[Security-News] March 23, 2005 update
- From: Educational CyberPlayGround <admin@xxxxxxxxxxxxxxx>
- To: NetworkNewsletters@xxxxxxxxxxxxx
- Date: Thu, 24 Mar 2005 11:07:07 -0500
**************************************************************
-- Educational CyberPlayGround Community
http://www.edu-cyberpg.com/
-- Network Newsletters Mailing List ©1994
-- Subscribe - Unsubscribe - Email Preferences
http://www.edu-cyberpg.com/Community/NetworkNewsletters.html
-- Advertise on Network Newsletters Mailing List
http://www.edu-cyberpg.com/Community/Subguidelines.html
-- Mailing Lists
http://www.edu-cyberpg.com/Community/
**************************************************************
SECURITY IN THE NEWS
updated on March 23, 2005
HOMELAND SECURITY & INFRASTRUCTURE PROTECTION
Terror plot to cripple UK in cyber attack:
The Scotsman, 2005-03-22
CYBERCRIME-HACKING
Symantec: Mozilla-based browsers increasingly targeted by hackers:
Computerworld, 2005-03-21
TECHNOLOGY
No easy fix for DOD security issues:
Federal Computer Week, 2005-03-20
'Safe' CD solution for online banking:
Sydney Morning Herald, 2005-03-23
VULNERABILITIES & EXPLOITS
Linux riskier than Windows?:
C-Net News, 2005-03-22
CIVIL & CONSUMER ISSUES
Computer Ethics, From the Grandstands:
Security Focus, 2005-03-21
P2P: Music's Death Knell or Boon?:
Wired News, 2005-03-22
Microsoft in Piracy Battle with Korean Bank:
Chosun Ilbo, 2005-03-23
Spamming spammers?:
Cnn Money, 2005-03-22
DMCA helps Right to Repair campaign score big win:
The Register, 2005-03-21
Kazaa 'built on piracy':
Sydney Morning Herald, 2005-03-23
ChoicePoint's Checks Under Fire:
Wired News, 2005-03-23
'DVD Jon' reopens iTunes backdoor:
C-Net News, 2005-03-22
HOMELAND SECURITY & INFRASTRUCTURE PROTECTION
Title: Terror plot to cripple UK in cyber attack
Source: The Scotsman
Date Written: 2005-03-22
Date Collected: 2005-03-23
Sir David Omand, a former head of Britain's GCHQ (Government
Communication Headquarters), speaking at a defense conference at
Chatham House in London, said al Qaeda affiliates are training
for cyberattacks against the United Kingdom, possibly targeting
critical economic, medical, and transport networks. While the
intelligence community is generally reluctant to discuss threats
to national security, the nation's reliance on civilian private-
sector networks requires all businesses to participate in
national security and harden their networks. While there has not
yet been any real act of "cyberterrorism," Sir David argues that
the vulnerabilities must still be addressed, especially in such
critical infrastructures as electrical grids and financial
networks. Lord Toby Harris, former chief of the Metropolitan
Police Authority, largely agrees with Sir David's arguments,
noting a virus attack that nearly disabled Her Majesty's Coast
Guard in 2004.
http://news.scotsman.com/uk.cfm?id=305582005
CYBERCRIME-HACKING
Title: Symantec: Mozilla-based browsers increasingly targeted by hackers
Source: Computerworld
Date Written: 2005-03-21
Date Collected: 2005-03-23
Symantec's Internet Security Threat Report for July - December
2004 finds that the number of newly documented vulnerabilities in
the Mozilla and Firefox browsers for that period was higher than
the number found in Microsoft's Internet Explorer, with twenty-
one versus thirteen. However, Internet Explorer had a higher
proportion of serious vulnerabilities, nine of thirteen compared
to eleven Mozilla flaws and seven in Firefox. Explorer flaws went
unpatched for an average of forty-three days, compared to twenty-
six for the Mozilla browsers. Mozilla and Firefox have also begun
attracting more attention from hackers as their user bases grow.
Symantec also found an increase in general vulnerabilities:
1,403, a 13% increase over the first half of 2004. However,
hackers are taking longer to exploit new flaws, with an average
of 6.4 days compared to only 5.8 days in the first half of 2004.
http://www.computerworld.com/securitytopics/security/story/0,10801,100541,00.html
TECHNOLOGY
Title: No easy fix for DOD security issues
Source: Federal Computer Week
Date Written: 2005-03-20
Date Collected: 2005-03-23
A panel of industry experts formed by the US Defense Department
and the National Security Agency (NSA) has released its report
on Defense's Global Information Grid (GIG) strategy, finding it
relies on nonexistent and possibly infeasible technologies. The
NSA cautioned that the report is based on early drafts of the
GIG strategy and that later drafts provide a stronger
foundation. GIG is part of Defense's network-centric warfare
designed to link commanders across the world into a single
unified system. Warren Suss, president of Suss Consulting, says
the GIG will require new security technologies since it is the
first network of its kind. GIG-Bandwidth Expansion, for example,
required a new class of gigabit Ethernet encryptor devices to
comply with federal High Assurance IP Encryption standards. The
NSA adds that the GIG is a long-term project that has changed
significantly since its first draft -- the NSA has already
completed a 2,000 page draft for the Grid.
http://www.fcw.com/article88354-03-21-05
Title: 'Safe' CD solution for online banking
Source: Sydney Morning Herald
Date Written: 2005-03-23
Date Collected: 2005-03-23
Australian company Cybersource has released Coastguard, a product
based on the Knoppix live Linux CD to boot a computer and take
the user directly to a bank's homepage. Most attacks against
banking customers involve key-loggers, phishing attacks, spoof
websites, and DNS (domain name system) hijacking. Coastguard
prevents these attacks by using a locked-down operating system
with DNS hardwired to protected servers owned by the bank.
Coastguard would cost a bank AU$250,000 (US$192,820) to
implement, including rights to a customized CD. Such a solution
represents significant savings over security tokens, which can
cost AU$18 apiece.
http://www.smh.com.au/news/Breaking/Safe-CD-solution-for-online-banking/2005/03/23/1111525204778.html
VULNERABILITIES & EXPLOITS
Title: Linux riskier than Windows?
Source: C-Net News
Date Written: 2005-03-22
Date Collected: 2005-03-23
Security Innovations has released a Microsoft-funded study
arguing that Linux suffers from greater security holes than
Windows. According to the study, Windows 2003 servers had fewer
vulnerabilities than Red Hat Enterprise Linux ES 3 in 2004, and
that flaws went unpatched longer in Linux systems than Windows
systems. Red Hat security response chief Mark Cox says the study
has some inaccuracies and does not differentiate critical flaws
from less serious ones. The study found 12,000 "days of risk"
between flaw discovery and patch release for Linux compared to
only 1,600 for Microsoft. A default configuration built from Red
Hat Linux, MySQL, and PHP suffered from 174 flaws, while Windows
Server 2003 with Microsoft SQL 2000 and ASP.Net had only 52. Mr.
Cox notes that only eight flaws on the Linux list were critical
and were fixed within an average of eight days.
http://news.com.com/Linux+riskier+than+Windows/2100-7355_3-5630822.html
CIVIL & CONSUMER ISSUES
Title: Computer Ethics, From the Grandstands
Source: Security Focus
Date Written: 2005-03-21
Date Collected: 2005-03-23
Mark Rasch examines some of the ethical issues related to an
incident where business school applicants "hacked" an online
site to check the status of their applications. A hacker going
by the pseudonym "brookbond" discovered a configuration flaw in
the ApplyYourself website that would allow an unauthorized party
to access the site and view the status of applications.
"Brookbond" posted a script to a BusinessWeek forum, and 150
applicants attempted to use it to find out whether they had been
accepted. Different schools replied to the hacks differently;
Harvard will deny admission to anyone who used the script, while
Stanford will review those applicants on a case by case basis.
Part of the problem in determining whether such hackings of
curiosity are ethical or even legal is the difficulty of finding
analogies between cyberspace and the real world and the lack of
consensus on cyber ethics. Mr. Rasch argues that the incident
provides business schools an opportunity to explore ethical
issues in computing, and favors Stanford's approach to the
incident over others.
http://www.securityfocus.com/columnists/309
Title: P2P: Music's Death Knell or Boon?
Source: Wired News
Date Written: 2005-03-22
Date Collected: 2005-03-23
Attendees of the South by Southwest music festival in Austin,
Texas, discussed the effect internet technology is having on the
music business, both from industry and artist perspectives. Jay
Rosenthal, a music attorney and a board member of the Recording
Artists Coalition, says peer-to-peer (P2P) file sharing is
preventing new and emerging artists from breaking into the
business. However, the Electronic Frontier Foundation's Wendy
Seltzer argues that lawsuits against users have little to no
effect on P2P, and the industry should seek ways to capitalize on
P2P use. Mr. Rosenthal argues that most artists are doubtful that
P2P can offer sufficient compensation for their work. Eric
Garland, chief executive of media research firm BigChampagne,
says P2P is becoming the primary distribution channel. Record
labels are looking for ways to gain revenue from a fraction of
P2P traffic. Artists are also interested in possible new revenue
streams such as ring tones and mobile wireless.
http://www.wired.com/news/digiwood/0,1412,66959,00.html
Title: Microsoft in Piracy Battle with Korean Bank
Source: Chosun Ilbo
Date Written: 2005-03-23
Date Collected: 2005-03-23
Korea's Seoul Junbu Police are investigating a local bank after
Microsoft Korea filed complaints alleging the bank has pirated
its software. The bank has licenses for Microsoft Office for only
4,500 computers, but appears to be using Office on 11,400
computers, pirating three billion won (US$2.97 million) worth of
software. Microsoft also claims the bank failed to renew its
4,500 licenses after they expired in November 2004. Police have
questioned the bank's information technology staff and vice
president of IT and may question the president and chief
executive as well. Bank executives deny the charges, claiming
they make as many copies of software as they like and that
accounts were not properly settled during license renewal.
http://english.chosun.com/w21data/html/news/200503/200503230040.html
Title: Spamming spammers?
Source: Cnn Money
Date Written: 2005-03-22
Date Collected: 2005-03-23
IBM Research has announced a new service, FairUCE, to send spams
back to the computer -- not the e-mail account -- they came
from. FairUCE relies on a database of spams to reduce the threat
of spoofing and phishing and to identify incoming spams before
they clog networks, removing the need for content filters. IBM
says it is not worried about liability issues, even for spams
sent from zombie computers, since all the FairUCE service does
is bounce e-mails.
http://money.cnn.com/2005/03/22/technology/ibm_spam/index.htm?cnn=yes
Title: DMCA helps Right to Repair campaign score big win
Source: The Register
Date Written: 2005-03-21
Date Collected: 2005-03-23
Right to Repair, a campaign of independent car mechanics, has won
a court victory against the Society of Automotive Engineers (SAE)
to allow independent shops access to the necessary technology for
auto repair. In 2002, Drew Technologies, a member of SAE, wrote
software to support a draft SAE standard and published it on
SourceForge under the GNU Public License (GPL). SAE claimed the
software violated its copyrights and demanded licensing fees.
Drew Technologies argued that copyright law does not cover ideas,
only the implementation and expression of ideas; while the
reference documentation for an SAE standard may fall under
copyright, the ability to build software for the standard does
not. Drew Technologies has threatened to sue SAE under the
Digital Millennium Copyright Act for violating the GPL. SAE has
dropped its lawsuit and agreed to pay Drew Technologies $75,000.
http://www.theregister.co.uk/2005/03/21/right_to_repair_win/
Title: Kazaa 'built on piracy'
Source: Sydney Morning Herald
Date Written: 2005-03-23
Date Collected: 2005-03-23
The Australian Federal Court began hearing closing arguments in
the music industry lawsuit against Sharman Networks, maker of the
Kazaa peer-to-peer (P2P) software. Tony Bannon, attorney for the
music industry, argued that P2P does not constitute a community
similar to community radio or even Google, since its business
model is built on piracy. The music industry has moved to shut
down Kazaa in its current form, prohibit the exchange of MP3
files over the network, to require filtering of songs, and to
monitor the activity of Kazaa users. Mr. Bannon said the case has
worldwide significance since it is the first investigation into
the companies behind P2P, showing they did nothing to prevent
copyright infringement. The Australian Consumers' Association,
Electronic Frontiers Australia, and the New South Wales Civil
Liberties Council have filed an argument saying there is a broader
public interest in the results of the case.
http://www.smh.com.au/news/Breaking/Kazaa-built-on-piracy/2005/03/23/1111525205604.html
Title: ChoicePoint's Checks Under Fire
Source: Wired News
Date Written: 2005-03-23
Date Collected: 2005-03-23
Following a recent security breach, ChoicePoint has come under
increased scrutiny for its background checking services. A
number of lawsuits and consumer complaints allege that data
provided by ChoicePoint to potential employers is inaccurate.
Federal law requires consumer reporting agencies to make sure
that data from public records are kept up to date and to notify
consumers when they provide adverse information to an employer.
However, ChoicePoint and other data aggregators only purchase
data from state databases and periodically refresh it, a
practice Texas investigator Mike Coffey says does not ensure
current records. Instead, background researchers must go
straight to the original source to verify facts. Mr. Coffey
argues that some background researchers want to make sure their
facts are right, but many companies only look to make money
quickly without attention to quality.
http://www.wired.com/news/privacy/0,1848,66983,00.html
Title: 'DVD Jon' reopens iTunes backdoor
Source: C-Net News
Date Written: 2005-03-22
Date Collected: 2005-03-23
A day after Apple Computer blocked PyMusique -- a program
designed to circumvent iTunes copy-protection features by
Norwegian coder Jon Johansen -- hackers have posted new code to
disable the block. The PyMusique project has been one of the
most persistent attempts to hack Apple's iPod and iTunes. Cody
Brocious, an associate of Mr. Johansen and a high school
student in Pennsylvania, says such projects are "necessary for
the Linux community." The software allows Linux users to
purchase music from the iTunes Music Store and requires users
to have an iTunes account. Mr. Johansen says the purpose of the
software is not to strip copy-protection from iTunes files,
but, rather, that copy-protection is built into the iTunes
software and did not need to be replicated in PyMusique.
Apple's iTunes terms of service prohibit users from accessing the
iTunes store with unauthorized software.
http://news.com.com/DVD+Jon+reopens+iTunes+back+door/2100-1027_3-5630703.html
The Institute for Information Infrastructure Protection (I3P)
accepts no responsibility for any errors or omissions in this e-mail.
The information presented is a compilation of material from various
sources and has not been verified by staff of the I3P. Therefore,
the I3P cannot be made responsible for the factual accuracy of
the material presented. The I3P is not liable for any loss or
damage arising from or in connection with the information
contained in this report. It is the responsibility of the user to
evaluate the content and usefulness of this information.
References in this e-mail to any specific commercial products,
processes, or services by trade name, trademark, manufacturer, or
otherwise, do not constitute or imply endorsement,
recommendation, or favoring by the I3P. I3P is a research, not
operational, organization, and makes its Security in the News
e-mail available as a public service on a best-effort basis.
Security in the News will be sent out on most business days, but
not all.
The Institute for Information Infrastructure Protection
45 Lyme Road, Suite 300
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: listmanager@xxxxxxxxxx
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
EDUCATIONAL CYBERPLAYGROUND
http://www.edu-cyberpg.com
Copyright statements to be included when reproducing
annotations from Network Newsletter.
The single phrase below is the copyright notice to be used when
reproducing any portion of this report, in any format.
> From Network Newsletter copyright
> Educational CyberPlayGround.
http://www.edu-cyberpg.com/Community/NetworkNewsletters.html
Net Happenings, K12 Newsletters, Network Newsletters
http://www.edu-cyberpg.com/Community/
FREE EDUCATION VENDOR DIRECTORY LISTING
http://www.edu-cyberpg.com/Directory/
HOT LIST REGISTRY OF K12 SCHOOLS ONLINE
http://www.edu-cyberpg.com/Schools/
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>