Saturday, July 10, 2004

SEC: [INFOCON] Security In The News - July 8, 2004

Security In The News


This report is also available on the Internet at

Terrorists Rely on Tech Tools:
PC World, 7/7/04

Feds Drag Feet on Cybersecurity:
PC World, 7/8/04

Officials bolster security, but not threat warning:
Government Executive, 7/8/04
Also - CNN, 7/8/04

HSIN starts five months early:
Federal Computer Week, 7/8/04

Home PCs Rented Out in Sabotage-For-Hire Racket:

U.S. wins appeal against alleged pirate:
C-Net News, 7/8/04
Also - The Register, 7/8/04

Spanish police: beware of lottery scam:
Computer Crime Research, 7/5/04

Phishing Attacks Linked To Organized Crime:
Security Pipeline, 7/7/04

Former Alta Vista employee arrested on hacking charges:
Duluth News Tribune (AP), 7/2/04

Court refuses to lift California e-voting restrictions:
C-Net News, 7/7/04
Also - Computerworld, 7/7/04
Also - Government Computer News, 7/7/04
Also - The Register, 7/8/04

Panelists push agencies to boost funding for IT research:
Government Executive, 7/7/04

Lawmakers Seek to Limit States on Internet Calls:
Also - Siliconvalley (AP), 7/7/04
Also - Wired News, 7/8/04

Libraries to comply with antiporn law or lose federal funding:

Old-school worm loves Windows applications:
ZDNet News, 7/7/04
Also - Computer Weekly, 7/5/04

Password-stealing Trojan cut off at source:
ZDNet News, 7/7/04

Spanish Zombie PC virus author jailed:
The Register, 7/5/04

'Evaman virus not a major threat':
Sydney Morning Herald, 7/6/04
Also - ZDNet News, 7/5/04

Microsoft, biometrics firm to tackle homeland security:
ZDNet (Reuters), 7/7/04

Lax data security seen at many Japanese companies:

E-mail glitch exposes private data in California:

Security Failures Threaten Online Shopping:
Channel minds, 7/8/04

Web app vulnerabilities on the rise:

NIST offers technical guidance for e-authentication:
Government Computer News, 7/6/04
Also - Federal Computer Week, 7/7/04

Security spending rises, as do risks:

'Phonics' Co. Settles Privacy Complaint:
Washington Post (AP), 7/7/04
Also - Computerworld, 7/7/04
Also - MSNBC, 7/7/04

Postini: Half of all e-mail requests rejected:

Homeland Security & Infrastructure Protection

Title: Terrorists Rely on Tech Tools
Source: PC World
Date Written: July 7, 2004
Date Collected: July 8, 2004
Speaking at the New American Foundation in Washington, DC, on July 7, 2004, Gabriel Weimann of the University of Haifa in Israel, said that terrorists are increasingly using the Internet to spread propaganda, recruit new members and raise money for future attacks. According to Mr. Weimann, the number of terrorist websites has grown by 571% since 1997, and terrorist groups such as Al Qaeda are increasingly putting training material, terrorist manuals and recruitment information online, in part to appeal to a new generation of potential terrorists. It is sometimes questioned why so few terrorist sites are taken offline - a possible answer may be that Western intelligence agencies are using the sites to gather information on terrorist plans and strategies. As terrorists' knowledge of the Internet and other technologies matures, the threat of cyberterrorism will grow.


Title: Feds Drag Feet on Cybersecurity
Source: PC World
Date Written: July 8, 2004
Date Collected: July 8, 2004
Some of the business representatives that took part in a major national effort to improve the state of cyber security are concerned that the US Department of Homeland Security (DHS) is taking too long to respond to security recommendations. In December 2003, DHS and several industry groups hosted a cyber security summit. At the summit, five task forces, comprised of representatives from industry, academia and government, were set up - the task forces issued reports with security recommendations in various areas in March 2004. However, "there has been a 'pregnant pause' waiting for a response," according to Rick White, CEO of TechNet. The task forces made numerous recommendations relating to cyber security standards and best practices, software security and security management, but DHS has, so far, failed to provide industry with security priorities or benchmarks based on the recommendations.


Title: Officials bolster security, but not threat warning
Source: Government Executive
Date Written: July 8, 2004
Date Collected: July 8, 2004
On July 7, 2004, FBI Director Robert Mueller and Homeland Security Department Undersecretary Asa Hutchinson briefed members of the US House of Representatives on current terrorist threats and ongoing security measures ahead of the political conventions in Boston at the end of July and New York City in late August and early September, 2004. Although intelligence reports indicate that terrorists continue to pose a serious threat to the US and are plotting attacks, there is currently no need to raise the terrorist threat level, according to Ms. Hutchinson. On July 8, 2004, Homeland Security Secretary Tom Ridge confirmed that Al Qaeda may be planning a "large-scale attack on the United States in an effort to disrupt the democratic process". However, he added that no specific information concerning the possible time, place or method of the attack was available.

Also - http://www.cnn.com/2004/US/07/08/ridge.alqaeda/index.html

Title: HSIN starts five months early
Source: Federal Computer Week
Date Written: July 8, 2004
Date Collected: July 8, 2004
At a press conference in Washington, DC, on July 8, 2004, Homeland Security Secretary Tom Ridge announced that the Homeland Security Information Network (HSIN) is up and running five months ahead of schedule. HSIN is an unclassified network that connects the Homeland Security Operations Center with homeland security officials, law enforcement and first responders in all 50 states and major urban areas. The network will be used to distribute homeland security and terrorist information, intelligence and alerts to officials in real-time. Further, a pilot program is underway to link critical infrastructure owners and operators and other commercial entities in four cities to HSIN.



Title: Home PCs Rented Out in Sabotage-For-Hire Racket
Source: Reuters
Date Written: July 7, 2004
Date Collected: July 8, 2004
Police and security experts are increasingly concerned about botnets - networks of 'zombie' PCs that have been taken over by cyber attackers - that are being rented out to the highest bidder on the Internet and then being used for spamming, fraud and denial of service (DoS) attacks. According to a source in the UK's Scotland Yard computer crime unit: "Small groups of young people creating a resource out of a 10-30,000-strong computer network are renting them out to anybody who has the money." Security experts believe that teenage hackers play a leading role in setting up botnets, but criminal groups in Eastern Europe or elsewhere may be pulling the strings behind the scenes. Such botnets can be rented for anything from $100 per hour to thousands of dollars. There is little individuals or organizations can do to protect themselves against an attack from one of these massive networks of hijacked machines.


Title: U.S. wins appeal against alleged pirate
Source: C-Net News
Date Written: July 8, 2004
Date Collected: July 8, 2004
US authorities have won the latest round of the legal battle to extradite Hew Raymond Griffiths, a suspected leader of the software piracy group DrinkorDie, from Australia to face charges of conspiracy to commit criminal copyright infringement and copyright infringement in the US. Mr. Griffiths was indicted in the US in 2003, but his lawyer does not understand why he should not be tried in Australia, his country of residence. If successfully prosecuted in the US, Mr. Griffiths could face up to ten years in prison and a fine of up to $500,000, while the maximum sentence under Australian copyright laws would be five years in prison. The US Attorney's Office launched a major offensive against DrinkorDie in 2001. It alleges that the group "copied and distributed more than $50 million worth of pirated software, movies, games and music."

Also - http://www.theregister.co.uk/2004/07/08/drinkordie_suspect_remanded_again

Title: Spanish police: beware of lottery scam
Source: Computer Crime Research
Date Written: July 5, 2004
Date Collected: July 8, 2004
Spanish police are investigating a global Internet lottery scam that has conned unsuspecting victims out of thousands of euros. Authorities believe that criminal groups, most likely based in Madrid, Spain, are behind the scam. Internet users are notified that they have won a large prize in the National Spanish lottery, but are then required to pay thousands of euros in advance fees for paperwork and taxes. Not surprisingly, the 'winnings' are never paid out. Ki Hon Li of South Korea lost more than $50,000 in the scam.


Title: Phishing Attacks Linked To Organized Crime
Source: Security Pipeline
Date Written: July 7, 2004
Date Collected: July 8, 2004
US federal and state law enforcement agencies, including the Federal Bureau of Investigation (FBI) and the US Secret Service, are finding ties between online phishing scams and organized crime groups, mainly in the former Soviet bloc and Asia. Phishing scams involve sending out e-mails purporting to be from respected online businesses in an attempt to harvest personal and financial information. John Curran, supervisory special agent with the FBI's Internet Crime Complaint Center, says that while "a broad array of criminals...ranging from teenagers to grandmothers" are involved in phishing scams, organized crime groups are playing an increasing role. Such scams are facilitated by a network of hacker websites that sell phishing starter kits.


Title: Former Alta Vista employee arrested on hacking charges
Source: Duluth News Tribune (AP)
Date Written: July 2, 2004
Date Collected: July 8, 2004
According to a statement from the US Attorney's office, 31-year old Laurent Chavet of Kirkland, Washington, was arrested in a Seattle suburb on July 2, 2004 for allegedly hacking into his ex-employer's computer network and causing damage in 2002. Mr. Chavet, who used to work for search engine company Alta Vista, has been charged with one count of unauthorized access to a protected computer and one count of reckless damage to a protected computer and, if convicted, could face up to ten years in prison and a $500,000 fine. He has been released on bail and is scheduled to be arraigned in San Francisco on July 20, 2004.



Title: Court refuses to lift California e-voting restrictions
Source: C-Net News
Date Written: July 7, 2004
Date Collected: July 8, 2004
On July 6, 2004, federal judge Florence-Marie Cooper upheld an April 2004 directive by California Secretary of State Kevin Shelley that "decertified touch-screen voting machines and withheld future certification until vendors of those systems could meet specific security requirements, including voter-verifiable paper audit trails (VVPAT)." The directive had been challenged in court by four California counties (Riverside, San Bernardino, Kern and Plumas), as well as the American Association of People with Disabilities. Judge Cooper supported Mr. Shelley's decision to decertify voting machines, calling it rational and "designed to protect the voting rights of the state's citizens". Five other California counties have already reached agreement with Mr. Shelley and have had their voting machines recertified. With millions of Americans expected to cast their votes electronically in this year's presidential election, grave concerns about the security and reliability of electronic voting systems around the country have been raised by election officials and security experts.

Also - http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,94372,00.html

Also - http://www.gcn.com/vol1_no1/daily-updates/26515-1.html

Also - http://www.theregister.co.uk/2004/07/08/getting_e-voting_security_right

Title: Panelists push agencies to boost funding for IT research
Source: Government Executive
Date Written: July 7, 2004
Date Collected: July 8, 2004
On July 7, 2004, technology and policy experts testified before a House Government Reform subcommittee on the US government's information technology (IT) research and development (R&D) efforts. According to Edward Lazowska, many major IT breakthroughs are the result of long-term government investment into basic research. However, recently, the government has not spent enough on IT R&D, especially in the area of cyber security, as evidenced by the fact that the Department of Homeland Security (DHS) is only using 2% of its $1 billion budget for R&D on cyber security to protect critical national infrastructures. However, other government entities, such as the National Institute of Standards and Technology (NIST) and the Department of Defense (DoD), are also conducting extensive IT and cyber security R&D, and the Bush administration's proposed budget for the next fiscal year allocates $2 billion for the National Coordination Office for Information Technology Research and Development program, which coordinates R&D activities across the federal government, academia and the private sector.


Title: Lawmakers Seek to Limit States on Internet Calls
Source: Reuters
Date Written: July 7, 2004
Date Collected: July 8, 2004
On July 7, 2004, lawmakers on the House Energy and Commerce Committee heard arguments for and against regulating the growing Internet telephony market and voice-over-Internet protocol (VoIP) technologies. Representatives from Internet voice providers, such as Vonage Holdings Corp., warned that a patchwork of strict state and federal regulations could be complex and could stifle innovation and growth in the industry. Republicans on the committee and at the Federal Communications Commission (FCC) appear to share the view that VoIP regulations should be light, but some Democrats believe regulations will be necessary, particularly those "which pertain to universal service, access, emergency services, law enforcement, and individuals with disabilities," according to John Dingell, the ranking Democrat on the committee. Legislation was introduced on July 6, 2004 that would classify VoIP as an interstate service, placing it under federal regulatory jurisdiction.

Also - http://www.siliconvalley.com/mld/siliconvalley/9099737.htm

Also - http://www.wired.com/news/politics/0,1283,64131,00.html

Title: Libraries to comply with antiporn law or lose federal funding
Source: SearchSecurity
Date Written: July 8, 2004
Date Collected: July 8, 2004
The Children's Internet Protection Act (CIPA) took effect on July 1, 2004. The law will force public libraries to implement Internet filtering to prevent children from viewing pornography or other harmful content on library PCs or face the loss of government technology funding in the form of E-Rate technology discounts. School administrators didn't join a legal challenge by the American Library Association against the law, so many are already adhering to the CIPA's requirements. Experience at schools, captured by a recent survey sponsored by Internet and e-mail filter maker St. Bernard Software Inc., has shown that online filters are imperfect and implementing and managing them can be costly and complicated.



Title: Old-school worm loves Windows applications
Source: ZDNet News
Date Written: July 7, 2004
Date Collected: July 8, 2004
Anti-virus companies have discovered three new variants of the Lovegate Internet worm (Lovgate.AD, Lovgate.AE and Lovgate.AH) this week. Like earlier versions of the worm, the new Lovegate variants spread via e-mail and network file-sharing and by exploiting an old Microsoft Windows vulnerability. The latest variants have been classified as medium risk by McAfee because they use the old, but dangerous, tactic of overwriting executable files on the local hard drive with copies of themselves. This is dangerous because it could lead to the destruction of a large number of executable files on an infected computer.

Also - http://www.computerweekly.com/articles/article.asp?liArticleID=131726

Title: Password-stealing Trojan cut off at source
Source: ZDNet News
Date Written: July 7, 2004
Date Collected: July 8, 2004
According to security firm Symantec, the threat posed by a new password-stealing Trojan, dubbed PWSteal.Refest, has been contained by shutting down the site where stolen information was being sent. The Trojan, which was discovered last week, logged keystrokes and passwords of users of infected machines. PWSteal installed itself through a pop-up advertisement when users logged onto the websites of any one of nearly 50 financial institutions by exploiting a vulnerability in Microsoft's Internet Explorer (IE) web browser. Symantec has not received any reports of information theft from its Asian customers, according to Tim Hartman, Symantec Asia-Pacific's senior technical director.


Title: Spanish Zombie PC virus author jailed
Source: The Register
Date Written: July 5, 2004
Date Collected: July 8, 2004
Valencia Crown Court has sentenced a Spanish man, 26-year old Óscar López Hinarejos, to two years in prison and ordered him to pay compensation to his victims for writing the Cabronator Trojan. Mr. López Hinarejos is the first virus writer to be jailed in Spain. He was arrested by the Spanish Civil Guard in April 2003. The Trojan infected 100,000 computers, turning them into 'zombies' as part of an attack network of infected PCs. Hackers also used Cabronator to collect personal information from infected machines.


Title: 'Evaman virus not a major threat'
Source: Sydney Morning Herald
Date Written: July 6, 2004
Date Collected: July 8, 2004
The Evaman Internet virus, discovered by anti-virus companies over the July 4, 2004 weekend, does not appear to be a major threat. On July 5, 2004, security firm Symantec classified Evaman as a 'category two threat' on a scale that goes up to category five for major outbreaks. The worm is spreading more slowly than had initially been expected. Evaman has been linked to the MyDoom worm that caused extensive damage and disruption in January 2004. Evaman arrives as an e-mail attachment and comes with subject headings like 'failed transaction' and 'failure delivery'. Users are urged not to open suspicious e-mail attachments and to upgrade their anti-virus software.

Also - http://news.zdnet.co.uk/internet/0,39020369,39159581,00.htm


Title: Microsoft, biometrics firm to tackle homeland security
Source: ZDNet (Reuters)
Date Written: July 7, 2004
Date Collected: July 8, 2004
Security software firm Saflink, maker of biometric security software for fingerprint readers and other access control technologies, on July 7, 2004, announced a partnership with software giant Microsoft Corp. to develop security solutions for the US Department of Homeland Security. The idea is to combine Saflink's software with Microsoft's business software, a move that should allow Saflink to get more government contracts. Commenting on the partnership, Mark Belk, Microsoft's chief architect for homeland security software, said: "Together, we provide a compelling solution for Homeland Security programs involving biometrics, smart cards, tamper-proof identities and physical security controls."


Vulnerabilities & Exploits

Title: Lax data security seen at many Japanese companies
Source: Computerworld
Date Written: July 7, 2004
Date Collected: July 8, 2004
A survey contained in the Japanese government's annual White Paper on Information and Communications in Japan, which was published by the Ministry of Public Management, Home Affairs, Posts and Telecommunications (MPHPT) on July 6, 2004, shows that measures taken to protect the privacy and security of personal data stored on computers are inadequate or lacking completely in many organizations. According to the survey, based on responses from about 900 companies and public organizations, almost 42% of organizations have no special technical security measures in place to protect data, while only 5% encrypt data in storage and transit and a mere 1.1% use an intrusion detection system for databases holding personal information. Results in the area of organizational security measures are equally troubling, with 37.2% of companies having no special measures in place. There have been repeated reports in recent years about large-scale data security problems at Japanese companies and government agencies.


Title: E-mail glitch exposes private data in California
Source: Computerworld
Date Written: July 6, 2004
Date Collected: July 8, 2004
California's Contra Costa County is launching an investigation after it became known that hundreds of internal e-mails containing sensitive personal information about county Superior Court commissioners and other workers were sent to a Swedish company over a two-year period. The county's CIO (chief information officer) Tom Whittington says a preliminary investigation has revealed that the problem was not caused by a computer virus or another form of cyber attack, but by some county employees using erroneous e-mail address books. Although counties and cities are exempt from SB 1386, California's landmark identity-theft law, some experts believe that Contra Costa County may be required to notify those affected of the security breach.


Title: Security Failures Threaten Online Shopping
Source: Channel minds
Date Written: July 8, 2004
Date Collected: July 8, 2004
A survey by LogicaCMG reveals that over one million UK consumers have experienced "an attempted or actual theft of financial or personal details" whilst carrying out online transactions, such as banking and shopping. According to the study, these security breaches have had real-world consequences for online businesses as 24% of affected consumers decided to switch to an alternative online brand, while 23% decided never to do business with the company again. It appears that online security is the most important issue for a majority of UK consumers (73%) when conducting transactions on the Internet. Companies that allow security breaches to occur could face serious revenue losses and a loss of business and reputation.


Title: Web app vulnerabilities on the rise
Source: vnunet.com
Date Written: July 7, 2004
Date Collected: July 8, 2004
A study by security firm Imperva on the vulnerability of public and private web applications has found that, despite periodic penetration testing and attempts to fix vulnerabilities, 93% of web applications contain 'high' or 'critical' vulnerabilities. In many cases, new flaws are introduced while trying to close security holes after initial penetration tests have been conducted. Such application flaws leave organizations vulnerable to "web attacks, internal database breaches and worms".


Best Practices & Risk Management

Title: NIST offers technical guidance for e-authentication
Source: Government Computer News
Date Written: July 6, 2004
Date Collected: July 8, 2004
The US National Institute of Standards and Technology (NIST) has released two new special publications dealing with information security. NIST Special Publication 800-63, 'Electronic Authentication Guideline,' released on June 30, 2004, provides technical requirements for agencies using electronic authentication based on four security levels previously defined by the Office of Management and Budget (OMB). The second document, NIST Special Publication 800-27 Revision A, 'Engineering Principles for Information Technology Security,' was released on July 2, 2004 and offers basic information on security guidelines and practices.

Also - http://www.fcw.com/fcw/articles/2004/0705/web-nist-07-07-04.asp

Title: Security spending rises, as do risks
Source: vnunet.com
Date Written: July 8, 2004
Date Collected: July 8, 2004
A major survey of 7,000 technology and security professionals in 40 countries, conducted by Computing and its international sister publications, shows that IT security spending is on the rise across the world, but security threats, such as computer viruses, worms and insider attacks, remain a serious worry. According to the 'Information Security Survey', 59% of North American companies and 57% of businesses in Europe will increase security spending in 2004. However, as the number and cost of cyber attacks continue to increase, security remains a major problem. The survey found that often security practices and policies are inadequate. For instance, 60% of respondents do not provide their employees with security awareness training and many do not have e-mail or web usage guidelines.


Civil & Consumer Issues

Title: 'Phonics' Co. Settles Privacy Complaint
Source: Washington Post (AP)
Date Written: July 7, 2004
Date Collected: July 8, 2004
The US Federal Trade Commission (FTC) announced, on July 7, 2004, that it has reached a settlement with Gateway Learning Corp. of Santa Ana, California, makers of the Hooked on Phonics brand of reading instruction programs, for "alleged unfair and deceptive practices in connection with its rental of customer information to third parties". The company's privacy policy had initially promised not to disclose personal customer information to third parties, but was changed in July 2003 without notifying customers to allow for the sale of personal information to marketers. Under the settlement, Gateway Learning has agreed to pay $4,608, but did not admit to any wrongdoing. "If you collected information from customers under one policy, you can't retroactively apply a new policy to that data unless the customer agrees," said Howard Beales, director of the FTC's bureau of consumer protection.

Also - http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,94369,00.html

Also - http://www.msnbc.msn.com/id/5386195

Title: Postini: Half of all e-mail requests rejected
Source: Computerworld
Date Written: July 8, 2004
Date Collected: July 8, 2004
New figures from California-based anti-spam company Postini Inc. show that only 11% of the 10.75 billion SMTP (Simple Mail Transfer Protocol) connections the company receives each month constitute legitimate e-mail messages. Postini manages e-mail for about 3,300 companies and 5 million e-mail users worldwide. The company is dropping 53% of all e-mail connections without examining the content of messages based on analysis of the behavior of Internet-connected machines that send mail. Such 'suspicious' connections increased from 35% in October 2003 to the current level of 53%. The increase is mainly the result of increased activity from compromised home computers that are being used as spam 'zombies', according to Postini. Of the connections that are accepted, 76% of messages are spam and 1-2% contain viruses. Internet service providers, technology firms and lawmakers have recently examined a variety of legislative, policy and technological solutions to the spam epidemic and progress is being made in all these areas.


The Institute for Security Technology Studies (ISTS) accepts no responsibility for any error or
omissions in this e-mail. The information presented is a compilation of material from various
sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be made
responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss
or damage arising from or in connection with the information contained in this report. It is the
responsibility of the user to evaluate the content and usefulness of this information. References in
this e-mail to any specific commercial products, processes, or services by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by
the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News
e-mail available as a public service on a best-effort basis. Security in the News will be sent out
on most business days, but not all.

Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu

Information is the currency of victory on the battlefield.
GEN Gordon Sullivan, CSA (1993)

INFOCON Mailing List @
IWS - The Information Warfare Site

To subscribe, change your subscription or unsubscribe go to http://www.iwar.org.uk/mailman/listinfo/infocon/

