Published by the IEEE Computer Society
• The Information Security Forum released a study finding that many US companies have spent more than US$10 million to comply with Sarbanes-Oxley regulations, but have seen little improvement in security because they must interpret the law's security implications themselves. Companies are neglecting security practices such as business continuity and disaster recovery in order to devote attention to regulatory compliance. Although compliance should be one part of a larger information security strategy, many companies are neglecting risk management.
• The Pew Internet & American Life Project has released a new survey of US users, finding that 90 percent changed their online behavior after suffering a malware attack. Twenty-five percent say they've noticed new programs on their desktops that they didn't install, and 18 percent say malware changed their browser's homepage. Additionally, 68 percent reported symptoms typical of malware infection, although 60 percent of these respondents didn't know what caused the symptoms. Eighty-one percent have stopped opening attachments in unsolicited email; 48 percent are more cautious about visiting Web sites; 25 percent have stopped downloading files from peer-to-peer networks; and 18 percent have changed browsers to avoid attack. However, users are learning from personal experience rather than following expert advice—only a third of Windows XP users have installed Service Pack 2.
• To limit piracy, Microsoft has implemented Genuine Advantage 1.0, which requires users to validate their copies of Windows before downloading updates, including Windows Update, Microsoft Update for Windows, and the Microsoft Download Center. Security updates will still be generally available. Microsoft started testing Genuine Advantage in September 2004 as a voluntary service, offering users incentives to validate their software.
• Michael Lynn, formerly a security researcher for Internet Security Solutions (ISS), announced a major flaw in Cisco's Internetwork Operating System (IOS) at the July 2005 BlackHat conference in Las Vegas. Cisco IOS is installed on most routers, making it fundamental to the Internet's operations. Lynn demonstrated a takeover of a Cisco router, but didn't reveal the steps he took. Cisco fixed the flaw in April 2005, but didn't want to release details for a year, when its next version of IOS will be ready. Cisco and ISS originally approved of Lynn's presentation, but canceled it at the last minute. Lynn went ahead with it anyway, considering the flaw a matter of national security. Although Cisco and ISS sued, they quickly negotiated a settlement; the US Federal Bureau of Investigation is still investigating the incident.
• Email security firm MX Logic reports that spammers might have found a way to exploit email authentication protocols. Out of 18 million emails that MX Logic filtered in June 2005, 9 percent came from domains using the Sender Policy Framework (SPF), and 0.14 percent contained a SenderID record. However, 84 percent of these emails were spam, suggesting that spammers are using these protocols to make their messages appear trustworthy; most legitimate senders have yet to adopt any sort of email authentication. Scott Chasin, MX Logic's chief technology officer, doesn't believe an email authentication protocol can prevent spammers from spoofing their messages' origins. MessageLabs' Andy Lake agrees, calling SPF and SenderID immature technologies. MX Logic estimates that 62 percent of spam comes from compromised "zombie" computers, whereas MessageLabs has the number at 70 percent.
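The MX Logic finding above rests on a point that is easy to miss: an SPF "pass" only means the sending host is one the domain owner authorized, so a spammer who publishes an SPF record for his own domain passes the check just as a legitimate sender does. The following added example (not code from MX Logic or from the original item) evaluates a simplified SPF record offline against constructed DNS data and then shows why a mail filter must still apply a reputation check after a pass. The domain names, IP ranges, and block list are all constructed; only the `ip4` and `all` mechanisms are handled, since `a`, `mx`, and `include` would need live DNS.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups. The second domain is a
# (constructed) spam sender that has nevertheless published a valid SPF record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-sender.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# Constructed reputation data: the spam domain is listed here even though
# its SPF record is well formed.
DOMAIN_BLOCKLIST = {"bulk-sender.example"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip):
    """Return an SPF result for sender_ip claiming to send for domain.

    Offline simplification of RFC 4408 evaluation: only the ip4, ip6 and all
    mechanisms are implemented; mechanisms that require further DNS queries
    (a, mx, include, exists) are skipped.
    """
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:") or mech.startswith("ip6:"):
            network = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == network.version and ip in network
        else:
            continue  # DNS-dependent mechanism, not evaluated offline
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def classify(domain, sender_ip):
    """Combine the SPF result with domain reputation to reach a filter verdict.

    SPF "fail" means the origin was forged, so the message is rejected. Any
    other result, including "pass", says nothing about whether the domain is a
    spam source, so reputation is checked separately.
    """
    spf = evaluate_spf(domain, sender_ip)
    if spf == "fail":
        return spf, "reject"
    if domain in DOMAIN_BLOCKLIST:
        return spf, "quarantine"
    return spf, "accept"


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.10"),
                    ("example.com", "203.0.113.5"),
                    ("bulk-sender.example", "198.51.100.7"),
                    ("bulk-sender.example", "203.0.113.9")]:
        print(dom, ip, classify(dom, ip))
```

Running the block shows the legitimate sender passing and being accepted, a forged message for the same domain failing and being rejected, and the block-listed domain passing SPF yet still being quarantined: authentication proves who authorized the sending host, and only the reputation step says anything about spam.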
• According to security firm Websense, hackers are increasingly using blogs, photo-sharing sites, and other free online services to disseminate malware. Such attacks spiked in July 2005, with 500 in the first two weeks, more than in May and June combined. Websense recorded a total of 2,500 attacks in the first half of 2005. The attackers lure users to their blogs through email and instant messaging. Once users visit a site, they become infected with malware. Such malicious sites are generally online for only a few days at a time, making them difficult to detect.
• A Swedish law, which went into effect 1 July 2005, bans peer-to-peer (P2P) file-sharing software and forbids sharing copyrighted material, but appears to have had no effect on P2P traffic, according to Niklas Jakobsson, engineer at ISP Netnod. However, download company Inprodicon says it's seen a surge in legal downloads. Swedish police say enforcing the new law isn't a priority, although the country has the largest piracy rate in Europe. Sweden's Antipiratbyrån (APB) has reported more than 200 people to the police for illegally trading copyrighted material.
• The US Senate Commerce Committee has warned P2P vendors to do more to counter piracy on their networks or risk regulation. Senator Barbara Boxer (D-Calif.) calls for filtering to prevent children from accessing objectionable material, but Adam Eisgrau of P2P United argues that filters would affect only closed networks. He also warned that forbidding open P2P networks would have "serious" social, scientific, and educational ramifications. Eisgrau has pushed Congress to hold a summit on P2P use and propose a collective licensing program similar to that used for radio, but the entertainment industry opposes the idea, saying legitimate distributors already have licenses. Additionally, committee chair Ted Stevens (R-Alaska) argued that the US can't pursue pirates abroad if it fails to protect intellectual property at home.
• Michael Kerin, general manager of Australia's Music Industry Piracy Investigations (MIPI), says the Internet industry has its "head in the sand" over the implications of an Australian Federal Court ruling holding an ISP liable for a customer's copyright infringement. Kerin argues the Internet Industry Association (IIA) must provide ISPs with guidance on how to protect copyrighted information. He disagrees with IIA chief executive Peter Coroneos's claim that the factors in the Universal Music vs. Stephen Cooper case were "very unique"—ISPs benefit from whatever content they host, and thus are liable for hosting any infringing content. Kerin also dismissed lawyer Alex Malik's claims that recently instituted safe-harbor immunities would protect ISPs in similar cases. The Federal Court found ISP Comcen liable for Cooper's illegal hosting of music files.
• At an emergency meeting in Brussels, home ministers of European Union member states pledged to reach an agreement by October 2005 on EU-wide laws regarding retention of email and mobile phone data. Such rules have been discussed since April, but many fear that the rules could infringe privacy rights and impose excessive costs on communications providers. French Interior Minister Nicolas Sarkozy and British Home Secretary Charles Clarke consider such rules necessary to prevent terrorist attacks. Under the rules, phone and Internet services would have to keep metadata on communications traffic—though not the content itself—for one to three years. The European Commission says it will present rules on data privacy in September to complement the retention rules. Members of the European Parliament argue that the rules are unnecessary and that law enforcement could obtain relevant data through other means.
• The British House of Commons narrowly voted 314 to 283 to implement a national identity card carrying biometric fingerprints and iris scans backed by a national database. Currently, the identity cards would be voluntary as people renew their passports. Cardholders wouldn't need to carry the card at all times, but would have to supply more than 50 data items, including an address history, to the database. Private companies could use the database to authenticate cardholders. Privacy International argues that better solutions exist to combat fraud and terrorism, and the London School of Economics warns that the plan could cost two to three times more than the government's estimate. Most Britons opposed the national card based on cost rather than civil liberties.
• Security experts warn that the People's Republic of China might be using malware to conduct industrial espionage. Joe Stewart, a researcher for Lurhq, says data gained from reverse engineering the Myfip worm points to a Chinese source for the malware. Marcus Sachs of SRI International and the SANS Internet Storm Center agrees, noting that although Russia and the former Soviet Union seem to be major sources of fraud-related malware, Chinese malware more carefully hides itself, suggesting a strategic use such as corporate espionage. Cyberattacks against Western intelligence agencies have also originated from East Asia.
• US Representatives Joe Barton (R-Texas) and John Dingell (D-Mich.), chair and ranking member of the House Committee on Energy and Commerce, respectively, have submitted a draft bill that would require businesses engaged in interstate commerce to encrypt sensitive personal data and submit their security policies to the US Federal Trade Commission annually. Every company would also have to hire an information security officer and issue national notices of any data breaches for all affected clients. If a breach compromised personal data, companies would have to offer a free credit report and one year of credit monitoring. Although the technology industry usually advises against such regulations, several companies are beginning to support it. Mike Gibbons, Unisys vice president for Federal Security Services, argues that businesses have failed to address consumer demands for better data protection. Another bill, the Personal Data Privacy and Security Act, currently moving through the US Senate, focuses more on establishing penalties for data breaches than on mandating certain security practices.
• The Electronic Frontier Foundation (EFF) warned users that some color laser printers contain code that prints barely perceptible dots on documents that let the US government track them. The codes, originally meant to track counterfeit currency, give the printer's serial number and manufacturer. The EFF notes that only the manufacturers' privacy policies, rather than legislation, determine whether investigators can track down the printer that created a document. The EFF is filing a Freedom of Information Act request on the matter and asking users to confirm their claims by printing test sheets. The American Civil Liberties Union has recently found that the US Federal Bureau of Investigation has collected more than 1,100 pages of documents on the EFF, as well as on Greenpeace and United for Peace and Justice.
• Small private-investigation Web sites are augmenting basic personal information that's readily available on the Internet—including phone numbers and addresses—with data such as social security numbers, lists of phone calls individuals have made, and employment information. Although such disclosure could lead to increased identity theft and fraud, stalking and harassment are also concerns for privacy advocates. Chris Hoofnagle, director of the West Coast office of the Electronic Privacy Information Center (EPIC), states that, in at least one case, an online company sold information that ultimately led to a murder. EPIC filed a complaint on 7 July with the US Federal Trade Commission (FTC) asking that it investigate the practices of this growing market segment.
• The US Federal Bureau of Investigation, along with Spanish police, has arrested 310 people in Malaga, Spain, in connection with a €100 million lottery scam run by Nigerian 419 gangs. Authorities raided 166 homes throughout southern Spain, seizing €218,000, 2,000 mobile phones, 327 computers, and 165 fax machines. The gangs are also responsible for the well-known 419 email scams, which claim to come from a former dictator soliciting help in laundering money and which have claimed 20,000 victims in 45 countries. The arrests, the end result of an investigation begun in 2003, could lead to a drop in spam.
• UK Home Secretary Charles Clarke announced plans to broaden the government's powers to surveil individuals who "foment terrorism, or seek to provoke others to commit terrorist acts," whether through sermons, Web sites, or articles. The Foreign and Commonwealth Office and intelligence agencies will build a database of individuals who provoke terrorism according to criteria Clarke has yet to develop. Religious extremism could also become grounds for deportation or exclusion from immigration.