Thursday, July 01, 2004

SEC: Security In The News - June 30, 2004


Security In The News


This report is also available on the Internet at

European betting sites brace for attack:
The Register, 6/28/04

Latest ID theft victim? A law firm:
MSNBC (AP), 6/28/04

Cyber-loafing boss sacks office spyware detective:
Silicon.com, 6/29/04

Learn computer forensics at Bradford University:
The Register, 6/30/04

FTC mulls bounty system to combat spammers:
MSNBC, 6/30/04

In Wild West of data mining, a new sheriff?:
MSNBC (AP), 6/28/04

Rights Groups Seek E-Vote System Source Code Access:
EWeek.com, 6/29/04; also Federal Computer Week, 6/29/04

Pop-Up Program Snatches Banking Passwords:
EWeek.com, 6/29/04

In Hungary, creator of computer virus given suspended prison sentence:
Security Focus (AP), 6/30/04

There is no anti-spyware silver bullet:
The Register, 6/30/04

GAO: Net-centric war needs better integration:
Federal Computer Week, 6/29/04

NIST aims to ease XP security setup:
Federal Computer Week, 6/29/04

Microsoft haunted by old IE security flaw:
C-Net News, 6/30/04

ISPs avoid royalties for music downloads:
The Globe and Mail, 6/30/04

E-Mail Snooping Ruled Permissible:
Wired News, 6/30/04


Title: European betting sites brace for attack
Source: The Register
Date Written: June 28, 2004
Date Collected: June 30, 2004
German computer magazine c't reports that extortionists may threaten to launch distributed denial of service (DDoS) attacks against online betting sites during the Euro 2004 soccer finals. Popular betting site Betfair estimates that its website will handle over $200 million during the Euro 2004 tournament. Extortionists often demand up to $15,000; DDoS attacks against betting sites, sometimes lasting as long as 16 hours, as in the case of Mybet, can cost far more in lost betting opportunities. Attacks originate from Eastern Europe or Latin America, and leverage armies of zombie computers; some sources believe at least two groups control tens of thousands of such hijacked machines. Some betting sites have gone out of business after such DDoS attacks, or have abandoned websites for phones.


Title: Latest ID theft victim? A law firm
Source: MSNBC (AP)
Date Written: June 28, 2004
Date Collected: June 30, 2004
Paralegal Phoebe Nicholson, 39, has been charged with grand larceny for embezzling nearly $600,000 from law firm Fish & Neave of Manhattan. Ms. Nicholson "basically stole the identity of this law firm", according to Westchester County District Attorney Jeanine Pirro. Ms. Nicholson set up a bank account under the name "Fish Neave", forged her boss's signature on phony bills from the law firm, and persuaded her employer, Honeywell International, to send her the checks for delivery. Ms. Pirro surmises that it was only a matter of time before identity thefts targeted corporations as well as individuals. Ms. Nicholson is being held on $5 million bail, and faces up to fifteen years in prison if convicted.


Title: Cyber-loafing boss sacks office spyware detective
Source: Silicon.com
Date Written: June 29, 2004
Date Collected: June 30, 2004
The Alabama Department of Transportation has fired Vernon Blake for installing WinSpy, a freely available spyware program, on his boss's computer. Mr. Blake was apparently frustrated over the 'cyber-loafing' of his boss, George Dobbs, and used the spyware to prove that Mr. Dobbs spent 70% of his time playing solitaire. Symantec warns that WinSpy can not only monitor computer use, but also log keystrokes, possibly giving Mr. Blake access to sensitive material in violation of the law. Installing spyware on a boss's computer may also violate company policy, and may result in loss of employment. Mr. Dobbs has been given a written warning, reminding him that managers must not "compromise their ability to manage subordinates."


Title: Learn computer forensics at Bradford University
Source: The Register
Date Written: June 30, 2004
Date Collected: June 30, 2004
The United Kingdom's University of Bradford is offering a Master of Science in Forensic Computing, citing the growing demand for computer scientists to investigate cyber crimes. Courses offered range from such technical topics as "Network Protocols" and "Foundations of Cryptography" to such legal subjects as "Crime analysis" and "Crime scene management, courtroom and expert witness skills". The University of Bradford joins such institutions as Cranfield University and the University of Glamorgan in offering a master's degree in computer forensics.


Title: FTC mulls bounty system to combat spammers
Source: MSNBC
Date Written: June 30, 2004
Date Collected: June 30, 2004
The Federal Trade Commission (FTC) is studying the possibility of offering bounties for information leading to the successful prosecution of mass marketing e-mailers who violate the CAN-SPAM Act. The CAN-SPAM Act, which requires spammers to give accurate information in e-mail headers, to label adult content, and to allow consumers to opt out of future spam, also requires the FTC to study the feasibility of a bounty program offering "not less than 20 percent of the total civil penalty collected" to people who first identify spammers who violate the CAN-SPAM Act. The idea of a bounty was popularized by Stanford Law professor Lawrence Lessig. Steve Linford, founder of the antispam group Spamhaus.org, argues that the FTC already has enough information on the identities of spammers, and does not need any more. Louis Mastria, a spokesman for the Direct Mail Association, objects that bounties would promote vigilantism and would probably be ineffective.



Title: In Wild West of data mining, a new sheriff?
Source: MSNBC (AP)
Date Written: June 28, 2004
Date Collected: June 30, 2004
As the US government seeks to leverage data mining technology to search for clues of terrorist activity and government waste, privacy advocates warn that no regulations govern the proper use of the technology. Senator Joe Lieberman (D-Connecticut) says the Transportation Security Administration may have violated the 1974 Privacy Act by acquiring airline passenger data without passengers' consent. The Technology and Privacy Advisory Committee (TAPAC) has released a report finding data mining useful for combatting terrorists, but calls for anonymizing technology to protect US citizens against unreasonable searches. If evidence of terrorist activity is found, investigators could get authorization to uncover identities from the Foreign Intelligence Surveillance Court. TAPAC recommends the restrictions only for general data mining of US citizens, but not for analysis of government employees, airline passengers, or foreign intelligence data. Congress is not expected to pass data mining laws until after the 2004 elections.


Title: Rights Groups Seek E-Vote System Source Code Access
Source: EWeek.com
Date Written: June 29, 2004
Date Collected: June 30, 2004
The Leadership Conference on Civil Rights and the Brennan Center for Justice at New York University School of Law have released a report of security and best practice recommendations to 675 counties using DRE (direct recording electronic) voting machines. The recommendations draw on advice from Eric Lazarus and a team of information technology security experts, including Howard Schmidt, former cybersecurity advisor to the White House. The most prominent recommendation is to have DRE voting machines analyzed by an independent security team with no business relationship with the machine vendor. The teams must have full access to the machines and back-end systems, something vendors have been reluctant to provide, arguing that the code could be misused. Counties should also establish permanent independent panels of computer experts and citizen groups to monitor security and conduct post-election assessments. Election officials should receive security training, develop parallel testing for problems, and establish a standard process for dealing with security incidents and protecting evidence for an investigation. The recommendations have won support from such organizations as the Electronic Frontier Foundation, the Electronic Privacy Information Center, the National Committee for Voting Integrity, and the National Association for the Advancement of Colored People.

Also - http://www.fcw.com/fcw/articles/2004/0628/web-evote-06-29-04.asp


Title: Pop-Up Program Snatches Banking Passwords
Source: EWeek.com
Date Written: June 29, 2004
Date Collected: June 30, 2004
Online banking customers are being hit by a Trojan that infects machines through a pop-up ad to steal user names and passwords for banking sites. The pop-up ad delivers an apparent image file, img1big.gif, which is really a compressed executable containing the Trojan and a DLL (dynamic link library), which are installed as a BHO (browser helper object) for Internet Explorer. The Trojan monitors web use for HTTPS (hypertext transfer protocol secure) sessions with a list of banking sites, including Citibank, Deutsche Bank, and Barclays Bank. The Trojan grabs outbound POST and GET data before it is encrypted by SSL (Secure Sockets Layer). The Trojan then encrypts the data itself and sends it to a remote server. SANS Internet Storm Center learned of the Trojan when a user found it on one of his company's computers after it failed to install properly because of restrictions on the user's account.


Title: In Hungary, creator of computer virus given suspended prison sentence
Source: Security Focus (AP)
Date Written: June 30, 2004
Date Collected: June 30, 2004
The Veszprem City Court in Hungary has convicted a teenager, referred to only as Laszlo K., of unauthorized use of computer systems and sentenced him to two years probation and to pay $2,400 in court costs. Laszlo K. created an e-mail virus that infected tens of thousands of computers in May 2003, tricking users into downloading an e-mail file attachment by promising pictures of Hungarian porn actress Maya Gold. The virus disabled antivirus, disabled the mouse, and printed anti-Microsoft messages. Hungarian newspaper Nepszabadsag reports that Mr. K. created the virus to prove to himself that he had some skills after failing several high school projects. The police were able to track down Mr. K. since the virus was originally e-mailed from his address, and contained his name and postal code in the source code.


Title: There is no anti-spyware silver bullet
Source: The Register
Date Written: June 30, 2004
Date Collected: June 30, 2004
The Meta Group warns that the threat of spyware will continue to grow over the next few years. Only a handful of consumer products and emerging corporate products address spyware, while spyware features often have legitimate uses, making them difficult for antivirus software to filter. The Spywarewarrior website notes that many anti-spyware tools are ineffective, are sold through deceptive practices, and are often spyware themselves. Some anti-spyware products are based on databases stolen from other anti-spyware vendors. The Meta Group finds that organizations must address spyware through a combination of policies and software until stronger solutions are available.



Title: GAO: Net-centric war needs better integration
Source: Federal Computer Week
Date Written: June 29, 2004
Date Collected: June 30, 2004
The General Accounting Office (GAO) has found that while network-centric communications and sensors have enhanced the military's battle capabilities, there are also barriers to the progress of network-centric warfare. GAO finds that Defense lacks standardized interoperable systems, a unified battlefield information system, the ability to quickly assess battle damage, and training to help personnel deal with the increased information. Joint Forces and Special Operations used different Blue Force Tracking systems in Iraq, requiring them to build a makeshift network to allow the two forces to locate each other. Central Command has to deal with 23 reporting formats when assessing battle damage in Afghanistan. The Defense Department responds that a number of programs are already addressing these issues, including the Global Information Grid, the Joint Network Fires Capability roadmap, the Joint Fires Initiative, Joint Close Air Support, and the Joint Targeting School.


Title: NIST aims to ease XP security setup
Source: Federal Computer Week
Date Written: June 29, 2004
Date Collected: June 30, 2004
The National Institute of Standards and Technology (NIST) has released Special Publication 800-68, offering recommendations and checklists for configuring security on Windows XP Professional in accordance with the Federal Information Security Management Act (FISMA) of 2002. The document should help systems administrators avoid mistakes that can cost time and money. NIST worked with the Defense Information Systems Agency, the National Security Agency, Microsoft, and the Center for Internet Security to develop the standards for productivity applications, e-mail, web browsers, personal firewalls, and antivirus software. In July 2004, NIST will publish details on its Security Configuration Checklists Program, a web portal that will let federal officials research software when making purchasing decisions. According to Center for Internet Security chief executive Clint Kreitner, software makers, businesses, and government agencies are reaching a consensus on security controls; Dell and Microsoft have begun shipping products already configured for security.


Vulnerabilities & Exploits

Title: Microsoft haunted by old IE security flaw
Source: C-Net News
Date Written: June 30, 2004
Date Collected: June 30, 2004
Security firm Secunia has released an advisory of a flaw in Microsoft's Internet Explorer that had been fixed in earlier versions in 1998. The flaw affects users who have multiple instances of Explorer open. An attacker can use one browser window to alter the content of another without the user's knowledge, possibly inserting links to malicious websites to deliver malware or trick users into revealing passwords. Secunia chief technology officer Thomas Kristensen comments "It's a concern that a company like Microsoft has a problem that's already been fixed in older versions resurface in newer ones". A number of flaws have been revealed in Internet Explorer recently, prompting the US Computer Emergency Readiness Team to recommend that users switch browsers. One flaw allows an attacker to install a keystroke logger through a pop-up ad, while another downloaded a malicious script from a Russian site when users visited a popular website that had been cracked and planted with another malicious script. The Russian site has been shut down.


Civil & Consumer Issues

Title: ISPs avoid royalties for music downloads
Source: The Globe and Mail
Date Written: June 30, 2004
Date Collected: June 30, 2004
The Supreme Court of Canada has ruled, 9-0, that Internet service providers (ISPs) do not have to pay royalties to composers and artists for music downloaded from the Internet, finding that ISPs are merely intermediaries. The suit was brought to the court by the Society of Composers, Authors and Music Publishers of Canada (SOCAN), which also wanted federal copyright regulations extended to foreign websites that serve Canadians. The Canadian Association of Internet Providers, which includes such companies as Bell, Sprint, America Online, MCI, IBM, and Yahoo, argued that SOCAN should seek royalties from websites that offer music for download. SOCAN's lawsuit differs from those of the American music industry, which sues file-sharing services and individual users.


Title: E-Mail Snooping Ruled Permissible
Source: Wired News
Date Written: June 30, 2004
Date Collected: June 30, 2004
The First Circuit Court of Appeals in Massachusetts has ruled that Bradford C. Councilman, owner of a rare and out-of-print books website who provided e-mail service to other book dealers, did not violate the Wiretap Act when he intercepted and read customers' e-mails. Unknown to customers, Mr. Councilman ran code that copied e-mails from competitor Amazon.com before sending them on to their intended recipients. Mr. Councilman used the e-mails to find out what books people were seeking, to gain an advantage over Amazon. The court ruled that this did not count as interception under the Wiretap Act, since the e-mails were in memory, and thus in 'storage', rather than in transit. The court acknowledged that the Wiretap Act may be out of date for dealing with Internet communications. Kevin Bankston, an attorney with the Electronic Frontier Foundation, criticizes the ruling, arguing that it gives "Internet communications providers free rein to invade the privacy of their users for any reason and at any time". Justice Kermit V. Lipez wrote a dissenting opinion, arguing that Congress did not intend for e-mail temporarily stored during transmission to have less privacy than messages in transit.


The Institute for Security Technology Studies (ISTS) accepts no responsibility for any error or
omissions in this e-mail. The information presented is a compilation of material from various
sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be made
responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss
or damage arising from or in connection with the information contained in this report. It is the
responsibility of the user to evaluate the content and usefulness of this information. References in
this e-mail to any specific commercial products, processes, or services by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by
the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News
e-mail available as a public service on a best-effort basis. Security in the News will be sent out
on most business days, but not all.

Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu

Information is the currency of victory on the battlefield.
GEN Gordon Sullivan, CSA (1993)

INFOCON Mailing List @
IWS - The Information Warfare Site

To subscribe, change your subscription or unsubscribe go to http://www.iwar.org.uk/mailman/listinfo/infocon/
