Security highlights from around the Web

Marian Prokop and Sharon Machlis

May 24, 2005 (Computerworld)

Now it's 'ransom-ware'
Here's another scheme to keep IT security managers up at night: hackers have come up with a new form of extortion to get quick cash from companies, the Associated Press reports via the Detroit News. In the scheme, hackers "lock up" data on a company's computer and leave a ransom note demanding money to get the data back. Experts call the stunt "ransom-ware." In one incident, a security researcher was able to unlock the data without paying the $200 ransom, but the fear is that the attacks will become harder to undo as hackers refine their skills. "This is equivalent to someone coming into your home, putting your valuables in a safe and not telling you the combination," said Symantec Corp. security manager Oliver Friedrichs. The practical defense is the same as for any attack that destroys data: current backups kept where an intruder on the machine cannot reach them, and tested so that the restore actually works.


The story of a cybercrime bust
For a compelling story on how a U.S. cybercrime unit snared 28 members of a worldwide gang of cybercriminals known as Shadowcrew, check out this article in BusinessWeek. The article gives a detailed account of how Secret Service agents and the FBI investigated the gang, which was reported to be involved in identity theft, bank fraud and other crimes. A raid on the group in October 2004 yielded arrests of Shadowcrew members in eight states and six countries and netted "1.7 million credit-card numbers, access data to more than 18 million e-mail accounts, and identity data for thousands of people including counterfeit British passports and Michigan driver's licenses."
While the arrests were a major disruption of organized crime, the investigators acknowledge that they are a drop in the bucket as more crime moves to the Web.


A socialite and social engineering
The posting of celebrity Paris Hilton's cellular phone address book was, in part, the result of a classic case of social engineering: a phone call to a T-Mobile store in Southern California. In this account in The Washington Post, an unidentified hacker who claimed he was involved in the theft gave details of the caper to a reporter via "online text conversations." The hacker told how he and a group of hackers duped a T-Mobile sales rep into giving out proprietary information that ultimately enabled them to steal information from the socialite's phone. One of the hackers called the store pretending to be a T-Mobile supervisor, and the employee divulged all the information requested.
The story is a reminder of the importance of instructing employees on security awareness, as Doug Schweitzer pointed out in a recent column. While his article came about from the appearance of variants to the Sober worm on the Internet, he also says, "Procedures for identity verification must be put into everyday practice, and employees need to be aware that no matter who is requesting information, be it a fellow employee or a higher-up in the organization, the requester's identity must be verified."



Jail time for software pirates

Three men in the U.K. will spend 18 months to two-and-a-half years in prison after they were convicted of software piracy, the BBC reports. The men were part of the "Drink Or Die" network, a group known for cracking digital copyright protections and illegally distributing the pirated software over the Internet. Four men in the U.S. pleaded guilty to similar crimes in 2003 (See story).

Can a security consultant be too paranoid?

In an article on SecurityFocus.com, author Mark Burnett pondered the question, which he was asked by a colleague. Granted, he says he uses three firewalls, and it takes five passwords to boot up his laptop and check e-mail. Among other telling comments: "I require my kids to use at least 14 character passwords on our home network" and "I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch." Burnett doesn't view it as paranoia but as strong security practice, or as he puts it, "meticulous precaution." While his habits may be understandable for someone in the security field, where he regularly sees the disastrous results of poor security, you have to wonder whether they make sense for everyone. There's a wide variety of opinion in the discussion at the end of the article.


Hello, it's me
BusinessWeek reports on biometric technologies that may be available in the next year or so to help in the war against identity theft. One is a voice-verification tool that would be useful at call centers: the customer's voice is recorded at enrollment, and when the customer calls again, the technology compares the caller's voice with the original recording to see if it matches.
The other device is a voice-verification tool that would be used to activate a new credit card. The user's credit card has an embedded sensor with his voice previously recorded in digital form. When it's time to replace the old card, the user speaks a password into the new card. If the voices match, the card is activated. While there are issues with both devices (what if the user has a cold or can't speak for some reason?), these tools could be new weapons in the arsenal against ID theft.


A just reward:
The Mozilla Foundation paid $2,500 to a German computer researcher who found five flaws in its open-source Web browser, vnunet.com reports. Michael Krax was given $500 for each bug and also received a Mozilla T-shirt. The reward is part of Mozilla's security bug bounty program, which offers incentives for users who report flaws in the software.


The missing 270,000:
The Mizuho Bank of Japan said this week it had lost personal account information on 270,000 customers. The missing data included "names, account numbers and transaction histories" of customers at the bank's 167 branches, according to Reuters via the Financial Times. The information disappeared over several years and bank officials believe it was accidentally discarded and not stolen. An internal investigation found no evidence that the data had been misused, the article said.
The news is another embarrassment for the bank, which has more than 30 million customers. When three of Japan's largest banks consolidated to become Mizuho Bank Ltd. in 2002, computer glitches disrupted service at the bank's 7,000 ATMs, resulting in 30,000 transaction errors (See story).


Almost four years for hacking:
A man who admitted breaking into the computer systems of Arkansas data company Acxiom Corp. was sentenced to 45 months in federal prison, according to SiliconValley.com via the Associated Press. Daniel Baas was a systems administrator at Market Intelligence Group, which had been hired to analyze data at Acxiom, when he gained unauthorized access and downloaded 300 encrypted password files of Acxiom clients, which he stored on computer disks at his home, the article said. Baas pleaded guilty to hacking charges and said he stole the data between January 2001 and January 2003. The company said the theft cost it $5.8 million.


Pushes for privacy:
With all the hoopla over identity theft recently involving institutions like ChoicePoint, LexisNexis and even Boston College, to name a few, one data broker is listening and said it would limit its sales of Social Security numbers, the Washington Post reports. Westlaw, an online legal research firm, said it would no longer provide corporate clients with access to Social Security numbers, while government offices, except for law-enforcement agencies, would now only receive partial numbers. The article notes that data-broker ChoicePoint and LexisNexis also have taken steps to restrict the amount of Social Security data they make available to clients. Congress has also stepped up and is considering proposals to ban the commercial sale of Social Security numbers.


Wireless woes:
With the popularity of wireless networks and the big stories about identity theft, you would think that more users would be paying attention to security. Not so. A new survey found that a third of companies using wireless networks had their security features turned off, the BBC reports. That figure is worse than last year, when 15% of surveyed companies admitted to not applying basic security. RSA Security, which commissioned Netsurity to conduct the survey, warned that as the popularity of Wi-Fi grows, networks that aren't secured will be detected and exploited. The survey, which involved Wi-Fi networks in London, Frankfurt, New York and San Francisco, also noted that many companies had failed to take such basic security precautions as reconfiguring default network settings.


Mail mess: The Washington Post has a compelling article (registration required) on how a simple clerical error put the confidential financial information of 73 bank customers at risk for identity theft. When a Wachovia Corp. customer started receiving the financial statements of other customers, he contacted the bank and a title company listed on the documents. Still, it took nine months for the problem to be resolved, leaving the personal data -- including the Social Security numbers -- of those customers vulnerable to identity theft. Fortunately, the customer who received the financial statements was an honest man who phoned and e-mailed the bank to correct the situation, but it still took months and a Post investigation to get the matter resolved.
While such cases are rare, they point "to the vulnerabilities in systems that have become so highly automated that small errors in the management of databases can quickly become amplified into major security breaches," say privacy advocates. The error occurred when a Wachovia clerk entered the customer's address incorrectly, causing the company's computer system to link it with other customers who bought real estate through the same title company. Wachovia said it has taken steps to prevent such an incident from happening again.


Banks, beware of phishers: Financial services firms continue to be the biggest target of phishing scams, reaching a new high of 85% of reported incidents in December, the Anti-Phishing Working Group said in its most recent report (PDF format). That's 10 percentage points higher than the previous month. And eight of the nine new brands "hijacked" during this period were financial institutions, the report found. The U.S. was the top location for hosting phishing sites, at 32%, with China (12%) and Korea (11%) following at a distance.

Take hints from consumers: More than 80% of adults said the security and accessibility of their online data are their key concerns when using online services, according to a Harris Interactive poll. About a quarter of those polled said they expect this online data, such as e-mail, music files, photos and financial information, to last forever. The poll results, which were released by Sun Microsystems, show the need for companies that provide these online services to have a solid storage strategy in place, said Mark Canepa, executive vice president of Sun Network Storage. The explosion in online data also explains part of the 3.5% growth in the enterprise disk storage industry in 2004, according to IDC.


Despite the fears after Sept. 11, cybercrime, not cyberterror, is the biggest worry for security managers, according to this article from CNN. The article notes that after Sept. 11 there were fears that terrorists would use the Internet to go after the nation's electronic infrastructure. However, the major security issues are in corporate and private computer networks, where IT managers must fight off spam, spyware and computer worms and viruses. "Although the threat of cyber-terrorism exists, the greatest risk to Internet communication, commerce and security is from cybercrime motivated by profit," said David Perry, global director of education at security company Trend Micro.

FBI project shelved: A draft report from the Inspector General's office for the Justice Department concludes that the FBI's Virtual Case File project will not succeed, Government Computer News reports. The FBI has already spent $170 million on the VCF project, which was intended to enable agents to conduct rapid, paperless information sharing (See Computerworld story). The GCN article, citing the report, said the project would be replaced by the "Federal Investigative Case Management System." The article said, "Technological developments since the beginning of the case management project in mid-2001 and the FBI's approach of adapting older systems to provide VCF components" means the agency wouldn't use any of the VCF technology for the new system. The FBI confirmed it had received the report, but had no comment on it, the article said.

December

Fighting cybercrime in the East: Computer security experts in India are working with Russian IT officials to fight cybercrime. The Hindustan Times reports that India's Cyber Emergency Response Team (CERT) has already signed a protocol with Russia on information security and that the two nations plan to work on preventing attacks from viruses, worms and malicious hackers. Russia is eager to learn about India's success in the software industry, so it can duplicate the efforts at home. "We want to retain talent within Russia, and Indian companies can work on projects in our country for customers in third countries like Europe and America," said Russian IT Minister Leonid D. Reiman.

Quit blaming users: Web usability expert Jakob Nielsen has an insightful column on why it's unreasonable to place the burden for computer security on users. Rather than user education, he recommends changing the technology to make it simpler and more automated. "Computer security is too complicated and the bad guys are too devious and inventive," Nielsen writes. "It's simply unrealistic to assume that average users can keep up with them." He also cites "stupid security warnings that people don't understand," such as "The security certificate has expired or is not yet valid. What does that mean to a normal person?" The article has some sensible suggestions on what security managers should do, such as using encryption, digital signatures and automated updates.


Security center at UT/Austin: The University of Texas at Austin is opening a Center for Information Assurance and Security with the goal of tackling the nation's growing cybersecurity problems. The center's objectives include research to develop innovative cybersecurity solutions and to "address the national need to produce more trained professionals in the field," the university said in a statement. The center's director is Frederick Chang, who recently left as president of technology strategy for SBC Communications to join the university's Department of Computer Sciences and to lead the center's efforts. While at SBC, Chang developed a security lab that investigated how to protect large-scale Internet networks.

November
Better database security: Software that can prevent databases from releasing unauthorized information is under development at Penn State, the university's Web site reports. Called QFilter, the software sits between users and databases and filters out unauthorized requests for data before the database responds to a query. "We have shifted the thinking from data filtering to query filtering," said Dongwon Lee, assistant professor at Penn State's School of Information Sciences and Technology. "This is a practical solution to the ongoing problem of database access controls." The software "uses a specialized model of computation known as non-deterministic finite automata (NFA), which stores a large number of access control policies in an efficient and non-redundant fashion." QFilter is not in its final version, and other applications are expected to be added.
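To make the query-filtering idea concrete, here is an added illustration in Python. It is not QFilter's own code, which the article does not reproduce; it shows how many path-style access rules can be compiled into a single NFA whose shared prefixes are stored once, and how a query's requested path is then checked against that automaton before anything is forwarded to the database. The path syntax (`/`-separated steps, `*` for exactly one step, `**` for zero or more steps), the roles, the rules and the sample queries are all constructed for the example.

```python
from collections import defaultdict

ANY = "*"    # pattern step: matches exactly one path step
DESC = "**"  # pattern step: matches zero or more path steps (self-loop label)
EPS = ""     # epsilon edge: followed without consuming a path step


class PolicyNFA:
    """One NFA holding every access rule; accepting states carry the roles allowed."""

    def __init__(self):
        self.trans = defaultdict(dict)   # state -> edge label -> target state
        self.accept = defaultdict(set)   # state -> set of roles permitted at that path
        self.n = 1                       # next free state id; state 0 is the start

    def _new_state(self):
        s = self.n
        self.n += 1
        return s

    def _edge(self, s, label):
        # Reuse an existing edge so that rules with a common prefix share states
        # (this is what keeps the stored policy set non-redundant).
        if label not in self.trans[s]:
            self.trans[s][label] = self._new_state()
        return self.trans[s][label]

    def add_rule(self, role, pattern):
        """Grant `role` read access to every path matched by `pattern`."""
        s = 0
        for step in pattern.strip("/").split("/"):
            if step == DESC:
                t = self._edge(s, EPS)   # epsilon into a looping state ...
                self.trans[t][DESC] = t  # ... that swallows any number of steps
                s = t
            else:
                s = self._edge(s, step)  # literal step or ANY
        self.accept[s].add(role)

    def _closure(self, states):
        # Follow epsilon edges until no new state is reachable.
        todo, seen = list(states), set(states)
        while todo:
            t = self.trans[todo.pop()].get(EPS)
            if t is not None and t not in seen:
                seen.add(t)
                todo.append(t)
        return seen

    def roles_for(self, path):
        """Simulate the NFA over the requested path; return roles allowed to read it."""
        current = self._closure({0})
        for step in path.strip("/").split("/"):
            nxt = set()
            for s in current:
                for label in (step, ANY, DESC):      # literal, one-step, loop
                    t = self.trans[s].get(label)
                    if t is not None:
                        nxt.add(t)
            current = self._closure(nxt)
            if not current:
                return set()                          # dead: no rule covers this path
        roles = set()
        for s in current:
            roles |= self.accept[s]
        return roles

    def authorize(self, role, path):
        return role in self.roles_for(path)


def build_demo_nfa():
    """Constructed rule set for a hypothetical clinical records store."""
    nfa = PolicyNFA()
    nfa.add_rule("nurse", "/patients/*/name")
    nfa.add_rule("nurse", "/patients/*/appointments/**")
    nfa.add_rule("doctor", "/patients/**")
    nfa.add_rule("hr", "/staff/*/payroll")
    nfa.add_rule("staff", "/staff/directory/*")
    return nfa


def filter_queries(nfa, queries):
    """Query filter: pass only (role, path) requests the policy NFA accepts."""
    return [(role, path, nfa.authorize(role, path)) for role, path in queries]


if __name__ == "__main__":
    demo = build_demo_nfa()
    sample = [("nurse", "/patients/1042/name"),
              ("nurse", "/patients/1042/diagnosis"),
              ("nurse", "/patients/1042/appointments/2004/11"),
              ("staff", "/staff/bob/payroll"),
              ("hr", "/staff/bob/payroll")]
    for role, path, ok in filter_queries(demo, sample):
        print(f"{role:7} {path:40} {'forward' if ok else 'REJECT'}")
```

The filter never sees the data: it decides on the query alone, which is the shift from data filtering to query filtering the article describes. The five constructed rules comprise fifteen pattern steps but only eleven non-start states, because `/patients/*` and `/staff` are stored once and shared.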


Microsoft security update: Patch Tuesday came this month with Microsoft reporting one vulnerability, which involved its Internet Security and Acceleration (ISA) Server 2000 and Proxy Server 2.0. "The vulnerability could enable an attacker to spoof trusted Internet content," Microsoft said, and recommended that users install the update at the earliest opportunity. The company rated the flaw "important" rather than "critical," its highest severity level. Users could be tricked into thinking they are accessing a certain Web site when they are actually accessing malicious Internet content, the company said. "However, an attacker would first have to persuade a user to visit the attacker's site to attempt to exploit this vulnerability."


Going for greed: Motivations of malware writers are shifting from fame and notoriety to money, according to research from antivirus firm Trend Micro. The company's research arm observed that 47% of malware detected in October were Trojan horses, compared with 30% the previous month. "Backdoor programs together with Trojans make up almost 65% of detected malware. Because these malware are the main vector for information theft, this data shows that the motivation of malware authors is shifting from the traditional goal of claiming fame and notoriety to the pursuit of profit and monetary rewards." The company also noted that malware discoveries were up 22% to 1,817 in October. New variants of the MyDoom and Bagle worms also showed a resurgence of those pests last month.


Hacking indictment: A former University of Texas student was indicted this week on charges that he broke into the school's computer systems and stole personal data on more than 37,000 students and employees, according to the Associated Press via SecurityFocus. The break-in occurred in February or March 2003, and the university spent $167,000 responding to the theft and sending warnings to possible victims of identity theft. Christopher Andrew Phillips, 21, faces charges of fraud and storing credit card and bank account information with intent to defraud. His lawyer says Phillips had no criminal intent. "He didn't use any hacking tools. The system was open," lawyer Alan Williams is quoted as saying. The story adds that Phillips had told officials that he didn't intend to use the information to hurt anyone.


Security Webcasts: The SANS Institute is running free Webcasts that look worthwhile: "Internet Storm Center: Threat Update" on Nov. 10, and "What Works in Vulnerability Management and Remediation." A free registration is required.


October
Federal agencies have started releasing their security audit reports, which are used in the government's annual computer security report card, SecurityFocus.com reports. Many agencies in the past haven't scored well (see story) although the reports suggest some are doing better. The Social Security Administration, which earned a "B+" last year, reported that it "suffered no security incidents at all in the 2004 fiscal year . . . no root or user compromises, no defacements, no viruses and no DDoS attacks," the article says.
The Department of Energy, which received an "F" for the past two years, showed some improvement, but the audit found, among other things, that "problems continue to exist in the Department's unclassified cyber security program that, if uncorrected, could expose critical systems to compromise." Final grades will be announced later this year.


Phishing for Red Hat users: Malicious hackers have sent out a fake e-mail that claims a buffer overflow vulnerability has been found in Red Hat software. Users are "strongly advised" to immediately download and install a "fix" from a page at www.fedora-redhat.com.
Actually, the alleged patches "contain malicious code designed to compromise the systems they are run on," according to a notice on Red Hat's Web site. The tell is the domain: fedora-redhat.com is a separate registrable domain that merely resembles the vendor's, whereas a genuine Red Hat host would sit under redhat.com. Whatever the source, a package's GPG signature should be verified against the vendor's key before installation.
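As an added example, not taken from Red Hat's notice or from the phishing mail itself, the Python below pulls every link out of a message, reduces each link's host to its registrable domain and compares that against an allowlist of domains the vendor actually controls, flagging hosts that contain the vendor's name without belonging to it. The sample message, the allowlist and the small public-suffix table are constructed for this example; production code should use the full Public Suffix List rather than the three entries shown.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the vendor controls. Anything
# that only *looks* like one of these is treated as a look-alike.
TRUSTED_DOMAINS = {"redhat.com"}

# Constructed stand-in for the Public Suffix List: suffixes that occupy two
# labels, so the registrable domain is the last three labels, not two.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host):
    """Return the part of `host` that a registrant actually owns."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(host, trusted):
    """Return the trusted domain `host` imitates, or None.

    A host is a look-alike when the trusted brand label appears anywhere in it
    once dots and hyphens are removed (fedora-redhat.com -> 'fedoraredhatcom',
    redhat.com.example.net -> 'redhatcomexamplenet'), yet the host's
    registrable domain is not the trusted one.
    """
    collapsed = host.lower().replace("-", "").replace(".", "")
    for t in trusted:
        brand = t.split(".")[0]
        if brand in collapsed:
            return t
    return None


def classify_link(url):
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    if lookalike_of(host, TRUSTED_DOMAINS):
        return "lookalike"
    return "untrusted"


def audit_message(text):
    """Map every URL in the message body to trusted / lookalike / untrusted."""
    return {url: classify_link(url) for url in URL_RE.findall(text)}


# Constructed lure modelled on the one described above; links end at whitespace
SAMPLE_MAIL = """\
Subject: Buffer overflow in Red Hat packages: urgent fix
A buffer overflow has been found in several packages.
You are strongly advised to download and install the fix at
http://www.fedora-redhat.com/fix/patch.tar.gz
immediately. The official advisory is at https://www.redhat.com/security/
and mirrors are listed at http://fedora.redhat.com/download/
An additional mirror: http://redhat.com.example.net/update
"""

if __name__ == "__main__":
    for url, verdict in audit_message(SAMPLE_MAIL).items():
        print(f"{verdict:9} {url}")
```

The distinction the code draws is the one users are asked to draw by eye: `fedora.redhat.com` is inside `redhat.com`, while `fedora-redhat.com` and `redhat.com.example.net` are not, however familiar they read. Even a link that passes this check only tells you where a file was fetched from; on the host, `rpm --checksig <package>` against the vendor's imported key is what establishes that the package is the vendor's.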



Risk from ex-employees: Vnunet reports on a survey that found that 23%, or nearly one in four businesses, are at risk of data theft or worse because they take too long to remove the access rights of former employees. The survey of 1,400 IT professionals, conducted by Citrix Systems, an access infrastructure vendor, found that a fifth of companies leave "corporate networks exposed to the threat of data theft and attacks by former staff by failing to revoke former staff IT access rights for weeks, months and in some cases years after they have left." The survey also said that e-mail was at the highest risk from ex-staffers remotely accessing data, while "confidential company documents, contact databases and administration systems were also at high risk."
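The check a practitioner would run against this finding is a reconciliation of the HR leaver list with the directory's enabled accounts. The Python below is an added example, not part of the Citrix survey or any vendor's tooling: it reports every former employee whose account is still enabled past a grace period, how many days it has been exposed, and whether it has actually been used since the person left. The CSV layouts, column names, people and dates are constructed.

```python
import csv
from datetime import date
from io import StringIO

# Constructed HR export: one row per former employee and their last working day
HR_LEAVERS = """\
username,name,last_day
jdoe,Jane Doe,2004-07-30
bsmith,Bob Smith,2004-09-15
klee,Kim Lee,2004-10-01
"""

# Constructed directory export: every account, its state and last logon date
DIRECTORY = """\
username,enabled,last_logon
jdoe,true,2004-10-12
bsmith,false,2004-09-14
klee,true,2004-09-30
mchen,true,2004-10-14
"""


def parse_csv(text):
    return list(csv.DictReader(StringIO(text)))


def orphaned_accounts(hr_csv, dir_csv, today, grace_days=1):
    """Return (username, days_exposed, used_after_leaving) for every leaver
    whose account is still enabled more than `grace_days` after their last day,
    most-exposed first."""
    leavers = {row["username"]: date.fromisoformat(row["last_day"])
               for row in parse_csv(hr_csv)}
    report = []
    for acct in parse_csv(dir_csv):
        user = acct["username"]
        # Current staff and already-disabled accounts are not findings
        if user not in leavers or acct["enabled"].strip().lower() != "true":
            continue
        last_day = leavers[user]
        days_exposed = (today - last_day).days
        if days_exposed <= grace_days:
            continue
        last_logon = date.fromisoformat(acct["last_logon"])
        # A logon after the last working day is the urgent case: the access
        # was not merely left open, it was exercised.
        report.append((user, days_exposed, last_logon > last_day))
    return sorted(report, key=lambda r: -r[1])


def demo_report(today_iso="2004-10-15"):
    """Run the reconciliation over the constructed exports as of `today_iso`."""
    return orphaned_accounts(HR_LEAVERS, DIRECTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, days, used in demo_report():
        flag = "USED AFTER LEAVING" if used else "idle"
        print(f"{user:8} enabled {days:3d} days after departure  {flag}")
```

Run daily against real exports, the two interesting numbers are the count of rows (how many accounts the deprovisioning process missed) and the age of the oldest one (how long the process has been missing them); the `used_after_leaving` flag is what should page someone rather than wait for the weekly report.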



Islamic hacking? Meanwhile, The Guardian cites a U.K.-based Internet security company that found hackers from Muslim countries are targeting Western companies in politically motivated cyberattacks worldwide. "We have seen a lot of attacks on multinational corporations in the G7 countries. Some of them are well-known consumer brand names and ... banks," said D.K. Matai, the chairman of mi2g, in the article. Matai said his company had noticed more cooperation among hacking groups in Morocco, Turkey, Saudi Arabia and Kuwait. "They call for American troops to get out of Iraq, Israelis out of Palestine and Russians out of Chechnya," he said. The article notes that industry insiders called mi2g's report "alarmist" and that "political hacking among Internet groups is common."



More reason to worry: Cybercriminals are taking advantage of weak security at business Web sites to steal valuable customer data, the BBC reports. Adding insult to injury is the widespread use of extortion to force the businesses to pay up to get their customer lists back. While the main targets were gambling sites where users bet on sporting events, the thieves have moved on to business sites that don't adequately protect themselves.

"Lax security, improperly configured firewalls, unpatched programs and poor antivirus efforts all allow the criminals to get access to businesses," said Detective Chief Superintendent Mick Deats, head of the UK's National Hi-Tech Crime Unit. This isn't new but it bears repeating.
You might want to look at Douglas Schweitzer's column this month on the 12 mistakes security managers make for more ideas on how to safeguard your networks.



Security spending: Vnunet reports on an Ernst & Young study that found investments in IT security aren't delivering an appropriate return. Despite spending on antivirus software, intrusion detection and antispam products, companies remained at risk because of insufficient staff training, malicious attacks from ex-employees and lack of direction from upper management, the Global Information Security Survey 2004 found. The firm based its findings on interviews at 1,230 companies in 51 countries. You can read the full report on the Ernst & Young Web site (.pdf format).



Viruses and zombies and it's not Halloween yet: Computer security company Trend Micro detected 1,485 viruses in September, nearly six times the 250 spotted a year ago. Of those, 45% were Trojan horses attempting to steal personal data, the company said. The company also reported a "surge in zombie networks," saying it had found 400 such programs in the past month compared with 17 a year ago.
Meanwhile, antivirus software company Sophos said it found 1,150 new viruses in September, and that the Zafi-B and Netsky-P viruses took the top spots for the last month in causing trouble to computer users.



October is Cyber Security Awareness Month: The National Cyber Security Alliance, a group devoted to raising awareness of Internet security, declared October National Cyber Security Awareness Month and announced results of a straw poll that showed average computer users underestimate the risk of cyberthreats. The poll of 493 users found that 30% believed they were more likely to get struck by lightning, audited by the IRS or win the lottery than be the victim of a security breach. It also noted that while 90% of those polled recalled the name of the controversial entertainer at the Super Bowl, less than 60% could remember the last time they updated their antivirus software. While primarily focused on consumers, home office users and a K-12 education audience, some of its tips make sense for corporate users.
September blog


New job for Sasser writer: A German firewall company has hired 18-year-old Sven Jaschan, the virus writer who admitted to being the creator of the Sasser worm and Netsky viruses and who faces charges of computer sabotage and other crimes (see story). Silicon.com reports that the company, Securepoint, plans to train Jaschan as a security programmer. The company concluded that Jaschan "had knowledge in the field and deserved a chance to prove himself."
Other security companies disagree, saying it would be wiser to have the "reformed script kiddy" working on games or Web design. Graham Cluley of Sophos notes that the company that hired Jaschan faces the challenge of "reassuring the media and its customers that it has not set a precedent by 'rewarding' those who may have only months before been launching attacks against innocent computer systems."


FTC: Show 'em the money: Bounties of $100,000 to $250,000 would be needed to get citizens to turn in spammers, according to a Federal Trade Commission report , and even then, other obstacles could keep these people from coming forward. The report was commissioned by Congress to assess the value of a bounty system in improving enforcement of the CAN-SPAM Act, which became law Jan. 1 (see story).
The report notes that the most likely whistleblowers are "insiders," or people who know the spammers personally or are business associates. These prospective informers would weigh the reward against such uncertainties as whether the information would actually be used; the likelihood of successful legal action; personal liability for their own part in a scheme; whether they would lose a lucrative income stream; whether they could lose their anonymity; and whether the spammer would retaliate against them. The FTC couldn't come up with a specific amount that would allay those concerns, but concluded that $100,000 to $250,000 was in the ballpark.



Looking for a day job: The writers of the most recent version of the MyDoom worm embedded a message in their code that says they're looking for work in the antivirus business, Sophos, an antivirus software company, reports on its Web site. "We searching 4 work in AV industry," is a message hidden in the code which isn't displayed on infected users' computers.

"It's hard to tell if the creators of these new versions of the MyDoom worm are being serious, but there is no way that anybody in the antivirus industry would touch them with a barge pole," says Graham Cluley, senior technology consultant for Sophos. "Not only is it unethical to write malicious code, but it raises issues as to whether you could ever be trusted to develop the software which protects millions of users around the world from attack every day."



Will you take the bait?: Think you won't be fooled by a phishing scam? E-mail security company MailFrontier has a quiz that may surprise you. The test involves links to 10 e-mails that were received by real people. You have to click on the link and decide whether the e-mail is legitimate or phony. My score was 7 out of 10 correct answers, barely respectable and a good reminder of how sneaky these phishers are and how careful you have to be with e-mails.


Separately, security company TruSecure is offering a Webinar to examine the legal implications of phishing on Thursday, Sept. 16, from 10 a.m. to 2 p.m. Eastern. Chat with Marne Gordan, director of regulatory affairs at TruSecure, from your desktop about such issues as spamming vs. phishing, what to do if you become "phish" bait, and the legal ramifications of "phishing." To quote from the Web site, "How can an organization defend itself against the use of its brand in a phishing scam, and what is its responsibility to protect consumers once such a scam has been perpetrated?" A free registration is required.


Global security chat: Hear the CIOs of two worldwide companies discuss the challenges of network security in this Webcast on Cisco Systems' ExecNet. CIOs Doug Busch of Intel Corp. and Brad Boston of Cisco discuss "Balancing Open Communications with Security" in this 10-minute program. ExecNet is a series of Webcasts in which Cisco executives discuss the impact of technology on business with other corporate leaders.

August blog
Aiming at the GOP: Republican Web sites, such as GeorgeWBush.com and GOP.com, will be the targets of online protesters during the GOP National Convention later this month. This article from Wired says that some hacking groups plan to distribute software tools that would cause disruptions similar to denial-of-service attacks. "We want to bombard [the Republican sites] with so much traffic that nobody can get in," someone called CrimethInc, a member of the Black Hat Hackers Bloc, said. While neither Republican party officials nor the network services company hired for the convention would comment, other protest groups are critical of the planned attacks. These groups note that such electronic disruptions violate the same free speech rights that activists apply to demonstrations.


A disconcerting trend: Meanwhile, NewsFactor reports on an unsettling relationship that has developed between the shadier spammers and virus writers. Gone are the days when worms were created by people who wanted to find out what they could achieve technically, or see how much damage they could cause, says Panda Software CTO Patrick Hinojosa. The article says organized criminal groups are working with spammers to devise viruses "to steal financial information on a massive scale." It cites the example of the Scob worm, which was the work of a group of Russian virus writers (see story) intent on stealing credit card and other financial data. Sophos PLC says criminal types are also using extortion tactics, such as threatening to launch a denial-of-service attack against a Web site unless the owners "pay protection money."


Overheard in Athens: Security officials for the Summer Olympic Games are using highly sophisticated software, including surveillance cameras with intelligence-gathering skills, CNN reports via the Associated Press. The security system, developed by a consortium led by San Diego-based Science Applications International Corp. at a cost of about $312 million, uses images and audio from an electronic web of more than "1,000 high-resolution and infrared cameras, 12 patrol boats, 4,000 vehicles, nine helicopters, a sensor-laden blimp and four mobile command centers."
The technology allows the users of the system to save and analyze data from the surveillance network. It also parses words and phrases collected by surveillance cameras and in communications traffic and can "understand" Greek, English, Arabic, Farsi and all major European languages. The surveillance has angered some who have protested it as an invasion of privacy. There's more on Olympic security in this article from the IDG News Service.


Your face vs. your fingerprints: A computer-matching technology to identify facial characteristics will be implemented by the State Department on new passports next spring despite warnings that the technology has a high error rate, The Washington Post reports. (A free registration is required.) Researchers and biometrics experts quoted in the article, and even a privacy advocate, said that fingerprints are far more reliable for the State Department's purposes of proving identity, preventing forgery and ultimately thwarting terrorism. The facial technology has an error rate of as high as 50% depending on whether proper lighting is used, the experts said. But the State Department chose the technology because "travelers are accustomed to submitting photographs and would find giving fingerprints to be intrusive."
The technology uses "a chip woven into the cover of the passport that contains a digital photograph of the traveler's face. That photo could then be compared with an image of the traveler taken at the passport control station, and also matched against photos of people on government watch lists."
Meanwhile, Computerworld's Jai Vijayan reports that large companies are showing reluctance to invest in biometric technologies (see story).


No rest for virus stompers: Virus writers kept antivirus software companies busy last month, sending out 1,157 new viruses in July, according to Sophos. The most prevalent was the Zafi-B worm, which continued to dominate Sophos' Top 10 viruses chart for July, claiming 59% of reported incidents. The Zafi-B also retained the No. 1 spot on Kaspersky Lab's Top 20 list, with Netsky a distant second at just under 12% of reported incidents. Central Command, however, had Netsky.p at the top of its Dirty Dozen list with 34% of its reported incidents, while the Zafi-B was a mere 3% and ranked seventh.
Meanwhile, e-mail security company Postini also listed Netsky as its top virus threat of the month, with more than 42 million incidents. Zafi-B was second, with 16.7 million.


July blog
DHS falls short on cybersecurity: An internal report finds shortcomings in the Department of Homeland Security's activities to fight attacks by hackers and other cybercriminals, the Washington Post says. Citing a report from the agency's inspector general, the article says the National Cyber Security Division suffers from "a lack of coordination, poor communication and a failure to set priorities" and calls upon the division to "address these issues to reduce the risk that the critical infrastructure may fail due to cyberattacks." The findings also irked some in the private sector who said the agency should be a role model, but instead, "the department has not adopted some of the practices they argue that government agencies, companies and organizations should employ to reduce the risk of cyberattacks."

Fears of cyberterrorism: What if cyberterrorists shut down the air traffic control system at an airport or the 911 emergency system? While it hasn't happened, security experts say it could be just a matter of time, according to this article from The Age posted on the Computer Crime Research Center Web site. The article goes on to cite the story of an engineer in Australia who rigged a computer to cause thousands of gallons of sewage to be pumped into public waterways so he could get hired to clean up the pollution he had caused. While the engineer was out for his own interests, the same activities could also have been the work of terrorists, the article notes. "There is certainly the potential for terrorists to cause chaos and casualties by, for example, taking down the traffic control system at a busy airport," says Clive Williams, an Australian terrorism expert.
Web attacks get pricier: Companies that suffer business disruptions from Web-based attacks lose an average of $2 million per incident, Aberdeen Group reports in this article from CRN. The survey of 162 companies found that companies were hit with "one disruptive incident per year" from worms, viruses, spyware or other security-related causes. Corporate systems were down an average of 22 hours in each attack. Meanwhile, 75% of companies said they are beefing up their Web-based customer sales and services operations, and 55% "are increasing their use of the Internet for negotiating and buying goods from suppliers," the article said. While 82% of the companies said they were strengthening their defenses, the remainder was split between a strategy of "cleaning up the mess after an attack or containing the damage after an incident." The full report is available for download at Aberdeen Group. A free registration is required.



Companies worry about viruses: Meanwhile, companies across the Atlantic are just as worried as their U.S. counterparts. Research from MessageLabs, reported by Silicon.com, finds that most European companies worry about an increase in the "frequency and destructive potential" of computer viruses over the next 10 years and "few believe they have the protection in place to weather the storm." Given that 99% of companies have antivirus protection (according to FBI research) and some 82% were attacked by a virus in 2003, the lack of confidence in antivirus software protection is understandable, MessageLabs said. The survey found 35% of companies were confident about traditional antivirus software, 43% "are no longer confident about the protection it affords" and 22% said "the changing face of virus threats means traditional antivirus products will be obsolete within the decade."


VoIP privacy woes: Security Focus has an intriguing piece on a quirk in Voice over IP that makes it possible for hackers to spoof Caller I.D. Seems the feature that reveals who's calling before the phone is answered can be manipulated through weaknesses in VoIP programs and networks, enabling hackers to make phone calls appear to be from any number they want. They also can crack caller I.D. blocking "to unmask an anonymous phoner's unlisted number."

June blog
Presidential campaign sites have security holes: The Web sites of the two major presidential candidates have several security holes, some small, some big, Wired reports. The article reports that a check of the two official Web sites by security analyst Richard Smith found security problems on both the Bush and Kerry campaign sites, but that all of the issues are common on many other Web sites. After Smith posted his findings to several security lists, "others conducted a deeper analysis" and found some significant problems on Bush's Web site, the article says. One researcher found 30 security faults on the Bush Web site, including some that were critical. Kerry's site was "not too bad" but also had vulnerabilities, including one that could cause SQL injection errors, which could put the site's server at risk. Neither campaign responded to requests for comment, the article said.
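The "SQL injection errors" mentioned above come from a request parameter being pasted straight into a query, so a stray apostrophe produces a database error page and a crafted value changes what the query returns. The following is an added illustration, not code from the article or from either campaign site: it uses SQLite and a constructed volunteer table (the real sites' schemas are not described) to show the concatenated query beside the parameterized one that fixes it.

```python
import sqlite3

# Constructed sample data standing in for a campaign site's back end
# (assumption: the real site's schema is not described in the article).
SAMPLE_ROWS = [
    ("alice", "alice@example.org", "private"),
    ("bob", "bob@example.org", "private"),
    ("carol", "carol@example.org", "public"),
]

# The textbook probe a scanner sends to learn whether quotes in a URL
# parameter reach the database unescaped.
PROBE = "x' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE volunteers (name TEXT, email TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO volunteers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Query built by string concatenation: the request parameter becomes SQL."""
    sql = ("SELECT name, email FROM volunteers "
           "WHERE visibility = 'public' AND name = '" + name + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same query with a bound parameter: the input is only ever data."""
    sql = ("SELECT name, email FROM volunteers "
           "WHERE visibility = 'public' AND name = ?")
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_raises_sql_error(conn, name):
    """True if the concatenated query fails to parse. This is the 'SQL injection
    error' that shows up as a database error page and that a tester reads as a
    sign the site is injectable."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:           ", lookup_safe(db, "carol"))
    print("probe via concatenation: ", lookup_vulnerable(db, PROBE))  # every row, private ones too
    print("probe via parameter:     ", lookup_safe(db, PROBE))        # no rows
    print("apostrophe breaks query: ", vulnerable_raises_sql_error(db, "o'neil"))
```

The visibility filter is silently bypassed in the concatenated version because the injected `OR` applies after the `AND`; the parameterized version returns nothing for the same input, and a legitimate name containing an apostrophe works instead of crashing the page.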


Most spam is U.S. bound: About 99% of all spam originates from foreign countries, although most of the recipients of this unwanted e-mail are in the U.S., according to a study reported in Enterprise Security Today. China surpassed all countries in the hosting of Web sites referenced in spam messages, with nearly 74%. The study, conducted by Commtouch, an anti-spam software provider, also found that drugs, "prescription or otherwise," were the items most often pitched in spam, followed by promotions for mortgages and refinancing deals. It's a small consolation, but spam for pornography fell to 3.1% and casino spam slipped to 0.45%.


Zafi worm joins June list: June has been the quietest month this year for viruses, Kaspersky Labs reports in its monthly Top 20 list of viruses. The antivirus software company had only one new entrant on its list, the Hungarian Zafi.b worm. But Zafi also took the top spot, with nearly 34% of reported incidents. Sophos also reported Zafi as the dominant worm of the month. "The Zafi-B worm, which calls for changes to Hungarian legislation, such as the introduction of the death penalty to reduce crime, uses sophisticated social engineering tricks to dupe innocent recipients into opening the attachment and launching the virus," according to Sophos security consultant Carole Theriault. Central Command, which had Zafi.b second after Netsky.P, notes the worm can spread over file-sharing programs, and can replicate itself over e-mail in different languages.



Password imprinting: An article in MIT's Technology Review reports on a new form of password that allows users to skip the memorizing or the risk of writing a password on a yellow sticky. Instead, researchers from Israel's Hebrew University propose passwords that aren't consciously remembered in a concept called instinctive imprinting. "When a person learns information via imprinting, he can recognize the information later but can't recall it to describe it to someone else." The researchers said the method could be applied in the real world in about two years.


E-mail misfires: A survey from an e-mail filtering company suggests that companies ought to beef up their policies and training on messaging, Silicon.com reports. A survey from SurfControl found that more than a third of workers said they had received e-mail containing confidential information not intended for them to see, while another 15% said they had sent confidential information to the wrong people. A SurfControl spokesman stressed that nine out of 10 of the misfired e-mails were accidental, but that a combination of policies, training and filtering could help solve the problem.
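The article's remedy is "policies, training and filtering." The outbound filter part can be a simple rule: hold any message that carries a confidentiality marker and is addressed to someone outside the company. What follows is an added example, not SurfControl's product or code from the article; the company domain (`example.com`), the marker phrases and the three sample messages are all constructed for the illustration.

```python
import email
import re
from email.utils import getaddresses

# Assumption: the organisation's own mail domain; any other domain is "outside".
INTERNAL_DOMAINS = {"example.com"}

# Phrases the (assumed) handling policy says must never leave the organisation.
MARKERS = re.compile(r"\b(confidential|internal only|do not forward)\b", re.IGNORECASE)

# Constructed sample messages (not real mail): one purely internal, one with
# an external address typed by mistake, one harmless external message.
SAMPLE_MESSAGES = {
    "internal": (
        "From: ann@example.com\nTo: bob@example.com\nSubject: Q3 forecast\n\n"
        "CONFIDENTIAL: draft numbers attached, please review.\n"
    ),
    "misfire": (
        "From: ann@example.com\nTo: bob@example.com, bob@exmaple.org\n"
        "Subject: Q3 forecast\n\nConfidential: draft numbers attached.\n"
    ),
    "external_ok": (
        "From: ann@example.com\nTo: press@news.example.org\nSubject: Press kit\n\n"
        "Logo files as requested.\n"
    ),
}


def recipients(msg):
    """All recipient addresses across To, Cc and Bcc, lower-cased."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def external_recipients(msg):
    """Recipients whose domain is not one of ours."""
    return [a for a in recipients(msg) if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]


def check_outbound(raw_message):
    """Return ('hold', external_addrs) when a marked message is addressed outside
    the company, otherwise ('deliver', external_addrs). Plain-text bodies only;
    a production filter would also walk MIME parts and attachments."""
    msg = email.message_from_string(raw_message)
    external = external_recipients(msg)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if external and MARKERS.search(text):
        return ("hold", external)
    return ("deliver", external)


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", check_outbound(raw))
```

Note that the misfire is caught by the destination domain, not by the typo itself: the filter does not need to know that `exmaple.org` is a mistake, only that it is not us. That is also why a marker-only or domain-only rule would miss the case the survey describes.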


Donors exposed to ID theft: Separately, Silicon also had a story this week on a problem for 145,000 blood donors included in a database contained on a laptop stolen from UCLA. The University of California is sending letters to the donors warning them that they could be victims of identity theft. The laptop was stolen from a locked van last November, but officials didn't become aware of the significance of the theft until a security audit was conducted last month. The database was password-protected but not encrypted, and the university is reviewing data security policies in light of the incident, UCLA said. Police are investigating the theft and said there's no evidence the data has been misused.


FDIC data vulnerable: Lax security at the Federal Deposit Insurance Corp., the agency that protects U.S. bank deposits, could lead to major losses of money, information and other data, according to a General Accounting Office report cited in this article from the Associated Press via Wired. While progress has been made, "the agency has not limited access adequately of authorized users or completely secured access to its network against unauthorized use," the GAO said. FDIC agreed with the recommendations to tighten its data security.


Top viruses for May: Variants of the Netsky worm were scattered about the monthly lists of the top viruses during May, according to several antivirus software companies. Kaspersky Labs listed Netsky.aa as No. 1 with just over 31% of its reported incidents, while Netsky.b was a close second with 30%. However, the company notes a connection between Sasser and Netsky. "The virus writer arrested for creating Sasser admitted to authoring worms from the Netsky family -- the very worms which have received so much attention over the past few months, and which occupy much of this month's Top Twenty."
Sophos, meanwhile, has the Sasser worm dominating the list with more than 51% of its reported incidents. "Sasser was the major pain in the neck this month, affecting far more users than even the prevalent Netsky worms," said Sophos security consultant Carole Theriault. Sophos also detected 959 new viruses last month, the highest number in a single month since December 2001.
Sasser also topped the list at Central Command with more than 49% of reported incidents, with variants of Netsky filling many of the slots in its Dirty Dozen list.
And for all you Harry Potter fans: While looking over your shoulder for Dementors this week, you might also want to keep a lookout for the Netsky-P worm, which has made a resurgence, Sophos reports. The security software company says the revival of the worm is due in part to its ability "to disguise itself as a Harry Potter computer game when spreading on file-sharing systems."
The opening of the third movie on the boy wizard this week may be contributing to the spread of the worm, and users may be letting down their guard, Sophos says.


U.S. ponders centralized patching: The federal government should consider reviving a centralized patch-management service for its agencies, Federal Computer Week reports. The article reports on a General Accounting Office study that found that U.S. agencies are overwhelmed by the process of installing software patches and are uneven in developing patch management policies. The GAO recommends that the government reconsider a centralized patch management service to ease the burden on agencies. Such a system was tried and failed due to negative feedback from agencies. But the GAO says the plan should be reconsidered, applying lessons learned from the previous attempt.


Stopping the spread of viruses: A computer scientist is studying how viruses spread in people with the goal of figuring out how to stop computer viruses from spreading over the Internet. This Associated Press article, which was posted on the Washington Post Web site, says biological viruses follow a pattern in which the virus starts slowly, spreading within a few people, takes off exponentially and then tapers off. Professor Biplab Sikdar, of the Rensselaer Polytechnic Institute, suspects that computer viruses also follow some sort of a pattern and that it might be possible to detect this pattern at an early stage. Routers could then be programmed to recognize signs of an attack and then isolate any virus. The study is being funded by the National Science Foundation.
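The "slow start, exponential takeoff, taper" shape the article describes is the logistic curve, and the thing a router would key on is that, during the takeoff, each tick's new infections are a constant multiple of the previous tick's. The following is an added example and not Professor Sikdar's model or code: it runs a discrete-time susceptible-infected model over a constructed population of 10,000 hosts (the growth constant `beta`, the 1.3 ratio threshold and the three-tick streak are assumptions chosen for the illustration) and shows that a growth-ratio detector fires while only a handful of hosts are infected.

```python
def simulate_spread(n_hosts=10_000, beta=0.5, ticks=60, initial=1.0):
    """Discrete logistic (SI) model. Each tick every infected host infects
    beta new hosts on average, scaled by the fraction still susceptible.
    Returns the expected number of infected hosts at each tick (floats)."""
    curve = [float(initial)]
    for _ in range(ticks):
        i = curve[-1]
        curve.append(i + beta * i * (1.0 - i / n_hosts))
    return curve


def new_infections(curve):
    """Tick-over-tick increments: what a router would actually count."""
    return [later - earlier for earlier, later in zip(curve, curve[1:])]


def detect_exponential_growth(curve, ratio_threshold=1.3, consecutive=3):
    """Index into `curve` of the first tick at which `consecutive` successive
    growth ratios of new infections all exceed `ratio_threshold`, else None.
    A constant ratio above 1 is the signature of the exponential phase; the
    streak requirement avoids alarming on a single noisy tick."""
    deltas = new_infections(curve)
    streak = 0
    for t in range(1, len(deltas)):
        if deltas[t - 1] > 0 and deltas[t] / deltas[t - 1] > ratio_threshold:
            streak += 1
            if streak >= consecutive:
                return t + 1  # deltas[t] is the step ending at curve[t + 1]
        else:
            streak = 0
    return None


def summarize(curve):
    """Where the alert fires versus where the outbreak actually peaks."""
    deltas = new_infections(curve)
    alert = detect_exponential_growth(curve)
    peak = deltas.index(max(deltas))
    return {
        "alert_tick": alert,
        "infected_at_alert": None if alert is None else curve[alert],
        "peak_tick": peak,
        "infected_at_peak": curve[peak],
        "final_infected": curve[-1],
    }


if __name__ == "__main__":
    for key, value in summarize(simulate_spread()).items():
        print(f"{key:>18}: {value}")
```

With these parameters the alert fires at tick 4, when about five hosts are infected, roughly twenty ticks before new infections peak near the half-infected point and the curve flattens out. In practice the counts are noisy and the ratio threshold has to be tuned against normal traffic growth, which is exactly the part the research would have to settle.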

May blog
More secure passwords: Here's an interesting paper on passwords found via Slashdot. The study from the Cambridge University Computer Laboratory debunks some of the conventional wisdom about passwords. For example, it found that random passwords are no better than those based on mnemonic phrases. The study found that each appeared to be as strong as the other. It also offered suggestions on creating passwords that are harder to crack. One idea: Write a simple sentence of eight words and then use the first letter or last letter from each word as the password. Making some of the letters uppercase helps too.


A price tag on online crime: Online crime cost companies about $666 million in 2003, according to a new survey released by our sister publication CSO. The survey of more than 500 corporate executives also found that 30% of respondents reported no online crime or intrusions in the same period. The survey was conducted by CSO in conjunction with the U.S. Secret Service and the CERT Coordination Center. The survey also found that of those reporting online crime, 71% said the incidents came from outside the organization, while 29% said the incidents were the result of insiders. Thirty percent said they didn't know.


Bounty programs work: Microsoft's bounty program is working and the arrest of the Sasser worm creator proves why, writes Tim Mullen in Security Focus. He also says there are "glory hackers" out there who are trying to outdo one another in creating headlines. Overzealous security companies don't help by sensationalizing virus and worm incidents and overestimating the damage they cause. He predicts more bounties in the future and malware that does serious damage.


Security survey of financial companies: A survey reports that most global financial institutions had their networks attacked over the past year and that many of the breaches resulted in a financial loss. The Deloitte Global Security Survey also said that despite the attacks, 25% of the respondents reported flat growth in their security budgets. In addition, more than 70% of respondents said viruses and worms are the greatest threat to their systems in the next 12 months, but only 87% of respondents had fully deployed antivirus measures. That's a drop from 96% in 2003. Deloitte said the firm interviewed senior IT executives of the top 100 global financial services organizations. The full report is available on its Web site.


Missing data not a security threat: Data discovered missing this week at the Los Alamos National Laboratory doesn't pose a security risk, according to Govexec.com. Lab employees doing inventory couldn't find "the data storage device containing classified information," the article says, and a federal review team was preparing to investigate. A Los Alamos spokesman said it's believed the device "was either destroyed or retasked, but the proper paperwork wasn't done to track its destruction or reuse."


MS-SQL: For a tutorial on securing MS-SQL, check out Windowsecurity.com.

Why are virus writers so tough to catch? Lots of reasons, according to this article from News Factor. The arrest of the 18-year-old creator of the Sasser worm last week (see story) raised the question of why it's so difficult to catch the makers of some of the thousands of viruses unleashed on the Internet each year. One reason is that investigators tend to go after high-impact cybercrimes, such as fraud and embezzlement, where money is stolen. Another reason is the global nature of the Internet, which makes it hard to track down virus writers around the world, who are probably spreading their viruses through other people's machines. Another reason is fear of retribution from hackers, notes Bruce Schneier, CTO of Counterpane Internet Security, in this article just posted in Computerworld today.
Headaches for Trilogy: A panel of scientists is finding fault with a key component of the FBI's huge computer upgrade known as Trilogy, according to news reports. A Los Angeles Times article posted on Omaha.com says the Virtual Case File (VCF), "a program considered the guts of the new network," was not properly tested and could result in "mission-disruptive failures" when it is deployed later this year.
The report (in PDF format) is from a committee of technology experts convened by the National Research Council. FBI officials asked the council to review the nearly $600 million program and other IT efforts, according to Federal Computer Weekly. "VCF, designed before the FBI's mission shifted to include counterterrorism, does not support the needs of today's intelligence gathering," the article notes. The FBI was "studying some of the recommendations and had implemented others," the Times said.



Microsoft at WINHEC: "Although Microsoft has made security a top priority for the past couple years, its top executives didn't devote much time to the topic at the annual Windows Hardware Engineering Conference," Associated Press notes in its coverage of this year's WinHec. "Instead, they focused on the whiz-bang gadgets of the future."
However, a Microsoft official did tell the IDG News Service that the company is revisiting its Next-Generation Secure Computing Base (NGSCB) security plan because developers don't want to rewrite their code to take advantage of the technology (see story).
"We're revisiting the way that the architecture needs to be built in order to accommodate the feedback that we have gotten and provide the broader value that we want the technology to provide," said product manager Mario Juarez.

Trilogy delivery: Computer Science Corp. said it made the final delivery of the Trilogy computer network to the FBI last week. "We hit a few bumps on this one, but ended it on a high note," Paul Cofoni, president of CSC's federal sector, told National Journal's Technology Daily via Govexec.com. The $400 million project had been troubled by delays and cost overruns related to its escalated schedule after the 9/11 attacks. The company said that before the Trilogy project, some FBI employees were using desktops that were as much as eight years old and unable to run basic software.

April blog
Encryption challenge solved: A worldwide team of eight scientists has solved the latest RSA-576 factoring challenge in about three months using around 100 workstations, Vnunet reports. RSA-576 is a smaller-scale example of the types of cryptographic keys that are recommended to secure Internet and wireless transactions. RSA Laboratories started the factoring challenge encryption puzzle in 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers. The winners were from the Scientific Computing Institute and the Pure Mathematics Institute in Germany, the National Research Institute for Mathematics and Computer Science in the Netherlands and other organizations. They will share a $10,000 prize from RSA Security.
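Why a factoring result is a security story: an RSA public key is the product n of two secret primes, and whoever recovers those primes can compute the private exponent and read anything encrypted to that key. RSA-576 is a 576-bit modulus, which took the team three months and 100 machines; the added example below is not the winners' method or code from the article. It builds a toy key from two roughly 20-bit primes (constructed for the illustration) and recovers the private key with Pollard's rho, which finishes instantly at this size and is hopeless at 576 bits. The point for a practitioner is that modulus length is the only thing standing between these two outcomes.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def make_toy_key(p, q):
    """Textbook RSA key from two primes: returns (n, e, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    for e in (65537, 17, 3):  # first public exponent coprime to phi
        if gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)       # private exponent (Python 3.8+ modular inverse)
    return n, e, d


def pollard_rho(n, c=1):
    """Pollard's rho with Floyd cycle detection; returns a nontrivial factor of n.
    Expected work is about n**(1/4) steps, which is why it is only a toy here."""
    if n % 2 == 0:
        return 2
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1  # the sequence cycled without a factor; try another polynomial


def recover_private_exponent(n, e):
    """What an adversary gets from factoring: the private exponent and the primes."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi), (min(p, q), max(p, q))


if __name__ == "__main__":
    p, q = next_prime(1_000_000), next_prime(2_000_000)   # constructed toy primes
    n, e, d = make_toy_key(p, q)
    ciphertext = pow(424242, e, n)                          # constructed sample message
    d_recovered, factors = recover_private_exponent(n, e)
    print("modulus bits:", n.bit_length())
    print("factors recovered:", factors == (p, q), " private exponent matches:", d_recovered == d)
    print("decrypted by the recovered key:", pow(ciphertext, d_recovered, n))
```

The recovered exponent is identical to the original because the modular inverse of e is unique once phi is known; nothing about the key was guessed. Each extra bit of modulus roughly doubles the work for trial division and multiplies the work for the sieve methods used on RSA-576 by a much smaller but still exponential factor, which is the margin the challenge was designed to measure.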


Spam breaks record: The amount of unsolicited bulk e-mail skyrocketed in April to 82%, reaching record levels in the U.S. and across the world, Earthweb reports. The article cited figures from MessageLabs, a New York-based security company. Spam waned in January and February due to the CanSpam Act that went into effect in January, as major spammers slowed down operations so they could figure out how to better dress up their spam to make it appear to fit into the legal limits, said MessageLabs' chief information security analyst Paul Wood. He also suspects "the huge number of open proxies on the Net," as a reason for the spam spike. He estimated that 70% of spam is sent through open proxies.
Security experts: Patch now! Once security patches are released, can attacks on those exploits -- seeking to target systems which haven't applied the fix -- be far behind? Usually not, which is why security experts are urging admins to install the most recent wave of critical Windows patches ASAP. The SANS Institute has already spotted exploits for some of the flaws Microsoft announced last week (see story).

However, patches can come with their own set of problems. "While the existence of working exploits for several of the flaws encourages users to immediately patch systems, many users have reported problems after installing the patches," ENT magazine reports. "Visitors to ENTmag.com have experienced slow performance, disabled disk drives and broken applications, including Oracle 8.1.6. Many of the problems were fixed after uninstalling the patches."
A homeland security Web portal: A portal for emergency responders and federal, state and local homeland security officials has been created to share and access information, Federal Computer Weekly reports. The portal, known as the "Lessons Learned Information Sharing" system, will allow authorized emergency and homeland security officials to share expertise on planning, training and operational practices. The Web site will also provide information developed and validated by peers, and an information clearinghouse on reports, exercises and incidents. The Web site is free to verified first responders and homeland security officials.
Data destruction policies: What's yours? SecurityFocus has a thought-provoking article by security columnist Scott Granneman on the importance of having a data destruction policy, but also cites the difficulties of ensuring that data is really and truly gone, such as from a computer's hard drive. While there are laws that prohibit the disposal of certain data, such as IRS, SEC or OSHA documents for certain periods of time, there's nothing wrong with getting rid of old or obsolete data. But check with the company lawyer first.

Goals for IT security: Could there be a cybersecurity role for Uncle Sam? It's a possibility, says the Washington Post, citing a report from an industry task force released yesterday. Despite previous resistance from technology companies, the task force, headed by Microsoft and Computer Associates, suggests that some regulations might be in order. However, the report "stops short of specific mandates, focusing primarily on broad, voluntary measures for both the makers of software and the network operators who use it," the article notes.


March viruses in many varieties: March came in with 11 new viruses, including several variants of Netsky and Bagle making the top lists of antivirus software companies. Kaspersky Lab's Top Twenty virus list had six new mail worms, with Netsky.b (aka Moodown.b) taking the top spot with nearly 53% of reported occurrences. The Netsky worm family bested the Bagle worm family, accounting for more than 70.5% of all confirmed virus occurrences, Central Command reported in its "Dirty Dozen" list. Both Central Command and Sophos had Netsky.D as the top virus, with more than 30% of reported incidents.

March blog
Bad technology day: A newspaper in Bermuda reports that half of the 37,000 trademarks registered to the British island colony were lost after a computer crash and a backup system that should have rebuilt the database failed. The staff of the Registry General is working day and night to manually input the data from original files dating back to 1999, The Royal Gazette reports on its Web site. According to the registry's IT director, the files are stored on RAID (redundant array of independent discs) devices to reduce the risk of error on a single drive. This time when a drive failed, it wasn't replaced as it usually is when there are problems. IT experts turned "to backup copies to repair the RAID drives, but they failed because the backup copy of the file needed was not available because of 'system configuration changes' performed at an earlier date."


Interior back online: The Department of the Interior has restored Internet access to part of its Web site now that an appeals court has granted a temporary stay of a federal judge's order to shut down access due to security concerns. In a statement on the Interior Web site, Secretary Gale Norton said the department will work aggressively with the Department of Justice to permanently reverse the March 15 injunction, which ordered Internet access shut off. Judge Royce Lamberth ordered the department's Internet access disconnected, concluding that accounts for hundreds of millions of dollars in royalties from American Indian land were at risk due to weak information security.



This is the third time since December 2001 that Judge Royce Lamberth has ordered the Interior Department's Internet connections shut down due to security weaknesses (see Computerworld story).
The Interior Department has asked the judge to allow the computers to be put back online. "Interior has invested substantial time, effort and funding in improving our information technology security," Interior Secretary Gale Norton is quoted telling the court.
Other federal agencies aren't doing well on security either, when you look at the results of the federal government's security report card (see story).
The Interior's Web site remained offline at this writing.

University computers hacked: San Diego State University warned more than 178,000 students, alumni and employees that hackers broke into a university computer server where names and Social Security numbers were stored, the San Diego Union Tribune reports. University officials said the hackers infiltrated a server in the Office of Financial Aid and Scholarships in late December and used it to send spam e-mail messages and transfer files, including MP3 music files. The problem was discovered in late February and SDSU took the server off the network.

This is the university's second breach that put personal data at risk. The university notified around 1,000 people in December when a server used by the library was hacked, the report said.

Are antivirus companies doing enough? That issue is raised in an article in Wired stating that "security experts are questioning whether the antivirus software industry is working hard enough -- or has enough incentive -- to develop new and better ways of stopping nasty software." The issue came up a few months after many versions of the MyDoom, NetSky and Bagle viruses infected computers worldwide. One of the critics cited in the article argued that the antivirus vendors' "signature model" is outdated. The system, in which users subscribe for an annual fee to regularly download "signature file" updates that identify the latest malicious code, provides the company with a "nice tidy revenue stream," said Mike Sweeney of security consulting firm Packetattack. Antivirus companies counter that the signature files are the simplest and most convenient for users.

"Antivirus companies do not offer subscription-based product-delivery models because they are the most profitable, but because they can provide a high level of protection against the ever-moving threat of viruses, with the least amount of hassle for end users," said Chris Belthoff, senior security analyst at Sophos.

Push for online warning network: The Washington Post reports that a group of technology and business associations made a series of recommendations "for minimizing the threat of cyber-crime and hacker attacks." The recommendations from the National Cyber Security Partnership, include a request for congressional funding of an early warning alert network and a national media campaign to promote safer Internet use at home.

Robot race has no winner: The $1 million race for an unmanned vehicle to cross the Mojave Desert ended without a winner Saturday, when all 15 entries either broke down or withdrew, CNN reports. Only two vehicles were able to travel seven miles of the 150-mile course, and eight didn't even make it to the one-mile mark. The Pentagon's research and development agency, known as DARPA (for Defense Advanced Research Projects Agency), planned to award the money to the first team whose vehicle could cover the course in less than 10 hours. While the race ended quickly, DARPA Director Anthony Tether called it an "important first step," and said a lot was learned about autonomous ground vehicle technology.

Companies try to limit liability: The Washington Post has a disturbing article for customers of online businesses. Some companies, worried about liability if their computer systems are hacked, are warning customers that if their personal information is stolen, tough luck. These companies are saying they won't be legally responsible and are requiring customers to agree to waive any right to sue the companies if the businesses are hacked.
The waivers are included in those long terms-of-use agreements that users click on. And how many of us read them closely? Consumer advocates say the companies are wrong. "If companies are willing to derive the benefit of information collection, but not the responsibility to secure it . . . it won't be difficult for consumer attorneys to invalidate these provisions as being unfair," said Chris Jay Hoofnagle, associate director of the Electronic Privacy Information Center.
From the "Experts" Wonder Why Corporate IT Doesn't Always Immediately Apply the Latest Patches Dept: Some software apps may no longer work on Windows XP systems after Service Pack 2 is installed. "Microsoft has made something of a trade-off with the update, focusing on security improvements at the expense of backward compatibility," according to the IDG News Service.
"It may surprise some of the developers that we are changing some defaults, and that may affect the way some of the older applications run," Microsoft product manager Tony Goodhew told the IDG news service. Some end users are likely to be surprised as well.
Microsoft is asking all developers to test their code against SP2 beta. Anyone interested in learning more about SP2 technical specs can head to Microsoft's Web site.
A rosy job picture: It looks like an improving job market for data storage and security professionals. News Factor notes that demands for more storage, plus new laws that require companies to preserve and retrieve information, will lead to greater demand for storage pros.
Meanwhile, all this extra data needs to be protected from the bad guys, fueling growth in jobs in network security. It looks to be a good year for anyone searching for a job in data storage or in data security, says Jim Lanzalotto, vice president of strategy and marketing, Yoh Company, a technology staffing firm.
New security response plan: The Department of Homeland Security has come out with a plan to provide a standard way for local, state and federal governments to respond to security incidents. The plan is called the National Incident Management System (download PDF) (NIMS) and was announced by Homeland Security Secretary Tom Ridge this week. NIMS uses best practices proposed by thousands of first responders and other officials around the U.S., Ridge said in this article from Washington Technology. The plan also can be used to take advantage of future technology initiatives.


Bank falls victim to hackers: Customers of Bank Leumi in Israel were informed last week that intruders broke into the bank's computers and stole a file containing a list of corporate loans. No money was taken from bank accounts, the Israeli Web site Maariv International reports. It was undetermined whether the break-in was an inside job, but the intruders somehow "logged into the system, downloaded the file onto a laptop, and deleted it from the bank's central computer."
For a motive, speculation falls on three possibilities: an attempt to blackmail the bank, to steal information about clients or to erase a loan taken from the bank, the Web site said. Interestingly, the bank didn't notify the police and handed the case over to a private investigator.


DARPA awards network security deal: The Defense Advanced Research Projects Agency aka DARPA awarded $8.7 million of a $13.2 million contract to Computer Systems Center Inc. (CSCI) for work on dynamic network security applications, Federal Computer Week reports. The contract is for the Information-on-Demand project, a study of dynamic network security, which enables users to have multiple levels of security access from one workstation. The DOD has been interested in the technology for years to allow its employees and military personnel to use one workstation for both secure and nonsecure applications.

Separately, FCW reports that the DOD awarded a $21.4 million contract to the Knowledge Consulting Group to write a security plan for the agency's Counterintelligence Field Activity and the FBI's Foreign Terrorist Tracking Force. The plan would "update the organizations' security guidelines, identify potential security lapses and provide security support," said company president Maryann Hirsch.
Getting beyond M&M SANs: Enterprise Storage Forum has a good look at the flaws in how companies protect their data. The article cites the classic "hard and crunchy on the outside and soft on the inside" example for network security and notes that companies spend lots of money securing the outer shell with firewalls, passwords and keys, but they neglect the center, where the data is stored. The article offers tips on what companies should do to secure the center, centralize command and other issues.

Microsoft security webcasts: Microsoft is hosting a series of webcasts starting Feb. 16 devoted to security issues. "These webcasts are designed to help developers write applications that are resistant to security attacks," the company said in its liner notes. The webcasts, which run for 90 minutes each, include such topics as ".Net Code Access Security," "How to Perform a Security Review" and "Creating a Single Sign-On Enterprise Security Portal." For a list of all the topics and the schedule, click here.
Tighter security urged at Energy Department labs: An audit report by the U.S. Energy Department's inspector general is recommending tighter security of classified projects, including advanced computer research, conducted by the department's national laboratories, Government Computer News reports. The audit (pdf format) by Inspector General Gregory Friedman cited Sandia lab officials for failing to conduct security classification reviews for six classified projects. Officials at Los Alamos and Oak Ridge were faulted for assigning "foreign citizens who were permanent resident aliens to seven projects involving sensitive technology, even though three of the researchers were from 'sensitive' countries such as Russia and China." Energy Department officials agreed with the recommendations but also said the agency, as a whole, had adequately controlled sensitive technologies.
Day care data posted on Web: Personal data about low-income families and children in foster care in upstate New York was posted on the Web for two weeks until MSNBC notified local authorities, the news Web site reported. The information included names, birthdays, addresses and daily whereabouts of hundreds of children. It also exposed data on children in the country's foster care program and on their parents, some of whom are in treatment programs. The data leak was caused by a programmer who was a subcontractor for Livingston County. The programmer was looking for help on a formatting issue with the database and posted it in a zip file to RentACoder.com, a Web site that helps computer programmers find temporary work. State and local authorities are investigating the privacy breach.

Mydoom.A tops lists: The Mydoom.A worm was at the top of the charts of antivirus and security software companies that keep track of the most notorious viruses and worms each month.
Central Command said Mydoom.A represented more than 77% of total confirmed infections and 1 out of 9 e-mails in January, while Kaspersky Labs placed the infection rate slightly higher, at 78.3%. Kaspersky's Web site also noted that the worm, which appeared Jan. 27, beat all the numbers produced by Sobig.f, last year's leading Internet pest. Sophos also has Mydoom at the top of its list, but records it at 25% of its reported infections. The worm beat the next most prevalent virus last month, Bagle, by a landslide.

January blog
CERT's national cyber alert system: The CERT security response team at Carnegie Mellon University in a partnership with the Department of Homeland Security, has established a National Cyber Alert System to provide "timely information about current and emerging threats and vulnerabilities as well as advice about protecting your computer and networks." The alerts are written in two forms, one technical and one non-technical. The alerts got their first test with the Mydoom virus, and have already been criticized by infosecurity pros within national infrastructure groups who said the alerts weren't well-coordinated with the private sector. You can read more about the furor from this Computerworld story.

What's ALF all about? For a straightforward read on application layer filtering (ALF), check out this article by Deb Shinder from WindowSecurity.com. The article does a concise job of explaining yet another security buzzword while pointing out the pros and cons of ALF in firewall technology.

Draft on authentication: The National Institute of Standards and Technology released a draft of a document for authenticating users, or ensuring that users are who they say they are. The document, according to Federal Computer Week, "advises agencies on setting up electronic security procedures to authenticate users before giving them access to a computer information system." The new document is NIST Special Publication 800-63 (pdf format), Recommendation for Electronic Authentication.