Published by the IEEE Computer Society
The Delicate Balance: Security and Privacy
Corporate Security Under Siege
In June, the US House Oversight committee received a US Department of Homeland Security progress report on the National Cybersecurity Strategy's implementation. The report shows both progress and remaining work in implementing the strategy, which was issued early last year. It also shows that an assessment of vulnerabilities to critical infrastructures is targeted for 2005, with a process for assessing Internet weaknesses due later this year. Perhaps the most publicized achievement in the report is the establishment of a public–private structure for responding to national-level cyber incidents by designating the US Computer Emergency Readiness Team (US-CERT) as the department's cybersecurity operational body. Carnegie Mellon University-based US-CERT, which launched a national cyberalert system in January 2004, now includes the former Federal Computer Incident Response Center.
Europe's emerging digital media market is crippled under red tape and mounting copyright levies, according to a group of technology firms. Groups representing software and consumer electronics manufacturers told European Commission members that obstacles must be overcome if new online music and video download services are to survive. The group recommends that the commission develop a single, EU-wide license and cap charges that increase digital media player prices. The technology industry also wants the commission to look at streamlining royalty collection and developing an industry-recognized standard for digital rights management—necessary for protecting media from digital piracy.
The US House of Representatives' Energy and Commerce subcommittee voted unanimously for a bill that requires Internet spyware suppliers to notify users before loading new software on their machines. The bill, introduced by Representatives Mary Bono (R-California) and Ed Towns (D-New York), would allow the US Federal Trade Commission to seek millions of dollars in fines for logging users' keystrokes or stealing their identities. It also would require that spyware be easily removable.
The Induce Act, a bill introduced in mid-June in the US Senate, would reshape copyright law by prohibiting file-trading networks and some consumer electronics devices because they could be used for unlawful purposes. If passed, it would make whoever "aids, abets, induces (or) counsels" copyright violations liable for those violations. The act represents copyright holders' latest legislative attempt to address the growing threat of peer-to-peer networks common with pirated music, movies, and software. Induce stands for "Inducement Devolves into Unlawful Child Exploitation," a reference to Capitol Hill's oft-stated concern that file-trading networks are a source of unlawful pornography.
A US House of Representatives bill, HR107, would overturn a major provision of the Digital Millennium Copyright Act of 1998 (DMCA), which bars consumers from circumventing encryption on digital media products even if they only intend to make copies for personal use. It aims to "amend the Federal Trade Commission Act to provide that the advertising or sale of a mislabeled copy-protected music disc is an unfair method of competition and an unfair and deceptive act or practice, and for other purposes." DMCA was intended as a way to stop piracy, but critics say it gave copyright holders far more control than intended while eroding Americans' fair use rights. They also worry that the law has criminalized otherwise innocent activities, such as making a personal copy of a purchased CD, or trying to get a DVD to play on a computer running Linux.
US Senator John Kerry (D-Massachusetts) unveiled his plan for a US$30 billion package of technology investments during a policy speech in San Jose, California in late June. Kerry, the Democratic Party nominee for US president, said if elected he would create tax incentives to invest in startups, research and development, and broadband networks for rural areas and cities. Kerry also said he would spend the money to create high-tech jobs—and would finance that by selling unused TV transmission spectrum after the country moves from analog to digital television. Kerry also proposed equipping all first responders to emergencies—such as police and firefighters—with broadband connections by the end of 2006. Although high-speed Internet service in homes and small businesses grew by 42 percent last year to 28.2 million lines, Kerry said the US ranks 10th in the world in adopting broadband.
The US Computer Emergency Readiness Team (US-CERT) warned Web users in late June to stop using Microsoft's Internet Explorer browser. US-CERT updated its earlier advisory, which had already recommended alternative browsers because of significant vulnerabilities in technologies embedded in IE. According to US-CERT, IE does not adequately validate the security context of a frame after a Web server has redirected it: the browser continues to treat the frame as belonging to the domain it was originally pointed at rather than the domain actually loaded, which lets an attacker execute script across security domains.
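The flaw described above is a failure to recompute a frame's security context after a redirect. The following is an added example, not code from the original article or from US-CERT: it models the decision a browser must make before letting a page's script touch a frame, once from the URL the page asked for (the bug class) and once from the URL actually loaded. The host names and the redirect table are constructed for illustration.

```javascript
// Added example, not code from the original article or from US-CERT: a small
// model of how a browser should decide whether script in a page may touch a
// frame, recomputing the frame's origin from the URL actually loaded after a
// server redirect rather than from the URL the page asked for.
// The host names and the redirect table are constructed for illustration.

// Origin is scheme + host + port, the key the same-origin policy compares.
// `URL` is the WHATWG URL class, global in browsers and in Node.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // host keeps a non-default port
}

// Stand-in for HTTP 3xx responses from a server (constructed).
const REDIRECTS = {
  "http://attacker.example/fwd": "https://bank.example/account",
};

// Follow redirects the way the network layer does, with a hop limit.
function resolveFinalUrl(urlString, maxHops = 5) {
  let current = urlString;
  for (let hop = 0; hop < maxHops && REDIRECTS[current]; hop++) {
    current = REDIRECTS[current];
  }
  return current;
}

// A frame remembers both the URL that was requested and the URL it holds now.
function loadFrame(requestedUrl) {
  return { requestedUrl, finalUrl: resolveFinalUrl(requestedUrl) };
}

// The bug class in the advisory: deciding from the pre-redirect URL, so the
// page keeps script access to a frame that now displays another site.
function canScriptFrameFlawed(pageUrl, frame) {
  return originOf(pageUrl) === originOf(frame.requestedUrl);
}

// The correct decision: the frame's security context is the origin of the
// document actually loaded into it.
function canScriptFrameCorrect(pageUrl, frame) {
  return originOf(pageUrl) === originOf(frame.finalUrl);
}

function demo() {
  const page = "http://attacker.example/index.html";
  const frame = loadFrame("http://attacker.example/fwd");
  return {
    finalUrl: frame.finalUrl,
    flawedAllows: canScriptFrameFlawed(page, frame),
    correctAllows: canScriptFrameCorrect(page, frame),
  };
}

console.log(demo()); // { finalUrl: 'https://bank.example/account', flawedAllows: true, correctAllows: false }
```

The point of the model is that the same-origin decision must be taken against the document the frame ends up holding; any cache of the originally requested origin becomes stale the moment the server answers with a redirect.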
The Anti-Phishing Working Group reported that the number of unique phishing attacks (in which forged email purporting to come from a legitimate business directs Internet users to fraudulent Web sites that harvest account credentials) increased six percent in May 2004 to 1,197, an average of 38.6 reports each day, slightly higher than in April. Financial services companies continued to be the primary target of the scams, and Citibank customers were the most frequent target. The group, which is sponsored by Microsoft, VeriSign, and antispam company Tumbleweed Communications, also said that scams impersonating eBay and PayPal (an eBay company) were rampant in May.
The UK Home Office says it will install iris-scanning technology in major UK airports to speed immigration checks for frequent travelers in and out of the UK and to increase security. Travelers must register in advance, and only those who have previously complied with UK immigration law will qualify. Sagem, based in France, will provide the Iris Recognition Immigration System. The first installation will be at Heathrow, with four other airports joining in 2005. The Home Office expects more than one million people to be registered to use the system within five years.
The US Department of Homeland Security's Chief Security Officer Jack Johnson said that the DHS is facing a daunting task in deploying the Homeland Security Data Network. HSDN was envisioned to be at a level of security matching the Defense Department's Secure IP Router Network by the end of the year, and will be used for disseminating classified intelligence throughout the department and to other agencies. Much of the work must be outsourced, which is difficult because of the small pool of qualified personnel with the necessary security clearances in the private sector. The problems facing data sharing are not just technical—intelligence agencies whose product is supposed to be distributed to other federal agencies and state and local governments are requiring assurances that the data will be handled securely. These assurances are complicated; many agencies now under the umbrella of the DHS did not have intelligence roles before the department was created last year. Organizations such as the Federal Emergency Management Agency will now require access to classified data that did not cross their desks before.
India is trying to improve data protection in its booming software and outsourcing sectors. Officials of the National Association of Software and Service Companies said they will work with customers, regulators, and police to strengthen data protection for work outsourced to India. India exported US$12.5 billion of software and services in the year to March 2004, up more than 30 percent from the previous year.
The state-funded Korea Information Security Agency (KISA) signed a contract with Microsoft in late June, creating a joint effort against virus and hacking attacks (a memorandum of understanding was signed last November for the alliance). Microsoft will send computer security professionals to train KISA officials and other Internet service providers. KISA will make efforts to jointly develop applications with Microsoft to curb the spread of spam.
America Online, BT, Comcast, EarthLink, Microsoft, and Yahoo have joined to form the Anti-Spam Technical Alliance (ASTA), which aims to fight spam by using existing technology and best practice rather than just looking for future technical solutions. Their statement of intent outlines best practices; they plan to update this document as necessary. Its first suggestion is that all providers remove open relays from their systems. It also calls on email providers to do a better job of informing users how they can combat spam. The group is examining ways to provide secure email identity.
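ASTA's first recommendation, removing open relays, comes down to one decision a mail server makes on every RCPT TO command. The following is an added example, not code from the original article or from ASTA's document: it models that decision for a provider's MTA, with the open-relay setting beside the restricted one, so that the definition of an open relay (accepting mail from an outside client to an outside domain) is explicit. The network ranges, domains, and test addresses are constructed.

```javascript
// Added example, not code from the original article or from ASTA: a model of
// the RCPT TO decision that separates an open relay from a properly restricted
// mail server. Network ranges, domains and addresses below are constructed.

// Parse dotted-quad IPv4 into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if `ip` falls inside the CIDR block `cidr` (e.g. "192.0.2.0/24").
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(net) & mask);
}

// Domain part of an RFC 5321 address, lower-cased for comparison.
function recipientDomain(addr) {
  const at = addr.lastIndexOf("@");
  if (at < 0) throw new Error(`bad address: ${addr}`);
  return addr.slice(at + 1).toLowerCase();
}

// Policy for a provider's MTA (constructed): which client networks it relays
// for, which domains it accepts mail to, and whether it relays for anyone.
const POLICY = {
  myNetworks: ["127.0.0.0/8", "192.0.2.0/24"],
  localDomains: ["isp.example", "mail.isp.example"],
  openRelay: false, // the weak setting ASTA wants removed is `true`
};

// SMTP-style reply for one RCPT TO from one client.
function rcptDecision(policy, clientIp, rcpt) {
  const toOwnDomain = policy.localDomains.includes(recipientDomain(rcpt));
  const fromOwnNetwork = policy.myNetworks.some(c => inCidr(clientIp, c));
  if (policy.openRelay) return { code: 250, reason: "relaying for anyone (open relay)" };
  if (toOwnDomain) return { code: 250, reason: "recipient domain is local" };
  if (fromOwnNetwork) return { code: 250, reason: "client is in our own networks" };
  return { code: 554, reason: "Relay access denied" }; // outside client, outside domain
}

// The test an open-relay scanner performs: an outside client sending to an
// outside domain must be refused.
function isOpenRelay(policy) {
  return rcptDecision(policy, "203.0.113.5", "someone@elsewhere.example").code === 250;
}

console.log("restricted policy is open relay:", isOpenRelay(POLICY));                 // false
console.log("open policy is open relay:", isOpenRelay({ ...POLICY, openRelay: true })); // true
```

Mail from the provider's own address ranges and mail addressed to its own domains are both accepted; only the combination of an outside client and an outside recipient domain is refused, which is exactly the case a spammer relies on.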
MessageLabs, an email filtering firm, reported that May 2004 was the worst month for spam on record. Of the 909 million inbound emails that MessageLabs Anti-Spam service scanned, 691.5 million were intercepted as spam—76 percent.
The Electronic Privacy Information Center (EPIC), a public-interest organization, has filed a lawsuit in US federal court against the US Transportation Security Administration and the US Justice Department seeking the immediate release of information about government efforts to collect airline passenger data following the 9/11 attacks. The organization charges that TSA and the FBI have failed to adequately respond to Freedom of Information Act (FOIA) requests and have wrongfully withheld records. The complaint alleges that TSA violated statutory time limits in responding to three separate FOIA requests. Several agencies and airlines have disclosed that they have collected and shared personal information about airline passengers since 9/11: JetBlue Airways shared more than five million passenger records with a Pentagon contractor in 2002, Northwest Airlines gave three months' worth of 2001 passenger data to NASA's Ames Research Center for use in a passenger profiling project, and an American Airlines contractor, Airline Automation, gave 1.2 million passenger records in June 2002 to four companies competing for TSA contracts. Most recently, the FBI has said that it ordered the nation's largest airlines to turn over millions of passenger records from the days after the terrorist attacks as part of a criminal investigation.