retrievable, (2) ensure your operating system and browser are fully patched (through automated patching), (3) refrain from opening *any* attachments unless you are expecting them.]
GAO Report Finds Wireless Security Lacking at Federal Agencies
(17 May 2005)
- A Government Accountability Office study found that federal agencies lack adequate wireless network security. In its report, GAO recommends that the Office of Management and Budget require agencies to incorporate wireless security into their information security programs under the Federal Information Security Management Act. This would include policies in wireless network implementation and use, configuration requirements for wireless security tools and training employees and contractors on wireless policies. Of 24 executive branch agencies, nine had no wireless network policies and 13 had no wireless equipment security configuration requirements. At six agency headquarters in downtown Washington, DC, the GAO found wireless signals leaking outside of buildings, unsecured wireless equipment configuration and unauthorized wireless devices operating on the network.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=ndaily2&story.id5827
http://www.gao.gov/new.items/d05383.pdf
[Editor's Note (Schultz): What amazes me is that so many organizations continue to have cleartext wireless communications despite the inherent danger of eavesdropping and the availability of suitable encryption solutions.
(Shpantzer): Most places have either a 'no wireless' policy or a 'wireless with XYZ security' policy. Both require monitoring and enforcement. If you have no policy at all, you're virtually guaranteed to have insecure wireless in place, set up for convenience and mobility by enterprising employees. If you have no policy, what can you do to those employees? Not much.]
Court Rules German ISPs Do Not Have to Provide Record Companies with Customer Data
(17 May 2005)
- The Higher Regional Court in Hamburg, Germany has ruled that German ISPs are not required to provide record companies with information about their customers' identities. The court argued that ISPs "merely provide access to the web," but are not themselves a part of copyright infringement acts. This overturns a District Court ruling, based on Germany's Copyright Act, which allowed record companies access to ISP customer information after the discovery of an FTP server where songs were available for free download.
http://www.theregister.co.uk/2005/05/17/hamburg_isp_ruling/print.html
From ACM's TechNews, May 18, 2005
"Instant Messaging Falls Prey to Worms"
New Scientist (05/14/05) Vol. 186, No. 2499, P. 26; Biever, Celeste
- Instant messaging (IM) technology is fertile new ground for hackers, according to experts. In 2001, 141 million people were using IM applications, but that number has since grown to 863 million people, making IM-based hacks more appealing. Security experts had hoped that limited approved contact lists would hinder IM-based attacks, but now worms are increasingly targeting linked email accounts. Compared to 2004, security company IMlogic reports a significant increase in IM-based worms in the first three months of this year. Attacks often use an application programming interface to detect Microsoft IM networks and spread malicious messages that look as if they are coming from a friend. However, clicking on the link automatically downloads a virus, giving hackers remote control over victims' computers. Some hacks are sophisticated, with code trained to chat with victims prior to sending the malicious link, though the chat is often fragmented and illogical. "It always shocks me how well these social engineering attacks end up working," says Nicholas Weaver, a security expert at the International Computer Science Institute in Berkeley, California. Hackers are also targeting IM applications via application vulnerabilities. Analysts say email viruses are still a bigger threat, but they say that IM attacks continue to grow in popularity, and are potentially more dangerous since organizations are less prepared to fight them off. Although an estimated 80 percent of the U.S.'s 1,000 wealthiest companies maintain IM networks, just 10 percent use IM security safeguards.
Click Here to View Full Article
"School Studies Effects of Internet Attacks"
eWeek (05/09/05) Vol. 22, No. 19, P. 18; Roberts, Paul F.
- Iowa State University is using a new test laboratory to train students and local security professionals on cyberattacks and cyber-defense. The Internet Simulation Event and Attack Generation Environment (ISEAGE) is designed to recreate a cyberattack on any part of the Internet infrastructure, according to Doug Jacobson, director of information assurance at the university in Ames. Funded by a $500,000 grant from the Department of Justice, ISEAGE comprises a 64-processor cluster connected by high-speed switching gear and linked to a central disk storage system running FreeBSD Unix; each processor can recreate 50 routing points. The processors give researchers the flexibility to reproduce network attacks, while ISEAGE's software tools also enable them to change traffic patterns, replay attacks in different configurations, and collect data. "We can make an attack look like it came from 1,000 computers, but we don't need 1,000 computers to do it," says Jacobson. ISEAGE will be used to model attacks on key infrastructure in cyberspace, and could help improve computer defense and forensics.
Click Here to View Full Article
From ACM's TechNews, May 18, 2005
"Personal Data for the Taking"
New York Times (05/18/05) P. C1; Zeller Jr., Tom
- Dozens of Johns Hopkins University students enrolled in a computer security course last semester learned how painfully cheap and easy it is to acquire personal data online when they were grouped into teams assigned to aggregate, clean, and link entire databases of dossiers on Baltimore citizens using only public data sources with a maximum budget of $50. Several teams collected upwards of 1 million records on hundreds of thousands of individuals. The project was the brainchild of Johns Hopkins computer science professor Aviel Rubin, who is also technical director of the university's Information Security Institute. Some participants obtained information by filing Freedom of Information Act requests at local government offices, while others tapped whole databases from online sources or free commercial address databases using special computer scripts. Profiled citizen David Albright was troubled by how effortlessly information such as his occupation, address, phone number, birth date, and party registration was gathered: "What would be disturbing is if by having all this information consolidated, it made stealing an identity easier," he said. Privacy proponents have similar concerns, especially in regards to how easy it is to access Social Security numbers. ACLU lawyer Jason Brandeis expressed the need to balance out the protection of individual privacy and the public interest in unfettered access to government data. Rubin concluded that "there are strong negative consequences to being able to collect and correlate all this information on people, but it is also possible that the consequences to personal freedom would be worse if it were outlawed."
Click Here to View Full Article
From ACM's TechNews, May 23, 2005
"How to Hook Worms"
IEEE Spectrum (05/05); Riordan, James; Wespi, Andreas; Zamboni, Diego
- IBM Zurich Research Laboratory research scientists James Riordan, Andreas Wespi, and Diego Zamboni detail an intrusion-detection system designed to specifically target computer worms, which Mi2g says were partly responsible for more than $68 billion in damages in February 2004 alone. The majority of intrusion-detection systems employ a dual-tier strategy in which "sentinel" programs are posted on both network-linked host computers and on the network itself, but this approach generates many false alarms and exhibits little resistance to both malicious attacks and accidental failures. The researchers' system, dubbed Billy Goat, runs on a network-connected dedicated machine and can identify worm-infected machines anywhere within the network. The genesis of Billy Goat was Riordan, Wespi, and Zamboni's realization that computers linked to the network frequently got automated requests from other machines that did not dovetail with their normal operation; worms were behind a large percentage of these requests, because they usually locate new computers to target by randomly searching through Internet addresses. Billy Goat is assigned to unused, unadvertised addresses where the illegitimacy of received requests is a given, and the system responds to requests by providing bogus virtual services, effectively fooling worms into disclosing their identity and making them easy for Billy Goat to reliably track. The system tries to attract many different kinds of worms by presenting multiple feigned services, while new fake services can be created by standard programming tools and interfaces supported by the virtualization infrastructure; Billy Goat also follows a distributed architecture that permits the coexistence of multiple Billy Goats on a network. The researchers claim Billy Goat can detect worm-infected machines within seconds of contamination, and provide their addresses as well.
Click Here to View Full Article
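The dark-address detection the Billy Goat summary describes, as an added example that is not part of the article or of IBM's system: a source that connects to several unused, unadvertised addresses within a few seconds has no legitimate reason to, so it is flagged as worm-infected and its address reported. The address blocks, thresholds and flow records below are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed for this example: address blocks that are unused and unadvertised,
# i.e. the "dark" space the sensor is assigned. Nothing legitimate lives here,
# so any request that arrives for one of these addresses is illegitimate by definition.
DARK_SPACE = [
    ipaddress.ip_network("10.0.200.0/24"),
    ipaddress.ip_network("10.0.201.0/24"),
]
# A source is flagged once it has touched this many distinct dark addresses
# within the sliding window. A worm scanning addresses at random crosses this
# line within seconds; a single mistyped address never does.
MIN_DARK_TARGETS = 3
WINDOW_SECONDS = 5.0


@dataclass(frozen=True)
class Conn:
    ts: float    # seconds on any monotonic clock
    src: str
    dst: str
    dport: int


def is_dark(addr: str) -> bool:
    """True if addr falls inside one of the unused blocks the sensor owns."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DARK_SPACE)


def parse_line(line: str) -> Conn:
    """Parse one constructed flow record of the form '<ts> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Conn(float(ts), src, dst, int(dport))


def detect_infected(lines):
    """Return {src: detection_ts} for every source that hits MIN_DARK_TARGETS
    distinct dark addresses inside some WINDOW_SECONDS span. detection_ts is
    the timestamp of the connection that pushed the source over the threshold."""
    conns = sorted((parse_line(l) for l in lines if l.strip()), key=lambda c: c.ts)
    recent = defaultdict(list)    # src -> [(ts, dst), ...] still inside the window
    detected = {}
    for c in conns:
        if not is_dark(c.dst):
            continue                # traffic to real hosts is never examined
        window = [(t, d) for t, d in recent[c.src] if c.ts - t <= WINDOW_SECONDS]
        window.append((c.ts, c.dst))
        recent[c.src] = window
        distinct_targets = {d for _, d in window}
        if c.src not in detected and len(distinct_targets) >= MIN_DARK_TARGETS:
            detected[c.src] = c.ts
    return detected


# Constructed sample: one infected host sweeping the dark blocks on TCP/445,
# one user who mistyped an address once, one host probing too slowly to trip
# the window, and ordinary traffic to a real server.
SAMPLE_LOG = [
    "50.0 10.0.5.8 10.0.200.1 22",       # single typo-style hit, never flagged
    "60.0 10.0.5.8 10.0.10.5 80",        # legitimate web traffic, not dark
    "10.0 10.0.5.9 10.0.200.40 445",     # slow prober: hits spaced 20 s apart
    "30.0 10.0.5.9 10.0.200.41 445",
    "50.5 10.0.5.9 10.0.200.42 445",
    "100.0 10.0.5.7 10.0.200.3 445",     # worm: three distinct dark targets in 1.1 s
    "100.4 10.0.5.7 10.0.200.17 445",
    "100.9 10.0.5.7 10.0.200.17 445",    # repeat of the same target counts once
    "101.1 10.0.5.7 10.0.201.9 445",
]

if __name__ == "__main__":
    for src, ts in detect_infected(SAMPLE_LOG).items():
        print(f"{src} flagged as worm-infected at t={ts}")   # 10.0.5.7 at t=101.1
```

The feigned services the article mentions sit in front of this logic in a real deployment; here the connection attempt alone is the evidence, which is all the threshold needs.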
From EduPage, May 2, 2005
Latest Loss Of Personal Information: MCI
Wall Street Journal, 23 May 2005
- Officials from long-distance carrier MCI are investigating the loss of employee data after a laptop was stolen from the car of an MCI financial analyst. The laptop contained names and Social Security numbers for about 16,500 employees, whom the company has notified. A spokesperson for MCI said the machine was password-protected but did not say whether the employee data were encrypted. MCI is reviewing the incident to see whether the analyst violated any company policies, such as those concerning what types of information may be put on laptops and what information must be encrypted. MCI is also taking this opportunity to make sure employees who have access to sensitive information are clear on company policies. The company said that so far there have been no reports that any of the information on the laptop has been sold or misused. (sub. req'd) http://online.wsj.com/article/0,,SB111680003245940129,00.html
From EduPage, May 20, 2005
Feds Conduct Searches Related To Data Thefts
Wall Street Journal, 20 May 2005
- Federal authorities investigating the theft of personal information from LexisNexis this week conducted raids and searches at several locations around the country. LexisNexis, which collects and aggregates information on millions of people, recently reported that information on nearly 300,000 individuals had been stolen by hackers. Investigators from the Federal Bureau of Investigation and the Secret Service searched the homes and computers of close to one dozen people, resulting in at least three arrests. Spokespersons for the agencies conducting the raids as well as for LexisNexis declined to give many details other than that the investigations are ongoing. (sub. req'd) http://online.wsj.com/article/0,,SB111653162281238311,00.html
From ACM's TechNews, May 5, 2005
"Computing Officials Worry That Proposed Federal Database Could Be Hacked"
Chronicle of Higher Education (05/06/05) Vol. 51, No. 35, P. A37; Carnevale, Dan
- The U.S. Department of Education is considering a "unit record" database listing information on individual students, but technology experts are worried about the database's vulnerability to hacking, a pressing concern in light of recent intrusions into college and company servers. Purdue University computer sciences professor and USACM chair Eugene Spafford warns that a large database, constructed ostensibly to keep tabs on student retention and graduation rates, is an irresistible target, and susceptible to an attack from any point in the system because of its size. Grover Whitehurst, director of the Education Department's Institute of Educational Sciences, says the department has yet to submit the unit record database concept to Congress, and is currently receptive to any ideas for securing confidential student data. He says the database would probably be disconnected from the Internet, making it impossible for hackers to breach the server through public computer networks. Whitehurst also says no Social Security numbers would be listed in the database, and he strongly doubts the information in the database--student names, places of enrollment, classes students are taking, financial aid they are getting, etc.--would make a particularly attractive target. Former ACM President Barbara Simons says a government database that tracks information about individual students is cause for worry, and wonders how the people who access the data would be trustworthy in the Education Department's eyes. Whitehurst says the department will consult with computer security experts before moving ahead with any unit record database proposal.
From EduPage, May 2, 2005
Time Warner Reports Data Loss
Reuters, 2 May 2005
- A company that handles data storage for Time Warner lost tape backups containing personal information for about 600,000 employees. Iron Mountain Inc., based in Boston, reportedly lost the tapes during transport. Officials from Time Warner said the tapes did not contain customer information. In a statement, Larry Cockell, chief security officer at Time Warner, said that although no evidence exists that the data have been accessed or misused, "we are providing current and former employees with resources to monitor their credit reports while our investigation continues." Time Warner owns America Online, HBO, and Warner Brothers. http://www.reuters.com/newsArticle.jhtml?storyID=8363208
From ACM's TechNews, May 2, 2005
"Skeletons on Your Hard Drive"
CNet (04/20/05); Hines, Matt
- Experts say it is inordinately difficult to completely erase data on unwanted hard drives, even using commercial wiping software to overwrite the data. The National Association for Information Destruction (NAID) said it could not endorse the use of wiping software alone because studies have shown such software is not enough to ensure data deletion. Instead, the group says users should use wiping software in addition to material destruction to make sure hackers cannot pull sensitive information off of the drives, such as login data. NAID executive director Bob Johnson also says professional services that claim to wipe large numbers of computer hard drives for organizations lack adequate testing measures to check if data is inaccessible. Studies have shown the majority of resold hard drives still contain some information. The U.S. Department of Defense requires seven passes with wiping software for hard drives that do not require physical destruction, says Acronis' director Stephen Lawton, whose company sells such software. Only one pass is not enough even for home users, he says. Stronger protection is afforded through crushing services or degaussing, which is a magnetic striping process usually applied to large collections of machines. Hewlett-Packard's John Frey says the reason PC data is difficult to erase is because hardware and software makers had to ensure users did not accidentally delete information during the DOS era.
Click Here to View Full Article
From EduPage, April 29, 2005
FIU Suffers Computer Hack
The Register, 29 April 2005
- Officials at Florida International University (FIU) are warning faculty and students about possible identity theft after it was discovered that a hacker had user names and passwords for 165 computers on campus. Although only a few of the computers contained personal information, and despite the fact that no evidence exists that anyone's information has been misused, school officials fear that the hacker may have had enough access to put the university's entire network in question. University staff have been instructed to inspect 3,000 computers on campus to determine if they have been compromised. FIU has recommended that faculty and students remove any personal information from their computers and that they monitor their credit cards for suspicious activity that could indicate fraud. http://www.theregister.com/2005/04/29/fiu_id_fraud_alert/
From ACM's TechNews, April 29, 2005
"A Crisis of Prioritization"
Computerworld Australia (04/27/05); Bajkowski, Julian
- A new report from the President's Information Technology Advisory Committee (Pitac) warns that the emphasis on bolstering national security in the wake of the 2001 U.S. terrorist attacks has left a critical element--cybersecurity of civilian technological infrastructures--severely underfunded. The report concludes, "The information technology infrastructure of the U.S., which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." The Pitac study notes that in terms of research and development priorities, research emphasis is just as important as funding levels, if not more so. Pitac calls for the incorporation of holistic-level security within current and nascent architectures, which entails a change in thinking and IT design beliefs instead of pouring vast amounts of money into intermittent patches without addressing immediate problems. The committee says the federal government must guide the rehabilitation of the IT industry, asserting that "an expanded portfolio of U.S. federal cybersecurity R&D efforts is required because today we simply do not know how to model, design, and build systems incorporating integral security attributes." The Pitac report has many supporters in Australian government and industry, and AusCert director Grahame Ingram says vendors have started to make security a much more integral component of software and hardware design in the last few years. Professor Bill Caelli of Queensland University of Technology says the Pitac report was alarming and cites the need for a top-level reconsideration of embedding security within IT.
Click Here to View Full Article
"Does Trusted Computing Remedy Computer Security Problems?"
IEEE Security & Privacy (04/05) Vol. 3, No. 2, P. 16; Oppliger, Rolf; Rytz, Ruedi
- Rolf Oppliger and Ruedi Rytz with the Swiss Federal Strategy Unit for Information Technology weigh the benefits and drawbacks of trusted computing, and conclude that the technology is unlikely to completely inoculate PCs against the threat of malware. Trusted computing initiatives are consistent in their basic principle to convert software-open computer systems into software-closed or software-controlled systems, which cannot be done without a secure, reliable bootstrap framework. Software-open systems are key to the PC explosion because they allow the operating system and the application software to be easily modified, upgraded, and extended; they are also key to PCs' insecurity, which threatens users' personal data as well as the security and availability of the Internet. The authors point out that commercial antivirus software is ineffective at detecting and eliminating unknown malware, while the ability to introduce malicious code at any point in the software life cycle complicates testing and detection. Not only that, but typical computer memory architecture stores programs and data in the same place, which enables malware to alter data and programs simultaneously. The separation of programs and data--a prerequisite for a more secure architecture--is also difficult. Trusted computing allows software to be authenticated and authorized to confirm its genuineness and integrity before execution, but the technology cannot ensure that software running on a computer system does not contain exploitable programming errors or malware; this situation makes trusted computing effective against manual malware execution, but useless against malware that takes advantage of glitches, flaws, and vulnerabilities in authorized software for its own purposes. The authors write that trusted computing-enabled systems are more easily securable, but their degree of protection reflects how the systems are designed and implemented.
Click Here to View Full Article
From EduPage, April 27, 2005
Concerns Mount Over Software's Role In Data Breaches
Wall Street Journal, 27 April 2005
- A number of retailers are pointing to software used at store checkouts as the weak link in the rash of recent security breaches. The magnetic stripe on a credit card carries--along with the account number--a three-digit verification code. Knowing that code lets criminals create counterfeit cards whose embossed name does not match the name on the account; a crook can then present a photo ID matching the name on the card while the charge goes against an entirely different account. Software that handles credit card purchases is supposed to discard card numbers and verification codes once a transaction is authorized, but several retailers now say that the systems retain those numbers in memory. John Shaughnessy of Visa USA said that a computer system that retained those numbers would be extremely tempting to criminals. Some retailers have filed suits against the makers of the software, seeking compensation for losses resulting from recent hacks. At least one software company, Micros Systems, rejected retailers' contentions, saying its products do not store such information. (sub. req'd) http://online.wsj.com/article/0,,SB111455367943717582,00.html
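What "keeping those numbers in memory" means in practice, as an added example that is not from the article or from any vendor's checkout software: the terminal parses the stripe's Track 2 data (the standard `;PAN=YYMMSSS...?` layout, where the verification code sits somewhere in the issuer-defined discretionary field) and should retain only a masked account number once authorization is done. The second function is the check a practitioner would run over a process dump, log file or database export to see whether full account numbers survived. The track string is constructed test data (the PAN is the common 4111... Visa test number).

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
# The verification code written on the stripe lives inside the issuer-defined
# discretionary field, so the safe policy is to drop that field whole.
TRACK2_RE = re.compile(r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

@dataclass(frozen=True)
class AuthorizationRecord:
    """What the checkout system may keep after the authorization response arrives."""
    masked_pan: str
    expiry: str
    service_code: str

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(track: str) -> dict:
    m = TRACK2_RE.match(track)
    if not m or not luhn_ok(m.group("pan")):
        raise ValueError("not a well-formed Track 2 record")
    return m.groupdict()

def mask_pan(pan: str) -> str:
    """Keep the first six (issuer) and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def record_after_authorization(track: str) -> AuthorizationRecord:
    """Parse the swipe, build the retained record, and let the full track go out of scope."""
    fields = parse_track2(track)
    return AuthorizationRecord(mask_pan(fields["pan"]), fields["exp"], fields["svc"])

# Audit side: scan a memory dump, log file or database export for unmasked PANs.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_unmasked_pans(blob: str):
    """Every 13-19 digit run that passes Luhn is reported; expect some false positives."""
    return [c for c in PAN_CANDIDATE.findall(blob) if luhn_ok(c)]

# Constructed test data: the well-known 4111... Visa test PAN with made-up
# expiry, service code and discretionary data.
SAMPLE_TRACK2 = ";4111111111111111=2712101123456789?"

if __name__ == "__main__":
    rec = record_after_authorization(SAMPLE_TRACK2)
    print(rec)                                           # masked_pan='411111******1111'
    print(find_unmasked_pans("swipe: " + SAMPLE_TRACK2))  # the full PAN leaks
    print(find_unmasked_pans(str(rec)))                  # nothing to find
```

Run the scanner against a core dump of the payment process after a few transactions; if it finds anything, the software is retaining exactly what the article says it should not.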
From ACM's TechNews, April 27, 2005
"Encryption: The Key to Secure Data?"
Computer Weekly (04/26/05); Bradbury, Danny
- Data encryption technology is now a mature market with infrequent updates, but the failure of public key infrastructure (PKI) to take off in the commercial sector has left a gaping hole in the encryption framework. Encryption comes in two flavors: traditional symmetric encryption, and asymmetric encryption that uses public and private key pairs. In practice the two are combined: asymmetric encryption, popularized by RSA Security, protects the symmetric key that encrypts the bulk data, so an attacker must break the public-key layer before the symmetric layer is even reachable; elliptic curve cryptography is a variant of asymmetric encryption that needs fewer resources for the same security level and is therefore better suited to PDAs and smart phones. Digital signatures, computed over a hash of the message, let parties authenticate one another and detect tampering with the message in transit. Recently, the SHA-1 hashing algorithm was shown to be vulnerable to collision attacks, which could prompt the industry to move to another, more secure, standard. PKI was created to bind public keys to verified identities, so that an attacker cannot pass off a key of their own as someone else's, and involved the top-down issuance of certificates through organizations such as VeriSign; but PKI was pushed too hard, too fast, says Capgemini global chief technical officer Andy Mulholland. When PKI was promoted heavily five years ago, the bulk of online transactions was done by consumers, not businesses. If PKI were launched today, its commercial success would be far greater, says Mulholland. Encryption also faces the problem of complexity, where ordinary users find even PGP difficult to use, while another challenge is government involvement, especially governments' ability to obtain keys and decrypt data.
"Center Aims to Improve Cybersecurity in Higher Education"
Indiana University (04/25/05)
- Indiana University is a hub for higher education cybersecurity efforts: In addition to hosting the Indiana Higher Education Cybersecurity Summit this week, the school is home to the Center for Applied Cybersecurity Research (CACR), an expanding information assurance program committed to improving the integrity and security of information systems, technologies, and content via a variety of disciplines, including computer science, informatics, organizational behavior, criminal justice, law, and public policy. CACR is driving the development of an interdisciplinary cybersecurity curriculum. "The whole nation is talking about cybersecurity, especially in higher education," says CACR director and Indiana University School of Law-Bloomington law professor Fred Cate. Computer hacking and identity theft incidents are becoming more sophisticated, severe, and frequent across the government, nonprofit, business, and higher education sectors. No educational institution is completely cyberattack-proof given the complexity and highly distributed management of schools' IT infrastructures. But Cate thinks the impact of such attacks can be minimized through a "highly coordinated" initiative involving the top leadership echelons. "Engagement in the discussion is a critical step in developing strategies that will deter attacks, reduce vulnerabilities, and help to ensure that disruptions are infrequent, of minimal duration, and cause the least damage possible," he says. Cate says CACR not only has the improvement of cybersecurity in mind, but also the improvement of cybersecurity efficiency, cost, and its effects on individuals, the economy, and the public.
Click Here to View Full Article
From ACM's TechNews, April 25, 2005
"Cyber Security Has Its Limits"
Pittsburgh Tribune-Review (04/22/05); Bails, Jennifer
- The recent intrusion into Carnegie Mellon University (CMU) business school computers illustrates that not even top IT security institutions can completely guard themselves against cyberthreats and that an entirely new way of designing systems is needed, according to security and privacy experts. The CMU hack left personal information of about 20,000 applicants, graduate students, and staff open to misuse, though there is no evidence identity thieves have tried to use that data. The incident is similar to other high-profile cases at well-known organizations. University systems are especially vulnerable to hacking because of their interconnectivity and mission as providers of information. University of California, Berkeley, computer science professor and cybersecurity expert Doug Tygar called the CMU incident unlucky and did not think the problem was due to poor computer security practices. UC Berkeley suffered a serious privacy breach in March when an administrative laptop was stolen, and the school has launched an extensive audit of network and information security including policy and user access review. Cornell University computer science professor Kenneth Birman says news about major privacy breaches emerges every few hours nowadays, and notes that the recently funded TRUST center would join academic research groups to find a more permanent solution. "We can try to tackle problems when they happen and apply the latest patch, or we can design trustworthy computers from the get-go," he says. The new $19 million TRUST effort is funded by the National Science Foundation and will investigate ways to build fundamentally secure systems.
Click Here to View Full Article
From EduPage, April 25, 2005
Survey Shows Steep Rise In Web Site Defacements
BBC, 25 April 2005
- Attacks on Web sites jumped 36 percent in 2004, totaling nearly 400,000 incidents, according to Zone-H, an organization that tracks malicious Web activity. Of the attacks recorded by the organization, Web site defacements--in which a bogus Web page is substituted for a Web site's home page--constituted the vast majority of attacks. Roberto Preatoni of Zone-H pointed out, though, that "the techniques used by defacers are the same techniques used by serious criminals to cause more serious damage." According to the group's report, more than half of the successful hacks took advantage of a known weakness or careless administration, such as easily guessed passwords or unprotected systems. Zone-H reported that the frequency of attacks rises over the Christmas holidays and drops when schools reopen each year after summer break.
http://news.bbc.co.uk/2/hi/technology/4480689.stm
From Knowledge@Wharton, April 6, 2005
Do You Know Where Your Identity Is? Personal Data Theft Eludes Easy Remedies
- ChoicePoint, a consumer data vendor, hands over personal information on at least 145,000 people to criminals posing as small businesses. Hackers swipe the personal information of 32,000 people who use the database Lexis-Nexis. Bank of America loses backup tapes containing 1.2 million federal employee records. Every day, it seems, a new identity theft incident is reported, followed by new rounds of questions: Should data vendors be regulated? Can identity theft hurt e-commerce? How do individuals protect themselves? Unfortunately, suggest Wharton faculty and others, no simple answers are available, especially when personal information is so easily available through search engines.
Read the article
From New York Times, April 9, 2005
Sentence in Spam Case
- LEESBURG, Va., April 8 -- A North Carolina man convicted in the nation's first felony prosecution for spamming was sentenced on Friday to nine years in prison, but the judge postponed the sentence while the case is appealed.
- A jury recommended the nine-year prison term after convicting Jeremy Jaynes of sending at least 10 million e-mail messages a day with the help of 16 high-speed lines.
- Mr. Jaynes, 30, of Raleigh, N.C., will be free on $1 million bond until the appeals process concludes.
- Mr. Jaynes was convicted in November for using false Internet addresses to send mass e-mail ads through a server in Virginia. Under Virginia law, sending unsolicited bulk e-mail itself is not a crime unless senders mask their identities.
- Published: 04 - 09 - 2005 , Late Edition - Final , Section C , Column 1 , Page 2
From ACM's TechNews, April 22, 2005
"U.S. Gets New Cyberterrorism Security Center"
Computerworld (04/21/05); Weiss, Todd R.
- April 21 marked the official unveiling of the Cyber Incident Detection Data Analysis Center (CIDDAC) at the University of Pennsylvania; CIDDAC is a private-sector facility set up to monitor America's business infrastructure for real-time detection of cyberthreats. CIDDAC executive director Charles Fleming says the center is designed to help victimized companies reticent to share information with the government, and to eliminate the bureaucracy that can slow down federal agencies' response to threats. Critical industries are being offered intrusion-detection services by CIDDAC under the aegis of a pilot project supported by the FBI and the Department of Homeland Security's Science and Technology Directorate. The tools to facilitate these services are Remote Cyber Attack Detection Sensor (RCADS) appliances that will be deployed outside corporate networks. The appliances can automatically and instantly route any intrusion data to the CIDDAC center, where it is assessed immediately and then relayed to law enforcement agencies. The authorities can employ the data to collate attack signatures that government investigators can use to more rapidly identify, pinpoint, and subdue cyberthreats. Assistant special agent Shawn Henry of the FBI says the data compiled through CIDDAC will allow the FBI and other law enforcement entities to thwart future attacks instead of merely responding to intrusions. Fleming says CIDDAC users will enjoy better protection against cyberthreats while still maintaining the privacy of their sensitive corporate data, adding that "privacy, trust, and anonymity are absolute essentials for the private sector to participate, and without the private sector, there is no program."
Click Here to View Full Article
"Researchers Propose Early Warning System for Worms"
eWeek (04/20/05); Naraine, Ryan
- Professors Shigang Chen and Sanjay Ranka of the University of Florida's Computer and Information Science and Engineering department have written a paper proposing an early warning system for TCP-based Internet worms that promises to eliminate known weaknesses in current early warning systems. "The goal is to have a system to issue warnings at the very early stages of an attack and to provide information for security analysts to control the damage," the paper states. Chen says the plan combines a series of methods for automatically identifying the concentrated scan activity that signifies an ongoing worm assault: the system monitors a "used" address space rather than an unused one, and pinpoints scan sources from the outbound TCP RESET packets that local hosts send in reply to failed inbound connection attempts, which makes localization more accurate and makes the monitor harder for a worm to detect and avoid. Chen says any existing distribution mechanism--email, pagers, etc.--could be employed to disseminate worm propagation advisories. Also included in Chen and Ranka's proposal is an anti-spoof protocol that detects hosts potentially compromised by worms by winnowing out forged scan sources, as well as a "system sensitivity" performance metric for gauging how quickly an early warning system reports an ongoing worm attack. Chen says the system is designed for local deployment or co-deployment among enterprise networks. A distributed anti-worm system that defends against high-bandwidth distributed denial-of-service attacks has also been designed by Chen's team.
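Chen and Ranka's observation, that an outbound TCP RST is a reliable signal of a failed inbound connection attempt, can be turned into a small detector. This is an added example, not the authors' system: the one-line-per-packet log format (with a `flags=` field) is assumed for illustration and the lines are constructed. A remote address that provokes RSTs from many distinct internal hosts and ports inside a short window is reported as a scan source; accepted connections and isolated failures are ignored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-line-per-packet export of outbound traffic from the monitored
# ("used") address space. The format is hypothetical; adapt the regex to your sensor.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>[A-Z]+)$"
)

def parse_outbound_rst(line: str):
    """Return (timestamp, remote address, (local host, local port)) for an outbound
    RST, or None. The RST is our host telling the remote that its inbound attempt
    failed, so the remote address is the scan-source candidate."""
    m = LINE_RE.match(line)
    if not m or "R" not in m.group("flags"):
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("dst"), (m.group("src"), int(m.group("sport")))

def detect_scan_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Report remote addresses that provoked RSTs from at least `threshold`
    distinct local (host, port) targets inside any `window`-long interval.
    Returns {remote: peak distinct target count}."""
    events = sorted(e for e in map(parse_outbound_rst, lines) if e)
    by_source = defaultdict(list)
    for ts, remote, target in events:
        by_source[remote].append((ts, target))
    alerts = {}
    for remote, hits in by_source.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it fits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {t for _, t in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[remote] = max(alerts.get(remote, 0), len(distinct))
    return alerts

# Constructed sample: one remote sweeping port 445 across six hosts in a few
# seconds, one benign remote with an accepted connection and a single failure.
SAMPLE_LOG = [
    "2005-04-20T10:00:01Z TCP 10.0.0.1:445 -> 203.0.113.9:40001 flags=RA",
    "2005-04-20T10:00:01Z TCP 10.0.0.2:445 -> 203.0.113.9:40002 flags=RA",
    "2005-04-20T10:00:02Z TCP 10.0.0.3:445 -> 203.0.113.9:40003 flags=RA",
    "2005-04-20T10:00:02Z TCP 10.0.0.4:139 -> 203.0.113.9:40004 flags=RA",
    "2005-04-20T10:00:03Z TCP 10.0.0.5:445 -> 203.0.113.9:40005 flags=RA",
    "2005-04-20T10:00:04Z TCP 10.0.0.6:445 -> 203.0.113.9:40006 flags=RA",
    "2005-04-20T10:00:05Z TCP 10.0.0.7:80 -> 198.51.100.7:51234 flags=SA",  # accepted, ignored
    "2005-04-20T10:00:09Z TCP 10.0.0.8:22 -> 198.51.100.7:51235 flags=RA",  # one failure, benign
    "2005-04-20T10:20:00Z TCP 10.0.0.9:445 -> 203.0.113.9:40007 flags=RA",  # outside the window
]

if __name__ == "__main__":
    print(detect_scan_sources(SAMPLE_LOG))   # {'203.0.113.9': 6}
```

Because the RSTs come from live hosts rather than a dark address range, a worm cannot learn the monitor's location by probing for unused space, which is the anti-monitor property the paper is after. The anti-spoof part of the proposal is not reproduced here; a forged source address would still show up in this tally.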
Click Here to View Full Article
"Stopping Spam"
Scientific American (04/05) Vol. 292, No. 4, P. 42; Goodman, Joshua; Heckerman, David; Rounthwaite, Robert
- Software programmers and purveyors of junk email are locked in an ever-escalating arms race as the spread of spam threatens to compromise the integrity of Internet communications, write anti-spam experts and research collaborators Joshua Goodman, David Heckerman, and Robert Rounthwaite. However, smart software filters, email sender authentication schemes, legal restrictions, and other anti-spam efforts could hold back the tide of spam through widespread usage or enforcement. The authors propose a combination of spam filters with machine-learning capabilities and proof systems designed to make spamming computationally and/or financially unaffordable. Machine-learning systems can be thwarted by spammers who obscure their output's wording, but such filters can be trained to recognize and adapt to these tactics; an important component of the researchers' work is the employment of n-gram techniques that use subsequences of words to identify key words frequently associated with spam. Among the proof system options Goodman, Heckerman, and Rounthwaite investigate are human interactive proofs, which are puzzles or problems that humans can easily solve but computers cannot; computational puzzles that senders' email systems must solve; and micropayment schemes in which spammers pay a small amount of money for each email, so that the cumulative cost becomes prohibitive. The authors also see reputation services that certify legitimate senders playing an important role in anti-spam efforts, and give high marks to the Sender ID Framework as a sender authentication scheme designed to combat email "spoofing." Goodman, Heckerman, and Rounthwaite think federal legislation can complement technological defenses against spam.
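One of the proof systems the authors discuss, the computational puzzle, as an added example that is not the authors' implementation: the sender spends roughly 2^bits hash computations to mint a stamp, the recipient checks it with one hash and three policy tests (minted for me, enough work, not seen before). The stamp layout is a simplification of the hashcash format and is an assumption of this example; the addresses and date are constructed.

```python
import hashlib
import secrets

def leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def mint_stamp(sender: str, recipient: str, date: str, bits: int = 16) -> str:
    """Sender side: find a counter such that SHA-256 of the stamp starts with
    `bits` zero bits. Expected cost is about 2**bits hashes and there is no
    shortcut, which is what makes bulk sending expensive.
    Stamp layout (assumed, simplified from hashcash):
    version:bits:date:recipient:sender:salt:counter"""
    salt = secrets.token_hex(8)      # fresh per stamp so counters cannot be reused
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{recipient}:{sender}:{salt}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1

def verify_stamp(stamp: str, my_address: str, min_bits: int = 16, seen=None) -> bool:
    """Recipient side: one hash to confirm the work, then policy checks. `seen`
    is the recipient's store of already-accepted stamps; without it a spammer
    would mint once and replay the same stamp to every mailbox."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
    except ValueError:
        return False
    if parts[3] != my_address or bits < min_bits:
        return False
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False
    if seen is not None:
        if stamp in seen:
            return False
        seen.add(stamp)
    return True

if __name__ == "__main__":
    s = mint_stamp("alice@example.com", "bob@example.com", "050401", bits=16)
    print(s, verify_stamp(s, "bob@example.com"))
```

The asymmetry is the whole point: 16 bits costs a legitimate sender a fraction of a second per message and a spammer the same fraction of a second per message, times millions. The date field is what lets the recipient expire old entries from `seen` instead of storing stamps forever.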
Click Here to View Full Article
From Microsoft's TechFlash, April 12, 2005
- So-called phishing scams seem to be on the decrease since their peak last summer (http://go.microsoft.com/?linkid=2679334), but there are still good reasons to be wary. A fraudulent e-mail message that claimed to be a "Microsoft Inc." [sic] newsletter was circulated recently. In this particular instance, the subject line was "Download the new beta software from Microsoft today." The included link to an executable file was, of course, not from a legitimate Microsoft source. Ironically, the bogus file also claimed to be "our new anti-spyware software." Here's a quick review of how to avoid these look-alike scams (http://go.microsoft.com/?linkid=2679335).
(A less technical description (http://go.microsoft.com/?linkid=2679336) is also available.)
From ACM's Queue, April 18, 2005
- Organizations of all sizes are spending considerable efforts on getting patch management right--their businesses depend on it.
Read the article.
From ACM's TechNews, April 18, 2005
"Stanford Joins Multi-Institution Center on Research in Cybersecurity and Computer Trustworthiness"
Stanford Report (04/14/05); Yang, Sarah; Levy, Dawn
- Leading security experts from eight universities will join forces under the Team for Research in Ubiquitous Secure Technology (TRUST), funded for five years with about $19 million from the National Science Foundation (NSF). The University of California-Berkeley will lead the effort, joined by other institutions such as Stanford University, Carnegie Mellon University, and a number of industry and research groups. TRUST researchers note the growing importance of cybersecurity in the modern age, since so much critical infrastructure is dependent on computer systems. Researchers at Stanford's Computer Security Lab will bring expertise in a number of fields, including applied cryptography, access control, data privacy, and network security; VMware founder Mendel Rosenblum and automated methods expert David Dill are among the Stanford faculty joining the effort. The Stanford Computer Security Lab also leads the Privacy, Obligations, and Rights in Technologies of Information Assessment (PORTIA) program for the NSF, and lab co-directors John Mitchell and Dan Boneh are working on a Web phishing and identity theft project with the U.S. Secret Service. TRUST will focus on creating new technologies that enable organizations to build trustworthy control systems for critical infrastructure; besides protecting these systems from attack, TRUST technologies will also imbue them with resiliency so that they can keep operating even under attack. System design needs usability enhancements in order to strengthen the human element of computer security, which is often the weakest link, notes TRUST center director and UC-Berkeley professor S. Shankar Sastry.
Click Here to View Full Article
From ACM's TechNews, April 15, 2005
"Putting Teeth Into U.S. Cybercrime Policy"
CNet (04/14/05); Hines, Matt
- Cyber Security Industry Alliance (CSIA) executive director Paul Kurtz, a former member of the President's Critical Infrastructure Protection Board, explains in an interview that the CSIA's purpose is to give the federal government all the relevant information it needs when considering new cybersecurity legislation. He says a key goal of his organization "is to look across the scope from the simple awareness of cybersecurity as a safety issue to building up education in cybersecurity, to looking at the policy implications of what the executive and legislative branches are considering, to looking at criminal behavior and increasing penalties." Kurtz says the CSIA is pushing for Senate ratification of Europe's Convention on Cybercrime, which would help set up an international architecture for investigating and prosecuting cybercriminals. He says cyberfraud practices such as phishing could have a bearing on homeland security, when one weighs the possibility of a convergence between for-profit hacking, organized crime, and terrorism. The point where these various elements intersect must be established, and such considerations could drum up federal support for more stringent cybercrime policies. Kurtz says the CSIA is partnered with the Center for Democracy and Policy's working group to study spyware and adware in an effort to find a balance between consumer protection and the rights of companies that distribute spyware. "I think there is a need to look at this stuff in a comprehensive context," he remarks. Kurtz also notes that prior to the CSIA's formation, there was no organization fully devoted to cybersecurity policy issues.
Click Here to View Full Article
"Surveillance Works Both Ways"
Wired News (04/14/05); Zetter, Kim
- University of Toronto professor Steve Mann put his concept of "equiveillance through sousveillance" in action when he led about 24 attendees of ACM's Computers, Freedom, and Privacy (CFP) conference in Seattle to a local shopping mall to film or take pictures of surveillance cameras and gauge the reactions of shoppers, store managers, and security personnel. The principle behind equiveillance through sousveillance is the establishment of surveillance parity between the monitors and the monitored. Mann and his party filmed smoked-glass ceiling domes in stores that may or may not house surveillance cameras, and wirelessly sent their pictures to displays in the conference lobby. Companies have been known to install camera domes without cameras in an effort to save money while maintaining the illusion of surveillance, a concept that was in keeping with the CFP event's theme of the Panopticon. The Panopticon is philosopher Jeremy Bentham's model prison, which keeps inmates in line simply by maintaining the possibility that they are being monitored. The conference attendees at the mall wore conference bags with dark plastic domes, some of which were equipped with wireless Webcams. Mann says watching the watchers often involves an element of duplicity, and he has designed technologies that promote surveillance equality. One such product is a wallet equipped with a card reader that can only be opened if someone swipes their ID through the reader.
Click Here to View Full Article
"Prying Eyes Are Everywhere"
USA Today (04/14/05) P. 1D; Kornblum, Janet
- The commercial availability of high-tech spying tools such as hidden cameras, global positioning system devices, and software that monitors computer activity is allowing average citizens to conduct clandestine surveillance on their spouses, children, friends, and neighbors. And the wide expansion of free, easy-to-find personal information online makes background checking a simple matter as well. Howard Rheingold, author of "Smart Mobs: The Next Social Revolution," says these trends have put Orwellian technology into the hands of "your nosy neighbor, your ex-spouse, and people who want to spam you." Privacy Activism's Deborah Pierce, a speaker at this week's 15th annual Computers, Freedom & Privacy Conference, believes citizen snooping is widespread, as evidenced by increasing numbers of legal cases. Paul Saffo of the Institute of the Future warns that spying citizens run the risk of discovering knowledge they would come to regret knowing, and being found out by the people they are monitoring. One of the most common forms of citizen sleuthing is "soft surveillance," in which a curious person enters someone's name on a search engine. Many people use surveillance technologies such as spy software and hidden cameras to keep track of their children's whereabouts or activities, but UCLA psychology professor Gerald Goodman says excessive monitoring can create a feedback loop of distrust between parents and kids. There may be some value in monitoring for kids with serious behavioral problems, but experts recommend the judicious selection and use of tracking technologies.
Click Here to View Full Article
From ACM's TechNews, April 13, 2005
"UC Berkeley to Lead $19 Million NSF Center on Cybersecurity Research"
UC Berkeley News (04/11/05); Yang, Sarah
- The National Science Foundation has selected the University of California, Berkeley, to head its eight-university Team for Research in Ubiquitous Secure Technology (TRUST) center, and the facility is expected to receive a five-year grant of about $19 million, with the possibility of a $20 million extension for another five years afterwards. This comes at a time when the vulnerability of U.S. critical infrastructure makes increased support for fundamental cybersecurity research a matter of considerable urgency, according to a March report from the President's Information Technology Advisory Committee. UC Berkeley's academic partners include Carnegie Mellon University, Vanderbilt University, Smith College, San Jose State University, Stanford University, Mills College, and Cornell University, while industry and other participants include Oak Ridge National Laboratory, Intel, IBM, Hewlett-Packard, Symantec, and the ESCHER research consortium. "The cybersecurity community has long feared that it would take an electronic Pearl Harbor for people to realize the scale of disruptions possible from a concerted attack by terrorists," explains TRUST center director and UC Berkeley professor S. Shankar Sastry, who notes that system design has not adequately aligned with human users and systems' usability thus far. TRUST researchers will commit themselves to the development of novel technologies designed to make organizations more capable of designing, constructing, and operating trustworthy critical infrastructure information systems. TRUST will sponsor and manage education and outreach programs to help train the next generation of trustworthy systems engineers, with a special emphasis on minority and underrepresented populations. The center will be an interdisciplinary effort that brings together experts in public policy, economics, social science, and human-computer interface technology.
Click Here to View Full Article
"Diffie: Infrastructure a Disaster in the Making"
SearchSecurity.com (04/12/05); Brenner, Bill
- Whitfield Diffie, Sun Microsystems' chief security officer and co-creator of the Diffie-Hellman key exchange, says in an interview that his biggest concern is the proliferation of Windows systems into critical infrastructure, which could result in major failures in the event of an attack. He characterizes careful software coding as a more pressing need than tech diversity, explaining that "you probably shouldn't use Windows [for critical infrastructure] because of too little care to coding too deep in its guts." Diffie thinks censorship applications for controlling Web sites employees can visit are overhyped and distract people from the much bigger problem of critical infrastructure vulnerabilities. He predicts that the next decade will see elliptic curve systems supplant key systems based on modular arithmetic, and have a significant impact as smaller, integrated mobile devices become widespread: elliptic curve operations are faster and more power-efficient, and deliver the same security with much shorter keys. Diffie says hand-held browsers and similar technologies will fuel people's hunger for more efficient, lower-power systems. He also foresees standard security technologies such as the Advanced Encryption Standard displacing older ciphers such as DES, 3DES, and RC4, and being incorporated into hardware and software worldwide. Diffie believes widespread Public Key Infrastructure (PKI) use is an inevitability, but acknowledges the existence of a standardization problem he primarily attributes to capital development difficulties.
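Two ideas from this interview and from the Computer Weekly overview above, key agreement over a modular-arithmetic group and the derivation of a symmetric key from it, as an added example that is not code from either article: each side sends one public value, the shared secret is run through HKDF (RFC 5869) before use, and the derived key authenticates a message with HMAC. The group is the 2048-bit MODP group 14 from RFC 3526; the session salt and the message are constructed for the example. The elliptic curve systems Diffie expects to take over replace the modular exponentiation with curve arithmetic but keep exactly this flow.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
Q = (P - 1) // 2   # safe prime: the generator's subgroup has prime order Q

def generate_keypair():
    """Private exponent of 256 bits is ample for a 2048-bit group and keeps pow() fast."""
    priv = secrets.randbits(256) | (1 << 255)
    return priv, pow(G, priv, P)

def validate_public(y: int) -> bool:
    """Reject degenerate values (0, 1, p-1) and anything outside the order-Q
    subgroup; without this a peer can force the shared secret into a tiny set."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1

def shared_secret(priv: int, peer_pub: int) -> bytes:
    if not validate_public(peer_pub):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(256, "big")

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand. The raw DH output is biased and must not be
    used as a key directly."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]

def run_exchange():
    """Both sides' messages are the public values; returns (keys match, tag verifies)."""
    a_priv, a_pub = generate_keypair()        # Alice -> Bob: a_pub
    b_priv, b_pub = generate_keypair()        # Bob -> Alice: b_pub
    salt = b"demo-session-salt"               # constructed; a real protocol uses nonces or a transcript hash
    k_alice = hkdf_sha256(shared_secret(a_priv, b_pub), salt, b"mac key")
    k_bob = hkdf_sha256(shared_secret(b_priv, a_pub), salt, b"mac key")
    msg = b"transfer 100 to account 42"       # constructed
    tag = hmac.new(k_alice, msg, hashlib.sha256).digest()   # Alice authenticates
    ok = hmac.compare_digest(tag, hmac.new(k_bob, msg, hashlib.sha256).digest())
    return k_alice == k_bob, ok

if __name__ == "__main__":
    print(run_exchange())   # (True, True)
```

Nothing here tells Alice that `b_pub` really came from Bob; an attacker in the middle can run two exchanges and relay. Binding public values to identities is the job the articles assign to PKI and digital signatures, and it is the piece this block deliberately leaves out.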
Click Here to View Full Article
From ACM's TechNews, April 8, 2005
"Lessons in Cybersafety"
ITworldcanada.com (04/05/05); Parkins, Robert
- The current Internet structure makes security breaches inevitable since it assumes reasonable behavior, warned Harvard Law School Internet and society executive director Jonathan Zittrain. Because attackers use the same information avenue machines receive legitimate input from, there is always the chance that incoming data could be used to control computers. This situation is eroding privacy, Zittrain told attendees of the sixth annual privacy and security conference hosted by British Columbia's Ministry of Management Services. One way to solve the problem would be the creation of separate virtual networks that run atop the current infrastructure, but are controlled so as to ensure the identities of participants; these secure networks would probably be administered by software companies, but their development prodded by government agencies who use their purchasing clout to demand greater security. Government and industry are colluding to conduct surveillance on citizens, warned ACLU Technology and Liberty Project director Barry Steinhardt. Private data brokers and "policy laundering" practices by government effectively negate domestic review of controversial government activity; policy laundering refers to government use of international organizations to develop policies by proxy outside of normal domestic purview, such as how new passport standards are being developed by the International Civil Aviation Organization. Secured Services chief technical officer Michael Smith said many IT security problems could be traced to application-centric architectures that create redundant accounts and complicated authentication processes. Identity lifecycle management systems can help streamline IT security by centralizing the creation, maintenance, and audit of identities.
Click Here to View Full Article
"Bigger Phishes Ready to Spawn"
CNet (04/06/05); Hines, Matt
- Security researchers say the growth of phishing attacks has slowed dramatically, but they warn that online criminals are crafting more sophisticated attacks that employ pharming, instant messaging platforms, cross-site scripting, and DNS poisoning. Phishing attacks are also targeting smaller groups of people who hold valuable information, enabling the attacks to use more effective social engineering techniques. Salesforce.com customers, for example, were targeted with phishing messages offering free trials of new application features. Anti-Phishing Working Group Chairman Dave Jevans suspects the thieves used account names and passwords to steal corporate information that could be resold to marketers or used for industrial espionage. Phishers can use more effective social engineering with a smaller group of targets instead of general spam messages. An attack via the Yahoo! Messenger platform in March leveraged contacts in people's address books, and shows that phishers could also be targeting teenagers who might be more prone to divulge personal information. Another innovative social engineering attack mimicked antiphishing messages from eBay and other firms, warning users not to release personal information via email, said Mail-Filters' Dan Ashby. Among legitimate links included in those messages was a link to a fraudulent site. Phishers are also becoming more professional, changing their techniques in response to publicized security information. When warnings about cross-site scripting were published, some attackers began delivering their content through inline frames embedded in Web pages instead, so that the attack still reached people who had turned JavaScript off.
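The "legitimate links with one fraudulent link among them" trick described here, and the executable-download lure in the Microsoft TechFlash item above, both yield to the same check: compare each anchor's target host with the domain the message claims to come from, compare any URL shown as link text with the real destination, and flag links to executables. This is an added example, not code from either source; the sample message is constructed and the hosts in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def _in_domain(host: str, domain: str) -> bool:
    # "ebay.com.attacker.example" does NOT end with ".ebay.com", so it fails here.
    return host == domain or host.endswith("." + domain)

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")

def audit_links(html_body: str, claimed_sender_domain: str):
    """Return (href, reason) for every anchor that does not belong in a message
    from claimed_sender_domain. A message with mostly clean links and one
    finding is exactly the pattern the article describes."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        host = _host(href)
        path = urlsplit(href).path.lower()
        if not _in_domain(host, claimed_sender_domain):
            findings.append((href, f"link host {host!r} is outside {claimed_sender_domain}"))
        if text.startswith(("http://", "https://")) and _host(text) != host:
            findings.append((href, f"visible URL {text!r} points somewhere else"))
        if path.endswith(EXECUTABLE_SUFFIXES):
            findings.append((href, "link to an executable download"))
    return findings

# Constructed sample: an "anti-phishing notice" with two genuine links, one
# look-alike host shown under a genuine-looking URL, and one executable lure.
SAMPLE_MAIL = """
<p>Important: never give your password in reply to an e-mail.</p>
<a href="http://pages.ebay.com/help/security.html">Security Center</a>
<a href="https://www.ebay.com/">Visit eBay</a>
<a href="http://signin.ebay.com.account-check.example/verify">http://signin.ebay.com/</a>
<a href="http://203.0.113.5/SecurityUpdate.exe">Download security update</a>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_MAIL, "ebay.com"):
        print(f"{reason}: {href}")
```

The host comparison is deliberately suffix-based on a dot boundary; matching on "contains ebay.com" is the mistake the look-alike host in the sample is built to exploit.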
Click Here to View Full Article
From ACM's Queue, April 4, 2005
- Understanding Software Patching:
Developing and deploying patches is an increasingly important part of the software development process.
Read the article.
From ACM's Queue, March 28, 2005
- An Update on Software Updates:
Editor Ed Grossman passed me the pen this month to tell you about our topical focus on software updates.
Read the article.
Kill the Bots!, an article at Technology Review.com, May, 2005.
From EduPage, April 11, 2005
Program Teaches Hacking To Raise Awareness
BBC, 8 April 2005
- The University of La Salle in Barcelona has begun a program to raise awareness of computer hacking and to teach teens how to protect themselves. Sponsored by the Institute for Security and Open Methodologies (ISECOM), the Hacker High School invites students from local high schools to the La Salle campus to expose them to the ins and outs of hacking. Pete Herzog, managing director of ISECOM, said the program shows participants how computer hacking is accomplished so that they can understand the concepts behind what computers do, how to clean them, how applications can compromise computers, and the implications for personal privacy. According to one official from the program, the goal is to provide experiences for students to learn how hacking happens so that they will become "ethical hackers, good hackers, knowing what they do and what the limits are." School officials believe having skills as an ethical hacker could be beneficial when students go looking for jobs later. http://news.bbc.co.uk/2/hi/programmes/click_online/4423351.stm
From EduPage, April 4, 2005
Higher Ed Fares Below Average For Computer Security
New York Times, 4 April 2005
- A recent spate of computer-security incidents at colleges and universities has drawn attention to the apparent tension between concerns over academic freedom and the need to protect sensitive information. Stanton S. Gatewood, chief information security officer at the University of Georgia, which suffered a security breach last year, noted that higher education is "built on the free flow of information and ideas," saying that college and university networks are designed based on that ideal. The result, however, is a tempting target for information thieves. According to the Office of Privacy Protection in California, colleges and universities in that state have accounted for more data incidents since 2003--close to 30 percent--than any other group. Although some states now prohibit using Social Security numbers as identifiers in many databases, their continued prevalence makes changing structures difficult. The University of Michigan, for example, spent seven years weaning itself off Social Security numbers. Because testing agencies and other organizations continue to use them, however, the university finds it still has to track them.
(registration req'd) http://www.nytimes.com/2005/04/04/technology/04data.html
From New York Times, April 4, 2005
Some Colleges Falling Short in Security of Computers
By Tom Zeller Jr.
- If the computer age is continually testing how well institutions protect personal information, the nation's colleges and universities may be earning a failing grade.
Read the article.
From ACM's TechNews, April 4, 2005
"Carnegie Mellon Unit Looks to Advance IT Security, Reliability"
Computerworld (03/28/05) P. 23; Thibodeau, Patrick
- Pradeep Khosla, dean of Carnegie Mellon University's Carnegie Institute of Technology and co-director of CyLab, explains in an interview that CyLab is focusing on next-generation IT systems that incorporate measurability, sustainability, security, and trustworthiness. He says that CyLab absorbed the Sustainable Computing Consortium, whose goal was to enhance the quality and reliability of software by reducing the number of bugs. Khosla says CyLab splits up its research into "thrusts": its resilient and self-healing systems thrust, for example, is not about security per se, although it does address some security issues. Other thrusts Khosla mentions cover user authentication and access control, data and information privacy, business economics, and threat detection modeling. The CyLab co-director notes that CyLab has the same goals as IBM's autonomic computing initiative, although their approaches differ--CyLab, for instance, usually concentrates on higher-risk problems. Khosla reports that CyLab has produced a practical secure storage demo system which is being expanded to include self-security, self-analysis, and self-repair. Such a system would enable users to trace data packets back to the source, and Khosla predicts that a lab-developed coding scheme for facilitating packet tracing will become commonplace in the next three to five years. He thinks CyLab's backers could put malicious code detection on the CyLab 2006 agenda at next month's meeting.
Click Here to View Full Article
From EduPage, April 1, 2005
Spammer Files For Bankruptcy Protection
BBC, 1 April 2005
- Scott Richter, proprietor of one of the world's best known spamming operations, said the company has been forced to file for bankruptcy protection. OptInRealBig.com has been the target of several lawsuits for violating antispam laws, including one lawsuit filed by Microsoft, which is seeking $46 million in damages. Spamhaus, an organization that monitors junk e-mail globally, ranks OptInRealBig.com third on its list of spam operations around the globe. The company is alleged to have sent billions of e-mail messages that appeared to come from hijacked return addresses, including those of the Kuwait Ministries of Communication and Finance, the Seoul Municipal Boramae Hospital, and the Virginia Community College System. In its announcement, OptInRealBig.com said that the ongoing lawsuits and possible damages have made it impossible for the company to "still run a viable business." An attorney for OptInRealBig.com said the company expects ultimately to prevail.
http://news.bbc.co.uk/2/hi/technology/4400335.stm
Lawsuits Target Phishers
Reuters, 31 March 2005
- Microsoft has filed 117 "John Doe" lawsuits against operators of Web sites involved in phishing scams. Phishers send e-mail messages that purport to be from a bank or other financial services institution. The e-mails tell recipients that they must visit a Web site and disclose personal information, typically under the pretense of updating account records or something similar. Disclosed information is then used for credit card fraud and other types of identity theft. Microsoft said it was filing the lawsuits in an effort to discover who is behind the largest phishing operations and put them out of business. Microsoft's Aaron Kornblum said, "We must work together to stop these con artists from misusing the Internet as a tool for fraud."
http://www.reuters.com/newsArticle.jhtml?storyID=8051350
From ACM's TechNews, March 30, 2005
"Secure Flight Faces Uphill Battle"
Wired News (03/29/05); Zetter, Kim
- The Transportation Security Administration (TSA) has only fulfilled one of 10 requirements set by Congress for the Secure Flight passenger screening system, set to launch in August. The Government Accountability Office (GAO) says the TSA has set up an oversight committee for the Secure Flight program, but has not yet formulated policies to guide that committee. In addition, the TSA has not yet tested the accuracy and efficacy of data nor chosen what commercial data, if any, it plans to use; also lacking are redress procedures for passengers to challenge the system's assessments or change incorrect information. Secure Flight improves on the previous CAPPS II system by placing passenger screening functions in the hands of the TSA instead of the airlines. The TSA will combine airline passenger data, government information including terrorist watch lists, and commercial data to identify possible terrorists. ACLU Technology and Liberty Project director Barry Steinhardt says airlines might have to begin collecting new information from passengers to pass on to the TSA and help verify matches against watch lists, and he doubts Secure Flight will be ready by the August deadline, when the TSA is expected to begin testing Secure Flight with two domestic carriers before rolling it out for all domestic air travel. But TSA's Yolanda Clark says the GAO report should be considered a progress report, not a final evaluation; Secure Flight is a 14-month project and was evaluated by the GAO at the eight-month point, she says. The TSA recently finished testing airline, government, and commercial data, and IT infrastructure and hardware are already in place.
Click Here to View Full Article
"Identity Theft Made Easier"
Wall Street Journal (03/29/05) P. B1; Delaney, Kevin J.
- Identity thieves made headlines with security breaches at ChoicePoint and LexisNexis, but common search engines provide a much easier route to obtaining illicit personal information. Google hacking, the practice of crafting specific search queries using special commands to find sensitive personal data, was demonstrated at an Agora security industry meeting in Seattle, where teams raced to accumulate the most identity information in an hour. The winning team found a directory with the Social Security numbers of more than 70 million deceased persons, while the second-place team uncovered hundreds of scanned passport documents and a Justice Department site listing employees and their work credit-card numbers. The contest rules limited teams to using only Google to turn up data, though real hackers would likely employ other means to burrow further into exposed systems. Google and other public search engines are not responsible for the privacy breaches since they only index publicly available Web data; instead Web site operators and negligent users are to blame for data left open to the public, says Seattle chief information security officer Kirk Bailey, who organized the Agora Google-hacking contest. Data exposed via Google is often left open by people who think the information is hidden. Organizations have a responsibility to perform audits of their own networks to ensure sensitive data is not left exposed, and to enable firewall software that blocks public access to sensitive areas of the network; Google also plays a cat-and-mouse game with hackers as it tries to disable the most effective Google hacks while keeping the service as accessible as possible, say Google-hacking experts. There are a number of books and Web sites that provide information on Google hacks, and non-technical people can make use of them.
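The audit the article says site operators owe their users can be run from the inside, on the document tree the web server publishes, long before a search engine indexes it. The script below is an added example, not anything from the contest or the article: it walks a web root, scans the file types a crawler would index, and reports files holding plausibly valid U.S. Social Security numbers, discarding values the SSA has never issued (area 000, 666 or 900 and above, group 00, serial 0000) to cut false positives from order numbers and phone numbers. The web root it builds is a constructed temporary directory, and the list of "indexable" extensions is an assumption.

```python
"""Added example: offline self-audit of a web root for exposed SSNs.
Not from the article; the directory tree is constructed in a temp dir."""
import os
import re
import shutil
import tempfile

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# File types a public search engine would index (assumption of the demo).
INDEXABLE = (".txt", ".csv", ".html", ".htm", ".xls", ".doc", ".pdf", ".log")


def plausible_ssn(area, group, serial):
    """Drop values the SSA has never issued: area 000, 666, 900-999;
    group 00; serial 0000.  Everything else is treated as a hit."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_file(path, max_bytes=5_000_000):
    """Count plausible SSNs in one file (first max_bytes only)."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="replace")
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))


def audit_webroot(root, exts=INDEXABLE):
    """Return {relative_path: hit_count} for every indexable file with >= 1 hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            n = scan_file(full)
            if n:
                hits[os.path.relpath(full, root)] = n
    return hits


def demo():
    """Build a constructed web root, audit it, and clean up.
    Only backup/alumni.csv should be reported: the order number has serial
    0000, the ticket has area 666, and the phone number never matches."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "backup"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Dept. of Example</h1> Order #123-45-0000 shipped.")
        with open(os.path.join(root, "backup", "alumni.csv"), "w") as f:
            f.write("Doe,Jane,219-09-9999\nRoe,Richard,078-05-1120\n")
        with open(os.path.join(root, "backup", "notes.txt"), "w") as f:
            f.write("ticket 666-12-3456 (bogus) ; phone 555-123-4567")
        return audit_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, count in demo().items():
        print(f"{count:4d}  {path}")
```

Pointing audit_webroot at the real document root (and at any directory a misconfigured server might list) is the cheap half of the check; the expensive half is deciding whether each hit is a record that should exist there at all.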
"Cars Are Getting Computer-Jacked"
CNet (03/25/05); Spooner, John G.
- The presence of automotive electronics is expanding both in the dashboard and under the hood, reducing clutter and freeing up designers to experiment aesthetically. "Everything is blending into one unified theme," notes Ford Motors designer Anthony Pozzi, who designed the Meta One concept sports car displayed at the New York International Auto Show; the car boasts a fluent design that features recessed buttons rather than stalks for changing gears, and a trio of LCD screens for displaying speed, navigation data, and other traditional gauges that can be customized to the driver's preferences. Nearly all auto models are expected to offer some type of MP3 player link in the next several years, and demand for in-vehicle iPod connectors has spurred several manufacturers to plan such offerings, although embedded hard drives may eventually outdate such devices. Electronics are also permeating car safety systems, such as networked sensors for measuring the vehicle's wheel speed, steering wheel angle, and yaw, which can be used to support dynamic stability control and other fail-safes. Eventually, car computer systems will be imbued with predictive capabilities so that they can facilitate collision avoidance and other safety-enhancing operations. Such systems are currently offered in deluxe models only, but auto executives at the show predicted that they will be incorporated into cheaper vehicles, either as an option or as standard gear. Computer systems perhaps have the greatest penetration in hybrid cars that run on both gas and electricity. Hybrid vehicles from Toyota use such systems to control the switch between electric and gas, and make the transition imperceptible.
Click Here to View Full Article
From EduPage, March 30, 2005
Thief Grabs Laptop And 100,000 Identities
Inside Higher Ed, 29 March 2005
- Officials at the University of California at Berkeley said that a laptop stolen from the university's graduate division contained personal information for nearly 100,000 individuals. The computer included records for applicants to Berkeley's graduate programs from fall 2001 to spring 2004; students enrolled in the school's graduate programs from fall 1989 to fall 2003; and individuals who received doctorates from Berkeley between 1976 and 1999. Although no evidence exists that any of the stolen information has been used fraudulently, according to a statement from the university, the institution is required by a California law to disclose the breach to those affected. The statement said the university is making "every reasonable effort to notify by mail or e-mail all 98,369 individuals whose names and Social Security numbers were on the computer."
http://www.insidehighered.com/index.php/news/2005/03/29/theft
From ACM's TechNews, March 28, 2005
"Terror Plot to Cripple UK in Cyber Attack"
Scotsman (UK) (03/22/05); Kirkup, James
- Due to a growing dependence on electronic networks in Britain and throughout the world and the increasing technological sophistication of terrorists, Britain's counter-terrorism coordinator David Omand issued an alert that both government and private sectors need to ramp up electronic anti-terrorism defenses. Omand says terrorists are working on launching a crippling cyberattack, warning that top al Qaeda operatives who have been arrested or are being tracked have shown significant technological sophistication. Former Metropolitan Police Authority Chairman Toby Harris warns of "significant vulnerability in the systems we all rely on," and Omand believes the defense against cyberterrorism will fail unless businesses in the private sector begin taking the threat seriously and upgrading their defenses. Attacks could come in the form of denial of service attacks, hacking into sensitive electronic systems, attacking electricity grids or systems controlling hydroelectric dam flood gates, or carrying out a coordinated physical and electronic attack on emergency systems. The global nature of the Internet has Britain working with countries it often regards with hostility to prevent cyberattacks. Harris says, "Britain could be quickly reduced to large-scale disorder, including looting and rioting, in the event of a serious disruption of critical national infrastructure."
Click Here to View Full Article
"Security Counterattack"
Network World (03/21/05) Vol. 22, No. 11, P. S12; Gittlen, Sandra
- Experts warn that new data center technologies and Web services will increase security burdens because of the added complexity; instead of guarding a perimeter and managing internal application security, IT managers will have to be able to secure every node on their network and validate the security of Web services building blocks from outside sources. Complexity is not only an issue for IT managers, but for users as well: A Palo Alto Research Center (PARC) study showed laptop users spent an average of two hours configuring 802.1X security. PARC developed an enrollment station architecture for enterprises that would allow users to configure their system settings according to network policy in just two minutes using close-proximity communications such as infrared. Cornell University's Information Assurance Institute, meanwhile, is working on language-based security that builds security basics into programming in hopes of fostering more secure Web services in the future. Web services pose serious security risks because of their connectivity and the interdependence of various services' code, and Information Assurance Institute director Fred Schneider advocates safe systems languages for building Web services and other extensible applications. Internet2 researchers have created the Shibboleth Project for simplifying authentication in cross-organizational situations where users would otherwise have to register multiple times; by reducing the amount of personal information sent out by users, these systems would be less prone to identity theft and fraud. Grid computing organizations have accepted Shibboleth as an important security technology. ContentGuard, founded by former PARC researchers, offers technology to protect content after it has left the network; the group's Extensible Rights Markup Language (XrML) has been submitted to OASIS and offers a way to control content distribution and accessibility.
Click Here to View Full Article
From ACM's TechNews, March 25, 2005
"War of Words over Operating Systems' Safety"
New Scientist (03/23/05); Biever, Celeste
- Recent reports on Linux-based Web servers, the open-source Firefox Web browser, and Apple's Mac OS X operating system raise doubts about their security, which experts contend is still better than that of their Microsoft equivalents. Symantec's biannual Internet Security Threat report issued on March 21 indicates that 21 new programming errors were uncovered in Firefox between July and December 2004, compared to 13 in Internet Explorer. ScanIT also released on Monday a conflicting report that low patching rates made 98% of IE users exploitable in 2004, while just 15% of Linux users were vulnerable; ScanIT founder David Michaux also notes that Symantec found fewer severe errors in Firefox than in IE. The Symantec report lists 37 vulnerabilities in Mac OS X, and takes the Renepo worm discovered last October as a sign that the Mac operating system is increasingly being targeted for the kinds of attacks usually associated with Microsoft and numerous Unix-based OSes. Independent security consultant Richard Forno counters that the Symantec report inflates the significance of the Mac OS X vulnerabilities, arguing that hackers "want to go after the low-hanging fruit and the Mac OSX is still not as bug-ridden as Windows." A March 22 report commissioned by Microsoft and released by Florida Institute of Technology computer scientist Richard Ford takes note of 174 vulnerabilities in an open-source Linux server, compared to 52 in a Microsoft counterpart. In addition, the interval between reporting a flaw and patching it was substantially shorter with the Microsoft server than with the Linux server. Sophos security consultant Graham Cluley calls these findings immaterial since Linux users are far fewer in number and more likely to patch their systems than Windows users, which makes them less attractive to hackers.
Click Here to View Full Article
"Does IM Stand for Insecure Messaging?"
CNet (03/23/05); Hines, Matt
- The threat of instant messaging (IM) worms is growing, and a key factor in their spread is the obliviousness of users and IT administrators. "A person unaware of the IM threat is the biggest risk that exists for these viruses to have some success," warns McAfee research fellow Jimmy Kuo. Most IM worms are disguised as attachments to messages that appear to originate from trusted sources, so that the recipient opens them without ever realizing that he or she has downloaded malware that rapidly spreads to all the names on their IM buddy list. Aladdin Knowledge Systems technology VP Shimon Gruper reports that IM's scant built-in security has made it unnecessary for hackers to target the IM code, but some experts think such attacks are inevitable. Furthermore, IM's popularity as a communications medium between computers and smart phones could make mobile devices vulnerable to viruses sent from PCs. The workplace penetration of public IM applications is increasing corporate networks' susceptibility to IM-borne threats, although businesses are usually better fortified against malware than consumers. There is also evidence to suggest that recent IM worms are being employed as a way for hackers to communicate with one another. VeriSign principal scientist Phillip Hallam-Baker says that although there have been few IM attacks so far, that could change. He says "that as email systems are being secured, there's a displacement effect and people are moving their efforts over to IM." America Online's Andrew Weinstein feels that user awareness of the IM threat is the best defense, and recommends that users regard every IM they receive with caution, even if it appears to come from a familiar sender.
Click Here to View Full Article
"Cyberterrorism Isn't a Threat Yet, One Expert Says"
Fort Worth Star-Telegram (03/23/05); Batheja, Aman
- Cyberterrorism is a concept that has been overblown by the media and poses no threat, though someday it will evolve into a threat worth worrying about, according to longtime computer security expert Marcus Ranum, the inventor of the proxy firewall. Ranum made his comments at Texas Christian University on Tuesday during a lecture on computer hacking and terrorism. Cyberterrorism is an impractical means for terrorists to carry out their objective of striking fear into the hearts of their enemies, Ranum said. "Is it more cost effective to train yourself a cadre of cyber-ninjas or is it more effective to find idiots who will believe in your cause and wrap themselves in plastic explosives?" asked Ranum. Hackers have the capability of disrupting large parts of the Internet, but the Internet would be up and running again within 10 minutes, Ranum says. Despite his contention that cyberterrorism is not worth worrying about, Ranum does allow that the U.S. is vulnerable to cyberterrorism, pointing out that the vulnerability that produced the East Coast blackout of 2003 went undetected. Also, there is little security protecting the infrastructure that controls the nation's sewage systems, he says.
Click Here to View Full Article
(Access to this site is free; however, first-time visitors must register.)
From New York Times, March 19, 2005
Growth of Wireless Internet Opens New Path for Thieves
By Seth Schiesel
- The spread of the wireless data technology known as Wi-Fi has reshaped the way millions of Americans go online, letting them tap into high-speed Internet connections effortlessly at home and in many public places. ... But every convenience has its cost. Federal and state law enforcement officials say sophisticated criminals...
From ACM's TechNews, March 23, 2005
"IBM Embraces Bold Method to Trap Spam"
Wall Street Journal (03/22/05) P. B1; Forelle, Charles
- Efforts to block spam are getting more aggressive, as the fight moves from passive spam filters to counterattacking measures such as "teergrubing," where spammers are trapped by tying up their servers. Although open-source counterattacking software has been available for a while, new products from IBM and Symantec have made the practice less problematic for corporate users. A new service from IBM that sends junk email directly back to the machine identified as the spammer is scheduled to debut on March 22. The system, which is based on IBM's FairUCE technology, scans incoming data packets bearing email and checks their point of origin against a continually updated database of established spamming machines, routing the data back to the sender if the source is in the database. The zealousness of the response is proportional to the amount of spam received. The system can also delay rather than unequivocally reject data packets originating from a computer that is probably but not definitely spamming. Symantec, meanwhile, released a product in January that uses "traffic shaping" to slow links from suspected spamming machines: Data streams that appear to be coming from a spammer are throttled down so that data moves slowly; Symantec's Carlin Wiegner says the product is designed to "slow [spammers] down so much that it is more interesting for them to spam some small business or some other country." Both IBM and Symantec's products are geared toward large companies with sizable enough email traffic to realize significant profits from less spam. The products do not break anti-hacking laws that criminalize unauthorized entry to a remote system, even to protect another system; but they can boost network traffic, which is generally unwanted. "Yes, we are adding more traffic to the network, but it is in an effort to cut down the longer-term traffic," argues IBM corporate security strategy director Stuart McIrvine.
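The two responses in that summary, holding a known spammer on the line and merely slowing and deferring a source that is "probably but not definitely" spamming, come down to one policy decision made on the SMTP side. The session model below is an added example, not IBM's FairUCE or Symantec's product code: a listed source is tarpitted (every reply held for a long fixed delay, the message finally refused), a suspect source is answered slowly and given a temporary 4xx failure on RCPT so a real mail server retries while a bot usually moves on, and a clean source is served at once. Symantec-style bandwidth shaping is not modelled. The reputation database, thresholds and delay curve are invented, and the sleep is injectable so a session can be replayed without waiting.

```python
"""Added example: SMTP tarpit/defer policy and a minimal session applying it.
Not vendor code; reputation data and delay curve are constructed."""
import time

# Constructed "database of established spamming machines": ip -> confidence 0..1
REPUTATION = {"198.51.100.7": 0.97, "192.0.2.44": 0.55}
DEFER_AT, REJECT_AT, MAX_DELAY = 0.5, 0.9, 60.0   # assumptions


def policy(ip, db=REPUTATION):
    """Return (mode, seconds_per_reply).  The delay doubles with each tenth of
    confidence, so the more certain the listing, the longer the sender is held."""
    score = db.get(ip, 0.0)
    if score < DEFER_AT:
        return "accept", 0.0
    delay = min(MAX_DELAY, float(2 ** int(score * 10)))
    return ("tarpit" if score >= REJECT_AT else "defer"), delay


class TarpitSession:
    """Server side of one SMTP connection; the policy delay applies to every reply."""

    def __init__(self, peer_ip, db=REPUTATION, sleep=time.sleep):
        self.mode, self.delay = policy(peer_ip, db)
        self.sleep, self.held = sleep, 0.0
        self.in_data, self.rcpt_ok, self.transcript = False, False, []

    def _reply(self, text):
        self.sleep(self.delay)          # the teergrube: hold the line before answering
        self.held += self.delay
        self.transcript.append(("S", text))
        return text

    def greet(self):
        return self._reply("220 mail.example.org ESMTP")

    def handle(self, line):
        """Feed one client line; returns the reply, or None for body lines in DATA."""
        self.transcript.append(("C", line))
        if self.in_data:
            if line != ".":
                return None
            self.in_data = False
            if self.mode == "tarpit":       # accepted the whole body, then refuse it
                return self._reply("550 5.7.1 Rejected: listed spam source")
            return self._reply("250 2.0.0 Queued")
        cmd = line.split(" ", 1)[0].upper()
        if cmd in ("HELO", "EHLO"):
            return self._reply("250 mail.example.org")
        if cmd == "MAIL":
            return self._reply("250 2.1.0 OK")
        if cmd == "RCPT":
            if self.mode == "defer":        # temporary failure: legitimate MTAs retry
                return self._reply("450 4.7.1 Deferred, try again later")
            self.rcpt_ok = True
            return self._reply("250 2.1.5 OK")
        if cmd == "DATA":
            if not self.rcpt_ok:
                return self._reply("503 5.5.1 No valid recipients")
            self.in_data = True
            return self._reply("354 End data with <CR><LF>.<CR><LF>")
        if cmd == "QUIT":
            return self._reply("221 2.0.0 Bye")
        return self._reply("500 5.5.2 Command not recognized")


# Constructed sender script: one short message.
SCRIPT = ["EHLO bot.example", "MAIL FROM:<x@example.com>",
          "RCPT TO:<victim@example.org>", "DATA", "Subject: hi", "", "buy now", ".", "QUIT"]


def replay(ip, db=REPUTATION):
    """Play the script against the policy with a no-op sleep.  Like a real
    MTA, the sender gives up (QUITs) on the first 4xx/5xx reply.
    Returns (server replies, total seconds the sender would have been held)."""
    s = TarpitSession(ip, db, sleep=lambda seconds: None)
    replies = [s.greet()]
    for line in SCRIPT:
        r = s.handle(line)
        if r is None:
            continue
        replies.append(r)
        if r[0] in "45" and line != "QUIT":
            replies.append(s.handle("QUIT"))
            break
    return replies, s.held


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.44", "203.0.113.5"):
        replies, held = replay(ip)
        print(ip, policy(ip)[0], f"held {held:.0f}s", replies[-2])
```

The listed source spends seven replies' worth of delay before hearing a 550, which is the point of the tactic: its sending process is tied up the whole time. The suspect source is cut off early with a retryable 450, costing a genuine server one retry and a bot, typically, the message.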
"Decrypting the Future of Security"
Globe and Mail (CAN) (03/18/05); Kirwan, Mary
- Lawyer, writer, and IT security expert Mary Kirwan notes that there was "universal agreement" among speakers and panelists at the recent RSA Security Conference that innovation is a fundamental component of IT, that security is important, and that something must be done to improve security; from there the debate over what to do devolved into a blame game in which most fingers were pointed at software vendors. Vendors, most clearly represented by a panel of lawyers, warned that imposing liability and subjecting them to government regulation would choke innovation and lead to higher prices, arguing that the burden of security belongs to users. One panelist disagreed, noting that customers are demanding better software licensing terms, as well as input into the code development lifecycle, greater transparency, and code escrowing in the event vendors are unavailable when customers need them. In-house Microsoft lawyers dominating the panel implied that the legal concept of "intervening criminal act" would spare vendors from being found guilty of negligence, and raised the possibility that consumers would be charged with contributory negligence. Audiences, however, generally favored legislation mandating software quality assurance and liability for code development as long as it improved IT security and eliminated vaporware providers. Security guru Bruce Schneier, former U.S. cybersecurity czar Richard Clarke, former U.S. Representative Rick White, and ITAA President Harris Miller formed a panel debating software regulation. White and Miller, representing the industry, argued that government intervention is "highly undesirable," with Miller damning widely adopted European Union software security liability laws as globally out of touch. Clarke, meanwhile, reflected the attitude of many senior government officials who have lost patience with the IT industry.
Click Here to View Full Article
From ACM's TechNews, March 21, 2005
"Study Criticizes Government on Cybersecurity Research"
New York Times (03/19/05) P. B2; Markoff, John
- The federal government's cybersecurity research investments are woefully insufficient, concludes a report prepared by a subcommittee of the President's Information Technology Advisory Committee (PITAC). The report says the U.S. should give $148 million annually to the National Science Foundation to be channeled into Internet security research, as well as greater research investments by the Homeland Security Department and the Defense Advanced Research Projects Agency (DARPA). "The federal government is largely failing in its responsibility to protect the nation from cyberthreats," declared panel co-chair Edward Lazowska, who also chairs the University of Washington's computer science and engineering department. SRI International computer scientist Peter Neumann criticized both the White House and Congress for giving civilian cybersecurity research a low priority. Panelists were also concerned about DARPA and the National Security Agency's shift in focus from long-term academic research to short-term classified research, and noted a basic shortage of leadership and coordination in the federal cybersecurity research effort. They proposed the creation of a federal interagency group to address this shortage. The subcommittee argued that the cybersecurity research community lacks the numbers to fulfill a federal objective to at least double the population of civilian cybersecurity researchers by 2010. The report criticizes the commercial cybersecurity strategy of patching, and lists 10 cybersecurity research areas that should take precedence, including cyberforensics, authentication technologies, monitoring and detection tools, and secure protocols.
Click Here to View Full Article
"Cleaning Spam From Swapping Networks"
CNet (03/18/05); Borland, John
- Cornell University researchers led by assistant computer science professor Emin Gun Sirer have developed "Credence," a new open-source software program designed to clear peer-to-peer (P2P) networks of spam by allowing different computers to "gossip" with each other to determine which P2P files are trustworthy. Credence starts out in the manner of many contemporary P2P networks, in which users rate the legitimacy of files; but the gossiping function checks to see how users on other systems have rated the same files, looking for similar evaluations. During a file search, Credence gives priority to results that receive high ratings by this user community with matching ratings. Spammers who rate their own files as legitimate are thus segregated from these communities of well-reputed computers. "I believe in people; I think most people are honest," notes Sirer. "I think it will be people on the periphery who will be kept out." However, antipiracy companies plant decoys of popular digital content in file-swapping networks in an effort to curb copyright infringement, and the Credence software could filter out these decoys as well. Still, Overpeer general manager Marc Morgenstern is confident that antipiracy companies such as his will inevitably find a way to bypass such filters as part of the arms race between digital pirates and copyright holders.
Click Here to View Full Article
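The gossip-and-correlate idea in that summary is easy to state as code: each peer keeps its own votes on files, and another peer's opinion counts in proportion to how well its past votes agree with mine on files we have both rated. The block below is an added example, not the Credence software itself; the correlation measure (Pearson over shared votes, clamped at zero) and the constructed peers and votes are assumptions of the demo. The spammer "spamco" praises its own upload and disagrees with the honest raters on everything else, so its weight falls to zero and its self-rating does not lift its file in anyone's results.

```python
"""Added example: correlation-weighted file reputation, Credence-style.
Not the project's code; peers, files and votes are constructed."""


def pearson(x, y):
    """Correlation of two equal-length vote lists; 0.0 if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def peer_weights(me, votes, min_overlap=2):
    """votes: {peer: {file_id: +1 or -1}}.  Returns {peer: weight in [0, 1]}.
    Negative correlation is clamped to zero, not inverted: a peer who
    disagrees with me is ignored rather than trusted in reverse (design choice).
    Peers sharing fewer than min_overlap rated files get no weight yet."""
    mine = votes[me]
    weights = {}
    for peer, theirs in votes.items():
        if peer == me:
            continue
        shared = [f for f in mine if f in theirs]
        if len(shared) < min_overlap:
            weights[peer] = 0.0
            continue
        corr = pearson([mine[f] for f in shared], [theirs[f] for f in shared])
        weights[peer] = max(0.0, corr)
    return weights


def rank_results(me, votes, results):
    """Order search results by the weighted sum of other peers' votes."""
    weights = peer_weights(me, votes)
    scores = {}
    for f in results:
        scores[f] = sum(w * votes[p][f] for p, w in weights.items() if f in votes[p])
    return sorted(results, key=lambda f: scores[f], reverse=True), scores


# Constructed gossip state: good1..good3 are genuine files, "decoy" is a
# corrupt copy, "spamware" is the spammer's own upload.
VOTES = {
    "me":      {"good1": 1, "good2": 1, "decoy": -1},
    "bob":     {"good1": 1, "good2": 1, "decoy": -1, "spamware": -1},
    "carol":   {"good1": 1, "decoy": -1, "spamware": -1, "good3": 1},
    "mallory": {"good1": 1, "good2": -1, "decoy": -1},                 # erratic rater
    "spamco":  {"good1": -1, "good2": -1, "decoy": 1, "spamware": 1},  # praises itself
}


def demo():
    """Rank three search hits from my point of view; returns (order, scores, weights)."""
    order, scores = rank_results("me", VOTES, ["spamware", "good3", "decoy"])
    return order, scores, peer_weights("me", VOTES)


if __name__ == "__main__":
    order, scores, weights = demo()
    print("weights:", weights)
    print("ranked:", [(f, round(scores[f], 2)) for f in order])
```

With this data bob and carol carry full weight, the erratic rater half weight, and the spammer none, so "good3" ranks first on carol's word alone while "spamware" and the decoy sink. The same mechanism is why the article's last point holds: a copyright holder's decoys, voted down by people who agree with me, get filtered exactly like spam.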
From ACM's TechNews, March 16, 2005
"Schneier: Secure Tokens Won't Stop Phishing"
IDG News Service (03/15/05); Roberts, Paul
- Strict government regulation is more important for e-commerce security than technology solutions, says Counterpane Internet Security founder Bruce Schneier in an interview. Schneier's article in the April issue of Communications of the ACM argued that two-factor authentication and other end-user technology solutions will not be enough to thwart determined hackers. He says online fraud is becoming more active and immediate; multi-factor authentication is useless when Trojan programs monitor plain text and keystrokes or when man-in-the-middle attacks dupe users into entering information on fake Web sites. Two-factor authentication is useful in some applications, such as securing internal access to company servers, but not for e-commerce. Schneier says a more effective solution to e-commerce fraud is to make banks liable for financial fraud in the same way credit card companies face most of the cost of credit card fraud. After regulations in the credit card industry, those companies began tightening down on fraud through detection technology in their own databases instead of focusing on how customers use their cards; Schneier believes the banking industry will similarly take steps to identify and stop online fraud if their bottom line is threatened. In the battle against online fraud, absolute security is impossible because security is a continuum--the aim is to manage risk enough so that commerce can continue. Security tokens issued by U.S. Bancorp, e-Trade, and America Online will provide improved security against some e-commerce threats, but eventually the benefits from multi-factor security will diminish as hackers shift tactics, says Schneier.
Click Here to View Full Article
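Schneier's point about man-in-the-middle attacks is worth seeing rather than taking on faith. The block below is an added example, not Schneier's code: it implements an event-based one-time password (the HOTP construction of RFC 4226, written out in full) and plays out a phishing site that simply relays the victim's fresh code to the real bank while submitting its own transfer. Alongside it is the variant his argument points toward on the technical side, a code that signs the payee and amount the user is approving, so a relayed code is only good for the transaction the user actually saw. The bank, token, account names and shared secret are constructed.

```python
"""Added example: HOTP codes versus a relaying man-in-the-middle, and a
transaction-bound code.  Not from the article; all parties are constructed."""
import hashlib
import hmac
import struct


def _truncate(mac, digits):
    """RFC 4226 dynamic truncation: 4 bytes at the offset named by the last nibble."""
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def hotp(secret, counter, digits=6):
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def txn_code(secret, counter, payee, amount_cents, digits=6):
    """Transaction signing: the code also covers what the user is approving."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


class Bank:
    """Verifier.  bound=True means it expects transaction-bound codes."""

    def __init__(self, secret, bound=False):
        self.secret, self.bound, self.counter, self.ledger = secret, bound, 0, []

    def transfer(self, payee, amount_cents, code):
        expect = (txn_code(self.secret, self.counter, payee, amount_cents)
                  if self.bound else hotp(self.secret, self.counter))
        ok = hmac.compare_digest(code, expect)
        if ok:
            self.counter += 1          # each code is single-use
            self.ledger.append((payee, amount_cents))
        return ok


class Token:
    """The user's hardware token; shares the secret and counter with the bank."""

    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def press(self, payee=None, amount_cents=None):
        c, self.counter = self.counter, self.counter + 1
        if payee is None:
            return hotp(self.secret, c)
        return txn_code(self.secret, c, payee, amount_cents)


SECRET = b"constructed shared secret"


def relay_attack(bound):
    """The fake site shows the victim a $20.00 bill, takes the fresh code,
    and forwards it to the real bank with the attacker's own transaction.
    Returns (transfer accepted?, bank ledger)."""
    bank, token = Bank(SECRET, bound), Token(SECRET)
    intended = ("Electric Co", 2000)
    code = token.press(*intended) if bound else token.press()
    return bank.transfer("Mule Account", 950000, code), list(bank.ledger)


def honest_use(bound):
    """Same token and bank, no attacker: the user's own transfer succeeds."""
    bank, token = Bank(SECRET, bound), Token(SECRET)
    code = token.press("Electric Co", 2000) if bound else token.press()
    return bank.transfer("Electric Co", 2000, code)


if __name__ == "__main__":
    print("plain OTP, relayed:", relay_attack(False))     # attacker's transfer goes through
    print("bound code, relayed:", relay_attack(True))     # code does not match the new payee
```

The plain token is doing exactly what it was built for, proving the user is present, and that is all the relay needs. Binding the code to the transaction closes this particular hole but not the Trojan case, where the malware can show the user one payee while asking the token for another, which is why the article lands on bank-side fraud detection rather than on the token.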
"Crack in Computer Security Code Raises Red Flag"
Wall Street Journal (03/15/05) P. A1; Forelle, Charles
- A flaw in SHA-1, a "hash function" that reduces data to a short fingerprint on which digital signatures and other online security checks depend, has been uncovered by a team of Chinese researchers at Shandong University, and this has raised alarms in the computer security industry because it casts doubt on the supposed impenetrability of hash-function-based cryptography. SHA-1 is a federal standard circulated by the U.S. National Institute of Standards and Technology (NIST) and the most widely deployed hash function. The Shandong team learned that "collisions," in which two different chunks of data yield the same hash, can be found in SHA-1 far faster than previously thought. Cryptographers say that exploiting the flaw, though not yet practical, could affect applications involving authentication, theoretically enabling a hacker to obtain convincing security credentials for a bogus Web site and steal data sent to it by unsuspecting users. The attack produces collisions rather than preimages, so the attacker must construct both of the colliding documents; this is why certificate requests and other attacker-supplied content that gets signed are the cases of concern. Counterpane Internet Security CTO Bruce Schneier confirms the existence of the SHA-1 flaw, which the Chinese researchers have not yet publicized. NIST is advising federal agencies to keep SHA-1 out of any new applications, and urging them to devise plans to eliminate SHA-1 from existing applications. Recently demonstrated vulnerabilities in other hash functions such as MD4 and MD5, from whose design SHA-1 descends, have also made cryptographers nervous. Concerns about information security are at an all-time high even without revelations about hash functions' vulnerability, most recently thanks to break-ins at data aggregators LexisNexis and ChoicePoint.
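Why a collision, and not just a preimage, is enough to forge a credential: a signature is computed over the hash of a document, so it verifies unchanged for any other document with the same hash. A real SHA-1 collision cannot be produced on a laptop, so the added example below truncates SHA-1 to 32 bits to stand in for a broken function; the birthday search then costs about 2^16 hash evaluations instead of the 2^80 a sound 160-bit hash would demand. The example is not the Shandong team's attack or anyone's product code. The "CA" signature is an HMAC under a CA key standing in for an RSA signature, and the two certificate requests are constructed.

```python
"""Added example: birthday collision on a truncated hash, then signature
transfer from the innocent document to the colliding rogue one.
Not the researchers' attack; documents and CA key are constructed."""
import hashlib
import hmac

CA_KEY = b"constructed CA signing key"      # stands in for the CA's private key


def weak_hash(data, nbits=32):
    """SHA-1 truncated to nbits, modelling a hash whose collision resistance is gone."""
    return hashlib.sha1(data).digest()[: nbits // 8]


def birthday_collision(prefix_a, prefix_b, nbits=32):
    """Find (a, b, tries) with weak_hash(a) == weak_hash(b), where a starts with
    prefix_a and b with prefix_b.  Expected work is about 2^(nbits/2) per side:
    the same square-root behaviour that makes a 2^69 SHA-1 attack alarming."""
    seen_a, seen_b = {}, {}
    i = 0
    while True:
        a = prefix_a + b" #%d" % i          # trailing junk a CA would not look at
        b = prefix_b + b" #%d" % i
        ha, hb = weak_hash(a, nbits), weak_hash(b, nbits)
        if ha in seen_b:
            return a, seen_b[ha], i
        if hb in seen_a:
            return seen_a[hb], b, i
        seen_a[ha], seen_b[hb] = a, b
        i += 1


def sign(doc):
    """The CA signs the hash, not the document: that is what makes collisions matter."""
    return hmac.new(CA_KEY, weak_hash(doc), hashlib.sha256).hexdigest()


def verify(doc, sig):
    return hmac.compare_digest(sign(doc), sig)


def demo():
    """Attacker prepares two requests, gets the innocent one signed, and
    presents the signature with the rogue one.  Returns
    (rogue verifies?, documents differ?, innocent, rogue, tries)."""
    honest = b"CN=shop.example.com, O=Honest Shop"
    rogue = b"CN=bank.example.com, O=Attacker"
    a, b, tries = birthday_collision(honest, rogue)
    sig = sign(a)                           # CA sees and signs only the innocent request
    return verify(b, sig), a != b, a, b, tries


if __name__ == "__main__":
    ok, differ, a, b, tries = demo()
    print(f"collision after {tries} iterations per side")
    print("rogue request verifies under the CA's signature:", ok)
```

Note what the defence is not: checking the innocent request more carefully does not help, because the CA never sees the rogue one. The fix is a hash with intact collision resistance, which is the substance of NIST's advice to keep SHA-1 out of new applications.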
From EduPage, March 28, 2005
Georgia Uncovers Misuse Of Online Portfolios
Chronicle of Higher Education, 1 April 2005
- After discovering files containing personal information on its e-portfolio system, officials at the University of Georgia are reviewing the institution's policies for online portfolios. A student in the university's New Media Institute--part of the school's journalism program--had used the e-portfolio system to store a list of names and credit card numbers on a university-owned server. Officials at the school are not sure how the student obtained the list, which came from a North Carolina company that sells pharmaceutical products online, or what the student intended to do with it. The server where the file resided was immediately taken down, and officials are now combing through the rest of the files before re-posting them, looking for any other inappropriate information. According to Scott Shamp, director of the New Media Institute, the incident has raised questions about how long and under what terms the university will offer online portfolio services to its students. Shamp, who expressed support for online portfolios, pointed to the possibility of third-party options to address concerns over liability for the institution.
(sub. req'd) http://chronicle.com/prm/weekly/v51/i30/30a04102.htm
Tech Companies Coordinate Efforts To Fight Hackers
CNET, 28 March 2005
- A group of leading technology companies has formed the Fingerprint Sharing Alliance to coordinate efforts to fight hackers. Members of the alliance include British Telecommunications, Cisco Systems, EarthLink, MCI, NTT Communications, and the University of Pennsylvania. When any member of the alliance experiences an attack by a hacker or notices evidence that would suggest an attack, all other members are notified, increasing the odds of limiting damage from the attack. Jim Slaby, senior analyst with the Yankee Group, expressed support for the new alliance and the kind of intercompany communication on which it is based. "Service providers that are cooperating by sharing attack fingerprints are helping mitigate these threats more quickly and closer to the source," he said, "thus making the Internet a more secure place." http://news.com.com/2100-7355_3-5642840.html
From EduPage, March 21, 2005
Dartmouth Decides To Penalize, But Not Eliminate, Hackers
Pittsburgh Post-Gazette, 18 March 2005
- Applicants to the Tuck School of Business at Dartmouth College who used a hacker's tips to try to access admissions records were not automatically disqualified, though their actions were considered by school officials in their admissions decisions. The decision to consider applications of those involved in the hacking was made after consultations with faculty and staff and with the applicants themselves. Unlike officials at Harvard University, Duke University, MIT, and Carnegie Mellon University, administrators at Dartmouth decided that the hacking, while serious, "did not reach the level that would necessarily bar a person from being a valued member of the Tuck community," according to Paul Danos, dean of the school. Attempting to access restricted records was viewed by the school as "a very important negative factor" in considering the applications, but ultimately the school's decision did not rest on that single factor. Of the 17 applicants involved, some were admitted, and those who enroll will be monitored and counseled. The incident will also become a part of their files. http://www.post-gazette.com/pg/05077/473361.stm
Applying Old Scams To New Technologies
Wired News, 20 March 2005
- The emergence of voice over Internet protocol (VoIP) phone service has opened a new door for hackers and others to fool users. Using the Internet to transmit phone calls allows callers to spoof Caller ID systems, something that isn't possible with traditional phone service. Although telemarketers are required by the Federal Communications Commission to properly identify themselves, Caller ID spoofing is otherwise not prohibited. As a result, someone can, for example, call Western Union, which requires customers to call from their home phones to initiate money transfers, using a faked source number, and make a fraudulent transfer. In other instances, debt collectors and private investigators use Caller ID spoofing to trick people into answering their phones and possibly divulging information they otherwise would not. Scams similar to e-mail phishing rackets also take advantage of Caller ID spoofing, deceiving people into believing that a caller is at a bank or a financial institution and helping persuade them to reveal personal information to the caller. http://www.wired.com/news/privacy/0,1848,66954,00.html
From EduPage, March 18, 2005
Hackers Target Boston College Alumni Database
ZDNet, 17 March 2005
- A computer at Boston College with access to an alumni database has been found to be infected with a virus that may have exposed personal information on more than 100,000 individuals. According to officials at the college, the computer was operated not by the college but by a third-party IT service, which officials declined to name. Although no evidence has so far surfaced that any of the information in the database was in fact accessed by hackers, officials decided to notify anyone who might have been affected. Jack Dunn, spokesperson for Boston College, said, "We thought it was necessary to send out the precautionary advisory to alert the alumni and to offer them steps that they could take to ensure their privacy." Dunn also noted that Boston College will hereafter delete Social Security numbers from its records, despite their usefulness in maintaining accurate records. Social Security numbers have lately been highlighted as one of the pieces of personal information that pose the greatest risk for identity theft. Members of Congress have recently proposed strict restrictions for how and when Social Security numbers can be gathered and sold. http://news.zdnet.com/2100-1009_22-5623084.html
From EduPage, March 23, 2005
Study Blames Users For Encouraging Spam
BBC, 23 March 2005
- A new report lays much of the blame for the ongoing problem of spam at the feet of computer users who open spam messages and even buy products or services advertised in spam. According to the survey, conducted by Mirapoint and the Radicati Group, nearly one-third of users have opened such messages, and one in ten has made a purchase. The report calls such actions "bad e-mail behavior" and said it encourages not just marketers but con artists to continue sending vast amounts of spam. Many adult-themed e-mail messages lure computer users into visiting Web sites that then install spyware or other malicious code. Graham Cluley, senior technology consultant for security firm Sophos, agreed that users bear much of the responsibility for spam's continued presence. "If no one responded to junk e-mail and didn't buy products sold in this way," he said, "then spam would be as extinct as the dinosaurs." http://news.bbc.co.uk/2/hi/technology/4375601.stm
From BBC News, March 22, 2005
Rise of zombie PCs 'threatens UK'
BBC News, March 22
- The UK leads the world in home computers that have been hijacked by malicious hackers, warns a report. Read the article.
From New York Times, March 13, 2005
Can a Virus Hitch a Ride in Your Car?
New York Times, By Tom Zeller Jr. And Norman Mayersohn
- What if viruses, worms or other forms of malware penetrated the computers that control ever more crucial functions in the car? Read the article.
From New York Times, March 12, 2005
What to Expect of 'Spamalot'? A Lot of Spam
New York Times, By David F. Gallagher
- A security glitch exposed the names and postal and e-mail addresses of more than 31,000 people who had signed up for newsletters for "Spamalot" and "Movin' Out." Read the article.
From Edupage, March 11, 2005
Schools Criticized Over Rejection Of Nosy Applicants
Chronicle of Higher Education, 11 March 2005
- A number of business-school applicants who were rejected due to their looking at university admissions records online without authorization have spoken out against the universities' decision to exclude them. Carnegie Mellon University, Harvard University, and MIT have rejected the applications of 153 individuals who used a hacker's instructions to try to find out if they had been accepted. Although some applicants involved acknowledged that accessing the records was wrong, they contended that the actions do not constitute hacking and that the institutions have overreacted. One rejected applicant wrote a letter to Harvard, admitting a "lapse in judgment" but noting that he "wasn't trying to harm anyone and wasn't trying to get an advantage over anyone." Len Metheny, CEO and president of ApplyYourself, the software that all the affected schools used for applications, said the procedure to access the records was sufficiently complicated that anyone doing so would have to have known it was unauthorized. (sub. req'd) http://chronicle.com/prm/daily/2005/03/2005031104n.htm
From ACM's Tech News, March 2, 2005
"'Perfect Storm' for New Privacy Laws?"
CNet (03/01/05); Lemos, Robert
- A spate of high-profile data security breaches has caught the attention of a number of U.S. senators who are advocating more unified privacy laws. Just 10 days following the announcement of ChoicePoint's loss of more than 145,000 individuals' information to fraud, Bank of America said it lost backup tapes containing customer records of 1.2 million federal employees. Sen. Ron Wyden (D-Ore.) five years ago warned colleagues against an "Exxon Valdez of privacy," and Electronic Privacy Information Center executive director Marc Rotenberg says recent events will likely be the trigger for serious congressional action. Sen. Bill Nelson (D-Fla.) is preparing to revise the Fair Credit Reporting Act to treat data aggregators such as ChoicePoint and Acxiom like credit-reporting agencies. Another possibility is a federal version of California's Security Breach Information Act, which Sen. Dianne Feinstein (D-Calif.) proposed in June 2003 without success. That measure would require government agencies and businesses to notify individuals whose personal data may have been compromised. Cato Institute analysts suggest the use of tort law to force companies to strengthen their data security, and one California woman is already suing ChoicePoint for not adequately protecting her information. Besides business interests, the Bush administration may not want too strong regulation on data aggregators because agencies such as the Department of Homeland Security and Department of Justice rely on those firms for identity-verification services.
Click Here to View Full Article
From Edupage, March 4, 2005
Harvard Rejects Applicants Who Peeked
Wall Street Journal, 8 March 2005
- Officials from the Harvard Business School said they will reject 119 applicants who used a hacker's instructions to try to find out whether they had been accepted by the school. Calling the action "unethical" and saying that it cannot be rationalized, a statement from Harvard said, "Any applicant found to have done so will not be admitted to this school." Administrators at Carnegie Mellon University have also said they will reject candidates who attempted to gain unauthorized access to admissions records. Applicants to several other institutions affected--including Stanford University, Duke University, and Dartmouth College--will have to wait to find out how those schools decide to treat the situation. Using the instructions posted online by a hacker, applicants were able for a short period to use a name and password to access the admissions records. Institutions have been able to identify applicants who accessed admission records based on the name and password. For many who looked, there was no decision in the system, and school officials stressed that even if an applicant located an answer, those decisions were not necessarily final. Some have criticized Harvard officials for responding too harshly to the incident. (sub. req'd) http://online.wsj.com/article/0,,SB111029921614173536,00.html
Hackers Compromise Publisher's Database
CNET, 9 March 2005
- Hackers compromised a database owned by publisher Reed Elsevier, gaining access to names, addresses, Social Security numbers, and driver's license numbers of about 32,000 individuals. Other information, including credit history and financial data, was reportedly not involved. The breach happened at Seisint, a data-collection company that the publisher bought last year. Seisint is a competitor to ChoicePoint, which recently reported an incident in which hackers accessed records on 145,000 individuals. According to officials at Reed Elsevier, the fraud came to light when a billing complaint from a customer showed unauthorized activity with a user name and password. Reed Elsevier is contacting the individuals affected and working with the FBI and the Secret Service to locate the hackers. http://news.com.com/2100-1029_3-5605736.html
From Edupage, March 4, 2005
Hacker Exposes Admissions Records
San Jose Mercury News, 3 March 2005
- A hacker who was able to access admissions records for dozens of business schools posted instructions online for how applicants could access those records. Among the universities whose records were exposed were Harvard University, Stanford University, Duke University, Carnegie Mellon University, and Dartmouth College. All of the affected schools use an online application and notification system called ApplyYourself.
The vulnerability that allowed the unauthorized access has been fixed, but during the nine hours in which the systems were exposed, several hundred students attempted to find out if they had been accepted to schools to which they applied. Final decisions and notifications of acceptance are not expected for several more weeks. School officials have been able to identify at least some of the applicants who gained access to the records systems, and officials from some schools said such activity would factor into the admission decision. Steve Nelson of Harvard's MBA program said, "Hacking into a system in this manner is unethical and also contrary to the behavior we expect of leaders we aspire to develop." Even if a student saw a decision, said Nelson, that decision isn't final until March 30. http://www.siliconvalley.com/mld/siliconvalley/11044063.htm
From ACM's Tech News, February 28, 2005
"Thwarting 'Evil Geniuses'"
Spokane Journal of Business (02/24/05); Read, Paul
- Blue Water Technologies CEO John Shovic teaches computer-science majors at Eastern Washington University about cyberthreats and their perpetrators so that they can shield themselves against such dangers. He teaches four courses: The first two detail computer network operations, the deployment of security measures, and the hacking of networks; the second two courses educate students in malware creation, hacking strategies, and defensive measures by having them practice information warfare in a controlled, network-isolated environment. "Before you can learn to defend, you have to learn how to attack," argues Shovic, noting that his students attempt to breach computers in a special facility and learn computer forensics techniques to analyze security exploits and trace hackers. One exercise involves student teams attempting to disable each other's systems while simultaneously defending their own systems. Shovic divides hackers into two varieties: "Script kiddies" who download software that automates the location and infection of victims, and "evil geniuses" who craft malware and inflict serious harm; he says his courses focus on both mentalities, while the advanced classes primarily concentrate on the second, more damaging kind of hacker. To shore up against cyberattacks, Shovic recommends that businesses install internal security policies, such as restrictions on employees downloading software without supervision; protect networks from the Internet with firewalls; run and constantly update antivirus software; regularly update operating systems with patches issued by the manufacturer; make a greater effort to bolster internal security; and encrypt all data routed along wireless networks. Shovic says graduates of his courses have an easy time finding employment, given the desirability of network security expertise and the current scarcity of training in that area.
Click Here to View Full Article
From Edupage, February 28, 2005
Bank Loses Sensitive Data
New York Times, 26 February 2005
- The Bank of America has lost backup tapes containing details of Visa cards that the bank issued to 1.2 million federal employees, who use the credit cards for travel expenses and other purchases related to government business. About 900,000 of those affected work in the Defense Department, according to Alexandra Trower, a spokesperson from the bank. Trower said that following a shipment of a number of such backup tapes, it was discovered that some were missing. The Secret Service was notified and is investigating the disappearance, but according to Trower, no evidence has surfaced that any of the lost information has been put to improper use or that the loss resulted from theft. The bank does not plan to change any of the affected credit card numbers, but it has notified those individuals whose information was included on the missing tapes. (registration req'd) http://www.nytimes.com/2005/02/26/national/26data.html
From ACM's Tech News, February 25, 2005
"Cybercorps Scholarships Fund New Generation of Security Gurus"
Software (02/05) Vol. 22, No. 1, P. 98; McLaughlin, Laurianne
- The goal of the National Science Foundation's Cybercorps scholarship program is twofold: To increase leading computer science students' knowledge of information assurance and security, and to encourage them to apply that knowledge to government work after they graduate. Professors think the scholarship students will enhance the safety of America's public and private digital infrastructure in the future. The program funds either an undergraduate's junior and senior years or a two-year graduate program, on the condition that recipients spend two years in the employ of a government agency following graduation. Participating universities can also receive capacity-building awards to help upgrade information assurance and security curricula and courses, as well as help the schools qualify as National Security Agency Centers for Academic Excellence. Cybercorps was motivated by a number of factors, including the need for more students with information assurance and security skills in government agencies. Cybercorps lead program director Diana Gant notes that nearly 90% of all Cybercorps graduates have earned a government job and been employed by government agencies, while Carnegie Mellon University Cybercorps program coordinator Don McGillen reports that students are electing to remain with government agencies even after their term of service ends. Placing Cybercorps graduates in government jobs can be a slow process because of the need for security clearances, although Gant says participating agencies are attempting to resolve this problem. The program's future targets include making government agencies more aware of the program, boosting the amount of real-world content that students use in classes, and addressing information security across multiple disciplines, including anthropology, engineering, political science, and sociology.
Click Here to View Full Article
From Edupage, February 16, 2005
Companies Point To Education For Poor Security Training
CNET, 16 February 2005
- In a panel discussion at the Secure Software Forum in San Francisco, a number of major software makers pointed to inadequate security training at colleges and universities as a main reason software continues to be plagued with security flaws. Mary Ann Davidson, chief security officer at Oracle, said, "Unfortunately, if you are a vendor, you have to train your developers until the universities start doing it." Although other problems were identified, including a lack of sophisticated, automated tools to identify flaws, representatives of other software companies included in the panel agreed that at least some of the blame falls on colleges and universities for not providing graduates with sufficient understanding of security issues. Fred Rica, a partner in PricewaterhouseCoopers' Threat and Vulnerability Assessment Services, disagreed, saying that "Functionality still trumps security." When companies must decide how to allocate development money, he said, they choose new features over security for existing applications. A study by Gartner noted that although companies cite lack of skills among developers as a significant problem, those same companies put relatively little funding into training programs. http://news.com.com/2100-1002_3-5579014.html
From ACM's Tech News, February 14, 2005
"How to Stop Junk E-Mail: Charge for the Stamp"
New York Times (02/13/05) P. BU5; Stross, Randall
- Author and historian Randall Stross suggests that rethinking the email system along the lines of the postal service, in which the sender pays for sending messages, can plug up the flood of spam. He describes the Can-Spam bill as "worse than useless," noting that prominent experts such as John Marshall Law School professor David Sorkin say the measure has effectively legalized unsolicited commercial email. Can-Spam places the burden of authorizing or not authorizing direct marketers to send junk email on the recipients through its "opt out" system. Stross writes that the recently created Messaging Anti-Abuse Working Group, whose members include ISPs such as Yahoo!, AOL, and EarthLink, is a promising venture, in that members are sharing anti-spam methods and courting other ISPs to adopt protective measures by screening both incoming and outgoing emails. Stross also notes that ISPs have begun to attach digital signatures of their customers' domain names to outgoing mail, preventing forgery or alteration via open-source DomainKeys encryption software. However, he doubts that authentication technologies or legislation will solve the spam problem, and calls for a scheme to make spammers pay for sending email that forces legitimate companies to concentrate on the best business prospects and makes spamming unprofitable for the more flagrant abusers. One such scheme is an email "stamp" proposed by computer scientists Cynthia Dwork and Moni Naor, in which the sender is charged a levy of time for each message he sends by forcing his computer to solve a complex computational puzzle. The Penny Black Project system would be used on a voluntary basis, and would not be needed when the sender fires off email to friends and relatives. Another anti-spam strategy backed by AOL's Carl Hutzler is "Port 25 blocking," which would prevent individual PCs from acting as mail servers; all outgoing mail would be forced to go through an ISP, where spam mail could be easily identified and blocked.
Click Here to View Full Article
"Terror's Server"
Technology Review (02/05) Vol. 108, No. 2, P. 46; Talbot, David
- Terrorists have a diverse array of online tools and techniques at their disposal with which to fund their causes, spread their messages, swell their ranks, orchestrate malicious acts, and generate fear. Examples include the ghoulish posting of murder imagery; terrorist Web sites, which University of Haifa professor Gabriel Weimann says have exploded in recent years; and coded communications via email or chat rooms. Filters that block offensive Web content are available but imperfect, while Internet content regulation faces both legal challenges such as First Amendment rights and technical challenges such as filtering tools' tendency to sometimes shut out needed content. Still, the public and private sectors are aggressively developing and deploying new technologies for detecting and monitoring terrorist activity so that more effective anti-terrorism strategies can be formulated and implemented. A Rensselaer Polytechnic Institute research group is working on an algorithm that targets online social networks that could be used to plan terrorist activities. Industry efforts to combat spam and other forms of cybercrime also have anti-terrorist applications, as terrorists often use such scams to get funding; defensive measures in this vein include new email authentication schemes and moves by major ISPs to more conscientiously enforce their terms of service, which include provisions to remove objectionable content upon request. However, SRI International computer scientist Peter Neumann reports that these various efforts come up short because the cultural impetus to create trustworthy systems is lacking. Experts also think a cyberterrorism incident or the emergence of concrete connections between online fraud and terrorist attacks could provoke an overreaction in which government and industry transform Web content into a rigidly controlled and monitored resource.
Click Here to View Full Article
From ACM's Tech News, February 11, 2005
"Virtual Jihad"
Newsweek (02/09/05); Isikoff, Michael; Hosenball, Mark; Horesh, Andrew
- Radical Islamic Web sites are urging readers to launch a cyber-jihad against their enemies; this calls attention to the potential for cyberterrorism, which national-security experts have identified as a major threat that could damage the United States far more seriously than the general public believes. Experts warn that critical, digitally-controlled U.S. infrastructure such as broadcasting networks, public utilities, and transportation systems are ripe for cyberattack--as is the FBI, which admitted as much after intruders broke into one of the bureau's commercial servers last week. One of the more notorious examples of well-coordinated cyberattacks was highlighted at a recent conference for federal computer-security experts hosted by the Defense Department's Computer Crime Center. The attack took place in the fall of 2000 when the capture of three Israeli soldiers by Lebanese Shiite fighters prompted angry hackers to deface the Shiite Hizbulla movement's Web site, which in turn triggered a cascade of Israeli-Palestinian cyber-warfare that eventually extended to U.S.-based targets. Israeli officials believe the online conflict was directly responsible for economic and governmental disruptions. The incident shows that nation-states, not just private citizens, are capable of cyberterrorism, according to Kenneth Geer with the Navy Criminal Investigation Service. Cybersecurity experts also point to a case in Australia in which a disgruntled former public utility contractor released raw sewage into public areas by breaking into the computer system that controlled a local sewer network, thus illustrating the potential damage that could be caused by crafty or well-informed hackers. SITE Institute director Rita Katz notes that almost all extremist Islamic Web sites calling for a holy war have how-to sections on cyberterrorism.
Click Here to View Full Article
From ACM's Tech News, February 9, 2005
"Project Honeypot Aims to Trap Spammers"
New Scientist (02/05/05) Vol. 185, No. 2485, P. 26; Biever, Celeste
- The tide of spam can only be countered by a partnership between technology and legislation, stresses John Praed of the Internet Law Group. This was established by the trackdown, prosecution, and conviction of spammer Jeremy Jaynes, who may face nine years of incarceration for his activities, which netted him about $750,000 per month. Paul Graham, organizer of MIT's annual Spam Conference, says evidence uncovered at Jaynes' office suggests that spammers think spam filters are easier to thwart than they actually are. Filters, which scan messages for words typical of junk email, can sometimes be fooled by large amounts of random text spammers insert within their messages; or spammers can hijack computers with viruses and use them as spam launching pads. One tool Webmasters can use to build evidence against spammers is Chicago lawyer Matthew Prince's Project Honeypot software, which exploits a provision in the federal CAN-SPAM Act that criminalizes the harvesting of email addresses for spamming. The software can transform a Web site into bait for such harvesters: When "crawler" software visits the site, the software produces a bogus email address that the crawler captures, and records the time, date, and crawler address; this ensures that any mail sent to the fake address originates from the spammer. Prince admits that spammers will likely come up with anti-honeypot countermeasures, but says he has countermeasures of his own to deal with this scenario. Still, Graham notes that though Jaynes' conviction was cause for rejoicing at the Spam Conference, the battle against spammers is far from over.
Click Here to View Full Article
From ACM's Tech News, February 2, 2005
"Law Barring Junk E-Mail Allows a Flood Instead"
New York Times (02/01/05) P. A1; Zeller Jr., Tom
- Instead of curbing the growth of unsolicited junk email, the year-old federal Can Spam Act has helped it along: Estimates reckon that spam currently accounts for about 80 percent of all email sent, compared to between 50 percent and 60 percent before the law was enacted. Antispam proponents such as Spamhaus Project founder Steve Linford contend that the law has legalized spamming by essentially granting bulk advertisers permission to send junk email as long as they adhere to certain regulations. Critics argue that Can Spam's biggest loophole is the requirement that recipients must opt out of being retained on an emailer's list, and violators simply use opt-out messages to confirm the validity of email addresses and the likelihood that people are using them. Institute for Spam and Internet Public Policy CEO Anne Mitchell says it is ridiculous to think that law enforcement agencies could halt spam's growth instantly, and notes that filters' general success probably contributed to the increase by forcing spammers to send out more junk email in order to maintain the dollar rate of return. Sen. Conrad Burns (R-Mont.) says judging Can Spam's effectiveness now is premature, noting in an email that the Federal Trade Commission may simply need a little prodding to enforce the law. Microsoft Internet safety enforcement lawyer Aaron Kornblum sees value in pursuing lawsuits against spam enablers under Can Spam, explaining that "Our objective with sustained enforcement activity is to change the economics of spamming, making it a cost-prohibitive business model rather than a profitable one." Unfortunately, analysts foresee the spam problem worsening as spammers take advantage of malware to turn PCs into "zombie" spam distributors and steal working email addresses from ISPs, while spam-friendly merchants subscribe to "bulletproof" Web host services to keep their Web sites offshore and out of U.S. jurisdiction.
Click Here to View Full Article
From New York Times, October 25, 2004
New I.B.M. Report Will Warn of Computer Security Threats
New York Times, October 25, 2004, by John Markoff
- I.B.M. plans to begin releasing a monthly report of threats to computer networks in an effort to establish an indicator similar to the federal government’s Homeland Security Advisory System.
Read the article
From Is Your Job Going Offshore?, October 24, 2004
Outsourcing booms, although quietly
THE WALL STREET JOURNAL, By Jesse Drucker and Jay Solomon
Read the article
From New York Times, October 24, 2004
Identities Stolen in Seconds
by Timothy L. O'Brien
- Identity theft, thanks mainly to the growth of the Internet, is epidemic. Can it be stopped?
Read the article
From ACM's TechNews, October 20, 2004
"Tech Firms, Lawmakers Target Spam, E-Mail Fraud"
Baltimore Sun (10/18/04) P. 1A; Bishop, Tricia
- Spam and email fraud have entered the crosshairs of legislators and technology companies, making Bill Gates' prediction that spam would be eliminated by 2006 seem less unlikely now. "I think you'll see some real changes within three years," declares Pew Internet and American Life Project researcher Deborah Fallows. The general consensus among experts is that spam now accounts for 70 percent to 80 percent of all email, compared to approximately 10 percent three years ago. Meanwhile, the Anti-Phishing Working Group reports that phishing--the practice of scamming consumers into revealing personal financial data by using bogus Web sites and logos that resemble familiar financial services firms--has increased by a factor of 17 since December 2003 to almost 2,000 distinct scams. "One very big fear about spam is it will turn off people from electronic commerce and using email in general," notes John Palfrey of Harvard Law School's Berkman Center for Internet and Society. One of the more significant anti-spam developments was this month's passage of a Maryland law that carries a maximum fine of $25,000 and a 10-year prison sentence for violators, although some experts say such measures lack teeth in the absence of an effective method for verifying email senders. However, a trio of email authentication techniques is currently being tested by Internet service providers: One method focuses on verifying the authenticity of the address posted on the email's "envelope;" another aims to confirm the legitimacy of the address listed in the "from" line of an email; and the third employs a digital signature for message authentication. The Federal Trade Commission has stated that it will intercede and prescribe an email authentication standard if the industry cannot.
Click Here to View Full Article
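The first of the three authentication techniques above, checking the address on the email "envelope," is worth seeing in code. The following is an added example written for this page, not code from the Baltimore Sun article or from any vendor. It assumes the envelope check works the SPF way: the sending domain publishes in DNS the IP addresses allowed to use it in the SMTP MAIL FROM, and the receiving server looks that record up and tests the connecting IP against it. The DNS zone, the domains and the client addresses are all constructed so that the example runs offline.

```python
"""Added example: a minimal SPF-style evaluator for the SMTP envelope sender.

Illustrative code for this page, not the article's or any vendor's. DNS TXT
lookups are replaced by a constructed in-memory zone (hypothetical domains).
"""
import ipaddress

# Constructed stand-in for DNS TXT records (hypothetical domains and addresses).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,  # domain publishes no record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return ZONE.get(domain)


def check_envelope_sender(client_ip, mail_from_domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a connecting
    client_ip that claims mail_from_domain in the SMTP envelope."""
    if depth > 10:                      # loop guard for include: chains
        return "permerror"
    record = lookup_txt(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published: cannot verify
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":               # catch-all decides when nothing matched
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # 'in' on a network of the other address family is simply False
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: only matches when the referenced record itself passes
            if check_envelope_sender(client_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a/mx/ptr/exists mechanisms are omitted here; a full implementation
        # resolves them and returns permerror on syntax errors
    return "neutral"                    # record exhausted without an 'all' term
```

A receiver that gets "fail" can reject the message at the SMTP stage; "softfail" and "neutral" are meant to feed a spam score rather than trigger rejection, and "none" shows why the technique only bites once senders actually publish records.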
From ACM's TechNews, October 13, 2004
"The Quest for Secure Code"
Globe and Mail (CAN) (10/12/04); Kirwan, Mary
- Poor software quality is responsible for every one of the SANS Institute's top 20 Internet security vulnerabilities, yet universities still fail to teach proper coding techniques and government remains cowed by industry lobbying efforts. SANS Institute research director Alan Paller says evaluation and certification programs are needed to ensure that programmers have the proper training, and he notes that even universities designated by the government as "Centers of Excellence in Cybersecurity" do not require security courses for their IT graduates. Carnegie Mellon University computer science department head Jeannette Wing says that even if students are taught more security, practical realities at the workplace will mean feature-focused code produced quickly, if that is what those students' employers demand. Meanwhile, millions of business customers are prevented by restrictive licenses from fixing the software they have purchased. Microsoft emphasizes security during its interview process for prospective employees and evaluates workers on their ability to deliver quality code, but the company has a huge legacy infrastructure and backward compatibility issues, says Wing. The government has made many attempts to intervene and make vendors liable for their products, but these have been met with hundreds of millions of dollars in lobbying, notes Paller. Even attempts to make vendors liable with caps on potential damages have not worked, as IT industry lawyers are reluctant to admit that secure code is possible. Rep. Adam Putnam (R-Fla.), chair of the House subcommittee on cybersecurity policy, is expected to make a new push for legislation soon, and the Federal Information Security Management Act is also expected to drive change as vendors cater to the $40 billion federal IT market.
Click Here to View Full Article
"A Matter of Trust: Privacy and Security in the Information Age"
IST Results (10/08/04)
- A number of FP6 IST projects seek to improve privacy and identity management (PIM) in the hopes of enabling Europeans to interact in cyberspace safely and securely while allowing them to manage their personal data, a critical ability if citizens are to adopt new online services. Notable initiatives include Privacy and Identity Management for Europe (PRIME), the Future of Identity in the Information Society (FIDIS), Government User IDentity for Europe (GUIDE), and Roadmap for Advanced Research in Privacy and Identity Management (RAPID). The RAPID project, which was completed in June 2003, influenced the FP6 research agenda by recognizing two categories: A technical category concerning multiple and dependable identity management, infrastructure, and enterprise, and a nontechnical category that dealt with socioeconomic and legal issues. PRIME involves a 20-member international consortium that aims to improve the usability and functionality of privacy-enhancing technologies (PETs) through the application of "privacy by design" and "data minimization" principles: The former focuses on building PETs into information systems using basic technologies such as human-computer interfaces, ontologies, authorization, and cryptology, while the latter stresses permitting the collection of personal data on an as-needed basis. Both the FIDIS and GUIDE projects emphasize the need for an integrated, coordinated, Europe-wide identity research effort to achieve their respective goals. FIDIS members will collaboratively investigate interoperability of IDs and ID management systems, forensic applications, mobility issues, profiling, the "identity of identity," and de-identification and the high-tech ID. GUIDE's objective is to construct an open architecture for secure, compatible e-government electronic ID services and transactions for Europe.
Click Here to View Full Article
From EduPage, October 11, 2004
Antispam Conference Calls For International Cooperation
BBC, 11 October 2004
- Attendees of the International Spam Enforcement Workshop this week heard officials from the United States and the United Kingdom make the case that a key element to addressing the problem of spam is increased international cooperation. Data suggest that 60 percent of all e-mail is spam and that 80 percent of spam originates in a different country from where it is delivered. More than 20 nations were represented at the workshop, organized by the U.S. Federal Trade Commission (FTC) and the U.K.'s Office of Fair Trading (OFT). Deborah Majoras, chairwoman of the FTC, said that the biggest challenge to stopping spam is locating its source, which requires governments to share information on suspected spammers. Richard Thomas, the U.K.'s Information Commissioner, called for expanding powers of enforcement to shut down spammers. He said governments should pass laws requiring Internet service providers (ISPs) to disclose information about spam sent on their systems, something ISPs currently are not forced to do.
http://news.bbc.co.uk/2/hi/technology/3733864.stm
From ACM's TechNews, October 8, 2004
"Mission: Critical"
Information Security (09/04) Vol. 7, No. 9, P. 26; Barlas, Stephen; Earls, Alan; Fitzgerald, Michael
- An Information Security survey of professionals in the financial, energy, transportation, telecom, and government sectors highlights the vulnerability of the U.S. critical infrastructure to online attack: Fifty-one percent of financial services professionals say their industry is not prepared for cyberattacks, a sentiment echoed by 57 percent of energy industry respondents, 65 percent of transportation industry respondents, 60 percent of telecom workers, and 62 percent of federal IT/security personnel. Still, most respondents agree that their sector is better prepared for cyberattacks than it was before Sept. 11, 2001. The cyberterrorist threat has spurred workforce, infrastructure, and data redistribution, as well as the erection of flexible backup centers and lines of communication, among financial institutions; sector-wide collaboration to understand and protect against individual and collective threats is being facilitated by data exchange channels such as the Financial Services Information Sharing and Analysis Center. The energy sector's cyber-vulnerability is growing as the supervisory control and data acquisition (SCADA) systems that direct the majority of energy automation are linked to the Internet; the industry's response has been to build security standards and information sharing, while the departments of Homeland Security (DHS) and Energy are studying and lowering risks through a National SCADA Testbed. Each sub-sector of the transportation industry is exploring and implementing cybersecurity strategies, with air transportation being scrutinized the most because of privacy issues related to the personal data airlines are collecting. Telecom experts are more fearful of the damage potential of a multi-pronged assault than of a single attack, but few think such a siege would cripple the United States. Especially frustrating are the poor marks the DHS has been receiving from security experts, although the government security improvement budget will increase while administrative bodies such as the DHS' National Cybersecurity Division continue to disseminate security information to both federal and private entities, stage incident response exercises, and build more secure government networks.
Click Here to View Full Article
From ACM's TechNews, October 6, 2004
"Hacking 101: It's For Your Own Good"
Charlotte Observer (10/05/04); Choe, Stan
- UNC Charlotte (UNCC) professors such as Bill Chu believe the best way to cultivate network security professionals is to "expose our students to dark side techniques so they gain insight on how bad guys can penetrate systems and how to effectively protect them." Chu teaches Vulnerability Assessment and System Assurance, an ethical hacking course that assigns homework assignments such as breaking into a computer network or spreading malware. Students enrolled in the course are required to sign a legal agreement in which they promise not to employ the techniques or information they learn for malevolent purposes. Russell Shackelford, who heads ACM's education board, notes that teaching students responsible, ethical behavior has been a difficult task for computer science and IT programs, and the usual strategy has been to teach a separate course on ethics that often bores students. More and more "white hat" hackers are being hired by businesses to attempt to crack corporate network security so that vulnerabilities can be spotted and remedied before malicious hackers can exploit them. At a recent UNCC lecture, a visiting professional white hat hacker told students that courses such as Chu's merely provide the tools to learn hacking skills, which cannot be cultivated without a student's drive. "It goes to fundamental human curiosity," he remarked. Ethical hacking students often find work in companies' IT staffs.
Click Here to View Full Article
"Cyber Center Targets Internet Plagues"
NewsFactor Network (10/05/04); Martin, Mike
- Much like the Centers for Disease Control study how to prevent and contain human sicknesses, the National Science Foundation (NSF) is funding a new Center for Internet Epidemiology and Defenses (CIED) that will study computer viruses and worms. The Internet's openness and efficiency may have led to its phenomenal success, but those qualities also pose the biggest challenge to the Internet as well, says CIED project director and University of California computer science professor Stefan Savage. "Infection is spread via contact, and the Internet allows a host infected in one place to rapidly contact any other system on the planet," he explains. Outbreaks occur so fast that only fully automated defenses will be able to control them, which is why CIED is focusing on classes of computer infections, not just single versions of computer code. University of California at Berkeley International Computer Science Institute senior researcher Vern Paxson says creating defenses against a known infection is easy, but understanding entire classes of pathogens requires deep insight into the behavior of those infections and how it differs from normal network activity. CIED will use technology such as "network telescopes" and "network honeyfarms" to monitor and measure ongoing Internet infections in real time in order to gather evidence. Eventually, the researchers expect to produce algorithms that can automatically create virus and worm signatures to inoculate systems. CIED is part of the NSF's $30 million Cyber Trust program that aims to not only deal with current problems, but create more secure and resilient infrastructure for the future, notes NSF Cyber Trust program director Carl Landwehr.
Click Here to View Full Article
"The Search for Computer Security"
Harvard University Gazette (09/30/04); Powell, Alvin
- Greg Morrisett, a professor at Harvard University's Division of Engineering and Applied Sciences (DEAS), believes the burden of trusting an incoming program to be free of bugs or malware should be transferred from the computer user to the program itself. "What we're aiming for is a day when you don't have to 'trust' a code, where you can state your guidelines [for acceptable code] and the builder would have to give you a [mathematical] proof that you can check," he explains. Morrisett, a programming language pioneer who has developed tools that identify exploitable flaws in computer programs, is authoring software tools designed to help programmers write less buggy code. He estimates that one bug exists for every 100 to 1,000 lines of code, and the growing complexity of computer programs makes manual checking for bugs impractical without computerized assistance. Morrisett's tools scan code for consistency in a process that the DEAS professor likens to checking that speed calculation formulas use the same units. Morrisett acknowledges that the programs he designs for tracking down and eliminating software bugs can just as easily be used for exploitation by hackers. He predicts that "The next round of questions [pertaining to computer security] will be ethical, legal, and social," and he hopes to use his position at Harvard to help address these questions. He says, "We have to understand that technology gets you to a certain place, and the remaining questions are harder."
Click Here to View Full Article
From EduPage, October 4, 2004
Survey Shows U.S. Computer Users Unaware Of Security Risks
BBC, 3 October 2004
- A survey commissioned by the National Cyber Security Alliance (NCSA) shows significant gaps of understanding among U.S. computer users about the actual threat posed by computer security problems. According to the survey, 30 percent of Americans believe they are more likely to be hit by lightning, to be audited by the IRS, or to win the lottery than be the victim of a computer security problem; among users under the age of 25, the rate of those who believe this rises to 40 percent. In truth, cybersecurity threats, including viruses, phishing scams, and hacking, affect about 70 percent of computer users, while the odds of being hit by lightning are 0.0000102 percent, according to the U.S. National Weather Service. The survey also found that 90 percent of computer users remember Janet Jackson's "wardrobe malfunction" during the Super Bowl, but only 60 percent remember when the security software on their PCs was last updated. Ken Watson, chairman of the NCSA, said that 91 percent of PCs are infected with some variant of spyware. The NCSA has declared October to be National Cyber Security Awareness month in the United States and is sponsoring educational efforts to teach users about the real risks of ignoring cybersecurity.
http://news.bbc.co.uk/2/hi/technology/3708260.stm
From ACM's TechNews, October 4, 2004
"E-Cyclers Embrace Data Destruction"
eWeek (10/01/04); Hachman, Marc
- Computer recyclers are taking measures to verifiably destroy data as well as hardware in order to comply with federal regulations such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, which prohibit the public exposure of confidential data by financial and health care institutions; meanwhile, fears of civil suits are driving more traditional companies to pursue the same goal. Debate has sprung up over the best techniques to destroy data, which range from Department of Defense-compliant overwriting software to the physical shredding of disk platters. Software vendors say that overwriting a hard disk once either with other files or random bits of data is inadequate, as some or all of the information in a file can be revealed by latent magnetism. The DOD's 5220.22-M specification advises overwriting each disk sector several times with nonrandom and pseudorandom data. However, shredding is recommended for both nonfunctional drives and drives with more than 10 defects. A Sept. 30 teleconference between members of the National Association for Information Destruction (NAID) failed to resolve differences between supporters of software wiping and supporters of shredding, but attempts will be made to reach an accord before the NAID board's final recommendation on Nov. 29. Small-scale nonprofit recycling organizations are also joining the data destruction bandwagon, and a lack of certification procedures for compliance with the DOD's 5220.22-M spec is benefiting these firms by boosting competition in the data-destruction product market. Data destruction certification has been adopted by many recyclers as a saleable service, and there is little oversight in the negotiation of contracts and certifications between recyclers and clients.
Click Here to View Full Article
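The overwrite-versus-shred debate above turns on whether a wipe can be verified. The following is an added example written for this page, not code from the eWeek article, from NAID or from any wiping product. It runs a multi-pass overwrite against an in-memory buffer standing in for a drive, reading each sector back after every pass, and applies the article's rule that a drive with more than 10 defects goes to the shredder. The pass sequence (a fixed byte, its complement, then pseudorandom data) is the three-pass scheme commonly attributed to DoD 5220.22-M and is an assumption here; the article only says "several times with nonrandom and pseudorandom data." The simulated disk, its contents and its bad sectors are constructed.

```python
"""Added example: multi-pass overwrite with read-back verification and a
shred/wipe decision. Illustrative code for this page, not the article's or a
vendor's; the "disk" is an in-memory buffer (constructed)."""
import io
import os

SECTOR = 512  # bytes per simulated sector


class SimulatedDisk:
    """In-memory block device. Sectors listed in bad_sectors silently drop
    writes, standing in for defective sectors that software cannot
    overwrite (constructed for the example)."""

    def __init__(self, size_sectors, bad_sectors=()):
        self.size_sectors = size_sectors
        self.bad = set(bad_sectors)
        # pre-fill with recognisable "confidential" content
        self.buf = io.BytesIO(b"SECRET!!" * (size_sectors * SECTOR // 8))

    def write_sector(self, n, data):
        if len(data) != SECTOR:
            raise ValueError("sector-sized writes only")
        if n in self.bad:
            return                      # defective sector: write is lost
        self.buf.seek(n * SECTOR)
        self.buf.write(data)

    def read_sector(self, n):
        self.buf.seek(n * SECTOR)
        return self.buf.read(SECTOR)


def wipe(disk, passes=(b"\x00", b"\xff", None)):
    """Overwrite every sector once per pass and verify each write.

    A pattern of None means fresh pseudorandom bytes for every sector.
    Returns the set of sectors that failed read-back verification in any
    pass; anything in that set still holds old data."""
    failed = set()
    for pattern in passes:
        for n in range(disk.size_sectors):
            data = os.urandom(SECTOR) if pattern is None else pattern * SECTOR
            disk.write_sector(n, data)
            if disk.read_sector(n) != data:   # verification pass
                failed.add(n)
    return failed


def recommend(disk, defect_threshold=10):
    """Apply the article's rule: more than defect_threshold unwritable
    sectors means the drive goes to physical shredding."""
    failed = wipe(disk)
    if len(failed) > defect_threshold:
        return "shred", failed
    return "wiped", failed
```

The read-back check is the whole point of the exercise: a wipe that cannot show every sector returned the pattern it was given is not a verifiable destruction. Note the limit of the simulation: it only covers sectors the host can address, and a real drive's spare or remapped sectors (and an SSD's wear-levelled blocks) are not reachable this way, which is one reason the shredding camp exists.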
"App Developers Need to Redouble Security Efforts"
eWeek (09/30/04); Schindler, Esther
- The recent Gartner Application Development Summit included new statistics underscoring the need for development and quality assurance teams to increase their security efforts. Gartner research director Theresa Lanowitz says the problems of IT network and physical security have been solved for the most part, which means that the application layer is the most vulnerable. Companies must take responsibility for security issues during development, or have a higher risk of a catastrophic event. According to Gartner, if 50 percent of software vulnerabilities were dealt with before production use, enterprise configuration management costs and incident response costs would each be reduced by 75 percent. Lanowitz says someone in the organization must be responsible for security issues, such as an "application security architect." This person's primary focus is the risk that a company faces, and articulating that risk to staff and management. Lanowitz says government agencies and financial institutions have been leading the way in creating application security architects that work on the same level as application architects and ensure that security testing is added to the quality assurance framework. Gartner predicts that 80 percent of development teams will incorporate application security architects by 2006. Lanowitz also expects to see a wave of development tools integrating security functions by 2007, although the market for now is in its infancy.
Click Here to View Full Article
From EduPage, September 29, 2004
California Gets Tough On Spyware
Reuters, 28 September 2004
- Arnold Schwarzenegger, governor of California, this week signed an antispyware bill that criminalizes placing software on another user's computer without authorization. The bill bans surreptitious software that monitors users' surfing habits or tracks keystrokes, among other types of spyware. Under the legislation, computer users can sue those responsible for spyware for actual damages from the applications. Several other states and the federal government are currently working on similar measures to try to limit unauthorized software. Critics of the law say it lacks adequate enforcement provisions. Spyware expert Ben Edelman called the bill "a piece of junk," saying it is "the most superfluous of all legislation."
http://www.reuters.com/newsArticle.jhtml?storyID=6359582
From EduPage, September 24, 2004
Concern Grows Over JPEG Flaw
BBC, 24 September 2004
- Some security experts are warning users that a recently announced flaw in the way some Microsoft applications handle JPEG images could lead to the next large-scale virus infection. David Perry of anti-virus firm Trend Micro noted that the combination of several factors has his firm especially worried about the JPEG flaw. Those factors, Perry said, include the number of applications that are affected by the flaw--more than a dozen--and the fact that there has not been a significant virus attack for some time, which may have the effect of lowering users' attention to preventive measures. When the flaw was announced, no code had yet appeared that exploited it. Within the past week, however, such code has been written and has appeared on a private mailing list and a public Web site. Perry characterized the current situation as "the virus equivalent of a harmonic convergence." Others were not as worried about the threat posed by the flaw. Graham Cluley of anti-virus firm Sophos noted that so far no malicious code is being delivered using the flaw. "It is purely being done as a 'proof of concept,'" said Cluley.
http://news.bbc.co.uk/2/hi/technology/3684552.stm
From ACM's TechNews, September 22, 2004
"Reports on Spam Levels Paint Differing Views of the Problem"
Wall Street Journal (ONLINE) (09/21/04); Bialik, Carl; Creighton, Deborah S.
- Accurately measuring the extent of the spam problem and the effectiveness of strategies to combat it is complicated by inconsistent statistical reports on the volume of junk email, and the fact that the most oft-cited reports are furnished by antispam software vendors. An August estimate by MessageLabs determined that spam constituted 84 percent of all email, while a report from Brightmail indicated 66 percent. Meanwhile, FrontBridge Technologies and Brightmail claim that the spam problem continues to expand, while AOL contends that spam growth has been level for the past 12 months. The antispam companies supplying these reports usually cull their data from email they scan for corporate clients, which may not represent a cross-section of Internet users, though both vendors and certain analysts believe spam-fighting products' mainstream penetration is reducing this sampling partiality. Still, the inconsistency between spam level reports has been a frustrating factor for legislators: For example, spam level estimates accumulated by the Organization for Economic Cooperation and Development (OECD) varied so wildly as to discourage the organization's attempt to evaluate the spread of spam and the performance of countermeasures. "There's not much out there except what's coming from private companies, where the methodology differs and we don't know how it differs," remarks Dimitri Ypsilanti with the OECD. Muddling matters are divergent definitions of spam among antispam companies and nations, while some spam filters operate by amassing reports from users, whose characterization of spam is not always objective. Furthermore, the reported numbers are mean averages that can be distorted by major spam attacks against a few companies.
Click Here to View Full Article
From SANS' News Bites, September 22, 2004
FTC Considers Offering Bounties for Spammer Convictions
17 September 2004
- The US Federal Trade Commission would like to be able to prosecute more spammers, but given the lack of admissibility of much of the evidence they use in identifying spammers, this has proven problematic. What they need is hard, admissible evidence, probably provided by an insider. Such evidence would likely be provided only if there were a bounty program, much like Microsoft's $250,000 bounty for the successful prosecution and conviction of malware authors.
http://www.silicon.com/research/specialreports/thespamreport/print.htm?TYPE=story&AT=39124098-39025001t-40000011c
Phishers Target Gmail Accounts
15 September 2004
- Some phishers are now trying to steal Gmail accounts. The phishing email informs Gmail users that they can invite friends to sign up for a Gmail account if they fill out a form that includes their Gmail address and password. Gmail accounts are in demand because of their limited availability. Google does send out free invitations for users to send to friends, but all the users need to do is click on a button, rather than providing their personal account information.
http://news.com.com/2102-1032_3-5367986.html?tag=st.util.print
From ACM's TechNews, September 20, 2004
"'Dirty Dozen' Tips From Former Cybersecurity Czar"
Computerworld New Zealand (09/14/04); Watson, David
- Richard A. Clarke, the former cybersecurity advisor to President Bush, claims hackers and phishers are keeping e-commerce and e-government from reaching their full potential. Clarke says security worries are the primary factor thwarting the widespread take-up of Internet banking and other transactions that can be done more cheaply and efficiently online. Clarke lists a dozen trends that will influence IT security in the future, including encryption of archived data and automated security audits of IT assets with asset management software. The "dirty dozen" also includes more thorough testing of software code for mistakes such as buffer overflows, and protecting the client side as well as the back end. One of the most crucial trends will be to control the "road warriors," travelers and visitors who remotely connect their laptops to corporate networks and introduce worms and viruses; Clarke says products that scan and check laptops for security risks before they connect will become more widely used. Another important trend is the outsourcing of fundamental security functions such as firewalls and intrusion detection to groups such as ISPs. Greater attention to insider threats, such as former workers who retain access to systems and information at their former workplace, will lead to corporate networks being increasingly segmented so that workers can reach only the systems relevant to their position. Clarke says, "People are trying to take back cyberspace from the phishers, identity thieves and hackers and we can all be part of the effort to take it back."
Click Here to View Full Article
From New York Times, September 19, 2004
Users Find Too Many Phish in the Internet Sea
By David F. Gallagher
- A recent flood of fake Citibank e-mail messages demonstrates the growing arsenal of tricks used by online "phishers."
Read the article.
Attacks on Windows PC's Grew in First Half of 2004
By John Markoff
- A survey of Internet vulnerabilities shows a sharp jump in attacks on Windows-based personal computers and a marked increase in commercially motivated threats.
Read the article.
From New York Times, September 19, 2004
Barbarians at the Digital Gate
By Timothy L. O'Brien and Saul Hansell
- How spyware, a program that creeps onto a computer’s hard drive unannounced, is wrecking the Internet.
Read the article
From ACM's TechNews, September 17, 2004
"DHS Moves Ahead With Cybersecurity R&D Efforts"
Computerworld (09/15/04); Verton, Dan
- The Department of Homeland Security (DHS) is engaged in several pilot cybersecurity efforts designed to address the scarcity of real-world incident data, such as the Protected Repository for Defense of Infrastructure Against Cyber Threats (Protect) program. The goal of Protect is to convince major private-sector infrastructure companies to voluntarily provide real-world attack data that can be used to test prototype cybersecurity measures, says Douglas Maughan with the Homeland Security Advanced Research Projects Agency. He says the program would be dependent on a trustworthy access repository process featuring a government-backed data repository hosted by a third party, with written contracts with data suppliers; researchers can apply to participate in Protect, while data owners would be permitted to block access for specific researchers. Meanwhile, DHS' Cyber Defense Technology Experimental Research test bed aims to contribute to the creation of next-generation critical infrastructure security technologies by building a homogeneous emulation cluster residing at the University of Utah's Emulab facility. The initiative, which lets researchers concentrate on security hole prevention and detection as well as assess operational systems' security and dependability, has so far received $14 million in funding. Sept. 20 marks the first meeting of the DHS' Border Gateway Protocol steering committee, which is readying R&D pilots to build safe protocols for the routing framework that links ISPs and subscriber networks, which is highly susceptible to human error and router-directed assaults. Another DHS-organized steering committee will analyze and develop cybersecurity pilots for the Domain Name System that will study such dangers and vulnerabilities as denial-of-service attacks and unsanctioned root servers and top-level domains.
Click Here to View Full Article
"Dozens of Experts Take on Cyberterror"
Seattle Post-Intelligencer (09/13/04); Shukovsky, Paul
- Government and business leaders from across the Pacific Northwest conducted a cyberterror simulation last week to assess the vulnerability of computer-controlled critical infrastructure. The public-private partnership attracted more than 100 experts from several states, the Department of Homeland Security, the military branches, Microsoft, Boeing, the FBI, a number of U.S. and Canadian utilities, the Bonneville Power Administration (BPA), and the Los Alamos, Sandia, and Argonne national laboratories. In opening remarks, Maj. Gen. Timothy Lowenberg, adjutant general of the Washington National Guard, described cybertechnology as a great strength for the nation, but also as an area of tremendous weakness. The exercise, dubbed Blue Cascades II, gave experts an opportunity to determine how telecommunications, utilities, and other major systems rely upon one another, such as how a power failure brings banking and finance to a halt, for example. Participants signed an agreement not to reveal the result of the exercise, and a reporter was asked to leave after introductions. In exercises conducted by the BPA, systems were found to be secure from attacks. However, "there are some utilities that operate on the Internet, and that's a vulnerability," said BPA security manager Robert Windus.
Click Here to View Full Article
"The Next Threat"
Forbes (09/20/04) Vol. 174, No. 5, P. 70; Lenzner, Robert; Vardi, Nathan
- There is growing evidence that terrorist cells such as al Qaeda are attempting to become skilled in hacking and other forms of cyberwarfare, and experts warn that cyberterrorists could cripple the World Wide Web, interfere with military communications systems, or disrupt electrical grids to catastrophic effect. But few federal agencies or corporations have considered or followed recommendations for shoring up public and private infrastructure, despite the imminence of the cyberterrorist threat. Reasons for the sluggish response include political in-fighting, beliefs among government officials that the threat is exaggerated, indecision over who should foot the bill for implementing tougher cybersecurity, and regulatory and financial stumbling blocks that are hindering the growth of corporate security spending. American businesses are reluctant to pass the costs of cybersecurity upgrades on to customers, either because they are tightly regulated or because they are faring so poorly that a price hike could kill them. Rep. William Thornberry (R-Texas) thinks tax incentives would be a far more productive tool to encourage corporate spending than government regulations, while the major automated control system providers contend that customers flatly refuse anything with a price tag, even if it is more secure. However, the deployment of such control systems to run utility grids and other key components of U.S. infrastructure is the reason America is so vulnerable to cyberattack: Ted Lewis of the Naval Postgraduate School reports that almost 300 facilities responsible for 80% of America's electricity use employ poorly shielded control systems, which lack encryption and are easy to manipulate. Of particular concern are weaknesses demonstrated in the Border Gateway Protocol, which could be exploited to manipulate routing information and corrupt the Internet, and the Domain Name System, which is underpinned by poorly secured root servers.
Click Here to View Full Article
From Business Week Insider, September 17, 2004
Are Hurricanes Swamping Spammers?
- Lots of folks think the hits that the Sunshine State (aka Spam State) has taken slowed the volume. Probably isn't so, though. http://www.businessweek.com/technology/content/sep2004/tc20040916_1065.htm?c=bwinsidersep17&n=link12&t=email
From ACM's TechNews, September 15, 2004
"OpenBSD's Theo de Raadt Talks Software Security"
Computerworld Australia (09/10/04); Gedda, Rodney
- OpenBSD founder Theo de Raadt says the vast majority of software security holes are due to low-level programming errors that are copied and spread throughout many different applications. He says programming errors occur when the code author misuses program functions in seemingly insignificant ways, and these mistakes slip by and get propagated as those portions of code are re-used, until billions of lines of open and closed source code are riddled with potential security vulnerabilities, as is the case today. De Raadt explains that it is impossible to root out all of the vulnerabilities, and that there is basically nothing that can stop hackers from finding and trying to exploit those flaws. The approach de Raadt advocates is making the environment difficult for the hacker to understand, so that even after they have found the bug, they do not know how to use it to obtain the needed system privileges. Software vendors must boost security audits, improve education, and incorporate basic technologies that can thwart hacks in general, de Raadt says. He claims that some Linux variations are using strange-environment defense approaches similar to OpenBSD, and there are even some Unix users who disguise their systems to look like OpenBSD machines in order to discourage targeted hack attacks. Adopting OpenBSD is not a solution to security problems, however, since most hackers are targeting the Internet at large and building up spam or denial-of-service capabilities that threaten even securely coded systems. De Raadt is especially critical of Microsoft, which he says will probably always be vulnerable to security flaws because of integration with a bug-riddled Web client.
Click Here to View Full Article
From ACM's TechNews, September 13, 2004
"Malware Writers Using Open-Source Tactics"
Linux Insider (09/09/04); Mello, John P. Jr.
- Malware writers have adopted open-source software development techniques to help them create zombie networks of remotely controlled PCs, which are estimated to generate between 25 percent and 30 percent of all spam. "There's a community of worm builders creating, almost in an open-source fashion, Trojan source code that can be downloaded, compiled and released into the wild," says MX Logic CTO Scott Chasin. Zombie networks earn money for their creators when rented out to spammers. Sandvine cofounder and chief architect Don Bowman says the people who control zombie networks have become more savvy to counter defense measures, such as monitoring activity on port 25. Because too much traffic on suspect channels will raise the attention of ISPs and get the account shut down, larger networks of spam software are now programmed to send out fewer messages per hour and operate during hours when the PC user is unlikely to be online. Analysts say that such zombie networks are responsible for anywhere from 25 percent to 80 percent of all spam now being sent; Chasin says the creators of these networks benefit from the open source model of application development. He says, "A lot of these Trojans and their variants borrow from the open-source industry and are built off a community effort in the underground environment."
Click Here to View Full Article
From ACM's TechNews, September 10, 2004
"House Panel Gets Tough on Spyware, P2P Piracy"
InternetNews.com (09/08/04); Mark, Roy
- The House Judiciary Committee has toughened its stance on peer-to-peer digital piracy and spyware with the Sept. 8 passage of the Piracy Deterrence and Education Act and the Internet Spyware Prevention Act. The former bill goes after the digital dissemination of copyrighted content "with reckless disregard for the risk of further infringement," and proposes a maximum prison sentence of three years to violators who electronically distribute 1,000 or more copyrighted materials over a 180-day period. Furthermore, the bill sets aside $15 million for the establishment of an Internet use education program coordinated by the Department of Justice (DOJ). The Spyware Prevention Act criminalizes the deliberate access of a computer without authorization as well as the intentional circumvention of authorized access, and calls for a maximum jail term of five years if the goal of such an intrusion is to support another federal crime. The legislation also calls for a prison sentence of up to two years for violators who intentionally injure or defraud a person or damage a computer by installing spyware without permission, and allocates $10 million to the DOJ to fight spyware and phishing scams. The act's approval follows the passage of an earlier spyware bill by the House Energy and Commerce Committee that requires consumer notification of spyware's presence prior to downloading software, injunctions against unfair or deceitful practices such as computer hijacking and keystroke logging, and the provision of an opt-in screen before the transmission or enablement of any data collection software by anyone who is not the owner or authorized user of a computer. Judiciary spyware bill co-sponsor Rep. Lamar Smith (R-Texas) says that his bill, unlike the Energy and Commerce version, targets bad behavior rather than technology. "At the same time, the legislation leaves the door open for innovative technology developments to continue to combat spyware programs," attested Rep. Bob Goodlatte (R-Va.).
Click Here to View Full Article
"System Alert: Web Meltdown"
Independent (London) (09/08/04); Grossman, Wendy
- The Internet has already "melted down" when considering it is impossible for users to avoid spam and viruses, poor-quality software, and vaguely defined restrictions on how they can use their ISP accounts, according to networking expert Lauren Weinstein and other technology experts who met recently in Los Angeles to discuss the dangers to the Internet. Weinstein, University of Pennsylvania professor Dave Farber, and computing expert Peter Neumann convened the gathering of about 50 technology experts, and the atmosphere was pessimistic. Whereas 10 years ago, technologists confidently tackled fixes or workarounds necessary to make the Internet run, the recent gathering seemed unsure of their technologist powers. Part of the problem is the increasing amount of regulation: ISPs restrict whether users can share their connections or use them for Web servers, entertainment industries have successfully squelched file-sharing networks such as eDonkey, ICANN remains a law unto itself, and governments around the world are eyeing telecommunications-style regulation for VoIP. Former ICANN board member and programmer Karl Auerbach says the Internet is rapidly becoming a fundamental utility, even as it is still developing and facing numerous challenges. Government, business, and regular users depend on the Internet for daily activity and core operations. Meanwhile, evidence shows that anti-virus firms are falling behind in the race to provide security solutions and denial-of-service attacks regularly knock out or slow major sites. Internet governance law expert Michael Froomkin, however, says concern about the state of the Internet is nothing to be worried about in itself; instead, it portends a radical change to fix the situation.
Click Here to View Full Article
"Are Hackers Using Your PC to Spew Spam and Steal?"
USA Today (09/08/04) P. 1B; Acohido, Byron; Swartz, Jon
- Since last year, infectious programs have been turning hacked PCs into zombie computers, making them send spam emails and take part in other illegal activities. Experts say the number of infected machines has reached the millions at a time when computers are more powerful and dangerous than ever. Intelguardians co-founder Ed Skoudis says there has been a sharp rise in the number of machines attacked this year, and he's "worried things will get much worse." Most hijacked computers are in homes, on college campuses, or at small businesses, and the motive for hacking has changed from challenge to profit. Experts say code writers put together networks of zombie PCs and then sell access to identity thieves, spammers, and blackmailers. Most consumers whose computers are taken over are not immediately aware of the problem. Dave Dittrich, senior security engineer at the University of Washington's Center for Information Assurance and Cybersecurity, says, "We have a large population that is easily tricked." Regulators must deal with jurisdictional problems in trying to catch suspects since many are not located in the United States, and critics say that existing laws are too weak. The situation will not change quickly, experts believe, since effecting drastic security improvements means tech suppliers would have to cooperate on universal security standards. While vendors are unlikely to move fast on their own, experts say consumer outrage could speed things up. Meanwhile, cyber security experts say law enforcement has only recently begun to focus on the problem, but they are hindered by weak laws and the enormity of the problem. Keith Lourdeau, deputy assistant director of the FBI's Cyber Division, says, "Hackers can do almost anything with a compromised PC, and there isn't much we can do about it."
Click Here to View Full Article
"Industry Group Voicing Cybersecurity Concerns in Washington"
Investor's Business Daily (09/09/04) P. A6; Howell, Donna
- Executive director of the Cyber Security Industry Alliance (CSIA) Paul Kurtz says the motivation for the organization's establishment was to give cybersecurity industry leaders "a common voice in Washington on cybersecurity policy issues." The seven-month-old CSIA aims to address such issues as cybersecurity awareness--which Kurtz says is showing signs of progress, although more improvement is needed--and the implications of regulatory measures such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act for IT security. Section 404 of Sarbanes-Oxley, which requires CEOs to affirm their financial statements, is hazy in how it relates to cybersecurity, and Kurtz notes that his organization is attempting to find and cite case studies as examples of strategies companies can employ to comply with the regulation. He explains that when it comes to Section 404 compliance, firms need to track transactions related to collating their financial statements along with their sanction and assent. He says, "While the CSIA doesn't have legal authority to put down guidelines, what we can do is put together a picture of what's happening in the space, how companies are responding, and help other companies determine what to do." Kurtz says he reports to the senior executives of the CSIA's founding firms, who are eager to collaborate with other cybersecurity-focused organizations such as the Business Software Alliance and the Information Technology Association of America. He also notes that the CSIA will be pushing for increased understanding of cybersecurity issues through close collaboration with people on Capitol Hill.
From SANS' News Bites, September 9, 2004
Investigative Report: How Hackers Infect PCs To Spread Spam and Steal Money
- In a landmark study of the economics and techniques of hackers, two top reporters from USA Today have painted a vivid picture of what is really going on in cyber crime today and how it involves millions of home and business users. This article is the first of two parts. Part One vividly illustrates the problem and ends with the challenge: "Consumer outrage needed." On Thursday, September 9, Part Two shows that the problem will just get worse if vendors and ISPs continue to refuse to do their fair share to reduce the risk.
http://www.usatoday.com/money/industries/technology/2004-09-08-zombieuser_x.htm
"The Human Factor Trumps IT in the War on Terror"
Government Computer News (09/01/04); Jackson, William
- Information technology can be used as an intelligence gathering and analysis tool in the war on terrorism, but the organization of the intelligence community will need to change to make the data as effective as possible, according to industry experts. The place of IT in the war on terrorism was the topic of a panel of computer scientists at the University of Maryland. "While there is a lot of good information out there, it isn't getting to the right people at the right time," explained William J. Lahneman, coordinator of the Center for International and Security Studies in the School of Public Policy. The culture of "knowledge is power" in the intelligence community prevents more effective sharing of information, and James Hendler of the university's Institute for Advanced Computer Studies agreed that changing the culture of intelligence agencies would be a huge challenge. The scientists also stressed the need for a change in IT architectures, including the Web. And although terrorists have not used the Internet to carry out any significant attacks, they are using the Web more effectively to galvanize supporters than the U.S. government, according to the researchers.
Click Here to View Full Article
From ACM's TechNews, September 3, 2004
"When E-Mail Points the Way Down the Rabbit Hole"
New York Times (09/02/04) P. E8; Johnson, Kirk
- Spam is a runaway technology phenomenon that focuses on better understanding human interests, according to academics and spam experts. Spam and technologies to counter it develop quickly, but are not developing in the traditional economic sense where the aim is to gain market share; instead, spam technologies are more similar to military stealth technologies, except that to succeed the spam must better understand human behavior. That is why a spam message that offers anti-spam solutions seems eerily self-aware, or at least sensitive enough to know a solicitation to stop messages such as itself is appealing to the targeted reader. Anti-spam research focuses on knowing what is truly of interest to the email user and seeks to block all other messages, while spam purveyors become successful by tapping the messages that users really want, or perhaps did not know they wanted. Interestingly, no one really knows where spam development is headed: "It brings home the idea of technology living an independent existence--a parallel universe of computer programs living in a world of their own, having their own quarrels," says MIT Center on Technology and Self director Sherry Turkle. Unlike self-conscious technology that is developed in the laboratories of science fiction, perhaps a future intelligent spam will be consumed with base human issues such as penis enlargement, online gambling, and debt consolidation. Turkle warns that spam is likely to continue to provide more accurate mirrors of human interests, even to the point where spam filtering technologies may discern users' subconscious desire to read some spam messages. Using Web activity records and personal data, spam and anti-spam software will become more attuned to individual minds.
Click Here to View Full Article
From EduPage, September 3, 2004
More Compromised Data, Or Simply More Disclosure?
San Jose Mercury News, 2 September 2004
- Since January 2004, officials in California have notified nearly 600,000 students, faculty, and staff at the state's higher education institutions that personal data about them had been compromised in a number of separate incidents. In June, for example, an auditor working for the California State University system lost a hard drive that contained information including names, addresses, and Social Security numbers for 23,500 individuals. The largest single incident involved data for more than 500,000 individuals, which was accessed by hackers who broke into computer systems for San Diego State University and the University of California, San Diego. A law requiring notification of such security breaches went into effect in July 2003. Joanne McNabb of the Office of Privacy Protection in the California Department of Consumer Affairs noted that the incidence of such compromises likely has not increased. "It's just that we know about them now," she said, "when we didn't hear [about them] before."
http://www.siliconvalley.com/mld/siliconvalley/9568329.htm
From ACM's TechNews, September 1, 2004
"Organized Crime Invades Cyberspace"
Computerworld (08/30/04) Vol. 32, No. 35, P. 19; Verton, Dan
- Antivirus researchers say a surprising increase in virus and worm activity is linked to an underground economy in identity theft and spam. F-Secure antivirus research director Mikko Hypponen says the connection is not very new, though until recently the writers were thought to be only a rogue subculture. He says MyDoom was the start of a concerted effort to make money from virus and worm infections. Although the MyDoom worm gained notoriety for its denial-of-service attacks against SCO and Microsoft, the more significant activity was going on behind the scenes, when someone scanned millions of IP addresses for backdoors left open by the virus. A network was set up, ready to service the underground spam market. F-Secure analysts decoding encrypted messages in a version of Bagle found warnings to the author of the Netsky.R virus. Bands of hackers, likely Russian immigrants living in different European countries, had been using Bagle and other malware to expand their spam proxy networks, but the Netsky.R author used the infection to clean out those spammers' viruses and was running denial-of-service attacks against their front Web sites. Symantec director Brian Dunphy says that a recent variant of MyDoom featured peer-to-peer networking capabilities that allowed the author to update infected machines and protect his network against rivals. Viruses and worms are also being used to install Web servers on vulnerable systems; Web sites often sell subscription services on compromised computers. Some support identity theft rings, harvesting credit card and other information to sell underground.
Click Here to View Full Article
From EduPage, August 27, 2004
DNA Analysis Used To Fight Spam
BBC, 25 August 2004
- Researchers at IBM's TJ Watson Research Center have modified an algorithm--originally created to discern patterns in protein sequencing--to serve as a spam filter. The algorithm, named Chung-Kwei after a Feng Shui character, analyzes e-mail, looking for patterns of letters that exist in spam but not in legitimate messages. Because of the amount of spam in circulation today, the researchers have an abundance of spam e-mail to feed to the algorithm to train it to identify those strings of characters that indicate a message is spam. Chung-Kwei is able to process 88,000 messages in about 15 minutes, said the researchers, and will continue to "learn" as more e-mail arrives. The tool is able, for example, to identify e-mails that have "S" replaced with "$" as spam. Researchers said Chung-Kwei is able to successfully detect nearly 97 percent of spam.
http://news.bbc.co.uk/2/hi/technology/3584534.stm
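As an added illustration of the approach the summary describes (this is not IBM's Chung-Kwei code, and the training corpus is constructed for the example), the block below mines character-level patterns that occur in several known spam messages but in no legitimate one, keeps only the maximal ones, and then scores new mail by how many of those patterns it contains. The "$"-for-"s" substitutions are learned as ordinary patterns rather than special-cased.

```python
"""Added example, not IBM's Chung-Kwei code: a simplified form of the idea the
summary describes. Mine character-level patterns that occur in several known
spam messages but in no legitimate message, then flag new mail that contains
enough of them. The training corpus below is constructed for this example."""
import re
from collections import defaultdict


def normalize(message):
    """Lowercase and collapse whitespace so patterns match across line breaks."""
    return re.sub(r"\s+", " ", message.lower()).strip()


def ngrams(text, min_n, max_n):
    """Yield every substring of text whose length is between min_n and max_n."""
    for n in range(min_n, max_n + 1):
        for i in range(len(text) - n + 1):
            yield text[i:i + n]


def mine_patterns(spam, ham, min_n=3, max_n=8, min_spam_docs=2):
    """Return {pattern: set of spam doc indices} for patterns that appear in at
    least min_spam_docs spam messages and in no ham message. A pattern that is
    a substring of a longer pattern with identical spam support is dropped, so
    the result lists maximal discriminating patterns only."""
    spam_norm = [normalize(m) for m in spam]
    ham_norm = [normalize(m) for m in ham]
    support = defaultdict(set)
    for idx, doc in enumerate(spam_norm):
        for gram in ngrams(doc, min_n, max_n):
            support[gram].add(idx)
    candidates = {
        gram: docs for gram, docs in support.items()
        if len(docs) >= min_spam_docs and not any(gram in h for h in ham_norm)
    }
    maximal = {}
    for gram, docs in candidates.items():
        redundant = any(gram != other and gram in other and docs == candidates[other]
                        for other in candidates)
        if not redundant:
            maximal[gram] = docs
    return maximal


def score(message, patterns):
    """Number of distinct learned patterns contained in the message."""
    text = normalize(message)
    return sum(1 for pattern in patterns if pattern in text)


def is_spam(message, patterns, threshold=3):
    """Classify as spam when the message contains at least `threshold` patterns."""
    return score(message, patterns) >= threshold


# Constructed training corpus (not real mail). Note the "$"-for-"s" substitutions.
SPAM_TRAIN = [
    "Buy cheap vi$it our $ite now for a $pecial offer",
    "Click here for a $pecial deal on ch3ap meds",
    "$pecial offer: vi$it our $ite today, cheap meds",
    "Limited $pecial offer, click here now",
]
HAM_TRAIN = [
    "Hi Bob, are we still meeting at 3pm to discuss the report?",
    "Please find attached the minutes from today's meeting.",
    "Can you review my patch before the release tomorrow?",
    "Thanks for the report, see you at the meeting.",
]

PATTERNS = mine_patterns(SPAM_TRAIN, HAM_TRAIN)

if __name__ == "__main__":
    for pattern, docs in sorted(PATTERNS.items(), key=lambda kv: -len(kv[1])):
        print(repr(pattern), "seen in spam docs", sorted(docs))
    for msg in ("Vi$it our $ite for a $pecial offer",
                "Hi Bob can we move the meeting to 4pm?"):
        print(repr(msg), "->", "SPAM" if is_spam(msg, PATTERNS) else "ham")
```

The learned set includes "$pecial " because every spam sample contains it and no ham sample does; a real deployment would retrain continuously as new mail arrives, as the article says Chung-Kwei does.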
From ACM's TechNews, August 27, 2004
"Exhibit Features Viruses as Art"
Wired News (08/27/04); Delio, Michelle
- The "I Love You rev.eng" art exhibit is set to begin a worldwide tour this September in the United States, featuring an historical analysis of hacker culture, hands-on exhibits where people can create and observe computer viruses, and art displays featuring computer code. The show is a second part to the 2002 presentation, "I Love You Computer_Viren_Hacker_Kultur," that was held in Frankfurt, Germany. Curator Franziska Nori says the aim of the show will be to document a range of hacker activities, but especially to highlight how hacker culture embodies the Buddhist teachings of the Dalai Lama. "'Share your knowledge and you will achieve immortality,' and, 'Learn the rules so that you will know how to break them,'" she quotes. Nori says hackers influenced the Internet's development more than any other group, and that there is a large distinction between the large majority of hackers and virus creators and a few that are intent on damaging property. "Most viruses remain to a large extent in private collections within the hacker community and were deliberately never made public," she says. "I Love You rev.eng" refers to reverse engineering, and is a variant from the first show's title as a tribute to virus writing. The show will feature a virus laboratory, called "The Zoo," where people can watch how malware affects computers, and another set-up where people can use virus kits to create their own code and release it on machines in the zoo. In addition to other art exhibits, the show serves as a starting point for Brown University's yearlong study of global networking and will feature a symposium. The show begins at Brown University in Rhode Island on Sept. 11, and will travel to Copenhagen, Denmark, before possibly moving on to other destinations.
Click Here to View Full Article
"A Proactive Approach to Security"
VNUNet (08/18/04); Thomson, Iain
- Symantec chief technology officer Robert Clyde is also a founding member of the IT industry's Information Sharing and Analysis Center, as well as the group's executive committee treasurer. In an interview, he says virus threats will continue to drive the security business, and notes that malware attacks are increasing in frequency and complexity. He says reactive, signature-based security methods are becoming less effective, and more proactive and predictive security is needed, perhaps through behavior blocking and client compliancy. Clyde says, "The time from software patch to exploit is dropping below the time needed for companies to install the patch. Even if you start when the patch is released, most IT departments will take 30 days to test and patch a system and hackers are faster than that now." Hardware security is not enough, and software will continue to have vulnerabilities, Clyde predicts. He says an average of 53 software vulnerabilities are found each week, and most are high-severity. Although that number has leveled off, Clyde thinks that "we're at a knee in the vulnerability curve and the numbers will continue to rise as new, more feature-rich operating systems come on the market." Vulnerability scanners are useful for writing secure code, but they are by no means perfect, and Clyde believes that vulnerability will be a problem for the next 20 years or so. Outsourcing is a better option for some industries than others.
Click Here to View Full Article
From ACM's TechNews, August 25, 2004
"Concerns Mount Over Major Web Strike"
eWeek (08/24/04); Morgenstern, David
- A rash of assaults on primary Internet servers and the recent defeat of the MD5 and SHA-0 encryption algorithms are raising concerns among Internet operators that a convergence of political activism and hacking is taking place. Compounding these fears are warnings from security experts that terrorists may launch a long-threatened "electronic jihad" against servers sometime this week; in fact, Kaspersky Labs International founder Yevgeny Kaspersky expects an attack against financial and political sites on Aug. 26, according to a Tuesday report from RIA Novosti. Kaspersky's warning appears to imply that the e-jihad will take the form of wide-scale distributed denial of service attacks such as the ones that targeted Akamai Technologies in June and DoubleClick's domain name system in July, although experts hint that major Internet services as well as root servers are under threat as well. Meanwhile, Packet Clearing House research director Bill Woodcock implies that Internet servers and ISPs could be threatened by the cracking of MD5 and SHA-0, which was detailed at the recent Crypto 2004 conference. The algorithms are employed in numerous commercial applications that include financial turnkey systems, enterprise content servers, and Internet routers. Woodcock likens the MD5 and SHA-0 circumvention to tumbling dominos: "A vulnerability is found, and a bunch of smart people follow the trail until bad things happen," he explains. The technique used to crack the algorithms may be unfeasible, but Woodcock notes that Internet operators are worried that Internet services will be adversely affected if hackers adopt and refine the method.
Click Here to View Full Article
"Selective Shutdown Protects Nets"
Technology Research News (09/01/04); Patch, Kimberly
- Max Planck Institute researcher Adilson Motter has demonstrated that cascade failures triggered by assaults on large, central network nodes could be mitigated by shutting down peripheral nodes. The scientist has built a model showing that the scale of a cascade failure can be dramatically lowered if a certain population of nodes that manage small loads are deactivated before the cascade effect starts, while the overall network load is kept in balance. Finding the right nodes to eliminate is the key challenge, as the wrong nodes can worsen the cascade effect. Nodes have the dual purpose of transmitting and generating load, but central nodes are targeted by attackers because they more often serve as transmitters and thus play a major role in load balancing. Motter's model illustrates that cascade failures produced by sudden load shifts can be diminished by the removal of load-generating nodes, as well as by the shutdown of heavily-loaded connections that convey traffic from load-generating nodes to central distribution nodes. This scheme can be extended to power grids, which consist of generator stations that supply power, local stations that distribute power to customers, and transmission stations that carry power from generators to local stations; automatic devices along the transmission lines shut down grid components when their load becomes unmanageable, and Motter explains that transmission stations are most vulnerable to cascade effects. Intentionally disconnecting local stations from the transmission stations that are about to fail can reduce the size of the cascade, according to Motter's model. "It is still speculative to talk about practical applications [but] I hope my work will motivate new studies on the control of cascading failures in realistic models of network systems," comments Motter.
Click Here to View Full Article
From SANS NewsBites, August 23, 2004
London Internet Exchange Members Adopt Code of Practice to Thwart Spammers
The Register, 18 August 2004
- Internet Service Providers (ISPs) that belong to the London Internet Exchange (LINX) have approved "a code of practice" to shut down web sites that are advertised by spam, even when the spam itself comes from a third party or another network. LINX also would like to see ISPs take down web sites that sell spamming tools. LINX hopes to spread the standard across the globe in a concerted effort to put spammers out of business. LINX boasts 150 members, including most major ISPs in the UK as well as some in continental Europe, the US and Asia. Read more at http://www.theregister.co.uk/2004/08/18/isp_war_on_spam/print.html and
http://www.linx.net/press/releases/103.thtml.
Yankee Group Study Suggests Most Large Companies will Outsource Security by End of the Decade
Information Week, 23 August 2004
- According to a Yankee Group study, nearly 90% of big US companies will outsource security by 2010. Apart from the cost savings, the reasons companies are moving toward outsourced security include the fact that attacks are arriving more and more swiftly, giving companies little time to put appropriate defenses in place. In addition, companies need to focus on compliance with HIPAA and Sarbanes-Oxley regulations. Finally, it is becoming more difficult to describe network perimeters.
http://informationweek.com/shared/printableArticle.jhtml?articleID=29116929.
From Peter Coffee's Enterprise IT Advantage, August 23, 2004
Immature standards, encryption attacks impose burdens on early adopters
eWeek, August 23, 2004
- "There must be millions of people," wrote columnist Robert Benchley about 70 years ago, "who are no more equipped than I am to guide a motor vehicle through any more of an emergency than a sudden light breeze. The logical ending to the whole situation is for all the automobiles in the world to pile up on top of one another at one big cross-road."
- When people talk about an Information Superhighway, Benchley's image quickly comes to my mind. In the same way that Benchley could never have imagined an H2 bearing down on a Mini, the people who built the Internet could never have imagined zombie bot nets mounting distributed-denial-of-service attacks on Net-edge cache servers. The Internet was built to tolerate random failures, not to withstand deliberate and focused attacks; it seems to me that new Internet initiatives still tend toward a science-project definition of technical success that says, "once it can be shown to work, it's done."
- Read the rest of the column at http://eletters.eweek.com/zd1/cts?d=79-1017-6-7-128123-115810-1.
From ACM's TechNews, August 20, 2004
"Convergence Quagmire: Viruses with Spam"
TechNewsWorld (08/18/04); Lyman, Jay
- A July intelligence report from MessageLabs indicates virus authors and spammers are forming a symbiotic relationship that combines their expertise and strategies into a new class of email security threat. The report finds that BugBear, SoBig, MyDoom, and other viruses are employing spamming techniques so they can proliferate, with financial gains being the ultimate goal. "What is 'cool' is to join forces with the spammers and prove that you're capable of making money out of malicious code," states the report. MessageLabs security analyst Natasha Staley says nearly all viruses released this year have been distributed via spam or have been used to penetrate systems used for spamming, and that treating spam and viruses as a single threat is the best defensive measure against the growing convergence of these two practices. "It's actually a pretty incestuous relationship and it's really hard to separate the two anymore," Staley concludes. iDefense malicious code intelligence director Ken Dunham believes the merging of viruses and spam is part of cybercrime's natural evolution, and adds that increasing dependence on network protocols and network shares, among other things, is spurring other kinds of cross-breeding between cybercriminals. He observes that the virus/spam convergence is being accompanied by the growing availability of source code, tools, and knowledge used to create and launch malware or spam. Dunham notes that virus writers use spamming techniques to better mask their identity and the starting point of virus outbreaks.
Click Here to View Full Article
From EduPage, August 18, 2004
Survival Time of Unprotected PCs Drops
CNet, August 17, 2004
- Researchers at the SANS Institute's Internet Storm Center estimate that an unprotected PC will be compromised within 20 minutes of being connected to the Internet, down from an estimated 40 minutes last year. The estimate is based on observations of vacant IP addresses, which received reports approximately every 20 minutes. According to the researchers, if those reports come from Internet worms, the unprotected machine would likely become infected within 20 minutes, which is especially troublesome because most patches that would protect the computer take longer than that to download and install. Scott Conti, network operations manager for the University of Massachusetts at Amherst, said that, as a test, his institution recently put two unprotected computers on the school's network, and both were compromised within 20 minutes. As a result, all computers at the institution will be checked before they are allowed to connect to the network.
Click Here to View Full Article
From The SANS Institute NewsBites@sans.org, August 18, 2004 - Vol 6, #33
"Philippine Government Plans National Cyber Security System"
IT World, August 10, 2004
- The Philippine government has outlined its plan for a national cyber security system to protect government and business systems from cyber attacks. There are six priority initiatives designed to help get the program going. They include enacting a Computer Crime Law, reducing the risk of threat to the country's electronic critical infrastructure with the help of a risk and vulnerability assessment plan, and the creation of an Incident Response Team Coordinating Center.
Click Here to View Full Article
From The SANS Institute NewsBites@sans.org, August 18, 2004 - Vol 6, #33
"AOL and Yahoo to Use Authentication Technology in Fight Against Spam and Phishing"
Computer World, August 12, 2004
- America Online and Yahoo both plan to begin using email authentication technology to fight the worsening problem of spam and phishing scams. AOL plans to use Microsoft's Sender ID authentication architecture to verify that incoming email is legitimate; Yahoo will use DomainKeys technology to sign outgoing email.
Click Here to View Full Article
From The SANS Institute NewsBites@sans.org, August 18, 2004 - Vol 6, #33
"eMail Security Companies Say They Will Support Sender ID"
TechWeb, August 12, 2004
- A number of email security companies voiced support for Microsoft's Sender ID sender authentication standard and said they would incorporate it into their products. The companies had gathered at a summit requested by the eMail Service Provider Coalition (ESPC) and hosted by Microsoft.
Click Here to View Full Article
From ACM's TechNews, August 16, 2004
"Cellphone Viruses: How Worried Should You Be?"
Business Communications Review (07/04) Vol. 34, No. 7, P. 14; Krapf, Eric
- Security experts warn that the Cabir virus, which spread through smart cell phones last month but did not actually do damage, is an example of the havoc that could take place. Cabir may or may not have been the first wild cell phone virus; it used the Bluetooth specification to spread through phones that use the Symbian operating system. Core Competence President David Piscitello says Cabir arrived as a message. "The reason it can infect other phones by proximity is that lots of phones are left with default settings on their Bluetooth interface," he explains. Cell phone viruses can also spread through ring tones, email attachments, text messaging, skins, pictures, or audio recordings. Piscitello considers cell phone viruses serious because the phones' operating systems are fairly fragile. He says, "You can create all sorts of denial of service attacks against the relatively fragile operating systems of handhelds and cell phones. Remember, these devices don't have lots of memory or CPU, so overwhelming them isn't exactly hard." Core Competence vice president Lisa Phifer also notes that few people may even know if their phones are infected. PDAs are also at risk, but there is some antivirus software available for them; users should also consider host-based intrusion-detection and personal firewalls for handheld devices, Phifer adds. Phifer also warns that VoIP is at risk for Wi-Fi-enabled VoIP technology connected to WLANs. Piscitello advises users to consider their IP phones more computer than phone, and thus just as vulnerable to viruses. No Link provided.
From
ACM's TechNews, August 13, 2004
"Unprecedented Security Network for Olympics"
Associated Press (08/10/04); Varouhakis, Miron
- Security at the Olympic Games in Greece this month will include street surveillance cameras, paired with sophisticated software, that will act as digital security guards collecting intelligence. The $312 million system was developed by a consortium led by Science Applications International and gathers images and audio from more than 1,000 high-resolution and infrared cameras, four mobile command centers, 12 patrol boats, one blimp, 4,000 vehicles, and nine helicopters. Speech-recognition software will put spoken words into text, and the text and other electronic communications will be searched for patterns. The system covers nine ports, airports, greater Athens, and all the other Olympic cities, and has components used by U.K. and U.S. government intelligence agencies. In preparation for the Olympic Games, the Greek government modified legislation to allow increased tapping of mobile and land line phone conversations. With the technology-enabled security measures and surveillance, authorities will be able to respond to critical incidents in the most effective way since they already have important information on hand, explains Greek police spokesman Col. Lefteris Ikonomou. The camera software is intended to spot and rank possible risks, says Dionysios Dendrinos, general manager of consortium member One Siemens. It is also sophisticated enough to distinguish between a tire blowout and a gunshot. The security net also includes a sensor network established throughout Athens designed to detect chemical agents. There have been some protests over the use of the extended security measures, since some people fear the loss of privacy.
Click Here to View Full Article
From
The SANS Institute NewsBites@sans.org, August 11, 2004
"APWG Data Shows Steady Increase in Phishing Scams During First Half of Year"
Computer World, August 4, 2004
- Data from the Anti-Phishing Working Group indicates that the incidence of phishing scams increased an average of 50% a month during the first half of 2004. A Websense Inc. analysis of APWG's report found that 25% of phishing sites were on hacked servers and that 94% of the sites allowed attackers to remotely download personal information entered by those who fell prey to the attacks.
Click Here to View Full Article
From
The SANS Institute NewsBites@sans.org, August 11, 2004
"HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY"
Computer World, August 6, 2004
- Sensitive Building Data is Readily Available on the Internet (6 August 2004) Sensitive information about the physical security of various companies has been found on their corporate web sites. For example, there are 3-dimensional models of the exterior and some of the interior of Citigroup's Manhattan headquarters; there is also information about the building's structural design flaws. Amit Yoran, director of the Homeland Security Department National Cyber Security Division, says they may consider publishing best practices guidelines for companies regarding the availability of such information.
Click Here to View Full Article
From
The SANS Institute NewsBites@sans.org, August 11, 2004
"Hospitals Defy Patching Restrictions"
NW Fusion, August 9, 2004; Messmer, Ellen
- Concerned that patient safety could be threatened, hospital staff members are applying Microsoft's patches to various Windows-based devices in defiance of the manufacturers' restrictions. Manufacturers often have a long testing period or are concerned that a patch may impair a device's functionality. Hospital staff are concerned that malware could imperil patient safety and that applying patches is a part of HIPAA (the Health Insurance Portability and Accountability Act) compliance. The Food and Drug Administration (FDA) is encouraging hospitals that run into these problems to file complaints in writing which could result in the manufacturers losing their "government seal of approval."
Click Here to View Full Article
From
The SANS Institute NewsBites@sans.org, August 11, 2004
"FCC Rules: Spammers Need Consent to Send to Wireless Subscriber Messaging Service Domains"
Washington Post, Information Week Articles
- The Federal Communications Commission (FCC) has issued a new rule requiring mass marketers to obtain express permission from users before sending commercial messages to mobile phones and PDAs. The Commission is also requiring that the Commercial Mobile Radio Service providers compile a list of all pertinent Internet domains that will be used as a do not spam list; the list would not contain individual addresses.
Click Here to View Full Washington Post Article
Click Here to View Full Information Week Article
From
The SANS Institute NewsBites@sans.org, August 11, 2004
"Reverse Engineering of Windows XP SP2"
PCWorld.com (08/03/04); Brandt, Andrew
- Reverse Engineering of SP2 Reveals Strong Security Approach (9 August 2004) Security company F-Secure has reverse-engineered SP2 and believes the update will do a good job protecting against outbreaks of worms like Sasser, Slammer and Blaster; infections will spread more slowly and it will be more difficult for automated worms to spread on updated systems.
Click Here to View Full Article
From
ACM's TechNews, August 9, 2004
"Feds Seek a Few Good Hackers"
PCWorld.com (08/03/04); Brandt, Andrew
- The recent Defcon 12 hackers' conference included a recruitment presentation by federal law enforcement agents searching for talented people to work for the government. "The Department of Defense understands how important computers are to defending the United States, and is always on the lookout for good people," said Alvin Wallace, a supervisory special agent for the Air Force's Office of Special Investigations. The presentation was well-received with many of the twenty-something crowd taking business cards and asking questions about pay, security clearances, and college scholarships. Former National Security Agency director of information assurance Mike Jacobs spoke, urging hackers to help protect the United States from spies and terrorists. He said that when he worked at the agency, he would remind his colleagues that "the hacker community is probably our ally, and we need to pay attention to what they're doing out there." Some hackers may have trouble getting security clearances due to past misbehavior. Jim Christy, director of the Defense Department's Cyber Crime Center, says that the fight against terrorism has reduced security agency resources for cybercrime. The presenters noted that recruitment has to continue because employees tend to move into private industry. Wallace says his office provides "one of the best training grounds...Some of the best computer crime investigators in other federal agencies had their start in the Air Force Office of Special Investigations."
Click Here to View Full Article
From
ACM's TechNews, August 6, 2004
"Stealth Wallpaper Keeps Company Secrets Safe"
New Scientist (08/04/04); Fox, Barry
- BAE Systems, under contract with British telecoms regulator Ofcom, has developed a technique to thwart the interception of Wi-Fi signals from office base stations while ignoring mobile phone signals, through a system based on a secret "stealth" technology originally created to hide military radars. The technology is a wallpaper composed of Frequency Selective Surface sheeting, which can mask radar antennas by being electrically programmed to permit only the exact frequency the antennas wish to transmit and receive, while soaking up all other frequencies. The sheeting consists of a Kapton substrate coated with a thin layer of copper on both sides: One side is covered by a grid of copper crosses, while on the other side matching crosses set at a 45-degree angle are etched off, leaving a copper film with a grid of cross-shaped holes. Careful adjustments to the size and spacing of the crosses allow the wallpaper to pass specified frequencies while inhibiting all others, according to BAE. Ofcom engineers say the wallpaper can stop Wi-Fi signals at 2.4 GHz, 5 GHz, and 6 GHz, while permitting the passage of 3G and GSM cell phone signals, as well as emergency calls. Linking diodes between the copper crosses allows frequency filtering to be switched on and off, and the wallpaper can be produced in volume relatively cheaply. Up to now, the only effective measure to prevent interception of office communications was to line walls with aluminum foil and cover the windows with radio-absorbent glass, but such a "Faraday cage" scheme precludes the use of mobile phones in the office. An even thinner, transparent version of the wallpaper is being developed as a window covering.
Click Here to View Full Article
From
ACM's TechNews, August 6, 2004
"Onion Routing Averts Prying Eyes"
Wired News (08/05/04); Harrison, Ann
- Tor is a second-generation communications system being developed by the U.S. Naval Research Lab that employs onion routing to anonymize Web surfers and protect their activities from corporate or government eavesdropping. In an onion-routing scheme, messages are sent through a distributed network of nodes selected at random; each node is aware of its preceding and succeeding nodes only, and each server has a symmetric encryption key that removes one layer of a message and reveals instructions for the next node along the route. Onion routing cannot support flawless anonymity, but it helps shield users from snoopers who are not monitoring both the sender and recipient of the message at the time the transaction transpires. Tor is designed to be easier to use and less problematic than its first-generation predecessor, and developers say the system can thwart the tracking of users by Web sites, inhibit the compilation of Web site visitor lists by governments, keep whistleblowers safe, and subvert local censorship by employers, ISPs, or schools. "The point of the Tor system is to spread the traffic over multiple points of control so that no one person or company has the ability to link people," explains programmer Roger Dingledine, who adds that companies could employ the system to carry out prudent competitive research or route their staff's Web browsing to prevent employment sites from ascertaining which employees are job-hunting. The Navy's motivation in funding Tor's development is to protect the identity of government workers who gather intelligence and conduct politically volatile negotiations through anonymous communication. Dingledine and Nick Mathewson are developing Tor as a research platform with a global pool of open-source software developers; users are allowed to operate as many Tor nodes as they want.
Click Here to View Full Article
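The layered construction the summary describes, in which each relay holds a symmetric key that strips exactly one layer and exposes only the next hop, is simple to show in code. The following is an added illustration, not Tor's own code or protocol: node names, the per-hop keys and the message are constructed for the demonstration, and the per-layer cipher is a toy counter-mode keystream built from HMAC-SHA256 so that the example runs with the Python standard library alone. Real Tor negotiates each hop's key with a Diffie-Hellman handshake and uses fixed-size cells; this example only shows the peeling.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Toy counter-mode keystream from HMAC-SHA256 (demonstration cipher, not
    a production construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def layer_encrypt(key, plaintext):
    """One onion layer: fresh random nonce, then plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def layer_decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(route, keys, payload):
    """Wrap the payload once per hop, starting at the exit node.

    Layer plaintext = 1-byte length of the next hop's name + name + inner blob.
    The exit layer has an empty next-hop name followed by the payload itself.
    Returns (first_hop, onion)."""
    blob = None
    for i in range(len(route) - 1, -1, -1):
        if i == len(route) - 1:
            plain = bytes([0]) + payload
        else:
            nxt = route[i + 1].encode()
            plain = bytes([len(nxt)]) + nxt + blob
        blob = layer_encrypt(keys[route[i]], plain)
    return route[0], blob


def peel(key, blob):
    """What one relay learns from its own layer: the next hop's name and the
    still-encrypted inner blob, or (None, payload) if it is the exit."""
    plain = layer_decrypt(key, blob)
    n = plain[0]
    if n == 0:
        return None, plain[1:]
    return plain[1:1 + n].decode(), plain[1 + n:]


def route_message(route, keys, payload):
    """Simulate the circuit. Returns the list of (relay, next_hop) pairs each
    relay observed and the payload delivered at the exit."""
    hop, blob = build_onion(route, keys, payload)
    observed = []
    while True:
        nxt, blob = peel(keys[hop], blob)
        observed.append((hop, nxt))
        if nxt is None:
            return observed, blob
        hop = nxt


def demo_keys(names):
    """Constructed per-relay keys for the example (derived from the names so
    the demo is reproducible; a real circuit negotiates them)."""
    return {n: hashlib.sha256(b"demo-key:" + n.encode()).digest() for n in names}


if __name__ == "__main__":
    relays = ["alpha", "beta", "gamma"]
    keys = demo_keys(relays)
    seen, delivered = route_message(relays, keys, b"GET / HTTP/1.0")
    for relay, nxt in seen:
        print(f"{relay} forwards to {nxt}")   # each relay sees only its neighbour
    print("exit delivers:", delivered)
```

Note what each relay can and cannot learn: "alpha" knows the client and "beta", "gamma" knows "beta" and the destination, and nobody except "gamma" can read the payload. This is the property Dingledine describes, and it is also why the summary's caveat holds: an observer sitting at both ends of the circuit can still correlate timing and volume, because the construction hides routing, not traffic patterns.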
From
ACM's TechNews, August 6, 2004
"FCC Takes on Spam, Copying"
Wired News (08/05/04); Grebb, Michael
- The FCC adopted a number of proposals on Aug. 4 concerning wireless spam and digital copying controls, as well as how wiretapping rules should be applied to voice-over-Internet-protocol (VoIP) services. The commission ruled that certain wireless spam messages be banned as part of its implementation of the CAN-SPAM Act: Unsolicited "mobile service commercial messages" were banned, but short message service messages that go directly to phone numbers were permitted, and spammers could exploit this exemption. "Transactional" and "relationship" messages such as billing statements were also exempt, and the job of defining what messages fit into those categories was left to the FTC. Wireless providers were also mandated by the FCC to submit wireless domain names to the commission so that a public database of not-to-be-spammed domains can be compiled. The FCC also proposed that certain VoIP telephony services fall under the jurisdiction of the Communications Assistance for Law Enforcement Act's (CALEA) wiretapping rules, which currently exclude ISPs, although law enforcement authorities support the application of those rules to the Net. However, the FCC's proposal specified that CALEA could only cover "connected" VoIP providers that permit Internet-to-traditional phone calls, while peer-to-peer VoIP services would be exempt. The commission also approved 13 technologies that digital TV equipment manufacturers can incorporate into devices that work with "broadcast flag" copy controls, although some technologies such as TiVoGuard permit limited cross-platform distribution of copied content. The Motion Picture Association of America expressed its disappointment that the agency approved TiVoGuard without conducting "further analysis," while Fred von Lohmann with the Electronic Frontier Foundation said that users are still left vulnerable to crippling copy protections.
Click Here to View Full Article
From
ACM's TechNews, August 4, 2004
"Talking Computer Security"
CyberDefense Magazine (07/04) Vol. 2, No. 7, P. 16
- In a roundtable discussion with CyberDefense Magazine, eBay VP and former White House Special Adviser for Cyberspace Security Howard Schmidt, PatchLink Chairman Sean Moshir, and Foundstone President Stuart McClure talk about the current status of the computer security industry as well as future directions it may take. The panelists provide numerous reasons why the Internet's safety and security are so hard to maintain, among them: The design of the Internet to be an open and collaborative environment that supports anonymity; the inability to keep up with new problems, which are being unearthed on a daily basis; and vendors' eagerness to give customers special features and functionalities without considering how they might impact security. Schmidt remarks that America has taken a vanguard position in boosting cyber-defenses through private-sector and international partnerships, and McClure reports good progress in security deployments by American companies and greater security education. A General Accounting Office report indicates that progress has been made in security patch management, but Moshir contends that the narrowing gap between the announcement of a vulnerability and its exploitation means that patch automation can no longer be just a luxury. Schmidt observes that on-demand Web-based vulnerability evaluation is key to patch management, while McClure says, "The two will go hand-in-hand eventually." McClure raises the need for more knowledge about security requirements among small organizations, while Schmidt calls for better identification of IT systems' interdependencies, developers' prioritization of software quality control over new features and usability, expanded cybersecurity education, and better enforcement of cyber criminal investigation and prosecution. The possibility of a cyberattack comparable to 9/11 is debatable: Schmidt says that society's resiliency against network assaults is improving, but this is no reason to relax our vigilance.
Click Here to View Full Article
From
ACM's TechNews, August 4, 2004
"Fingerprinting Your Files"
Technology Review (08/04/04); Garfinkel, Simson
- Cryptographic hash functions are one of the most useful mathematical tools in computing today, because they allow people to easily protect passwords, stored files, and even database information. One of the most recent applications comes from three Stanford University researchers, who created a browser plug-in that scrambles one easily remembered password for different e-commerce sites based on those sites' Web domains; this protects people from hackers who could use their uniform log-in and password to gain access to multiple accounts, while providing users with the convenience of remembering just one set of identifiers. Yahoo! also uses a version of hash cryptography in its registration process where the user computer is sent a "challenge" sequence that must be appended to the entered password, protecting people using insecure public terminals from hackers sniffing Web traffic, for example. Hash functions are mainly based on research done in the 1980s by RSA co-inventor and MIT professor Ron Rivest, who developed the system as a way to ensure the integrity of a file; hash values computed from a set of computer files can let the owner know those files were not tampered with, for instance, because any change in the input would produce a different hash code. The hash technique is also used in the Surety secure timestamp service to verify a file was in existence at a certain time, and this involves publishing the hash code in a well-known location owned by a third party, such as the New York Times classifieds. Although the Message Digest #5 (MD5) hash function is the most widely used today, perhaps the most secure is the U.S. government's Secure Hash Algorithm, or SHA-1, which caused some controversy at the time of its announcement because cryptographers theorized it contained a backdoor for U.S. intelligence services. Hash functions continue to be used in innovative ways, and might possibly be used to secure entire databases as proposed in the book "Translucent Databases" by Peter Wayner.
Click Here to View Full Article
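The four uses the article names (file integrity, per-site password derivation, challenge-response login and published timestamp commitments) all rest on the same property, that any change to the input changes the digest and that the digest does not reveal the input. The following added example is not code from the Stanford plug-in, Yahoo! or Surety; it is an illustration written for this page that uses SHA-256 rather than the MD5 and SHA-1 of the 2004 article, since collisions have since been demonstrated for both of those. The file contents, passwords and domain names in it are constructed for the demonstration, and the challenge-response exchange is a generic hash-of-challenge-and-verifier scheme rather than Yahoo!'s exact protocol.

```python
import hashlib
import hmac
import os

H = hashlib.sha256  # the article's MD5/SHA-1 are collision-broken today


def fingerprint(data):
    """Digest of a blob; any change in the input yields a different value."""
    return H(data).hexdigest()


def manifest(files):
    """files: dict name -> bytes. Returns the integrity manifest name -> digest."""
    return {name: fingerprint(blob) for name, blob in files.items()}


def changed_files(old_manifest, files):
    """Names whose content no longer matches the manifest, plus added/removed ones."""
    new = manifest(files)
    return sorted(n for n in set(old_manifest) | set(new) if old_manifest.get(n) != new.get(n))


def site_password(master, domain, length=16):
    """One memorised secret, a different password per site (the plug-in's idea):
    HMAC keyed by the master secret over the site's domain, so a leak of one
    site's password reveals neither the master nor other sites' passwords."""
    tag = hmac.new(master.encode(), domain.lower().encode(), H).digest()
    return tag.hex()[:length]


def password_verifier(password):
    """What the login server stores instead of the password itself."""
    return H(password.encode()).hexdigest()


def new_challenge():
    """Server picks a fresh random challenge for each login attempt."""
    return os.urandom(16).hex()


def client_response(password, challenge):
    """Client proves it knows the password without sending it: the response
    binds the verifier to this one-time challenge, so a sniffer on a public
    network gets a value that is useless for any later login."""
    return H((challenge + password_verifier(password)).encode()).hexdigest()


def server_check(verifier, challenge, response):
    expected = H((challenge + verifier).encode()).hexdigest()
    return hmac.compare_digest(expected, response)


def commit(document):
    """Publish this digest now (the article's newspaper-classifieds trick);
    later, revealing the document proves it existed at publication time."""
    return fingerprint(document)


def verify_commitment(published_digest, document):
    return hmac.compare_digest(published_digest, fingerprint(document))


if __name__ == "__main__":
    # Constructed sample files.
    files = {"a.txt": b"hello", "b.txt": b"world"}
    m = manifest(files)
    files["a.txt"] = b"hellO"  # tamper with one byte
    print("changed:", changed_files(m, files))
    print("site passwords:", site_password("correct horse", "example.com"),
          site_password("correct horse", "example.net"))
    v = password_verifier("hunter2")
    c = new_challenge()
    print("login ok:", server_check(v, c, client_response("hunter2", c)))
```

Two caveats a practitioner would add to the article's picture. The challenge-response scheme stops replay, but because the server-side verifier is the only secret needed to compute a response, a stolen verifier is as good as the password (the same pass-the-hash problem seen elsewhere), and an unsalted verifier is also open to offline dictionary attacks; modern designs use a salted, slow password hash and a PAKE-style exchange instead. And a timestamp commitment proves only that the document existed when the digest was published, not who wrote it; authorship needs a signature.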
From
ACM's TechNews, August 2, 2004
"The Shaky State of Security"
InfoWorld (07/26/04) Vol. 26, No. 30, P. 32; Roberts, Paul F.
- The 2004 InfoWorld Security Survey of over 600 IT professionals paints a fairly bleak picture of enterprise security: Only 38 percent of respondents report strong confidence in their security, while just 8 percent report extreme confidence. IT leaders are also highly concerned with a lack of sufficient personnel and training to bolster security, while the swelling ranks of applications available online has increased concern about application vulnerabilities. Security fears are being stoked by the growing number of worms and viruses plaguing the Internet over the past 12 months--in fact, almost 30 percent of survey respondents called malicious code the greatest single threat to enterprise network security. Thirty percent of respondents have no clue as to how many attacks their network was subjected to in the past year, and 22 percent do not know how many successful attacks transpired at that time. These figures come as no surprise to SANS Institute research director Alan Paller, who explains that "It's difficult to find infected machines when the infection is meant to be kept hidden." Bank of America's John Schramm says low-level passive attacks occur with such regularity on some corporate networks that IT administrators usually ignore them and concentrate on higher-level attack data, while 57 percent of respondents working for enterprises that manage their own network security say the effectiveness of intrusion detection is often determined by the number of staffers on hand. Forty percent of surveyed IT professionals blame network exploits on operating system flaws, 24 percent report their organization suffered a denial-of-service attack, and 19 percent cite buggy Web applications; yet many respondents' loyalty to major software vendors remains steadfast. This year's respondents are chiefly fearful of malicious code, but experts believe that spyware, identity spoofing, and other threats of less concern are becoming increasingly serious, which makes a case for boosting awareness of enterprise security.
Click Here to View Full Article
From
ACM's TechNews, August 2, 2004
"Hack This"
EDN Magazine (07/22/04) Vol. 49, No. 15, P. 26; Webb, Warren
- Dealing with malware on desktop systems is often as simple as rebooting the computer, but this strategy does not apply to embedded systems, whose operation must continue even when faced with security threats. The National Institute of Standards and Technology (NIST) has prepared a list of security-related design principles for designers to think about throughout the embedded systems' lifespan, such as defining a security agenda, designing the product, accommodating upgrades and changing threats, incorporating a new technology, erecting multiple security layers, and training programmers to develop protected software. Issues that must be addressed in order to determine the best security measures include what data needs to be protected and what kinds of potential attackers are out there and how sophisticated they are. Because embedded devices, particularly portable ones, are vulnerable to so many more threats than desktop systems, designers are advised to include physical protection, such as hardened enclosures and seals or tapes that provide visible evidence of tampering, in addition to traditional software security. Designers can also follow embedded software security standards, such as the Common Criteria for Information Technology Security Evaluation and Multiple Independent Levels of Security. Users must pass a multi-stage authentication process before they are allowed to interact with secure embedded systems. When an embedded system must be linked to a network or the Internet, designers encrypt the data either symmetrically or asymmetrically, though both methods require a secret key and an encoding sequence to translate plain text into cipher text and back again. Embedded-product-development budgets are expected to grow so these safeguards can be provided.
Click Here to View Full Article
From
ACM's TechNews, August 2, 2004
"Search Engines Expose Vulnerabilities"
Computerworld (07/29/04); Willoughby, Mark
- Hackers use search engines to discover vulnerabilities in Web site source code, and security experts forecast an increase in this behavior. "People have discovered that they can make a really tight Google query that comes back with results that show lots of vulnerabilities at once," says SPI Dynamics application security analyst Matt Fisher. He points out that backup files and source code are sometimes stored in clear text or as HTML files, adding that the problem lies with poor Web application security, not search engine security practices. Passwords are sometimes found in embedded code, and searching for files with extensions the server does not execute but serves as plain text, such as .inc, .bak, or .old, will usually return Web site source code. The information tells what the site is storing, as well as configuration data that could be helpful in a hack. "Developers are not taught secure coding," Fisher says, noting that firewalls will not protect against such invasions. Chris Wysopal, vice president of @stake, says that hackers also use search engines to hide their locations and to complicate forensic investigations. Since hackers view the search engine results through a third-party cache, there is no information left about their IP address. Also, the MyDoom.O worm used search engines to locate email addresses stored in a domain range. Wysopal warns people must understand how attackers work and that they are not usually going after a given site but just searching for an opportunity.
Click Here to View Full Article
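The exposure Fisher describes is straightforward to check for on one's own document root before a search engine does it for you: look for files with suffixes the server hands out as plain text (.inc, .bak, .old, editor backups) and for credential assignments sitting in anything under the web root. The following is an added example written for this page, not a tool from SPI Dynamics or @stake; the sample document root, file names, passwords and the credential regex are constructed for the demonstration, and the generated search queries merely restate the article's technique so an operator can run them against their own domain.

```python
import os
import re
import tempfile

# Suffixes a web server typically serves verbatim instead of executing.
LEAKY_SUFFIXES = (".inc", ".bak", ".old", ".orig", ".swp", "~")

# Constructed pattern for credentials embedded in source: name, = or :, value.
SECRET_RE = re.compile(r"""(?i)(pass(word|wd)?|secret|api[_-]?key)\s*[=:]\s*['"]?([^'"\s;]+)""")


def scan_webroot(root):
    """Walk a document root and return sorted (kind, relative_path, lineno)
    findings: 'exposed-source' for leaky suffixes (lineno None) and
    'embedded-credential' for lines that look like a hard-coded secret."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(LEAKY_SUFFIXES):
                findings.append(("exposed-source", rel, None))
            try:
                with open(path, "r", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if SECRET_RE.search(line):
                            findings.append(("embedded-credential", rel, lineno))
            except OSError:
                pass  # unreadable file: not served either, skip it
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or 0))


def search_queries(domain):
    """Search-engine queries of the kind the article describes, for checking
    what is already indexed for your own domain (ext: is Google's filter)."""
    return [f"site:{domain} ext:{s.lstrip('.')}" for s in LEAKY_SUFFIXES if s != "~"]


def demo_webroot():
    """Build a constructed sample document root in a temp directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php include 'config.inc'; ?>\n",
        "config.inc": "<?php $db_password = 'Tr0ub4dor'; ?>\n",   # served as text
        "config.php.bak": "<?php $db_password = 'oldpass'; ?>\n",  # editor backup
        "js/app.js": 'var apiKey = "abc123";\n',                   # client-side key
        "about.html": "<p>Nothing to see.</p>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = demo_webroot()
    for kind, rel, lineno in scan_webroot(root):
        print(f"{kind:20} {rel}" + (f":{lineno}" if lineno else ""))
    print(search_queries("example.com"))
```

The fix is on the server side, as Fisher says: keep includes and configuration outside the document root, and deny the remaining suffixes explicitly (for Apache 2.4, a `<FilesMatch "\.(inc|bak|old|orig|swp)$">` block with `Require all denied`), then confirm with the generated queries that nothing is already cached. Note that the .js finding is a different class of problem: anything shipped to the browser is public by design, so a key there is exposed regardless of server configuration.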
From
ACM's TechNews, August 2, 2004
"Hackers Plan Global Game of 'Capture the Flag'"
CNet (07/30/04); Lemos, Robert
- Hackers from all over the U.S. are planning to engage in a massive game of capture the flag next February, in which they will launch a cyberattack of unprecedented scale against systems set up and maintained by other hackers. The three-day event will pit East Coast against West Coast hacker teams in what is publicized as the first large-scale hacking competition to be waged over the public Internet; the contest's organizers, the Ghetto Hackers security group, expect to have 1,000 participants signed up by February. The game is being advertised at this week's Defcon hacking convention. So that the game does not leak onto the Internet, the Ghetto Hackers intend to build a network that runs on the Internet but is independent from it, through the use of a virtual private network. Security experts are largely unfazed by the event: Counterpane Internet Security founder Bruce Schneier notes that most players will not resort to "large-scale, uncontrollable attacks." Jennifer Granick of Stanford University's Center for Internet Law and Society reports that in a case where a virus or worm spills over from the game onto the Internet and causes damage, there could be a basis for legal action. Doug Tygar of the University of California, Berkeley doubts that the capture-the-flag game will yield anything significant to scholars, though he does see value in the experiment as a learning experience. Every year for the last three years at the Defcon convention, the Ghetto Hackers have coordinated a small capture-the-flag game in which eight teams hack each other on a closed network, but next year's contest promises not only to be global but to involve more amateur hackers.
Click Here to View Full Article
From
ACM's TechNews, August 2, 2004
"Academics Enlist in Spam Battle"
eWeek (07/31/04); Hicks, Matt
- The Conference on Email and Anti-Spam, which brought together researchers from both academic and industry labs, represented the first serious academic conference to focus on spam and spam countermeasures, according to Microsoft Research's Joshua Goodman. The hottest debate centered on the proliferation of economic-based models for spamming deterrents, such as programs where spammers pay a fee for sending unsolicited commercial email, perhaps as a micropayment when a message is determined to be spam by a recipient. The same panel explored a Microsoft research project that employs a computational puzzle strategy to force spammers' computer systems to consume additional CPU or memory resources to send email in bulk, as well as challenge-response questions. University of Cambridge researcher Richard Clayton argued that each deterrent could be subverted by determined spammers. Challenge-response systems, for instance, could be thwarted by cheap labor employed by spammers, while computing power could be stolen from zombie systems in order to beat computational obstacles. "The problem is that not only is my machine insecure and my identity insecure but that my money is insecure as well," Clayton explained. Presentations at the conference included: an analysis of phishing schemes by MailFrontier engineer Jon Oliver, who concluded that even legitimate marketing emails from major companies are being misinterpreted as phishing scams because the problem is so widespread; a report from the University of Illinois at Champaign-Urbana's Ben Gross that 50 percent of people use multiple email accounts; and observations from Geoff Hulten of MSN's Anti-Spam Technology and Strategy Group that spam for non-graphical sexual products is increasing dramatically, while spam for explicit sexual products is falling.
Click Here to View Full Article
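The "computational puzzle" deterrent the panel discussed is easiest to understand from a minimal implementation of the proof-of-work stamp idea: the sender must find a counter that makes a hash of the stamp start with a given number of zero bits, which costs the sender roughly 2^bits hash computations, while the receiver verifies with one. The following is an added example for this page, not Microsoft's research code or the Hashcash reference implementation, although the stamp format is modelled on Hashcash's colon-separated fields; the recipient addresses, date and random salt are constructed, and SHA-256 is used in place of the SHA-1 of the 2004-era schemes. The last function makes Clayton's objection concrete by pricing a campaign in zombie-machine time.

```python
import hashlib
import os
import time


def leading_zero_bits(digest):
    """Number of zero bits at the start of a digest (the 'work' measure)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(recipient, difficulty, date=None, rand=None):
    """Sender side: search for a counter so the stamp hashes to `difficulty`
    leading zero bits. Format (after Hashcash): ver:bits:date:recipient:rand:counter.
    Expected cost is about 2**difficulty hashes; verification costs one."""
    date = date or time.strftime("%y%m%d")
    rand = rand or os.urandom(8).hex()   # salt so stamps are never reused verbatim
    counter = 0
    while True:
        stamp = f"1:{difficulty}:{date}:{recipient}:{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty:
            return stamp
        counter += 1


def verify(stamp, recipient, min_bits, seen):
    """Receiver side: the stamp must be well formed, addressed to us, claim at
    least our minimum, actually carry that much work, and not be a replay.
    `seen` is the receiver's double-spend database (a set here)."""
    try:
        ver, bits, date, rcpt, rand, counter = stamp.split(":")
        bits = int(bits)
    except ValueError:
        return False
    if ver != "1" or rcpt != recipient or bits < min_bits:
        return False
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False
    if stamp in seen:
        return False
    seen.add(stamp)
    return True


def campaign_seconds(messages, bits, hashes_per_second, machines):
    """Clayton's point in numbers: wall-clock time for a spammer to stamp a
    campaign when the work is spread across `machines` (e.g. a zombie network)."""
    return messages * (2 ** bits) / (hashes_per_second * machines)


if __name__ == "__main__":
    seen = set()
    start = time.time()
    stamp = mint("alice@example.org", 20)
    print(f"minted in {time.time() - start:.2f}s: {stamp}")
    print("accepted:", verify(stamp, "alice@example.org", 20, seen))
    print("replayed:", verify(stamp, "alice@example.org", 20, seen))
    # A 20-bit stamp takes a legitimate user a fraction of a second per mail,
    # but ten million messages on one machine versus 100,000 stolen ones:
    print(campaign_seconds(10_000_000, 20, 5_000_000, 1) / 3600, "hours alone")
    print(campaign_seconds(10_000_000, 20, 5_000_000, 100_000), "seconds with zombies")
```

The asymmetry (expensive to mint, one hash to verify) is what makes the scheme attractive, and the replay database is what keeps it honest, since without it one stamp would cover an entire mailing. The campaign arithmetic also shows why Clayton is right that stolen CPU defeats it: the per-message cost that is painful for one spammer's machine is negligible once spread over a botnet, so the deterrent only raises the price to whatever a compromised host costs.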
From
ACM's TechNews, August 2, 2004
"Hackers Are Discovering a New Frontier: Internet Telephone Service"
New York Times (08/02/04) P. C4; Belson, Ken
- Internet phones are becoming more and more attractive to hackers as the technology proliferates among home and business users. Several malicious attacks directed against Net phone networks have already resulted in millions of dollars in lost business. Hackers or angry employees with access to a corporate phone server can listen in on conversations by secretly setting up software that tracks voice packets, and Net phone tapping is much easier than wiretapping. Phone manufacturers and Internet security experts say the damage caused by Internet phone hacking has been low, while quantifying the extent of the damage is difficult because the technology is immature and many companies are reluctant to reveal problems; however, the general feeling is that Net phone exploitation will become more frequent and more serious as companies establish digital phone networks and integrate them with their data networks. "Voice over Internet phones are not in the spotlight of hackers yet, but in this voyeuristic world, if someone can listen in on people's conversations and get a thrill, they will," warns Avaya security consultant Joe Seanor. Beyond cheap thrills, hackers may eavesdrop on digital phone conversations to gather information that can be sold to rival companies. Measures hackers may take against digital phone networks include programs that seek holes in firewalls and disrupt phone traffic and counterfeit voice packets that can get past security programs. Vonage and other companies supply Internet calling services that are more difficult to hack into, but hackers could still infect an individual phone user's computer and eavesdrop on any emails and voice calls that go through the compromised system. Experts say firms can avert incidences of internal sabotage by installing encryption software and restricting code access to a select handful of employees or resort to "deep packet inspection" in case the first strategy fails.
(Articles published within 7 days can be accessed free of charge on this site. After 7 days, a pay-per-article option is available. First-time visitors will need to register.)
Click Here to View Full Article
From
ACM's TechNews, July 30, 2004
"Internet Snagged in the Hooks of 'Phishers'"
Washington Post (07/29/04) P. E1; Walker, Leslie
- Phishing attacks are occurring more frequently, worrying the e-commerce and banking industries. According to Gartner, some 57 million U.S. adults have received a phishing email, and nearly 11 million clicked on a false link, while 1.8 million actually gave out personal information. The Federal Trade Commission is planning a summit this autumn to focus on authentication tools guarding against phishing attacks, and the FBI will start a drive to identify and catch phishers next month. SAIC chief scientist James Jones says that phishers seem to be getting pickier about their targets and appear to be culling target lists. Meanwhile, companies such as Earthlink are feeling the pain along with their customers. Each time a phishing exploit targets Earthlink customers, the company receives 40,000 phone calls from users, says senior manager Scott Mecredy. Earthlink offers ScamBlocker software that keeps a blacklist of known phishing sites on people's Web browsers. VeriSign notes that the attacks are becoming more sophisticated, with 93 percent of the emails the company examined containing spoofed return addresses to make them look more legitimate. Phishers are also getting better at making their fake sites look like the real thing and can camouflage the real Internet address or replicate the small padlock icon at the bottom right-hand corner. There is a need for universal tools to verify the authenticity of emails and Web sites. Next month the FBI will launch a new concerted effort with various law enforcement agencies called Digital Phishnet designed to identify and catch phishers. Meanwhile, experts say online commerce is suffering due to Internet security concerns. Gartner analyst Avivah Litan says, "I think we will see the slowdown accelerate. And if the problems aren't fixed, people will use the Internet for surfing, but they won't transact online."
Click Here to View Full Article
From EduPage,
July 7, 2004
WORM VARIANT CLOGS E-MAIL, SEARCH ENGINES
ZD-Net, July 26, 2004
- A variant of the MyDoom worm hit early Monday, clogging e-mail accounts worldwide and slowing search engines Google, Yahoo, AltaVista, and Lycos because it automatically performs Web searches on those search engines after it infects a PC. Tens of thousands of PCs have reportedly been infected. Looking for e-mail addresses on search sites is a twist on earlier variants of MyDoom, which looked for addresses only on the host hard drive.
Click Here to View Full Article
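The variant's distinguishing behaviour, a burst of automated queries to several search engines from a freshly infected PC, is visible in an organisation's proxy logs long before the mail queue fills. The Python below is an added example, not from the ZDNet article: it slides a 60-second window over constructed proxy-log lines (epoch seconds, client address, host, path, assumed to be in chronological order) and flags clients whose search-engine request rate exceeds a threshold. The log lines, addresses and threshold are all constructed.

```python
from collections import defaultdict, deque

# Constructed proxy log lines, "epoch_seconds client_ip host path" (not real traffic).
# 192.0.2.10 fires a burst of automated search queries; 192.0.2.20 browses normally.
SAMPLE_LOG = """\
1090850400 192.0.2.10 www.google.com /search?q=example.com
1090850401 192.0.2.10 search.yahoo.com /search?p=example.com
1090850401 192.0.2.20 www.google.com /search?q=weather
1090850402 192.0.2.10 www.altavista.com /web/results?q=example.com
1090850403 192.0.2.10 search.lycos.com /default.asp?query=example.com
1090850404 192.0.2.10 www.google.com /search?q=example.org
1090850405 192.0.2.10 search.yahoo.com /search?p=example.org
1090850406 192.0.2.10 www.altavista.com /web/results?q=example.org
1090850460 192.0.2.20 www.google.com /search?q=lunch
1090850470 192.0.2.10 www.google.com /search?q=example.net
"""

# The four engines named in the summary; extend for a real deployment.
SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.altavista.com", "search.lycos.com"}


def parse_log(text):
    """Yield (timestamp, client_ip, host, path) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, path = line.split(maxsplit=3)
        yield int(ts), ip, host, path


def find_bursting_clients(text, window_seconds=60, threshold=5, search_hosts=SEARCH_HOSTS):
    """Return {client_ip: peak search requests seen in any window} for clients
    whose peak reaches the threshold. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # per client: timestamps inside the current window
    peak = defaultdict(int)
    for ts, ip, host, _ in parse_log(text):
        if host not in search_hosts:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop timestamps that have aged out of the window.
        while window and ts - window[0] >= window_seconds:
            window.popleft()
        peak[ip] = max(peak[ip], len(window))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(find_bursting_clients(SAMPLE_LOG))  # the infected client and its peak rate
```

A human rarely issues more than a handful of searches a minute, so a low threshold is safe; the same window logic works on any event stream where the tell is rate rather than content.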
From ACM's TechNews, July 26, 2004
"An Eye Opener on Open Source Internet Security"
IST Results (07/22/04)
- The purpose of the Information Society Technologies program-funded SECRETS project was to assess the advantages and disadvantages of open source software for Internet security for the benefit of the public and private sectors, and its evaluation of the toolkit for deploying OpenSSL's Secure Sockets Layer (SSL) and IPSec's Free Secure Wide Area Network (FreeS/WAN) yielded mixed results. The protocols' functionality was tested in the areas of secure e-commerce, secure mobile communications, network monitoring, and intelligent networks. Intrasoft International's Antonis Ramfos reports that one of open source software's major drawbacks is that the organizations that devise the protocols frequently fail to capably support them afterwards, while a dearth of standardization has led to interoperability problems with other open source software. Such problems were typical of FreeS/WAN, according to the SECRETS evaluation. Despite such problems, Motorola's Ross Velentzas says the SECRETS project determined that the protocols' deployment is "worth considering by commercial organizations and governments for integration into the software products" they build or employ. The utilization of OpenSSL by others is much easier than FreeS/WAN because, unlike FreeS/WAN, OpenSSL boasts sufficient documentation from its organization. The SECRETS partners, which include Motorola, Intrasoft, and Alcatel, are still working with open source software for Internet security, and Ramfos and Velentzas concur that both the public and private sectors will use such protocols more extensively in the future.
Click Here to View Full Article
From ACM's TechNews, July 26, 2004
"Wanted: Cybersecurity Experts"
Medill News Service (07/22/04); Kumler, Emily
- The federal government was urged to make a greater commitment to cybersecurity and to have cyberspace experts take on a larger role in Homeland Security efforts during a hearing before the House Science Committee on July 21. Cybersecurity experts said more educational programs are needed, and added that courses will have to be up-to-date and be able to adapt to the latest demands of cyberspace. Chet Hosmer, president of Wetstone Technologies, a cybersecurity research development company, stressed that security experts will need to make adjustments quickly because potential attacks can develop and change at "Internet speed." Hosmer also took issue with the setup of higher-education curricula, which is producing fragmented cybersecurity training programs because of its rigidity. The social science department offers criminal justice programs, while computer science is relegated to math or computer science departments. "Building programs that cross domains is quite difficult for many reasons, and the student typically lacks depth in either area and is ill-prepared for [work in] digital investigation after graduation," said Hosmer. Some educators saw community colleges as an ideal resource for security training because of their focus on practical skill. Military educational programs, such as the National Strategy to Secure Cyberspace, are another form of cybersecurity training.
Click Here to View Full Article
From ACM's TechNews, July 23, 2004
"Is Your Computer a Loaded Gun?"
Salon.com (07/22/04); Vaidhyanathan, Siva
- The Senate Judiciary Committee will hear testimony today on the Induce Act, which aims to ban technologies that enable copyright infringement and allow civil penalties for users that intentionally assist a third person in violating copyright. Although the Inducing Infringement of Copyrights Act is aimed specifically at changing the behavior of 60 million Americans who have participated in unauthorized file-sharing, it is so broad in its potential application that it makes basic technology components suspect. Not only would this law undermine the landmark 1984 "Betamax case" that provides for reasonable recording and archiving, but it also threatens to stifle technological innovation. Peer-to-peer file-sharing companies would be the direct targets of the Induce Act because they offer the interface software people use to easily share files on the Kazaa and Grokster networks. Last year, a federal court ruled these software makers cannot be responsible for the illegal activities of their users because of the way they are designed; moreover, a previous federal court ruling allowed new digital technologies such as the MP3 player because they had "substantial non-infringing uses." The Motion Picture Association of America and Recording Industry Association of America (RIAA) say the Induce Act does not target normal technology, or "neutral technology," in the words of the RIAA's Mitch Bainwol--yet no technology is neutral, especially when it is as powerful and enabling as networked digital technologies are. When users have the opportunity to use alternative file-sharing technologies such as Gnutella, ICQ, FreeNet, and BitTorrent, they will do so. Unless authorities and industry officials are willing to re-architect the entire system to disallow this misbehavior, interfering policy such as the Induce Act will fail, writes Siva Vaidhyanathan, New York University assistant professor of culture and communication.
Click Here to View Full Article (Access to this article is available to paid subscribers only.)
From EduPage, July 7, 2004
PIRACY REPORT STIRS CONTROVERSY
New York Times, July 19, 2004
- A recent report by the Business Software Alliance (BSA) about the cost of software piracy has prompted some to suggest a political motive for the report. Two weeks ago, the BSA issued a report that estimated annual losses to software piracy at $29 billion. To some, however, the timing of the report--released not long after a Senate bill was introduced that would significantly strengthen copyright law--was not merely coincidental. Opponents of the Senate bill argued that it would effectively invalidate a Supreme Court decision that protects those who develop technology that could be--but is not necessarily--used for copyright violations. Overturning that precedent, said critics, would only serve to protect interests of copyright holders and would stifle technological innovation. Critics of the bill contend that the BSA, which has previously estimated losses to piracy at $13 billion, exaggerated the amount and released the report at a time that it would influence senators considering the bill. Supporters of the bill said it is sufficiently focused to target egregious violators of copyright. The BSA defended the new estimate, saying the data that led to the higher number were more comprehensive than in previous studies. New York Times, 19 July 2004 (registration req'd)
Click Here to View Full Article
From ACM's TechNews, July 19, 2004
"Loose Clicks Sink Computers"
Baltimore Sun (07/19/04) P. 6A; Stroh, Michael
- Stray signals discharged from an electronic device can unintentionally reveal sensitive data, a phenomenon known as "compromising emanations" that has long been an attractive area of study for civilian computer researchers. In one experiment, Cambridge University computer scientist Markus Kuhn can intercept radio waves emitted by laptop video connectors, and he says that "There are probably a half-dozen or dozen exciting phenomena yet to be discovered." In another experiment, Kuhn was able to rebuild the image on a computer screen by analyzing its reflected glow on a nearby wall, while Lockheed Martin Space Systems' Joe Loughry and Auburn University's David Umphress learned that the patterned blinking of light emitting diodes embedded in hardware components can give hints about the information passing through the machine. The exploitation of compromising emanations has been a longstanding tradition, and about four decades ago the U.S. military started a highly classified project run by the National Security Agency to develop hardware that could sense and block such signals. Electromagnetic radio waves have long been the most worrisome kind of compromising emanations, but more subtle electronic signals have been uncovered in recent years. A pair of IBM researchers, for example, developed a relatively inexpensive technique to figure out what a person is typing by training neural network software to translate unique sound waves produced when the keys strike a membrane between the keyboard and its base; the use of a parabolic microphone allowed the experimenters to listen in from a distance of almost 50 feet. Meanwhile, Eran Tromer of the Weizmann Institute revealed at a May conference that encrypted data could theoretically be cracked by monitoring high-frequency noise emitted by Intel Celeron microprocessors.
Click Here to View Full Article The Baltimore Sun has removed this link - they may have corrected the problem.
From ACM's TechNews, July 14, 2004
"Computer, Heal Thyself"
Salon.com (07/12/04); Williams, Sam
- Berkeley researcher and ACM President David Patterson and Stanford scientist Armando Fox's Recovery Oriented Computing (ROC) project focuses on the design of computer systems that can rapidly bounce back from malfunctions. The initiative is just one of many "autonomic computing" projects that are sweeping academic and corporate research facilities. Fox says modern systems are plagued with software bugs that programmers have had to contend with since "the beginning of time," and he and Stanford doctoral student George Candea have co-authored a series of papers that probe "micro-rebooting," a strategy in which system managers simply reboot the malfunctioning elements of a computing network, an approach that Candea says often fixes the bug faster than tracking down and correcting the root cause. Both he and Fox have devised recursive restartability, a preventative maintenance process whereby an automated network manager reboots each branch of a network's node tree, while Candea is focusing on the integration of micro-rebooting and fault injection, a strategy he calls crash-only computing. The doctoral student has created a Java applications server split into a management element that periodically queries the software system and looks for any indications of bad data, and a monitoring element that assesses the error path and malfunctioning component and triggers a micro-reboot. The National Science Foundation has funded University of Virginia researcher David Evans' project, which mimics biological systems more closely by having modules in a software network communicate in a manner modeled after chemical diffusion. Each module is programmed to construct and maintain a 3D superstructure, after which various modules are exposed to destructive data and purged from the system when they fail; the network is designed to replace the lost modules by tapping a distributed memory or "signal" of each component's position and function.
No Additional Article Link
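The micro-reboot and recursive-restartability ideas in the summary reduce to a simple control loop: restart the smallest failing unit first, and only when that does not restore health restart the subtree above it. The Python below is an added illustration of that loop and is not the ROC project's code or Candea's Java server; the component tree, the "sticky" fault (one caused by state the parent hands to the child, so that restarting the child alone cannot clear it) and the reboot semantics are a constructed model.

```python
class Component:
    """One node in a system's component tree (constructed model, not ROC code)."""

    def __init__(self, name, children=(), faulty=False, sticky=False):
        self.name = name
        self.children = list(children)
        self.faulty = faulty      # currently producing bad data
        self.sticky = sticky      # fault lives in state the parent hands down
        self.reboot_count = 0

    def health_ok(self):
        """A node is healthy only if it and its whole subtree are fault-free."""
        return not self.faulty and all(c.health_ok() for c in self.children)

    def reboot(self, from_ancestor=False):
        """Restart this node and everything beneath it.

        A sticky fault survives a reboot of the node itself, because the bad
        state is re-supplied by the parent; only a restart that began at an
        ancestor reinitialises that state.
        """
        self.reboot_count += 1
        if from_ancestor or not self.sticky:
            self.faulty = False
            self.sticky = False
        for c in self.children:
            c.reboot(from_ancestor=True)


class RecursiveRestarter:
    """Micro-reboot the smallest failing unit first; escalate one level when that fails."""

    def __init__(self):
        self.log = []  # names of nodes rebooted, in order

    def recover(self, node):
        if node.health_ok():
            return True
        # Step 1: micro-reboot each failing child on its own (cheapest restart).
        for child in node.children:
            if not child.health_ok():
                self.recover(child)
        if node.health_ok():
            return True
        # Step 2: child-level restarts were not enough; restart this whole subtree.
        node.reboot()
        self.log.append(node.name)
        return node.health_ok()


def build_sample_tree():
    """Constructed topology: a session cache with a transient fault and a DB pool
    whose fault comes from connection settings owned by the app server."""
    cache = Component("session-cache", faulty=True)
    pool = Component("db-pool", faulty=True, sticky=True)
    app = Component("app-server", [cache, pool])
    web = Component("web-tier")
    root = Component("cluster", [app, web])
    return root, {c.name: c for c in (root, app, web, cache, pool)}


if __name__ == "__main__":
    root, nodes = build_sample_tree()
    restarter = RecursiveRestarter()
    print("recovered:", restarter.recover(root))
    print("reboot order:", restarter.log)
    print({name: c.reboot_count for name, c in nodes.items()})
```

In the sample run the healthy web tier and the cluster root are never restarted: the cache is fixed by its own micro-reboot, the pool's sticky fault forces one escalation to the app server, and recovery stops there. Keeping the blast radius that small is the point of trying the leaf first.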
From ACM's TechNews, July 14, 2004
"Hacktivism and How It Got Here"
Wired News (07/14/04); Delio, Michelle
- The term "hacktivism" was not coined until 1998, when several members of the Cult of the Dead Cow (cDc) hacker organization held an online discussion of how hacking could be used to promote political freedom in China after the Tiananmen Square incident. Professor Ronald Diebert of the University of Toronto's Citizen Lab explains, "The combination of hacking in the traditional sense of the term--not accepting technologies at face value, opening them up, understanding how they work beneath the surface, and exploring the limits and constraints they impose on human communications--and social and political activism is a potent combination and precisely the recipe I advocate to students and use to guide my own research activities." He adds that increasing numbers of mainstream human rights activists and major foundations are embracing hacktivism, and singles out cDc in particular for its often irreverent, ethical, and ingenious tactics. CDc leverages the section of the UN Declaration of Human Rights stating that freedom of opinion and expression without interference and through any media is a universal human right. Oxblood Ruffin, a member of cDc, says the group has been establishing relationships with grass-roots and traditional human rights organizations. One cDc group, Hacktivismo, has devised tools that permit people to access and exchange information marked as undesirable by their government. Patrick Ball, who directs human rights programs at the nonprofit Benetech, says "hacktivism is an opportunity for engaged young programmers to do cool and socially beneficial stuff with their technical skill and curiosity--instead of getting in trouble."
Click Here to View Full Article
From ACM's TechNews, July 12, 2004
"For Hackers, Shop Talk, a Warning and Advice"
New York Times (07/12/04) P. C3; Thompson, Nicholas
- This year's Hackers on Planet Earth (HOPE) conference featured speakers such as Apple Computer founder Stephen Wozniak, who bemoaned that people today consider hackers to be synonymous with terrorists to such a degree that the government has instituted excessively harsh penalties against violators of computer fraud regulations. Wozniak described hacking as mainly "just some kid trying to do something funny," illustrating his argument with his own hacking escapades, which included such pranks as manipulating the phone system to place a free call to the pope. Wozniak told the younger attendees that they should follow a code of ethics and resist the temptation to do harm, a view espoused by many veteran hackers. HOPE conference head of security Mike Roadancer said he thinks younger hackers have a strong need for guidance and discipline. A recurring contention among speakers and participants at the conference was that they hack chiefly to expose security holes in corporate computer systems in the hopes that their actions will lead to improved data protection and privacy. "If a hacker breaks into a company's system, and that system isn't properly secured, that company should be held liable," remarked veteran hacker John T. Draper. A good portion of the event was devoted to arguing the need for the government to loosen its monitoring and control of computer networks. Sessions were held to help hackers become more competent, while others concentrated on tools that could help penetrate or secure computer systems.
Click Here to View Full Article (Access to this site is free; however, first-time visitors must register.)
From ACM's TechNews, July 12, 2004
"Cybersecurity Research Underfunded, Executives Say"
Government Computer News (07/08/04); Jackson, Joab
- The National Science Foundation (NSF) can only fund about 10 percent of the research proposals it receives in regards to improving IT security, according to testimony at a House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census hearing this week. "There are good ideas in the cybersecurity area that we're simply not able to fund," said NSF computer and information science and engineering directorate assistant director Peter Freeman. He said the foundation has received over 150 proposals for a current solicitation in computer security, about a third of which show promise, but that the agency has only enough money to fund 10 percent of the total. Hratch Semerjian, the acting director of the National Institute for Standards and Technology (NIST), said computer security deserves more emphasis and that it is an important part of nearly every new application developed by the institute. The NSF has requested $751 million for networking and IT research next year, while the NIST has requested $57.9 million for computer science research, with another $6 million specifically for cybersecurity. Overall, Rep. William Clay (D-Mo.) says federal spending on IT-related R&D will total about $2.2 billion this year, but would fall to $2 billion in 2005 under President Bush's budget proposal.
Click Here to View Full Article
From ACM's TechNews, July 12, 2004
"Corporate Governance Task Force Pushes Security Best Practices"
Enterprise Systems (07/07/04); Schwartz, Mathew
- A new report from the National Cyber Security Partnership's (NCSP) corporate governance task force says getting executives involved in security is the best way to protect the nation's critical infrastructure. The report, "Information Security Governance: A Call to Action," suggests more federal funding for software development tools that root out defects, a management framework for information security governance, and more executive-level and boardroom-level attention to security. Unisys managed security services global director John Summers says the report's aim was to help governments and companies correctly implement and secure an electronic infrastructure. He says, "One of the challenges that all organizations are trying to address--the government in particular--is what is the right way to implement [and] secure an electronic infrastructure." Unisys is assisting the Transportation Security Administration with network implementation, including IT security. Summers believes that critical infrastructure industries are moving from making security imperative to making it routine. Companies usually want others to define security standards and responsibilities, but it is hard to define best practices when things are still evolving, he explains. To complement the NCSP report, Summers recommends the National Institute of Standards and Technology's security infrastructure best practices, which are intended for federal agencies. It is too soon for regulations because threats and responses are changing too quickly. Summers says that security is more about risk management; security assessment should involve the needs of the business overall.
Click Here to View Full Article
From EduPage, July 7, 2004
United Nations To Address Spam Problem
San Jose Mercury News, 6 July 2004
- Officials from a United Nations agency said this week it will work to fight spam on an international scale. According to Robert Horton, the acting chief of the Australian communications authority, the International Telecommunications Union (ITU) will work to bring the problem of spam under control within two years. The ITU, which is meeting this week in Geneva to address the growing problem of spam, will write examples of legislation that would allow effective cooperation among governments in fighting spam. Many countries currently lack any legislation dealing with spam, and those that do often have laws that are difficult to reconcile across borders. According to the ITU, spam may account for as much as 85 percent of all e-mail today, as well as a significant portion of text messages received by cell phones.
http://www.siliconvalley.com/mld/siliconvalley/9089737.htm
Three Countries To Coordinate Antispam Efforts
Internet News, 6 July 2004
- The United States, the United Kingdom, and Australia have agreed to coordinate their efforts to fight spam. Under the agreement, the U.K. Office of Fair Trading, the Australian Competition and Consumer Commission, and the U.S. Federal Trade Commission will share evidence and investigative information against spammers. The United Kingdom and Australia are expected to benefit from the agreement more than the United States, which is responsible for more global spam than any other country. According to a recent report, the number of spam outbreaks has risen from 350,000 per day to 500,000 since the United States passed the Can Spam Act. The report also estimates that within two years, spam will account for 98 percent of all e-mail.
http://www.internetnews.com/xSP/article.php/3377451
Report Shows Steep Rise In Software Piracy
CNET, 7 July 2004
- A new report from the Business Software Alliance (BSA) estimates that pirated software represented 36 percent of all software installations worldwide during 2003, with corresponding losses to software makers of $29 billion. According to the report, financial losses were highest in Western Europe, at $9.6 billion, and the highest levels of piracy were found in China and Vietnam, at 92 percent. The BSA, which represents companies including Microsoft, Apple Computer, Hewlett-Packard, Intel, and IBM, largely attributes the rise in software piracy to P2P networks. Jeffrey Hardee, the BSA's Asia-Pacific director, said that governments in the Asia-Pacific region "really do want to develop strong IT sectors. And to do that, there's no question they have to bring down the levels of piracy."
http://news.com.com/2100-1014_3-5259395.html
From ACM's TechNews, June 30, 2004
"Software Fuse Shorts Bugs"
Technology Research News (07/07/04); Patch, Kimberly
- Stanford University researcher George Candea says restraints on inputs and outputs could make software more stable, preventing much of the bug-related trouble that costs the U.S. economy nearly $60 billion each year, according to National Institute for Standards and Technology estimates. Software fails when operations extend beyond the set of conditions for which the software was tested, and Candea proposes constraining reality for software by rejecting unanticipated inputs and outputs through the use of software fuses, which are protections similar to electrical fuses regulating current flowing through a circuit. Developing these fuses requires correctly defining acceptable input and output, as well as measuring predictability so that trade-offs can be made between predictability, performance, and cost. Candea's approach treats the software application itself as a black box so that the software fuse is similarly deployed with both legacy systems and newer software. Traditional software reliability researchers may eschew limiting inputs and outputs, but Candea says the method is a pragmatic way of dealing with a very difficult problem, and should coincide with regular software quality improvements. He says, "Instead of fixing the product that fails when given wrong inputs, fix the inputs." Software fuses would guard against inputs of unexpected size, such as buffer overflow exploits used by the SQL Slammer worm, for example, or inputs of unexpected content, such as the HTML parsing technique used in denial-of-service attacks with the Apache Web server and Squid proxy cache. Other benefits of the software fuse method include the ability of third parties to install the fuses on proprietary software and their relative cost-effectiveness compared to constantly rewriting software, which often introduces new bugs.
Click Here to View Full Article
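The fuse idea in the summary is an envelope around a black box: a size bound and a content grammar on the way in, a size bound on the way out, and a record of every trip so the envelope can be tuned against the predictability-versus-cost trade-off the article mentions. The Python below is an added example, not Candea's implementation; the wrapped `legacy_handler`, the request grammar and the byte limits are constructed stand-ins for a proprietary component and its tested operating range.

```python
import re


class FuseBlown(Exception):
    """Raised when a request or response falls outside the envelope the fuse allows."""


class SoftwareFuse:
    """Wrap a black-box handler with input and output constraints (constructed example)."""

    def __init__(self, max_input_bytes, input_pattern, max_output_bytes):
        self.max_input_bytes = max_input_bytes
        self.input_pattern = re.compile(input_pattern)
        self.max_output_bytes = max_output_bytes
        self.trips = []  # (reason, detail) per rejected call, kept for tuning the envelope

    def _trip(self, reason, detail):
        self.trips.append((reason, detail))
        raise FuseBlown(f"{reason}: {detail!r}")

    def guard(self, handler):
        def wrapped(data: bytes) -> bytes:
            # Unexpected size: reject before the handler ever copies the data.
            if len(data) > self.max_input_bytes:
                self._trip("input-size", len(data))
            # Unexpected content: only what the handler was tested against gets through.
            if not self.input_pattern.fullmatch(data):
                self._trip("input-content", data[:32])
            out = handler(data)
            # Unexpected output: a runaway response is cut off as well.
            if len(out) > self.max_output_bytes:
                self._trip("output-size", len(out))
            return out
        return wrapped


def legacy_handler(request: bytes) -> bytes:
    """Stand-in for proprietary code the fuse must treat as a black box (constructed)."""
    _, _, path = request.partition(b" ")
    return b"200 OK " + path.strip()


# Envelope: a GET or HEAD, a space, and a short path made of safe characters.
REQUEST_PATTERN = rb"(GET|HEAD) /[A-Za-z0-9._/-]{0,200}\r?\n?"
fuse = SoftwareFuse(max_input_bytes=256, input_pattern=REQUEST_PATTERN, max_output_bytes=1024)
guarded = fuse.guard(legacy_handler)


def trips(data: bytes):
    """Return the fuse's reason for rejecting data, or None if it passed through."""
    try:
        guarded(data)
        return None
    except FuseBlown:
        return fuse.trips[-1][0]


if __name__ == "__main__":
    print(guarded(b"GET /index.html\n"))
    print(trips(b"GET /" + b"A" * 4000))         # oversized request: input-size
    print(trips(b"GET /index.html\x00\x00"))     # control bytes in the path: input-content
    print(fuse.trips)
```

The content check uses `fullmatch`, so anything the grammar does not explicitly allow is rejected; that is the "fix the inputs" stance in code. The `trips` list is what you would watch in production: a fuse that trips on legitimate traffic has an envelope drawn too tightly, and the trade-off is resolved by widening the grammar, not by removing the fuse.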
"FTC Mulls Bounty System to Fight Spam"
MSNBC (06/29/04); Brunker, Mike
- The perceived ineffectiveness of the federal CAN-Spam law has prompted the FTC to consider a bounty system in which a person who identifies a spammer breaking the law will receive a reward of at least 20 percent of the civil penalty the FTC eventually collects--a particularly attractive proposition, considering that the FTC will probably seek multimillion-dollar fines against the most flagrant violators. The bounty concept was given currency by Stanford Law School professor Lawrence Lessig, who concluded, "If the vigilantes who are working so hard to keep lists of offending email servers were to turn their energy to identifying and tracking down spammers, then this passion to rid the world of spam might actually begin to pay off--both for the public and for the bounty hunters." The FTC is accumulating and evaluating expert testimony on the plan and is expected to tell Congress whether it is feasible by September, but critics want the plan rejected. Spamhaus.org founder Steve Linford sees no point to such a system, given that the FTC has already compiled so much data about spammers' identities, while Louis Mastria with the Direct Mail Association says the plan would only encourage online vigilantism and probably would not lead to any actual arrests. But disappointment in CAN-Spam's performance is palpable and growing stronger, given reports of steadily increasing volumes of spam. Worse, IronPort Systems' Tom Gillis says spammers are increasingly using "zombie" computers as spam launching platforms in order to avoid being traced by authorities. On the other hand, CAN-Spam advocates feel the law is fulfilling its purpose, and was never intended to be an all-in-one solution, but rather "one weapon in the [anti-spam] arsenal," according to Carol Guthrie, a representative of CAN-Spam co-author Sen. Ron Wyden (D-Ore.).
Click Here to View Full Article
From ACM's TechNews, June 28, 2004
"Winning the War on Spam"
Discover (06/04) Vol. 25, No. 6, P. 24; Johnson, Steven
- The current model for fighting spam is treating it as a disease, with spam-blocking software, blacklists, and other techniques being disease-fighting antibodies. Some technology experts say this thinking is flawed because it does not try to address the root cause of spam, which is its profitability: If millions of identical messages are sent out, the cost is still basically the same as if the spammer sent only one message. Ferris Research estimated businesses spent $10 billion fighting spam last year, not to mention the inconvenience caused to home users and the millions of hours consumed emptying junk mail. Over the past several decades, environmentalists figured out that industrial pollution, like spam, actually costs more than it appears: People buying gas at the pump pay for the oil extraction, refining, and transportation, but do not pay for the associated damage to the environment; in this sense, email is simply too cheap to reflect the exorbitant costs of spam on users and the Internet infrastructure. Although some experts have advocated a small monetary charge for email, this system would not only be difficult to implement, but would unfairly punish those who could possibly benefit from email most. Microsoft researcher Cynthia Dwork has another solution that involves payment for email, except in computation time, not money: She suggests making sending computers figure out a puzzle so that each email message would cost about 10 seconds in computational time. Dwork's scheme is dependent on a variable element in the puzzle, which can increase the complexity of the puzzle in relation to Moore's law; though this 10-second tax would not likely affect regular users much since they could do other tasks on their PC in the meantime, it would mean a single computer could only send out roughly 8,000 emails per day instead of the millions they currently can churn out. Spammers would have to buy more machines, which would put many of them out of business.
Click Here to View Full Article
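The pay-in-computation scheme described above has a familiar concrete shape: the sender searches for a nonce that makes a hash of the message's stamp begin with a required number of zero bits, and the receiver checks it with a single hash. The Python below is an added example of such a puzzle and is not Dwork's construction or a reproduction of any deployed scheme; the stamp format, the field names and the sample recipient and date are constructed. The number of required zero bits is the "variable element": each extra bit doubles the sender's expected work, so it can be raised as hardware gets faster, while verification stays at one hash.

```python
import hashlib
import math
import time

HASH_BITS = 256  # SHA-256 digest length in bits


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a SHA-256 digest."""
    return HASH_BITS - int.from_bytes(digest, "big").bit_length()


def stamp_hash(bits: int, date: str, recipient: str, nonce: int) -> bytes:
    """The puzzle input. Binding recipient and date into the stamp stops one
    solution from being reused across millions of addresses or days."""
    return hashlib.sha256(f"{bits}:{date}:{recipient}:{nonce}".encode()).digest()


def mint_stamp(recipient: str, date: str, bits: int) -> str:
    """Sender side: try nonces until the hash has `bits` leading zeros.
    Expected cost is about 2**bits hashes."""
    nonce = 0
    while leading_zero_bits(stamp_hash(bits, date, recipient, nonce)) < bits:
        nonce += 1
    return f"{bits}:{date}:{recipient}:{nonce}"


def verify_stamp(stamp: str, required_bits: int, recipient: str) -> bool:
    """Receiver side: one hash, regardless of how long minting took."""
    try:
        bits_s, date, addr, nonce_s = stamp.split(":")
        bits, nonce = int(bits_s), int(nonce_s)
    except ValueError:
        return False
    if addr != recipient or bits < required_bits:
        return False
    return leading_zero_bits(stamp_hash(bits, date, addr, nonce)) >= bits


def bits_for_cost(target_seconds: float, hashes_per_second: float) -> int:
    """Smallest difficulty whose expected work takes at least target_seconds
    on a machine doing hashes_per_second; re-run this as hardware speeds up."""
    return math.ceil(math.log2(target_seconds * hashes_per_second))


def messages_per_day(seconds_per_message: float) -> int:
    """Ceiling on what one machine can send when every message costs this long."""
    return int(86400 // seconds_per_message)


if __name__ == "__main__":
    rcpt, day = "alice@example.org", "20040628"   # constructed sample values
    t0 = time.perf_counter()
    stamp = mint_stamp(rcpt, day, 16)
    elapsed = time.perf_counter() - t0
    print("stamp:", stamp, "valid:", verify_stamp(stamp, 16, rcpt))
    rate = 2 ** 16 / max(elapsed, 1e-9)
    print("bits for a ~10 s stamp on this machine:", bits_for_cost(10, rate))
    print("messages per day at 10 s each:", messages_per_day(10))
```

At ten seconds a message the daily ceiling is 8,640, the "roughly 8,000" figure in the summary. The test below mints at 12 bits so it runs in milliseconds; the bit count, not the code, is what sets the real-world price.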
"Internet Takedown"
Government Technology (06/04) Vol. 17, No. 6, P. 24; McKay, Jim
- The United States is depending more and more on the Internet to conduct business and government functions, but this poses a risk given the vulnerability of the Internet. Experts say that the chances of a major disruption--whether from deliberate attack or from an accident like the 2003 blackout--are growing. "The problem with the Internet is we developed it so fast and furiously, and didn't take a step back and build it foundationally with security in mind," says Phyllis Schneck, chairwoman of the FBI's InfraGard board of directors. There is no real short-term solution besides reducing the severity and number of interruptions, including viruses. Georgia Technology Authority Walter Tong says hackers are the most worrisome threat presently. A company with excellent security could still be at risk if it is connected to one with poor security, and Carnegie Mellon University Software Engineering Institute fellow Watts Humphrey says today's software is so defective that hackers easily find flaws in it. There is no real agreement as to how much damage an accident or a hacker can cause, though studies at Ohio State University suggest that the storage of key Internet routing information in only a few nodes is not a good idea, since damaging one could affect many areas. Critical infrastructure such as emergency services and transportation use the Internet, which puts those systems at risk until some technological solution is developed, such as a parallel network with secure routers. John McCarthy, executive director of the George Mason School of Law's Critical Infrastructure Protection Project, is involved with a partnership between the District of Columbia, Maryland, Virginia, and the Homeland Security Department to find out what infrastructures are essential, how they are interdependent, and what to do to protect them. He believes that every sector should understand its role in protecting, and that state governments must determine which infrastructures are most important.
Click Here to View Full Article
From ACM's TechNews, June 25, 2004
"IT and End Users Differ on Spam Severity"
IT Management (06/18/04); Gaudin, Sharon
- Spam in the workplace is a greater source of concern among IT managers than end users, according to a study performed by Insight Express for the information security firm Symantec. Around 50 percent of polled end users say junk email is not a problem in the office, while 79.1 percent of IT managers report that spam is a weighty problem. Ten percent of IT administrators say spam is out of control, 33 percent claim it is barely under control, and 56 percent are convinced spam is fully under control. In comparison, about 8 percent of end users believe spam is out of control, 23.3 percent think spam is barely under control, and 68 percent are confident that it is firmly under control. IT managers listed spam as their worst problem after malware, according to the Insight survey. Symantec product management director Chris Miller explains that spam is a bigger problem for IT administrators because they must deal with the spam that all the staff receives, not just one employee. "They're dealing with bandwidth usage, storage usage, viruses it may be bringing in, staffing, and the hours they have to put in," he notes. "The end user sees it as garbage they have to deal with. The IT manager has a lot of other issues." One thing IT managers and end users agree on is spam's staying power: Almost 71 percent of IT managers expect to be struggling with spam three years from now, while 72 percent of end users wager that the spam problem will increase in severity.
Click Here to View Full Article
"Task Force Pushes for Early Warning System" Security Management (06/04) Vol. 48, No. 6, P. 40; Piazza, Peter
- The Cyber Security Early Warning task force,
formed at last year's National Cyber Security Summit,
has issued recommendations for the first time,
including one for the creation of an Early Warning
Alert Network (EWAN) to work with existing
public-private information-sharing organizations. The
network would be funded by stakeholders and the
Homeland Security Department, and would create a
network of networks. The task force's aim is to
improve the sharing, integration, and dissemination of
cybersecurity threat information culled from the DHS'
US-CERT, the FBI's InfraGard program, and critical
infrastructure information sharing and analysis
centers (ISACs). The task force wants to start beta
testing EWAN in October and launch it in December, but
those dates are not fixed. The task force would also
like to create a National Crisis Coordination Center
(NCCC) to pull together both private and public
constituencies to prevent and respond to crises.
Information Technology Association of America vice
president Greg Garcia describes the NCCC as "a
cross-disciplinary organization in which, working side
by side, were representatives from intelligence
agencies, law enforcement agencies, the private
sector, academia, all working together in a
collaborative environment" on both cyber and physical
security. However, the center is a ways off from
realization. Tekmark Global Solutions managing
director Mike Higgins believes that the
recommendations will run into the same snags that have
hindered similar ventures, such as the private
sector's fear of sharing information with the
government, and having it thus exposed to the Freedom
of Information Act. Nevertheless, the NCCC has strong
support from Congress and various government agencies.
From New York Times, June 23, 2004
Two Arrested and Charged in E-Mail Theft, By Saul Hansell
- U.S. investigators arrested an America Online
employee for stealing the Internet provider's customer
list and selling it to a purveyor of "spam" e-mail.
From EduPage, June 23, 2004
ISPs Agree On Antispam Measures, New York Times, 23 June 2004
- Four of the largest e-mail providers have agreed
to work collectively on sender-authentication
technologies to limit the flow of spam. Despite saying
more than a year ago that they would cooperate on such
an undertaking, America Online, Yahoo, EarthLink, and
Microsoft have been working on separate approaches to
the challenge of screening out e-mail that does not
come from its purported source. In May, however,
Microsoft announced it would combine its technology,
called Caller ID, with that of America Online and
EarthLink, called Sender Policy Framework (SPF), and
name it Sender ID. Meanwhile, Yahoo has been
developing a technology called Domain Keys, which is
potentially more effective but requires more work to
implement. The four companies announced this week they
would test each other's technologies, paving the way
for a coordinated effort to block spam. http://www.nytimes.com/2004/06/23/technology/23spam.html
From ACM's TechNews, June 23, 2004
"Software Industry Seeking New Ways to Fight Piracy" Investor's Business Daily (06/22/04) P. A4; Bonasia, J.
- The software industry has been attempting to
counteract digital piracy through education and
technological measures, but the results have been
uneven. Business Software Alliance (BSA) VP Bob Kruger
says program-sharing employees at small and midsize
firms are chiefly responsible for the rampant spread
of software piracy, which costs the industry $13
billion annually, by BSA estimates. The software
industry's anti-piracy tactics have evolved from
unwieldy "dongles" to the application of serial
numbers to software products that verify licensed
users online when a new program is activated, but
Autodesk government affairs director David Crane
believes the optimum solution is a greater emphasis on
education and anti-piracy enforcement. The nonprofit
BSA raises public awareness of digital piracy through
representation at industry events, offices, and
schools, and via notices and advertisements; in
addition, people can report on their current or former
employers through a BSA Web site or a toll-free hot
line. If companies are not complying with software
license terms, BSA fires off a letter of warning to
the CEO, and then may request a court order for a
surprise software audit if the company remains
noncompliant. "We want to bring these companies into
the fold of responsible software users," says Kruger.
Perpetrators of black-market organized digital piracy
may also face the wrath of the Justice Department: Two
years ago, John Sankus Jr., chief architect of the
notorious DrinkOrDie software piracy ring, received a
prison sentence of 46 months. Kruger says such
incidents can serve as reminders to corporate tech
managers of the importance of software license
enforcement.
"Spam-Sending PCs Could Be Kicked Offline" MSNBC (06/22/04); Sullivan, Bob
- The Anti-Spam Technical Alliance, which counts
Yahoo!, AOL, Earthlink, and Microsoft among its
members, released a set of recommendations on June 22
for halting the proliferation of junk email. One of
the recommendations calls for ISPs to cut email
service for any users whose computers have been turned
into "zombie" spam-launching platforms, even if they
are unaware that their systems have been hijacked.
MessageLabs.com estimates that almost two-thirds of
all spam is sent by zombie systems, while AOL believes
that figure could be closer to 90 percent.
MessageLabs' Brian Czarny doubts that ISPs would be
able to suspend service for so many users, given the
massive volume of customer service calls they would be
inundated with; a more realistic expectation is for
the firms to restrict outgoing emails to 100 or 500
per day, and then notify users that their machines
must be purged before they can send any more messages.
MessageLabs researchers have also determined that
spammers are increasingly personalizing spam by
monitoring recipients through spyware programs--in
fact, a recent Earthlink poll calculates that
one-third of all Net-linked computers have been
infected with spyware. More accurately identifying
actual email senders is another priority of the
Alliance, and among its proposals for reaching this
goal is restricting the number of emails spam
purveyors can send, if not shutting off their email
altogether. "It's much the way a credit-card company
would look for...suspicious spending on your credit
card and either contact you or secure your account
immediately," explains AOL director of anti-spam
operations Carl Hutzler. Earthlink chief architect
Robert Sanders argues that deactivating consumers'
email benefits them since their PCs are already
contaminated by malware. Click Here
to View Full Article
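The per-account outbound cap described above (throttle at 100 or 500 recipients a day, then tell the user to clean the machine), as an added example that is not code from the Alliance, MessageLabs, or any ISP; the submission-log format, the cap, and every account name are constructed for illustration:

```python
"""Daily outbound cap of the kind the Anti-Spam Technical Alliance
recommended: total what each account submits per day, throttle anyone
past the cap, and tell them why.  Added example; the log format and
all account names below are constructed, not real data."""
from collections import defaultdict
import re

# Constructed submission-log format (hypothetical, not any real MTA's):
#   <ISO timestamp> account=<mailbox> rcpts=<recipient count>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"account=(?P<account>\S+) rcpts=(?P<rcpts>\d+)$"
)

DAILY_CAP = 100  # the lower of the two figures quoted in the article


def parse_line(line):
    """Return (day, account, recipients) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day = m.group("ts")[:10]  # "YYYY-MM-DD"; the cap is applied per day
    return day, m.group("account"), int(m.group("rcpts"))


def daily_recipient_counts(lines):
    """Sum recipients per (day, account).  A hijacked machine relays a
    few envelopes with huge recipient lists, so recipients, not message
    count, is the yardstick.  Returns (counts, number of skipped lines)."""
    counts = defaultdict(int)
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        day, account, rcpts = parsed
        counts[(day, account)] += rcpts
    return dict(counts), skipped


def flag_accounts(counts, cap=DAILY_CAP):
    """Return {account: {day: total}} for every account over the cap on
    any day.  Because the cap resets daily, a user whose machine was
    cleaned after the notice starts fresh the next day."""
    flagged = defaultdict(dict)
    for (day, account), total in counts.items():
        if total > cap:
            flagged[account][day] = total
    return dict(flagged)


def decide_actions(counts, cap=DAILY_CAP):
    """Map each over-cap account to the article's two-step response:
    pause its outbound mail, then notify the user with the reason."""
    actions = {}
    for account, days in flag_accounts(counts, cap).items():
        worst = max(days.values())
        actions[account] = {
            "throttle": True,
            "notify": (f"outbound mail paused: {worst} recipients in one day "
                       f"exceeds the {cap}/day cap; scan this machine "
                       f"for malware before sending again"),
        }
    return actions


# Constructed sample: one ordinary user, one account behaving like a
# zombie relay, one malformed line, and a quiet next day for the zombie.
SAMPLE_LOG = [
    "2004-06-22T08:12:01 account=alice@example.test rcpts=2",
    "2004-06-22T09:45:17 account=alice@example.test rcpts=1",
    "2004-06-22T02:00:03 account=bob@example.test rcpts=95",
    "2004-06-22T02:00:04 account=bob@example.test rcpts=80",
    "2004-06-22T02:00:05 account=bob@example.test rcpts=120",
    "this line is not a submission record",
    "2004-06-23T10:00:00 account=bob@example.test rcpts=1",
]

if __name__ == "__main__":
    totals, skipped_lines = daily_recipient_counts(SAMPLE_LOG)
    for acct, action in decide_actions(totals).items():
        print(acct, "->", action["notify"])
    print(f"{skipped_lines} malformed line(s) ignored")
```

With the 500-a-day figure instead, the same sample flags nobody, which is the trade-off Czarny describes between catching zombies and generating support calls.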
From ACM's TechNews, June 21, 2004
"Shortage of Computer Security Experts Hampers Agencies" National Journal's Technology Daily (06/10/04); New, William
- Homeland Security Department chief security
officer Jack Johnson warns there is a severe lack of
IT security professionals in government, and that the
government needs to train the "next generation" of
cyber experts. Johnson says his agency lacks the IT
workforce it needs to build required security systems,
and would contract that job out to private-sector
workers, except that there are only so many cleared
contractors. At the Homeland Security Department,
Johnson and CIO Steve Cooper have split data security
tasks, with Johnson handling unclassified data and
Cooper dealing with more sensitive material. Cooper is
currently working on a Homeland Security Information
Network he says will be on par with Defense Department
security by the end of this year, and is also
redesigning personnel security in order to lessen
internal cybersecurity threats. Federal Aviation
Administration (FAA) deputy director Thomas O'Keefe
says that more research and development is needed for
cybersecurity, along with more collaboration among
industry and researchers. He argues that
information-sharing among government security
professionals needs to be more efficient and effective
than information-sharing among Internet criminals.
O'Keefe notes that the nation's air-traffic control
system is completely separate from the Internet,
protecting it from viral outbreaks. The FAA is moving
to an IP-based system, but will still keep its network
separate from the general Internet. Click
Here to View Full Article
"Vigilantes on the Net" New Scientist (06/12/04) Vol. 182, No. 2451, P. 26; Moran, Barbara
- Counterstrike software is viewed as a panacea by
companies frustrated by ineffective laws and
enforcement against hackers and other online
miscreants, but critics claim that such a tactic is
unethical, possibly unlawful, and could provoke an
all-out war in cyberspace. Most organizations'
response to cyberattacks is to bolster their defenses
with firewalls, honeypots, and other measures, but
network managers are locked into an unending game of
one-upmanship with hackers; furthermore, small
companies may not have the financial resources to
upgrade their protection. It was this conundrum that
prompted Tim Mullen of AnchorIS to develop software
that strikes back at malware such as the Nimda worm by
sending its own mutual exclusion (mutex) program back
to the machine the worm came from and causing it to
reboot (thus canceling the worm's mutex), while the
user of the worm-sending machine is informed of his
culpability via a pop-up window. Symbiont's iSIMS
software is more sophisticated, and offers more
aggressive counterstriking options: The product
analyzes attacks to determine their point of origin,
the damage they could cause if not stopped, and
possible response strategies, leaving the final
decision to the individual client. Offensive measures
iSIMS is capable of include altering routing data on a
malware-laden packet so that it is directed back to
its source, and a last-resort option of sending code
to the attacking computer that stops the attack. A key
concern of critics is that counterstrike software can
target innocent users such as owners of "zombie"
computers who are unaware that their machines have
been hijacked, or people whose addresses have been
deliberately spoofed by hackers. In one scenario,
malicious parties could exploit counterstrike software
and goad two organizations to attack each other.
Lawrence Berkeley National Labs engineer Eugene
Schultz contends that the mentality behind
counterstrike software is typical of "a small number
of...hotheads...who want to get back at people."
"Decoding Application Security" CSO Magazine (05/04); Violino, Bob
- The World Wide Web has made business easier, but
it has made information security more expensive and
difficult. Application security is a major issue for
chief information security officers (CISOs). Security
product vendors are introducing new products intended
to provide application-level security that firewalls
cannot, but CSOs and CISOs say that enterprises should
proceed cautiously as the processes and products
mature. Web application attacks use application flaws
to get into systems or computers, and defensive
measures include code inspection, outside scanning for
flaws, and application-security gateways that scan
incoming network traffic more deeply than conventional
firewalls. Web-application security monitors
applications to make sure they behave the way they are
supposed to, explains Gartner's Richard Stiennon,
which is more effective than trying to learn every
attack signature. Yankee Group predicts that the
market for application security products and services
will go from 2002's $140 million to $1.74 billion by
2007. The technologies currently available are working
well, say early adopters. New York State Office of
Cyber Security & Critical Infrastructure
Coordination director Will Pelgrin says the state is
looking into application-security products, and has
included application-security best practices in its
state agencies' security policy. The Department of
Energy is evaluating a NetContinuum gateway, and
senior security analyst John Dias says the agency's
vulnerability to application-level attacks has
dropped. However, the technologies are hindered
somewhat by their impact on application performance,
complex implementation, untested record, and funding
and training issues. Click
Here to View Full Article
From ACM's TechNews, June 16, 2004
"FTC Rejects Creation of No-Spam Registry" Washington Post (06/16/04) P. A1; Krim, Jonathan
- FTC Chairman Timothy Muris announced yesterday
that the agency would not develop a do-not-spam list
similar to the highly popular do-not-call list; Muris
said the list would be ineffective because spammers
would simply choose to ignore it. Worse still, he said
such a registry could be exploited by spammers to
increase their mass sending of junk email. Sen.
Charles E. Schumer (D-N.Y.) expressed his
disappointment with the decision in a written
statement, noting that "The registry is not the
perfect solution but it is the best solution we have
to the growing problem of spam and we will pursue
congressional alternatives in light of the FTC's
adamancy." Muris said the FTC would pressure industry
to develop an electronic email sender authentication
scheme that would make it more difficult for bulk
emailers to conceal their locations and mask their
identities, and Internet providers such as AOL,
Yahoo!, Microsoft, and EarthLink are working toward a
standard authentication platform. Lurking beneath the
surface of the no-spam registry issue is the question
as to whether the federal CAN-SPAM Act is successful,
and recent reports have been less than encouraging: A
survey sponsored by the Chief Information Officer
Executive Council rates the law as ineffective, based
on estimates that 39 percent of 141 polled CIOs expect
their companies to spend more than $100,000 to combat
spam this year. In addition, more than half of the
respondents expressed a desire for a no-spam registry.
Advocates believe such a measure could help correct
what they perceive as a major drawback of CAN-SPAM,
which is the reliance on an opt-out system that
requires users to ask to be removed from marketing
lists. Proponents argue that a no-spam registry would
serve the same function as an opt-in system,
eliminating much of the complexity of enforcement. Click
Here to View Full Article
"Is the Future of E-Mail Under Cyberattack?" USA Today (06/15/04) P. 4B; Swartz, Jon
- Experts fear that email's utility is gravely
threatened by a growing prevalence of malware, spam,
and various online scams, and individuals and
companies are considering or implementing alternate
measures and restrictions to mitigate the problem.
Many consumers have gotten into the habit of deleting
unfamiliar messages, and have stopped attaching large
documents to their emails because they are usually
deleted by recipients concerned that such packages may
contain malicious payloads. Meanwhile, some companies
prohibit workers from using email accounts not related
to their jobs, and an InsightExpress poll of 500
business owners estimates that roughly 40 percent of
small businesses would consider dumping email for
business correspondence if junk email gets worse. The
situation is prompting security companies to market
intrusion detection products, while AOL, Yahoo!, and
Microsoft have joined forces to create the email
equivalent of a "caller-ID" standard, which is at
least a year away from rollout. Market researchers
indicate that spam, computer viruses, and unique
phishing attacks were responsible for personal losses
and lost workplace productivity adding up to over $15
billion in 2003. The erosion of people's trust in
email is being driven by an acceleration in spamming
and scamming, while many home PCs lack proper security
measures. Nucleus Research says the annual cost of
spam in terms of lost productivity has doubled over
the past year to almost $2,000 per worker; the
Anti-Phishing Working Group estimates that the number
of unique phishing attacks skyrocketed from 402 to
1,125 between March and April; and security experts
report that virus authors, spammers, and phishers are
increasingly teaming up outside of U.S. jurisdiction.
Click
Here to View Full Article
From ACM's TechNews, June 14, 2004
"Pay or Go Away: What Would Spammers Do?" EurekAlert (06/08/04)
- Researchers at the University of Michigan believe
that charging spammers for every message they send
would solve the spam problem within two to three
years. Marshall Van Alstyne, an assistant professor in
the School of Information, computer science doctoral
students Thede Loder and Rick Wash, and Mark Benerofe,
a technology industry and media executive in Atlanta,
Ga., were in Washington, D.C., this week to present a
proposal to the FTC's Bureau of Economics. The
Attention Bond Mechanism (ABM) would have recipients
and senders negotiate the terms of communication
without any assistance from a third party. "The sender
who believes his or her message is not spam is willing
to put up that money--to risk it--to prove that if the
recipient reads the email, they will agree that it is
not spam," says Van Alstyne. The researchers say the
technology needed to make the ABM system a reality is
already available, adding that changes in
infrastructure will be needed as well as proper
wiring. The anti-spam technology would boost the
"quality of information exchange and reduce the email
volume that clogs networks and increases costs for
consumers and business," adds Wash. Click
Here to View Full Article
From ACM's TechNews, June 11, 2004
"Invasion of the Spambots" Salon.com (06/08/04); Williams, Sam
- Spambots are mutating into numerous varieties that
relentlessly penetrate new areas, such as instant
messaging, blogs, chat rooms, and cell phones, and
these mutations are being driven by two antithetical
online publishing trends: Growing homogeneity in the
use of Google and other basic software tools, and
increasingly specialized content. These new, indirect
techniques are designed for the purpose of enhancing
visibility rather than solicitation or receipt
confirmation, in the hopes that popular search engines
such as Google will highly rank links to marketers'
sites in search results. Innovative spambots lend
themselves particularly well to adult entertainment
companies such as Edge Productions, whose VP Domenic
Merenda has split the programs into three
varieties--address-harvesting bots, URL-proliferator
bots, and lead-generation bots, the most advanced and
expensive option. The lead-generation bots analyze R-
and X-rated chat-room logs, where they scan
transcripts to determine the names and addresses of
the most active participants, who are then targeted by
adult-oriented ads produced by third-party vendors.
However, this strategy can backfire due to large
numbers of bots disguised as people who turn out to be
the most active forum participants. Carnegie Mellon
University researchers have developed automated
CAPTCHA programs to discourage spammers' use of
lead-generation bots in chat rooms, although the
safeguard is not foolproof. CAPTCHAs are set up so
that users must identify a randomly generated word to
prove they are human, the catch being that the word is
distorted and often displayed against a patterned
background that even the most advanced optical
character recognition systems cannot decipher.
From EduPage, June 9, 2004
Used Computers Full Of Sensitive Information, BBC, 9 June 2004
- A British security firm researching the fates of
lost or stolen laptops has found significant risk of
security lapses in such situations. Pointsec Mobile
Technologies purchased 100 laptops and hard drives
from auctions and Web sites such as eBay. Despite
having supposedly been erased, 70 percent of the hard
drives the researchers inspected were easily readable.
One of the hard drives obtained by the company for
five euros on eBay included personal customer
information, including pension plans, dates of birth,
and home addresses, from one of Europe's largest
financial services groups. In addition, Pointsec was
able to access information on one in three laptops,
simply by using commonly available password-cracking
software. According to the company, most airports and
police stations routinely sell unclaimed
computers--with all of the information still on
them--after three months. http://news.bbc.co.uk/2/hi/technology/3788395.stm
From ACM's TechNews, June 9, 2004
"Worst-Case Worm Could Rack Up $50B in U.S. Damages" TechWeb (06/04/04); Keizer, Gregg
- International Computer Science Institute security
researchers Nicholas Weaver and Vern Paxson say that a
worm attack could cost the United States as much as
$50 billion in direct damages by attacking widely used
services and carrying a highly destructive payload.
The worst-case scenario combines state-funded
attackers exploiting an unpublished Windows
vulnerability with a fast-spreading worm. The $50
billion figure includes lost productivity, repair
expenses, deleted data, and damaged equipment. The
researchers say that worms would be the choice method
for the attack because of their speed. The study says
state-sponsored hackers would have both the time and
resources needed to find an unpublished vulnerability
and rigorously test their worm. While past worms have
been limited to mostly Windows XP or Windows NT
systems, a more effective worm would attack a wide
range of Windows environments. The researchers also
tested popular motherboard and system configurations,
and found that a particularly well-designed worm could
force users to replace the motherboard in a third of
the tested systems, while the other two-thirds would
need to have their BIOS restored. However, although
the corrupted PC BIOS could be restored, it would
require highly skilled workers. The most likely
candidates for the exploit include the SMB/CIFS
file-sharing service included on all Windows systems
since Windows 98. Possible countermoves for government
and businesses include deploying mass-mailed worm
defenses, restricting file-sharing on users' desktops,
and using SMB/CIFS-compatible servers. Still, Weaver
and Paxson warn that "Current defenses are not capable
of dealing with threats of this magnitude." Click
Here to View Full Article
"Recognition Keys Access" Technology Research News (06/09/04); Patch, Kimberly
- Researchers from Israel's Hebrew University
presented their work on a new user authentication
scheme at ACM's CHI 2004 conference in late April. The
scheme enables people to use a special kind of
password that does not need to be consciously
recalled, a technique that draws upon the brain's
instinctive imprinting process for handling
complexity. Hebrew University engineering and computer
science professor Scott Kirkpatrick says the method is
secure because it is genuinely random and cannot be
purloined or voluntarily shared. In the prototype
systems, users are trained on a set of images, a few
of which must be recognized in order for
authentication to be facilitated; users were tested on
systems that employed three classes of input:
Pictures, pseudo words, and artificial grammar. Tests
of the picture version involved users receiving a
series of user certificates, or unconscious passwords,
first by showing them a set of 100 to 200 pictures
randomly chosen from a 20,000-picture database and
ordered into groups of between two and nine
thematically similar pictures, and then having the
users practice selecting certificate images from these
theme groups. Next, users had to identify most of a
short series of certificate passwords, which are used
only once as an anti-eavesdropping measure; tests
showed that users could recall previously viewed
pictures with more than 90 percent accuracy for as
long as three months. Users trained on the pseudo word
version boasted a three-month accuracy rate of 70
percent to 90 percent, while tests of the artificial
grammar version yielded more variable accuracy rates,
the highest being 75 percent. Kirkpatrick says
challenges remain, but he envisions using the
technology for broader security systems that involve
more elaborate computer-human interaction based on
trust. Click
Here to View Full Article
"Cybersecurity: a Job for the Feds?" IDG News Service (06/07/04); Gross, Grant
- Commentator and Chicago Tribune columnist Bill
Press and Gartner research director Rich Mogull both
believe that the nation's cybersecurity is too
important to leave up to the free market, and said so
during a panel discussion at the recent Gartner IT
Security Summit. Other panelists suggested that the
federal government influence companies through its
purchasing power, but Press contended that since
software vendors are not held liable for products with
security flaws, purchasers ultimately pay for the
flaws. Some said that dealing with software security
through legislation is almost impossible because of
the esoteric nature of software design. Gartner
Research vice president John Pescatore said software
creation is more art than science, and suggested
buyers demand better products instead of government
regulation. Bob Dix, staff director for the technology
and information policy subcommittee of the House
Government Reform Committee, said the threat of a huge
cyberattack on U.S. technology assets cannot be
overemphasized, and former White House
counterterrorism expert Roger Cressey said that while
the United States is not ready for a concerted
cyberattack, the government is moving in the right
direction. Cressey thinks that a major cyber outage
will prompt hasty national legislation, but Dix hopes
that legislation will not be necessary. Press
suggested that the software industry work with
Congress on legislation. Click
Here to View Full Article
From New York Times, June 23, 2004
4 Rivals Almost United on Ways to Fight Spam, By Saul Hansell, Published: June 23, 2004
- Four large Internet service providers agreed
yesterday to a partial truce in their battle with one
another over potential technology to stop junk e-mail
in hopes that they can devote their united energy to
fighting spam. Read the article.
From ACM's TechNews, May 28, 2004
"Will Code Check Tools Yield Worm-Proof Software?" CNet (05/26/04); Lemos, Robert
- A report from the Business Roundtable blames buggy
and vulnerable software code for most of the major
cyberattacks and network breaches that have harried
American consumers and businesses in recent years, and
says these exploitable code errors stem from software
development processes that lack effective testing,
review, and safety measures. Though software is tested
for flaws, usually the purpose of testing is to see if
the software operates properly rather than if it fails
when intentionally improper operations are performed.
Static source code checkers originally developed by
academic researchers to glean data about software
flaws are being marketed by several companies as tools
for spot-checking security. One such product was so
well received by Microsoft that the computer giant
bought Intrinsa, the company that sold it; the
technology is now a key component of Microsoft's
Trustworthy Computing Initiative, and Microsoft
security program manager Michael Howard reports that
Intrinsa's tools are used to regularly enforce
discipline for developers. Fortify Software founder
Mike Armistead notes that a commonly held attitude
among software developers is that some errors will
always be missed, and therefore it is acceptable to
ship products and let others alert the developers of
any flaws. But security researchers do not always
disclose the flaws they detect, and many security
experts think that developers could be held
accountable for the glitches they fail to find,
particularly if checking technology is
available--factors that are raising the stock of
automatic code error detection tools. Some people
believe static source code checkers are not yet ready
for commercialization: Immunity founder Dave Aitel
perceives a need for such tools, but argues that
current products generate too many false positives to
be effective. Click
Here to View Full Article
From EduPage, May 28, 2004
Buffalo Spammer Gets Jail Time
- A judge in New York this week sentenced Howard
Carmack, the so-called Buffalo Spammer, to the maximum
three-and-a-half to seven years in prison under the
state's new identity theft statute. Carmack was
charged with setting up hundreds of e-mail accounts
under false or stolen identities and sending 850
million spam e-mails through those accounts. Internet
service provider EarthLink previously won a $16.4
million civil judgment against Carmack, though the
company has yet to collect any money from Carmack. At
his sentencing, Carmack said his prosecution was
politically motivated and that he didn't see any
victims of his actions. In response, Judge Michael
D'Amico said, "I'm having a heck of a time figuring
out why you think everybody is unfair to you," telling
Carmack he caused a lot of harm to many people.
Wall Street Journal, 27 May 2004. Read the article (subscription required)
From ACM's TechNews, May 26, 2004
"Viruses Nip Russia After the Cold War" IDG News Service (05/25/04); Blau, John
- The end of the Cold War and the collapse of the
Soviet Union have opened Russia's borders to the
Internet, which in turn has given rise to massive
computer virus infections. Security experts expect
things to get worse now that network intrusions and
the authoring of viruses are no longer the sole
province of politically- or respectability-motivated
hobbyists, but a tool for organized crime. One
hacker-turned-security expert observes that there is
money to be made from hacking and virus-writing, while
Mi2g Chairman DK Matai points out that "The Mafia,
which has been using the Internet as a communication
vehicle for some time, is using it increasingly as a
resource for carrying out mass identity theft and
financial fraud." Russia's economy is an ideal climate
for hacking, as highly skilled but cash-strapped
Russian tech professionals direct their talent toward
scanning corporate networks for security holes,
crafting malware for stealing financial data, setting
up illegal spam farms by hijacking infected computers,
or ransoming companies' livelihood by threatening to
launch distributed denial-of-service attacks against
their networks or publicize sensitive information
online. Another factor is relatively lenient attitudes
toward cybercrime in a nation where violent crime is
rampant, according to Sergey Bratus of Dartmouth
College's Institute for Security Technologies Studies.
Also complicating enforcement is the increasingly
global nature of cybercrime, which makes its
perpetrators difficult to trace, and differing views
on cybercrime's definition. Gus Hosein of the London
School of Economics and Political Science predicts
that "policies will be developed to enhance the
investigation of viruses in order to trace virus
makers and other perpetrators of cybercrimes, only to
see those same powers used for different purposes,
such as pursuing copyright crime and 'indecent'
communications." Click
Here to View Full Article
"RPI Study Eyes Sick Computers" Associated Press (05/25/04); Hill, Michael
- The National Science Foundation is funding a
project at Rensselaer Polytechnic Institute that
probes the parallels between biological virus and
computer virus epidemics in order to find ways to
obstruct the latter. For instance, malware's infection
mechanism often takes the form of seemingly innocent
emails with seductive subject lines, in much the same
way that disease bacteria can invade cells by
appearing harmless. NSF grant recipient and RPI
professor Biplab Sikdar notes that certain viral
infections and computer virus outbreaks follow similar
patterns: The spread of highly contagious diseases
characterized by short incubation periods usually
begins with a small infected population before
skyrocketing exponentially, reaching a peak, and
fading away at a more gradual rate. Sikdar postulates
that routers could be programmed to identify sudden
protracted increases in instability and other factors
as signs of cyberattacks, and then isolate the virus.
The RPI professor believes this measure could
eliminate the need for computers with antivirus
software to update their programs, and even shield
computers that lack virus protection. Symantec senior
research director Steve Trilling points out that a lot
of recent computer security research is focused on
behavior-based threat identification instead of
reliance on a database of known threats. Vincent
Gullotto, director of Network Associates' McAfee
Anti-Virus Emergency Response Team, is skeptical that
drawing similarities between biology and the Internet
will yield effective antivirus measures. Sikdar's
five-year NSF grant also covers research into the life
expectancies of wireless networks and how minor router
bugs can lead to more complex problems. Click
Here to View Full Article
"How Are Script Kiddies Outwitting I.T.
Security Experts?" NewsFactor Network
(05/19/04); Valentine, Lisa
- Teenage virus writers are known as "script
kiddies," and are having an effect on the IT industry,
but network security experts and antivirus vendors say
their impact is not as great as is believed--most of
them are not very good at virus writing. Even
badly-written viruses require corporate users to spend
time downloading virus updates, but in addition to
causing nuisance, script kiddies serve antivirus
vendors by finding vulnerabilities for which the
vendors must then write protections. Gartner vice
president Richard Stiennon notes that this makes
things more difficult for professional hackers who
would prefer to keep the vulnerabilities unknown. He
adds that since so few hackers are caught, it is hard
to tell how many viruses are written by professionals.
Trend Micro director David Perry says that most script
kiddies' viruses never infect computers--they send
them directly to antivirus companies to go on
detection lists, about which the teens can then brag.
These are called "zoo" viruses because they are never
released "into the wild," and make up approximately
74,000 of the 75,000 known viruses. Another group of
viruses are "intended viruses" that are so poorly
written they do not function; virus-protection firms
still create defenses against these attacks should
they be fixed in the future. Antivirus vendors are
improving their ability to detect viruses before they
hit, even as the capabilities of virus toolkits
improve. Click
Here to View Full Article
From ACM's
TechNews, May 21, 2004
"Executives Criticize the Tech
Industry" Associated Press (05/19/04);
Bridis, Ted
- Members of the Business Roundtable say the
technology industry sells software that is vulnerable
to hackers and too complicated for consumers to use
safely. The trade group comprised of executives from
the top 150 U.S. corporations estimates more than $1
billion is spent addressing computer worm and virus
threats. The Business Roundtable is lobbying for
better software design, greater ease of management,
and support for older versions, but the group also
says that corporate directors and executives should be
involved in making their networks more secure.
Business Roundtable security task force director
Marian Hopkins says that, up to this point, IT vendors
have continually passed the onus of computer security
onto end users, and that it was time for them to take
more direct responsibility. Cyber Security Industry
Alliance head Paul Kurtz says that Internet security
needs both good products and good user maintenance.
Some security experts and consumer groups agree with
the Roundtable's complaints, but technology
representatives contend that their companies are
spending a lot of money to make products easier to
defend and more resilient. "Cybersecurity is
everyone's responsibility, including the vendors, the
users, enterprises, and government agencies," says the
Information Technology Association of America's Greg
Garcia. However, both the Roundtable and the
association oppose government security mandates. Click
Here to View Full Article
From ACM's
TechNews, May 21, 2004
"Senate Hears Mixed Reviews of Anti-Spam
Law" Washington Post (05/21/04) P. E5; Krim,
Jonathan
- Witnesses offered differing opinions about the
effectiveness of the CAN-SPAM law at a May 20 hearing
of the Senate Commerce, Science, and Transportation
Committee. FTC Chairman Timothy Muris praised the law,
noting that his agency has filed 62 cases against
spammers as well as cases against businesses that
employ spammers to market their products. Laudatory
views were also shared by FBI cyber crime division
assistant director Jana Monroe, who said CAN-SPAM
permits spammers to be prosecuted as felons by
criminalizing their activity rather than forcing the
government to pursue them as enablers of fraud; she
added that the FBI is developing cases against about
50 targeted spammers with the assistance of the Direct
Marketing Association. Negative views were voiced by
Consumers Union President James Guest, who called for
amendments to CAN-SPAM. He argued that the "opt-out"
policy the bill supports overburdens users,
particularly because many spammers are circumventing
spam filters by using bogus opt-out mechanisms.
Despite his support of the law, Postini CEO Shinya
Akamine estimated that the amount of email traffic
spam accounts for has risen from approximately 78
percent to 83 percent this year. One of CAN-SPAM's
provisions authorizes the FTC to consider a
do-not-spam list that would be similar in operation to
the do-not-call list for telemarketers, but such a
measure has been met with opposition from industry and
strong skepticism from Muris. Consumers Union
legislative analyst Chris Murray reported that his
organization wants the option to be considered. Click
Here to View Full Article
"Flaws Drill Holes in Open Source
Repository" CNet (05/19/04); Lemos,
Robert
- As attackers increasingly target software that runs
on Linux, E-Matters chief security and technology
officer Stefan Esser recently disclosed
vulnerabilities in two widely used source code
repository applications that could expose open-source
software projects to compromise. One security hole is
in the Concurrent Versions System (CVS), which
numerous large open-source projects use to run the
servers that manage the iterations of a program under
development; among the groups hosting their source
code in CVS servers are those developing the KDE and
Gnome desktops for Linux, and Esser reported that
these groups were alerted to the flaw earlier this
month. Esser's advisory says the CVS bug, a heap
overflow, affects all versions of the software
released before May 19 and stems from inadequate
vetting of data supplied by the system's users. The
other security hole affects the Subversion
application, and its root cause is an error in the
code's date-parsing routine; in his advisory, Esser
warned that attackers could use the flaw for "remote
code execution on Subversion servers and therefore
could lead to a repository compromise." The Subversion
vulnerability is easier to exploit than the CVS
vulnerability; Linux is the operating system most
often used with CVS. A May 19 alert from the Debian
Project, published to coincide with the e-Matters
advisory, included a patch for the CVS software.
Debian Project developer Martin Schulze said the
threat from the CVS vulnerability should be minor with
the patch in place.
Click
Here to View Full Article
From ACM's
TechNews, May 19, 2004
"Fine-Tuning Spam
Filtering" TechNewsWorld (05/18/04);
Korzeniowski, Paul
- Unsolicited commercial email has expanded by more
than five times its volume since 2001, and though spam
filtering solutions help mitigate the problem, they
are not foolproof--and worse, they can unintentionally
prevent legitimate email from getting through, often
without the user realizing it. The risk of false
positives, which has escalated as spammers and
anti-spam product vendors play a rapidly accelerating
game of one-upmanship, is frustrating for companies
that rely on sending large volumes of valid email for
their business. One of the more popular spam filtering
methods, whitelisting/blacklisting, involves placing
senders on a whitelist (senders whose emails are
permitted into the recipient's inbox) or a blacklist
(senders whose messages are blocked because they are
assumed to be spam); however, Ferris
Research's Richi Jennings warns, "Spoofing [the
process of putting another person's or organization's
email address in the header] is a major issue, and
more than one out of every three spam messages does
not come from the address listed." Another widespread
spam-blocking technique, content filtering, analyzes
message content to statistically determine whether the
email is spam, and ranks messages accordingly. With
spammers continuously probing filters for
work-arounds, and current strategies to avoid false
positives resulting in spam overload or reduced
productivity, users are clamoring for better
spam-blocking measures. Among the techniques vendors
are looking at is the use of domain keys, which verify
a message's sending domain with a public-key signature. A
successful domain key authentication scheme requires
widespread adoption, the creation of a standard
supported by all vendors, and upgrading corporate
email systems. Though Jennings thinks domain key
technology will help curb spam, he notes that "in the
short term, it will continue to be difficult for
companies to block spam but still deliver needed
messages to their users." Click
Here to View Full Article
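The two filtering methods the article contrasts, worked as an added example (this is not code from the article or from any vendor it mentions): a multinomial naive Bayes content filter trained on a constructed six-message corpus, and a sender whitelist/blacklist consulted before content scoring. The message texts, the sender addresses and the threshold are assumptions for the example. The decide() function also shows Jennings' spoofing point: a whitelisted From: address is header data the sender controls, so without sender authentication the whitelist lets a spoofed spam straight through.

```python
import math
import re
from collections import Counter

# Constructed training corpus for this example (not real mail); True = spam.
TRAINING = [
    ("Get cheap meds now, limited time offer, click here", True),
    ("Win a free prize, claim your cash reward today", True),
    ("Cheap mortgage rates, refinance now, click here", True),
    ("Meeting moved to 3pm, please review the attached agenda", False),
    ("Can you review my patch for the parser bug before the release", False),
    ("Lunch tomorrow? Also the quarterly report is attached", False),
]

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lowercase word tokens; a production filter would also tokenize headers."""
    return TOKEN.findall(text.lower())


class BayesFilter:
    """Multinomial naive Bayes over word counts, with add-one smoothing."""

    def __init__(self, messages):
        self.spam_counts = Counter()
        self.ham_counts = Counter()
        self.n_spam = 0
        self.n_ham = 0
        for text, is_spam in messages:
            words = tokenize(text)
            if is_spam:
                self.spam_counts.update(words)
                self.n_spam += 1
            else:
                self.ham_counts.update(words)
                self.n_ham += 1
        self.vocab_size = len(set(self.spam_counts) | set(self.ham_counts))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())

    def log_odds(self, text):
        """log P(spam | words) - log P(ham | words); positive means spam."""
        score = math.log(self.n_spam) - math.log(self.n_ham)  # class prior ratio
        for w in tokenize(text):
            # Counter returns 0 for unseen words; add-one keeps the log finite.
            p_spam = (self.spam_counts[w] + 1) / (self.spam_total + self.vocab_size)
            p_ham = (self.ham_counts[w] + 1) / (self.ham_total + self.vocab_size)
            score += math.log(p_spam) - math.log(p_ham)
        return score

    def is_spam(self, text, threshold=0.0):
        # Raising the threshold trades missed spam for fewer false positives.
        return self.log_odds(text) > threshold


def decide(sender, text, whitelist, blacklist, bayes, threshold=0.0):
    """Sender lists first, then content scoring: 'block', 'deliver' or 'quarantine'.

    Caveat from the article: 'sender' comes from a header the spammer
    controls, so without sender authentication a whitelisted From: address
    is not proof of origin and a spoofed message bypasses the content filter.
    """
    if sender in blacklist:
        return "block"
    if sender in whitelist:
        return "deliver"
    return "quarantine" if bayes.is_spam(text, threshold) else "deliver"
```

On a real mail stream the training set would be the user's own spam and ham folders, retrained as spammers change vocabulary; the whitelist only becomes trustworthy once the sending domain is verified, which is what the domain-key schemes mentioned next are meant to supply.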
From EduPage,
May 12, 2004
Canada Urges International Cooperation To
Fight Spam
- Canadian officials this week suggested that
international efforts, possibly including a treaty,
are necessary to fight the growing problem of spam.
Lucienne Robillard, Canada's Industry Minister, said,
"Alone, country by country, we cannot solve this
problem," noting that 95 percent of spam received by
Canadians originates in other countries. According to
Robillard, an international treaty on spam could
include extradition of those accused of sending spam.
Richard Simpson, director general of e-commerce for
Industry Canada, compared a potential international
agreement on spam to existing tax treaties, which
countries use in collecting taxes and "countering
other forms of activities like money laundering." A
spam treaty is also being discussed at the Asia
Pacific Economic Cooperation forum, according to
Canadian officials. CNET, 11 May 2004
http://news.com.com/2100-1028_3-5210534.html
From EduPage,
May 10, 2004
Microsoft Reward Credited With Arrest Of
Sasser Suspect
- An 18-year-old German student has been arrested
for, and has confessed to, writing the Sasser worm
that began infecting computers around the world last
week. The arrest was made after acquaintances of the
teen tipped off the Munich offices of Microsoft, which
set up a reward program last year to try to catch
writers of malicious computer code. The informers, who
said they were aware of the reward program, provided
Microsoft with details about the worm, convincing the
company to notify German authorities. After being
arrested and having his computer confiscated, the teen
confessed. The informants will receive $250,000 if he
is convicted. An official from Microsoft praised the
reward program, calling this first instance of its use
a "defining moment in demonstrating our ability to
combat malicious code in collaboration with the
authorities." Wall Street Journal, 10 May 2004 (sub.
req'd)
http://online.wsj.com/article/0,,SB108401726263605863,00.html
Sasser Author Tried To Create Virus-Fighting
Virus
- Sven Jaschan, the German teen who confessed to
writing the Sasser computer worm, told authorities he
had set out to write a virus, called Netsky, that
would remove versions of the MyDoom and Beagle
viruses. Jaschan reportedly wrote several versions of
Netsky, eventually ending up with the Sasser worm.
According to one German investigator, Jaschan is "a
really good programmer" but didn't understand the
scale of what he was doing. Just before being
apprehended by authorities last week, Jaschan released
a fifth version of Sasser, intended to limit the
damage caused by the previous four. The new version,
Sasser e, purported to include information about a
patch against the Sasser worm. Instead of limiting the
damage of previous versions, however, Sasser e also
caused computers to reboot spontaneously. According to
Sascha Hanke, a Microsoft official in Germany, Jaschan
"did it with good intentions, but it had exactly the
same damaging effects." eWeek, 10 May 2004
http://www.eweek.com/article2/0,1759,1589919,00.asp
From ACM's
TechNews, May 10, 2004
"Breach of Trust" InformationWeek
(05/03/04) No. 987, P. 58; Hulme, George V.; Kontzer,
Tony
- Companies are in danger of losing customer trust
because of the constant threat of data breaches, which
are far more common than the public is aware of.
Sensitive customer data can be compromised by hackers
who penetrate corporate networks, insiders who steal
information, and identity thieves, and they are only
the tip of the iceberg. InformationWeek Research's
2003 U.S. Information Security Survey of 815 companies
determined that over 80 percent employ antivirus and
network-firewall software, but only 23 percent use
vulnerability-scanning tools to find exploitable
security holes; furthermore, just 43 percent use
intrusion-detection systems, while only 40 percent
claimed to have evaluated and gauged the effectiveness
of their information-security policies. Symantec
reports that over seven new software holes cropped up
each day last year on average, while software
vulnerabilities are becoming easier to exploit, and
are being exploited faster as well. To curb data
breaches, firms must deploy firewalls,
application-security solutions, and
intrusion-detection systems; patch newly discovered
security flaws before they can be exploited; and
institute frequently updated security policies that
are rigorously enforced. Data encryption is another
security measure companies can employ, but the baggage
it brings varies: For instance, encryption key
management can complicate security, while encrypting
data may slow down system performance. Legislators
expect that ID theft and network hacking will be
deterred with the passage of tougher laws and stiffer
prison sentences. Some companies employ technology to
spot fraudulent activity early on and halt it before
it inflicts too much damage, a philosophy that accepts
ID and customer-data theft as a permanent fact of
life; as one anonymous financial-services executive
puts it, "The problem is like a water balloon: When
you squeeze hard in one spot it gets ready to burst
somewhere else." Click
Here to View Full Article
From ACM's
TechNews, May 5, 2004
"Crackers Redux" eWeek (04/26/04)
Vol. 21, No. 17, P. 29; Fisher, Dennis
- Cliff Stoll chronicled the attack on Unix machines
at the Lawrence Berkeley National Laboratory in
Berkeley, Calif., and university and military
facilities nearly 15 years ago in his book, "The
Cuckoo's Egg: Tracking a Spy Through the Maze of
Computer Espionage." The story that Stoll, a volunteer
system administrator at the Berkeley lab at that time,
tells shows that similar methods and tactics were used
this spring to hack into Linux machines at Stanford
University, the National Supercomputing Center for
Energy and the Environment in Las Vegas, the San Diego
Supercomputer Center, and some locations of the
TeraGrid, the distributed network of supercomputing
centers. Although security technology and techniques
have improved over the years, Stoll offers a lesson
that also would have helped security experts involved
at Stanford and the supercomputer centers. The
attackers appear to have targeted unsuspecting users
to compromise their passwords as well as the poor
security practices of the supercomputer centers, in a
strategy that was not innovative or original. It is
deja vu, according to Mark Rasch, chief security
counsel at Solutionary and a former U.S. attorney who
prosecuted the attackers in 1986. "They start with a
password compromise, which leads to a password attack,
then root, then a root kit and so on," says Rasch,
adding that changing guessable passwords afterwards
comes a bit late. "If this guy is smart, he was
creating accounts that aren't root, that they haven't
found yet." Click
Here to View Full Article
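Rasch's closing point, that an intruder who has reached root leaves behind non-root accounts nobody has found yet, is something an administrator can check for mechanically. The following is an added example, not code from the article or from any of the sites it names: it parses a constructed /etc/passwd-style file against a constructed baseline of expected accounts and flags a second UID 0 entry, accounts missing from the baseline, interactive shells with odd home directories, and names chosen to hide in listings. The file contents, the baseline set and the shell list are all assumptions for the example.

```python
# Constructed /etc/passwd content for this example (not from any real host).
# The last two entries are what Rasch describes: an extra interactive account
# the intruder created, and a second UID 0 account behind a bland name.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
ftpadm:x:1002:1002::/var/tmp/.x:/bin/bash
toor:x:0:0:operator:/root:/bin/sh
"""

# What the administrator has on record (also constructed for this example).
BASELINE_USERS = {"root", "daemon", "bin", "sshd", "alice", "bob"}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; raise on malformed lines rather than skip them."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text, baseline=BASELINE_USERS):
    """Return (account, reason) findings for accounts that deserve a look."""
    findings = []
    for e in parse_passwd(text):
        known = e["name"] in baseline
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "uid 0 but not root"))
        if not known:
            findings.append((e["name"], "not in baseline"))
        if not known and e["shell"] in INTERACTIVE_SHELLS and not e["home"].startswith("/home/"):
            findings.append((e["name"], f"interactive shell with unusual home {e['home']}"))
        if e["name"].startswith(".") or e["name"] != e["name"].strip():
            findings.append((e["name"], "name chosen to hide in listings"))
    return findings
```

To use it on a live host, pass the contents of /etc/passwd and a baseline kept somewhere the intruder could not edit. Since the article's attack chain ends with a rootkit, read the file from a boot of trusted media rather than through the possibly compromised kernel, and treat the baseline comparison as one input to the incident review, not as proof that the box is clean.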
From ACM's
TechNews, April 28, 2004
"Security From the Inside Out" Tech
Update (04/21/04); Farber, Dan
- Cybersecurity experts are coming up with
multilayered approaches to protect enterprises against
attack, using a combination of patching, firewalls,
intrusion detection systems, antivirus software, deep
packet inspection, and access controls. However,
application-level attacks go around network-based
protections, and detection and antivirus patches alone
cannot keep up with worms and viruses. Most security
solutions start outside a network and build perimeters
across it, but Fortify Software offers an automated
inside-out, root-cause solution that removes
vulnerabilities as part of the software development
process. Fortify CTO Roger Thornton says programmers
need to be on the front lines of defending enterprise
IT. Systems can be made more secure during development
not only through improved code quality, but also the
elimination of vulnerabilities such as stack buffer
overflows, format string errors, SQL injection
exploits, and unconditionals. Thornton says programmers
do not generally think about vulnerabilities when
writing code, and his company's approach uses static
analysis of code to find flaws. The rule set has to
stay flexible, adapting as attackers probe for new
classes of vulnerability and letting programmers add
rules for new libraries. Fortify's software rules are sourced
through the security establishment, research
community, and Fortify's internal team. The company's
source code analysis suite includes a software
security manager, a developer toolkit, and a source
code analysis server, and Fortify is also working on a
real-time monitoring application to detect attacks and
automatically respond. Fortify's products are intended
for larger enterprises. Click
Here to View Full Article
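One of the flaw classes the article lists, SQL injection, shown both ways the article frames it: the vulnerable code beside its fixed form, and a single static-analysis rule of the kind a source code analyzer applies to find the vulnerable form. This is an added example and not Fortify's code or rules; it uses Python's sqlite3 and ast modules, a constructed three-row table, and a constructed snippet for the rule to scan. The rule tracks variable names module-wide rather than doing real data-flow analysis, which is an assumption made to keep the example short.

```python
import ast
import sqlite3
import textwrap


def make_db():
    """In-memory table with constructed sample rows for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db


def find_user_vulnerable(db, name):
    # Interpolating user input into SQL text: a name of  x' OR '1'='1  rewrites
    # the WHERE clause and returns every row.
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return db.execute(query).fetchall()


def find_user_fixed(db, name):
    # Parameter binding: the driver passes name as data, never as SQL text.
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


class SqlStringBuildRule(ast.NodeVisitor):
    """One static-analysis rule: flag execute()/executemany() whose SQL argument
    was built with %, +, .format() or an f-string, either inline or through a
    variable last assigned such a value (module-wide name tracking only)."""

    def __init__(self):
        self.findings = []          # line numbers of suspect calls
        self.built_names = set()    # variables last assigned a built string

    @staticmethod
    def _is_built_string(node):
        if isinstance(node, ast.JoinedStr):
            return True
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
            return True
        return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format")

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_built_string(node.value):
                    self.built_names.add(target.id)
                else:
                    self.built_names.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            arg = node.args[0]
            tainted = self._is_built_string(arg) or (
                isinstance(arg, ast.Name) and arg.id in self.built_names)
            if tainted:
                self.findings.append(node.lineno)
        self.generic_visit(node)


def scan_source(source):
    """Return line numbers of SQL calls whose query text was assembled at runtime."""
    rule = SqlStringBuildRule()
    rule.visit(ast.parse(source))
    return rule.findings


# Constructed snippet to scan: the two patterns above, reduced to essentials.
SAMPLE_SOURCE = textwrap.dedent('''\
    def lookup_bad(db, name):
        query = "SELECT * FROM users WHERE name = '%s'" % name
        return db.execute(query).fetchall()

    def lookup_good(db, name):
        return db.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()
    ''')
```

Running scan_source over SAMPLE_SOURCE reports line 3 and nothing for the parameterized call. A real analyzer does this across functions and files with proper taint propagation, which is where the vendor rule libraries the article describes come in; a rule this simple still catches the most common form of the bug and says nothing about the 'unconditionals' or format-string cases, which need rules of their own.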
"Technological Networks and the Spread of
Computer Viruses" Science (04/23/04) Vol.
304, No. 5670, P. 527; Balthrop, Justin; Forrest,
Stephanie; Newman, J.
- By studying how computer virus outbreaks relate to
technological networks, effective vaccination measures
can be developed and deployed. Many technological
networks targeted by viruses are not scale-free, and
are therefore unlikely to be effectively protected by
targeted vaccination. In addition, network topology is
not always homogenous, is often influenced by how
viruses are written, and can be changed by virus
writers to subvert specific control strategies. Four
particular networks and the attack strategies they are
vulnerable to are outlined: A network of potential
connections between machines via the Internet
Protocol; a network of shared administrator accounts
for desktop computers; an email address book network;
and a network of email messages exchanged between
users. Targeted vaccinations may be effective for the
latter two networks, which boast more continuous
distributions. Among the control strategies that are
unaffected by network topology changes and do not
require administrators to know how a virus epidemic
operates is throttling: restricting the number of new
connections a computer can make to other computers in
a given time period slows a virus down to the point
where conventional measures can clean it up. The
technique can also lower the amount of traffic
produced as a result of the infection. Throttling
reaches its highest level of effectiveness when the
malware generates traffic at a dramatically higher
rate than regular network communications, write Justin
Balthrop and Stephanie Forrest at the University of
New Mexico's Department of Computer Science, HP
Laboratories' Matthew M. Williamson, and M. E. J.
Newman at the University of Michigan's Department of
Physics and Center for the Study of Complex Systems.
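The throttle the paper describes, as an added simulation that is not the authors' code: each host keeps a small working set of recently contacted destinations, lets repeat contacts through at once, queues first contacts and drains the queue at a fixed rate, and raises an alarm when the queue grows past a limit. The working-set size, release rate, alarm length and both traffic patterns (a user cycling through four familiar hosts, and a worm probing thirty fresh addresses per time unit) are constructed assumptions for the example; they are there to show the paper's point that the throttle barely touches normal traffic and stalls traffic that arrives far above the normal rate.

```python
from collections import OrderedDict, deque


class VirusThrottle:
    """Per-host rate limit on connections to *new* destinations.

    Destinations contacted recently sit in a small working set and pass
    immediately. A first contact with anyone else is queued, and the queue
    drains at a fixed rate per time unit. Normal use rarely touches the
    queue; a scanning worm fills it at once, so a long queue doubles as
    the infection alarm. Parameters are assumptions for this example."""

    def __init__(self, working_set_size=4, release_per_tick=1, alarm_queue_len=20):
        self.working_set = OrderedDict()   # recent destinations, oldest first
        self.queue = deque()               # pending first contacts, coalesced
        self.wss = working_set_size
        self.rate = release_per_tick
        self.alarm_len = alarm_queue_len
        self.alarm = False
        self.delayed = 0                   # distinct first contacts held back

    def _admit(self, dest):
        self.working_set[dest] = True
        self.working_set.move_to_end(dest)
        while len(self.working_set) > self.wss:
            self.working_set.popitem(last=False)

    def connect(self, dest):
        """Return True if the connection goes out now, False if it is queued."""
        if dest in self.working_set:
            self._admit(dest)              # refresh recency
            return True
        if dest not in self.queue:
            self.queue.append(dest)
            self.delayed += 1
            if len(self.queue) > self.alarm_len:
                self.alarm = True
        return False

    def tick(self):
        """One time unit passes: release a bounded number of queued contacts."""
        for _ in range(self.rate):
            if not self.queue:
                break
            self._admit(self.queue.popleft())


def simulate(traffic, **throttle_args):
    """traffic: list of ticks, each the destinations a host tries in that tick."""
    t = VirusThrottle(**throttle_args)
    sent = 0
    for attempts in traffic:
        for dest in attempts:
            if t.connect(dest):
                sent += 1
        t.tick()
    return {"sent": sent, "delayed": t.delayed, "alarm": t.alarm, "backlog": len(t.queue)}


# Constructed traffic: a user cycling through a few familiar hosts, and a worm
# probing 30 fresh addresses per tick.
NORMAL_TRAFFIC = [["mail.example", "www.example"], ["www.example", "cdn.example"],
                  ["mail.example"], ["www.example", "news.example"]] * 10
WORM_TRAFFIC = [[f"10.0.{i}.{j}" for j in range(1, 31)] for i in range(10)]
```

With these settings the browsing pattern is delayed only while the working set fills (four first contacts out of seventy attempts, no alarm), while the worm gets nothing out immediately, trips the alarm in its first tick, and leaves a backlog of 290 of its 300 probes; that backlog is also the reduction in outbound scan traffic the paper mentions. The numbers depend entirely on the constructed parameters, and a worm that scans at roughly the rate of normal use would slip under a throttle tuned this way.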
From ACM
TechNews, April 19, 2004
"Supercomputer Hacks Highlight Ed Security
Challenge" IDG News Service (04/16/04);
Roberts, Paul
- Under pressure from government regulations,
increased user demands, Internet-borne attacks, and
even legal threats from the private sector,
universities are turning to advanced security
technologies such as intrusion prevention systems.
Universities have historically tried to maintain as
open and accessible network infrastructures as
possible, but new threats are making that obligation
especially onerous: For example, hackers recently
broke into the Linux and Solaris supercomputer systems
at Stanford University using stolen IDs and passwords,
then took advantage of shared folders on the system
that were kept up to facilitate data sharing and
system management. Unlike companies whose main network
task is to protect information, universities act as
ISPs facilitating access for users; this job is made
more difficult now that students are constantly taking
their laptop computers home, where they are often
exposed to malware, and then plugging them back into
the school network when they return. Boston College
has begun using home-grown tools to quarantine
infected computers, forcing students to play a more
active role in campus network security. University of
Georgia chief information security officer Stan
Gatewood says some of his school's departments
recently deployed a commercial messaging platform from
Mirapoint in order to better manage spam email, and
notes that managing university IT environments is a
politically sensitive task since there are so many
stakeholders. The need to manage different groups'
needs is driving network management tools that make it
easy to provision specific services with as little
overhead as possible. Federal and state regulations
are also playing a role in determining university IT
policy and priorities, as well as legal advisories
from the music and movie industries concerning
illegally traded material on campus networks. Some
universities have begun to segment their networks in
order to better manage competing needs, cordoning off
student dorm networks, for example. Click
Here to View Full Article
"FTC to Look Closer at
'Spyware'" Washington Post (04/19/04) P. A4;
Noguchi, Yuki
- Privacy advocates are in a furor over "spyware"
and "adware" that is often installed on Windows PCs in
many popular programs--free music and file-sharing
programs, for example--users download off the
Internet, sometimes without the user's awareness. The
FTC will investigate the hazards of spyware at an
April 19 workshop in Washington, D.C., focusing
particularly on whether criminals will exploit such
programs to steal users' Social Security and
credit-card numbers, notes Howard Beales of the FTC's
consumer protection division. Most spyware and adware
programs are apparently used to track consumer
preferences, but privacy experts and anti-spyware
vendors warn that such programs can compromise
consumers' control over their PCs, as well as
impinge on their privacy by acting as surveillance
tools for advertisers. Beales and many privacy
proponents admit that the installation of adware is
often permitted in licensing agreements users are
required to consent to in order to download popular
programs--agreements that many consumers do not fully
read. Pest Patrol's Roger Thompson says a distinction
has yet to be made between benign and malign spyware
use, noting that the relatively low incidence of
"malicious" spyware behavior does not erase the fact
that such programs "[open] a back door that allows
computers to be updated by the hacker and accept
commands to log keystrokes, read files, or turn on the
Web cam." U.S. legislators including Sens. Barbara
Boxer (D-Calif.) and Conrad Burns (R-Mont.) have
proposed a bill that would ban the installation of
software on a PC without user notice and consent, and
require that such software be easily removable. Click
Here to View Full Article
"Spam to Go" Technology Review
(04/04) Vol. 107, No. 3, P. 22; Roush, Wade
- Spam is invading text messaging, with the volume
of spam text messages originating in North America
outstripping legitimate messages last year, according
to messaging firm Wireless Services. The European
Union, Japan, South Korea, and California have all
passed laws to try to stem the tide, and Congress has
told the Federal Communications Commission to create
rules to protect cell phone users from unsolicited
text messages, which can cost users money if their
carrier charges for messaging. Both wireless companies
and software vendors are acting on their own as well,
fearing that mobile spam will discourage users from
subscribing to new data services. Advanced 3G networks
in South Korea, Japan, Europe, and parts of the United
States allow multimedia messages and are already
employing "opt-in" systems to help prevent unsolicited
multimedia messages. Wireless Services, which shuttles
text messages between U.S. carriers' networks,
introduced software last year that builds on
techniques used to block email spam, including
Bayesian filtering and a quarantine system. The
company wants to make its filters customizable for
users. Lucent Technologies has a prototype that lets
carriers create online menus so customers can specify
what kinds of messages they want to receive, and when.
Rick Hull, Bell Labs' director of network data and
services research, says, "If the consumer can block a
merchant from viewing his location information, the
merchant has no idea they're passing by." Lucent says
that such technology will be integrated with its
existing Internet infrastructure software within a
year. Click
Here to View Full Article
From ACM
TechNews, April 16, 2004
"Hackers Strike Advanced Computing
Networks" TechNews.com (04/13/04); Krebs,
Brian
- A number of hackers have compromised U.S. research
computing laboratories and networks in the past weeks,
doing little damage but raising fears that hugely
disruptive attacks are possible. Much like a Canadian
teenager used University of California, Santa Barbara
supercomputers to knock out Amazon.com, eBay, and
CNN.com in 2000, experts say that whoever took over
research resources recently could have done much
worse. Among the facilities compromised are the
Department of Energy's Argonne National Laboratory,
the National Center for Supercomputing Applications,
and the San Diego Supercomputer Center--all part of
the TeraGrid research network. That network was
disabled for several days while investigators,
including possibly the FBI, gathered evidence about
the intrusions. As many as 20 universities and
research laboratories could have been targeted,
according to sources who asked to remain anonymous
because of the ongoing investigation. Stanford
University, which is not part of the TeraGrid, has
quarantined at least 30 Linux and Solaris machines to
reevaluate the maintenance and protection of those
Unix-based systems. Stanford computer security officer
Tina Bird said the school was alerted by the FBI about
the rash of intrusions, and that the focus on Unix
systems instead of Microsoft technology was a
surprise. Argonne National Laboratory TeraGrid
engineering director Pete Beckman said the attacks
seemed to be exploratory rather than focused on
stealing scientific data or causing damage to other
Internet targets. TruSecure chief scientist Russ
Cooper, however, said the large-scale intrusion was
worrying, especially since those systems were supposed
to be among the most secure national resources. In
unrelated investigations, U.S. intelligence agencies
have monitored al-Qaeda operatives probing the
computer networks of critical infrastructure
facilities such as dams and power plants. Click
Here to View Full Article
"DRC Investigation Finds Public Websites
'Impossible' for Disabled
People" PublicTechnology.net
(04/16/04)
- The Disability Rights Commission (DRC) in the
United Kingdom has condemned Web developers and online
companies for throwing up the same barriers to access
for disabled people as exist in the physical world.
The results of the study and the DRC's recommendations
show that the Web could be made much more accessible
to disabled users at relatively modest expense
compared to what is required for physical services.
The DRC report was compiled with the help of City
University's Center for Human Computer Interaction
Design in London, and surveyed 1,000 public-facing Web
sites. An automated test of the 1,000 Web sites showed
81 percent did not meet minimum accessibility
requirements as defined by the World Wide Web
Consortium and that the average home page presented
108 barriers to access for disabled persons, including
complex page structures, disorienting navigation,
undescribed images, and little contrast between
background and content. Disabled users further
evaluated 100 of the Web sites, finding that more than
a quarter of the most basic tasks were difficult or
impossible for some users. Blind users were the most
disenfranchised, even when using screen reader
technology. Of the 400 Web developers surveyed, only 9
percent said they had expertise in accessibility,
while another 9 percent said they had disabled users
test their site's accessibility. DRC Chairman Bert
Massie said that while the Web promised equal access,
it so far had failed disabled people by keeping them
from participating in online discussion, from job
opportunities found online, convenient consumer
services, and cheaper goods and services. Legal
requirements for equal access are already on the books
in the United Kingdom, and Massie said it was only a
matter of time before disabled people brought legal
challenges to noncompliant companies. Click
Here to View Full Article
"Making Software Systems Evolve" IST
Results (04/14/04)
- The IST is pursuing a project that would make
software evolvable, enabling an organization to change
its support software without disrupting the operation
of the business. Participants in the ARCHWARE project,
which will be completed by year end, want to establish
a formal architectural specification language that can
be used for various domains, in an effort to
facilitate the implementation of systems as they
change throughout their lifecycle. ARCHWARE is
focusing on the architectural description language
(ADL) for software, which is an open source process
for modeling and encoding software activities that
would add flexibility to an organization's systems.
Evolvable systems would lower development and
maintenance costs, particularly the cost of keeping
systems compliant as user requirements change, and
are critical for software such as Enterprise Resource
Planning (ERP) systems. Project coordinator Ferdinando
Gallo of Consorzio Pisa Ricerche (CPR) in Pisa, touts
open source as a good business model because it
involves selling knowledge about a product, building a
new software paradigm, and becoming the expert.
"Others come and create further value by building on
that foundation," says Gallo. "In the process, they
help with the evolution of the software." Click
Here to View Full Article
From NY Times,
May 31, 2004
When Software Fails to Stop Spam, It's Time to
Bring In the Detectives
- McBride spends a lot of time waiting for spammers
to make a mistake. They usually do. Read the article.
From ACM
TechNews, April 14, 2004
"The Porous Internet and How to Defend
It" E-Commerce Times (04/10/04); Millard,
Elizabeth
- Network researchers say the open TCP/IP Internet
protocols mean criminals have easy access to their
targets, and that there is no simple way to change
Internet design. Transmission Control
Protocol/Internet Protocol (TCP/IP) was developed to
be as open and transparent as possible. Internet
designers had no idea the network would become so
large and actively tried to lower barriers, not create
them. As a result, Internet data packets are not
easily traceable if the sender wants to obscure their
origin and hackers can probe remote networks with
impunity, says Columbia University computer science
assistant professor Angelos Keromytis. AT&T Labs
research fellow Steve Bellovin says many of his
colleagues think TCP/IP is flawed, but he believes the
technology receives undue blame for the current state
of Internet security. Bellovin explains that roads and
highways are not blamed for bank robberies--bank
security takes the blame. Similarly, open Internet
design should not be blamed for faulty Internet
security, but local defenses for each private network
need to be set up. And while open network protocols
often facilitate security breaches, they also provide
for easy patch application and scalable security
management. Bellovin says the problem of network
security will only grow in the future, with ubiquitous
wireless and ad hoc networks. At that time,
cryptography will play an even greater role. Changing
the fundamental structure of the Internet is beyond
the influence of any single institution, since the
Internet is composed of so many stakeholders and
effecting a fix would mean replacing so much software.
Click
Here to View Full Article
"Concern Grows Over Browser
Security" CNet (04/12/04); Reardon,
Marguerite
- The Computing Technology Industry Association's
second annual report on IT security and the work force
indicates 36.8 percent of respondents experienced one
or more browser-based attacks during the last six
months, up from 25 percent the year before.
Browser-based attacks occur when users view a Web page
and hidden code is used to compromise security.
Sometimes all that happens is the browser crashes, but
hackers can also use browser attacks to steal
information. Emails are often used as carriers for the
attacks; the emails contain a link to a malicious Web
server, and the attack is generally launched when the
user clicks on the link. Since most firewall products
do not inspect outgoing traffic, this type of attack
is often not blocked when the user's own click triggers it.
Products are available to monitor and control
corporate Web usage and some firewall vendors have
added protections, but these will not eliminate the
problem, according to association director Randall
Palm. Palm says, "Browser-based attacks are a logical
evolution. The better we get at stopping attacks, the
more creative hackers get at writing new ones."
Browser vendors are trying to add protections as well,
but companies still consider viruses and worms to be a
bigger security risk. However, there are fewer worm
and virus attacks than a year ago, the survey says,
and network intrusion issues are also less common. The
association reports that 95.5 percent of organizations
use antivirus technology, with firewalls and proxy
servers in use by 90.8 percent of respondents. Click
Here to View Full Article
From ACM
TechNews, April 12, 2004
"In the Trenches With Antivirus Guru Mikko
Hypponen" E-Commerce Times (04/07/04);
Millard, Elizabeth
- F-Secure director of antivirus research Mikko
Hypponen is one of the best virus hunters, a type of
researcher that is fairly obscure. Hypponen has been
working in computer security for 13 years, and says
that his assembly language skills have come in handy
in reverse-engineering viruses. However, assembler
skills are not widely taught any more because
there is not great demand and learning them is tough.
He says that "very few people need such low-level
skills anymore. It's all C and C++ nowadays." However,
he believes that universities will soon start teaching
about malicious code and how to analyze it. Right now,
he says university computer science departments focus
on some aspects of computer security, such as
cryptography, but often do not teach students how to
parse and analyze malicious code. Hypponen sees an
evolution of computer worms and viruses, from the era
of boot viruses to macro viruses to email worms. He
predicts that email worms will be replaced by network
worms as soon as next year, and that fewer worms are
written by havoc-minded teens and more are written by
those wanting to make money by stealing data or
installing spam proxies. Teens still write most
viruses, but the biggest outbreaks seem to come from
more organized groups. The most challenging computer
viruses or worms Hypponen has fought have been SMEG
and Zmist from a technical standpoint, because they
modified themselves spontaneously, though the recent
Bagle/Mydoom/Netsky variants have been extremely
tiring since so many continue to emerge. Click
Here to View Full Article
"Spamhaus Proposal Aims to Stop
Spam" InformationWeek (04/07/04); Gardner,
W. David
- Anti-spam organization Spamhaus has submitted an
application to ICANN for a .mail top-level domain name
in the belief that its proposed "server-to-server"
scheme can prevent spam from reaching email servers.
The Spamhaus server-to-server approach is a seamless
arrangement that works behind the scenes to keep email
at bay, says Spamhaus' John Reid. The way Spamhaus
envisions it, .mail users would register with The
Anti-Spam Community Registry, which would be staffed
by Spamhaus volunteers. The system relies on
sending-server operators to register a .mail domain,
and receiving-server operators would look up the IP
address of the sender and other domain information in
order to verify the transmission. This process would
allow the receiving server to "easily determine if the
sending server is spam-free, as well as determine if
the email was forged," according to the application
Spamhaus submitted to ICANN. The proposal will not
only stop spam, it will also resolve the current
problem whereby filters prevent "good" email from
getting through, says Reid. Spamhaus, which intends to
get started quickly on its proposal if ICANN approves
its application, has already contacted some of the
more prominent email-server software providers and
developers about working on the project. An array of
noted anti-spam activists would sit on the Anti-Spam
Community Registry's board of directors. Click
Here to View Full Article
"The Pure Software Act of
2006" Technology Review (04/04); Garfinkel,
Simson
- Spyware is perhaps more insidious than other
malware such as viruses and worms, since it mixes
commerce and deception in a way morally abhorrent to
most computer users, writes Simson Garfinkel. While
viruses and worms are clearly illegal, spyware that
tracks users' online activity and computer use is
often authored and distributed by legitimate companies
and with customer consent. But today's click-wrap
license agreements fall far short of the labeling
regimes in other industries, such as the Pure Food and
Drug Act of 1906, which required manufacturers to
clearly state ingredients, product weight, and avoid
deceptive labeling. Software needs similar labeling to
help consumers make more informed decisions about what
they are installing on their computer. Almost by
definition, spyware hides its true purpose, whereas
other software programs with similar functions go out
of their way to make it clear what they do. Google's
Toolbar for Internet Explorer, for instance, urges
users to read the license agreement carefully so they
understand their browsing activity will be fed back to
Google in order to get the "page rank" for a certain
site. A hypothetical Pure Software Act of 2006 would
require the Federal Trade Commission to come up with
labeling standards and rules for use. Software
labeling would have to contain important information
without glutting consumers with too much data. Simple
icons could be used to denote potential unsavory
features, such as remote control, unremovable
programs, computer use monitoring, pop-up ads, or
modifications to the operating system. Importantly,
such a labeling regime would have to be mandatory, as
companies such as Google currently do a good job
voluntarily informing users of software features while
unscrupulous firms do not. Click
Here to View Full Article
"Email Attack Could Kill Servers" New
Scientist (04/06/04); Knight, Will
- Computer security experts at NGSSoftware have
discovered a way to disable email servers by using
forged emails with thousands of incorrect addresses in
the "copy to" field. The researchers found that
sending these emails to large email servers ricocheted
enormous quantities of unwanted email back at the
email server specified in the "copy to" field, as long
as the first machine is configured to return an email
and its attachments to each incorrect address.
NGSSoftware researcher Gunter Ollman says the email is
forged to look as though it comes from the targeted
server, and the flood of bounced messages generally
makes that server crash. Experts say that 30 percent
of Fortune 500 companies' email servers could be used
for such an attack, and using an insecure server for
the initial messages would make the attack almost
impossible to trace. Ollman says that it should be
simple to reconfigure mail servers to make them
invulnerable to the attack, but he warns that if large
firms do not adjust their mailing architecture, it
only takes a few of these companies for the attack to
work. Click
Here to View Full Article
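The reconfiguration Ollman refers to comes down to one choice in the receiving server: whether an address that does not exist is refused during the SMTP RCPT TO stage, or accepted and later "returned" to the envelope sender. The following simulation is an added example, not code from the article or from NGSSoftware; the server model, the domain example.com, the mailbox names, the message size and the 512-byte bounce overhead are all constructed. It shows why accept-then-bounce turns a server into an amplifier aimed at whatever forged sender address the message carries, and why rejecting at RCPT TO generates no bounce traffic at all.

```python
"""Added example: accept-then-bounce vs. reject-at-RCPT on a receiving mail server."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Message:
    envelope_sender: str      # SMTP MAIL FROM: where bounces go; trivially forgeable
    recipients: List[str]     # SMTP RCPT TO addresses
    size_bytes: int           # body plus attachments


@dataclass
class Bounce:
    to: str
    size_bytes: int


@dataclass
class MailServer:
    domain: str
    mailboxes: Set[str]
    reject_unknown_at_rcpt: bool      # the configuration choice this example is about
    delivered: List[str] = field(default_factory=list)
    bounces: List[Bounce] = field(default_factory=list)
    rcpt_rejections: int = 0

    def rcpt_to(self, rcpt: str) -> bool:
        """SMTP RCPT TO stage. True = 250 accepted, False = 550 rejected.

        Rejecting here costs the receiver nothing: no message body has been
        transferred yet, and no bounce is ever generated for the address.
        """
        local, _, dom = rcpt.rpartition("@")
        if dom != self.domain:
            return False                      # we do not relay for other domains
        if local in self.mailboxes:
            return True
        if self.reject_unknown_at_rcpt:
            self.rcpt_rejections += 1
            return False
        return True                           # accept now, sort it out after DATA

    def receive(self, msg: Message) -> None:
        """Full transaction: RCPT TO for each address, then DATA and delivery."""
        accepted = [r for r in msg.recipients if self.rcpt_to(r)]
        for rcpt in accepted:
            local = rcpt.rpartition("@")[0]
            if local in self.mailboxes:
                self.delivered.append(rcpt)
            else:
                # Accepted but undeliverable: the only address the server has
                # to notify is the (forged) envelope sender, and the DSN carries
                # the original message and attachments back to it.
                self.bounces.append(Bounce(to=msg.envelope_sender,
                                           size_bytes=msg.size_bytes + 512))


def backscatter_bytes(server: MailServer, address: str) -> int:
    """Total bounce traffic the server directed at one address."""
    return sum(b.size_bytes for b in server.bounces if b.to == address)


def simulate(reject_unknown_at_rcpt: bool) -> Dict[str, int]:
    """One constructed message: forged sender, 1 valid and 999 invalid recipients."""
    target = "postmaster@target.example.net"   # constructed forged envelope sender
    server = MailServer(domain="example.com",
                        mailboxes={"alice", "bob"},
                        reject_unknown_at_rcpt=reject_unknown_at_rcpt)
    recipients = ["alice@example.com"] + [f"nobody{i}@example.com" for i in range(999)]
    server.receive(Message(envelope_sender=target, recipients=recipients,
                           size_bytes=200_000))
    return {
        "delivered": len(server.delivered),
        "rcpt_rejections": server.rcpt_rejections,
        "bounces": len(server.bounces),
        "backscatter_bytes": backscatter_bytes(server, target),
    }


if __name__ == "__main__":
    print("accept-then-bounce:", simulate(reject_unknown_at_rcpt=False))
    print("reject at RCPT TO: ", simulate(reject_unknown_at_rcpt=True))
```

The legitimate recipient is delivered in both configurations; the difference is that the accept-then-bounce server emits one copy of the message per bad address towards the forged sender, while the RCPT-rejecting server answers each bad address with a 550 during the session and stores nothing. Secondary MX hosts and gateways that accept mail for a domain without knowing its mailbox list are the usual source of this behaviour in practice.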
"Group Suggests 25 Ways to Improve IT
Security" Government Computer News
(04/06/04); Miller, Jason
- The Corporate Information Security Working Group
released a report this week that says to improve
government and private sector cybersecurity, new
legislation, insurance changes, and public outreach
efforts are needed. The group, consisting of academic
and industry members, has offered 25 recommendations
to improve IT security, at the request of Rep. Adam
Putnam (R-Fla.), chairman of the House Government
Reform Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census. Last
autumn, Putnam drafted legislation that would require
publicly traded companies to include an IT security
plan status report with their filings to the
Securities and Exchange Commission, but did not
sponsor the legislation and instead created the
working group. "Since approximately 85 percent of this
nation's critical infrastructure is owned or
controlled by the private sector," Putnam explains, "I
have worked to identify strategies that will produce
meaningful improvement in the computer security of
corporate America." The working group's subgroups
focus on reporting, information sharing and
performance metrics, procurement practices, education,
incentives and liability, and best practices. The
recommendations include enforcing provisions of the
Federal Information Security Management Act, which
requires agencies to uphold minimum security
standards; identifying qualified, certified, or
compliant third-party organizations; and providing an
antitrust exemption for critical infrastructure
industry groups that agree to obligatory security
specifications for software and hardware. Click
Here to View Full Article
"Security Patching: Easy As
1-2-3" Network Magazine (03/04) Vol. 19, No.
3, P. 37; Greenfield, David
- Network managers will have a much easier job
protecting Web applications if two new security
protocols automate vulnerability description,
assessment, and patching. However, the XML-based
Application Vulnerability Description Language (AVDL)
and Web Application Security (WAS) standards are not
being developed with regard to one another and could
have interoperability problems. Cooperation between
the standards' developers could come some time in the
future, says WAS technical committee Chair Mark
Curphey, also consulting director of Foundstone. If
the two standards work together, security vendors
could publish bulletins that organizations subscribe
to via middleware, using the WAS and AVDL standards to
define and carry the security information, says
Computer Incident Advisory Capability (CIAC) security
analyst Jon Diaz. As it is now, network managers spend
inordinate amounts of time deciphering application
vulnerability scan reports, then reconciling those
reports to their particular firewall's rule wizard,
and finally rewriting firewall rules to secure the Web
application. AVDL is supported by the Organization for
the Advancement of Structured Information Standards
(OASIS) and five lesser-known security vendors. WAS
has the backing of major vendors such as CheckPoint,
and would likely win out if the two protocols do not
match. WAS tackles the more difficult challenge of
defining tasks as opposed to simply communicating
information about the attacks between devices. IETF
Transport Layer Security working group co-Chair Eric
Rescorla, also founder of security consulting firm
RTFM, warns that automated scanning descriptions could
be harnessed by hackers to quickly create new attack
tools based on freshly discovered vulnerabilities. Click
Here to View Full Article
From Chicago
Tribune, May 3, 2004
WORM TURNS UP
- A computer infection called Sasser has been
fouling computers worldwide today. Read the article.
From ACM
TechNews, April 26, 2004
"Hackers: Under the Hood" ZDNet
Australia (04/19/04); Gray, Patrick; Foo, Fran
- Network security cannot be effective without a
thorough understanding of the hacker mindset, and
several hackers--Brian Martin, Adrian Lamo, and Raven
Alder--agreed to be interviewed to discuss their
backgrounds and motivation. Martin, 30, is best known
by the moniker "Jericho," and his most notable work is
the co-creation of the attrition.org Web site, a
catalog for defaced Web sites and security holes. Now
employed as an independent security consultant, Martin
recalls that his hacking escapades ran the gamut from
just plain silly to downright paranoid, such as the
time he hacked into the phone network because he was
worried that his line was bugged. He says the security
industry is in a sorry state, and is characterized by
a shortage of "real" skills and overpriced products of
exceedingly poor quality. Lamo, 23, started hacking
when he was eight years old; disenchanted by hacker
culture, he prefers working alone, and has applied his
nomadic lifestyle to his online exploits. Though Lamo
has never hacked for malicious reasons (he would
usually contact network administrators and describe
how he penetrated their systems), he was arrested when
he broke into the New York Times network and gained
access to its contributor database. Lamo calls the
security industry dishonest, and says that to work in
such an industry would be tantamount to prostitution.
Alder, 28, admits she is "geekish," and shares with
Martin and Lamo a disdain for the security industry:
"The root problem that the security industry has
is...unscrupulous people selling to an uninformed
market," she explains, although she also reserves some
culpability for end users, who remain willfully
ignorant. "People who understand security are
necessary, and in chronically short supply," Alder
laments. Click
Here to View Full Article
"Can E-Mail Be Saved?" InfoWorld
(04/19/04) Vol. 26, No. 16, P. 40; Boutin,
Paul
- Email's usefulness in the enterprise is being
threatened by the growing problem of spam, which is
why email's role in the workplace needs to be
reconsidered; a panel of a half-dozen software
entrepreneurs offers various solutions, but all concur
that the effectiveness of any solution stems from
positive identification. Sendmail author Eric Allman
believes that email problems are not restricted to
spam, and his solution is to redesign SMTP with a
focus on cryptography rather than DNS-based
authentication. He also thinks a standard
domain-authentication mechanism should be implemented
across the entire Internet. Bill Warner, developer of
the Wildfire voice system, says challenge-response
systems should be patterned after the U.S. Postal
Service's method for identifying abuse by using caller
ID schemes to identify the people sending the email
instead of the servers. Reinventing email is not the
answer, according to Ray Ozzie of Groove Networks:
What is called for is a move away from the email
paradigm, in which workplace activities are
transferred to other, more appropriate paradigms such
as instant messaging and RSS. Userland Chairman Dave
Winer states that email is no longer valid as a
publishing tool, and the best solution is RSS, which
he has made immune to spamming by keeping the system
opt-in at both ends. Proofpoint Chairman Eric Hahn
says email content must be made automatically
parsable, and this shift is being driven not just by
spam, but by the Sarbanes-Oxley Act of 2002; his
solution involves converting email into metadata
packaged in XML. Inventor Brewster Kahle offers the
bluntest solution to spam, in which spammers are
prosecuted by law enforcement for committing acts of
fraud. Moreover, Kahle says this can be done without
passing excessive new laws; for instance, he suggests
that spammers who conceal their real names and
addresses should be reported to the FBI for sending
forged documents. Click
Here to View Full Article
From EduPage,
April 9, 2004
New Virus Targets Mac Users
- A new Trojan horse represents what one security
expert said is "the first native Mac OS virus." Brian
Davis of Mac security firm Intego said the MP3Concept
or MP3Virus.gen Trojan horse, which masquerades as an
MP3 file, does not cause an infected computer any harm
but merely accesses files in the System folder.
According to Davis, the virus is probably a test to
see what is possible with Mac systems, which
historically have not been targets of malicious code.
Given the growing popularity of Apple Computer's
online music service, however, OS X systems have
become a more tempting target. Because Windows--with
its dominance in the operating system market--has
traditionally drawn the attention of virus writers,
most Mac users do not use antivirus software and are
generally unconcerned about opening attachments in
e-mail. With the new Trojan horse, said Davis, these
habits for Mac users could change quickly. "They're
all susceptible to viruses and Trojans," said Davis,
"just as Windows is." Wired News, 9 April 2004 http://www.wired.com/news/mac/0,2125,63000,00.html
Security Experts Debate Appropriateness Of
Exploit Tool
- A new security tool from the Metasploit Project
has drawn criticism from some security experts who say
it offers potential hackers an easy means to launch
attacks. Computer scripts called "exploits" take
advantage of known security holes in systems. The new
tool is essentially such an exploit that can be easily
modified to test new vulnerabilities. According to
Metasploit founder HD Moore, the tool is a boon for
security personnel, who use it to test systems for
flaws and in quality assurance programs. Peter
Lindstrom of Spire Security, however, sees the tool as
having real value for only "about 10 academics and
serious researchers who may find this interesting."
Beyond those people, Lindstrom said, the tool could
allow thousands of others to become hackers. Moore
conceded that the tool could be used in malicious ways
but argued that it is nonetheless valuable for those
seeking to protect systems from attack. He said
exploits are "required for many types of legitimate
work." Other security companies have developed similar
tools to aid in securing computer systems, and HP has
created an attack tool to test network security.
ZDNet, 8 April 2004 http://zdnet.com.com/2100-1105_2-5187776.html
From ACM's
TechNews, April 2, 2004
"Face-Off: Is Patch Management the Best
Defense Against Vulnerabilities?" Network
World (03/29/04) Vol. 21, No. 13, P. 44; Schultze,
Eric; Hofmeyr, Steven
- Shavlik Technologies chief security architect Eric
Schultze contends that intrusion-prevention systems
(IPSes), anti-virus software, and firewalls alone
cannot shield computers against known software flaws,
and that patch management is the key ingredient for
ensuring network security. Schultze likens a software
patch to medicine in that it attacks the disease--the
flaw itself--rather than the symptoms. He explains
that it is not always known that a patch for one bug
could also remedy another error elsewhere in the
operating system, which is why applying a firewall or
an IPS to fix one specific bug may not protect other
susceptible portions of the code; Schultze argues that
the operating system or application vendor is
optimally positioned to fix the flaw because it truly
understands the nature and breadth of the error. He
adds that patches not only contain the latest version
of the buggy code, but often also contain all known
security fixes, so applying a patch guarantees that
the user is running the latest iteration of the vendor
code, correcting public and non-public vulnerabilities
in the associated code. Sana Security founder Steven
Hofmeyr calls patch management a miserable failure: He
explains that faulty patches can carry more
organizational cost than a security breach by bringing
down vital servers, and cautions that vendors must
conduct thorough regression testing before deployment.
Hofmeyr also points out that misconfiguration and
certain other vulnerabilities cannot be remedied by
patching, while vendors sometimes fail to develop a
patch because they lack the time and resources, or
ascribe no importance to a bug. In addition, hackers
are adding new tools to their arsenal to accelerate
the reverse-engineering of patches to determine flaws,
speeding up the race between hacker exploitation and
patch deployment. Hofmeyr believes host-based IPSes
are a more effective solution, because they block
attacks against unpatched flaws and furnish immediate
protection. Click
Here to View Full Article
"New Marking Process Traces Spammers, Pirates,
and Hackers" EurekAlert (03/31/04)
- Penn State researchers have proposed a new process
to make it impossible for hackers, spammers, and
digital pirates to spoof source addresses in order to
thwart attempts to trace them. The method involves
using border routers to mark each message or data
packet with an identifying number. The marks are
formed from the border router's 32-bit IP address and
would reside in obsolete fields in the IP packet
headers; should the available obsolete field be less
than 32 bits long, the researchers suggest
partitioning the border router's IP address into
overlapping segments, each of which would be employed
by the router as a potential mark. Fragments from
packets that have been labeled as malevolent are
combined to form the names of the border routers that
tagged and forwarded them to the victim's computer,
while false positives can be reduced because the
overlapping fields permit the victim to compare
fragments from the same router. The marking scheme
generated fewer than 1% false positives per 1,000
attacking addresses in simulated distributed denial of
service attacks, and had a 100% success rate in
tracing addresses transferring copyrighted content in
another simulation. "The technique offers Internet
access providers a real-time, cost-effective way to
conduct forensics and improve security for the
Internet," notes Penn State's Dr. George Kesidis, who
developed the process with Ihab Hamadeh. "In addition,
the approach will be demonstrably effective during an
incremental deployment phase, thereby creating
incentives for broader deployment to satisfy the cyber
security concerns of the Internet services industry
and government regulators." Click
Here to View Full Article
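The marking scheme described above is easier to follow in code. The example below is added here and is not the Penn State researchers' implementation; the fragment layout (four 11-bit fragments at 7-bit strides, so that neighbours share 4 bits), the 16-bit header field the mark is written into, the random choice of fragment per packet and the two documentation-range router addresses are all assumptions made for illustration. It carries the idea through both ends: a border router writes one fragment of its own address into each packet, and the victim groups the fragments it has collected from packets classified as malicious, chains them only where the shared bits agree, and so recovers whole router addresses while discarding mismatched combinations.

```python
"""Added example: overlapping-fragment packet marking and victim-side reconstruction."""
import random
from typing import Dict, Iterable, List, Set, Tuple

FRAG_WIDTH = 11                 # bits of the router address carried per mark (assumed)
FRAG_OFFSETS = (0, 7, 14, 21)   # MSB offset of each fragment; 21 + 11 = 32 covers the address
MARK_FIELD_BITS = 16            # size of the reused header field, e.g. IP identification
FRAG_MASK = (1 << FRAG_WIDTH) - 1


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def fragments(router_ip: str) -> List[Tuple[int, int]]:
    """Split a 32-bit address into overlapping (index, value) fragments."""
    n = ip_to_int(router_ip)
    return [(i, (n >> (32 - off - FRAG_WIDTH)) & FRAG_MASK)
            for i, off in enumerate(FRAG_OFFSETS)]


def encode_mark(index: int, value: int) -> int:
    """Pack the 2-bit fragment index and 11-bit value into the reused field."""
    mark = (index << FRAG_WIDTH) | value
    assert mark < (1 << MARK_FIELD_BITS)
    return mark


def decode_mark(mark: int) -> Tuple[int, int]:
    return mark >> FRAG_WIDTH, mark & FRAG_MASK


def router_mark_packets(router_ip: str, count: int, rng: random.Random) -> List[int]:
    """Border router side: each forwarded packet carries one randomly chosen fragment."""
    frags = fragments(router_ip)
    return [encode_mark(*rng.choice(frags)) for _ in range(count)]


def overlap_bits(i: int) -> int:
    """Number of address bits shared by fragment i and fragment i + 1."""
    return FRAG_OFFSETS[i] + FRAG_WIDTH - FRAG_OFFSETS[i + 1]


def consistent(prev_value: int, i: int, next_value: int) -> bool:
    """True if the low bits of fragment i equal the high bits of fragment i + 1."""
    ov = overlap_bits(i)
    return (prev_value & ((1 << ov) - 1)) == (next_value >> (FRAG_WIDTH - ov))


def reconstruct(marks: Iterable[int]) -> Set[str]:
    """Victim side: group observed fragments by index, chain them through matching overlaps."""
    seen: Dict[int, Set[int]] = {i: set() for i in range(len(FRAG_OFFSETS))}
    for m in marks:
        idx, val = decode_mark(m)
        seen[idx].add(val)

    results: Set[str] = set()

    def extend(i: int, chain: List[int]) -> None:
        if i == len(FRAG_OFFSETS):
            n = 0
            for j, v in enumerate(chain):          # overlaps agree, so OR reassembles cleanly
                n |= v << (32 - FRAG_OFFSETS[j] - FRAG_WIDTH)
            results.add(int_to_ip(n))
            return
        for v in seen[i]:
            if not chain or consistent(chain[-1], i - 1, v):
                extend(i + 1, chain + [v])

    extend(0, [])
    return results


def demo() -> Set[str]:
    """Constructed scenario: malicious packets arrived via two border routers."""
    rng = random.Random(1)
    attack_marks: List[int] = []
    for router in ("198.51.100.7", "203.0.113.42"):   # documentation-range addresses
        attack_marks += router_mark_packets(router, 64, rng)
    return reconstruct(attack_marks)


if __name__ == "__main__":
    print(sorted(demo()))
```

The overlap check is what keeps false positives down: a fragment from one router can only be chained to a fragment from another if their shared bits coincide, which for a 4-bit overlap happens by chance in one combination out of sixteen at each junction, and a wrong chain must pass every junction to produce a spurious address. The scheme also degrades gracefully under partial deployment, as the summary notes: routers that do not mark simply contribute nothing, and any router that does mark is still reconstructable on its own.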
"Yoran Rejects Claims of Slow Progress in
Securing Key IT Systems" InformationWeek
(03/30/04); Hulme, George V.
- Amit Yoran, director of the Department of Homeland
Security's National Cyber Security Division (NCSD),
refutes recent claims by Sen. Joseph Lieberman
(D-Conn.) on the Senate Government Affairs Committee
that the White House's efforts to secure the United
States' critical infrastructure IT systems have been
sluggish and unfocused. He lists significant
accomplishments his division has achieved since its
inception last June, among them: The creation of the
U.S. Computer Response Team (US-CERT) to oversee
participation between federal and non-federal
cybersecurity entities, examine and reduce
cyberthreats and security holes, issue cyberthreat
warnings to affected parties, and coordinate
incident-response operations; the establishment of the
National Cyber Alert System, which currently
disseminates cybersecurity data to 1 million Americans
with technical and non-technical backgrounds; and the
co-hosting of the National Cyber Security Summit,
where both the government and the private sector
started working on an architecture for corporate
security governance. Another notable achievement was
the Homeland Security Department's participation in
the Livewire cyberattack simulation, which
demonstrated the need to improve the public
dissemination of cyberprotection data and two-way
information exchange with private companies, and also
spurred Yoran's department to form the Cyber
Interagency Incident Management Group. The creation of
the group, which enables law enforcement, defense, and
intelligence officers to leverage federal resources to
facilitate the most effective response to
intragovernmental cyberthreats, was accompanied by the
organization of the Chief Information Security
Officers Forum and the Government Forum of Incident
Response Teams. Yoran says the U.S. Homeland Security
Department is deeply involved in the securing of
digital control systems and the development of germane
and rational metrics to evaluate how effective its
initiatives are. Click
Here to View Full Article
From ACM's
TechNews, March 31, 2004
"Time to Enlist a 'National Guard' for
IT?" Network World (03/29/04) Vol. 21, No.
13, P. 8; Greene, Tim
- Military emergency management officials, speaking
at the recent Norwich University e-ProtectIT
conference, said the United States is not prepared to
recover quickly should a major cyberterrorism attack
take place. They also say that such an attack might
require government mobilization of IT professionals.
Retired Army National Guard Maj. Gen. Jack D'Araujo
suggested the possibility of a cyber national guard to
react to attacks, noting that there is no existing
official chain of command for such an organization.
D'Araujo says, "We're really plowing some new ground.
We flat-out aren't prepared to deal with it." Former
National Computer Security Center director Patrick
Gallagher said that IT community members do know what
to do during a cyberattack, but they lack leadership.
Gallagher says that "we have network groups who can
and do talk to each other and speak a similar language
and have the same training. What we need is the
leadership to pull that together." Qovia vice
president Pierce Reid pointed out that since no
cyberdisaster has yet taken place, it is not known
what will be required or how fast damage can be fixed.
The Cyber Security Early Warning Task Force recently
issued a report urging the creation of an
early-warning network and a CERT-run national crisis
coordination center to collect attack information and
issue warnings. Information-sharing systems already
exist, but they do not have official powers, D'Araujo
said, and many companies are reluctant to share
information. Norwich CIO Phil Sussman, who led a
seminar on network security, says even minor attacks
"will shake confidence in the network itself with a
series of things people expected but are no longer
there." U.S. Marine Gen. Commandant Alfred Gray says
IT professionals must get "street-wise" and examine
their systems the way attackers do to look for cracks
and seams in their operations. Click
Here to View Full Article
"Computer, Heal Thyself" Federal
Computer Week (03/29/04) Vol. 18, No. 8, P. 42;
Moore, John
- Computers that can self-configure, self-repair,
and self-optimize are highly desirable for
organizations that implement information grids and
other highly distributed computing models, while
autonomic computing's promised benefits to others
include more reliable and resilient machines that
require less hands-on maintenance. "It addresses the
out-of-control costs of doing basic monitoring of
operations and maintenance of IT systems," says Ric
Telford of IBM's Autonomic Computing effort. Autonomic
computing has attracted the most interest from
scientific and technical government entities such as
NASA, the Energy Department, and the Defense Advanced
Research Projects Agency (DARPA), which often
undertake projects that require distributed data
analysis; vendors pursuing the technology besides IBM
include Sun Microsystems, Hewlett-Packard, and
specialty firms such as Stottler Henke Associates.
Some officials believe autonomic computing can provide
augmented security, and DARPA has created the
Self-Regenerative Systems program for such a
purpose--namely, the development of systems capable of
automatic response to cyberattacks. Other projects,
such as Sun's N1Grid, aim to manage multiple machines
as if they were a single computer, notes Dennis Govoni
of Sun's government division. Peter Hughes of NASA
Goddard Space Flight Center's Information Systems
Division reports that autonomic computing could find
its way into NASA projects such as the Mission
Services Evolution Center, which will supply a unified
framework for ground and flight systems. The IRS,
meanwhile, plans to use autonomic computing to cut
operational costs and bolster customer service in one
of the few initiatives outside of the technical
computing arena. Industry and government executives
think agencies should prepare for the emergence of
autonomic computing by refining their IT management
practices. Click
Here to View Full Article
From ACM's
TechNews, March 29, 2004
"IT Security and Software
Development" TechNewsWorld (03/26/04);
Halperin, David
- As hardware and software proliferates, there is a
pressing need to address interoperability and security
issues, such as whether the technologies will
interoperate reliably under all potential test
scenarios. Unfortunately, the number of software
combinations that need to work together in a secure
manner--and in an environment that faces a rising tide
of malware--is nearly limitless. Aberdeen Group VP Jim
Hurley explains that it is simply too exhaustive a job
for a software supplier to model all possible hacking
outcomes. British IT consultant David Quinn thinks
part of the interoperability problem stems from the
large teams tasked with major applications and
operating systems, contending, "You try to set
standards and 'middle bits' that everything talks to
[in order to] try and cut down the diversity. But
you're never going to completely cut it down." Quinn
adds that flawed system design concepts are also a
major part of the problem, but eliminating them is
unlikely to happen because of business imperatives.
Mi2g Intelligence Unit executive chairman D.K. Matai
says configuration management is responsible for 90
percent of successful hacker attacks, and his
suggestion is that, whatever the established security
holes are, "the appropriate patches ought to be
applied, and the default configurations and services
which are running on a particular system ought to be
shut off if they are not needed." Matai predicts that
more ruthless security measures will be implemented in
the future, including: Stricter authentication, such
as random passwords that are changed frequently, and a
biometric/smartcard combination; the transfer of
complex data from a user's computer to an upstream
"vault" ensured by a bank-like entity supplying data
custody services; and governments and countries either
limiting the capabilities of commercially sold
computers or requiring users to demonstrate their
competence in being more circumspect should their
computers be hacked. Click
Here to View Full Article
"Spam-Busters" Network World
(03/22/04) Vol. 21, No. 12, P. 69; Ulfelder,
Steve
- Unspam CEO Matthew Prince, one of the top spam
fighters in the United States, argues that for spam to
be curtailed several things must happen: Technology
that can help establish and confirm a sender's
identity must be developed, which will allow anti-spam
laws to be more enforceable and effective. These laws,
Prince contends, must "decrease the cost of tracking
down spammers, decrease the cost of bringing a trial,
increase the likelihood of success at trial or
increase the social benefit from winning a trial."
Shlomo Hershkop, a Ph.D. candidate at Columbia
University, is amazed that spam has become such a
large problem, given that technology intelligent
enough to effectively combat it already exists. He
also thinks that spam will linger far past Microsoft
Chairman Bill Gates' projected mid 2005 deadline.
Freelance anti-spam software developer Matt Knox
attests that spam is a technical problem that must be
remedied with a technical solution, and echoes Bill
Gates' optimism that spam's demise is imminent, partly
because of improving, easier-to-use spam filters. At
the same time, he acknowledges that anti-spam
legislation is important, although he is uncomfortable
with leveraging the Digital Millennium Copyright Act
against spammers. Software developer Terry Sullivan
says authentication technologies are being
overemphasized as a spam solution: He explains, "Every
day users do not make their ham/spam judgment based on
the source of the message. They make it based on the
content of the message." Sullivan likens the war
against spam to the Pacific Theater in World War II,
where progress was made in fits and starts; he also
notes that there already exist strategies that could
effectively derail spam at the cost of email's
convenience, and formulating a less brutal solution
will be a tough challenge. Click
Here to View Full Article
From ACM
News, March 26, 2004
"When Instant Messages Come Bearing
Malice" New York Times (03/25/04) P. E4;
Junnarkar, Sandeep
- Instant messaging (IM) is the next big target for
spammers and hackers now that the number of people who
use the technology has grown significantly.
Popularized by teenagers during the late 1990s, IM has
now spread to the business world where people find it
useful for quickly sharing files and communicating.
The immediacy of the format makes it especially
vulnerable to social engineering schemes such as an
"Osama Captured!" game spread over America Online's IM
network: That IM spam message, known in IM parlance as
"spim," got people to click on a link claiming Osama
Bin Laden was captured, which then took them to a game
download site; when users downloaded the game, they
also got a load of adware and executable code that
sent copies to everyone on their buddy list. America
Online chief trust officer Tatiana Gau says filters
are in place now to screen out the Osama message, and
Zone Labs' John LaCour says the exploit was relatively
benign since it did not carry a more potent payload.
The CERT Coordination Center at Carnegie Mellon
University has repeatedly warned about the danger
social engineering attacks pose to IM networks.
Promises of free products, pornography, and intriguing
links have long been used to trick email users, and
now are expected to increasingly show up on IM. IM is
also inherently less secure than email since it is
sent as plain text over the network, allowing
unethical system administrators to cull messages for
passwords or personal information. IM users also often
have the option of opening shared files to people on
their buddy list, and those files can contain
important documents or other pieces of information
possibly aiding identity theft. Major IM client
vendors Yahoo!, Microsoft, and America Online all use
closely guarded code, which experts say makes them more
susceptible to software flaws. Click
Here to View Full Article
From ACM
News, March 24, 2004
"Technology Solution to Slicing Spam
Lags" CNet (03/22/04); Olsen, Stefanie;
Festa, Paul
- Efforts to develop anti-spam technology standards
are displaying a profound lack of unification, and
some anti-spam experts are taking a long, hard look at
the standards issue's progress in the wake of AOL,
EarthLink, Microsoft, and Yahoo!'s joint lawsuit
against scores of spammers. There have been few public
signs of teamwork between the members of the Anti-Spam
Technical Alliance (who are also the plaintiffs in the
lawsuit), but they are individually developing
anti-spam measures: AOL recently started testing its
DNS-based Sender Policy Framework (SPF); Yahoo! often
discusses plans to support the proposed DomainKeys
email sender authentication scheme; and Microsoft has
devised an email verification scheme of its own,
Caller ID for Email, that focuses on message headers
rather than senders. Members of the alliance
acknowledge that agreement on common standards has
proceeded slowly, partly because the problem is so
complicated and there is little conclusive research
into how effective these separate standards would be.
Outblaze CTO Suresh Ramasubramanian predicts that
components of the more viable of these standards
initiatives will eventually be integrated into a
compromise proposal. An AOL spokesperson says
coalition members intend to test each other's proposed
solutions, but are still engaged in separating the
workable from the unworkable solutions. SPF, which has
been deployed by AOL and Google and selected for IETF
assessment, is a leading candidate for the common
technical anti-spam solution. MX Logic's Scott Chasin
suggests that proposed technical solutions developed
by the Internet Research Task Force's Anti-Spam
Research Group might attract more backing than any one
company's proposal, and adds that technical solutions
will have to be complemented by education and
legislation if spam is to be effectively corralled. Click
Here to View Full Article
From ACM
News, March 22, 2004
"Experts Publish 'How to' Book for Software
Exploits" IDG News Service (03/15/04);
Roberts, Paul
- Leading security researchers have published a book
that teaches how to write hacker code exploiting
software security holes. "The Shellcoder's Handbook:
Discovering and Exploiting Security Holes," set for
release next week, is intended for network
administrators, but includes working examples of code
and some previously published attack techniques.
Malicious hackers frequently use shellcode in their
attacks on computer systems. The book has chapters on
stack overflows, format-string bugs, and heap
overflows, among other topics, but co-author Dave
Aitel says the information is necessary for
administrators who want to secure their systems.
"People who know how to write exploits make better
strategic decisions," he adds. Co-authors Chris Anley
and David Litchfield say the book has information that
can already be obtained online from discussion groups,
or from university courses. The book has increased
debate over whether researchers should publicly expose
software flaws, especially since it contains
previously unknown information about how to launch
kernel attacks, for example. Novel hacking techniques
used for the first time are called "zero day"
exploits. Anley says the book is designed to defend
against hackers, not instruct them. He says, "This
isn't a collection of exploits. It's a book that tells
you how to find the bugs and understand what the
impact of the bugs is." Despite the controversy, SANS
Institute director of research Alan Paller says the
book will benefit those working to defend their
networks against attack more than it will hackers,
since it provides advice that makes sense. Click
Here to View Full Article
From ACM
News, March 19, 2004
"The Web: Hacker Turf War Raging
Online" United Press International
(03/17/04); Koprowski, Gene J.
- A turf war between three groups of rival hackers
is being waged over the Internet, the prize being the
many computer systems their malware threatens to
compromise and zombify worldwide. In computer worms
such as MyDoom, Netsky, and Bagle, Central Command
analysts have uncovered messages intended to provoke
virus writers, such as "wanna start a war?" Central
Command VP Steven Sundermeier characterizes this
battle as "a war for power and seniority," while
experts fear that this rivalry could have a
substantial negative commercial impact on the
government and economy of the United States, and even
become a serious threat to U.S. national security.
Futurist R. Pierce Reid, formerly with General
Dynamics, says the federal government is not entirely
ready to counter a coordinated attack orchestrated by
cyber-terrorists. A continuing source of mystery is
who is training these cyber-vandals and what their
political motivations are, although there have been
reports of a North Korean military facility where
hacking is taught. Several projects are underway to
root out cyber-terrorists by scrutinizing the code of
the malware they use: Britain's National Hi-Tech Crime
Unit is studying connections between extremist
organizations and virus-authoring cooperatives,
looking for patterns in source code that could offer
clues to the hackers' identities. The U.S. Northern
Command's Joint Protection Enterprise Network, which
was launched this month, is an Internet-browser-based
system that facilitates the rapid exchange of
anti-terrorism data between intelligence agencies
online. Computer experts think terrorist hackers could
do substantial damage to the private sector, although
it is unlikely they could cripple the federal
government. However, some specialists do not
exclusively blame Islamic extremists for all
cyber-crimes: Some perpetrators are amoral businesses
that want to commit corporate espionage or sabotage.
Click
Here to View Full Article
"Viruses Lurk as a Threat to 'Smart'
Cellphones" Wall Street Journal (03/18/04)
P. B4; Nasaw, David
- The growing power of "smart phones" is increasing
their susceptibility to malware, which Network
Associates predicts could cost North American wireless
carriers as much as $2.5 billion in two years. As a
result, the wireless industry is preparing itself for
a major virus assault that targets intelligent
cellular phones. Less advanced "dumb" phones may not
be vulnerable to a virus infection, but an attack on
smart phones could have an impact on voice traffic for
all phones in a cell network, because voice and some
data are piped along the same channels. U.S. wireless
carriers claim they can shield themselves from
infection by scanning wireless data traffic and
filtering out suspicious behavior, which would thwart
phones from transmitting viruses embedded within text
messages to multiple numbers. Although IDC researcher
Sally Hudson says the wireless industry is making a
valiant effort to address the threat of smart-phone
viruses, she warns that "the current protection for
mobile networks is poor." Symantec and Network
Associates have responded to the threat by issuing
antivirus products for the leading handheld platforms,
while F-Secure has devised software that can
wirelessly transmit antivirus updates to phones, as
well as an antivirus filter that wireless carriers can
deploy on their download platforms to safeguard users
retrieving games, ring tones, and other programs.
Meanwhile, operating-system manufacturers are working
to reduce vulnerabilities: Symbian, for example, is
building a program that will allow the integrity of
applications written for its operating system to be
authenticated to a certain degree. For now, the
prospect of launching a virus attack against smart
phones is not attractive to hackers, given the small
number of vulnerable phones currently in use.
"New Hacker Program Prompts
Alert" Washington Post (03/18/04) P. E5;
Krebs, Brian
- A new hacker tool has emerged to take advantage of
the peer-to-peer networking abilities that
file-sharing networks use, and computer security
experts are watching for it. The Phatbot tool is
thought to have already infected hundreds of thousands
of computers that use the Windows operating system,
which means that hackers could control the computers
and link them into P2P networks to send spam or flood
Web sites. The Department of Homeland Security (DHS)
has sent out an alert to some computer security
experts about the tool, warning that it hunts for
passwords and tries to take down antivirus and
firewall software. Symantec senior director Vincent
Weafer describes Phatbot as "a virtual Swiss Army
knife of attack software"; the tool is a kind of
Trojan horse, but much more evolved than most such
programs. It usually gets in through security flaws in
Windows or through a backdoor installed by the Bagle
or Mydoom Internet worms, and links the computers into
a network so that hackers can issue orders through a
variety of routes, making it much harder to shut down.
Most major antivirus products detect the tool, but it
can disable the software. A DHS cybersecurity official
says, "The concern here is that the peer-to-peer like
characteristics of these 'bot networks may make them
more resilient and more difficult to shut down," since
Phatbot attacks can only be completely shut down if
every infected computer is found. Home broadband users
and computer networks at colleges and universities are
the primary Phatbot targets so far, but TruSecure
chief scientist Russ Cooper says "U.S. e-commerce is
in serious threat of being massively attacked by
whoever owns these networks" if P2P networks of
hundreds of thousands of computers are infected. Click
Here to View Full Article
From ACM
News, March 17, 2004
"In E-Mail Warfare, the Spammers Are
Winning" Baltimore Sun (03/14/04) P. 1A;
Shane, Scott; Packard, Jean
- In the arms race between spammers and anti-spam
proponents, the bad guys have the upper hand thanks to
underhanded tactics such as using computer worms to
compromise vulnerable systems and turn them into
"zombies" for mass-mailing spam. Spamhaus director
Steve Linford predicts that spam will probably account
for 80 percent of all email in the United States by
summer. Worms are not the only tool in spammers'
arsenal: Other methods include counterfeiting return
addresses, and tweaking the spam with odd spellings
and blocks of random text to thwart electronic
filters. The profit potential is irresistible for
spammers: Spam can be cheaply distributed to millions
of people in a few hours, and profits can be realized
even if only one spam recipient out of 10,000 makes a
purchase. Spam hurts the productivity of businesses
that must use up precious time to get rid of junk
email, while filters, despite their increasing
sophistication, cannot avoid mistaking legitimate
email for spam. One proposed approach for curtailing
spam involves challenge-response systems designed to
authenticate the legitimacy of email if the sender
types in a certain word or code, thus indicating that
the sender is an actual person and not a computer
program; another is to charge senders a penny for each
email they send. Legislation such as the CAN-SPAM Act
appears to have had little effect on the spam problem,
though the biggest U.S. email providers recently
invoked the law to file lawsuits against scores of
spammers. Linford believes spam can only be
effectively controlled through combined technological,
litigious, and prosecutorial efforts, though the
situation is likely to worsen in the short term. Click
Here to View Full Article
"Can Social Networking Stop
Spam?" NewsFactor Network (03/15/04);
Martin, Mike
- A new algorithm developed by UCLA professors P.
Oscar Boykin and Vwani Roychowdhury applies social
networking principles to spam filtering. "We routinely
use our social networks to judge the trustworthiness
of outsiders...to decide where to buy our next car, or
where to find a good mechanic," notes Roychowdhury.
"An email user may similarly use his email network,
constructed solely from sender and recipient
information available in the email headers, to
distinguish between...'spam,' and emails associated
with his circles of friends." The researchers'
algorithm processes a specific user's personal email
network to concurrently determine both the user's
trusted networks of friends and spam-spawned
sub-networks, Boykin explains, adding that the
algorithm distinguished between spam and legitimate
email with no errors or false negatives in a recent
test. The researchers studied six weeks' worth of
emails from assorted individuals so they could
ascertain the "components" of their email network, a
component being a series of nodes that can connect to
each other in the network, according to Boykin;
analyzing "clustering coefficients" in a
network--provided the network is big enough--is an
easy way to tell spam and non-spam components apart.
Boykin says he and Roychowdhury observed that
clustering coefficients run high for non-spam
components, and are equal to zero for spam components.
Roychowdhury's colleague attests that the algorithm
can be used to train content-based filters to
recognize words and phrases typical of spam and
non-spam, once 50 percent of email can be accurately
classified as either junk or legitimate email. Boykin
points out that the tool also produces white lists and
blacklists used to verify that content filters are
properly classifying email. Click
Here to View Full Article
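The component-clustering idea the summary describes, as an added example (not the researchers' code): it builds the mailbox owner's email graph from From/To/Cc headers, linking each sender to each recipient and dropping the owner (an assumed edge rule), splits the graph into connected components, and labels a large component with a zero clustering coefficient as spam and one with triangles as friends. All addresses, the sample headers and the minimum component size are constructed assumptions.

```python
"""Added example: split an email network into friend and spam components.

The owner's personal email graph is built from From/To/Cc headers, cut into
connected components, and each component's clustering coefficient decides
whether it looks like a circle of friends (triangles present) or a
spam-spawned sub-network (no triangles at all). The sender-to-recipient edge
rule, the owner's address and the minimum component size are assumptions.
"""
import email
from collections import defaultdict, deque
from email.utils import getaddresses
from itertools import combinations

OWNER = "me@example.org"   # hypothetical mailbox owner; removed from the graph
MIN_COMPONENT_SIZE = 3     # smaller components are too small to judge (assumption)

# Constructed sample headers with hypothetical addresses. Messages 1-4 are a
# circle of friends who mail one another; 5-6 are two bulk senders hitting the
# same harvested list of strangers; 7 is a lone newsletter with no other recipient.
SAMPLE_MESSAGES = [
    "From: Alice <alice@example.net>\nTo: me@example.org, bob@example.net\nCc: carol@example.net\n\n",
    "From: bob@example.net\nTo: me@example.org, Carol <carol@example.net>\n\n",
    "From: carol@example.net\nTo: me@example.org\nCc: dave@example.net\n\n",
    "From: dave@example.net\nTo: me@example.org, alice@example.net\n\n",
    "From: promo1@bulk.example\nTo: me@example.org, x1@mail.example, x2@mail.example, x3@mail.example\n\n",
    "From: promo2@bulk.example\nTo: me@example.org, x1@mail.example, x4@mail.example\n\n",
    "From: news@list.example\nTo: me@example.org\n\n",
]


def header_addresses(raw_message, field):
    """Return the lowercased addresses found in one header field (From/To/Cc)."""
    msg = email.message_from_string(raw_message)
    return [addr.lower() for _, addr in getaddresses(msg.get_all(field, [])) if addr]


def build_graph(raw_messages, owner=OWNER):
    """Undirected graph over addresses: each sender linked to each recipient, owner dropped."""
    adj = defaultdict(set)
    for raw in raw_messages:
        recipients = header_addresses(raw, "To") + header_addresses(raw, "Cc")
        for sender in header_addresses(raw, "From"):
            if sender == owner:
                continue
            adj.setdefault(sender, set())  # a sender mailing only the owner is an isolated node
            for rcpt in recipients:
                if rcpt not in (owner, sender):
                    adj[sender].add(rcpt)
                    adj[rcpt].add(sender)
    return adj


def connected_components(adj):
    """Breadth-first split of the graph into frozensets of addresses."""
    seen = set()
    for start in list(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nbr in adj.get(node, ()):
                if nbr not in seen:
                    seen.add(nbr)
                    queue.append(nbr)
        yield frozenset(comp)


def clustering_coefficient(nodes, adj):
    """Transitivity of a component: closed triples / all connected triples (0.0 if none)."""
    closed = triples = 0
    for node in nodes:
        nbrs = adj.get(node, set())
        if len(nbrs) < 2:
            continue
        triples += len(nbrs) * (len(nbrs) - 1) // 2
        closed += sum(1 for a, b in combinations(nbrs, 2) if b in adj.get(a, ()))
    return closed / triples if triples else 0.0


def classify(raw_messages, owner=OWNER, min_size=MIN_COMPONENT_SIZE):
    """Map each component to (label, clustering coefficient); label is friends/spam/unknown."""
    adj = build_graph(raw_messages, owner)
    result = {}
    for comp in connected_components(adj):
        cc = clustering_coefficient(comp, adj)
        if len(comp) < min_size:
            label = "unknown"      # the network is not big enough to judge
        elif cc > 0.0:
            label = "friends"      # people who know each other form triangles
        else:
            label = "spam"         # strangers on a harvested list never mail each other
        result[comp] = (label, cc)
    return result


def address_lists(raw_messages, owner=OWNER):
    """Whitelist and blacklist derived from the component labels."""
    whitelist, blacklist = set(), set()
    for comp, (label, _) in classify(raw_messages, owner).items():
        if label == "friends":
            whitelist |= comp
        elif label == "spam":
            blacklist |= comp
    return whitelist, blacklist


if __name__ == "__main__":
    for comp, (label, cc) in classify(SAMPLE_MESSAGES).items():
        print(f"{label:8s} cc={cc:.2f}  {sorted(comp)}")
```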
"The End of Passwords" E-Commerce
Times (03/13/04); Millard, Elizabeth
- Lavasoft vice president Michael Wood says the way
that passwords are currently used poses a danger to
companies since individuals could use keylogging
spyware to record keystrokes and so learn passwords.
However, alternative user authentication technologies
such as smart cards have not caught on widely. Users
themselves often open the greatest security holes by
writing down passwords or using the same password for
multiple systems. The recent RSA conference showcased
a number of user authentication choices, including
SecurID technology, which was created by RSA and
Microsoft for Windows in particular. It uses a
personal identification number and an authentication
token, and generates new passwords every 60 seconds.
VeriSign has announced an alliance with Microsoft for
authentication services based on the Windows Server
2003 products, and Sun Microsystems says it will
create an identity-management solution for Microsoft
environments such as Windows. Given the widespread
corporate use of Windows, such technologies could
change network security. IT departments must find a
balance between security and usability, and blended
techniques are likely to become more popular this
year. Forrester analyst Michael Rasmussen says, "There
can be a trade-off on speed for security, depending on
your architecture. The decision on what to implement
is going to come down to an IT department's
preferences and needs." Click
Here to View Full Article
From New
York Times, March 18, 2004
Malicious Computer Worm Detected
By John Schwartz
- A malicious computer program known as phatbot or
polybot can create networks of remotely controlled
computers to take part in online attacks, send junk
e-mail messages and engage in other shady activities
common to the bad neighborhoods of cyberspace; the
program uses technology like that developed for
Gnutella and Kazaa to control machines.
From EduPage,
March 17, 2004
Putnam Blasts Federal IT Security
- Rep. Adam Putnam (R-Fla.) had harsh words this
week for federal agencies' failure to adequately
protect their IT infrastructures. A December report
gave federal agencies an overall grade of "D" for IT
security, and a new report from the Government
Accounting Office (GAO) indicates growing numbers of
cyber attacks against government systems. According to
the GAO report, cyber attacks on government offices
rose from 489,890 in 2002 to 1.4 million in 2003. The
report said blame for the lack of security falls more
with poor management practices within federal agencies
than with technology. Putnam, chair of the House
Government Reform Subcommittee on Technology, noted
that the nation has gone to great lengths to protect
physical security but said "protecting our information
networks has not progressed commensurately." Jeffrey
Rush of the Treasury Department acknowledged the
failings but noted that since the creation of the
Department of Homeland Security, his agency has seen a
70 percent reduction in staff. Internet News, 17 March
2004 http://www.internetnews.com/infra/article.php/3327081
From ACM
News, February 23, 2004
"Computer-Security Efforts
Intensify" Wall Street Journal (02/23/04) P.
B4; Clark, Don; Wingfield, Nick; Hanrahan,
Tim
- An annual conference hosted by RSA Security will
be held this week, with email fraud, spam, and new
ways to hinder such practices through the
authentication of company and user IDs being major
topics of discussion. Bolstering information security
has increased in importance because corporations may now
be liable for lost or compromised data thanks to new
legislation. One proposed solution is Sender Permitted
From (SPF), in which senders' servers post their IP
addresses so that email recipients can verify that
incoming messages are from legitimate sources. Time
Warner's America Online unit has tested SPF, which is
also being embedded in MailFrontier software and other
products. Meanwhile, PassMark Security will announce a
Web site authentication solution on Feb. 23 whereby
users are assigned a random image on their first visit
to a site that employs the PassMark system; they are
shown the same image when they revisit the site, before
entering their user names and passwords, and if the
image is missing or different they know that something
is wrong. Sun
Microsystems wants to widen the scope of smart cards
or security tokens, which reportedly offer better
protection for Web sites than passwords and more
accurate identification of emailers. VeriSign will
today announce new technical guidelines to reduce the
cost of smart cards and other robust ID measures. The
open authentication reference architecture (OATH) is a
joint project between Sun, IBM, Gemplus International,
BEA Systems, and others that aims to help companies
develop simple, interoperable online ID products.
"Spam: A Reality Check" PC Magazine
(02/18/04); Ulanoff, Lance
- The CAN-SPAM act has not stymied the rising tide
of spam email, but it has influenced changes in the
content and targeting of spam messages: Spammers are
using provisions in the CAN-SPAM law to make their
email look legitimate, including unsubscribe links and
postal mailing addresses, for example. SurfControl's
Susan Larson says one in 20 spam messages her company
captures for enterprise clients has some new
information added as a guise, and notes that new spam
messages appear to disseminate nonpromotional content,
such as trivia, but have normal spam text appended.
CAN-SPAM's requirement of snail-mail return addresses
is addressed by spammers who insert invisible white
text inside addresses, making them appear legitimate
to users but keeping anti-spam software from capturing
traceable addresses. The unsubscribe links are just a
bad idea, according to MessageLabs CEO Mark Sunner,
who says anyone even opening spam email puts
themselves at risk of virus infection, not to mention
those who click on inserted links. Sen. Conrad Burns
(R-Mont.), one of the co-authors of the CAN-SPAM
legislation, defends the bill but admits the
unsubscribe links were one area of compromise; he
looks forward to spam volume decreasing in coming
months as the Federal Trade Commission and FCC work
out enforcement rules that will likely give
protections to legitimate email marketing firms and
companies that distribute information to clients via
email. Burns also looks forward to international
gatherings such as the upcoming International Telecom
Union meeting for the creation of international
enforcement mechanisms. That would no doubt pressure
the majority of spam senders who keep their servers
outside the United States. Burns also says he has been
in contact with colleagues in the United Kingdom and
Australia about the international spam problem. Click
Here to View Full Article
"Serious Linux Security Holes Uncovered and
Patched" eWeek (02/19/04); Vaughan-Nichols,
Steven J.
- ISec Security Research, a Polish nonprofit
organization, discovered a number of security
vulnerabilities in the Linux kernel on Feb. 18 and
released an advisory. Linux kernel developers verified
the problems and fixed them with updates. One flaw
would have allowed a hacker to get full super-user
privileges, while the other would have allowed whole
systems to be hijacked or disabled. However, both
would have required local users with sophisticated
knowledge and Unix shell access, notes Debian Linux
security expert Martin Schulze. Linux distributors
including Novell/SuSE Linux, Red Hat, and the Debian
Project have released patches. Although not related,
both of the flaws were located in Linux's virtual
memory kernel subsystem; one of the flaws was found in
the mremap(2) system call of Linux 2.4 and 2.6's
kernel memory management code. Click
Here to View Full Article
"Unlocking Our Future" CSO Magazine
(02/04); Garfinkel, Simson
- Sandstorm CTO and technology writer Simson
Garfinkel maintains that computer security has Grand
Challenges equivalent to putting a man on the moon or
forecasting weather via supercomputing--in fact, he
was one of dozens of leading security researchers
invited by the Computing Research Association and the
Association for Computing Machinery to find and
present such challenges at a November workshop. The
end result was a quartet of challenges that deserve
"sustained commitments." The first information
security Grand Challenge lies in eliminating
epidemic-style worm, virus, and spam attacks within a
decade, and Garfinkel writes that most conference
attendees favored the development of a completely new
approach to solving the problem, rather than the
installation of antivirus software and the continuous
updating of systems. The second Grand Challenge is the
development of tools and principles for building
large-scale systems for critical and trustworthy
applications that also make lucrative targets, such as
medical records systems. The third Grand Challenge is
finding a reliable way to measure risk in information
systems, which could allow people to determine how
much an organization could save by deploying a
specific piece of software, for instance.
Practitioners usually establish "best practices"
designed to reduce the chances of computers being
breached, but such measures provide no metric for
making purchasing decisions, nor do they tell
organizations how secure their systems are at the
moment. The last Grand Challenge is to give end users
easily understandable security controls as well as
privacy they can control for the pervasive, dynamic
computing environments of the future; meeting such a
challenge could involve a fundamental shift in the way
people look upon and work with information systems.
Garfinkel concludes, "Ultimately...we need to start
thinking more strategically about computer security,
or else we are going to lose this war." Click
Here to View Full Article
From ACM
News, February 20, 2004
"Converging on Network
Security" Military Information Technology
(02/09/04) Vol. 8, No. 1; Gerber, Cheryl
- Solving the most formidable network security
problems is one of the goals of the National Security
Agency (NSA), which has launched programs to address
Internet interoperability, network convergence, and
wireless security bugs. The convergence of different
networks and appliances has prompted the agency to add
compatibility both inside and between commercial
infrastructures and existing, secure communications:
Secure interoperability between certain wired and
wireless systems was attained when the NSA started an
industry/government coalition that approved the Future
Narrow Band Digital Terminal (FNBDT) as a common
signaling specification; FNBDT has moved beyond narrow
band to include a common voice processing capability,
a crypto-algorithm base, and a key-management process,
which has helped it grow into the chief security
protocol for cell phones, military radios, and
emerging public safety communications devices for
first responders and homeland security initiatives.
Convergence of voice and data over secure wireless
networks has moved closer thanks to the inclusion of
secure voice and data interoperability in FNBDT mode,
while the emergence of electronic re-keying has also
helped advance FNBDT interoperability. NSA intends to
finalize a Wireless Technology Vulnerabilities
Database, which federal agencies can use to check
commercial wireless products prior to purchase, by
year's end. The Federal Information Processing
Standard 197 doctrine issued by the National Institute
of Standards and Technology (NIST) declared that AES is
the standard encryption tool for government
communications below the Type 1 level, which has
spurred many vendors to start devising or offering AES
in their non-Type 1 secure wireless products. The NSA
also has set up the Secure Mobile Environment
Integrated Products Team to cover mid- and long-term
secure mobile environment challenges such as
vulnerability discovery, research, product
development, and certification. Click
Here to View Full Article
"Spam-Busters Sort Out the Fakes" New
Scientist (02/07/04) Vol. 181, No. 2433, P. 26;
Biever, Celeste
- Email authentication strategies announced to
delegates at the annual Spam Conference could be a
more effective measure against the growth of
unsolicited commercial email than content filters or
anti-spam laws. Most spammers resort to spoofing, a
tactic in which their junk email pretends to originate
from the addresses of innocent senders; this technique
thwarts blacklisting measures, and makes owners of
spoofed addresses the targets of angry spam
recipients, as well as any spam bounced back by
content filters. Authentication schemes require
checking each email to see if its sender is genuine, a
strategy that could foil spoofing. The Internet
Engineering Task Force is currently examining a pair
of email authentication protocols as possible
candidates for standardization: Yahoo!'s Domain Keys
protocol and the Lightweight Message Access Protocol
(LMAP). Domain Keys would tag all emails with an
encrypted signature that links message to source, and
this signature would be decrypted by the receiving
server and checked to ensure that content and coded
sequence match, while the identity of its domain would
also be inspected for verification. LMAP, an extension
to the Simple Mail Transfer Protocol, would require
email providers to augment their servers with a
program designed to check the legitimacy of the
address entered in the email's "from" field; if the
claimed source's IP address does not match that of the
actual source, the email will be deleted as a spoof or
labeled as "suspected spam" and shunted to a file for
later examination. Authentication schemes will give
spammers little choice but to use real domain names,
which means it will be tougher for them to conceal
themselves. Meanwhile, Martian Software is developing
TarProxy, an anti-spam tool designed to channel
suspected spam through a "tar pit," thus slowing down
its transmission and discouraging spammers from
sending more junk email.
From ACM
News, February 18, 2004
"Passwords to Guard Entry Aren't Enough to
Protect Complex Data" ScienceDaily
(02/16/04)
- Shielding complex data from unauthorized users
with passwords and other access controls is only part
of the equation; outgoing data must also be protected
through filters, argues Stanford computer science
professor Gio Wiederhold, who will discuss trusted
information databases at the annual meeting of the
American Association for the Advancement of Science.
The access-driven security model cannot function
unless data is well organized and contained in tidy
boxes for use by people with authorized roles, while
complex, unstructured, multipurpose data generally has
poor protection. Furthermore, even the most secure
access controls are useless if trusted users turn,
such as when a malcontented employee with access to
the database decides to hurt the company by exploiting
or damaging its information assets. The biggest
detriment of the access control model is its failure
to take collaboration into account, which can hinder
research that requires multiple types of users to
access data, such as patient medical records.
Wiederhold contends that complementing access control
with release control, in which the content of
documents being sent to the requestor is monitored,
will ensure that the requestor only receives material
that is appropriate for a specific project. The
Stanford professor adds that diverse systems with data
output such as email, file systems, Web sites, and
databases are prime candidates for document release
protection. However, Wiederhold cautions that though
privacy may be better shielded with access controls
working in parallel with release control, complicated
security parameters could come into conflict or even
make data less secure. "The scope of potential use of
data is so large that no approach that relies on any
specific data organization will be adequate for all
future needs," he comments. Click
Here to View Full Article
"New Anti-Spam Initiative Gaining
Traction" eWeek (02/12/04); Callaghan,
Dennis
- Spammers would no longer be able to send junk
email anonymously if the SMTP protocol were changed so
that sending servers could be authenticated; the
SMTP+SPF working group is developing the Sender Policy
Framework (SPF) in the hopes that the Internet
Engineering Task Force (IETF) will approve it as an
anti-spoofing standard. SPF only works if domain
owners publish sender IP addresses, which would then
be matched to client IP addresses provided by mail
transfer agents; email would be rejected if the client
IP address and the published domain IP address fail to
match. Pobox.com CTO Meng Weng Wong plans to argue his
case for the IETF to establish a working group to
study SPF at the 59th IETF Meeting in late February,
although he really wants the task force to adopt the
framework directly, without going through a workgroup
phase. He says the SMTP+SPF working group has already
done most of the legwork, adding, "It may take a year
from now [before SPF goes through the regular IETF
process], and no one wants another 12 months of spam."
Wong says that existing spam filters can be tweaked to
support SPF, and anti-spam technology providers such
as CipherTrust and InboxCop are backing the framework.
In addition, almost 7,000 domain holders have posted
their sender IP addresses at the SMTP+SPF Web site,
while Wong reports that SPF would be available for
free and on a voluntary basis. Mark Wegman at IBM's
T.J. Watson Research Center cautions that SPF, though
a good starting point, cannot halt all spam, and notes
that the framework can be supported by a new spam
filter his company is working on. The filter assesses
email according to numerous factors, such as delivery
patterns and account content. Click
Here to View Full Article
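The check described in the two items above (SPF here, and the LMAP-style "reject the spoof or file it as suspected spam" disposition in the New Scientist item) can be made concrete with a small evaluator. This is an added example, not code from eWeek, the SMTP+SPF working group, or any project the page names; it assumes a constructed in-memory TXT table in place of real DNS lookups, and it implements only the `ip4`, `ip6`, `include` and `all` mechanisms of an `v=spf1` record, returning the standard result names (pass, fail, softfail, neutral, none, permerror).

```python
import ipaddress

# Constructed stand-in for DNS TXT records (assumption: no real DNS is queried).
# Addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24 and 2001:db8::/32, so nothing here points at a live host.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": "",                                   # domain publishes nothing
    "relay.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "includer.example": "v=spf1 include:relay.example -all",
}

# Qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's v=spf1 record, or None if it publishes none."""
    record = dns.get(domain, "")
    return record if record.startswith("v=spf1") else None


def evaluate_spf(client_ip, mail_from_domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the sending client's IP against the envelope-from domain's record.

    Mechanisms are tried left to right; the first match decides the result.
    If nothing matches and there is no 'all' term, the result is neutral.
    """
    if depth > 10:                       # bound include: recursion
        return "permerror"
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"                    # domain has not opted in; nothing to check
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = evaluate_spf(client_ip, arg, dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"       # included domain must publish a valid record
        else:
            return "permerror"           # a, mx, ptr, exists: not implemented here
    return "neutral"


def mta_action(client_ip, mail_from_domain, dns=FAKE_DNS_TXT):
    """Map the SPF result to the receiving server's disposition.

    Mirrors the behaviour the articles describe: a hard mismatch is rejected,
    a soft mismatch is tagged as "suspected spam" for later review, and
    everything else (pass, neutral, no record, evaluation error) is accepted.
    """
    result = evaluate_spf(client_ip, mail_from_domain, dns)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "tag"
    return "accept"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("198.51.100.7", "example.com"),
                    ("192.0.2.1", "softfail.example"), ("203.0.113.9", "includer.example")]:
        print(f"{ip:>16} {dom:<18} {evaluate_spf(ip, dom):<8} -> {mta_action(ip, dom)}")
```

Note that a domain with no record yields "none", not a rejection: the scheme only constrains senders whose domain has published a policy, which is why the article stresses that SPF works only once domain owners opt in.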
"Security Still Reigns as Wireless 'Weakest
Link'" E-Commerce Times (02/17/04);
Gallagher, Helen
- Though Amry Junaideen of the Deloitte & Touche
Security Services division reports that wireless
devices such as laptops and personal digital
assistants have become more productive, that
productivity is offset by their lack of security,
which means that information could be compromised if
the devices are stolen, employed, or tapped by
unauthorized users. He recommends that corporations
institute a top-down wireless security framework that
covers why the corporation is using wireless, what its
business goals are, and what policy supervises the
entire enterprise in this area. "A policy should
require strict adherence to standards and contain
specific information on what people should do to
protect their devices once wireless has been
deployed," Junaideen explains. Devices used to store
the most sensitive data should get the highest
priority, while critical data files should be
encrypted in the event the portable device is lost,
even though encryption is an expensive option.
Junaideen says protective measures for wireless
devices include not just file encryption, but
firewalls, virtual private networks, quarantining
tools, and data wipe technology. He suggests that
users cut wireless connections immediately if a
sniffer detects that a device has been compromised,
while data wipe software can erase all data from a
lost device if someone attempts to exploit it. Network
Associates' Sydney Fisher says the security risks of
wireless are related to its advantages: "It's
important to have appropriate security so data is
stored properly, travels properly and is protected
from people who shouldn't get it, but [is] accessible
to those who do need it." Fisher notes that sniffer
products are well suited for wireless environments
such as WANs, LANs, or ATM networks. Click
Here to View Full Article
"Spammers Exploit High-Speed
Connections" Associated Press (02/16/04);
Jesdanun, Anick
- Spammers are hijacking home computers with
high-speed Internet connections to use as proxy spam
relays, and email security companies estimate that
between one-third and two-thirds of junk email is sent
by "spam zombies" whose owners misconfigure their
software or fail to implement or update their PCs'
security. Proxy relays could be run from any
Internet-connected machine, but most of the malware
that installs these proxies targets PCs that run
Windows. The shift in spamming tactics spurred the
Federal Trade Commission to issue a consumer advisory
in January, recommending that consumers employ
firewall and antivirus programs as well as check "sent
mail" folders for suspicious content. Visiting
windowsupdate.microsoft.com regularly to download the
latest updates to the Windows operating system is
advised by others. EarthLink's Mary Youngblood
explains that ISPs have a lot of trouble detecting and
blocking proxy spam relays; some remain open for a
short while and vanish by the time ISPs are aware of
the problem, while newer, more versatile proxies
constantly reconfigure themselves and are harder to
lock down. "Fighting Spam for Dummies" co-author John
Levine speculates that as proxies spread, ISPs could
be forced to restrict the number of messages a
subscriber is allowed to send in a given time period.
Brightmail chief technology officer Ken Schneider
predicts that the situation will only get worse, now
that virus writers have an economic incentive to
create malevolent code. Click
Here to View Full Article
"Hackers for Hire" TechNewsWorld
(02/13/04); Germain, Jack M.
- It has been a common practice for companies to
hire "White Hat" hackers to test their network
security, but some experts are questioning the wisdom
of such an approach, especially as new, stronger, and
more potentially damaging cybersecurity threats emerge
and government regulations about data security and
customer privacy increase. Former regional partner for
Deloitte & Touche Security Services Group Thomas
Patterson compares hiring one-time hackers to putting
a fox in a henhouse, and advocates several fundamental
rules for cutting risks. "We believe we can achieve
the same level of success without sacrificing the
trust of our own clients," notes Patterson. "We may go
to the hacking conferences and stay up on what's the
latest in the hacking community, but it's a fine line.
We hire the good guys." Invisus co-founder James
Harrison draws a very fine boundary between White Hat
and Black Hat hackers, and argues that software
security products and certified computer experts offer
far more safety, since they engender reliability and
trust. On the other hand, security consultant Gary
Morse claims there are big differences between good
and bad hackers: White Hat hackers, he insists, are
veteran programmers with no criminal histories, and
they devote more time to writing lengthy documentation
on a company's security flaws than actually
penetrating networks. He also downplays the threat of
email worms and viruses, arguing that hacker threats
are far more dangerous. Click
Here to View Full Article
"Congress and
Cybersecurity" TechNews.com (02/12/04);
Krebs, Brian
- In an online discussion of cybersecurity issues,
Rep. Adam Putnam (R-Fla.) raised such points as the
need for increased awareness of such issues, and the
progress both the public and private sectors have
made. He acknowledged that there is still a lot to be
done in many areas, such as improving awareness,
instituting more oversight, and encouraging safe
computing practices. In response to a question posed
by discussion moderator Brian Krebs, Putnam said that
he decided to postpone introducing a bill that would
require public companies to confirm their compliance
with cybersecurity standards after receiving a great
deal of feedback from the private sector indicating
that it would give IT security serious consideration,
adding that he would vouch for an industry-promoted
plan that sets up sound cybersecurity practices, even
without direct federal mandate. He also praised the
National Cyber Alert System launched last month,
arguing that more than 250,000 visits to the system's
official Web site in its first week of operation was a
clear sign that "public interest and awareness are
high." The congressman addressed a question from an
inquirer in Jacksonville, Fla., in which he admitted
that 85 percent of U.S. critical infrastructure is
controlled by private industry, and explained that his
subcommittee is conducting hearings that seek to make
Congress more proactive about cybersecurity without
hurting innovation. Putnam told an inquirer from
Portland, Maine, that he has established a working
group to make software companies more responsible for
improving cyberattack measures, pointing out that
Congress has investigated the possibility of expanding
common criteria standards for sensitive defense and
intelligence purchases to the software industry.
Putnam maintained that making home users aware of safe
computing practices is important to both the
government and industry, noting that manufacturers and
educators have their roles to play. Putnam contended
that the White House Office of Management and Budget
has improved its IT spending oversight efforts
significantly under President Bush's Management
Agenda, while more cybersecurity-minded issues are
being bundled into the National Security Cyber
Division of the Homeland Security Department. Click
Here to View Full Article
From Edupage,
February 13, 2004
IBM AND CISCO TO PARTNER ON SECURITY
IMPROVEMENTS
- IBM and Cisco Systems this week announced a
partnership to build security into their products,
reflecting a growing awareness among technology
companies that security applications work better when
they are integrated into basic design rather than
added on to otherwise completed products. The new
partnership means that various hardware and software
products from the two companies will be able to
communicate, lowering the chance for security
weaknesses in networks. The IBM-Cisco deal echoes the
recent acquisition of network security firm NetScreen
Technologies by Juniper Networks. Chris Christiansen,
analyst with IDC, said that although he is skeptical
of such partnerships because "so many of them have
failed in the past," he is more optimistic about the
IBM-Cisco deal. The companies have worked together
previously, said Christiansen, and have little product
overlap. San Jose Mercury News, 13 February 2004 http://www.siliconvalley.com/mld/siliconvalley/7946744.htm
From ACM
News, February 13, 2004
"Is Cyberspace Getting Safer?" Medill
News Service (02/11/04); Newell, Adrienne
- The Homeland Security Department's National Cyber
Security Division (NCSD) is evaluating the progress of
cybersecurity over the past year and outlining future
security projects. Among the 2003 milestones the NCSD
notes is the government's creation of a critical
infrastructure information network, an
Internet-independent federal communications resource
that can be used in the event the Internet and other
computer-based communications media are knocked out;
NCSD director Amit Yoran reports that his agency has
"significantly" widened the scope of the network.
Another NCSD watershed is the establishment of the
Cyber Interagency Incident Management Group, which
brings together different experts to develop
preventative cyberattack strategies as well as bolster
the government against future cyberspace-based
assaults. The NCSD unveiled a National Cyber Alert
System in January designed to keep computer users
apprised of viruses, worms, and other cyberthreats via
email; Yoran notes that millions of computer users
have accessed the system's Web site, and says his
agency plans to expand the site to increase public
awareness of security issues. The NCSD partnered with
the private sector in a December 2003 summit to
determine areas where cybersecurity needed to be
heavily emphasized, such as spreading awareness and
providing early warnings about intrusions, but Yoran
calls current public-private partnerships to meet
these goals "unacceptable," and is calling for
additional participation. He adds that his division is
forging new public-private collaborations to push for
unified security objectives, and is advising software
developers to increase their programs' security while
making them less buggy and loose. Yoran says that
developers are "encouraged [to] adopt...automated
technologies that guide and force [them] to produce
code with fewer vulnerabilities and fewer bugs." Click
Here to View Full Article
"Coming Soon to Your IM Client:
Spim" Network World (02/09/04) Vol. 21, No.
6, P. 30; Garretson, Cara
- Instant-messaging spam (spim) may not be as
widespread as email spam, but experts believe spim
could become just as problematic as junk email as IM
proliferates throughout the corporate sector: Analyst
Sara Radicati estimates that IM is used as a corporate
service by 26 percent of companies, while 44 percent
say their workers employ IM. The most popular IM
services are offered for free, which means that
spammers only need a list of screen names to deluge
these systems with spam. In addition to consuming
network resources and hurting productivity, spim could
exacerbate workplace tensions by posting pornographic
or other objectionable content on employees' screens.
The most apparent spim countermeasure is to block
incoming messages from unknown senders, but users who
depend on IM for communications could miss important
messages. Some of the top IM service providers
downplay the spim threat--Yahoo! Messenger's Lisa
Pollock Mann reports that less than 2 percent of the
traffic Yahoo! Messenger processes is spim, while
security measures such as IM network monitoring and
Yahoo! IDs to authenticate senders fortify the service
against spamming. The past year has seen the emergence
of new anti-spim software and services: IMlogic, Zone
Labs, and Sybari offer spim-filtering software, while
end-to-end encryption and message archiving for
regulatory documentation are some of the extra
features included in such products. CipherTrust,
Brightmail, and other anti-spam filter providers are
also looking into ways of tackling the spim problem in
the hopes that the additional layer of security will
make IM more palatable to companies as a
communications tool. Click
Here to View Full Article
From ACM
News, February 11, 2004
"The Virus Underground" New York Times
Magazine (02/08/04) P. 28; Thompson,
Clive
- The year 2003 was a banner year for malware, with
the release of network worms that spread with
increasing rapidity and insidiousness, and such events
are putting elite virus writers on the spot. Even
though many top virus and worm authors have not
technically transgressed any laws and profess to hold
no malevolent intent, security experts argue that they
are complicit in the spread of malware, even if they
never actually release it into the wild. Despite the
writers' inventiveness in creating new forms of
malware that can be used for nefarious purposes, many
claim to adhere to an ethical code and refuse to
distribute their viruses onto the Internet, while
still others will post virus source code online, where
less experienced hackers or "script kiddies" can
appropriate it for their own ends. Unfortunately,
there is little to stop script kiddies from unleashing
the malware, either intentionally or unintentionally.
Security and law enforcement experts call this
irresponsible action on the part of the authors, and a
sign of their ethical naivete: "It's like taking a gun
and sticking bullets in it and sitting it on the
counter and saying, 'Hey, free gun!'" argues Purdue
University's Marc Rogers. Many elite virus writers
also reside outside the United States, where virus
writing is not against the law, while some U.S. legal
scholars claim that malware is protected under the
First Amendment, and only becomes unlawful when it is
released into the wild and inflicts considerable
damage. Virus authors' arguments are being further
weakened by recent outbreaks of stealth viruses such
as Sobig, which experts say clearly illustrate the
presence of malicious creators motivated by greed;
these particular viruses or worms are designed to
infect vulnerable systems without damaging them so
that they can secretly harvest data for exploitation.
But it is more than likely that even worse financially
or politically motivated cyberattacks are on the
horizon, such as "cryptoviruses" that allow users to
ransom their victims' files by encrypting them. Click
Here to View Full Article
"Can E-Mail Survive?" PC Magazine
(02/17/04); Metz, Cade
- Email reform is desperately needed, not only
because of the convergence of spam and viruses, but
because email is also threatening to collapse from
overload. Legislation alone will not solve the
problem: Laws such as the recently passed CAN-SPAM are
unlikely to significantly reduce spam because so much
of it comes from overseas, beyond U.S. jurisdiction.
The best solution might involve a retooling of email
on a fundamental level, as unappetizing as such a
measure may be. Some email experts think a scheme
should be set up in which a small fee is charged for
every email sent, while a similar proposal would have
users pay in CPU cycles. The solution favored by
industry will probably be an email authentication
scheme, perhaps one based on proposed standards such
as Reverse MX authentication or SMTPi. However, years
will probably pass before industry arrives at and
deploys a single email authentication standard.
Meanwhile, the combined problem of spam and viruses is
making email less and less palatable for users and
businesses, according to recent studies from
InsightExpress and the Pew Internet and American Life
Project. People discouraged from using email are
turning to phones, voicemail, and instant messaging to
fill the void. Click
Here to View Full Article
"The E-Mail Mess" Governing (01/04)
Vol. 17, No. 4, P. 40; Perlman, Ellen
- Some states have strict laws against spammers,
with some laws focusing on deceptive email and others
trying to stop spam before it starts, but the new
federal Can-Spam Act will hinder many of those laws.
The federal legislation strengthens the rights of
Internet users in states that lack anti-spam laws, and
may help residents of states with weak laws, but in
other areas people are displeased with the new law. It
does not let individuals sue spammers, and its opt-out
feature is held to be weaker than some states' opt-in
requirement. EPrivacy Group chief privacy officer Ray
Everett-Church says that previous attempts at opt-out
provisions have proven that they do not work. The
federal law's exception for providing a valid return
email address also offers a large loophole, according
to the National Association of Attorneys General.
Companies that use email as a legitimate business tool
support the federal law, saying that stricter
laws--such as those in California, Washington State,
and Delaware--are too dangerous for businesses, and
support a national "do not email" registry. Although
supporters of strong anti-spam laws agree that federal
guidelines are better than a hodgepodge of laws from
states, they say the weaker federal laws hurt overall
anti-spam efforts. Delaware state prosecutor Steven
Wood says the parts of Delaware's law that target
selling software for falsifying routing information
and making it a crime to access a person's computer to
send them spam will remain under federal law.
Washington State believes that its laws, which have
been used to prosecute five spammers targeting state
residents, will also complement, and not be superseded
by, federal laws. Still, whether any laws can really
stop the flow of spam is an open question; despite
anti-spam laws in 36 states, the flood of spam
continues. Click
Here to View Full Article
From Edupage,
February 9, 2004
REPORT SAYS CAN-SPAM ACT NOT EFFECTIVE
- A report from California-based e-mail filtering
company Postini seems to indicate little immediate
change in the volume of spam as a result of the
CAN-SPAM Act, signed into law by President Bush in
December. At that time, spam accounted for 80 percent
of all e-mail according to Postini. One month later,
that figure remained at 79 percent. Critics of the
bill had argued that it would do little to stem the
flow of spam, saying that the bill simply outlined
steps spammers must take for their e-mail to be
"legitimate." Critics also noted that many spammers
operate outside the United States, beyond the
jurisdiction of the law. Postini's Andrew Lochart said
spam can only be effectively controlled through a
combination of technology and legislation. BBC, 9
February 2004 http://news.bbc.co.uk/2/hi/technology/3465307.stm
From ACM
News, February 9, 2004
"Software Innovation Is
Dead" NewsForge (02/07/04); Love,
Jonathan
- Jonathan Love, a computing student at Imperial
College, London, claims that software innovation is
dead, arguing that software developers are no longer
motivated to pursue innovative projects. He reports
that security software has experienced the largest
amount of growth in the last several years, chiefly
because of the growing frequency of hacker attacks.
Many respectable software engineers, especially the
younger ones, prefer making a name for themselves by
inventing malware, Love contends. The student also
observes an increase in the copying of features from
competing products, which is an easier strategy for
developers than inventing completely new features.
"And what incentive is there for a developer to
implement a new feature when said developer knows that
any good feature will be copied by his competitors?"
he adds. Love writes that an innovative software
developer has two choices: He can release his software
free online, or attempt to market it. Selling his
software is a difficult proposition because there are
so many licenses to choose from. Love asserts that
creating truly innovative software will be beyond the
abilities of next-generation developers. "If I am
going to spend three or four years at university
studying computer science, yet not be able to offer
any significant advantage to a major software
development house compared to a simple 'code-monkey'
who can churn out lots of code at a very low wage,
where is my incentive to do software development?" he
writes. Click
Here to View Full Article
"False Hope for Stopping
Spam" Technology Review (02/04/04);
Garfinkel, Simson
- Legislative attempts to control spam, such as the
recently passed CAN-SPAM Act, are unlikely to
significantly impede the deluge of junk email, partly
because the amount of spam originating outside the
United States is growing. Anti-spam advocates gathered
at MIT's Spam Conference in January expressed hope
that overhauling the fundamental workings of email
would be a more effective measure, but author Simson
Garfinkel thinks the odds are stacked against them.
His argument is based on indications of an alliance
between hackers, spammers, and organized crime.
Brightmail estimates that 56 percent of all Internet
email is spam, but Garfinkel cites personal experience
to give credence to his belief that the spam situation
is far worse; he found that spam constituted 94
percent of all email he received on Jan. 26,
accounting for legitimate email, spam blocked by his
filter, and emails automatically rejected by his
server because they were sent to invalid addresses at
his domain. Worse, spam originating from Asia exceeds
legitimate email by almost 10 to 1, while spam from
the United States runs approximately 50/50 with
legitimate email. The growing sophistication of spam
attacks is spurring email providers to roll out more
advanced countermeasures such as Yahoo!'s Domain Key,
but these products could cement the providers' market
supremacy, thus making it harder for small businesses
to maintain their own email systems. Garfinkel doubts
that these next-generation tools will be effective in
the long term, and is concerned that biotechnology and
nanotechnology, like email, could be harnessed by just
a few people as weapons against most users. "If we
can't tackle the spam problem, then the future may be
quite bleak," he warns. Click
Here to View Full Article
"Tackling the Secure Web Mail
Challenge" E-Commerce Times (02/04/04);
Pasley, Keith
- The secure Web mail technology sector is trending
toward appliances that serve other email
infrastructure security purposes besides Web mail
protection, but they require some knowledge of how to
handle Web mail security, writes information security
professional Keith Pasley. Web-based email is a good
way to distribute information to workers outside the
office, but the perceived security risk makes many
businesses reluctant to deploy it. Most such systems
use a multitiered architecture and separate databases
for mail and user authentication information, raising
security issues for identity management, availability,
privacy, and data integrity. Many systems support a
variety of authentication methods, and cryptography is
usually used to ensure privacy and data integrity;
redundant servers and load balancing can increase
availability. The management of session cookies is a
main issue of Web mail session management; if they are
not erased at user logoff and the browser is not
closed, an attacker can get in, but countermeasures
are available. Management commitment to using secure
methodologies helps counter flaws, as does a secure
software development philosophy and proper training.
Security technology or outsourcing or hosting the
service can increase security as well. Click
Here to View Full Article
From Edupage,
February 6, 2004
MICROSOFT PROPOSES NEW STRATEGIES TO LIMIT
SPAM
- Software giant Microsoft, which has lately
announced its intention to help stem the flow of spam,
is working on programs designed to place a significant
burden on those who want to send vast amounts of
unsolicited e-mail. Under an initiative called "Penny
Black," computers that send e-mail would be required
to spend several seconds solving a complex math
problem. Such a scenario would cause virtually no
slowdown for average users, but spammers trying to
send millions of e-mails would be faced with an
enormous computational demand. Officials from
Microsoft noted that the company is working on several
other anti-spam programs and does not consider the
Penny Black program to be a "silver bullet." For any
solution to be effective, said Microsoft's George
Webb, it must have "broad-based deployment across the
e-mail system." Washington Post, 5 February 2004
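To make the cost asymmetry concrete, here is an added example (not Microsoft's Penny Black code, and not from the Washington Post story): a hashcash-style stamp in which the sender must find a nonce whose SHA-256 hash has a chosen number of leading zero bits, while the receiver checks it with a single hash. The hash puzzle, the stamp format and the difficulty setting are assumptions; the page does not describe Penny Black's actual puzzle.

```python
"""Proof-of-work e-mail stamp (added illustration, assumptions noted inline).

Sender cost grows as 2**bits hash attempts per message; receiver cost is one
hash plus a few string comparisons, which is the asymmetry Penny Black relies on.
"""
import hashlib
import os
import time

DIFFICULTY_BITS = 18  # assumed setting: about 260,000 hashes per message


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def expected_attempts(bits: int) -> int:
    """Expected number of hash attempts the sender needs per stamp."""
    return 2 ** bits


def mint_stamp(recipient: str, date: str, bits: int = DIFFICULTY_BITS):
    """Sender side: search for a nonce so the stamp hashes to `bits` leading zeros.

    The stamp binds recipient and date so one solution cannot be reused for a
    different recipient or on a later day. Returns (stamp, attempts_made).
    """
    salt = os.urandom(8).hex()  # prevents two senders from sharing solutions
    nonce = 0
    while True:
        stamp = f"{recipient}:{date}:{salt}:{nonce}"
        digest = hashlib.sha256(stamp.encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return stamp, nonce + 1
        nonce += 1


def verify_stamp(stamp: str, recipient: str, date: str,
                 bits: int = DIFFICULTY_BITS, seen=None) -> bool:
    """Receiver side: cheap check of binding, difficulty and (optionally) replay.

    `seen` is a set of stamps already accepted; passing the same stamp twice
    is rejected so a spammer cannot amortise one solution over many messages.
    """
    parts = stamp.split(":")
    if len(parts) != 4 or parts[0] != recipient or parts[1] != date:
        return False
    digest = hashlib.sha256(stamp.encode()).digest()
    if _leading_zero_bits(digest) < bits:
        return False
    if seen is not None:
        if stamp in seen:
            return False
        seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed recipient and date; time one stamp and extrapolate to bulk mail.
    start = time.perf_counter()
    stamp, attempts = mint_stamp("alice@example.com", "2004-02-05")
    elapsed = time.perf_counter() - start
    print(f"stamp={stamp} attempts={attempts} seconds={elapsed:.2f}")
    print(f"verified={verify_stamp(stamp, 'alice@example.com', '2004-02-05')}")
    print(f"one million messages at this rate: ~{elapsed * 1_000_000 / 3600:.0f} CPU hours")
```

The receiver's check is independent of the difficulty, so raising `DIFFICULTY_BITS` only taxes the sender; legitimate users sending a few messages a day never notice the delay.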
From ACM
News, February 4, 2004
"Europe Blames Weaker U.S. Law for Spam
Surge" Wall Street Journal (02/03/04) P. B1;
Mitchener, Brandon
- Brightmail estimates that more than half of all
email in the European Union is spam, and Europeans
claim U.S. anti-spam laws, which are far more lax than
European regulations, are chiefly to blame. Eighty
percent of EU spam is written in English, and that
same percentage apparently originates from North
America. EU law subscribes to an opt-in policy, in
which email marketers cannot send unsolicited
commercial email unless recipients specifically ask
for it; U.S. law follows an opt-out policy, whereby
spammers do not have to obtain prior permission from
recipients to send them spam. Canada, Australia, and
Switzerland have implemented an opt-in anti-spam
policy similar to the EU model, while Japan, South
Korea, and Mexico follow the opt-out strategy. Europe
is demanding that the United States crack down harder
on spamming, a vital issue in a week when the
Organization for Economic Cooperation and Development
is meeting in Brussels to call for more international
cooperation on anti-spam enforcement. "The ball is
very much in the [U.S.] Federal Trade Commission's
court," notes European Coalition Against Unsolicited
Commercial Email Chairman George Mills. The U.S.
counters that adopting an opt-in policy would be
detrimental to small businesses that rely on
unsolicited email to market themselves and compete
with bigger players, and force companies into the
onerous task of proving they had permission to send
email. Howard Beales III, head of the FTC's bureau of
consumer protection, dismisses the notion that opting
out worsens the spam problem, and urged conferees in
Brussels to help deflate this "urban myth."
"Why This One Is Scarier" San Francisco
Chronicle (02/03/04) P. B1; Kirby, Carrie
- The Mydoom computer worm's success in shutting
down the SCO Group's Web site through a
denial-of-service attack waged by 25,000 to 50,000
infected "zombie" computers raises the bar for malware
in terms of damage and sophistication, but some
security experts believe Mydoom was created as a
spamming tool, rather than a political weapon wielded
by fringe Linux advocates against SCO's attempts to
halt the distribution of the Linux operating system.
Such a possibility highlights the growing prevalence
of financial gain as a motive for virus development
and exploits. F-Secure systems engineer Tony
Magallanez observes that viruses often follow a
parallel evolutionary track to communications
technology--for instance, the Melissa email virus made
a big splash back in 1999 because email had just
become a breakout communications medium. As email
viruses became more advanced and threatening, email
users grew more cautious, which in turn prompted virus
authors to resort to new strategies to spread their
malware, such as writing deceptive lines and messages.
Bugs that spread automatically online, such as Code
Red, Nimda, and Slammer, soon followed, and each new
major worm proliferated faster than the one before it.
Mydoom, the latest email worm, installs "back doors"
in victims' computers, allowing hackers to commandeer
those machines for their own ends. The original Mydoom
permutation infected around 500,000 computers,
according to Network Associates; a far smaller number
of systems was tainted by the variant Mydoom.B worm,
which is targeting Microsoft. Network Associates'
Craig Schmugar reports that approximately 7 percent of
Mydoom.B-infected computers will launch an attack on
www.microsoft.com, which may hardly make a dent in its
operation. Click
Here to View Full Article
"Dual Curses: Viruses and
Spam" Computerworld (02/02/04) Vol. 32, No.
5, P. 29; Ubois, Jeff; Betts, Mitch
- A Web-based survey of senior executives conducted
by Computerworld and Ferris Research finds that
viruses and spam are the biggest email-related
headaches. IT managers are fearful of zero-day attacks
because virus authors are exploiting software
vulnerabilities faster. Meanwhile, spam is a source of
frustration because it leads to lost productivity as
well as embarrassment: A Nucleus Research study
estimates that system administrators lose an average
4.5 hours of productivity a week to spam-related
problems, while CIOs may feel pressured to solve spam
problems because they are a source of irritation and
humiliation in the workplace. Respondents to the
Ferris/Computerworld survey also list regulatory
compliance as a major email issue; in addition, a
surprising result of the poll is the indication that
concerns about dealing with denial-of-service attacks
are growing among CIOs. Email downtime is apparently
not a source of concern with CIOs, but respondents
have expressed fears about prolonged periods of
disabled email service stemming from hacker attacks.
Instant messaging from wireless devices, migrating
between email packages, switching messaging servers to
Linux, and using mainframes as email servers are among
the issues generating the least amount of concern
among survey respondents, while email budget issues
such as total cost of ownership are not among the top
10--an unexpected conclusion given how cost-conscious
the CIOs are. Robert W. Reeg of MasterCard
International reports that respondents generally frown
upon switching email platforms partly because of the
problems and costs inherent in such a migration, such
as training and the loss of email archives. "I don't
see any business case [that would justify migrating],
unless someone's on a really antiquated, unsupported
package," he argues. Click
Here to View Full Article
From ACM
News, January 14, 2004
"Is the Tide Turning in Battle Against
Hackers?" IT Management (01/04); Robb,
Drew
- Despite the Internet and computer systems
appearing to be under constant assault by ever
craftier hackers, security safeguards are progressing
faster, as demonstrated by a documented slowdown in
exponential damage increases in 2003, compared to
previous years. According to a joint Computer Security
Institute/FBI report, the percentage of companies
experiencing unauthorized computer use fell from 60
percent in 2002 to 56 percent in 2003; furthermore,
significant security incident totals remained about
the same, but financial losses reported by respondents
fell from $455 million in 2002 to $202 million in
2003. The greatest losses in 2003 were attributed to
theft of proprietary information, but damages were
again significantly lower than in the previous year.
However, a decline in the number of organizations
experiencing denial-of-service attacks was offset by an
increase in damage, from $18 million in 2002 to $66
million in 2003; the third biggest threat was viruses,
whose collective damage last year totaled $27 million,
almost half that of the year before. Symantec's most
recent Internet Security Threat Report indicates
significant growth in the number of blended threats
and a shrinking interval between the discovery of
vulnerabilities and the launch of exploits. Odds are
more favorable toward network security right now
because companies are regarding threats with more
seriousness, according to the results of a Business
Software Alliance/Information Systems Security
Association poll released last December. Seventy-eight
percent of respondents claimed their companies were
better fortified against major attacks than they were
12 months earlier. However, these positive reports are
not an excuse for companies to relax their vigilance
or their deployment of cyber-defenses, given the
increasing sophistication and speed of hacks, as well
as indications that such attacks are the work of
organized groups sponsored by enemy governments. Click
Here to View Full Article
From ACM
News, January 12, 2004
"Security Threats Won't Let
Up" InformationWeek (01/05/04) No. 970, P.
59; Hulme, George V.
- The state of information security, which took a
hammering last year, is expected to worsen this year
as security vulnerabilities increase in severity, the
use of spyware grows, and spammers adopt hacking tools
and techniques to distribute junk email. To bolster
themselves against these threats, businesses may have
to add commercially available intrusion-prevention
applications to an arsenal that includes fast
patching, firewalls, regularly updated antivirus
software, and strict remote-user security regulations.
A Yankee Group poll of 404 security decision-makers
finds that over 50 percent of respondents expect their
security budgets to grow significantly over the next
three years. Gartner VP John Pescatore notes that
virus writers are getting craftier and launching
spyware attacks, many of which are designed to fool
users into thinking they are dealing with trustworthy
parties so that they will give out confidential
information that can be exploited. The good news is
that more and more effective anti-spyware tools are
available from software vendors, while antivirus
vendors are enhancing their offerings with
spyware-detection and -removal software. In addition,
anti-spyware legislation such as an overhauled
Safeguard Against Privacy Invasions Act is slated to
be introduced in 2004. Meanwhile, Vincent Weafer of
Symantec anticipates that spammers will continue to
employ Trojan horses and viruses to hijack computers
and use them as spam launching platforms; experts also
believe hackers will start taking advantage of popular
peer-to-peer networks and instant-messaging services,
and target cell phones, handhelds, and emerging
operating systems as well. Though well-publicized
"zero-day" worms are of less concern to security
analysts, Pescatore points out that more worms are
appearing within one to two weeks after a software
flaw is discovered. Click
Here to View Full Article
From ACM
News, January 7, 2004
"Security: From Bad to
Worse?" InformationWeek (12/29/03); Keizer,
Gregg
- A TruSecure study issued Dec. 29 indicates that
spyware and peer-to-peer file-sharing software will
make 2004 just as bad as 2003, if not worse, for
businesses beleaguered by cybersecurity woes. Bruce
Hughes of TruSecure's ICSA Labs reports that
"perimeter killer" worms that attack networks directly
through software flaws and unprotected Internet ports
experienced a 200 percent increase in 2003, and such
worms will constitute the biggest danger to businesses
in 2004; he predicts that such worms will incur at
least $1 billion in damages in the coming year. Hughes
also projects a rise in "zero day" attacks, in which
exploits appear prior to the disclosure of a software
vulnerability. "Some hacker is going to release
exploit code ahead of the patch and create significant
damage to those unprepared," he warns. Hughes notes
that spyware may be relatively less malign than
viruses, but the two have begun to overlap, so
companies should be vigilant for more malevolent
spyware iterations. He foresees peer-to-peer (P2P)
software as an especially frustrating headache for
businesses, and has learned through analysis of
hundreds of files shared on Kazaa that almost half
include worms, viruses, and Trojan horse programs.
Hughes urges companies to limit P2P usage on their
networks, audit the enforcement of such regulations,
and familiarize workers with the risks of P2P. Hughes
sees the collaboration between government and the
private sector in catching and prosecuting virus
authors as a hopeful sign. Click
Here to View Full Article
From ACM
News, December 29, 2003
"Device Guards Net Against
Viruses" Technology Research News
(12/24/03); Patch, Kimberly
- The communicability of computer viruses is often
related to people's unwillingness to install and
regularly maintain virus-filtering software on their
systems, and Washington University and Global Velocity
researchers have devised a new, hardware-based
countermeasure called the Field Programmable Port
Extender. The reconfigurable device scans data packets
passing through a network byte by byte, blocking any
packets that contain an Internet worm or computer
virus signature. The Field Programmable Port
Extender's reliance on hardware rather than software
makes the system sufficiently speedy to scan
high-speed backbone Internet traffic for viruses.
Global Velocity co-founder John Lockwood says the
device boasts a data-filtering rate of 2.4 billion
bits per second, and claims the network-level
protection offered by the Field Programmable Port
Extender could make the system more effective at
stopping worms and viruses than software running on
end-users' computers. The hardware produces an
abundance of specially-tailored circuits that
individually scan data for a specific virus or worm
type, and Lockwood notes that network managers can
easily update the system's worm or virus signature
database via a Web-based interface. He explains that
the viability of the Field Programmable Port Extender
stems from the construction of protocol processing
circuits capable of scanning high-speed TCP/IP traffic
as well as recognizing malware even when it is
fragmented and distributed among multiple data packets
and traffic flows. Click
Here to View Full Article
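The detail that matters most in the item above is the last one: a scanner that inspects packets one at a time misses a signature whose bytes straddle two packets. As an added example (a software model, not the Washington University or Global Velocity implementation), the class below reorders each flow's TCP segments by sequence number and keeps a short carry-over from the previous segment so a signature split across packets is still matched; the signatures, flow labels and segments are constructed for the demonstration.

```python
"""Per-flow stream scanning with fragment carry-over (added illustration).

Assumptions: flows are identified by an opaque key, segments carry a TCP
sequence number, and signatures are plain byte strings (the constructed
values below stand in for a vendor signature database).
"""
from dataclasses import dataclass, field

SIGNATURES = {  # constructed test signatures, not real malware patterns
    "test-worm-a": b"CONSTRUCTED-SIG-ALPHA",
    "test-worm-b": b"CONSTRUCTED-SIG-BRAVO",
}


@dataclass
class FlowState:
    next_seq: int                  # next sequence number expected in order
    carry: bytes = b""             # tail of scanned data, shorter than the longest signature
    pending: dict = field(default_factory=dict)  # seq -> payload held until the gap fills


class StreamScanner:
    def __init__(self, signatures):
        self.signatures = signatures
        self.max_len = max(len(s) for s in signatures.values())
        self.flows = {}

    def _scan(self, state: FlowState, data: bytes):
        """Scan carry + new data; report only matches that extend into the new data."""
        buf = state.carry + data
        hits = []
        for name, sig in self.signatures.items():
            # A match at position p ends at p+len(sig); it touches new bytes
            # only if it ends past the carry, i.e. p >= len(carry)-len(sig)+1.
            earliest = max(0, len(state.carry) - len(sig) + 1)
            if buf.find(sig, earliest) != -1:
                hits.append(name)
        keep = self.max_len - 1
        state.carry = buf[-keep:] if keep > 0 else b""
        return hits

    def feed(self, flow, seq: int, payload: bytes, first_seq=None):
        """Consume one segment of `flow`; return signature names matched.

        `first_seq` sets the flow's starting sequence number when the first
        segment seen is not the first segment of the stream.
        """
        state = self.flows.get(flow)
        if state is None:
            state = FlowState(next_seq=seq if first_seq is None else first_seq)
            self.flows[flow] = state
        if seq < state.next_seq:
            return []  # retransmission of bytes already scanned
        state.pending[seq] = payload
        hits = []
        while state.next_seq in state.pending:   # drain contiguous segments in order
            data = state.pending.pop(state.next_seq)
            state.next_seq += len(data)
            hits.extend(self._scan(state, data))
        return hits


if __name__ == "__main__":
    # Constructed two-segment flow with the signature split at "CONSTRUCTED-SI|G-ALPHA".
    scanner = StreamScanner(SIGNATURES)
    first = b"SUBJECT: hi\r\n\r\nCONSTRUCTED-SI"
    second = b"G-ALPHA rest of body"
    print(scanner.feed("flow-1", 1000, first))                 # []
    print(scanner.feed("flow-1", 1000 + len(first), second))   # ['test-worm-a']
```

Because the carry-over is kept per flow, bytes from two different connections are never concatenated, so a signature cannot be falsely assembled across unrelated traffic.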
"DARPA Evaluates Proposals for
Self-Regenerative Systems" Computerworld
(12/22/03); Anthes, Gary H.
- The goal of the Defense Advanced Research Projects
Agency's (DARPA) Self-Regenerative Systems (SRS)
initiative is to develop next-generation security and
survivability technologies enhanced with
coarse-grained diversity so as to minimize the impact
of any given vulnerability, which is key to waging
network-centric warfare. The agency says that such
systems must be capable of self-optimization,
self-diagnosis, and self-repair through self-awareness
and reflection, and will use biological processes and
human cognition as templates. DARPA program manager
Lee Badger comments that the introduction of
computerized diversity based on natural systems could
help reduce the security vulnerabilities stemming from
an electronic monoculture, a problem due to the
widespread use of common software because of current
economies of scale. Badger remarks that there are
several possible strategies to achieving software
diversity: In a rewriting approach, an existing
software component could be specialized by passing it
through a filter, or the code could gradually drift
within its functional specifications via a genetic
algorithm strategy. In talking about why such
approaches work better than making a larger effort to
write better code, Badger explains, "Our strategy has
been to find and remove defects in software, but as
software grows to a very high level of complexity, our
chances of actually finding and removing all
flaws...are getting very small." The program manager
notes that defensive systems that learn to combat
threats by updating their virus or attack signature
databases can only fight new, unforeseen attacks by
employing "anomaly detection," which is inherently
flawed because of the potential to tag valid behavior
as anomalous. Badger hopes that biologically inspired
systems could become capable of learning about their
environment over time so they can anticipate threats,
in the same way that the immune system learns and
adapts its defenses from exposure to germs. DARPA will
assess proposals from universities and companies to
develop technologies for its SRS program. Click
Here to View Full Article
"We Hate Spam, Congress Says (Except When It's
Sent by Us)" New York Times (12/28/03) P. 1;
Lee, Jennifer
- The federal spam control law that goes into effect
on Jan. 1 does not extend to members of Congress who
send out unsolicited messages to constituents in order
to attract voluntary subscribers to the legislators'
email lists; these messages are not subject to House
rules that bar taxpayer-supported congressional mass
communications 90 days before an election, although
free postal mail from House members to voters is still
banned. Many congressional members laud the policy,
passed by House Administration Committee vote in
September, for enabling less expensive and more
efficient correspondence with constituents, but
consumer advocacy organizations claim the measure may
give an unfair edge to incumbents over challengers,
adding that such bulk emails constitute spam when they
are sent to constituents without their permission.
"They are regulating all commercial spam, and at the
same time they are using the franking privilege to
send unsolicited bulk communications which aren't
commercial," observes David Sorkin of Chicago's John
Marshall School. "When we are talking about
constituents who haven't opted in, it's spam." Prior
to the institution of the policy, messages sent to
over 500 constituents had to be approved by the
franking commission and were subject to a 90-day
blackout before an election, while individual
responses to citizens were free of such strictures.
Congressional officials criticized the old policy as
unwieldy, but the unsolicited messages they send to
constituents to build their email lists under the new
policy still must be approved by the franking
commission and must halt 90 days before an election or
primary. House members insist that their unsolicited
emails are not spam, since they are directed to
constituents who have the right to opt out. However,
critics note a striking similarity between the
technology behind both political and commercial bulk
email. Click
Here to View Full Article
From ACM
News, December 17, 2003
"The Spies Who Come in Through the
Keys" Financial Times (12/17/03) P. 15;
Morrison, Scott
- Snoopware--software that can be installed
surreptitiously on victims' computers and record their
keystrokes, emails, passwords, chatroom postings, and
Web site visits without them knowing--is thought by
security experts such as Earthlink VP Matt Cobb to be
"the next big threat" to both corporate and individual
privacy. There are various snoopware programs
currently available, promoted mainly as tools for
employers to monitor Internet use in the workplace or
for parents to keep track of their children's computer
activity. But the products' potential for
abuse--potential that has only recently come to light
through real-world instances of such abuse--is even
greater. For instance, a New York hacker confessed
this year that he installed keylogging software on
public computers at 13 Manhattan Kinko's outlets so
that he could record and purloin personal data from
over 450 people, which he sold online and also used to
divert money from his victims' bank accounts into new
accounts he set up in their names. Most snoopware
victims have been individual users, but corporations
have recently become targets. Snoopware is often
innocently downloaded by unsuspecting victims off the
Internet, as well as buried in email attachments,
viruses, and pop-up ads that trigger snoopware
downloads when users click on the "close" button.
Though Symantec and other computer security
organizations have begun to offer snoopware detection
programs, Network Associates' Ryan McGee believes
snoopware authors will inevitably make their software
harder to identify. People at the greatest risk of
being victimized by snoopware are users of public
computer terminals, while broadband users also have a
high degree of vulnerability.
From ACM
News, December 24, 2003
"Digital Defense" Computerworld
(12/22/03); Anthes, Gary H.
- Hackers and malware authors may currently have the
upper hand thanks to the growing number of
vulnerabilities stemming from increasing software
complexity, a rise in computer connectivity, and the
emergence of sophisticated and simple-to-use digital
weapons. But computer security experts meeting at the
Santa Fe Institute's recent Adaptive and Resilient
Computing Security workshop believe new defensive
concepts may turn the tide: Such concepts--some of
which are biologically inspired--can identify new
kinds of attacks by eliminating reliance on
predetermined definitions (virus signatures, attack
scenarios, vulnerability exploits, etc.); they are
supposed to continue to operate even when an attack is
underway, though their effectiveness may be somewhat
reduced; they are adaptable to changing attack
strategies; and they reduce false alerts. Dipankar
Dasgupta of the University of Memphis' Intelligent
Security Systems Research Lab reports that there is no
one computer safeguard capable of defending systems
against all kinds of attacks, but his facility's
Security Agents for Network Traffic Analysis combines
neural networks and "fuzzy rules" to enable mobile
software agents to detect network intrusions.
Stephanie Forrest of the University of New Mexico
notes that biodiversity makes systems stronger and
tougher, and she is developing "automated diversity
for security" whereby uniqueness is instilled within
each system by arbitrary random changes. Using a
measure known as Kolmogorov Complexity, GE Global
Research scientist Scott Evans has learned that
attacks can be predictably quantified as less or more
complex than normal behavior, which makes a tool for
attack identification and blockage feasible.
Meanwhile, Steven Hofmeyr has created Primary
Response, a commercial defense product that uses
agents to profile an application's normal behavior
based on the code paths of a running program, so that
abnormalities in those paths are easy to spot. Click
Here to View Full Article
From ACM
News, December 3, 2003
"Computer Security in
Focus" SiliconValley.com (12/03/03);
Ackerman, Elise
- Lobbyists, elected representatives, business
leaders, and security experts are worried that the
White House has lost focus on the implementation of
its National Strategy to Secure Cyberspace, and plan
to use the National Cyber Security Summit on Dec. 3 to
spur the Bush administration to take a more proactive
stance. The national cybersecurity initiative has been
plagued by a lack of forward momentum and the
resignations of two cybersecurity czars--Richard
Clarke, who left two weeks before the strategy was
adopted by President Bush, and Howard Schmidt, who
departed just two months after his appointment. Their
responsibilities now reside in the Department of
Homeland Security's National Cyber Security Division,
whose director, former Symantec executive Amit Yoran,
has only been in office since mid-September. Yoran
calls the National Cyber Security Summit "a call to
action" that will inform the public that his division
is up and running, and initiate dialogue between both
industry and government and security technology users
and academic experts. Greg Garcia of the Information
Technology Association of America says that five
industry-backed task forces will present several
recommendations at the summit, including making
computer users more aware of the need to regularly
update their software and deploy security measures;
establishing best corporate and business cybersecurity
practices; lowering the number of computer
vulnerabilities; and setting up a national
cybersecurity response system. Among those expected to
attend the summit are Homeland Security chief Tom
Ridge and Homeland Security Department assistant
secretary of infrastructure protection Robert
Liscouski. "Our goal has been to really encourage the
senior people in the department to make sure a high
priority is given to this aspect of security," says
TechNet CEO Rick White. Click
Here to View Full Article
"Rules to Address Holes in Software" Los
Angeles Times (11/28/03) P. C1; Menn,
Joseph
- Major technology companies, working under the
aegis of the Organization for Internet Security (OIS),
are formalizing rules to determine the best time for
hackers and researchers to publicly disclose software
bugs so that vendors should not have to worry about
malicious parties exploiting these vulnerabilities.
The guidelines outline what someone should and should
not do after discovering a software security hole, as
well as how the software's authors should respond.
According to the plan, a hacker who finds a bug must
report it to the software maker and give the company
time to study the flaw and develop a patch; it is
recommended that the software maker keep the hacker
apprised of its progress. Around a month is the
prescribed time a software maker should have to devise
a patch, while the hacker ought to wait another month
before publicly disclosing the patch. The OIS advises
hackers never to broadcast details of the
vulnerability if a patch cannot be developed. Few
hackers who work for tech companies or on their own
are fans of the guidelines: Many contend that software
firms would lie about their failure to build a patch
just to prevent flaws from being exposed, while
experts are concerned that patches will be
reverse-engineered by talented virus writers so they
can learn the holes they are designed to fix and
develop malware to take advantage of them. The major
tech companies feel they must take some kind of
action, especially with pressure building for Congress
to pass legislation making them liable for shoddy
software. Some hackers are trying to mobilize into a
trade group to fight the OIS guidelines, which PivX
Solutions researcher Thor Larholm claims would
endanger the livelihood of hackers who are paid to
discover and help repair software bugs. Click
Here to View Full Article (Access to this site is
free; however, first-time visitors must register.)
"A Two-Pronged Approach to
Cybersecurity" CNet (12/01/03); Lemos,
Robert
- Amit Yoran, who was recently appointed director of
the National Cyber Security Division of the
Information Analysis and Infrastructure Protection
Directorate at the Department of Homeland Security,
plans to bolster the security of the United States and
its cyberinfrastructure during his tenure. He believes
that cyberterrorism is something people must always be
aware of, and sees little difference between
safeguards used to thwart cyberterrorists and those
used to shield against other threats. Yoran advocates
a two-pronged strategy to combat outbreaks of worms
and viruses such as Code Red, Slammer, and Nimda. The
first part of the approach involves implementing
long-term projects such as the improvement of software
engineering and the invention of better software
development processes, and the second part is the
pursuit of short-term objectives such as boosting
cybersecurity awareness, and improving the national
response system and coordination with critical
infrastructures. Yoran says the key players in this
effort--critical infrastructure owners, software
developers, and the system operators--can receive
government advice, guidance, and aid through a secure
communications infrastructure. Although Yoran says the
level of security called for by the National Strategy
to Secure Cyberspace has yet to be reached, he has
been encouraged by what he has seen in his first month
in office, as well as the private sector's enthusiasm
to contribute to the cybersecurity effort. He notes
that the National Strategy cannot succeed without
coordinated public-private collaboration. How the
country can better deal with future cyberattacks will
be the focus of a talk Yoran will give in Silicon
Valley this week. Click
Here to View Full Article
"Fighting the Worms of Mass
Destruction" Economist (11/27/03) Vol. 369,
No. 8352, P. 65
- A lot of fear is circulating that viruses and
worms could be used by terrorists to threaten entire
societies with destruction and anarchy, but fewer than
1 percent of recent cyberattacks originated from
terrorist-sympathetic nations, and the majority were
conducted by hackers within the United States. Hackers
are more likely to be money-hungry thieves or
techno-savvy adolescents hoping to disrupt networks to
satisfy their egos than terrorists; network security
expert Bruce Schneier also notes that terrorists face
greater difficulties than seasoned hackers in
penetrating computer systems, while physical attacks
remain a more effective technique of hurting people
than disrupting networks. The Internet must become
more trustworthy in order to reach its full potential,
but the growing frequency, intensity, and speed of
cyberattacks, along with hackers' increasing use of
self-propagating worms, is eroding Net security--and
this threat will only escalate as users move from
dial-up access to broadband and connect even more
devices to the Internet. Nor is cybercrime limited to
worms and viruses: Brand spoofs, counterfeit Web
pages, and "phishing" are just a few of the fraudulent
practices running rampant online. Though cybersecurity
measures such as firewalls, intrusion-detection
systems, and anti-virus software are effective to a
degree, experts such as Stanford University professor
Lawrence Lessig contend that legislators need to
pressure companies to make their software more secure.
Former @Stake executive Dan Geer blames most of the
Internet's security problems on Microsoft's operating
system monoculture, and adds that the complexity of
the software only makes it harder for users to secure
their systems. Schneier says that software vendors
must be made accountable for insecure products, which
sets up an economic incentive to fortify their
software against cyberattacks. Another strategy calls
for Internet users to become better versed in good
security practices while making it easier to trace
online criminals, a development that will require a
reduction of online anonymity. Click
Here to View Full Article
From Edupage,
December 3, 2003
New Computer Worm A Friend Of
Spammers Reuters, 2 December 2003
- A new e-mail computer worm appears to be the work
of spammers trying to defeat anti-spam forces. The
W32/Mimail-L worm replicates as do other worms, by
e-mailing itself to those in an infected computer's
address book, but it also sends a second message
promising delivery of a CD with pornographic content.
The link to supposedly prevent delivery of the CD in
fact sends an e-mail to one of eight anti-spam
organizations. Steve Linford of the Spamhaus Project
said his organization is being flooded with complaints
from computer users who believe Spamhaus is
responsible for the CDs. In addition, the worm can turn
infected computers into drones that can be used in
denial-of-service attacks against the same eight
organizations. Security experts commented that this
latest worm provides further evidence that virus
writers and spammers are working together.
http://www.reuters.com/newsArticle.jhtml?storyID=3925183
From eWeek
Security Update, December 4, 2003
Researchers Find Serious Vulnerability in
Linux Kernel by Larry Seltzer
- It's become very ho-hum to find major
vulnerabilities in Windows, but it's not the only
imperfect operating system out there. Recent
developments remind us that Linux admins also need to
be on the alert for known vulnerabilities and ready to
patch quickly.
- Several weeks ago the maintainers of the respected
Debian Linux distribution revealed that the main
server for the project had been compromised. Last week
they revealed that the attack came through a
vulnerability in the Linux kernel itself, patched in
very recent versions. The vulnerability doesn't
directly give root access, but it gives the attacker
access to all of memory, through which other evils may
be perpetrated. Today a similar attack was announced
against Gentoo Linux's servers.
- Debian Linux Under Attack by Hackers http://eletters.eweek.com/zd1/cts?d=79-347-5-8-168492-41600-1
- Researchers Find Serious Vulnerability in Linux
Kernel http://eletters.eweek.com/zd1/cts?d=79-347-5-8-168492-41603-1
- Crackers Strike Gentoo Linux Server, Code Unharmed
http://eletters.eweek.com/zd1/cts?d=79-347-5-8-168492-41606-1
- The Debian attack wasn't exactly a zero-day
exploit, in which the vulnerability is discovered
through an already existing attack, but as with
Windows the time frame is getting shorter. Whatever
your operating system, you must be diligent if you're
going to stay ahead of the bad guys.
From ACM
News, November 26, 2003
"Taking Cues From Mother Nature to Foil
Cyberattacks" Newswise (11/25/03)
- A National Science Foundation-supported
cyberdefense project operates on the premise that many
computer systems are vulnerable to viruses, worms, and
other forms of malware because they use identical
software that has the same vulnerabilities, in much
the same way that genetically similar individuals are
susceptible to the same diseases or disorders. The
project, which enlists collaborators from Carnegie
Mellon University and the University of New Mexico
through a $750,000 NSF grant, is investigating how
"cyber-diversity," like biodiversity, can bolster
systems' resistance to dangerous agents. "Our project
seeks to reduce computer vulnerability by
automatically changing certain aspects of a computer's
software," explains Carnegie Mellon researcher Dawn
Song. "Adapting this idea in biology to computers may
not make an individual computer more resilient to
attack, but it aims to make the whole population of
computers more resilient in aggregate." Earlier
attempts to diversify software had independent teams
develop different versions of the same software in the
hopes that different sets of vulnerabilities would
evolve from each version, but researchers call such an
approach time-consuming and economically costly.
University of New Mexico computer science professor
Stephanie Forrest says they are exploring ways to
automate the diversity process, which could be more
effective and less economically taxing. NSF program
director Carl Landwehr says the Carnegie Mellon-New
Mexico collaboration represents the kind of innovative
research his organization expects to encourage through
its CyberTrust program. Click
Here to View Full Article
"Q&A: Improved Security Requires IT
Diversity" Computerworld (11/24/03);
Vijayan, Jaikumar
- Security guru and author Bruce Schneier contends
that physical security is not a function of technology
but a function of people: Technology by itself cannot
make people safer because that is not its purpose;
safety comes from how people implement and use
technology. Schneier argues that his report
"CyberInsecurity: The Cost of Monopoly" is not a
condemnation of Microsoft's operating system per
se--it is not the operating system that lies at the
core of IT security problems, but rather the
prevailing monoculture, which carries greater risks
than benefits. Schneier explains that bad patching and
the lack of secure software are attributable to
economic rather than technical problems, and claims
that the solution is to essentially hack the business
climate. He suggests that software manufacturers
should be made liable for the damages users suffer as
a result of insecure software, which will give them a
direct economic incentive to fix those
vulnerabilities. Full public disclosure of security
holes is also forcing software companies to take
security seriously, while virus and worm
outbreaks--and the publicity they generate--are an
additional source of pressure for CEOs. Schneier says
that patching is a useless gesture, given that there
is an overabundance of patches marked by generally
poor performance--and what is more, companies cannot
catch up with the rate of vulnerability disclosure.
His argument is to shift focus from threat avoidance
to risk management, and achieving this requires that
the CFO be placed in charge of security, since
security people have too narrow a view to make such
decisions. Schneier admits that measuring effective
security is difficult, because "there is no standard
benchmark against which to measure your own security."
Click
Here to View Full Article
From ACM
News, November 24, 2003
"Computer-Security Experts Challenge
Researchers to Focus on Long-Term
Solutions" Chronicle of Higher Education
(11/21/03); Carnevale, Dan
- Purdue University's Eugene Spafford was one of
five speakers at a recent Virginia conference who
suggested strategies computer scientists could follow
to implement long-term cybersecurity solutions.
Spafford declared at a news conference that computer
networks should be rethought to include embedded,
effective, and easy-to-use security. However, he
remarked that "Near-term needs are so pressing that
they have soaked up most of the resources and most of
the funding and left little for long-term thinking.
It's an ongoing arms race in cyberspace." Spafford,
who predicted that better network security will
encourage people to engage in more online activity and
create better services, identified four "grand
challenges" that researchers should address within a
decade: The halt of spam, viruses, worms, and
denial-of-service attacks; the development of tools to
build large-scale, highly trustworthy networks; the
creation of systems that give users the ability to
comfortably control their privacy and security; and
the design of risk-management analyses for computer
systems that offer just as much reliability as
financial investment risk-management analyses.
Spafford also expressed hope that the federal
government will allocate more funds to network
security research. Other speakers at the forum
included Sun Microsystems' Susan Landau, who noted
that medical care could be significantly enhanced if
security and reliability were incorporated into
computer networks. The Virginia conference was held by
the Association of Computing Machinery and the
Computing Research Association, while the National
Science Foundation used the event to announce that it
would soon start accepting research proposals for
improving computer security under its CyberTrust
program.
"Proposed Spam-Blocking Technology Is a Long
Way Away" InternetWeek (11/21/03);
Gonsalves, Antone
- The Anti-Spam Research Group (ASRG), an alliance
of consumer email providers, and other organizations
are attempting to control spam by developing and
implementing sender-authentication solutions, but many
are finding the challenge much more difficult than
previously anticipated. ASRG co-chair John R. Levine
admits that his predecessor Paul Judge's May forecast
that some ASRG technologies would be ready for
deployment within a few months was "too optimistic."
The ASRG has no personnel and no budget--Levine says
it is merely a coordinating body of anti-spam
researchers affiliated with the Internet Engineering
Task Force (IETF). Levine says that three major
sender-authentication schemes are currently under
consideration by his organization: Reverse MX, Sender
Permitted From, and Designated Sender Protocol. All
three proposals would permit a mail server receiving a
message to query the email's originating domain as to
whether the server that transmitted the message has
authorization to send from that domain; at least a
year will pass before the ASRG will be able to submit
one proposal to the IETF as a suggested international
standard. Meanwhile, a commercial alliance that
includes Yahoo!, America Online, Microsoft, and
Earthlink was established in April to develop
technology ahead of the ASRG's efforts. Their proposal
calls for ISPs and any other body that owns its own
domain name system (DNS) to use a private key in their
mail servers to embed an encrypted code in the header
of each outgoing email message; upon the mail's
arrival at its intended destination, the receiving
mail server would get its sender's key from its DNS
server to decode the header and authenticate the
email's origin, while spam and other unwanted messages
would cause that DNS to be automatically blocked.
"What we really want to do is make sure that the
Internet community is in agreement that this is a good
solution, and an appropriate solution," says Yahoo!
Mail's Miles Libbey. But the technology is in an early
developmental stage and no general release deadline
has been set. Click
Here to View Full Article
"EU Cybercrime Agency Gets the
Go-Ahead" IDG News Service (11/20/03);
Meller, Paul
- A plan to form a European Network and Information
Security Agency (ENISA) that would ease cooperation
and data exchange pertaining to network and
information security has gained the approval of
European telecommunications and communications
ministers. ENISA will receive $39 million for its
first five years, and act to back the internal
European Union market. The group is set to start
operations in January in Brussels, but will be placed
in a permanent location later. ENISA will act as an
advisor on security concerns for member states and the
European Commission, deal with the necessity of higher
awareness about Internet security issues, and manage
activities centered on assessing and managing risk.
Telecommunications interests are pressing for ENISA to
work with private groups. "Until today there has been
no systematic cross-border cooperation or information
exchange between the EU Member States," notes the
European Commission, adding that the various states
have made progress to different degrees with different
approaches. "This is the challenge that the ENISA is
set to meet," the commission states. Click
Here to View Full Article
"The Future of Open Source in
Security" EarthWeb (11/19/03); Bourque,
Lyne
- Open source tools help network administrators
develop more robust defenses against electronic
infiltration, according to academic and industry
attendees at the second annual Open Source Symposium
held at Seneca College in Toronto. Though proprietary
applications have benefits such as support agreements,
open source technology provides security-minded
administrators with the tools necessary to innovate. A
presentation on wireless security highlighted the
number of open source accessibility testing tools
available, including wavemon, airtraf, and
Wavestumbler, as well as network vulnerability tools such
as Kismet, AirSnort, and Moxy. Using these tools,
network administrators can view their wireless network
from an outsider's perspective and adjust accordingly.
Open source and computer security have a long shared
history, as many existing tools have open source roots,
including Nmap, SATAN, SAINT, SARA, GnuPG/PGP, and
OpenSSL. Open source tools exist for virtually every
security topic, and the ease with which these tools can
be obtained has also brought more people into the
computer security field and, in many instances, avoided
the building up of a high-cost proprietary system.
Support for these technologies is available on mailing
lists and forums, and often rivals that offered by
traditional technical support. Integrating open source
security technology into the system also means greater
diversity and protection against particular
vulnerabilities; attacks that exploit one
vulnerability will more likely be isolated to a single
server or service, unlike in a monoculture environment
where products often share vulnerabilities. Click
Here to View Full Article
From ACM
News, November 17, 2003
"The Virus at 20: Two Decades of
Malware" silicon.com (11/11/03); Sturgeon,
Will
- The twentieth anniversary of the first computer
virus, created by U.S. student Fred Cohen as a Unix
research project, has established malware as an
important--if unfortunate--part of the IT landscape.
MessageLabs' Alex Shipp, Computer Associates' Simon
Perry, Sophos' Graham Cluley, and Roger Levenhagen of
Trend Micro say the spread of personal computing, the
Internet, and technical sophistication of viruses and
worms have marked two decades of malware development.
Cluley cites the first PC virus, Brain, as a
significant milestone, as well as Tequila and Concept,
which were the first multipartite and
document-infecting viruses, respectively. After those,
Melissa was the first truly successful email virus,
while The Love Bug and Kournikova email viruses
established social engineering tactics. TruSecure's
Bruce Hughes says the ability of viruses such as Nimda
to spread via multiple vectors was a significant
advance in malware, while Levenhagen says more recent
viruses such as SQL Slammer have shown how fast some
malware can spread worldwide--to the point of clogging
Internet traffic and even affecting ATM networks.
Clearswift's Peter Simpson says hybrid variants have
been an important malware milestone, because they
allow viruses to accept updates in the field and
sometimes operate beneath anti-virus radar. The
continuing SoBig Project attacks have also been
significant because they signal malware technology joining
with illegal activities such as spam, identity theft,
and denial-of-service attacks. Over the next 20 years,
Perry believes a major war or terrorist attack will
include a serious computer-based component. Cluley
says security technology is also getting much better
and is learning to use the Internet to its advantage,
while Shipp sees new, costly technology that can
eliminate most security threats but also exclude
poorer nations. Click
Here to View Full Article
"Spam Nation" InformationWeek
(11/10/03) No. 963, P. 59; Claburn, Thomas
- Twenty-five percent to 60 percent of all email is
spam, and an October Pew Internet & American Life
Project survey estimates that 70 percent of email
users do not like spam. Though national laws such as
the Can-Spam Act and state statutes such as the
recently enacted California anti-spam law are designed
to target bulk commercial emailers, tracking them down
and prosecuting them is difficult; for one thing, they
often obscure their identities through various
techniques and operate outside the United States,
beyond the reach of anti-spam enforcement. This
tendency to hide also puts spam trackers at a
disadvantage for lack of insight into spammers'
motivations, notes Brightmail's Francois Lavaste.
EPrivacyGroup.com chief privacy officer Ray
Everett-Church places spammers into two camps: Naive
Internet users who think spamming is a fast route to
easy riches and become quickly discouraged, and
"professional criminals." Laura Atkins of the Word to
the Wise anti-spam software and consulting firm says
that spammers are in it for the challenge, while
others believe they have the right to market to
anyone, regardless of recipients' desires. There are,
however, email marketers who take offense at being
classified and hounded as spammers: OptInRealBig.com
owner Scott Richter argues that his company is
legitimate because, unlike spammers, it does not cover
up its existence, and it is generating profits as a
direct result of email marketing. Richter goes on to
say that many people who complain of spam have given
marketers permission to send them email without
realizing it by registering for prizes at Web sites,
for instance. Companies such as CNet, which retain
lists of customers for communication and marketing
purposes, demonstrate clear value for clients and work
closely with ISPs to stay in their good books, says
CNet's Markus Mullarkey. Click
Here to View Full Article
From ACM
News, November 17, 2003
"Encryption Revolution: The Tantalizing
Promise of 'Unbreakable' Codes" Associated
Press (11/16/03); Bergstein, Brian
- Supposedly uncrackable quantum encryption has
begun to emerge in the wake of two decades of
research, as signified by a new system MagiQ
Technologies began to sell commercially this month.
MagiQ CEO Bob Gelfond says the new system, dubbed
Navajo, offers a major advantage over current
encryption schemes: In addition to using individual
photons to transfer encryption keys--which are highly
sensitive to interference or monitoring
attempts--Navajo changes the keys 10 times every
second, making the keys useless to anyone who acquires
them. Navajo is comprised of black boxes that produce
and read quantum-encrypted signals over a fiber-optic
line across a maximum distance of 70 miles. Similar
efforts are underway in the United States, Europe, and
China--Switzerland's id Quantique has a Navajo-like
system in the pilot phase; IBM researchers are
investigating how to reduce the size of quantum
systems so they can mesh more smoothly with existing
computing and communications networks; and Britain's
QinetiQ and the Los Alamos National Laboratory are
exploring the wireless transmission of quantum keys.
Quantum encryption operates on Heisenberg's
Uncertainty Principle, which decrees that subatomic
particles exist in multiple potential states
simultaneously until something interacts with them.
Researchers expect to be able to harness these states
and interactions to build a quantum computer, which
would boast exponentially more power than current
supercomputers; Peter Shor of AT&T Labs
demonstrated in the 1990s that quantum computers would
be able to decrypt any code--except that produced via
quantum cryptography. Click
Here to View Full Article
"Spammers Target Instant Message
Users" TechNews.com (11/13/03); McGuire,
David
- Unsolicited commercial messages are not restricted
to email or pop-up ads; now spammers are exploiting
instant messaging to annoy users with an even more
intrusive form of advertising called "spim." Spim is
even more aggravating for users because it can appear
at any time, and there is more risk of embarrassment
because, unlike email, users cannot check instant
messages at their leisure. Although unmasking the
culprits behind spim and the methods they use is no
easy task, users can take solace in the fact that IM
spammers will find it difficult to send such messages
in bulk, as AOL, Yahoo!, and other companies are
already taking action to ensure that spim never
becomes as overwhelming as spam. "I don't think IM
spam has become anything on the scale of the problem
that regular spam is," says AOL's Andrew Weinstein,
whose company employs rate limiting and other kinds of
spim-blocking measures. Though IM does not produce a
lot of revenue, companies have a vested interest in
curbing the appearance of unwanted content such as
spim, since IM is often regarded as a gateway service
that helps attract customers to paid Internet
offerings. Patricia Faley of the Direct Marketing
Association reports that her organization intends to
adopt an IM marketing policy within the next six
months, and says there is little interest among
established vendors to use IM for marketing purposes.
FTC staff attorney Brian Huseman assures that the
commission is keeping tabs on spim, even though
consumer complaints have been small. Grant Toomey, a
representative of CAN-SPAM Act sponsor Sen. Conrad
Burns (R-Mont.), says the congressman is also tracking
the spim problem and may take a legislative course of
action in 2004. Click
Here to View Full Article
From the Crabby
Office Lady: Crabby's
Top 10 Spam-Fighting Tips, including Spam Laws and National
e-mail Opt-Out List.
From ACM
News, November 17, 2003
"Could Antivirus Apps Become Law?" IDG
News Service (11/06/03); Gross, Grant
- Rep. Charles Bass (R-N.H.) suggested at a Nov. 6
congressional committee hearing that the nation's
critical infrastructure could be bolstered by a
federal mandate for all U.S. computer users to deploy
antivirus software on their PCs. His proposal was
sharply criticized by computer experts, who cited both
ethical and technical reasons why such a measure would
not work: VeriSign's Ken Silva said that such a law
would be "tantamount to trimming a little fat off the
Constitution" and that users would balk, while
Internet Security Alliance CEO Bill Hancock noted that
computers used for factory automation or power plants
are not antivirus-enabled, and mandating it there could
lead to an infrastructure collapse. There was also a lack of
consensus over other ways the government could
encourage cybersecurity--Richard Pethia of Carnegie
Mellon University's CERT Coordination Center suggested
that software vendors should be pressured to write
more glitch-resistant code, a goal Silva claimed is
unattainable. Silva and Hancock supported
congressional promotion of cybersecurity education,
while Pethia was skeptical that enough computer users
could be reached through such an initiative, insisting
that vendors must be held liable for security flaws in
their products. Rep. Gene Green (D-Texas) declared
that "The combination of email spam and viruses is
like putting a SARS patient on every airline flight in
the country," and argued that his Anti-Spam Act of
2003 would be an effective antivirus measure. A
greater commitment of law enforcement resources to
anti-cybercrime efforts was supported by Hancock and
Business Software Alliance (BSA) President Robert
Holleyman, with the latter also lobbying for
international accords for cybercrime law enforcement
and the creation of a global "culture of security."
Hancock pointed out that American statutes will not
curb cybercrime by themselves, since hackers and
spammers will still find safe havens outside the
United States. Click
Here to View Full Article
From ACM
News, November 11, 2003
"Spammers Can Run But They Can't
Hide" New York Times (11/09/03) P. 3-1;
Hansell, Saul
- The Spamhaus Project, based in England, is a nexus
in the battle against spam: Founded by activist Steve
Linford in 1998, Spamhaus.org compiles the most
reputable nonprofit list of known spammers and is used
by many second-tier and smaller U.S. ISPs to identify
spammers operating from their networks. Large ISP
organizations such as Time Warner and Microsoft's
Hotmail use commercial anti-spam services. Linford's
team of 15 volunteers has been credited with
preventing up to half of all sent spam from reaching
its intended target, but new spam techniques have
degraded Spamhaus' ability to track and identify
sources of spam. A common technique Linford uses to
identify spam is to find the IP address of a Web site
cited in the spam email and check if it has been added
to Spamhaus' block list already. Other Spamhaus
members conduct deeper investigative work, sometimes
lurking in chat rooms or actively engaging spammers in
an effort to dissuade them from continuing their work.
Spammers have been actively increasing their abilities
too, joining with crackers, or hackers with malicious
intent, to propagate spam through Internet viruses and
worms; harnessing large numbers of zombie machines,
these spam-allied crackers route spam messages and
conduct distributed denial-of-service attacks against
Spamhaus.org and other anti-spam groups. Linford, who
personally finances Spamhaus with funds from his Web
design and hosting firm, says he does not intend to
give up the fight against spammers and is making
headway, such as newfound respect from Chinese ISPs
which are loath to have their email traffic on
Spamhaus' block list. Linford praises a recently
passed European Union law that makes spam illegal, but
thinks the U.S. Can Spam Act is too weak and will
eventually be replaced. Click
Here to View Full Article
From ACM
News, October 24, 2003
"Senate Votes 97-0 to Restrict E-Mail
Ads" Washington Post (10/23/03) P. A1; Krim,
Jonathan
- The Senate yesterday unanimously passed an
anti-spam bill from Sens. Conrad Burns (R-Mont.) and
Ron Wyden (D-Ore.), after amendments were made that
clear the way for the establishment of a national
no-spam registry similar to the do-not-call list. The
legislation bans unsolicited commercial emails that
promote bogus body-enhancement wares, financial scams,
and pornography, while provisions proposed by Sens.
Orrin G. Hatch (R-Utah) and Patrick J. Leahy (D-Vt.)
outlaw methods spammers use to evade detection. Under
the bill, the FTC has six months to develop a
do-not-spam registry system and outline the technical
challenges. The registry, proposed by Sen. Charles E.
Schumer (D-N.Y.), has been criticized by FTC Chairman
Timothy J. Muris, who argues that such a measure would
make little difference to spammers, who would simply
ignore it. The Burns-Wyden bill itself has also come
under fire from several consumer and anti-spam groups
because it only allows ISPs, not individuals, to sue
spammers; the legislation would also preempt all state
spam control laws, some of which are regarded as
draconian by members of the business community. The
bill is backed by the marketing, retailing, and
Internet-access industries, which have long lobbied
for a federal law that does not prohibit legitimate
enterprises from sending commercial email to customers
who desire such messages. Entities that have endorsed
the bill, with varying degrees of commitment, include
the White House, the Coalition Against Unsolicited
Commercial Email, Yahoo!, and Microsoft. The House
Energy and Commerce Committee is debating a similar
measure, and the differences between it and the Senate
bill will need to be resolved; both bills allow
consumers to opt out of receiving email if they so
wish. Meanwhile, a new poll from the Pew Internet Life
Project found that 25 percent of respondents say they
have reduced their use of email due to spam.
"Carnegie Mellon to Launch New Initiative to
Ensure Cybersecurity" EurekAlert
(10/22/03)
- The expertise of over 50 researchers and 80
students from Carnegie Mellon University's College of
Engineering, School of Computer Science, H. John Heinz
III School of Public Policy and Management, and the
CERT Coordination Center will be combined under
Carnegie Mellon CyLab. CMU President Jared L. Cohon
says the CyLab facility "is designed to work with
speed and great efficiency to shore up security
breaches that can compromise the Internet-based
electronic ties that enhance communications and
services that bind so many enterprises together into a
network that is the foundation of our economic
prosperity." Another of CyLab's goals is to nurture
government-business collaboration to bolster the
security of the cyber-infrastructure. CyLab
co-director Pradeep Khosla says the center will be a
convergence point for CMU's information assurance
specialists, including those working in the fields of
research and development, public policy, response, and
prediction. Much of CyLab's research funding is coming
from a sizable federal investment shepherded by Rep.
Mike Doyle (D-Pa.). The Internet's vulnerability to
malicious software, hackers, and cyberterrorism will
spur CyLab to concentrate on the development of
state-of-the-art technologies designed to keep
information private and fortify the security of
distributed systems and wireless and optical networks.
The facility will also be dedicated to sustaining
CMU's CyberCorps program and its effort to boost
cybersecurity competence among 10 million home users.
Cisco CTO Greg Akers says, "We look forward to helping
CyLab craft a focused research initiative centered on
tools, technologies and practices to improve
dependability, secure the Internet, embed security in
computer and communications systems, and design a
public/private partnership to accelerate outreach
training and education." Click
Here to View Full Article
"Spammers Clog Up the Blogs" Wired
News (10/24/03); Ulbrich, Chris
- A recent spate of aggressive spamming on Weblogs
(blogs) has raised questions about what tradeoffs
bloggers may be willing to accept to rid their sites
of this growing nuisance, and what strategies they can
employ to stave it off. Blog-spamming often takes the
form of links embedded in key phrases such as "diet
pills" or "buy viagra" placed in bloggers' comment
threads by spambots, while a more insidious method
involves spambots posting seemingly harmless comments
with spammers' URLs embedded in the signature. Dealing
with comment spam can be even harder than dealing with
email spam--comment spam is more difficult to
recognize and delete, while removing the spam once it
has been spotted can be an onerous and laborious job.
Spammers apparently hope that such a massive amount of
URLs cropping up in blog comments will convince search
engines that such products interest the blog
community, and cause spammers' sites to be ranked
highly in search query results. The most recent
blog-spamming wave targeted Six Apart's Movable Type
publishing system, which does not require registration
to post comments and only allows bloggers to refuse
comments according to IP address. Six Apart founders
Ben and Mena Trott say upcoming versions of Movable
Type and their TypePad hosted blogging service will
feature improved comment handling, and may include
mass deletion of comments originating from a specific
IP address, or a way to remove comments directly from
notification emails. SearchEngineWatch.com editor
Danny Sullivan doubts that comment spam will affect
search-engine results for very long. "They may work
for a very short period of time, but search engines
come back, and it's another step in the constant arms
race between search engines and the people who
optimize for them," he observes. Click
Here to View Full Article
From ACM
News, October 29, 2003
"Antispam Methods Aim to Merge" CNet
(10/24/03); Festa, Paul
- A new subcommittee established in October by the
Internet Research Task Force's Anti-Spam Research
Group (ASRG) seeks to reconcile and merge competing
email sender verification protocols. Proposed measures
include Reverse Mail Exchange, Sender Permitted From
(SPF), and the Designated Mailers Protocol, which are
designed to verify the identity of an email's sender
without replacing the Simple Mail Transfer Protocol.
All of these schemes are based on the revision of the
Domain Name System database so that email servers can
post associated IP addresses, enabling ISP recipients
to instantly confirm a message's origin. Such a system
would certify that email servers and individual
address owners are not spamming. "We can solve spam
with a technical solution, rather than by going
through the Congress or by implementing
micropayments," declared Meng Wong, CTO of ASRG
subcommittee member Pobox.com, which supports the SPF
protocol. He added that sender verification systems
must operate in tandem with a reputation system that
would allow recipients to identify the domains of
established spammers. "Once you have reputation
systems that work on the basis of domains, which
spammers cannot forge, then no matter how many
machines you hack into, you still have to use the
spammer's domain," Wong explained. ISPs and antispam
firms agree that halting the spread of spam is a
difficult challenge because of the prevalence of email
address spoofing.
Click Here to View Full Article
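The DNS-based sender verification the ASRG subcommittee was trying to reconcile, together with Wong's point that a domain reputation system has to sit behind it, as an added example (not code from the article, from Pobox.com, or from any of the named protocols): a Python model of an SPF-style check. The DNS TXT table and the reputation table are constructed stand-ins, only the `ip4` and `all` mechanisms of the record syntax are handled (real SPF also has `include`, `a`, `mx` and others), and the policy outcomes accept/greylist/reject are assumed for illustration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real receiver would query the resolver.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example.org": "v=spf1 ip4:203.0.113.0/28 ~all",
    "example.net": "",  # domain publishes no record at all
}

# Constructed domain reputation table: the "reputation system" Wong describes.
REPUTATION = {"example.com": "good", "example.org": "unknown", "example.net": "bad"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse the ip4 mechanisms and the 'all' qualifier of a v=spf1 record.

    Only ip4 and all are handled (assumption for this example); anything else
    is ignored. Returns (list of (qualifier, network), all_qualifier) or
    None when the text is not an SPF record.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    networks, all_qualifier = [], "?"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            networks.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
        elif term.lower() == "all":
            all_qualifier = qualifier
    return networks, all_qualifier


def check_sender(domain, client_ip, dns=FAKE_DNS_TXT):
    """Does the connecting IP appear in the list the domain published in DNS?"""
    parsed = parse_spf(dns.get(domain, ""))
    if parsed is None:
        return "none"  # nothing published: verification cannot say anything
    networks, all_qualifier = parsed
    ip = ipaddress.ip_address(client_ip)
    for qualifier, net in networks:
        if ip in net:
            return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[all_qualifier]


def policy(domain, client_ip):
    """Combine verification with reputation: a forged domain fails the check,
    and a verified domain is then judged by its own track record."""
    result = check_sender(domain, client_ip)
    if result == "fail":
        return "reject"
    if result == "pass":
        rep = REPUTATION.get(domain, "unknown")
        return {"good": "accept", "bad": "reject"}.get(rep, "greylist")
    return "greylist"  # none / softfail / neutral: no firm evidence either way


if __name__ == "__main__":
    print(policy("example.com", "192.0.2.55"))   # accept
    print(policy("example.com", "203.0.113.5"))  # reject (IP not in the published list)
    print(policy("example.org", "203.0.113.3"))  # greylist (verified, but unknown reputation)
```

The point the article attributes to Wong shows up in `policy`: a compromised machine that is not in the domain's published list gets `fail`, and a spammer who uses a domain they actually control passes verification but then carries that domain's reputation with every message.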
From ACM News, October 29, 2003
"Patchy Years Ahead for Software Users" IDG News Service (10/23/03); Pruitt, Scarlet
- Network administrators are finding most of their
time taken up with deploying software patches to fix
network vulnerabilities or upgrade features, and there
appear to be few signs of relief on the horizon,
despite announcements from patch vendors that they are
aware of the problem and are working to simplify the
patching process. Ecora CEO Alex Bakman estimates that
applying a patch to each machine in a company's system
takes half an hour on average, and notes that recent
outbreaks of worms such as Slammer and Blaster have
exacerbated the situation. He also says that many
companies are not installing essential patches out of
concern that they might "break" applications, and they
refuse to deploy them during critical times in the
fiscal year, such as prior to a major retail or
holiday season. Gartner analyst John Pescatore
declared at the Gartner Security Summit that patching
on the desktop, and its associated problems, have at
least two more years of life. Gartner analysts
recommended in March that companies institute a patch
management strategy in which the most critical
security patches are prioritized and the patch
installation requirements are thoroughly assessed.
Gartner advised companies to test all patches before
implementation and to define server and desktop
configurations as standard and nonstandard so they can
be patched according to their particular requirements;
it was also recommended that enterprises only accept
official patches and give the patch management
infrastructure the same level of protection as their
outward-facing Web and application servers. Users say
the patching situation is symptomatic of wider
software problems, in which new security flaws that
must be patched are continuously discovered, adding to
the total cost of ownership. Writing flawless software
is an impossible goal, since human coders are
inherently vulnerable to error.
Click Here to View Full Article
From ACM News, October 17, 2003
"Anti-Spam List Wouldn't Fly, Experts Warn" Investor's Business Daily (10/17/03) P. A5
- Experts argue that fundamental distinctions
between phone and email systems and the marketers who
use them will be insurmountable barriers to the
usability of a do-not-spam list, while even antispam
advocates admit that such a measure would not cure the
spam problem. The FTC is skeptical that a do-not-spam
list run by the government would be effective: The
phone network is strictly regulated and features
central control and strong anti-spoofing measures, but
email systems are decentralized and information about
spammers is not difficult to falsify. A no-spam list
can quickly become outdated because people switch
email addresses more often than phone numbers. In
addition, Direct Marketing Association CEO Bob
Wientzen doubts that spammers, who already regularly
violate consumer-protection statutes, will adhere to
any lists. Critics note that spammers based overseas
would be difficult to track down, while the existence
of a no-spam list raises questions of what would
happen if the security of that list is compromised.
Still, Sen. Charles Schumer (D-N.Y.) has introduced
legislation calling for the creation of a national
no-spam list, and similar bills have been passed by
State Senates in Michigan and Louisiana. Furthermore,
the Direct Marketing Association and at least three
private firms have instituted do-not-spam lists, but
critics charge such measures as toothless.
From ACM News, October 15, 2003
"Lawmakers Hammer on Spam" Medill News Service (10/14/03); Chang, Rita
- The spam problem has inspired a raft of antispam
proposals, but most of the half-dozen spam control
bills currently making the rounds in Congress
legitimize junk email, according to Spamcon Foundation
executive director Andrew Barrett. "Frankly, they
protect the status quo, and the language in the bill
tends to frame spam as fraud," he explains. Two
bills--the Criminal Spam Act and the CAN-SPAM
Act--have cleared committee in the Senate, but lack
the support of Sen. Charles Schumer (D-N.Y.), who
wants the bills to include a provision for a national
do-not-spam list; critics decry the measure as cost
prohibitive, and the FTC has doubts about its
practicability. The CAN-SPAM Act gives federal
prosecutors and ISPs the right to sue emailers who use
misleading subject lines, do not let recipients opt
out of emailing lists, or spam via dictionary attacks,
while the Criminal Spam Act outlines stiff fines and
prison sentences for spammers. The progress of
antispam legislation in the House of Representatives
has stalled because of conflicts between the
Wilson-Green bill and the RID-SPAM Act; both proposals
require users to opt out of receiving unsolicited
email, but Rep. Heather Wilson's (R-N.M.) bill
includes enforcement by state attorneys, a provision
opposed by the author of the RID-SPAM Act, Rep. Billy
Tauzin (R-La.). Wilson's proposal also bans corporate
affiliates and subsidiaries from sending spam to users
who have opted out once. Tauzin's bill prohibits
deceptive messages and email address harvesting, and
allows ISPs to sue spammers for damages, but Barrett
says the legislation cedes a certain degree of
legitimacy to spam. He says Wilson's bill is not much
of an improvement, and adds that all the proposals
give spammers complete freedom to spam until users opt
out. Ari Schwartz of the Center for Democracy and
Technology says, "There is no one piece of legislation
that will solve the [spam] problem overnight."
Click Here to View Full Article
From KSDK News, October 10, 2003
- Two lawsuits were filed in St. Louis today by Missouri
Attorney General Jay Nixon alleging violations of the
state's new anti-spam law. The suits seek injunctions
to prevent both defendants from further violations, as
well as civil penalties of up to five thousand dollars
for each violation. One lawsuit names Phillip Nixon of
Palm Beach, Florida, claiming he sent unsolicited
e-mails advertising the sale of an architectural plan.
The second suit was against Fundetective.com of Boca
Raton, Florida. Nixon says the company sent several
spam messages advertising payday loans and other
services. He says none of the e-mails were labeled as
required. (Copyright 2003 by The Associated Press. All
Rights Reserved.)
- The full rules for complying are at http://moago.org/nospam/nospam.htm.
- "To comply with the law, senders of spam must
provide a valid method for you to get your e-mail
address removed from the sender's list. Once you
have asked to be removed, the sender must stop
sending you spam."
- You have to email the spammer asking them to
stop, and CC: nospam@moago.org
on that email. If you then get more spam from that
person, you can complain to spamcomplaint@moago.org.
- You can also complain if they use a false
identity, don't have "adv:" or "adv:adlt" as the
first characters in the subject line, don't give you
a way to opt out, or send child pornography. In
these cases, you forward the message to spamcomplaint@moago.org.
From Edupage, October 13, 2003
Survey Shows How Users Deal With Spam
Internet News, 13 October 2003
- A new survey by DoubleClick shows some of the
methods that consumers are using to deal with the
growing tide of spam in their inboxes. Most users
agreed that spam is the biggest problem with e-mail,
though 90 percent acknowledged they have received
permission-based commercial e-mail. Users tended to
favor "common-sense" approaches to dealing with spam
rather than technological ones. Only 16 percent of
respondents said they use a software filter for
e-mail. Most users said they inspect e-mail,
particularly the "from" line, and will simply delete
mail they suspect of being spam. Respondents to the
survey also complained about the frequency of
permission-based messages. "Even permission based
e-mail can be offensive if it's received too often,"
said Scott Knoll, vice president and general manager
of market solutions at DoubleClick.
http://www.internetnews.com/IAR/article.php/3090961
From ACM News, October 6, 2003
"Outwitting Spammers" Network World (09/29/03) Vol. 20, No. 39, P. 48; Bort, Julie
- The growing spam glut is a source of frustration
for enterprises, which lose precious productivity in
order to deal with unwanted emails. Spam filters are a
popular anti-spam tool, but they come with their own
drawbacks: Keeping networks up-to-date with the latest
filters means frequent upgrades, while the risk that
such tools will mislabel legitimate emails as spam
increases as more filters are activated.
"Machine-learning" technologies such as Bayesian
filters and neural networks are being heralded as much
more effective anti-spam measures, although they are
not perfect. Users of Bayesian filters place spam and
non-spam messages into two separate folders, and the
filter trains itself to distinguish between the two by
analyzing the unique identifying characteristics of
the folders' contents; any errors the filter makes are
sent by the end user to the appropriate folder, so the
filter can note them. In this way, Bayesian filters
can adapt to spammers' changing tactics, but the
technology's chief disadvantage is its client-side
orientation, making it unable to relieve the pressure
that spam exerts on network processors. Some vendors
are calling for Bayesian-like solutions that run at
the email gateway to prevent both network clogging and
false positives. Meanwhile, some vendors tout neural
networks as a safer machine-learning alternative. The
networks' spam-training software is placed on vendors'
sites rather than on users' clients, and the email the
network trains on is culled from bogus in-boxes set up
for the express purpose of capturing spam. Neural
network-enabled products function best when users
update the gateway software at least once daily.
http://www.nwfusion.com/buzz/2003/0929spam.html
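How a Bayesian filter learns from two folders and from the user's corrections, as an added example that is not code from the Network World article or from any vendor product: a naive Bayes classifier in Python trained on constructed sample messages, where `correct()` stands in for the user moving a misfiled message to the right folder. The sample messages, the add-one smoothing and the tie-break toward spam are assumptions of this example; the same class could run on a client or at a gateway, which is the deployment question the article raises.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z']+")


def tokenize(text):
    """Lower-case the message and split it into word tokens (bag of words)."""
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    """Naive Bayes spam filter trained from a 'spam' folder and a 'ham' folder.

    Word probabilities use add-one (Laplace) smoothing over the combined
    vocabulary, so a word the filter has never seen does not zero out a class.
    """

    LABELS = ("spam", "ham")

    def __init__(self):
        self.word_counts = {label: Counter() for label in self.LABELS}
        self.message_counts = {label: 0 for label in self.LABELS}
        self.vocab = set()

    def train(self, text, label):
        """Add one message from the given folder to the model."""
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.message_counts[label] += 1
        self.vocab.update(tokens)

    def log_posterior(self, tokens, label):
        """log P(label) + sum over tokens of log P(token | label), smoothed."""
        total_messages = sum(self.message_counts.values())
        log_prior = math.log(self.message_counts[label] / total_messages)
        counts = self.word_counts[label]
        denominator = sum(counts.values()) + len(self.vocab)
        return log_prior + sum(math.log((counts[t] + 1) / denominator) for t in tokens)

    def classify(self, text):
        """Return the folder with the higher posterior; ties resolve to 'spam'."""
        tokens = tokenize(text)
        scores = {label: self.log_posterior(tokens, label) for label in self.LABELS}
        return max(self.LABELS, key=scores.__getitem__)

    def correct(self, text, true_label):
        """The user moves a misfiled message to the right folder; the filter
        retrains on it and returns its new verdict for that message."""
        self.train(text, true_label)
        return self.classify(text)


# Constructed training folders (not real mail).
SPAM_FOLDER = [
    "free offer click here to claim your free prize",
    "cheap loans click now limited offer",
    "win a prize free money click",
]
HAM_FOLDER = [
    "project meeting moved to thursday please bring the report",
    "lunch tomorrow after the project review",
    "attached is the quarterly report for the meeting",
]


def build_filter():
    """Train a filter from the two constructed folders."""
    f = BayesFilter()
    for message in SPAM_FOLDER:
        f.train(message, "spam")
    for message in HAM_FOLDER:
        f.train(message, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    print(f.classify("click here to claim your free prize"))  # spam
    print(f.classify("newsletter unsubscribe"))                # spam: no known words, priors decide
    print(f.correct("newsletter unsubscribe", "ham"))          # ham after one correction
```

A message made only of words the filter has never seen is decided by the priors and the smoothing alone, which is why a single user correction is enough to flip its verdict; that feedback loop is the "adapting to spammers' changing tactics" the article describes, and it is also why the filter is only as good as the folders the user keeps clean.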
"Ruling Over Unruly Programs" CSO Magazine (09/03); Garfinkel, Simson
- Sandstorm Enterprises CTO Simson Garfinkel writes
that technical rather than legal issues make it
theoretically impossible to write a program that can
analyze any given suspect program to ascertain whether
it contains friendly or unfriendly code. He explains
that "The mathematics of computing make it impossible
to write software that can figure out what other
programs can do, prior to execution," and notes that
current antivirus systems label programs as clean or
infected by scanning them for known virus
signatures--an approach that is ineffective when
confronted with unknown viruses. Mathematician Alan
Turing proved almost 70 years ago that the actions of
even the simplest type of hostile program cannot be
predicted. A popular strategy people use to "solve"
the desktop security conundrum is to modify the
operating systems so they will only run programs
certified by publishers such as Adobe and Microsoft;
but Turing's research demonstrates that even those
programs may contain vulnerabilities. "Just about the
only way to take back computer security from the
morass that Turing created is to restrict what
computer programs can do--that is, make computers less
general-purpose," writes Garfinkel, who adds that a
program's behavior can be made incalculable with very
little effort. Another theoretically insurmountable
barrier is computers being unable to crack truly
complex "NP" problems such as code-breaking by
deactivating the mathematics that support the
problem's complexity. Brute-force search--the longest
and most arduous technique--is the only way people
know to search for a solution. Garfinkel acknowledges
that solving an NP-complete problem, unlikely as that
may seem, could facilitate the reverse-engineering of
practically all encryption schemes that have ever been
developed.
http://www.csoonline.com/read/090103/shop.html
From eWeek, September 29, 2003
- "Just Can the Spam", by Cameron Sturdevant: Read the Article
- "Six Spam Fighters Face Real-World Test: Benchmarking Anti-Spam Tools", by Cameron Sturdevant: Read the Article
From New York Times, October 6, 2003
- "Spam Fighters Turn to Identifying Legitimate E-Mail", by Saul Hansell: Read the Article
From ACM News, October 3, 2003
"E-Mail Is Broken" Salon.com (10/02/03); Mieszkowski, Katharine
- Four computer scientists--Carnegie Mellon
University's Dave Farber, Brandenburg Consulting
principal Dave Crocker (a former student of Farber's),
Electronic Frontier Foundation chairman of the board
Brad Templeton, and Nielsen Norman principal Jakob
Nielsen--separately discussed the sorry state of email
and what can be done to solve the spam problem.
Templeton observed that "Computers amplify both the
good and the bad we can do, and spam is yet another
example." Farber declared that email's reliability has
gone downhill because more and more people are
installing poorly performing spam filters, and he
warned that time is running out to staunch the growth
of spam; Crocker noted that many people are frustrated
by spam because its sheer volume makes it hard to find
legitimate email. Nielsen said he thinks an anti-spam
law is a good idea, but this would do little to deter
spammers based overseas, while Templeton characterized
most anti-spam legislation as "worse than useless."
Farber commented that a Massachusetts law permitting
people to sue spammers is unlikely to be effective,
given the difficulty in tracking spammers down, but
said that an enforcement scheme set up by the FTC or
FCC would at least rein in spamming by big companies.
Technical solutions suggested by the computer
scientists include authentication standards, but
Farber pointed out that no one appears to want to
invest in deploying such a solution; Crocker favored
incremental email revisions coupled with non-onerous
methods of locating spammers, and an increase in
accountability. Nielsen considered a radical and
unpopular solution--to wipe the slate clean and phase
out all existing email protocols. This would involve a
global upgrade by all companies simultaneously, which
Nielsen called an impossible task. Crocker concluded
that people should stop wasting time looking for a
magic bullet, for there is no single solution to the
spam problem.
From ACM News, September 24, 2003
"Davis Signs Bill to Ban Online Spam" Los Angeles Times (09/24/03) P. A1; Ingram, Carl
- California Gov. Gray Davis signed Sen. Kevin
Murray's (D-Calif.) anti-spam legislation into law
Sept. 23, thus criminalizing the sending of
unsolicited commercial email to Californians and
allowing state Attorney General Bill Lockyer, ISPs,
and individual residents to file civil suits against
spammers and their advertisers. Spam marketers and
advertisers exempt from the law, which imposes a
$1,000 fine for every unsolicited message, are those
who get specific requests from recipients to send them
email or who have previous business relationships with
recipients. In addition, a fine of up to $1 million
can be charged against bulk emailers who conduct blitz
campaigns, in which hundreds of thousands, sometimes
millions, of unsolicited messages are sent out on a
daily basis. Murray, who called his legislation "the
toughest [anti-spam] bill in the nation," said the
measure is the first to target advertisers as well as
spam marketers. Some legislators foresee problems in
recovering damages from out-of-state or overseas
spammers that do business in California, though Murray
said that practically all online transactions involve
the use of four U.S.-based, internationally
acknowledged credit card firms, thus making spammers'
bank accounts traceable. Still, industry observers
insist that the most infamous spammers, who reside
outside the United States, would be immune from the
California law. Davis declared that he had or would
soon pass other bills as part of a package that aims
to uphold Californians' privacy and shield them from
identity theft, although he cautioned against pushing
for federal legislation that could roll back new state
privacy safeguards and already existing identity-theft
laws. In a letter to leaders on Capitol Hill, Davis
proclaimed that "Congress should consider California
legislation as a model for the rest of the nation."
Click Here to View Full Article
From Edupage, September 19, 2003
Latest Virus Masquerades As Virus Patch
Internet News, 19 September 2003
- A new virus making the rounds on the Web pretends
to be a security patch in an e-mail. Security experts
worry that the recent spate of high-profile, damaging
viruses will encourage many users to open the
attachment in the new virus e-mails, which have
subject lines such as "Microsoft Internet Update Pack"
and "Microsoft Critical Patch." The new virus, called
the Swen/Gibe virus, was described as "highly
virulent" by Ken Dunham of iDefense. The .exe
attachment to the e-mail reportedly has the ability to
auto-execute on computers that have not been patched
against a known Microsoft vulnerability, and, when
started, the virus can steal users' names, passwords,
and server information. Symantec Security Response
reports that the virus also attempts to defeat
antivirus and firewall applications when it infects a
computer.
http://www.internetnews.com/dev-news/article.php/3080001
From ACM News, September 19, 2003
"Self-Policing Added to Spam Bill" Washington Post (09/18/03) P. E1; Krim, Jonathan
- A provision recently inserted into antispam
legislation sponsored by Reps. Richard Burr (R-N.C.),
W.J. Tauzin (R-La.), and F. James Sensenbrenner Jr.
(R-Wis.) would make bulk emailers exempt from
penalties if they agree to regulate themselves. The
requirement would involve the formation of a
self-regulatory organization that uses an independent
third party to give "legitimate" senders of commercial
email an electronic seal of approval, but certain
consumer groups, legislators, antispam organizations,
and state prosecutors balk at the prospect. "[Bulk
emailers] are writing the law so that it places them
where they think they belong: Above it," declared
Jason Catlett of Junkbusters. The bill the provision
has been added to requires bulk emailers to comply
with consumer requests to stop receiving unsolicited
commercial messages and criminalizes both the
electronic "harvesting" of email addresses and the
masking of spammers' locations. Tauzin representative
Ken Johnson argued that the provision is an
improvement because it allows individual consumers to
direct complaints to an authorized body rather than
attempting to contact law enforcement agencies that
may not respond. But a representative of Rep. Heather
A. Wilson (R-N.M.), who is pushing for stricter
antispam legislation, declared that the provision
"continues to protect spammers at the expense of
consumers." The antispam bill was drawing criticism
even before the addition of the self-regulation
provision: Some lawmakers and consumer organizations
are worried that the bill would displace more
stringent state regulations and prevent consumers from
launching civil suits against spammers.
Click Here to View Full Article
From ACM News, September 15, 2003
"China Joins Global Fight Against Spam" IDG News Service (09/10/03); Lemon, Sumner
- China has had particular problems with spam,
partially because network administrators in the
country are not as stringent in overseeing systems as
are administrators in other nations--says Justin Mallen
of Silk Road Technologies--and partially because
telecommunications companies such as China Telecom
Corp. are so large. The Internet Society of China
(ISC) has decided to address the problem of spam by
preventing emails from 127 servers known to have been
points of origin of spam from reaching its members.
The organization also has put forth a group of steps
for the purposes of blocking spam and preventing
problems that result from placing blocks on email
service providers in China. The ISC's Anti-Spam Email
Coordination Team was responsible for determining the
group of servers associated with spam, which includes
90 servers in Taiwan, just eight servers based in
China, 16 servers based in the United States, and six
servers in South Korea. The ISC's proposed steps for
improving China's handling of spam would ask for
tougher laws for preventing the spread of spam, urge
Chinese ISPs to employ anti-spam measures, ensure that
ISPs block spammers from using email, teach users
about spam, and maintain a list of entities with "evil
intentions" that send unsolicited email. Still,
according to the Spamhaus Project, 633 servers at
Chinese ISPs act as spam sources--some of them members
of the ISC. Previously, the ISC located spam from many
more servers than the current list indicates.
http://www.idg.com.hk/cw/printstory.asp?aid=20030910006
From Knowledge@Wharton, September 10, 2003
System Alert: You've Got ... Worms
- With names like Sobig, Blaster, and Welchia,
computer viruses have been wreaking havoc around the
world. No longer confined to e-mail attachments, the
latest bugs can spread through the Internet, as they
take advantage of vulnerabilities in exposed
computers. Was the recent spate of attacks just more
of the same – or are virus writers beginning to infect
computers with other gains in mind? Experts at Wharton
and elsewhere weigh in on possible motives, what
businesses should do to protect themselves, and which
industry sectors stand to gain from the chaos.
Read Article
From ACM News, September 5, 2003
"Computer Antivirus Strategies in Crisis" New Scientist (09/03/03); Graham-Rowe, Duncan
- Malware such as viruses and worms has overtaken
antivirus software, according to a study that
Hewlett-Packard researcher Matthew Williamson will
present at a Toronto conference in September. Although
most antivirus software that identifies virus
"signatures" can eventually stop the spread of
malicious code, it cannot effectively prevent viruses
from inflicting damage because malware propagates
faster than patches can be issued. Williamson finds
that the proliferation of a virus cannot be stopped
even if the viral signature is available from the
moment of its release, if the virus breeds quickly
enough. Furthermore, he notes that antivirus software
checks for updates no more than once an hour, which is
not fast enough to combat the type of viruses that
have caused so much trouble recently; too much
checking can be misconstrued as an attack. Moreover,
signature-based antivirus measures have to scan
incoming email for all documented viruses, an unwieldy
procedure that can cause system bottlenecks.
Williamson thinks signature-based approaches still
have value as a way to purge infected computers, but a
more effective antivirus tool must be able to take
action before signatures become available. The HP
scientist based his research on a computer model that
simulates the spread of computer viruses, using a model
of biological virus propagation as a template, and
added specifications to represent the response pattern
of antivirus software.
Netherlands-based McAfee Avert is developing a
heuristic antivirus approach that is very effective at
detecting new viruses, but it can also generate false
positives.
Click Here to View Full Article
"Many More Worms Will Wriggle Into Our Future" San Francisco Chronicle (09/04/03) P. B1; Kirby, Carrie
- Lawrence Livermore National Laboratory chief
cybersecurity officer Mark Graff posits that a lack of
incentive for software companies to design secure
products means that software and the Internet will
suffer worse virus and worm attacks in the near
future. He says that future viruses could cause
massive power outages similar to the recent East Coast
blackout if the cyber-infrastructure is not better
protected. However, Graff is convinced that embedding
flawless security in software will not become an
industry habit until an even worse hacker-driven
catastrophe transpires. He declares that until then,
"The attacks are going to come faster and faster,
closer together...Eventually, as far as we're
concerned, it will be one constant attack." Graff
notes that major technological advances are often
partly spurred by tragedy. To fend off constantly
evolving viruses, networks will need to take combative
action automatically and become self-repairing. "We
have to look at the network as an immune system that
can defend itself with intelligent agents--software
that can react and is highly mobile inside the
network, that can go to the trouble spot just like
white blood cells are transported to a wound spot by
the bloodstream," Graff notes. He adds that
reliability and security will become even more
essential as computers and the Internet spread
practically everywhere, including the human body.
Click Here to View Full Article
"Email Updates Six Degrees Theory" Technology Research News (09/03/03); Patch, Kimberly
- Columbia University researchers have validated the
small-world phenomenon first discovered by Stanley
Milgram's famous 1967 sociology study, but have shown
some of the associated hypotheses to be wrong. Rather
than starting letter chains aimed at finding a
specific individual, the Columbia researchers
recruited 24,163 volunteers to send emails to
acquaintances who they thought might know the target
or someone close to that person; out of the 24,163
original chains, only 384 reached the 18 target
persons by way of 166 countries and a total of 61,168
email messages. The researchers surveyed participants
to find out why they did or did not forward the email,
and why they chose their contact if they did forward
it. The successful chains reached their target in five
to seven steps, on average, similar to Milgram's
study; but analysis of those successful chains showed
participants chose contacts based on geography and
their field of work, not on their social
connectedness, as was hypothesized in Milgram's work.
Cornell University applied mathematics professor
Stephen Strogatz says the study confirms the basic
tenet of a small-world model, but reveals methods that
Milgram did not have the resources to investigate.
Other conclusions show that more numerous, weak
friendships are better for connectedness than close
friendships that are insular. Ohio State University
sociology assistant professor Jim Moody says the study
will help understand widespread email communication
and the proliferation of viruses. Columbia research
scientist Peter Sheridan Dodds says a similar study is
being designed that will allow participants to send
the message to more than one contact and will ask more
questions about their methods. He says the research
has implications for peer-to-peer networks and
knowledgebases, as well as social, pathological, and
economic fields of study.
Click Here to View Full Article
"Outsmarting Spam" InformationWeek (09/01/03) No. 953, P. 18; Kontzer, Tony
- Growing animosity toward unsolicited commercial
email and the productivity losses associated with it
is making the battle against spam a priority for many
businesses, although most respondents to a recent
InformationWeek survey report that their
spam-filtering controls leave a lot to be desired,
while over 50% do not even know how much spam they
receive. Approximately one-third of the 550 polled
business-technology executives say their companies
have made the elimination of spam a high priority,
while most consider it a moderate priority. The
Radicati Group just issued a study estimating that a
10,000-employee company without spam-fighting tools
will spend $49 per user on server resources to deal
with spam in 2003, and the firm expects the per-user
cost to skyrocket to $257 by 2007. Fifty percent of
the InformationWeek survey's respondents are resigned
to spam becoming a routine part of everyday life,
while companies that do not monitor spam in their
in-boxes blame their lack of vigilance on the
ineffectiveness of filtering tools as well as the
speed at which spam methods change. Some companies are
also frustrated that handling spam eats up time that
could be put to better use. However, Osterman Research
principal analyst Michael Osterman thinks
spam-fighting technology has improved significantly
over the last 12 months, while the general level of
satisfaction with such tools is rising. Daiwa
Securities America co-CIO Stephen McCabe adds that
third-party firms can relieve internal IT staff of
some of the burden of tackling spam by scanning
inbound email for unsolicited commercial messages. IT
groups that are able to successfully reduce or control
spam may be able to get senior executives in their
corner to support other projects.
Click Here to View Full Article
"Does IM Have Business Value?" Business Communications Review (08/03) Vol. 33, No. 8, P. 40; Bellman, Bob
- Instant messaging is valued among enterprises for
its presence, which allows users to know ahead of time
who is available and unavailable to chat;
near-real-time message delivery, which offers a higher
level of interaction than email; and multiple
correspondence, which enables users to be more
efficient and productive. "IM lets you work more
effectively in an information-rich, time-critical
world," declares Jon Sakoda of IMLogic. Other benefits
of IM include significant savings in international
phone calls and other forms of communication--a
February report from Osterman Research estimates that
almost 81% of responding companies lowered phone use
and 67% reduced email use through IM. In addition, IM
does not cause network congestion, nor does IM inhibit
network operations. Though some IM services are free,
the companies that offer them expect to realize new
revenue by bundling IM with other products and
value-added services, or via IM "bot" applications.
However, IM's availability to anyone worries managers
concerned with upholding network security; viruses and
hacks can piggyback on IM-enabled file transfers, and
IM easily allows business transactions to be carried
out and proprietary data to be disseminated without an
audit trail. Other drawbacks to IM include
incompatible IM applications, the intense difficulty
in deactivating IM once it is activated, and IM's
potential to interrupt important tasks. A number of
years will pass before IM standards are mature enough
to facilitate interoperability, and before companies
understand the best ways to leverage IM.
Click Here to View Full Article
From ACM News, September 3, 2003
"Spamming Sleazebags Ruining E-Mail" SiliconValley.com (08/31/03); Gillmor, Dan
- Dan Gillmor places the blame for email's declining
appeal mainly on the shoulders of unscrupulous,
corrupt virus authors and spammers who exploit poor
software and oblivious users, ISPs, and systems
administrators. He notes that spammers would be undone
if enough people would stop purchasing things in
response to their unsolicited entreaties, but the
futility of this gesture prompts the need to institute
more stringent legislation. Yet Gillmor estimates the
chances of resolving the spam dilemma relatively
quickly are "next to zero." He adds that virus and
worm writers, who cover their tracks in much the same
way spammers do, are exacerbating the situation, and
they have found unwitting help in companies such as
Microsoft, whose software architecture is notoriously
exploitable and homogeneous. Worse, Gillmor severely
doubts that Microsoft will voluntarily strive to
overcome the business model that fosters the continued
support of consistently lousy software. He lays better
odds of more systems administrators and users
prevailing against their own laziness and updating
their systems, but does not think enough are doing so.
Meanwhile, chances are higher that ISPs will improve
their security measures by providing firewalls and
email virus protection to customers as standard
service features. Gillmor acknowledges the potential
of a radical new email architecture that would track
miscreants through authentication and other
safeguards, but warns that deploying it would be very
difficult, and would cost users their anonymity. His
own strategy is to never open an email attachment
unless he knows the message contents in advance or is
otherwise very sure it contains no malware; to reserve
critical communications for private email addresses he
hands out to a small group of people; and to use
instant messaging or other alternative Internet
communication options. Click
Here to View Full Article
From ACM
News, August 29, 2003
"Fight Against Viruses May Move to
Servers" Washington Post (08/28/03) P. E1;
Duhigg, Charles
- Many security experts contend that desktop
anti-virus software and firewalls may soon not be
enough to thwart increasingly crafty and sophisticated
computer viruses, and they expect the server to become
the new front line of defense. "[Virus writers] are
making viruses that are as difficult as possible to
analyze, and they are crafting attacks so that
anti-virus people can't download malicious code to
neutralize it before it is executed," says Mikko
Hypponen of F-Secure. Viruses and worms proliferate at
such speed that predictive systems are the only
effective deterrent, but desktop computers do not have
the computing capability to support such systems,
according to the computer security industry. Mark
Sunner of MessageLabs says computer security will
shift from desktops to large databases at key Internet
exchange points; he insists that "Our databases know
what an outbreak looks like, and can identify it much
faster and more aggressively [than desktops]." Adding
fuel to this migration are growing demands from
consumers and security experts that Microsoft and
other major software providers beef up the security of
their products. Ken Dunham of iDefense reckons that at
any one time at least 100,000 Internet-connected home
computers in the United States are infected with
malware that allows hackers to launch attacks from the
compromised machines. Worse, security experts caution
that worms are being designed to change tactics in the
middle of an attack; another fear on experts' minds is
the emergence of "superworms," though Lurhq security
researcher Joe Stewart claims that user awareness is
currently so poor that hackers do not necessarily have
to resort to such highly intelligent malware. Experts
place most of the blame for poor computer security at
the feet of two trends: Software standardization and
too much emphasis on system performance. Click
Here to View Full Article
"Software Self-Defense" ABCNews.com
(08/27/03); Eng, Paul
- Computer security experts say that users are the
weakest link in the defense against computer viruses
and worms, and that automated security updates and PC
scanning are needed to fill the gap. The SoBig virus,
which has infected over 100,000 PCs since Aug. 18, is
only activated when users open an email attachment.
Central Command COO Keith Peer says the software
security industry's continual drumming about not
opening suspicious email attachments is not working
because users are "glazing over." Furthermore, the
MSBlaster virus could have been stopped if many users
had updated their Windows systems with a new software
patch. Microsoft is considering shipping Windows XP
with Auto Update on by default, so that non-technical
users would not have to figure out what software
patches do and how to install them. Network
Associates' McAfee VirusScan and Symantec's Norton
AntiVirus already use automatic updates and might even
scan users' computers for suspicious activity
signaling an unidentified infection; any program
collecting email addresses from the hard drive or
changing Web browser settings would be flagged and
possibly disabled remotely by the software firm.
Electronic Frontier Foundation technologist Seth
Schoen says taking control away from the user is
dangerous, and suggests security companies might
introduce code that would discourage use of
competitors' products. In addition, license agreements
often waive manufacturers' responsibilities in case of
defects. Schoen would approve of intrusive security
measures if vendors give users a clear understanding
and choice to reverse updates. However, Network
Associates' Bryson Gordon warns that even with
stringent software protections, viruses will continue
to proliferate by way of social engineering tricks
rather than technical prowess. Click
Here to View Full Article
"Saving Private E-mail" IEEE
Spectrum (08/03); Vaughan-Nichols, Steven
J.
- Winning the war against spam requires
eliminating--or at least dramatically reducing--the
likelihood of false positives, which no automatic
filtering or blacklisting technique currently in use
is able to do. However, some programmers are hoping
that Bayesian filtering strategies will be an
effective solution. A Bayesian filter uses statistics
and probability theory to analyze the entire message
instead of focusing on key terms, and it does not rely
on an artificial scoring system. The user teaches the
filter to recognize spam by classifying emails as
such, while the filter itself extracts rules from
those classifications that enable it to evaluate new
messages. Self-employed software engineer Paul Graham,
who developed a practical open-source deployment of
the Bayesian filter, says the program's accuracy is
boosted because it takes into account not just words
that frequently pop up in spam, but those that do not.
The Bayesian filter was also incorporated into the
MSN8 Internet reader from Microsoft, and will be
included in the upcoming version 11 of Microsoft
Outlook. Steven Curry of EarthLink states that the
elimination of false positives is more likely if
humans are kept within the equation, and advocates an
approach in which people study email first and confirm
if it is spam, adding such recognition to the
filtering protocol. Alternative strategies to
controlling spam, such as anti-spam legislation, are
hampered by the lack of a clear definition over what
constitutes spam, while Jupiter Research analyst Jared
Blank argues, "The true problem is that spam is
effective."
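As an added illustration of the Graham-style Bayesian filter described above (example code written for this page, not Paul Graham's or Microsoft's implementation), the Python below trains on a constructed twelve-message corpus and scores new messages. The corpus, the token regex and the 15-token window are assumptions of the example; the per-token estimator (ham counts doubled to bias against false positives, tokens seen fewer than five times ignored, probabilities clamped to [0.01, 0.99], unseen tokens given 0.4) follows the published "A Plan for Spam" formulas. It shows the point the article makes: words that are common in legitimate mail ("meeting", "patch") pull a score down as hard as spam words push it up.

```python
"""Graham-style Bayesian spam filter (illustration added for this page).

The training corpus below is constructed for the example; a real
deployment trains on thousands of messages per class.
"""
import math
import re
from collections import Counter

# Tokens: runs of alphanumerics, dollar signs, apostrophes and dashes
# (assumption of this example; lowercasing is a simplification).
TOKEN_RE = re.compile(r"[a-z0-9$'-]+")


def tokenize(text):
    """Return the set of distinct tokens in a message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianFilter:
    def __init__(self):
        self.spam_counts = Counter()   # messages-with-token, spam class
        self.ham_counts = Counter()    # messages-with-token, ham class
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        tokens = tokenize(text)
        if is_spam:
            self.spam_counts.update(tokens)
            self.nspam += 1
        else:
            self.ham_counts.update(tokens)
            self.nham += 1

    def token_prob(self, token):
        """P(spam | token) per Graham's estimator, or None if too rare.

        Ham occurrences are doubled, which biases the filter against
        false positives; tokens with fewer than five (weighted) sightings
        get no probability at all.
        """
        b = self.spam_counts.get(token, 0)
        g = 2 * self.ham_counts.get(token, 0)
        if b + g < 5:
            return None
        b_rate = min(1.0, b / self.nspam) if self.nspam else 0.0
        g_rate = min(1.0, g / self.nham) if self.nham else 0.0
        return max(0.01, min(0.99, b_rate / (g_rate + b_rate)))

    def score(self, text, window=15):
        """Combined spam probability from the most 'interesting' tokens.

        Unknown or too-rare tokens are treated as 0.4 (Graham's value for
        words never seen). The `window` most extreme probabilities are
        combined with the naive-Bayes product rule. An empty message
        has no evidence and scores exactly 0.5.
        """
        probs = []
        for token in tokenize(text):
            p = self.token_prob(token)
            probs.append(0.4 if p is None else p)
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        top = probs[:window]
        # Work in logs so long messages do not underflow to 0/0.
        log_p = sum(math.log(p) for p in top)
        log_q = sum(math.log(1.0 - p) for p in top)
        return 1.0 / (1.0 + math.exp(log_q - log_p))

    def is_spam(self, text, threshold=0.9):
        return self.score(text) > threshold


# Constructed sample corpus (not real mail).
SPAM_CORPUS = [
    "FREE viagra!!! Click here for the best offer, buy now and save $$$",
    "Buy cheap viagra online, FREE shipping offer, click here now",
    "Limited offer: FREE money, click here, buy now, act now",
    "Your FREE prize awaits, click here to claim your offer now",
    "Cheap meds, viagra, FREE trial, buy now, click here",
    "Best offer ever: click here, FREE bonus, buy cheap now",
]
HAM_CORPUS = [
    "Reminder: team meeting at 10am, please review the patch schedule",
    "Attached is the quarterly report for review before the meeting",
    "Can you review my patch for the parser bug before the meeting?",
    "Meeting notes and the report are on the shared drive for review",
    "Please patch the staging server and send the report by Friday",
    "The meeting moved to 2pm; review the report and patch list first",
]


def build_filter():
    """Train a filter on the constructed corpus and return it."""
    f = BayesianFilter()
    for msg in SPAM_CORPUS:
        f.train(msg, is_spam=True)
    for msg in HAM_CORPUS:
        f.train(msg, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ["Click here for a FREE offer: buy viagra now",
                "Please review the patch before the meeting"]:
        print(f"{f.score(msg):.6f}  spam={f.is_spam(msg)}  {msg}")
```

Note how "viagra" gets no probability from this tiny corpus (three sightings, below the five-sighting floor) and so contributes only the neutral 0.4, while "the", seen once in spam and in every ham message, lands at 1/7. Those are the two knobs a practitioner tunes against false positives: the rarity floor and the ham-doubling factor.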
From ACM
News, August 25, 2003
"Could Spam One Day End Up Crushed Under Its
Own Weight?" Wall Street Journal (08/25/03)
P. B1; Berman, Dennis K.
- Dennis K. Berman offers a ray of hope to people
frustrated and demoralized by the spread of spam:
Spamming could eventually burn itself out by becoming
a victim of its own proliferation, he muses. Thousands
of people are becoming spammers because operating
costs are virtually nonexistent, an especially
attractive lure in a down economy; another easy road
to profit for spammers is to fool small businesses to
pay for "electronic marketing campaigns." Author
Robert L. Fitzpatrick is confident that an upturn in
the economy will result in the disappearance of casual
spammers as well as the gullible people and businesses
they rely on. Berman adds that many spams are business
propositions without a hope of success, which means
eventual burnout. One of the biggest problems is that
the spam model works, but Berman partly attributes its
success to inexperienced Internet newcomers. He writes
that the continued maturation of the Net population
will dampen spam's power. Berman insists that spam
could be hobbled even further through a broad
educational campaign as well as "downright social
coercion" to stop supporting spammers. He suggests
that the companies losing money while they struggle to
control spam could help sponsor an anti-spam
public-service campaign. Berman recommends that
everyone follow a strategy to curb spam by refusing to
buy products through spam advertisements; never
clicking on a Web link contained in spam; and never
posting their email addresses on public Web pages.
"Spam Wars" Technology Review
(08/03) Vol. 106, No. 6, P. 32; Schwartz, Evan
I.
- The Internet is plagued with over 13 billion spam
emails each day, and Ferris Research estimates that
spam will add up to $10 billion in lost U.S.
productivity this year, while Microsoft Research
analyst David Heckerman predicts that spam could
account for 90 percent of all email in a short time.
There are three combat tactics against spam: Spam
blockers and filters, anti-spam legislation, and a
dramatic reworking of basic email and Internet
operations; the most effective strategy may be found
in concurrently employing all of these solutions.
Critical to any spam filter's effectiveness is its
filtration and false-positive rates, which vary among
popular filters such as Brightmail, heuristic filters
such as SpamKiller, and Bayesian-model-based filters.
However, some people note that more effective filters
only encourage spammers to send even more spam, as
well as tweak spam to appear more "friendly."
EarthLink's Mark Petrovic argues that curbing spam
will "require a cooperative solution to augment the
basic way email works." Examples of this type of
solution include IP address books listing companies
determined to be spammers or associated with spamming
(black lists), address books listing parties who are
authorized to send email (white lists), a proposed
email tax designed to cripple the medium's use to
spammers, and special license codes distributed by
email providers in return for royalties; key to
deploying such measures is making future email
traceable by fundamentally changing the Simple Mail
Transfer Protocol (SMTP). Thus far, legal recourse in
both the United States and Europe has done little to
dam the flood of spam: A pan-European law upholding
opt-in licenses was passed, but most spammers operate
in the United States, where the law has no
jurisdiction. Meanwhile, recent U.S. opt-in anti-spam
legislation has died in Congress, while other bills
have stalled because legislators cannot agree on
whether a federal spam ban would be effective, or even
appropriate. http://www.technologyreview.com/articles/schwartz0703.asp
From ACM
News, August 22, 2003
"Record Computer Infections Slow U.S., Private
Work" Washington Post (08/22/03) P. E1;
Duhigg, Charles; Krebs, Brian
- Computer viruses that have proliferated at record
rates over the past 10 days appear to be tapering off
slightly, according to security firms such as
MessageLabs. However, this news hardly breeds optimism
for federal agencies--the Small Business
Administration, the Department of Commerce, and the
FCC among them--reporting productivity and operational
slowdowns, computer outages, and unprecedented numbers
of infected emails attributed to worms such as
Sobig.F, Blaster, and Welchia, whose global reach
encompasses at least 1 million residential, business,
and government computers. Department of Commerce CIO
Tom Pyke says that his department's virus-defense
systems intercepted 40,000 Sobig.F-laden messages
before Commerce computers were compromised on Aug. 21,
and between 500 and 750 emails are being quarantined
every hour. Though the damage caused by these viruses
is repairable, computer experts say the worms could
easily be programmed for more malevolent tasks, and
are worried about the next epidemic. Sallie McDonald
of the Homeland Security Department notes that both
her agency and Microsoft warned in July of the Windows
vulnerability the viruses are exploiting, but
the record spread of the worms is a clear indication
that few people took advantage of the warning, or the
patch that was issued. She adds, "If industries and
agencies don't start regulating themselves, Congress
may put in legislative requirements." Click
Here to View Full Article
"Strong Attackers, Weak
Software" Washington Post (08/21/03) P. E1;
Duhigg, Charles
- Computer security experts posit that the recent
upswing in fast-spreading virus epidemics is the apex
of a long-gestating trend as the skills and daring of
virus programmers increased, while the quality of
software security decreased. A rise in virus activity
at this time of year is often attributed to college
students on summer break who are out to make a name
for themselves, but Ken Dunham of iDefense says the
motivation of virus authors is changing: No longer
content with notoriety, some programmers are writing
malicious code to be used for ID theft, financial
scams, or to make political statements. MessageLabs
CTO Mark Sunner thinks that profit may be one of the
motives behind the Sobig.F worm, which installs a
Trojan horse program that spammers could use to
distribute their spam from infected machines. Fred B.
Schneider of Cornell University's Information
Assurance Institute warns that even more insidious
viruses may be on the horizon. "There's nothing
stopping someone from taking Blaster or Sobig.F and
making it delete all your files or change software on
your computer so it no longer works," he explains. But
even more helpful to virus writers is the prevalence
of poorly designed software, which results from a lack
of thorough testing and vendors' eagerness to add
bells and whistles. But though companies such as
Microsoft hope to address this problem by slowing down
software development, there is a trade-off: Schneider
observes that more secure software is harder to use.
Analysts also note that building more security into
software could add to consumer costs, and slow the
pace of technological innovation. Technology adviser
David Sklar predicts that, should a "software
Chernobyl" take place, "We'll start putting up more
walls, and thinking that computers should have the
same level of reliability we demand from food or cars
or fire-retardant pajamas." Click
Here to View Full Article
"Spam Technology Seeks
Acceptance" TechNewsWorld (08/15/03);
Fontana, John
- Sieve, a proposed IETF standard filtering
technology designed to organize email and mitigate
message overload, is being tapped by vendors such as
Brightmail and ActiveState as a tool that enables
customers to write personalized spam filters. Sieve
author Tim Showalter explains, "Email overload has not
been the result of receiving too much legitimate
email. It has been because of spam." Nevertheless, he
is surprised that some vendors altered Sieve for use
with their anti-spam engines. Vircom, for example,
employs Sieve as the cornerstone of its ModusSieve
product, and the company reports that it has devised
13,000 lines of Sieve scripts that are updated 24-7
and enhanced by scripts from clients who have
organized into the Vircom Anti-Spam Coalition. "We can
quickly modify scripts to react to spammers and share
those scripts throughout the coalition," notes
ModusSieve product manager Daniel Roy. Rockliffe has
deployed Sieve in the Web-mail interface of its
MailSite Express messaging server, and Sieve will be
included in an upcoming Rockliffe anti-spam filtering
product featuring a policy editor extracted from
ActiveState's PureMessage anti-spam software. The
policy editor boasts a GUI interface designed to make
Sieve scripting easier for users. Brightmail CTO Ken
Schneider says that Sieve is not a core ingredient of
the company's anti-spam engine, but is used to address
more site- or platform-specific problems. http://www.technewsworld.com/perl/story/31350.html
From ACM
News, August 20, 2003
"Head of FTC Opposes Bills To Curb
Spam" Washington Post (08/20/03) P. E1;
Krim, Jonathan
- In a speech to attendees at a yearly
technology-policy forum in Colorado, FTC chief Timothy
J. Muris sharply criticized a number of anti-spam
measures currently being debated in Congress,
describing them as "largely ineffective." He placed
special emphasis on Sen. Charles E. Schumer's (D-N.Y.)
proposal for establishing a do-not-spam registry, and
argued that enforcing such a registry would be futile
because the most notorious spammers conceal their
identities. Schumer declared, "A do-not-spam list
isn't going to solve all the problems with spam, but
it's the most broad-based and aggressive approach we
know." Thus far, a Senate committee has passed one of
the bills Muris finds fault with, a proposal from
Sens. Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.)
advocating an increase in penalties for deceptive or
fraudulent spammers. Muris also harbors strong doubts
about the anti-spam community's desire that no
consumers should receive any unsolicited commercial
email unless they specifically request it. ISPs and
marketing companies prefer an opt-out policy in which
consumers receive commercial email unless they request
not to. Muris said that it is impossible to determine
if most consumers would favor an opt-in or opt-out
system, meaning proposals including such ideas are
inappropriate for anti-spam legislation. Bills that
companies favor also fell under Muris' scrutiny. He
contended that the language in some of the proposals
would blunt the FTC's ability to guarantee that
marketers conform to consumers' requests to opt out.
Such bills, he claimed, would make it the commission's
responsibility to prove that companies using
third-party marketing firms to distribute email ads
were aware that consumer opt-out requests were being
disregarded. Click
Here to View Full Article
"Grappling With Virus Invasion" Wired
News (08/20/03); Delio, Michelle
- Security experts such as Sophos' Chris Belthoff
speculate that the rapid spread of the Blaster worm
has inspired other virus authors to wreak havoc on the
Internet by unleashing their own malicious code, as
evidenced by recent outbreaks. Analysts contend that
the opportunity for hacker mischief has only been
amplified by carelessly written Microsoft code and end
users' slowness to patch their vulnerable systems. The
experts concur that the only effective strategy for
curbing these computer epidemics is to develop better
applications, institute more ethical behavior, and
boost threat awareness through education. The most
critical step, they argue, is for Microsoft to
dramatically improve the security of its applications
and operating systems, while Microsoft recently
advised users in newspaper ads to bolster their PC
protection with regular patching, firewalls, and
antivirus software. Microsoft security program manager
Stephen Toulouse admits that his company must "do a
better job of educating and informing our users and
delivering patches to them." However, security experts
note that Microsoft has created a climate of distrust
among users, which is why most are unlikely to accept
automatic patch updates. Virus researcher George Smith
considers antivirus companies' strategy of
continuously advising users to update their security
themselves to be pointless, arguing, "People who are
not susceptible to viruses and worms don't need the
advice and those who are susceptible just aren't
reachable." Meanwhile, security researcher Robert
Ferrell doubts that security issues will fully
disappear, given people's creativity and the fact that
morality and ethics will never be observed equally.
Still, he believes a secure Internet is a reachable
goal if the worldwide online community can unite to
solve the security problem. Click
Here to View Full Article
"Are You a Good or a Bad Worm?" Wired
News (08/19/03); Delio, Michelle
- Machines affected by the recently released
MSBlaster worm are being cured and patched by a
variant, AntiMSBlaster, but although many computer
users welcome this development, experts warn that
there is no reason to think the new worm is
benevolent. "Some may call this a good worm, but it
can cause all sorts of problems when patches are
applied to a computer unbeknownst to the administrator
of a network or the owner of that computer," notes
iDefense's Ken Dunham, who adds that AntiMSBlaster
could install back doors that leave computers
vulnerable to future hacker intrusions. AntiMSBlaster
and MSBlaster share a similar modus operandi: Both
enter systems via a network connection rather than as
an email attachment, and only Windows 2000 and Windows
XP machines that have not been patched for the RPC
DCOM buffer overflow security vulnerability are
susceptible. MSBlaster was designed to exploit
contaminated computers to launch a denial-of-service
attack against Microsoft's Windows Update Web site on
Aug. 16, but Microsoft was able to fend off the attack
by removing the windowsupdate.com domain name, which
was specified in the worm's code. MSBlaster is
relatively easy to purge, leaving some security
experts curious as to why users seem incapable of
fixing their own computers. However, certain users
bemoaned the lack of any clear-cut information about
removing the worm. "These virus and worm removal
advice I see are obviously written by nerds for
nerds," says user Paul Pacifico. Systems administrator
Mike Fergamo admits that Microsoft needs to find a
more effective way of notifying users of security
flaws and distributing patches. Click
Here to View Full Article
"Patching Becomes a Major Resource Drain for
Companies" Computerworld (08/18/03);
Vijayan, Jaikumar
- Keeping computer systems secure against worms and
viruses through regular software patching is putting a
strain on companies' limited resources. Banner Health
System security analyst Dave Jahne warns, "The thing
about patching is that it is so darn reactive. And
that can kill you." Art Manion of Carnegie Mellon
University's CERT Coordination Center notes that
larger and more expansive companies have the added
burden of testing each new patch prior to deployment.
Testing is important because patches do not always
work properly and can interfere with the applications
they are supposed to safeguard, according to
TippingPoint Technologies CTO Marc Willebeek-LeMair.
Ramping up patch testing and implementation is vital
as virus proliferation is accelerating, argues
Arlington County, Va., infrastructure technologies
director Vivek Kundra. He explains that his county can
no longer afford to spend three or four days to fully
patch its networks; the job should be done in a matter
of hours, if not minutes. Possible solutions Arlington
County is investigating include handing the patch
management process over to an outsourcer and adopting
a more automated patch testing and deployment
procedure. "There will be times when you may need to
make a judgment call balancing risk, appropriate
testing [and] mitigating factors," explains Online
Resources security officer Hugh McArthur. Meanwhile,
Tessenderlo Kerle CIO Bruce Blitch maintains that
software patching is still the best strategy for
companies, for lack of a way to guarantee absolute
code security. Click
Here to View Full Article
"Profile of the Superworm: SoBig.E
Exposed" TechNewsWorld (08/13/03); Germain,
Jack M.
- Internet security experts say that the SoBig.E
variant poses a serious long-term threat to the
Internet because it has opened up so many computers to
hackers. SoBig.E, which is primarily spread via shared
files on corporate networks and secondarily through
email, opens a large back door on infected machines
and contains a built-in maintenance channel where the
hacker can update code. Cable & Wireless chief
security officer William Hancock says SoBig.E is the
first worm to exploit hacking technology to deploy
spam tools en masse. The maintenance channel poses an
extra threat in that other hackers could
reverse-engineer the code to create their own SoBig
variants. To date, each version up to SoBig.E has been
timed out by the worm's author and followed up by
another version, but so far, SoBig.F has not appeared.
Once the worm has been written to a network user's
startup folder (possible only where write access has
been left open) or has been opened from a ZIP email
attachment, SoBig.E sends itself to all contacts in
the user's address book as well as to all email
addresses stored in other documents on the computer.
In the email mode, the live
part of the virus is called details.pif, but copies
itself into winssk32.exe once opened and creates a
MSRRF.DAT file some analysts say is a foothold for
remote control. Hancock estimates that SoBig.E will
increase the amount of spam sent over the Internet by
a factor of 10 because of the number of
unsophisticated victims whose computers have been
hijacked. http://www.technewsworld.com/perl/story/31321.html
"Patching Things Up" CIO (08/01/03)
Vol. 16, No. 20, P. 79; Violino, Bob
- The growing number of software patches released
every year is threatening to become a costly
administrative nightmare for companies, which are
turning to automated patch management products to ease
the process--but these tools can only work in tandem
with an organizational effort to bring computing
environments under control. Patch management products
are designed to search for and study new patches,
check network-connected devices for security holes,
and implement the appropriate fixes; expected benefits
include less downtime due to software failures,
reduced vulnerability to hack attacks, and lower costs
than manually deploying patches. However, customers
are often forced to buy multiple products to cover all
software and systems, for lack of a one-size-fits-all
patch management tool. Paccar CIO Patrick Flynn notes
that coupling patch tools to existing software can be
difficult, and advises companies to employ a patch
management software supervisor to guard against
inefficiencies. To stabilize computing environments
and boost patch management software's effectiveness,
Forrester Research analyst Laura Koetzle recommends
that enterprises standardize on a handful of
configurations. Some companies, Qualcomm
being one, are attempting to spur vendors into
streamlining patch management. "We're pushing Oracle
to simplify the patching process and either help us
provide a better patch solution or adopt [technology
from a vendor] like Kintana as a standard," explains
Qualcomm's Tom Fisher, who emphasizes the importance
of logs that track patch distribution status. "Give me
a log that tells me [the status of a patch
distribution], so I know that it only happened on this
machine, and I don't have to worry about the 18 other
machines I pushed to today," he says. http://www.cio.com/archive/080103/et_article.html
From ACM
News, August 11, 2003
"Should E-mail Still Be
Free?" Technology Review (08/06/03); Shein,
Barry; Crocker, Dave
- In response to Vipul Prakash's observations and
suggestions about spam control, Barry Shein finds
fault with his position that there should be no
per-message charging for email. Shein writes, "charges
should be incurred to help pay for the resources being
used and to inject some reality into decision-making
about that usage," adding that a combination of
statistical sampling and reasonable business
relationships can help iron out hard usage problems
that traditional network resource accounting is not
equipped to handle. Shein notes that credible
businesspeople realize how spam is hurting email, and
believes that they could be persuaded to accept paying
usage fees, provided the fee system is fair. Dave
Crocker counters Shein's argument, claiming that
usage-based charging would entail "astronomical"
intrinsic costs, while setting up such a system would
be a huge undertaking. Crocker reiterates Prakash's
conclusion that the spam dialogue is overlooking three
major issues: Every spam control solution is
inherently limited and is not an end-all panacea for
the spread of junk email; anti-spam mechanisms are
likely to be more effective when combined; and email
has accrued key features in the past three decades
that people do not wish to give up. Crocker recommends
caution, lest any changes to the email model,
ostensibly to control spam, devalue Internet
messaging. http://www.technologyreview.com/articles/dialog0703.asp
From ACM
News, July 2, 2003
"Multiple Attack Only Hope in Spam
Battle" New Scientist (07/01/03); Knight,
Will
- The problem of rapidly growing spam can only be
defeated through a multi-pronged strategy, one that
combines new technology, new legislation, and user
awareness, according to speakers at Britain's
first-ever "spam summit" on July 1. U.K. e-commerce
minister Stephen Timms told attendees that legislation
alone is not a panacea for spam, but technical experts
noted that new laws are still an important ingredient
of an effective anti-spam approach. Steve Linford of
spam-tracking organization Spamhaus warned that
proposed American legislation--specifically the Reduce
Spam Act and the Can Spam Act--would backfire and
generate a huge surge in spamming. The bills would
require users to opt out of receiving unsolicited
commercial email; the European Union, by contrast,
passed a law requiring bulk emailers to get
recipients' permission before sending them spam, a
policy known as opt-in. Linford argued that spam would
be legitimized by the passage of an opt-out law, and
give some 23 million small businesses the legal right
to send spam. Linford also stressed the importance of
international cooperation, because many spammers are
based outside the countries where recipients live, and
more will probably relocate if threatened by
prosecution. Technological measures such as spam
filtering can slow spam's progress, but cannot halt
it: No filter can identify spam with 100 percent
accuracy, while spammers are fiercely dedicated to
subverting every new anti-spam technology. Piper
Marbury Rudnick & Wolfe's Jim Halpert warned that
spammers are becoming more crafty, using
computer-hijacking Trojans and viruses to distribute
their wares. Click
Here to View Full Article