Published by the IEEE Computer Society
• The US Environmental Protection Agency's (EPA) inspector general released a report finding that water utilities have deployed Supervisory Control and Data Acquisition systems that leave water supplies vulnerable to cyberattacks. The report attributes the weak security to high costs, inability to check employee backgrounds, and poor communication between engineers and management. EPA water chief Benjamin Grumbles says the agency is working—with help from the US Department of Homeland Security—to provide cybersecurity tools and create a secure Web site for publishing security-related information.
• According to search engine expert Duncan Parry, creative director at Position Driver, a simple Google search can reveal thousands of security webcams accessible online, many of them private and confidential. Parry says that Google isn't to blame for providing access to these devices; Web administrators should keep webcam pages password protected and direct search engines to use the robots.txt file to stay away from them.
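One way to turn Parry's advice into a routine check, as an added example that is not from Parry or the article: it runs Python's standard robots.txt parser over a constructed robots.txt and a constructed table of what an unauthenticated request to each camera page returned (every path and status code here is an assumed sample value), and flags any page that search engines may still index or that is still served without credentials.

```python
"""Audit whether camera pages are both excluded from crawling and behind authentication."""
import urllib.robotparser

# Constructed robots.txt, as a site administrator might publish it (not from the article).
ROBOTS_TXT = """\
User-agent: *
Disallow: /webcam/
Disallow: /cgi-bin/camctrl/
"""

# Constructed results of an unauthenticated GET against each camera path (sample values):
# 401 means the page demanded credentials, 200 means it served the view to anyone.
UNAUTH_STATUS = {
    "/webcam/lobby.html": 401,
    "/webcam/loading-dock.html": 200,
    "/cgi-bin/camctrl/ptz.cgi": 200,
    "/view/view.shtml": 200,
}


def crawlable_paths(robots_txt, paths, agent="*"):
    """Return the paths that robots.txt still allows the given crawler to fetch."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return [p for p in paths if rp.can_fetch(agent, p)]


def audit(robots_txt, status_by_path):
    """Return {path: [findings]} for every camera path with a weakness.

    robots.txt is advisory only: a well-behaved search engine honours it, but a visitor
    who already knows the URL is stopped only by the authentication requirement.
    """
    findings = {}
    crawlable = set(crawlable_paths(robots_txt, list(status_by_path)))
    for path, status in status_by_path.items():
        issues = []
        if path in crawlable:
            issues.append("indexable: not covered by a robots.txt Disallow rule")
        if status != 401:
            issues.append("unauthenticated: served without credentials")
        if issues:
            findings[path] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit(ROBOTS_TXT, UNAUTH_STATUS).items():
        print(path, "->", "; ".join(issues))
```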
• Chinese hackers recently attacked the homepage of Japan's Yasukuni Shrine via email, forcing it offline 1 January 2005. Japanese Prime Minister Junichiro Koizumi's visits to Yasukuni, a Shinto shrine dedicated to Japanese soldiers who died in World War II, have created tensions in relations with Beijing. Kuninori So, an analyst for the Cyber Defense Institute in Tokyo, says the attacks appear well organized and correlate with the state of Sino-Japanese relations. To prevent such attacks, Japan plans to establish a government cyberdefense unit—although the Chinese attacks have caused minor problems, Japan is more concerned about cyberattacks against critical infrastructures by Islamist militants or North Korea.
• French security researcher Guillaume Tena, who discovered several vulnerabilities in Tegam's Viguard antivirus software, faces imprisonment and fines under French copyright laws. Tena, who currently works at Harvard University, published his research online in March 2002, leading Tegam to pursue criminal and civil lawsuits seeking a four-month prison term, a £6,000 fine, and £900,000 in damages. According to Tena's Web site, his research demonstrated how the program worked and revealed a few security flaws. Because the published exploits included some re-engineered source code from Viguard's software, a judge ruled he violated French copyright laws.
• Detective Constable Tony Noble of the Surrey Police Computer Crime Unit, speaking at the Computer and Internet Crime Conference in London, said many reported cybercrimes aren't investigated due to "an accountancy culture" within the police force. Noble says he has to personally battle for funding if a company brings him a case to investigate, and crimes that cost as much as £100,000 (US$186,000) often go unsolved. Noble's current budget isn't enough to provide a car to visit sites all over Surrey, and he often has to hire outside experts due to a lack of expertise on the police force. Although each of the UK's 45 constabularies has a dedicated cybercrime investigator, these might be the only individuals at each constabulary able to understand reported crimes' technical details. Also, areas of expertise differ among cybercrime investigators.
• During a panel discussion at the Secure Software Forum, several technology companies, including Microsoft and Oracle, criticized universities, arguing that computer science students are graduating without an understanding of secure programming practices. However, several security researchers have also criticized industry for hiring programmers without regard for security skills. To address the need for security-conscious programmers, Microsoft has pledged US$700,000 this year to 10 universities to create trustworthy-computing curricula; government agencies, such as the US Department of Defense and the US National Security Agency, have launched similar programs. Oracle's CSO Mary Ann Davidson has argued for better software tools to help programmers find errors. However, Fred Rica of PricewaterhouseCoopers said that companies must be willing to pay for security before they can get it; a Gartner study found that although many companies consider the lack of skilled programmers a top concern, developer training is second to last in their budgets in terms of spending.
• Internet service provider association London Internet Exchange (LINX) warns that a European Union proposal to require ISPs to retain massive data on their users' online activities would significantly increase the costs of consumer services. The EU Council of Ministers is considering a framework that would require ISPs to retain data on whom their customers call and email, and even where a phone call originated. Because many broadband users have always-on connections, the framework could require ISPs to record when customers use those connections. The EU has amended the proposal to remove limits on how long governments can require ISPs to retain the data. However, the proposal doesn't include government funding for data retention, so consumers would absorb the costs.
• The Higher Regional Court in Karlsruhe, Germany ruled on 17 January 2005 that selectively filtering email from a specific sender might be illegal. The court says that blocking email by content is unlawful because the content is considered confidential under German law. Email blocking is only legal under circumstances such as imminent viral attack. This ruling's implications aren't yet known, but some worry that it could unintentionally legalize spam. The ruling came in response to a case in which a university in Baden-Württemberg blocked the email of a former employee—who left after a quarrel with his peers—without informing the individual or his former coworkers.
• US Federal Bureau of Investigation agent Ed Gibson, an assistant legal attaché to the US Embassy, says national boundaries are still an obstacle to law enforcement. Speaking at the Computer and Internet Crime Conference in London, Gibson said international borders can delay law enforcement for months, and criticized ISPs and their regulators for doing little to help. He said many large US-based ISPs are using domestic laws to distance themselves from their UK responsibilities, and he questioned why they aren't required to conform to UK laws. According to Gibson, 80 percent of global email traffic goes through US mail service providers, and finding a way to access the relevant data would be invaluable to law enforcement.
• US federal appeals judge David Sentelle, commenting on a high-profile lawsuit with grand jury subpoenas sent to Time Magazine and The New York Times reporters, argued that drawing a line between journalists and bloggers could be impossible. This might mean that the widely recognized right of reporters to protect their sources' anonymity could also extend to "the stereotypical 'blogger' sitting in his pajamas at his personal computer." Attempts to draw a line could create an established, licensed press, whereas refusal to do so could create the potential for increased leaks—that is, any government official could ask a friend to set up a Web log to leak a story under the promise of confidentiality. Sentelle concludes that due to these issues, traditional journalists shouldn't enjoy the privilege of protecting their sources from grand jury subpoenas.
• An industry panel at the recent RSA Security Conference debated the pros and cons of regulating the software industry for greater cybersecurity, with mixed opinions on whether such regulation could be effective or would stifle innovation. Harris Miller, president of the Information Technology Association of America (ITAA), said regulation is often "the enemy of innovation." Rick White, a former congressman and current chief executive of TechNet, called for the industry to establish best practices for software development, arguing that Congress can't solve the problem as well as industry. Richard Clarke countered that industry has never adhered to its self-imposed guidelines in the past. Bruce Schneier called for financial incentives for companies to test product security before release.
• The US Senate has unanimously approved federal judge Michael Chertoff as the new Secretary of the Department of Homeland Security (DHS) with a 98-0 vote. The vote was delayed while Senator Carl Levin (D.-Mich.) demanded that the Justice Department provide uncensored versions of US Federal Bureau of Investigation memos regarding the Bush administration's torture policies. Although the department rejected the request, Levin did vote for Chertoff's appointment.
• Britain's National Health Service (NHS) National Programme for Information Technology (NPfIT) says patients can opt out of having their records kept in databases only in "extreme circumstances." However, this statement runs counter to NPfIT's previous position, which held that patients could opt out of having their records shared among health agencies but couldn't opt out of any database. The new position allows patients to opt out "if someone can show that having their information held electronically on NHS databases will cause them or someone else unwarranted substantial damage or distress." According to NPfIT, physicians must have adequate notes to treat patients, and future notes will be kept electronically. Opting out of sharing means patients' health data would still be held in a national database, but locked down to prevent others from accessing it. Patients can also use the "patient-sealed envelope" to keep certain data hidden from view.
• The Anti-Phishing Working Group (APWG) reports that phishers are starting to favor keylogging Trojans over social engineering attacks. November 2004 saw a 28 percent growth in phishing attacks, with 1,518 active spoof sites. The sites lasted an average of 6.2 days and targeted 51 companies. Phishers are starting to use botnets, zombie computers, and keyloggers for more sophisticated technological attacks, and the APWG warns that the trend will only increase in 2005. Although 75 percent of attacks target financial institutions, any large company in a financial relationship with its customers can be a target, as attacks against EarthLink and MSN customers show.
• Although identity theft is a major Internet security issue, the majority of financial loss from fraud occurs offline. According to a new study by the Better Business Bureau, the average case of fraud over the Internet costs US$551, whereas fraud through paper statements averaged US$4,543. The study concluded that Internet fraud wasn't as costly or widespread as once thought, and said the total amount of money lost to identity fraud in 2004 was the same or less than in 2003, at US$52.6 billion from 9.3 million victims. James Van Dyke, founder of Javelin, who assisted in the study, said the numbers indicate that fears about online identity fraud might be disproportionate to the relative risk.
• A recent Capgemini study of European consumers found that more than half believe radio-frequency identification (RFID) tags are a privacy threat and say privacy protection legislation would make them more likely to purchase RFID-tagged products. Nearly 75 percent of British respondents and 59 percent of all respondents feared the tags could be used to share their personal data with third parties or monitor them after they leave stores with the products, possibly for use in direct marketing.
• Canada's auditor general Sheila Fraser has released a report warning that "significant weaknesses" in government computer systems put citizens' personal information at risk of identity theft, potentially eroding public confidence in government. The report criticizes the government for failing to adhere to its own minimum standards for protecting confidential data. However, Fraser didn't advise Canadians to avoid using online services—she says she'll even file her taxes electronically. A survey of 90 departments and agencies found that 16 percent didn't have an information security policy, that 33 percent of the policies that did exist weren't approved by management, and that more than 25 percent of departments had no business continuity plan for major disasters. Fraser has recommended that departments develop action plans for complying with security requirements.
• The Australian federal government plans to test a national document verification system—which its Office of the Privacy Commissioner helped develop—to combat identity theft-related crimes, such as money laundering, welfare fraud, and terrorism. Twenty-four agencies and departments are currently discussing using the program, which will let agencies authenticate certain documents, such as birth certificates and passports, online. However, agencies won't be allowed to access private information from other agencies. Banks have requested the ability to use the system, but the government has made no decision on the request.
• According to two congressional reports that the Electronic Privacy Information Center (EPIC) has obtained, the US Federal Bureau of Investigation didn't use its DCS-1000 Carnivore Internet surveillance system at all in 2002 and 2003, and instead relied on commercially available tools. Carnivore became public knowledge in 2000 after an ISP sued the FBI for using the system to obtain email headers without a wiretap warrant. Congress legalized the practice in Section 216 of the USA Patriot Act, letting the FBI collect information on communication routing, but not its content. The reports listed 13 cases in which the FBI used commercial technology for Internet surveillance, ranging from such crimes as mail fraud to providing material support to terrorists. However, the reports don't include cases involving espionage and foreign terrorism, or list cases for which ISPs provided the necessary equipment.