Privacy terms revised for Microsoft Passport
Armey applies privacy brakes
WASHINGTON--The man who decides which bills will be considered on the House floor said Monday that any online-privacy bill is likely to do more harm than good.
Security flaw found in Alcatel DSL modems
Computer industry security experts believe they have discovered a vulnerability in
certain high-speed modems manufactured by Alcatel, the French communications equipment giant.
Though only theoretical so far, the problem makes the devices potentially vulnerable to
malicious hacker attacks.
Damage limited from lonely hearts virus
Antivirus software companies said a new virus that disguises itself as a program for
finding romance partners is spreading quickly between companies in Europe.
Companies say the virus, known as Matcher.A, is less potent than the I Love You virus that
ravaged computer systems last May, but it could pose a nuisance by overloading mail servers.
Giving spam the network boot
A promotion arrives in your e-mail box from a company you've never heard of
before--but is it spam?
Commentary: High prices for Net access
Higher prices for high-speed Internet access--via DSL (digital subscriber line)
or cable--are the natural follow-up to the major industry shakeout of the last year.
With much of the competition gone, and with many of the surviving major players
carrying huge debt loads and desperate for profits, prices have to rise.
TRACK YOUR FLASH ADS
The Macromedia Flash Tracking Kit shows ad developers how to prepare
Macromedia Flash files so that ad serving networks can dynamically
assign click codes to Macromedia Flash advertisements. By adhering to
the standards explained in the Tracking Kit, ad developers now need to
create only one Macromedia Flash advertisement for an entire campaign.
(MacroMedia Developers Newsletter)
Globbing Function Leaves Some FTP Servers Vulnerable
[April 10, 2001] A process used to expand short-hand notation into
complete file names creates security flaws in a variety of FTP servers
that lead to buffer overflows.
Hackers Succeed in Breaching Shopping Cart Software [April 10, 2001]
In one of several recent cyber break-ins, Atlanta-based PDG Software
has informed the Federal Bureau of Investigation that its merchant
sites were hacked. Within hours the president of the company, David
Snyder, said online vendors using its shopping cart software package
were notified and security holes patched.
Compaq's Active X Policy Taking Water
Compaq Computer said ActiveX programs that ship with its popular desktop and notebook
Presario lines contain a flaw which could allow attackers to overwrite files on users' machines if they visit a specially constructed Web page or read a booby-trapped HTML email.
British Court Close To Sending Curador to Jail
A Crown Court judge in Wales indicated that he intends to sentence teenage hacker
Raphael Gray to prison, pending the outcome of medical tests.
Groups: Pay Us for a Heads-up on Security Threats
It pays to be secure. Literally. Especially where the Computer Emergency Response Team
Coordination Center (CERT/CC) is concerned. An invaluable group to the government because
it tips them off to security threats before they can mete out damage, CERT Thursday said it will open up its advisories about viruses, hacks, and other pesky nuisances to others, so long as groups are willing to open up their coffers.
Microsoft Patches ISA Server Denial-of-Service Bug
Members of the security advisory group SecureXpert Direct this week isolated a bug in Microsoft Corp.'s ISA Web server 2000 that would render the Web server victim to denial-of-service (DoS) attacks.
Internet Security Systems Moves to Parry Drive-by Hackers
Atlanta-based Internet Security Systems Inc. (ISS) has long had this concern about drive-by
hackers. That's right -- drive-by hackers.
Journal of a Cyber Criminal
The president of AdCops.com, an on-line community that allows
e-commerce merchants to share stories and ideas about Internet fraud,
recently paid two cyber criminals to keep logs of their daily
activities. Using anonymous e-mail accounts and stolen credit card
information, the thieves claim to make thousands of dollars a month from
Federal Systems' Security Inadequate
Hackers gained root-privilege control of more than 150 systems at 32
government agencies last year, said federal officials at a congressional
hearing, adding that only 20% of such incidents are reported. A General
Services Administration (GSA) computer security official said that
three-quarters of intrusion attempts on federal systems came from
foreign sources. The majority of successful intrusions could have been
thwarted had agencies updated their systems.
Web Host Database Stolen
A cracker says he stole a database containing personal information on
46,000 customers of ADDR.com, a Colorado-based web hosting company.
Several customers have reported fraudulent charges on their credit
cards. The cracker suggested he could use the sites' bandwidth to
launch a DoS attack. In addition, the stolen database contains user
names and passwords; if customers had not reset their default passwords,
the cracker could potentially have altered content on their sites.
Turbo Tax Glitch May Necessitate Password Changes
A security glitch in Intuit's Turbo Tax software saves investment
account passwords to the user's PC or to Intuit's servers when the
customers import investment tax data from any of seven financial
institutions. As many as 150,000 users are affected by the problem.
Some of the financial institutions have recommended that customers
change their passwords while others have disabled the affected passwords.
CA Democrat Site Security Hole
A security flaw in the California Democratic Party's web site exposed
credit card numbers and other personal data belonging to 54 people who
had made contributions. Some of the donors received personal phone
calls apologizing for the problem and no fraudulent use of the cards
had been reported. The glitch in the older version of Lotus Notes Domino
server allows unrestricted database access by default. MSNBC.com
received an anonymous tip about the flaw and passed the information on
to party officials.
Yahoo and eBay Log-Ins Not Always Secure
Yahoo and eBay both allow users to log in to personalized versions of
their sites via a secure log on page. But when accessing features on
the site, users are asked to enter their user IDs and passwords again;
this time, they are sent across LANs and WANs in clear text.
will be shared in the event of a merger or acquisition.
Note: Readers are encouraged to express their views on this policy...
Industry Says Virus Challenge Irresponsible
A firewall company is offering a $10,000 reward to any virus writer who
can infect a certain machine shielded by its product. The writer will
receive $100 for getting a virus past the gateway; the balance will be
paid when the author shares information about the creation of the
successful virus. Anti-virus experts have called the challenge
irresponsible and unethical, and the founder of an on-line virus
dictionary points out the company could be held liable for viruses
written to meet the challenge.
A hacker who also works as a security consultant has developed a
technique called polymorphic coding that can be used to disguise
malicious code. The cloaking technique thwarts intrusion detection
system pattern matching, according to its author.
This result was inevitable. It was predicted by a landmark 1998 paper by Ptacek and Newsham
(http://secinf.net/info/ids/idspaper/idspaper.html). The most interesting
aspect of this story is that this approach is now being discussed
publicly in very practical forums. How soon will polymorphic code undermine
virus detection and IDS systems?
Security Disclosure Could Raise Confidence in Internet
The government could boost confidence in the Internet if it required
companies to disclose their security measures, just as the SEC required
companies to provide Y2K preparedness in their earnings reports two
years ago, according to Senator Robert Bennett (R-Utah), chairman of
the High-Tech Task Force and Special Committee on Y2K.
The only security measures that are likely to survive attack are those that are subject
to public scrutiny. See the lessons of the Clipper chip.
Despite strict laws against hacking, Chinese hackers are being urged to
target US systems in retaliation for the recent mid-air collision, and
Vigilinx CEO Bruce Murphy believes the Adore worm was written in
retribution for the incident. In 1999, Chinese hackers attacked a
number of US government systems in retaliation for the bombing of the
Chinese Embassy in Belgrade. A security consultant recently discovered
that a Chinese hacker authored the Lion worm. The Chinese government
requires anti-virus vendors to provide complete virus code samples if
they want to do business in China, leading some security experts to
question their motives.
Alcatel Modem Security
Crackers could take advantage of a vulnerability in Alcatel high-speed
modems to shut down a user's connection, monitor LAN traffic, or launch
denial-of-service attacks. Crackers could remotely deactivate
protections that would allow them to install firmware. Alcatel suggests
its customers install firewalls to protect themselves. Researchers who
discovered the flaw say it is arcane and exploits for it are unlikely
to become widespread.
NOTE: A fascinating (but unverified) look at how Alcatel's management
struggled over the media update distributed in response to the
disclosure may be found at http://morons.org/articles/1/188.
The authors (not Alcatel) use profanity.
FTP Security Hole
PGP Security has discovered a flaw in the "globbing" command of many
FTP server systems that could be used to cause buffer overflows and
allow crackers to gain root control privileges on the system. PGP has
released a tool that can help users identify vulnerable systems.
A lack of jobs has led qualified Philippine programmers into the realm
Digital Signatures could Help Prevent On-Line Credit Card Fraud
The author posits the idea that requiring on-line shoppers to attach
digital signatures with each purchase could go a long way toward
thwarting on-line credit card fraud. One impediment to such a plan is
the fact that digital signatures have not been standardized.
Note: The standard is called SET. The credit card companies are the ones
to implement this. They are doing so. (See American Express Blue.)
They understand that this technology must be "enabled" and that it cannot be "required."
Computer Dealer Sends Virus to Competitor
A Devon, UK computer dealer was sentenced to 175 hours of community
service for sending a virus to a competitor. The company became
suspicious of the offending e-mail, discovered it contained a virus,
and informed the police. The rivals had been engaged in a price war.
Pioneer Accidentally Sends Out Troj_Hybiris
Pioneer unwittingly sent Troj_Hybiris, a semipolymorphic worm, to more
than 10,000 customers; at least 19 computers were infected. The worm
is activated only when users click on the attached file. The company
has sent out a virus alert, apology and fix.
Note: This incident makes clear how difficult it will be to prosecute malicious use of viruses, because it is so easy to spread viruses accidentally.
Russian Hacker Claims US Diplomats Tried to Hire Him To Steal Files
The Moscow Times reported that a Russian hacker claims that diplomats
at the US Embassy in Moscow attempted to hire him to copy, alter, and delete
files in the country's Federal Security Service's computer network.
Shopping Cart Software Flaw Allowed Credit Card Theft
A bug in PDG Shopping Cart software apparently allowed crackers to steal
credit card numbers from several e-commerce web sites; NIPC posted an
alert on April 9th. PDG contacted its vendors with a patch the same
day it became aware of the problem. The fix is also available at PDG's
Story at Yahoo
Windows XP Security
Microsoft says its new versions of Windows, XP and Whistler, will have
dramatically improved security capabilities. In addition to checking
for signed integrity credentials before allowing applications to run,
and allowing administrators to limit access permissions to specific
users, Microsoft has established an internal program, the Secure Windows
Initiative, to provide its engineers on-going security education.
Warner Bros. Online Security Breach
A cracker stole an e-mail newsletter mailing list from the Warner Bros.
Online computer system and spammed the addresses with a pitch for a
pyramid marketing scheme. Warner Brothers sent e-mail apologies to the
subscribers, but would not comment on what other information may have
The market for private sector cyber-forensics is growing, as companies
are reluctant to call in law enforcement for fear of bad publicity;
furthermore, private companies have greater expertise in getting to the
bottom of security breaches.
FBI Busts Russian E-commerce Extortion Ring
Two men have been indicted in what was described as a Russian computer
hacking ring that victimized banks and other businesses through
extortion and the theft of credit card numbers. The FBI lured the
hackers to the US with the promise of a job with a fictitious company.
Argus' $50,000 "Hack Me" Challenge Cracked
Argus Pitbull's latest public "hack me" challenge has fallen. Within
24 hours of the opening of the contest, the team Last Stage of Delirium
(LSD) cracked the Pitbull server, notified Argus, and claimed the 35,000
prize. Argus reports that the flaw exploited was in the underlying
Solaris operating system, and not in the Pitbull software.
SDMI hacking research draws legal threats
The Secure Digital Music Initiative (SDMI) in September invited
volunteers to test the security of embedded "watermark" codes as
antipiracy technology. The consortium now is pressuring Princeton
professor Edward Felten to suppress research that makes educated guesses
about how the watermarking was done. SDMI insinuates a possible
violation of the Digital Millennium Copyright Act (DMCA). Some scholars
believe the DMCA might be unconstitutional, holding the potential to
affect free speech and academic research into cryptography.
Chinese and American Hackers Waging Private War
American cracker group PoizonBOx has defaced at least a hundred Chinese
websites since April 4. Chinese hackers are now vowing to retaliate with
a planned week-long all-out crack attack on American websites and
networks which will start on May 1.
Anti-Hacking Insurance Higher For NT Users
One insurance underwriter charges 25% higher premiums on anti-hacking
policies for companies using Windows NT. While acknowledging that
system configuration and architecture play a crucial role in security,
the company maintains that Microsoft products are laden with
ISA Members will Receive CERT Warnings for a Fee
The Internet Security Alliance (ISA) is a joint effort between the
Electronic Industries Association and the Software Engineering Institute
at Carnegie Mellon University, which includes the CERT Coordination
Center. Businesses may join for a fee ranging from $2,500 to $70,000
depending on gross revenues; in return, they will receive real-time
Internet security warnings which have until now been available only to
the Defense Department and the General Services Administration. CERT
will continue to make the alerts public 45 days after members receive
them. Critics have expressed concern that the ISA is duplicating
efforts already undertaken by such groups as the Partnership for
Critical Infrastructure, the Internet Software Consortium, and the
An application named "SMBRelay," written by a member of a cracking
group, capitalizes on a flaw in Microsoft's Server Message Block (SMB)
protocol on Windows NT and Windows 2000 machines. The application
hijacks the user's connection and steals password hashes to be decrypted
later. The author blames the security hole on the need for backward
compatibility with workstations that have lower-end security
capabilities. Blocking access via TCP port 139 will stop this hijacking
UK's National Hi-Tech Crime Unit
The National Hi-Tech Crime Unit (NHTCU) will work with local police and
advise government on policy and legislation. The unit currently employs
40 officers and plans to increase that number to 80; Home Secretary Jack
Straw says the government plans to spend 25 million pounds (US$36
million) over three years to fight cybercrime. Critics say that the
NHTCU is underfunded, and that because the Internet is global in nature,
national initiatives will not have much of an effect. However, the unit
could be effective in raising awareness of cybercrime threats. Some
have also expressed concern about citizens' privacy.
Unlike traditional anti-virus software which scans for viruses based on
known signatures, behavior blocking software uses policies to determine
whether code and/or applications are attempting to perform unauthorized
Note: The article describes one instance of behavior
blocking technology. Others include eSafe
http://www.ealaddin.com/esafe/desktop/index.asp and Entercept
http://www.entercept.com/ for Windows,
Argus Pitbull LX
http://www.argussystems.com/feature/pblxinfo.shtml, and SELinux
http://www.nsa.gov/selinux/ and SubDomain
http://immunix.org/subdomain.html for Linux.
Microsoft Internet Security and Acceleration (ISA) Server Vulnerability
A security hole in Microsoft's ISA server 1.0 could allow attackers to
block all web traffic. By sending specific strings of characters to
the server, an attacker could take web sites off line and prevent those
behind the firewall from accessing the web until the server is
restarted. The malicious string could be contained in an image tag in
HTML e-mail, sent to the server from someone behind the firewall, or,
if the server's Web publishing feature has been turned on, sent from
outside the firewall. The exploit does not give the attacker network
access, nor does it allow for the execution of other attacks.
Another BDM Laptop Missing
A British Defense Ministry (BDM) laptop reportedly containing new weapons
system data was left in the back of a taxi; this brings the Ministry's
four-year total to 205 missing laptop computers. The BDM has plans to
equip its workers with special briefcases with built-in tracking devices
and the capacity to erase laptop hard drives if the proper code is not
Security Testing Checklist
Comprehensive security testing includes network topology analysis,
review of policies, practices and procedures, vulnerability assessment,
and both technological and social engineering penetration testing. It
is also helpful to use outside security auditors.
New DoD Cybercrimes Center Position
Brig. Gen. Francis Taylor, commanding general of the Air Force Office
of Special Investigations says the Defense Department (DoD) has created
the position of executive director of the Defense Cybercrimes Center.
In addition to overseeing the DoD's computer forensics lab and
investigator training program, the director will help develop a
long-term strategy for the center, which may include forming an
institute that would function as a resource for private industry and
Americans support e-mail monitoring, study finds
WASHINGTON, April 2 -- A survey released Monday finds Americans are worried about criminal
activity on the Internet and willing to let law enforcement agencies intercept suspects' e-mail despite misgivings about privacy protections.
Hackers say corporate security still poor
VANCOUVER, British Columbia--Companies are paying more attention to safeguarding their digital assets, but the overall state of corporate data security is still poor, said
hackers and security experts attending the CanSecWest conference on Thursday.
Bug Opens Microsoft IE to HTML .exe Attachments
A noted bug tracker isolates a vulnerability in Internet Explorer;
Microsoft releases a patch to plug the hole.
Welsh Hacker Pleads Guilty to Site Break-ins
Experts say "Curador" may evade jail sentence, despite causing $3M in
Privacy Advocate Calls on Congress to Act
Amid the recent online security concerns, Junkbusters.com president
urges Congress to probe online profiling companies.
Microsoft Creates Patch for Digital Certificate Holes
Microsoft scrambles to patch a couple of security holes that a hacker
could exploit to run executable content.
Lingering Bug May Cause April Fools Problems
Some applications, especially in embedded systems, may not have been
patched for the April Fools 2001 bug discovered in 1999.
Australia data warehouse raises privacy concerns (Older Story)
SYDNEY, AUSTRALIA (IDG) -- A massive data warehouse containing information
on more than 15 million Australians is nearing completion.