News Briefs
MARCH/APRIL 2006 (Vol. 4, No. 2) pp. 8-13
1540-7993/06/$31.00 © 2006 IEEE

Published by the IEEE Computer Society
News Briefs
Brent Kesler, I3P at Dartmouth College

Heather Drinan, I3P at Dartmouth College

Nancy Fontaine, I3P at Dartmouth College
  Article Contents  
  Security  
  Privacy  
  Policy  
Download Citation
   
Download Content
 
PDFs Require Adobe Acrobat
 
Security

    • A survey of the British Bankers Association found 40 percent of conference participants named data sharing as a top concern, followed by identity theft at 30 percent, and risk management at 15 percent. However, only five percent rated fraud prevention and detection as a top concern.

    • According to industry experts, highly targeted phishing attacks—spear phishing—are on the rise and becoming more sophisticated. For example, security firm Greenview Data reported a spear-phishing campaign that used email messages that were seemingly from eBay's "Question from eBay Member" portal. The messages tricked recipients into clicking on a "Respond Now" link and entering their login information, allowing criminals to steal their identities.

    • Netcraft reports that 450 phishing attacks in 2005 spoofed SSL certificates to exploit trust in Web connections. When an SSL connection is made, most browsers show a lock icon. Phishers can buy SSL certificates for domains similar to their target and install their own fake locks, tricking users into entering personal information such as credit card or social security numbers. Phishing attacks have grown more sophisticated over time, increasingly exploiting browser flaws and hacking frames on legitimate Web sites to make their spoofs seem genuine.

    • According to a Vanson Bourne survey, 59 percent of UK IT managers at small- and medium-sized businesses (SMB) fail to keep security patches up to date because of the time necessary to do so; 61 percent pay for software licenses they don't use because they're subject to strict agreements that don't allow SMBs to cancel licenses after employees leave or machines break down. Inty, the Internet management firm that conducted the survey, recommends application service providers (ASPs), but many SMBs say the ASP model doesn't offer reliable access to critical applications.

    • The SANS Institute reports that hackers have been moving away from direct attacks against Windows and toward exploiting application flaws. Arguing that software developers need to be more security-conscious in their programming, two Princeton researchers, Sudhakar Govindavajhala and Andrew Appel, have released a report amplifying this fact. Their analysis of popular applications such as Photoshop and America Online's Instant Messenger shows that the programs make changes to Windows or run with too many privileges, potentially allowing attackers to bypass certain security features. However, Govindavajhala notes that an attacker would need an account on a given machine or network to exploit these vulnerabilities. America Online and Adobe have fixed the problems discussed in the paper, but flaws remain in other products.

    Cyberinsurance premiums climbed from US$100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. Demand for cyberinsurance is increasing as hackers move away from general mischief toward targeted crimes for profit. Insurers offer two basic types: first-party coverage helps companies pay for recovery after an attack or pay extortion money for threatened attacks, whereas third-party coverage helps pay legal expenses if someone sues after a security breach. However, prevention remains most companies' top priority because loss of critical data to competitors would do more damage than policy payouts would cover.

    • Although most companies protect themselves against hackers and malware, few realize the threat posed by an employee with malicious intent and an iPod. Security researcher Abe Usher is warning about the threat of "pod slurping" and employee data theft in general. Usher has created an application that lets an iPod scan corporate networks for sensitive business data, and potentially download 100 Mbytes in a few minutes by plugging the device into a computer's USB port. A 60-Gbyte iPod could potentially hold every sensitive document in a medium-sized business—without even using a keyboard.

    • A Romanian hacker forced security personnel to log off all Apple computers from the journalism department's network at the University of Arizona, preventing students from using the computers until the university could solve the problem. The computers had been shutting down on their own at random times over the course of several weeks, but personnel thought it was a hardware problem rather than an attack. A security check found two unrelated attempted attacks originating from Korea and Indonesia. University officials don't believe any information was lost.

    • Zone-H.org reports that more than 600 Web sites in Denmark, Europe, and Israel have been defaced, carrying messages denouncing Denmark for the publication of 12 cartoons that offended Muslims by depicting the prophet Mohammed. One group, calling itself the "Internet Islamic Brigade," threatened to carry out bombings in Denmark similar to those in the London subway in July 2005. Many of the defacements contained Arabic messages with English text related to the cartoons.

    • Presiding over England's Bow Street Magistrates' Court, District Judge Nicholas Evans refused to extradite Gary McKinnon to the US to face charges for allegedly hacking 97 NASA and military computers in 2001, causing US$700,000 in damage. Judge Evans wants US authorities to guarantee that McKinnon won't be considered a terrorist and tried under military law.

    The Russian stock exchange had to suspend operations for an hour on 2 February 2006 after a virus infected its systems. The virus created huge volumes of outgoing traffic, overloading the exchange's support routers and preventing normal trading traffic from being processed.

    • Alex Shipp, a senior antivirus technologist at MessageLabs, told attendees at the 2006 RSA Conference in San Jose, California, that cybercriminals are shifting from using Trojans designed to steal usernames and passwords to malware that transfers money out of bank accounts directly when users log in. Automatically downloaded after a user clicks on a link to an e-card or other content, they then wait until the user goes to a bank's Web site. Shipp says such Trojans are currently the third most common threat, and their use is on the rise.

    Greek officials have discovered taps on numerous officials' mobile phones, including Prime Minister Costas Caramanlis, the ministers of foreign affairs, defense, public order, and justice, top military officers, a number for the US embassy, and several journalists and human rights activists. So far, police are unable to identify the party responsible for the taps, but they appear to have started shortly before the 2004 Olympic games and continued through March 2005. The taps were created through the installation of spy software on Vodafone's central system, which diverted the calls to difficult-to-trace, pay-as-you-go mobile phones. Vodafone removed the software as soon as it was discovered and informed police. The government has filed misdemeanor charges against unknown persons for the phone taps and is investigating possible criminal charges of espionage.

Privacy

    • The Marriott hotel chain lost backup computer tapes that contain credit-card information, social security numbers, and bank details for more than 200,000 Marriott Vacation Club International customers. Marriott has contacted the affected customers and is offering to enroll them free-of-charge in a credit-monitoring service and is investigating how the tapes went missing.

    • IMlogic says that instant messaging (IM) attacks increased 800 percent in the past year. Worms made up 87 percent of new IM malware, whereas viruses were a distant second at 12 percent, and phishing barely registered at one percent.

    • David Almacy, the White House's Internet director, has promised an investigation into WebTrends after learning that the contractor used a Web bug to track visitors to www.whitehouse.gov . A Web bug is a tiny image of a dot maintained on a central server; when users view a Web site, they download the image from the server, allowing it to track their IP address. If a federal agency uses Web bugs attached to cookies to track repeat visitors, agencies must show a compelling need and have a senior official's authorization, according to the US Office of Management and Budget. WebTrends says it collected no personally identifiable data and that it doesn't aggregate data from multiple sites.

    • Berlin hosted the 22nd annual Chaos Communication Congress, at which hackers discussed challenges posed by widespread government use of surveillance technology. An activist group known as Quintessenz reported that it has developed a way to intercept images from Austrian surveillance cameras using an inexpensive satellite receiver. Rop Gonggrijp, founder of Dutch ISP Xs4All, notes that Dutch police are installing surveillance cameras due to public demand. Yet, although the public—and even a new European Union data-retention law—are calling for more surveillance, current systems fail to provide the necessary information and are easy to circumvent. Chaos Computer Club member Frank Rieger argues that hackers should provide political and social movements with secure communications and anonymity technology.

    • Privacy advocates warned that Apple's iTunes MiniStore upgrade sends users' playlist information to Apple. MiniStore suggests music for purchase from the iTunes Store, but Apple says it doesn't save the information gathered through the MiniStore service and has posted instructions for disabling the feature. The license agreement for the iTunes update made no mention of MiniStore or its information collection.

    The European Union has finished the final draft of a data-retention directive that would require telecommunications providers in member states to archive metarecords on, though not the content of, telephone calls and Internet communications. Service providers will bear the cost of archiving the information, which includes the date, destination, and duration of communications. Various civil liberties groups, including Privacy International, say the directive would harm consumers by endangering their privacy and making European industry less competitive globally.

    Despite their pledges against the practice, 23 US senators use persistent cookies on their Web sites. Senator John McCain's site states that it doesn't use cookies, but it actually places one that doesn't expire until 2035. His office says the Web site was designed by an outside contractor and that the cookies aren't used by the Senator's office. Several of the Web sites use ColdFusion, which employs 30-year cookies by default. Sonia Arrison, director of technology studies at the Pacific Research Institute, says the issue highlights politicians' hypocrisy in demanding that companies shore up their data management while failing to do so themselves. Rather than maintaining a comprehensive privacy policy, both the Senate nor the House of Representatives leave the matter to individual offices to decide.

    • The Anti-Spyware Coalition, which includes companies such as Microsoft, Symantec, and America Online, have agreed on the final draft of a standard for classifying and handling spyware based on risk level. Spyware features named in the guidelines include mass reproduction over email, installation with a user's knowledge or permission, intercepting email or other messages, changing security settings, and transmitting personal data. Cybertrust's ICSA Labs will certify antispyware products and their compliance with the standard. Establishing spyware guidelines is controversial, as opponents claim it enables spyware distributors to continue unwanted behaviors while working within the rules.

    • Guidance Software, a security software company, left an unencrypted database accessible via the Internet, exposing the personal information of US security and law enforcement professionals. The security breach, described as being "of national security proportions," involved the "credit-card numbers of some 3,800 people, including investigative professionals from the National Security Agency, Federal Bureau of Investigation, and Central Intelligence Agency, as well as heads of law enforcement worldwide." The names, addresses, credit-card numbers, and expiration dates of the affected customers were available, as well as credit-card verification numbers, even though it's illegal to hold that particular piece of information in such databases.

    • The Atlantis resort located on Paradise Island in the Bahamas disclosed that personal information, such as names, addresses, credit-card details, social security numbers, driver's license numbers, and bank account data, for 55,000 guests has been stolen from the hotel's database. It's investigating to determine whether the breach was an inside job or perpetrated by hackers. Atlantis has reportedly informed those affected and offered them free credit monitoring.

    • North Regent Rx, an herbal remedy distribution company operating out of Lockport, Manitoba, says it has been receiving faxes for 15 months that were meant for Prudential Financial and carry the names, social security numbers, addresses, and salaries of Prudential's customers . North Regent Rx has a fax number that's almost identical to that used by Prudential Financial's insurance division; doctors' offices mistakenly send patient data to North Regent Rx. These mistakes not only reveal sensitive medical information but also create financial problems for patients when their insurance claims aren't processed. North Regent Rx often forwards faxes to Prudential and informs doctors of their mistakes, but the small company doesn't have the necessary workforce to handle the volume it receives. North Regent Rx would like Prudential to buy its fax number, but no agreement has been reached.

    Google refused to provide the US Justice Department with a week's worth of search records, criticizing prosecutors for being "uninformed" and having a "cavalier attitude." The Justice Department requested the data in connection with a case regarding Internet pornography and subpoenaed several search engines, most of whom complied. Only Google, on the grounds of protecting user privacy and trade secrets, is fighting the subpoena. Google also raised concerns that any information it supplies for this case could be transferred to other agencies for other uses. The government says it wants the data specifically for this one case to show that content filters are ineffective for preventing children from accessing adult material.

    • The Electronic Frontier Foundation (EFF) has filed a class action suit against AT&T, claiming the company violated federal law by cooperating with the US National Security Agency's (NSA) wiretaps on American citizens. The EFF alleges that AT&T provided the NSA with two databases: one containing metarecords of phone calls and Internet use, and another containing the actual content of customers' communications. The suit seeks US$22,000 for each AT&T customer, plus punitive damages. EFF attorney Kevin Bankston estimates that damages could reach billions, but expects the government to invoke its state secrets privilege to quash the lawsuit.

    • Reporters without Borders says Yahoo's Hong Kong unit helped Chinese police locate a dissident in 2003, leading to his eight-year prison sentence. Former civil servant Li Zhi was charged with and convicted of "inciting subversion" for posting comments online criticizing corruption among public officials. Yahoo has previously come under fire from civil liberties groups for similar actions, such as providing information leading to the arrest and conviction of reporter Shi Tao on charges of revealing state secrets. Reporters without Borders says China has 49 cyberdissidents in prison for posting Internet content deemed critical of Chinese officials. The organization is calling on Western companies to uphold human rights standards when working in countries with oppressive governments. Yahoo's US headquarters says it has no information about the Li Zhi case or the actions of its Hong Kong unit.

    • Police in Middletown, Connecticut, say as many as seven girls have been assaulted by men they met on MySpace.com. The free service allows people to post personal information and connect with others, but law enforcement warns that teenagers, unaware of the risks, might be putting too much information online. Predators sometimes use such services to download pictures of targets, learn their interests, send them messages, and even learn where they attend school. Although MySpace has a reputation for trying to keep its users safe, teens might not take advantage of all the safety features available. Parry Aftab, an attorney and child advocate who runs WiredSafety, says the problem is more prevalent in wealthier areas where children have better access to technology.

    • The District Court of Paris in December ruled that using peer-to-peer (P2P) file trading networks is legal for personal use, but not for commercial use. The ruling comes from a lawsuit brought against a user by La Société Civile des Producteurs Phonographiques for sharing 1,875 copyrighted files. The court ruled that P2P use constituted private copying. The ruling became public only recently with French Parliament considering a tax of €5 per month on P2P networks.

Policy

    • The Korea Communication Commission (KCC) announced that it will fine some telecommunications providers, including KT, Hanaro Telecom, Dacom, and Onse Telecom, for failing to block spam messages on mobile phones . Telecom operators have three to five days to block a spammer upon notice from the KCC, but some ignored the notices for as long as 100 days. Although spam has declined since opt-in regulation went into effect in March 2005, spammers have switched to a call-back tactic—randomly calling a phone for one ring, prompting curious recipients to call back, unknowingly placing calls to premium-rate numbers.

    Microsoft removed the Web site of a Chinese blogger who is critical of the government, raising questions about the company's complicity with Chinese state censorship. Zhao Jing's blog, which had been hosted on the MSN Spaces service "has been blocked to help ensure the service complies with local laws in China," according to a statement from Microsoft. It's not clear what triggered the move, but Zhao, who is also known as Michael Anti, has often written posts questioning government policy and commenting on current news events. Many US IT companies have been criticized for creating policies that support Chinese laws considered to violate widely accepted human rights standards; Microsoft claims it must respect local law in China.

    • According to Nielsen Soundscan, CD sales in the US fell 3.5 percent in 2005, compared to a 2.3 percent jump in 2004. The Recording Industry Association of America (RIAA) blames the fall in sales on digital piracy, while crediting the 2004 increase to its antipiracy efforts. The RIAA claims that piracy lowered its 2005 sales, despite 7,000 lawsuits against alleged pirates, shutting down the most popular BitTorrent hubs, and a US Supreme Court decision holding P2P companies liable for copyright infringement. The RIAA also claims that it's fostering a legitimate market for music downloads, but this market accounts for only 5 percent of music sales. The RIAA's focus on controlling content has, ironically, led to a loss of control as Apple has come to dominate the latest technology for distribution with iTunes.

    • Nigel Roberts, a UK resident, "has won a landmark legal case against a spamming company" using the European Union's E-Privacy Directive law to win £300 [$500 US] in compensation from Falkirk-based Media Logistics. Although the award is small (because Roberts decided to use Small Claims Court), he believes "it will send a clear warning to companies sending emails to UK residents without consent."

    • US Federal Bureau of Investigation (FBI) documents obtained by the Electronic Privacy Information Center (EPIC) under a Freedom of Information Act lawsuit could aid opponents of the US Patriot Act. Among the documents are complaints from the FBI's general counsel to the White House's Intelligence Oversight Board, detailing alleged abuses of the Act's powers.

    • John Ashe, Antigua's ambassador to the World Trade Organization (WTO), has written a letter to US trade representative Rob Portman protesting proposed American legislation to outlaw Internet gambling. In April 2005, the WTO ruled that US restrictions on overseas Internet gambling constituted unfair trade protections, and gave the US 11 months to comply. Ashe notes that the US hasn't yet passed legislation to bring itself into compliance with WTO regulations, and is instead considering two laws against the US$12 billion online gambling market. The US argued before the WTO that it could ban online gambling on moral grounds, but the WTO found that US law discriminates between foreign and domestic services in such sports as horse racing.

    • The UK, Belgium, France, Germany, and the Netherlands have launched the Traffic Documentation System (TDS), which provides police forces with car and driver registration data from several European countries. Originally authorized by the European Commission "to coordinate on a Europewide scale different national traffic-enforcement actions," the database is also designed to help combat terrorism, smuggling, and forgery, according to the Association of Chief Police Officers. Given British agencies' problems in creating their own digital database of drivers' licenses and registrations, however, it's doubtful that the database will have all the information police officers will need. Records will also be distributed on a CD-ROM for police forces without strong network capabilities, increasing the risk that sensitive data could be leaked to malicious parties.

    • The British House of Commons managed to overturn amendments imposed by the House of Lords on the ID Cards Bill during voting in February 2006, making it compulsory for all UK citizens to apply for a national biometric identity card when applying for a passport. Parliament members accepted without vote an amendment that would require another vote before making the cards officially compulsory, a move the government is expected to make by 2011. Commons also chose to require six-month budget reports from Home Office Secretary Charles Clarke rather than a full cost-accounting for the identity card program. Conservative Shadow Home Secretary David Davies warns that the UK is "sleepwalking towards a surveillance state." The bill returns to the House of Lords for approval or amendment.

    • The ACM has published a report warning that federally mandated voter databases must be properly protected to prevent election tampering. The Help America Vote Act of 2002 (HAVA) requires states to develop a "single, uniform, official, centralized, interactive computerized statewide voter registration" database that interoperates with other databases. HAVA also requires "adequate technological security" but doesn't mention encryption or security guidance. So far, 28 states have outsourced their databases to such companies as Diebold and Accenture, while 21 have decided to develop the databases themselves. Lack of proper authentication and access controls could let hackers add or subtract names to the database or steal sensitive voter information.