[Security-News] December 14, 2005 update
- From: Educational CyberPlayGround <admin@xxxxxxxxxxxxxxx>
- To: NetworkNewsletters@xxxxxxxxxxxxx
- Date: Thu, 15 Dec 2005 09:50:32 -0500
**************************************************************
Network Newsletters Mailing List ©1994
Subscribe - Unsubscribe - Email Preferences
http://www.edu-cyberpg.com/Community/NetworkNewsletters.html
Educational CyberPlayGround Community Mailing Lists
http://www.edu-cyberpg.com/Community/
Advertise Network Newsletters Guidelines
http://www.edu-cyberpg.com/Community/Subguidelines.html
**************************************************************
*********************************************************************
Emergency Communication Disaster Plan Check List
HISTORY - have we learned anything yet?
Is your State Prepared? Does your school have a plan?
WHAT TO DO TO GET READY AND THINK ABOUT WHAT YOU'LL NEED
The Personal Disaster Plan
http://www.edu-cyberpg.com/Technology/disaster.html
*********************************************************************
SECURITY IN THE NEWS
updated on December 14, 2005
This report is available on the web at
http://www.thei3p.org/news/today.html
HOMELAND SECURITY & INFRASTRUCTURE PROTECTION
US government slammed for failing on cybersecurity:
Techworld, 2005-12-14
Senate committee OKs national alert bill:
Federal Computer Week, 2005-12-13
CYBERCRIME-HACKING
China denies network attacks:
Sydney Morning Herald, 2005-12-14
Regulators warn of SMS stock scam:
Sydney Morning Herald, 2005-12-14
POLITICS-LEGISLATION
Europe to pass tough new data retention laws:
Silicon.com, 2005-12-14
MALWARE
Fake virus phishing scam targets McAfee:
Federal Computer Week, 2005-12-14
TECHNOLOGY
The penguin's not really coming:
Sydney Morning Herald, 2005-12-14
From passwords to 'passthoughts':
Sydney Morning Herald, 2005-12-14
Microsoft products earn Common Criteria certification:
Government Computer News, 2005-12-14
StealthText, Should You Choose to Accept It:
EWeek.com, 2005-12-13
VULNERABILITIES & EXPLOITS
Opera struck by bizarre hidden hole:
Techworld, 2005-12-14
Critical Explorer hole patched:
Techworld, 2005-12-14
BEST PRACTICES & RISK MANAGEMENT
City firms warned on disaster recovery plans:
Silicon.com, 2005-12-14
CIVIL & CONSUMER ISSUES
Dutch piracy link site returns:
The Register, 2005-12-14
HOMELAND SECURITY & INFRASTRUCTURE PROTECTION
Title: US government slammed for failing on cybersecurity
Source: Techworld
Date Written: 2005-12-14
Date Collected: 2005-12-14
The Cyber Security Industry Alliance (CSIA) has issued poor
grades to the US federal government on a set of twelve
cybersecurity priorities. Paul Kurtz, executive director of CSIA,
describes federal research and development as "in crisis" due to
a lack of "leadership, hard work and execution". The only
priority to receive a grade as high as 'B' was progress towards
ratifying the Council of Europe's Convention on Cybercrime.
Efforts to track the cost of cyberattacks, promote cybersecurity
corporate governance, and encourage information sharing between
the government and industry all received a 'D'. CSIA also named
13 new priorities for 2006, recommending that the government pass
a data breach notification law, increase funding for
cybersecurity research, and promote telework as a way to create
backup networks.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4996
Title: Senate committee OKs national alert bill
Source: Federal Computer Week
Date Written: 2005-12-13
Date Collected: 2005-12-14
The Senate Commerce, Science and Transportation Committee has
approved the Warning, Alert and Response Network (WARN) Act for
consideration by the full Senate. The WARN Act would create a
national alert system that sends emergency messages over
television and radio broadcasts, e-mail, cell phones, the
Internet, and other media. The National Oceanic and Atmospheric
Administration would also receive authorization for a tsunami
warning system on the Pacific Coast. The federal government
currently uses only radio, television, and cable in its
Emergency Alert System. The goal of the bill is to "ensure that
regardless of where individuals are or what kind of
communication technologies they are using, they would receive a
life-saving alert".
http://www.fcw.com/article91713-12-13-05-Web&RSS=yes
CYBERCRIME-HACKING
Title: China denies network attacks
Source: Sydney Morning Herald
Date Written: 2005-12-14
Date Collected: 2005-12-14
China defended itself against charges that the systematic attacks
against US government computers called "Titan Rain" were
orchestrated by the Chinese military. Stating that hacking is
illegal in China, a government representative asked for proof
that the attacks originated within China's military.
http://www.smh.com.au/news/breaking/china-denies-network-attacks/2005/12/14/1134500885503.html
Title: Regulators warn of SMS stock scam
Source: Sydney Morning Herald
Date Written: 2005-12-14
Date Collected: 2005-12-14
The National Association of Securities Dealers (NASD) warned in
an "investor alert" that text messages are now being used in
"pump and dump" stock fraud schemes. Until recently, most such
touting of small stocks to inflate their value was conducted on
internet message boards and in financial publications. John
Gannon, NASD's vice-president for investor education, said that
"The emergence of text messaging offers fraudsters another cheap
and easy way to reach large numbers of potential investors," and
reminded investors that they should "never to rely solely on
information from an unsolicited source".
http://www.smh.com.au/news/breaking/regulators-warn-of-sms-stock-scam/2005/12/14/1134500881454.html
POLITICS-LEGISLATION
Title: Europe to pass tough new data retention laws
Source: Silicon.com
Date Written: 2005-12-14
Date Collected: 2005-12-14
The European parliament has passed "new, far-reaching data
retention legislation for the telecommunications industry". The
directive will require ISPs and telecommunications companies to
maintain data on "every electronic message sent or phone call
made for between six months and two years". While content will
not be recorded, "data including the time of each fixed and
mobile phone call made in Europe, whether the call is answered
or not, the duration of the call and other details that can
trace the caller, as well as times users connect to the
internet, their IP addresses and details pertaining to emails
and VoIP calls" must be kept. Telecom companies have expressed
concern about the financial impact, and privacy advocates worry
about the rights of European citizens. Implementation is
expected as early as next year.
http://networks.silicon.com/telecoms/0,39024659,39155062,00.htm
MALWARE
Title: Fake virus phishing scam targets McAfee
Source: Federal Computer Week
Date Written: 2005-12-14
Date Collected: 2005-12-14
Phishing emails pretending to contain a warning from McAfee
describe a nonexistent virus called Kongo31.XRW and link to a
Canadian-hosted website masquerading as an official McAfee site.
The link downloads a file called ak26xrw-patch-installer-win32.exe
that carries Trojan-Downloader.Win32.Hanlo.h. McAfee does publish
virus alerts via links in emails, so users are cautioned to trust
only email from AVERT_Advisory@xxxxxxxxxxxxx and
subscriptions@xxxxxxxxxxx
http://www.zdnet.com.au/news/software/soa/Fake_virus_phishing_scam_targets_McAfee/0,2000061733,39227707,00.htm
TECHNOLOGY
Title: The penguin's not really coming
Source: Sydney Morning Herald
Date Written: 2005-12-14
Date Collected: 2005-12-14
According to research firm Forrester, Australia and New Zealand
are far behind North America in the adoption of Linux and other
open source software. Forrester surveyed 125 companies in the
region, finding that only 18% used Linux and 11% were
considering its use within the next year. Adoption of Linux is
three times as high among North American companies. The public
sector tends to favor open source software more than the private
sector, but rates are still low at 36% for Linux and 45% using
at least one open source application, such as Apache or MySQL.
Factors leading to the lower rates of adoption are the cost of
support and industry's confusion when choosing between various
open source options.
http://www.smh.com.au/news/breaking/the-penguins-not-really-coming/2005/12/14/1134500901855.html
Title: From passwords to 'passthoughts'
Source: Sydney Morning Herald
Date Written: 2005-12-14
Date Collected: 2005-12-14
Julie Thorpe, a researcher at Carleton University in Ottawa,
suggests it may be possible to develop technology to recognize
'passthoughts', passwords that users will need to only think to
access a computer system. Brainwave patterns vary from person to
person, allowing their use as a biometric identifier. Users could
also use images or childhood memories as passthoughts. However,
such a system requires better MMI (mind-machine interface) and
proof that users would be able to generate the same thought on
demand. Thorpe's research is primarily focused on developing
computer interfaces for the paralyzed.
http://www.smh.com.au/news/breaking/from-passwords-to-passthoughts/2005/12/14/1134500895603.html
Title: Microsoft products earn Common Criteria certification
Source: Government Computer News
Date Written: 2005-12-14
Date Collected: 2005-12-14
A number of Microsoft products, including various versions of
Windows Server 2003 and Windows XP, have earned Common Criteria
certification at Evaluation Assurance Level (EAL) 4+. Microsoft
chief executive Steve Ballmer says the certification shows the
great progress Microsoft has made toward its goal of improving
the security of its products. Common Criteria certification for
the United States is managed by the National Information
Assurance Partnership. The highest level of certification is 7.
http://www.gcn.com/vol1_no1/daily-updates/37775-1.html?CMP=OTC-RSS
Title: StealthText, Should You Choose to Accept It
Source: EWeek.com
Date Written: 2005-12-13
Date Collected: 2005-12-14
StealthText, a service available from Staellium UK Ltd., "enables
senders to punch in a self-destruct code when they send text
messages" so that, once the link to the message is opened, the
message will disappear in about 40 seconds. The service works
via SMS (Short Message Service) and WAP (Wireless Application
Protocol) phones. The product is expected to appeal to executives
handling sensitive information, as well as celebrities, and has
"attracted interest from defense and intelligence agencies". The
company plans to expand its offering in 2006 to include
self-destructing e-mail, voice messages and pictures. The service
will have to comply with European Union data retention laws, however.
http://www.eweek.com/article2/0,1759,1901368,00.asp
VULNERABILITIES & EXPLOITS
Title: Opera struck by bizarre hidden hole
Source: Techworld
Date Written: 2005-12-14
Date Collected: 2005-12-14
Secunia has advised users of the Opera web browser of a
mouse-click bug which attackers could exploit to trick users into
running malicious code. The bug can create a file download dialog
box that is still sensitive to mouse-clicks beneath a new window.
Since the dialog opens in a predictable place, a link on the new
window could lead users to unknowingly click 'Run' on the
invisible dialog box. Secunia notified Opera in June and the bug
was fixed in July, though details were kept secret until
Microsoft could fix a similar bug in Internet Explorer.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5000
Title: Critical Explorer hole patched
Source: Techworld
Date Written: 2005-12-14
Date Collected: 2005-12-14
Microsoft's December 2005 patch release includes four critical
patches for Internet Explorer. One is a critical JavaScript flaw
that could allow attackers to run malicious code, but would
require the user to visit a malicious website first. An exploit
is already circulating in the wild. The December patches also
include an 'important' fix for the Windows 2000 kernel and an
update for the Microsoft Malicious Software Removal Tool to
remove Sony's XCP rootkit.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4994
BEST PRACTICES & RISK MANAGEMENT
Title: City firms warned on disaster recovery plans
Source: Silicon.com
Date Written: 2005-12-14
Date Collected: 2005-12-14
According to a study of sixty financial firms by the United
Kingdom's Financial Services Authority (FSA), many financial
services providers are unprepared for a terrorist attack or
natural disaster since their off-site backup facilities are all
in London. The concentration of backup systems in one major city
makes it likely that they would not be available during a crisis
in that city. More than half have no plans for dealing with staff
fatalities. The study also found lax security; one in three admit
not conducting background checks on new employees. While the core
of the British financial system should withstand a disaster,
these factors also create serious weaknesses.
http://www.silicon.com/financialservices/0,3800010322,39155054,00.htm
CIVIL & CONSUMER ISSUES
Title: Dutch piracy link site returns
Source: The Register
Date Written: 2005-12-14
Date Collected: 2005-12-14
The Dutch website Releases4U has restarted one year after it was
closed down by tax and economic crime authorities. The site
claims that providing links to pirated files is not illegal as
long as the site itself does not host them. Anti-piracy
organization BREIN warns it will be taking "immediate action".
http://www.theregister.co.uk/2005/12/14/releases4u_returns/
The Institute for Information Infrastructure Protection (I3P)
accepts no responsibility for any error or omissions in this e-mail.
The information presented is a compilation of material from various
sources and has not been verified by staff of the I3P. Therefore,
the I3P cannot be made responsible for the factual accuracy of
the material presented. The I3P is not liable for any loss or
damage arising from or in connection with the information
contained in this report. It is the responsibility of the user to
evaluate the content and usefulness of this information.
References in this e-mail to any specific commercial products,
processes, or services by trade name, trademark, manufacturer, or
otherwise, does not constitute or imply endorsement,
recommendation, or favoring by the I3P. I3P is a research, not
operational, organization, and makes its Security in the News
e-mail available as a public service on a best-effort basis.
Security in the News will be sent out on most business days, but
not all.
The Institute for Information Infrastructure Protection
45 Lyme Road, Suite 300
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: listmanager@xxxxxxxxxx
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
Copyright statements to be included when reproducing
annotations from Network Newsletters
The single phrase below is the copyright notice to be used when
reproducing any portion of this report, in any format:
EDUCATIONAL CYBERPLAYGROUND
http://www.edu-cyberpg.com
Network Newsletters copyright
http://www.edu-cyberpg.com/Community/NetworkNewsletters.html
FREE EDUCATION VENDOR DIRECTORY LISTING
http://www.edu-cyberpg.com/Directory/
HOT LIST REGISTRY OF K12 SCHOOLS ONLINE
http://www.edu-cyberpg.com/Schools/
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>