Published by the IEEE Computer Society
The US Secret Service arrested 28 people from eight states and six countries on charges of identity theft, computer fraud, credit-card fraud, and conspiracy. The Secret Service considers the sting, code-named Operation Firewall, a significant disruption of organized online crime targeting US financial infrastructures. The group allegedly trafficked in 1.7 million stolen credit-card numbers and cost financial institutions an estimated US$4.3 million. Operation Firewall began in July 2003 and quickly grew into a transnational investigation, targeting groups identified as Shadowcrew, Carderplanet, and Darkprofits. The British National High-Tech Crimes Unit, the Vancouver Police Department's Financial Crimes Section, the Royal Canadian Mounted Police, Europol, and officials in Bulgaria, Belarus, Poland, Sweden, the Netherlands, and Ukraine also participated in the investigation.
America Online (AOL) Postmaster Charles Stiles, speaking at the North American Network Operators Group technical conference, criticized Internet providers' antispam efforts and said that AOL would blacklist mail servers if ISPs don't address spam more aggressively. ISPs have reduced spam by blocking Transmission Control Protocol (TCP) port 25 on users' computers, but spammers have started using ISP mail servers for most of their output. Stiles argued for additional tactics, such as filtering outbound email traffic, outbound rate limits, and SMTP authentication for all ISP users. AOL supports such sender-authentication technologies as Sender Policy Framework (SPF) and Sender-ID, but these can't stop spam coming from ISP mail servers. Stiles said AOL plans to use published SPF records for an email white list, and urged ISPs to register their records as soon as possible or risk having their email services blocked.
IDC estimates that the number of cybersecurity professionals will grow to 2.1 million by 2008 at a compound annual growth rate of 13.7 percent from 2003. There were 1.3 million professionals working in cybersecurity in 2004, representing a 14.5 percent increase over 2003—12 percent in the Americas, 11.4 percent in Europe, and 18.3 percent in the Asia-Pacific region. IDC analyst Allan Carey names new technologies, government regulation, and a dynamic threat environment as the drivers of cybersecurity growth. Ninety-three percent of managers hiring cybersecurity staff cite certification as an important factor in hiring decisions. The IDC study is based on responses from 5,371 full-time information security professionals in 80 countries and was commissioned by the International Information Systems Security Certification Consortium ((ISC)²).
German antivirus company H+BEDV Datentechnik ended its partnership with firewall firm SecurePoint over its decision to hire confessed virus writer Sven Jaschan. Tjark Auerbach, chief executive of H+BEDV, says his company can't put SecurePoint's decision to offer a virus writer a second chance over its customers' security concerns. Even if the virus writer is reformed, customers might become suspicious if a SecurePoint firewall lets a virus slip onto a network. Jaschan has confessed to writing the Sasser worm, which is believed to be responsible for 70 percent of virus infections in 2004.
In a two-week test, AvanteGarde found that it takes four minutes for an attacker to take control of a poorly protected computer connected to the Internet. AvanteGarde used six machines for the test. Windows XP Service Pack 1 without a firewall had the worst survival rate, sometimes being taken over completely in less than 30 seconds, with an average survival of four minutes. Windows XP SP1 with Zone Alarm and Windows XP SP2 survived the two-week test without compromise. A machine running the Linspire operating system had the most success, suffering the fewest attacks with only one open port in the default configuration and no compromises. Mac OS X was attacked as often as the Windows machines, but was never compromised.
Richard Lawless, US deputy undersecretary of defense, advised business leaders during a closed-door meeting that China is developing cyberattacks to use against Taiwanese utilities, communications networks, and other critical infrastructures in the event of a war. Military assessments of a possible Chinese invasion of Taiwan usually focus on conventional weapons, such as destroyers, airplanes, and missiles, but some analysts have noted that China could use cyberattacks to gain an advantage against US forces should they attempt to aid Taiwan. A cyberattack could disrupt communications, operations, and morale.
China's government has confirmed that it has closed 1,600 Internet cafes and fined operators a total of US$12 million since March 2004, when it began an increased crackdown on Internet pornography. Reports indicate that in addition to the 1,600 cafes that have been permanently closed, 18,000 have been temporarily closed for rectification. Zhang Xinjian, deputy director of the Chinese Ministry of Culture's market department, said that pornography and other objectionable content have adversely affected the healthy development of the Internet in China.
Fyodor, the programmer responsible for the popular freeware hacking tool Nmap, is warning users that the US Federal Bureau of Investigation is seeking access to information from the server logs of his download site, insecure.org. In a message to his mailing list, Fyodor warned that he might have to comply with properly served subpoenas, though he will fight such actions. Nmap is a popular port scanner used by both hackers and security professionals.
Judge Cynthia Rufe of the US District Court of Eastern Pennsylvania has ruled that ISPs must inform alleged file traders of their legal rights before providing their personal data for music industry lawsuits. The ruling adds further requirements to slow down the Recording Industry Association of America's (RIAA) litigation campaign, after a previous ruling barred record labels from obtaining the names of file traders without a court order. RIAA spokesman Jonathan Lamy says the music industry has always encouraged ISPs to inform users of pending subpoenas and notes that nothing in Rufe's decision protects illegal file sharers from copyright laws. ISPs must also include a list of attorneys and information on how users can challenge a subpoena. Notices must also clarify that the RIAA must establish that the court issuing a subpoena has jurisdiction over the defendant.
The US's November 2004 elections raised questions about the use of electronic voting machines, but little controversy. Some districts reported machine errors—one machine in Columbus, Ohio, awarded incumbent President George W. Bush with 4,258 votes, though only 638 voters used the machine. Another machine in South Carolina simply lost 4,530 votes. Statistical studies have found correlations between e-voting machines and higher than expected vote counts for Bush in New Hampshire and Florida. However, a recount confirmed the New Hampshire results, whereas the Florida study suffered from flawed methodology. Nonetheless, election irregularities have sparked enough concern to launch a Government Accountability Office investigation into e-voting machines' security and accuracy.
A little-noticed provision in the Transportation, Treasury Appropriations Act of 2005, a US$388 billion omnibus appropriations bill, would require every federal agency to appoint a chief privacy officer. Senator Richard Shelby (R-Ala.) added the provision to the spending bill. Law professor Peter Swire, formerly President Bill Clinton's chief privacy counselor, argues that the provision could be too broad because different agencies have different privacy issues. Representative Tom Davis (R-Va.) has introduced a bill to repeal the provision, arguing that privacy is already the responsibility of chief information officers and that adding a chief privacy officer would only complicate bureaucracy. Currently, Homeland Security is the only agency required to have a chief privacy officer.
The United Kingdom is moving toward implementing a biometric national identity card. Her Majesty Queen Elizabeth II endorsed a Labour Party proposal for national identity cards during the Queen's Speech before the House of Lords. A bill authorizing the identity card program has also received the Conservative Party's support, although some Tories, such as Shadow Home Secretary David Davis—the opposition party's counter to the Labour Party's cabinet minister—have expressed concerns over civil rights and privacy. Information Commissioner Richard Thomas doubts whether the plan adheres to data-protection laws. The identity cards would be compulsory under the Labour plan, which includes a controversial National Identity Register of all citizens.
A survey of 1,000 US consumers commissioned by Electronic Data Systems and the International Association of Privacy Professionals finds the public is increasingly accepting the use of biometrics for identification. Two-thirds of US consumers said they were open to using fingerprints or iris scans to verify their identity, and 90 percent cited convenience as a reason to support the technology. Biometrics could also prove useful for security, as 60 percent of those surveyed said they give out personal information, such as addresses and account numbers, in response to an unsolicited email or phone call.
A coalition of US technology firms, ISPs, banks, e-commerce firms, and law enforcement agencies has created Digital PhishNet (www.digitalphishnet.org) in an effort to fight phishing. High-profile participants include Microsoft, America Online, EarthLink, nine of the US's top 10 banks and financial institutions, the FBI, the Secret Service, and the Federal Trade Commission. Digital PhishNet will facilitate reporting of phishing attacks and help law enforcement track down cybercriminals. Dan Larkin, the unit chief at the FBI's Internet Crime Complaint Center, says Digital PhishNet will facilitate critical data collection among numerous phishing targets and provide that information to law enforcement in real time.