Published by the IEEE Computer Society
• Identity management firm RSA Security announced deals with Unicredit Banca of Italy and the National Bank of Abu Dhabi to move customers to two-factor authentication within 18 months. Many experts consider two-factor authentication the next step for online banking. Most agree that customer demand for tighter security will drive the change to stronger authentication. Research firm Forrester has noted the "correlation between the adoption of online banking and the deployment of two-factor authentication."
• Splog, the blog equivalent of spam, hit Google's blog-creation tool, Blogger, and the BlogSpot hosting service with the largest assault seen so far. To manipulate search engine results, an attacker used automated tools to create thousands of fake blogs loaded with links to specific mortgage-industry Web sites. The attack also flooded RSS feed readers and email with alerts. The extent of the attack and the methods used to mount it show that splogging is a growing threat. PubSub and IceRocket.com plan to stop indexing sites made with Blogger until a fix has been implemented. Some are calling for Google to shut down Blogger because of its insufficient security protection.
• Microsoft and Yahoo announced that by the middle of 2006 they will make their instant messenger (IM) services interoperable, so users will be able to exchange instant messages, share contact lists, and make PC-to-PC voice calls. However, experts warn that the integration could channel a massive IM worm outbreak. According to Imlogic, the number of threats detected for IM and peer-to-peer networks—the majority of which were aimed at MSN Messenger—rose more than 3,295 percent in the third quarter of 2005. The two companies have pledged to keep consumer safety and security top priorities.
• Researchers at Pennsylvania State University have published a paper explaining how a denial-of-service (DoS) attack could succeed against mobile phone networks by overwhelming mobile phones with text messages. The researchers warn that large cities could lose service with "little more than a cable modem" and cellular service in the entire US could be disrupted using a medium-sized zombie network. However, security experts doubt such a model's feasibility, saying it would be difficult to obtain individual phone numbers in a specific zone, and that the attack would eventually defeat itself because the attacking messages wouldn't go through the network after a certain point.
• A survey of 36 large ISPs in the US, Europe, and Asia has found that the predominant security threat to ISPs is distributed denial-of-service (DDoS) attacks. According to Arbor Networks' Worldwide ISP Security Report, "simple 'brute force' TCP SYN and UDP datagram DDoS floods from zombie PC networks [are the] biggest day-to-day hassle" for 90 percent of survey respondents. Worms and Domain Name System (DNS) poisoning were ranked second and third, respectively, although worms create the greatest initial threat to Internet traffic. Surprisingly, fewer than 30 percent of the ISPs have automated DDoS countering and tracing services.
• The UK's Identity Cards Bill has come under attack from Parliament over the amount of personal information the National Identity Register (NIR) would store and its lack of data protection. To keep public servants from accessing the data, the House of Lords requested that an independent body be appointed as custodian of NIR data. Another concern is that the NIR could be used to "track everything an individual does." Even though one report warns that the "stated aims of the ID card scheme do not justify the huge invasion of privacy it will cause," the bill was passed in the House of Commons and began a "rocky passage" through the House of Lords on 31 October 2005.
• A new US Federal Communications Commission (FCC) ruling that extends the Communications Assistance for Law Enforcement Act (CALEA) to VoIP services is meeting opposition. CALEA sets standards that all phone service providers must meet so law enforcement agencies can place wiretaps. The new rules affect VoIP services that dial into and accept calls from traditional phone networks, including those using peer-to-peer architecture lacking central servers. Voice applications that have no contact with the public network, such as instant-messaging telephony, are exempt. Aside from being costly, critics say the rules will stifle innovation in the nascent Internet telephony industry. The Electronic Frontier Foundation and the Center for Democracy and Technology plan to file lawsuits contesting the FCC's authority to apply CALEA to the Internet.
• Once Canada adjusts its data handling to "comply with European data-protection laws," European airlines will provide Canadian authorities with details about incoming passenger identities. The agreement is described as maintaining data-protection standards while also increasing joint action against terrorism. The European Commission says the deal will commit Canada to collecting less personal data from Europeans and adhering to higher data-protection standards than the similar deal Canada has with the US.
• Former White House cybersecurity adviser Howard Schmidt, speaking at SecureLondon 2005, allegedly argued that software developers should be held personally responsible for writing secure code and receive training in safer programming practices. "Most university courses traditionally focused on usability, scalability, and manageability—not security," he said. The British Computer Society (BCS) agrees with the general direction of the sentiment, but says that companies, rather than individuals, should be held responsible. The BCS also points out that developers can't control code after it's released, and that users must bear some responsibilities, such as installing security patches. Schmidt has since said he was misquoted.
• Estonia is testing electronic voting for local elections. For three days before the elections, voters will be allowed to cast ballots through a protected Internet site. Each voter will use a microchip-equipped ID card with a PIN; the card is slid through an electronic card reader attached to the voter's computer. If electronic voting is successful in the local elections, Estonia will use it for national elections in 2007.
• The Australian High Court has ruled that copyright law doesn't prohibit users from installing modified chips on game consoles. The High Court found that a modified chip doesn't bypass technological protection on game consoles as defined in Australia's Copyright Act and that loading part of a game onto the console's RAM doesn't constitute making a copy. The ruling marked the end of a lawsuit Sony Australia filed in 2001 against Eddy Stevens for selling modified PlayStations. However, the court ruling was based on an older definition of copying; the Copyright Act has since been amended as part of the Australia-United States Free Trade Agreement (AUSFTA) so that loading a game into RAM could be considered a form of copyright infringement. This interpretation remains untested.
• Bloggers in Singapore and Malaysia are concerned that the arrest of three Singaporeans could signal a government crackdown on blog comments. Benjamin Koh Song Huat, 27, and Nicholas Lim Yew, 25, were arrested in Singapore on charges of sedition for posting racial slurs in blogs, while an unidentified 17-year-old is also being investigated. Both Singapore and Malaysia keep tight controls on their media, but haven't devoted much attention to blogs because bloggers can be anonymous. Both countries have an ethnically diverse population and consider media controls necessary to preserve the peace between ethnic groups.
• The Missouri Department of Transportation is finalizing a contract with Delcan to monitor thousands of cell phones, using their movements to map traffic conditions statewide. State officials claim that owners of individual cell phones will remain anonymous, but privacy advocates are nervous that the system might later be used to track fugitives or drivers who violate the speed limit. Once the contract is completed, it'll take an estimated six months to implement and test the project.
• Several sources say the risk of identity theft has been exaggerated. Widespread media reports create the perception of rampant hackings and corporate blunders, but few people whose personal information has been exposed are ever victimized. Twice as many people get into car accidents as become victims of identity theft. In addition, 63 percent of identity fraud happened as a result of "traditional" methods, such as stolen wallets, according to Javelin Strategy & Research. Still, 80 percent of Americans are afraid of identity fraud, and nearly half of registered voters shy away from doing business online because of it, even though only 12 percent of identity fraud cases occurred due to the victim's online activity.
• The Electronic Frontier Foundation says it has deciphered a code of colored dots that Xerox places in documents printed with DocuColor. Under an agreement with the US federal government, Xerox agreed to program its printers to encode dots on all documents so that federal investigators could track the source of counterfeit currency. The dots appear in an 8 × 15 grid visible only under a magnifying glass or blue light, and give the date and time of print-out and the serial number of the printer that made it. Although Xerox says it doesn't routinely share customer data with governments, and the US Secret Service says it only uses the dots to track down counterfeiters, governments could use the dots to crack the anonymity of dissident movements.