Thursday, August 05, 2004

SEC: [INFOCON] Security In The News - August 3, 2004


Security In The News


This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html

Bush calls on Congress to create new intelligence adviser post:
Also - GovExec.com 8/2/04
Also - Government Computer News 8/2/04

DHS exorcises SPIRIT:
Federal Computer Week 7/30/04

Terror Threat Level Is Raised For Key U.S. Financial Buildings:
EWeek (AP) 8/1/04
Also - The Register 8/2/04
Also - Washington Times 8/3/04

Pondering private infrastructure data:
Federal Computer Week 7/30/04

UK.gov deploys IT early warning system:
The Register 8/3/04

Dartmouth Computer Hackers:
Also - The Dartmouth 8/3/04

Kerry donors targeted by fake e-mail:

European Parliament tries to quash passenger data deal:

Trade deal exports DMCA down under:
C-Net News 8/3/04

44,000 prison inmates to be RFID-chipped:

Microsoft offers $1 million for secure computing curricula:
Also - EWeek.com 8/2/04
Also - ZDNet 8/2/04

Microsoft Money glitch fixed:
Also - Computerworld 7/30/04

Data Driven Attacks Using HTTP Tunneling:
Security Focus 8/2/04

Mozilla puts bounty on bugs:
C-Net News 8/2/04

Oracle software 'riddled with security holes':

Computer Glitch Grounds Thousands of Airline Passengers:
Also - Computerworld 8/2/04

Linux security problems are your own fault:

VoIP smuggled into Latin America:

Is Real's hacking of iPod legal?:
ZDNet Australia 8/2/04

Symantec sued for labeling product 'adware':

Homeland Security & Infrastructure Protection

Title: Bush calls on Congress to create new intelligence adviser post
Source: GovExec.com
Date Written: August 2, 2004
Date Collected: August 3, 2004
Following recommendations from the National Commission on Terrorist Attacks upon the United States, better known as the 9-11 Commission, President George W. Bush has called on Congress to create the post of a Cabinet-level national intelligence director. The national intelligence director would oversee fifteen federal intelligence agencies in consultation with the CIA (Central Intelligence Agency) Director. The 9-11 Commission's final report called for the national intelligence director to have budgetary discretion over the agencies, but the Bush proposal describes the post as an advisory role. National security advisor Condoleezza Rice and White House Chief of Staff Andrew Card say the intelligence director would have "input" on budgets. Mr. Bush also rejected the Commission's recommendation that the post be within the White House, arguing that a stand-alone group could better coordinate intelligence.

Also - http://www.govexec.com/story_page.cfm?articleid=29118&dcn=todaysnews

Also - http://www.gcn.com/vol1_no1/daily-updates/26821-1.html

Title: DHS exorcises SPIRIT
Source: Federal Computer Week
Date Written: July 30, 2004
Date Collected: August 3, 2004
The Department of Homeland Security (DHS) has cancelled its SPIRIT (Security, Planning and Integrated Resources for Information Technology) program to build an information technology infrastructure for the department, saying SPIRIT does not fit with DHS's overarching strategy. SPIRIT began as an IT project for the US Coast Guard before it joined DHS. DHS chief information officer Steve Cooper and chief procurement officer Greg Rothwell are developing a new acquisition strategy, with attention toward interoperability and configuration management. DHS had previously postponed SPIRIT, worth $5 billion over five years, frustrating vendors poised to reply to requests for proposals. Some, however, are not surprised by the cancellation, describing the project as too ambitious.


Title: Terror Threat Level Is Raised For Key U.S. Financial Buildings
Source: EWeek (AP)
Date Written: August 1, 2004
Date Collected: August 3, 2004
Homeland Security Secretary Tom Ridge has announced that his department has received intelligence that al Qaeda may be planning attacks against four "iconic" financial buildings: the Citicorp building in New York, the New York Stock Exchange, the World Bank and International Monetary Fund buildings in Washington, DC, and the Prudential Financial building in Newark, New Jersey. The intelligence indicates a car or truck bomb using traditional explosives rather than a chemical, biological, or radiological attack. Accordingly, Homeland Security has raised the threat level for the three indicated cities to orange, or high, while the rest of the US remains at yellow, or elevated risk. An unnamed analyst said the intelligence came with "excruciating detail", including pedestrian traffic, the likelihood that the explosion would melt steel, and whether the buildings' structures would collapse under an explosion. Local and state officials have been notified of the threat and additional security measures are underway.

Also - http://www.theregister.co.uk/2004/08/02/al_qaeda_cyber_terror_panic

Also - http://www.washtimes.com/world/20040803-121321-3188r.htm

Title: Pondering private infrastructure data
Source: Federal Computer Week
Date Written: July 30, 2004
Date Collected: August 3, 2004
Officials from the Department of Homeland Security are grappling with how access to data willingly submitted by the private sector should be handled. The Protected Critical Infrastructure Information Program Office, created under the Critical Infrastructure Information Act of 2002, collects private sector data and determines whether it has bearing on the nation's critical infrastructure. Though the office was created to allay private sector fears that any information submitted to the government regarding vulnerabilities would be available to the public under the Freedom of Information Act, officials still find that most companies do not willingly submit information. The office has only received 19 submissions and is seeking to simplify the submission process and enable electronic submissions.


Title: UK.gov deploys IT early warning system
Source: The Register
Date Written: August 3, 2004
Date Collected: August 3, 2004
The UK National Information Security Co-ordination Centre (NISCC), which provides security advice to critical services providers, and NGS Software (NGSS) are creating an early warning system for IT security problems. The notices will be available before patches are delivered, and will provide warnings and mitigation advice. NGSS is well known in the security arena, having been the first to identify the SQL Server vulnerability that was exploited by the Slammer worm in January 2003. NGSS will be the first private company to assist NISCC, and other such partnerships are expected to follow.



Title: Dartmouth Computer Hackers
Source: TheWMURChannel.com
Date Written: August 1, 2004
Date Collected: August 3, 2004
Dartmouth College in Hanover, New Hampshire, reports that an unknown party accessed eight servers without authorization, potentially compromising sensitive data on employees, retirees, research staff, and students. According to Larry Levine, Dartmouth's chief information officer, as many as 10,000 people may have been affected by the breach. The attacker's motivation is unclear, though such attacks are common for people seeking to illegally access movies and music. The college has removed malicious software installed on the server and added additional security measures. Dartmouth has informed affected individuals of the breach, advised them on checking their credit records for identity theft, and is cooperating with the Federal Bureau of Investigation regarding the incident.

Also - http://www.thedartmouth.com/article.php?aid=2004080301010

Title: Kerry donors targeted by fake e-mail
Source: MSNBC
Date Written: August 2, 2004
Date Collected: August 3, 2004
A hoax targeting Senator John Kerry's presidential campaign was discovered by researchers over the weekend of August 1, 2004. An edited version of an e-mail recently sent by the campaign was used to solicit donations, directing donors to a fake website where payments could be made, and may possibly have been used for ID theft. The Kerry campaign's webmaster discovered that the e-mails linked to an image of Senator Kerry's brother from the campaign website and altered the image to include a warning to recipients. The hoax was timed to coincide with the Democratic convention, and any donations made through the website are likely lost.



Title: European Parliament tries to quash passenger data deal
Source: Computerworld
Date Written: July 30, 2004
Date Collected: August 3, 2004
The European Court of Justice reports that the European Parliament has formally filed requests to annul two decisions that would require European airlines to share passenger data with the US Bureau of Customs and Border Protection. The Parliament has also asked the Court to fast-track the case toward a final judgment within three months. The Parliament objects to the deal, made between the European Commission and US officials in the wake of the September 11, 2001, terrorist attacks, arguing that it violates European data protection laws, and wants to force the US to renegotiate. The European Commission says this is the best possible deal the US would accept.


Title: Trade deal exports DMCA down under
Source: C-Net News
Date Written: August 3, 2004
Date Collected: August 3, 2004
A recently signed trade deal between the United States and Australia, which would eliminate many of the tariffs on the $28 billion of trade between the two countries, also requires Australia to implement laws regarding circumvention of copy-protection technologies and other intellectual property issues. Under the agreement, Australia will recognize software patents, extend the duration of copyrighted works, and adopt key portions of the Digital Millennium Copyright Act (DMCA). The agreement commits both countries to passing laws banning tampering with "rights management information". The agreement has been criticized by Australia's Linux community, as well as by some Parliamentarians who want tighter regulations on drug companies and on television and radio content.



Title: 44,000 prison inmates to be RFID-chipped
Source: Silicon.com
Date Written: August 2, 2004
Date Collected: August 3, 2004
The Ohio Department of Rehabilitation and Correction (ODRH) has awarded a $415,000 contract to Alanco Technologies for a pilot project testing whether the state should track its 44,000 prisoners via RFID (radio frequency identification) tags. The ODRH will conduct the pilot at the Ross Correctional Facility in Chillicothe. Prisoners will wear wristwatch-sized transmitters that send an alert if prisoners try to remove them. Staff will also have transmitters on their belts; warders can activate an alarm on the belt themselves, or the belt will automatically send an alert if the warder is knocked down or the transmitter is forcibly removed. Prisons in Michigan, California, and Illinois are already experimenting with RFID, and Alanco chief executive Robert R. Kauffman believes three new states will deploy the technology.


Title: Microsoft offers $1 million for secure computing curricula
Source: InfoWorld
Date Written: August 2, 2004
Date Collected: August 3, 2004
In a speech at the software maker's annual Faculty Summit in Redmond, Washington, Microsoft senior vice president Rick Rashid announced that $1 million would be made available to help develop curricula in computer science, business, and law relating to secure computing. Asserting that current curricula are underdeveloped, Mr. Rashid said that the goal was to "improve the state of the art in terms of education for students." The fund is part of Microsoft's Trustworthy Computing initiative to focus on security, which was launched by Microsoft Chairman Bill Gates in January 2002.

Also - http://www.eweek.com/article2/0,1759,1630578,00.asp

Also - http://zdnet.com.com/2100-1104-5293764.html

Vulnerabilities & Exploits

Title: Microsoft Money glitch fixed
Source: Computerworld
Date Written: August 2, 2004
Date Collected: August 3, 2004
Microsoft has released a patch for Money 2004 addressing a bug that prevented users from accessing their financial data, even when they kept it locally on their hard drives. The problem resulted from changes to Microsoft's servers made on Sunday, July 25, 2004, which caused a disconnect between Passport authentication and Money's file encryption keys. When users who used any online features, such as e-banking and electronic bill paying, tried to sign on, they got an error message, and were later unable to access their data. Rob Enderle, principal analyst for the Enderle Group, notes that Microsoft created a public relations "nightmare" for itself by failing to immediately notify users of the problem and by spinning the situation as proof that no one could break into financial data.

Also - http://www.computerworld.com/hardwaretopics/hardware/server/story/0,10801,94935,00.html

Title: Data Driven Attacks Using HTTP Tunneling
Source: Security Focus
Date Written: August 2, 2004
Date Collected: August 3, 2004
While many systems administrators rely on firewalls, routers, and intrusion detection and prevention systems to control traffic on port 80 (HTTP, hypertext transfer protocol), attackers can use HTTP tunneling to bypass those access control restrictions. Tunneling involves encapsulating traffic in HTTP headers; a tunneling program receives the HTTP traffic, strips out the headers, and forwards the traffic. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) packets can be sent in this way. An attacker, once inside a network, can install an HTTP tunnel program to covertly access other parts of the network using other ports and services, such as Telnet (TCP port 23). An attacker could also gather intelligence about a network without alerting administrators with a visible port scan. Penetration testers can use HTTP tunneling to find holes that would otherwise go unnoticed, since most networks inspect inbound traffic closely but place few restrictions on outbound traffic.
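The summary above is the reason outbound HTTP deserves the same scrutiny as inbound traffic: a tunnel looks like ordinary web requests at the port level, but it leaves statistical traces in proxy logs (one client talking to one host far more often than a browser would, almost all requests carrying an upload body, more bytes leaving than arriving, and requests spaced at machine-regular intervals). The following script is an added example, not code from the Security Focus article or from ISTS; it reads a handful of constructed proxy log lines in a hypothetical space-separated format (timestamp, client, method, URL, status, bytes out, bytes in) and flags client-to-host flows that show at least two of those tunnel indicators. The thresholds are assumptions to be tuned against a real proxy's baseline.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log (hypothetical format): epoch client method url status bytes_out bytes_in
# 10.0.0.5 sends identical POSTs to one host every 5 seconds with far more data out than in
# (tunnel-like); 10.0.0.7 browses normally; 10.0.0.9 sends too few requests to judge.
SAMPLE_LOG = """
1091520000 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520005 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520010 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520015 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520020 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520025 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520030 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520035 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520040 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520045 10.0.0.5 POST http://relay.example.test/api 200 4096 128
1091520003 10.0.0.7 GET http://www.example.test/index.html 200 350 12000
1091520006 10.0.0.7 GET http://www.example.test/style.css 200 320 4000
1091520046 10.0.0.7 GET http://www.example.test/news.html 200 340 15000
1091520048 10.0.0.7 GET http://www.example.test/logo.png 200 310 30000
1091520138 10.0.0.7 GET http://www.example.test/about.html 200 345 9000
1091520145 10.0.0.7 GET http://www.example.test/contact.html 200 330 8000
1091520100 10.0.0.9 POST http://relay.example.test/api 200 4096 128
1091520105 10.0.0.9 POST http://relay.example.test/api 200 4096 128
1091520110 10.0.0.9 POST http://relay.example.test/api 200 4096 128
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<out>\d+) (?P<in>\d+)$"
)

# Methods that carry a request body (or open a raw channel) and therefore can carry tunneled data.
UPLOAD_METHODS = {"POST", "PUT", "CONNECT"}


def host_of(url):
    """Destination host for a URL; CONNECT requests log 'host:port' without a scheme."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split(":")[0]


def parse_line(line):
    """Return a record dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client"),
        "method": m.group("method"),
        "host": host_of(m.group("url")),
        "out": int(m.group("out")),
        "in": int(m.group("in")),
    }


def flow_features(records):
    """Per-flow statistics: request count, share of upload-style requests,
    bytes-out to bytes-in ratio, and coefficient of variation of inter-request gaps
    (near 0 means clockwork timing, which browsers and humans rarely produce)."""
    n = len(records)
    uploads = sum(1 for r in records if r["method"] in UPLOAD_METHODS)
    out_b = sum(r["out"] for r in records)
    in_b = sum(r["in"] for r in records)
    ts = sorted(r["ts"] for r in records)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else float("inf")
    return {"requests": n, "post_ratio": uploads / n,
            "out_in_ratio": out_b / max(in_b, 1), "interval_cv": cv}


def find_suspected_tunnels(lines, min_requests=8, post_ratio=0.8, out_in_ratio=2.0, max_cv=0.3):
    """Group log lines by (client, host) and flag flows with enough volume that show
    at least two of the three tunnel indicators. Thresholds are assumed, not measured."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            flows[(rec["client"], rec["host"])].append(rec)
    flagged = []
    for (client, host), records in flows.items():
        if len(records) < min_requests:
            continue
        f = flow_features(records)
        indicators = [name for name, hit in (
            ("upload-heavy", f["post_ratio"] >= post_ratio),
            ("outbound-dominant", f["out_in_ratio"] >= out_in_ratio),
            ("regular-timing", f["interval_cv"] <= max_cv),
        ) if hit]
        if len(indicators) >= 2:
            flagged.append({"client": client, "host": host, "indicators": indicators, "features": f})
    return sorted(flagged, key=lambda x: (-len(x["indicators"]), -x["features"]["requests"]))


if __name__ == "__main__":
    for hit in find_suspected_tunnels(SAMPLE_LOG.splitlines()):
        print(hit["client"], "->", hit["host"], hit["indicators"], hit["features"])
```

On the constructed sample only the 10.0.0.5 flow is reported, with all three indicators. The point of requiring two indicators rather than one is that each heuristic alone fires on legitimate traffic (file uploads are upload-heavy, monitoring agents have regular timing); the combination is what separates a covert channel from a busy user.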


Title: Mozilla puts bounty on bugs
Source: C-Net News
Date Written: August 2, 2004
Date Collected: August 3, 2004
A week after confirming that its software has problems regarding digital certificates, the Mozilla Foundation has announced that it will offer a $500 reward for every significant bug reported in its browser. The Linux software company Linspire and entrepreneur Mark Shuttleworth have each pledged $5000 to fund the Mozilla Security Bug Bounty Program. Chris Hofmann, director of engineering for the Mozilla Foundation, said that Mozilla's security is good despite the bugs and that the reward is intended primarily to thank individuals who help increase the products' security. Few other companies have offered rewards for reporting software vulnerabilities, and almost all have been for vulnerabilities in competitors' software.


Title: Oracle software 'riddled with security holes'
Source: ZDNet
Date Written: August 3, 2004
Date Collected: August 3, 2004
UK security firm Next Generation Security Software (NGSS) claims it has discovered holes in current and previous versions of Oracle's database software. The flaws would allow intruders to gain access to information without passwords or authentication. NGSS's managing director David Litchfield said the firm has found as many as 34 such holes, and that they can allow intruders to access and own data. Oracle is working on the patches, but has not provided a time scale.


Title: Computer Glitch Grounds Thousands of Airline Passengers
Source: TechNewsWorld
Date Written: August 2, 2004
Date Collected: August 3, 2004
Thousands of passengers were delayed August 1 as American Airlines and US Airways lost critical take-off information. The error was caused by the provider of the airlines' flight operation system, Electronic Data Systems, who attributed the error to some bad information that was added to the system. Flights already in the air were unaffected, as the data lost was strictly pre-takeoff information, and though a majority of 2,400 flights were affected, most delays were less than one hour.

Also - http://www.computerworld.com/softwaretopics/software/story/0,10801,94984,00.html

Title: Linux security problems are your own fault
Source: InfoWorld
Date Written: August 2, 2004
Date Collected: August 3, 2004
According to a new survey of Linux developers by Evans Data Corp., the largest proportion of security problems on Linux systems are due to users. 78% of the Linux developers said they had never been hacked, compared to 40% in a recent study conducted by Evans of developers of all types. Of the 22% of respondents who admitted that their systems had been hacked, the largest proportion of the attacks at 23% were by internal users with valid login IDs, and the most common factors allowing the attacks were misconfiguration, Internet service vulnerabilities, and Web server flaws. Linux is commonly considered by developers to be the most secure platform, and 92% of respondents claimed that their systems had never been infected with a virus.


Civil & Consumer Issues

Title: VoIP smuggled into Latin America
Source: Silicon.com
Date Written: August 3, 2004
Date Collected: August 3, 2004
In Latin America, where regulation of VoIP (Voice over Internet Protocol) is stricter than in the United States, users are circumventing local laws with help from friends and relatives in the US. Panama has levied a 12% tax on VoIP phone calls, while Internet cafes face fines of $10,000 to $50,000 for letting patrons use VoIP. According to Jose Otero, director of InfoAmericas, the governments of Mexico and Colombia tightly restrict VoIP to protect local telephone companies. Many users in Latin American countries are asking friends and relatives in the US to sign them up for accounts with VoIP providers such as Vonage, whose service is 80% cheaper than local phone networks and requires only a broadband connection. Vonage says certain rules could limit Latin American use of its service--users cannot get customer service outside North America--but the company does not limit the number of accounts a person can open with the service.


Title: Is Real's hacking of iPod legal?
Source: ZDNet Australia
Date Written: August 2, 2004
Date Collected: August 3, 2004
Many legal experts find that RealNetworks' Harmony technology, designed to allow music from the RealPlayer store to play on Apple's iPod, does not violate US copyright laws. The Digital Millennium Copyright Act (DMCA) prohibits circumvention of digital copy protections. Since Harmony only allows users to play RealNetworks' music on Apple technology, but does not enable piracy or digital copying of music protected by Apple's FairPlay, the DMCA may not apply. Rather, it appears to be a form of reverse engineering, which is permissible under US law. However, Apple may have a case of wrongdoing against RealNetworks under contract law, since the iPod license forbids reverse engineering. Interoperability has been an issue among digital music players, as different vendors include differing digital rights management (DRM) systems with their players. Consumers can use music from one store, but not others. The DMCA allows for technology to be reverse engineered for interoperability. However, reverse engineering requires meticulous records to ensure adherence to the law, something RealNetworks has done in the past.


Title: Symantec sued for labeling product 'adware'
Source: ZDNet
Date Written: August 2, 2004
Date Collected: August 3, 2004
TrekEight of San Diego, California, has sued Symantec for including its Spyware Nuker software on a list of adware, causing damage to its reputation and sales. According to TrekEight, also known as Trek8, TrekData, and TrekBlue, its Spyware Nuker is designed to find and remove spyware and adware, and does not share any of their capabilities. TrekEight also sells e-mail marketing and web advertising services. While Symantec's website lists Spyware Nuker as adware, other analyses say they have not found the software installing any advertising or spying components.


To change your delivery preferences please go to:

If you wish to stop receiving the 'Security in the News' service please go to:

The Institute for Security Technology Studies (ISTS) accepts no responsibility for any error or
omissions in this e-mail. The information presented is a compilation of material from various
sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be made
responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss
or damage arising from or in connection with the information contained in this report. It is the
responsibility of the user to evaluate the content and usefulness of this information. References in
this e-mail to any specific commercial products, processes, or services by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by
the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News
e-mail available as a public service on a best-effort basis. Security in the News will be sent out
on most business days, but not all.

Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu

Information is the currency of victory on the battlefield.
GEN Gordon Sullivan, CSA (1993)

INFOCON Mailing List @
IWS - The Information Warfare Site

To subscribe, change your subscription or unsubscribe go to http://www.iwar.org.uk/mailman/listinfo/infocon/

