|
[networknewsletters]
||
[Date Prev]
[01-2006 Date Index]
[Date Next]
||
[Thread Prev]
[01-2006 Thread Index]
[Thread Next]
[Security-News] January 11, 2006 update
- From: Educational CyberPlayGround <admin@xxxxxxxxxxxxxxx>
- To: NetworkNewsletters@xxxxxxxxxxxxx
- Date: Thu, 12 Jan 2006 10:03:21 -0500
**************************************************************
Network Newsletters Mailing List ©1994
Subscribe - Unsubscribe - Email Preferences
http://www.edu-cyberpg.com/Community/NetworkNewsletters.html
Educational CyberPlayGround Community Mailing Lists
http://www.edu-cyberpg.com/Community/
Advertise Network Newsletters Guidlines
http://www.edu-cyberpg.com/Community/Subguidelines.html
**************************************************************
Date: Thu, 12 Jan 2006 00:01:04 -0500
SECURITY IN THE NEWS
updated on January 11, 2006
HOMELAND SECURITY & INFRASTRUCTURE PROTECTION
Admiral: â??Commonality of systemsâ?? vital to military communications:
Government Computer News, 2006-01-10
Anti-terror scanning tech tested on London commuters:
Silicon.com, 2006-01-11
CYBERCRIME-HACKING
IDs of 50,000 Bahamas resort guests stolen:
C-Net News, 2006-01-10
FBI says attacks succeeding despite security investments:
SearchSecurity, 2006-01-11
POLITICS-LEGISLATION
Feds to banks: Put security policies in writing:
C-Net News, 2006-01-10
Report: E-gov helps government share info:
Federal Computer Week, 2006-01-10
Government attacks anti-road safety SMS service:
ZDNet Australia, 2006-01-11
MALWARE
Expert: Microsoft TNEF flaw could lead to superworm:
SearchSecurity, 2006-01-10
Malware on tap scheme draws flak:
The Register, 2006-01-10
TECHNOLOGY
Qualys vulnerability research put in peril:
Techworld, 2006-01-11
Homeland Security helps secure open-source code:
C-Net News, 2006-01-10
Open-source software revolutionises patent system:
Techworld, 2006-01-10
VULNERABILITIES & EXPLOITS
Apple patches five big QuickTime holes:
Techworld, 2006-01-11
Microsoft patches two critical holes:
Techworld, 2006-01-11
BEST PRACTICES & RISK MANAGEMENT
Should all your staff have a security qualification?:
ZDNet Australia, 2006-01-10
CIVIL & CONSUMER ISSUES
Dodgy anti-spyware firms to cough up $2m:
The Register, 2006-01-10
HOMELAND SECURITY & INFRASTRUCTURE PROTECTION
Title: Admiral: â??Commonality of systemsâ??
vital to military communications
Source: Government Computer News
Date Written: 2006-01-10
Date Collected: 2006-01-11
Hurricanes Katrina and Rita highlighted communication problems
between federal, state and local organizations, according to
Admiral Thomas F. Hall, assistant secretary of Defense for
reserve affairs. At the Armed Forces Communications and
Electronic Association International's West 2006 Convention, Hall
called for development of a " commonality of systems" led by the
Federal Emergency Management Agency.
http://www.gcn.com/vol1_no1/daily-updates/37960-1.html?CMP=OTC-RSS
Title: Anti-terror scanning tech tested on London commuters
Source: Silicon.com
Date Written: 2006-01-11
Date Collected: 2006-01-11
British authorities have begun a four week trial of body scan
technology and closed circuit television (CCTV) surveillance at
London's Paddington railway station to reduce the risk of a
terrorist bombing. Volunteers traveling from Heathrow to
Paddington will undergo a body scan using millimeter-wave
technology to detect guns and bombs underneath clothing. Scans
should take only a minute. The CCTV system comes with new
technology to alert police of unattended baggage. Transport
Secretary Alistair Darling says if the trial is successful, the
systems will only be deployed at strategic points in the
transportation network; widespread deployment would be too costly
and disruptive.
http://www.silicon.com/0,39024729,39155531,00.htm
CYBERCRIME-HACKING
Title: IDs of 50,000 Bahamas resort guests stolen
Source: C-Net News
Date Written: 2006-01-10
Date Collected: 2006-01-11
The luxury Atlantis resort located on Paradise Island in the
Bahamas disclosed that 55,000 guests have had personal
information, such as "names, addresses, credit card details,
Social Security numbers, driver's license numbers and bank
account data" stolen. An investigation hopes to determine if the
information was stolen from the hotel's database through an
inside job or by hackers. Affected people have been informed and
offered free credit monitoring, and the investigation continues.
<http://news.com.com/IDs+of+50%2C000+Bahamas+resort+guests+stolen/2100
-7348_3-6025591.html>
Title: FBI says attacks succeeding despite security investments
Source: SearchSecurity
Date Written: 2006-01-11
Date Collected: 2006-01-11
The 2005 FBI Computer Crime Survey concludes that "despite
investing in a variety of security technologies, enterprises
continue to suffer network attacks at the hands of malware
writers and inside operatives" and that "many security incidents
continue to go unreported". The major points gleaned from the
survey are: "security technology doesn't catch everything", "few
can avoid attacks", "repeated attacks are common", and that the
"insider threat persists". The report also states that "Computer
related crime is the third-highest priority in the FBI, above
public corruption, civil rights, organized crime, white collar
crime, major theft and violent crime."
<http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_g
ci1157706,00.html?track=sy160>
POLITICS-LEGISLATION
Title: Feds to banks: Put security policies in writing
Source: C-Net News
Date Written: 2006-01-10
Date Collected: 2006-01-11
The Federal Reserve Board issued a new guide that clarifies the
1999 Graham-Leach-Bliley Act, which outlines data security
standards for financial institutions. Among the institutions
responsibilities are to "tightly control who can access their
customer information systems", "monitor physical storage of paper
records, set up monitoring systems to detect intruders and
provide written contracts outlining how they will respond to
suspected breaches". New congressional action on these issues is
expected in 2006, with an emphasis on setting uniform federal
standards.
<http://news.com.com/Feds+to+banks+Put+security+policies+in+writing/21
00-7348_3-6025354.html>
Title: Report: E-gov helps government share info
Source: Federal Computer Week
Date Written: 2006-01-10
Date Collected: 2006-01-11
The Office of Management and Budget issued a report concluding
that the "federal government offers more timely and accurate
information to the public and government leaders through e-
government initiatives" such as electronic tax filing and the
Disaster Management Interoperability Services e-government tool
that enables first responders to share information. The report
resulted from a new provision in the Transportation, Treasury,
Housing and Urban Development, the Judiciary, the District of
Columbia, and Independent Agencies Appropriations Act of 2006,
which requires agencies to submit a report to gain funding for
e-government initiatives.
http://www.fcw.com/article91934-01-10-06-Web&RSS=yes
Title: Government attacks anti-road safety SMS service
Source: ZDNet Australia
Date Written: 2006-01-11
Date Collected: 2006-01-11
The government of the Australian state of Queensland is seeking
advice on whether it can shut down Road Spy, a service that
alerts motorists to speed traps and random breath test locations
through SMS. Adam Bush, director of Road Spy, says the service is
meant to encourage prudent driving by informing drivers of speed
cameras, radars, traffic jams, and breath tests so they slow down
or refrain from drunk driving. More than 300 people supply
intelligence for the service. However, acting Premier Anna Bligh
said she would consult with police officials, saying the service
undermines road safety by helping motorists avoid police. If
current laws do not allow for a crackdown on the service,
Queensland may consider passing a law that would.
<http://www.zdnet.com.au/news/communications/soa/Government_attacks_an
ti_road_safety_SMS_service/0,2000061791,39232176,00.htm>
MALWARE
Title: Expert: Microsoft TNEF flaw could lead to superworm
Source: SearchSecurity
Date Written: 2006-01-10
Date Collected: 2006-01-11
According to Mike Murray, director of vulnerability and exposure
research for nCircle Network Security, motivated attackers could
exploit the Transport Neutral Encapsulation Format (TNEF) flaw in
Microsoft's Outlook and Exchange Server to create the fastest-
spreading worm ever. Since the flaw allows an attacker to execute
code without user interaction, a malicious e-mail could infect
every Exchange server between origin and destination. However,
such an attack would be highly skilled and sophisticated, making
it far from likely. The TNEF vulnerability was publicized in
Microsoft's January 2006 patch release, only five days after the
software company rushed out a patch for the critical WMF (Window
Metafile) flaw.
<http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_g
ci1157759,00.html?track=sy160>
Title: Malware on tap scheme draws flak
Source: The Register
Date Written: 2006-01-10
Date Collected: 2006-01-11
Dutch firm Frame4 Security Systems will launch MD:Pro (Malware
Distribution Project) on February 1, 2006, to distribute malware
to antivirus developers. The service will cost â?¬1,000 a month
and offer 6,500 files -- 120,000 by the end of the year --
including some undetectable to many antivirus products. Sophos'
Graham Cluley questions the value of the service, noting that the
antivirus industry has been sharing data for years. The offer
also appears similar to virus writer websites, which sell malware
under the pretense of research. Frame4 spokesman Anthony Aykut
says the malware will only be distributed to a closed list of
corporate customers and calls the antivirus industry "too
exclusive".
http://www.theregister.co.uk/2006/01/10/malware_distribution_project/
TECHNOLOGY
Title: Qualys vulnerability research put in peril
Source: Techworld
Date Written: 2006-01-11
Date Collected: 2006-01-11
Qualys is assuring its customers that the departure of lead
researcher Gerhard Eschelbeck will not affect its Laws of
Vulnerability research program. The program uses data collected
from the Qualys customer base to analyze real-world
vulnerabilities. Qualys will also remain involved in the SANS Top
20 and Common Vulnerability Scoring System (CVSS). However,
Qualys has not yet appointed anyone to take over the research.
Eschelbeck has taken a job at Webroot as it moves from consumer
business towards enterprise customers.
<http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5128>
Title: Homeland Security helps secure open-source code
Source: C-Net News
Date Written: 2006-01-10
Date Collected: 2006-01-11
Through the Science and Technology Directorate, the US Department
of Homeland Security (DHS) is "extending the scope of its
protection to open-source software". DHS is proiding $1.24
million in research money to "Stanford University, Coverity and
Symantec to hunt for security bugs in open-source software and to
improve Coverity's commercial tool for source code analysis".
<http://news.com.com/Homeland+Security+helps+secure+open-source+code/2
100-1002_3-6025579.html>
Title: Open-source software revolutionises patent system
Source: Techworld
Date Written: 2006-01-10
Date Collected: 2006-01-11
The US Patent and Trademark Office (USPTO), IBM and Open Source
Development Labs (OSDL) have announced plans to improve the speed
and quality of the patent approval process. The Patent Office
will now accept open source software as prior art, and a database
built by OSDL, IBM, Novell, Red Hat and SourceForge.net will help
patent examiners determine whether an open source software
impacts a patent application. The new system will also allow the
public to review and comment on patent applications noting cases
that may be subject to prior art. The USPTO will also use a
patent quality index to gauge the strengths and weaknesses of
various patent applications. The reforms come in response to
concerns in the software community that the patent process has
become bogged down in patent disputes.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5127
VULNERABILITIES & EXPLOITS
Title: Apple patches five big QuickTime holes
Source: Techworld
Date Written: 2006-01-11
Date Collected: 2006-01-11
Apple has issued patches for five flaws in its QuickTime media
player that could allow an attacker to run malicious code on both
Mac OS X and Windows machines. In order to exploit the flaws, an
attacker would have to trick a user into viewing a malicious file
with QuickTime, possibly by posting the file to a website.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5132
Title: Microsoft patches two critical holes
Source: Techworld
Date Written: 2006-01-11
Date Collected: 2006-01-11
Microsoft's patch release for January 2006 addresses two critical
vulnerabilities. The first affects Outlook's and Exchange
Server's Transport Neutral Encapsulation Format (TNEF) for
sending e-mails in RTF (rich text format), and could allow remote
code execution. While Alain Sergile of the ISS X-Force team
believes the flaw would be difficult to exploit, iDefense
director Michael Sutton notes an exploit would not require any
interaction with the user. The second flaw allows an attacker to
execute malicious code through specially crafted embedded web
fonts; a user would have to view a malicious webpage or e-mail
for the code to execute.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5130
BEST PRACTICES & RISK MANAGEMENT
Title: Should all your staff have a security qualification?
Source: ZDNet Australia
Date Written: 2006-01-10
Date Collected: 2006-01-11
Rob Chapman, founder of the Training Camp, argues that companies
should give all their employees basic training in cybersecurity
to better protect their business. Many companies have IT security
policies that their employees must follow, but most do not assure
that employees know how to follow policy. Companies may object to
the cost of training every employee, but the costs of an innocent
mistake could have disastrous effects on a company. Staff are
often considered the primary weakness in any company's security;
in certain industries, such as finance, companies could see
insurance benefits from employee security training. Stuart Okin,
a partner in Accenture's security practice, calls security
training a necessity, not only for its potential to mitigate
risk, but also to give a company a competitive edge.
<http://www.zdnet.com.au/jobs/news_trends/soa/Should_all_your_staff_ha
ve_a_security_qualification_/0,2000056653,39231874,00.htm>
CIVIL & CONSUMER ISSUES
Title: Dodgy anti-spyware firms to cough up $2m
Source: The Register
Date Written: 2006-01-10
Date Collected: 2006-01-11
Spyware Assassin and TrustSoft will pay $76,000 and $1.9 million,
respectively, in settlements with the US Federal Trade Commission
(FTC). The two anti-spyware operators "used email and pop-up ads
to drive net users to their websites for a 'free spyware scan'"
which "revealed that spyware was present on computers even when
they were clean" and advised users to buy software for $39.95.
http://www.theregister.co.uk/2006/01/10/ftc_spyware/
The Institute for Information Infrastructure Protection (I3P)
accepts no responsibility for any error or omissions in this e-mail.
The information presented is a compilation of material from various
sources and has not been verified by staff of the I3P. Therefore,
the I3P cannot be made responsible for the factual accuracy of
the material presented. The I3P is not liable for any loss or
damage arising from or in connection with the information
contained in this report. It is the responsibility of the user to
evaluate the content and usefulness of this information.
References in this e-mail to any specific commercial products,
processes, or services by trade name, trademark, manufacturer, or
otherwise, does not constitute or imply endorsement,
recommendation, or favoring by the I3P. I3P is a research, not
operational, organization, and makes its Security in the News
e-mail available as a public service on a best-effort basis.
Security in the News will be sent out on most business days, but
not all.
The Institute for Information Infrastructure Protection
45 Lyme Road, Suite 300
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: listmanager@xxxxxxxxxx
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
Copyright statements to be included when reproducing
annotations from Network Newsletters
The single phrase below is the copyright notice to be used when
reproducing any portion of this report, in any format:
EDUCATIONAL CYBERPLAYGROUND
http://www.edu-cyberpg.com
Network Newsletters copyright
http://www.edu-cyberpg.com/Community/NetworkNewsletters.html
FREE EDUCATION VENDOR DIRECTORY LISTING
http://www.edu-cyberpg.com/Directory/
HOT LIST REGISTRY OF K12 SCHOOLS ONLINE
http://www.edu-cyberpg.com/Schools/
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
|
