Published by the IEEE Computer Society
• Diebold's CEO, Walden O'Dell, resigned one day before a Connecticut law firm filed suit on behalf of shareholders alleging that the company's executives "downplayed voting system problems in the last election." The suit alleges that "Diebold was unable to keep control of the quality of its voting machines, lacked necessary oversight of its business processes, and misled shareholders about its condition." This follows the Electronic Frontier Foundation's lawsuit filed against North Carolina's state election officials alleging that they violated state law in certifying certain voting systems—including Diebold's—without requiring the voting machine makers to escrow the source code. In Florida, researchers with the Black Box Voting project (www.blackboxvoting.org) found that poll workers could use a "premodified memory card to change the vote tally undetectably."
• Julie Thorpe, a researcher at Carleton University in Ottawa, Canada, suggests it might be possible to develop technology to recognize passthoughts—passwords that let users access computer systems by thinking of an image or memory. Variations in brainwave patterns from person to person could facilitate their use as biometric identifiers, but such a system would require a better mind–machine interface as well as proof that users could generate a given thought on demand. Thorpe's research focuses primarily on developing computer interfaces for the paralyzed.
• eBay shut down an auction for a Microsoft Excel vulnerability because it says "the sale of flaw research violates the site's policy against encouraging illegal activity." The advertised vulnerability, which "could allow a malicious programmer to create an Excel file that could take control of a Windows computer when opened," appears legitimate. Microsoft complained to eBay, resulting in the halt of the auction. eBay explained its decision, saying, "In general, research can be sold as a product. However, if the research were to violate the law or intellectual property rights, then it would not be allowed." Although buying vulnerability research is still considered controversial, some security companies do pay independent flaw finders for information.
• According to a report from the University of Maryland, only 5 percent of port scans—which many security professionals view as signs of impending attack—are followed by cyberattacks. Researchers categorized port scans as connections with fewer than five data packets and attacks as connections with more than 12 data packets. The study gathered evidence over 48 days from two honeypots; only 28 of 760 attacking IP addresses conducted port scans before attacks. However, 21 percent of the attacks were launched with vulnerability scans. The SANS Internet Storm Center's Johannes Ullrich finds the study sound but the analysis too simplistic. He argues that it's more important to examine a port scan's content rather than just counting the number of packets in a connection, because researchers could have mistaken attacks for port scans.
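As an added example (not the Maryland study's own code), the following Python reproduces the study's packet-count classification rule over a constructed honeypot connection log and measures how many attacking sources scanned first. The log lines, IP addresses and timestamps are constructed; the thresholds come from the item above.

```python
from collections import defaultdict

# Constructed honeypot connection log: "<timestamp> <source ip> <packets in connection>".
CONNECTION_LOG = """\
1001 203.0.113.5 3
1030 203.0.113.5 40
1002 198.51.100.7 2
1100 198.51.100.9 25
1150 198.51.100.9 4
1200 192.0.2.44 8
1300 192.0.2.44 30
1400 203.0.113.77 4
1500 203.0.113.77 2
"""

SCAN_MAX_PACKETS = 5     # study: "fewer than five" packets -> port scan
ATTACK_MIN_PACKETS = 12  # study: "more than 12" packets -> attack

def classify(packets):
    """Packet-count rule from the study; Ullrich's critique is that content, not count, matters."""
    if packets < SCAN_MAX_PACKETS:
        return "scan"
    if packets > ATTACK_MIN_PACKETS:
        return "attack"
    return "other"

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, ip, pkts = line.split()
        records.append((int(ts), ip, int(pkts)))
    return sorted(records)  # chronological order matters for "scan before attack"

def scan_preceded_attack(records):
    """Return (attacking_ips, subset whose first attack was preceded by a scan)."""
    history = defaultdict(list)
    for ts, ip, pkts in records:
        history[ip].append(classify(pkts))
    attackers, scanned_first = set(), set()
    for ip, kinds in history.items():
        if "attack" not in kinds:
            continue
        attackers.add(ip)
        if "scan" in kinds[:kinds.index("attack")]:
            scanned_first.add(ip)
    return attackers, scanned_first

def scan_then_attack_fraction(text):
    attackers, scanned_first = scan_preceded_attack(parse_log(text))
    return len(scanned_first) / len(attackers) if attackers else 0.0
```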
• According to Valerie McNiven, cybercrime advisor to the US Department of Treasury, 2004 marked the first time that cybercrime yielded more revenue than the drug trade's estimated US$105 billion. Speaking at an information security conference in Riyadh, Saudi Arabia, she said cybercrime can be a major problem for developing countries, which often lack cybersecurity experience. The Internet's growing use in such countries can also exacerbate other crimes—such as human trafficking—by simplifying communication. McNiven finds some links between cybercrime and terrorism, but argues that creating secure information systems is more important.
• The US Securities and Exchange Commission (SEC) has filed an emergency federal court action against Estonian finance firm Lohmus Haavel & Viisemann for hacking embargoed press releases on Business Wire. The hacks gave the company insider information, allowing traders to time stock trades against the time that business notices were scheduled for public release. Yet, evidence of wrongdoing could be murky because the company used a spider program to crawl around Business Wire links, and might not have circumvented security features. Business Wire assures investors that press releases weren't stolen, but that the hackers managed to use screenshots to get the desired information.
• Sysinternals' Mark Russinovich discovered a rootkit included in a number of Sony BMG music CDs. The rootkit, part of First4Internet's XCP copy protection technology, modifies the Windows kernel to hide files that start with $sys$, limits the number of times music files from a Sony CD can be copied, and alerts Sony every time an XCP-protected CD is played. Attempts to remove XCP could crash a computer and render it unusable without a complete hard drive reformat. Hackers have begun using the $sys$ prefix to hide malicious files, antivirus companies are issuing workarounds and signatures for XCP, and Sony faces several civil suits as a result. The XCP controversy has even affected the open source community, since some of the code might have been lifted from open-source software in violation of the GNU Foundation's General Public License. For more on this issue, please see page 18.
• Microsoft broke with its usual monthly patch release cycle and issued a patch for the Windows Meta File (WMF) flaw 10 days after learning of the vulnerability. The two-week turnaround was one of the company's fastest, says Debby Fry Wilson, director of the Microsoft Security Research Center. The flaw uses WMF images to install malicious code on computers, which become infected simply by viewing an infected image. Microsoft's faster-than-ever response has prompted some critics to question its previously slow responses to vulnerabilities. Microsoft defends its patch process, arguing the lead time between patch releases is necessary to thoroughly test its patches and provide language support in more than 20 languages.
• South Korea's Ministry of Information and Communication (MIC) released new legal guidelines that significantly restrict both government and private-sector ability to collect biometric data from individuals. According to MIC spokesman Song Hyun-sook, individuals must give their consent before such information is collected, and collectors must return or destroy the data at the individual's request. The guidelines also require collectors to protect the data and deny access to the general public. MIC developed the guidelines after representative Suh Hye-suk of the Uri Party revealed that the MIC had compiled a biometric database on 5,620 people, including minors.
• The United Kingdom and Nigeria are forming a partnership to warn the public about so-called 419 scams, which send spam email offering people a cut of the profits to help former Nigerian officials launder money. When victims give out their bank account details, scammers can steal their money. Microsoft also began working with Nigerian officials in October 2005 to track groups involved in 419 scams. Nuhu Ribadu, the executive chair of Nigeria's Economic and Financial Crimes Commission, says that 419 scams have done an "unquantifiable damage to the country's image and credibility." The Commission will monitor Nigerian cybercafes to cut down on such crimes.
• An investor group, led by Reporters without Borders, is asking technology companies to uphold freedom of expression when working in countries with records of human rights abuses, and promises to monitor such companies' activities. The investors control roughly US$21 billion worth of assets in the US, Europe, and Australia. China has attracted special attention: Microsoft and Google have been accused of helping the Chinese government censor news sites, and Yahoo has been accused of helping the government trace a journalist's email. Cisco has denied allegations that it sold equipment to China to help monitor Web usage, saying the equipment sold to the Chinese is the same as that sold elsewhere. Julien Pain, of Reporters without Borders, says his organization was unable to open a dialogue with tech companies, prompting them to engage investors in shareholder activism.
• Sri Lanka's Telecommunications Regulatory Commission (TRC) asked Sri Lanka Telecom to disable phone lines to 13 countries in November 2005 to prevent modem hijacks and pornography scams. The order will remain in place for three months; people who need to make international calls until then can do so with operator assistance. The bulk of unauthorized phone calls made by malicious dialer programs go to the Solomon Islands, Vanuatu, the Cook Islands, the Wallis and Futuna Islands, Papua New Guinea, Nauru, Tuvalu, Tokelau, Western Samoa, and Kiribati.
• On 26 October 2005, Greek police arrested and seized the computer of Swedish programmer Rick Downes, claiming he had advertised and sold pharmaceuticals on the Web. Downes, who was immediately released without his computer, denied the charges, saying the only link he had to the spam appears to be that three of the spam recipients were using a computer that he had once fixed. The evidence against Downes included printouts of spam emails sent by a large US-based advertising company that didn't include the full header information. According to Downes, the police didn't seem to be aware that this information was necessary to trace email messages. Downes is a member of the Coalition Against Unsolicited Commercial Email.
• The historic rivalry between Peru and Chile is now playing out in cyberspace, as Peruvian and Chilean hackers attack each other's government Web sites. Several sites in both countries have had to be taken down and reconfigured. The diplomatic conflict originated over 38,000 square kilometers of rich Pacific Ocean fishing waters controlled by Chile, but also claimed by Peru.
• The state of California will sponsor a hacking attempt against an optical-scan voting device from Diebold Election Systems. Security expert Harri Hursti, who was put forth by the voter advocacy group Black Box Voting, will conduct the rescheduled test, which was originally set for 1 December 2005. Black Box Voting and Hursti successfully hacked a Diebold machine in Florida in May 2005. For its part, Diebold claims Hursti was given too much information, so the conditions didn't represent a real voting situation.
• China defended itself against charges that the Chinese military has orchestrated systematic attacks against US government computers, a campaign the US government calls "Titan Rain." Stating that hacking is illegal in China, a government representative asked for proof that the attacks originated within the country's military.
• European Parliament members voted overwhelmingly for new rules on data retention that require telecommunications companies and ISPs to keep traffic and location information for a minimum of six months and a maximum of two years, although some countries will allow data to be retained for longer. Law enforcement authorities in the data's country of origin will automatically be allowed to access it. Authorities from non-European Union countries with data-sharing agreements will also have access. The new rules will take effect in about 18 months for telephone data and in about three years for Internet data. Critics argue that the rules won't detect terrorists using foreign service providers and that data storage costs will be passed on to consumers. Each member state will decide its own policies for reimbursement of costs to industry. The European Parliament will review the rules three years after they take effect.
• Since 2002, the US Federal Bureau of Investigation (FBI) and the US Defense Department have been purchasing records on individuals from data aggregator ChoicePoint, according to documents obtained by the National Journal and Government Executive. ChoicePoint maintains a database of 19 billion records for use in background checks and similar services, and has been selling access to the federal government. According to a contract obtained under the Freedom of Information Act, the FBI's Foreign Terrorist Tracking Task Force apparently signed a deal with ChoicePoint to access records the FBI is forbidden to collect under the 1974 Privacy Act. In 2003, ChoicePoint gave the federal government Internet access to its service, and then began developing a system exclusively for government use. Although the Privacy Act forbids the government from collecting certain records about its citizens, nothing in the law expressly prevents a corporation from doing so on the government's behalf.
• A computer stolen in October 2005 from TransUnion, one of three major US credit bureaus, included social security numbers and other personal information for up to 3,600 people. The company notified individuals who might be affected, but it doesn't believe that the information was the criminals' target because no indication of fraudulent activity has yet surfaced.
• Security intelligence organization iDefense predicts that hackers produced in excess of 6,000 keystroke loggers in 2005—a 65 percent increase over the previous year. Keyloggers have become a preferred tool in the illegal access of online banking accounts, averaging US$3,968 in damages per victim.
• Laszlo Kish of Texas A&M has proposed a solution that promises quantum-cryptography security using standard electronics. Under such a scheme, two parties would each have two resistors of different ohm values. They randomly choose one of their resistors: choosing resistors of equal resistance would leave the connection open for an eavesdropper to wiretap, but choosing differing resistors would let the parties communicate a single bit to construct a one-time pad. Although the physics seems sound, researchers will have to examine the electrical engineering to make sure there isn't some way to crack the system, and security issues often turn up when attempting to translate theory into practice. Even if the solution does work, it offers low bandwidth and is vulnerable to man-in-the-middle attacks. However, quantum cryptography suffers the same problems, so Kish's proposal might be a viable alternative to the more expensive quantum technology.
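As an added illustration of the selection rule described above (not Kish's own code or circuit model, and ignoring the noise physics entirely), this Python simulation models what a passive wiretapper on the line can learn: the series resistance of the loop. Equal choices reveal both resistors and are discarded; mixed choices yield a pad bit the wiretapper cannot resolve, so roughly half the rounds are wasted, which is the low bandwidth the item mentions. The resistance values and the bit convention (Alice holding the high resistor means 1) are constructed assumptions.

```python
import random

# Constructed sample values: the item only says each party has two resistors of different ohm values.
R_LOW, R_HIGH = 1_000.0, 10_000.0

def loop_resistance(alice_choice, bob_choice):
    """What a wiretapper can measure: the two chosen resistors in series."""
    return alice_choice + bob_choice

def eve_view(total):
    """Passive eavesdropper's inference from the loop total alone."""
    if total == 2 * R_LOW:
        return "both_low"
    if total == 2 * R_HIGH:
        return "both_high"
    return "mixed"  # R_LOW + R_HIGH: Eve cannot tell who holds which resistor

def exchange_bit(alice_choice, bob_choice):
    """One round. Each side knows its own resistor and the loop total, so it infers the
    other's choice. Returns (alice_bit, bob_bit, leaked_to_eve)."""
    total = loop_resistance(alice_choice, bob_choice)
    bob_as_seen_by_alice = total - alice_choice
    alice_as_seen_by_bob = total - bob_choice
    if eve_view(total) != "mixed":
        return None, None, True  # equal resistors: round discarded
    # Assumed convention: the bit is 1 when Alice holds R_HIGH. Bob derives the same bit
    # from his inference of Alice's resistor; Alice's inference of Bob is the complement.
    alice_bit = 1 if alice_choice == R_HIGH else 0
    bob_bit = 1 if alice_as_seen_by_bob == R_HIGH else 0
    assert bob_as_seen_by_alice == bob_choice
    return alice_bit, bob_bit, False

def generate_pad(n_rounds, seed=0):
    """Run n rounds with independent random choices; keep only non-leaked bits.
    Returns (alice_pad, bob_pad, rounds_discarded)."""
    rng = random.Random(seed)
    alice_pad, bob_pad, discarded = [], [], 0
    for _ in range(n_rounds):
        a = rng.choice((R_LOW, R_HIGH))
        b = rng.choice((R_LOW, R_HIGH))
        alice_bit, bob_bit, leaked = exchange_bit(a, b)
        if leaked:
            discarded += 1
        else:
            alice_pad.append(alice_bit)
            bob_pad.append(bob_bit)
    return alice_pad, bob_pad, discarded
```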
• Companies might need to consider IP cloaking to avoid leaking trade secrets through the Internet traffic they generate. For example, stakeholders in one company seeking to buy out another repeatedly visited the target company's investor relations Web site; the IP addresses they left in the Web site's logs alerted the company that the visitors were rival stakeholders considering purchasing the company. The target company alerted one of the buyer's competitors, reportedly sparking a bidding war that drove up the final price by US$15 million. IP cloaking, which routes traffic through intermediary networks, would've allowed the buying company to mask its intentions and save millions on the final buyout. IP blocking can also prevent competitors from gathering information on a company, whereas IP spoofing can lead them to false information. Many Web sites use a combination of these tactics to tailor content for each visitor.