Published by the IEEE Computer Society
• Microsoft is publicly releasing details from its invitation-only Blue Hat Security Briefings, including a blog entitled "Reflections on Blue Hat 3," photos, podcasts, and video interviews with some of the presenters. More than 650 people attended Blue Hat 3 at Microsoft's campus in March 2006 to discuss "exploiting Web applications" and "breaking into database systems." Microsoft started the Blue Hat briefings in 2005 to spark dialogue between Microsoft employees and outside researchers, many of whom are critical of Microsoft's security practices.
• An Israeli court has sentenced a husband and wife to prison for providing spyware for use in industrial espionage. The couple developed Trojan spyware and marketed it to three private-investigation firms, who used it to copy files from their competitors' computers.
• Netcraft reports that a server belonging to China Construction Bank (CCB) is hosting spoof sites used in a phishing scam targeting US customers of Chase Bank and eBay. The scam promises users US$20 for answering a customer survey about the bank's Web site; victims are directed to give their username, password, bankcard number, personal identification number, card verification number, mother's maiden name, and social security number after the survey so the bank can deposit the promised reward into their accounts. The CCB is one of China's "big four" state-owned central banks. Netcraft believes this is the first case of one bank's infrastructure being used to attack another bank's customers.
• Avivah Litan, a research director for Gartner, argues that a case of massive ATM fraud in Russia, Canada, and the United Kingdom wouldn't have affected Citibank's US customers if the bank had adopted chip and personal identification number (PIN) technology. Hackers broke into the ATM network through a retail server and stole PINs and decryption keys. US customers in the UK were easy targets because they still have ATM cards with magnetic stripes, which are easier to duplicate than chip cards.
• Robert Chapman, director of the Training Camp, sent office workers a CD offering a free vacation for simply running the disk. The CD contained a script that opened a Web page and loaded an image that allowed Chapman to track how many CDs were used and how many times—in this instance, 75 out of 100 CDs were used, some by employees of two major insurance companies and a bank. The CD even advised users to check their companies' security policies before running it, underscoring how employees can bypass the best security precautions if they don't have basic security training.
• MessageLabs released a report finding that 91 percent of all email traffic sent to India is spam. Paul Wood, a security analyst at MessageLabs, notes that India has seen its technological development outpace security awareness. Most spam originates from the US or from US spammers who have moved operations overseas to regions with fewer spam restrictions. The report also found that the United Arab Emirates had the highest rate of malware transmission at one virus per 13.9 emails.
• The US Government Accountability Office (GAO) identified 81 security flaws in the Internal Revenue Service's (IRS) information systems that could compromise taxpayers' personal and financial data. The IRS fixed 41 of the flaws identified, but the GAO also discovered new weaknesses in electronic-access controls, user accounts, file permissions, and security-incident logging and monitoring. The report recommends that the IRS align its configuration and password policies with federal guidelines, review security plans, give security training to contractors, and update emergency procedures.
• Estonian security firm Zone-H reports that server attacks and Web site defacements increased by 16 percent in 2005 from the previous year. The firm notes an "increase in politically motivated attacks" and the number of attacks originating in Muslim countries, particularly Turkey.
• E-Gold, a company offering digital currency backed by gold, says the creators of the Cryzip Trojan didn't profit from their cyberextortion attempts. Cryzip encrypted files on infected computers and directed users to pay a ransom of US$300 using E-Gold if they wanted the keys to get their data back. E-Gold says its own review process detected the multiple accounts associated with Cryzip and blocked all payments to those accounts. Cryzip has been hard to track because it's spreading slowly to avoid detection by antivirus companies. E-Gold says it cooperates with all legal requests for account data and doesn't want to be known as a tool for racketeering and other criminal behavior.
• Speaking at the Federal Office Systems Exhibition (FOSE) 2006 trade show, Lance Cottrell, founder and chief scientist at Anonymizer, reported that terrorists are beginning to "cloak" their Web sites to hide sensitive information from law enforcement by blocking traffic from North America or from IP addresses from English-speaking countries; using Web sites to feed false information to investigators to pinpoint communications leaks; setting up their computers to use specific operating systems and browser configurations so that Web site visitors with different configurations are identified as law enforcement and targeted for cyberattack; and monitoring how browsers search Web sites to see what sort of intelligence they seek. Cottrell suggested that anonymizing technology could help law enforcement cover their own tracks when investigating terrorists.
• As more employees telecommute on a regular basis, IT managers are adapting security policies to include home PCs. In 2005, roughly 8.9 million people telecommuted three or more days a month. Ensuring that a telecommuter's home PC stays current with office security guidelines has become an important IT function. One expert recommends that businesses provide telecommuting employees with dedicated PCs for work use only or at least separate hard drives with security controls restricting access.
• FaceTime Communications released new research showing a 723 percent increase from the previous year in threats targeting instant messaging (IM) and peer-to-peer (P2P) technology. The study examined "greynets"—IM, Internet Relay Chat (IRC), or P2P software installed on a network without the IT staff's permission or knowledge—and found that IM threats stabilized in number but grew in sophistication; multichannel attacks were 23 times more common; and IRC and chat-based attacks dropped in favor of P2P attacks, which are now 15 times more common.
• The US military has begun purchasing flash drives at a bazaar outside a base in Bagram, Afghanistan, after the Los Angeles Times recently reported that many drives on sale there contained secret military documents. Afghan workers at the local air base swipe the drives, along with other small items in demand at the bazaar. An armed and uniformed military officer, accompanied by six bodyguards, purchases the drives off the market at roughly US$35 each. The US military considered raiding the bazaar, but the Afghan government convinced them that purchasing the drives would be a more popular way of closing the leak. The military purchased every flash drive in the bazaar, but merchants expect to sell more as petty theft continues to rise.
• The US Internal Revenue Service is proposing new regulations that would change how tax preparers share taxpayer data with other organizations. The rules would require preparers to obtain taxpayers' signatures to share data with "third parties"—a less strict requirement than the current regulations, which let preparers share such information only with affiliated businesses. Taxpayers are concerned that consent could be buried in the reams of paperwork that preparers present, making "informed consent" easy for preparers to abuse. Loosening up restrictions on tax preparers could also lead to privacy violations according to Jean Ann Fox, director of consumer protection for the Consumer Federation of America (CFA).
• The British House of Lords and House of Commons have agreed to amend the Labour government's national identity-card proposal, breaking the gridlock between the two. Under the agreement's terms, both houses will accept an amendment that would let British nationals applying for a passport opt out of a national identity card until 2010, when it will become mandatory. However, passport applicants must still have their biometrics entered into the National Identity Register, the identity-card database.
• Singapore has filed 51 copyright-infringement charges against interior design firm PDM International for using unlicensed software "to obtain a commercial advantage." The charges follow a September 2005 police raid on PDM's offices based on a tip from the Business Software Alliance. Lawyer Lam Chung Nian describes the case as significant because it's the first time a corporate user has faced prosecution under amendments made to Singapore's Copyright Act in 2005. Punishments include fines of up to US$12,351 and six months in prison for a first offense and $30,878 and three years in prison for subsequent offenses.
• Pennsylvania's attorney general seized four hard drives from the Intelligencer Journal of Lancaster's newsroom in a grand jury probe. The state supreme court rejected the paper's challenge to the subpoena, and the attorney general refused its offer to let investigators use the computers to find the information they seek in a less intrusive manner. The investigation seeks to determine whether Lancaster coroner G. Gary Kirchner gave reporters his password to a restricted law enforcement site. The newspaper warns that the seizure could have a "chilling effect on newsgathering," as sources would be less likely to trust reporters if they believed the state could seize data from newspapers at will.
• Iowa lawmakers are considering implementing identity theft passports, certificates that identity-fraud victims could show to police or creditors to help demonstrate their innocence. The official passport would "help prevent arrest or detention for an offense committed by someone using the victim's identity." To receive one, an individual would have to send a copy of a police report describing his or her situation along with an application form to the Iowa attorney general's office.
• MySpace.com has hired Hemanshu Nigam to be its first chief security officer. Nigam, currently the director of consumer security outreach and child-safe computing at Microsoft, will oversee safety, education, privacy, and law enforcement affairs for the popular social-networking site.
• Australia has adopted an industry code of conduct that would require more than 680 Internet service providers to offer spam filters to subscribers and impose "reasonable" limits on the amount of outgoing email subscribers can send. The industry code goes further than the country's 2003 Spam Act: the Act lets regulators fine companies up to AU$1 million (US$705,160) for spamming, whereas the new code allows penalties of up to AU$10 million (US$7.05 million) in civil court.
• Apple criticized a proposed French law that would require music download services to make interoperable digital rights management (DRM) systems as "state-sponsored piracy." The French National Assembly approved the bill to prevent any one music download service or device from gaining a monopoly in France and to provide consumers with greater options for digital music. Apple argues that interoperable DRM won't adequately protect copyrighted content and that it might leave the French market if the bill passes into law.
• Conservative Member of Parliament Anne Main has asked the UK's Home Office whether it has contingency plans for the "rapid wholesale deletion of data held on the National Identity Register in the event of invasion by a foreign power" or a coup d'état. The National Identity Register is the back-end database that will hold such data as names, addresses, birthdates, and biometrics. Home Office minister Andy Burnham states that the register will be "classified as part of the nation's critical national infrastructure" and protected as such. The Home Office has also conducted risk assessments on physical, logical, procedural, personnel, and systems aspects of the register but has refused to provide details, citing security concerns.
• The US House Energy and Commerce Committee has approved the Data Accountability and Trust Act to establish federal standards for safeguarding private data. The bill would override state laws that require businesses to notify residents when a security breach potentially compromises their data. Data aggregators have called for a single federal law to replace often conflicting state laws. The bill lets the US Federal Trade Commission regulate how businesses protect personal consumer information. The bill also requires companies to notify customers "if there is a reasonable basis to conclude that there is a significant risk of identity theft"—notification isn't required if companies use encryption. Four other House bills and six Senate bills are under consideration for data-breach notification, but critics of the various federal bills say they give consumers weaker protection than many state laws.
• Several UK retail outlets are using biometrics to protect customer payments, and use of the technology is becoming more widespread. The Oxford Co-Op now allows customers to pay for purchases with a fingerprint linked to a credit card. Two million US shoppers already use a fingerprint system called Pay-by-Touch, and some US banks are considering adding biometric scans to ATMs. Stewart Hefferman, chief operations officer of ID verification company TSSI Systems, calls biometrics the next step after the UK's chip and personal identification number technology. However, many consumers are wary of the technology and its potential for abuse by authoritarian governments. Adrian Cannon of Accourt warns that the technology could slow down the payment process, leading to longer lines at the cash register and public rejection of biometrics.
• A new German law could sentence illegal music and movie downloaders to two years in prison for each offense. The entertainment industry suspects that Germans illegally download more than 20 million films a year, many before their official release dates.
• Police in Ehime, Japan, announced that sensitive data on 4,400 people was accidentally uploaded to the Internet through the Winny peer-to-peer (P2P) file-sharing application. The information includes records on suspects, victims, and investigation informants, with the oldest leaked datum going back to 1984. The police are asking Web hosts and bulletin board managers to remove the data if they find it on their Web sites. The Ehime announcement follows a similar incident in Okayama, which involved the release of more than 1,500 suspects' and victims' data.
• The US Department of Justice, in response to questions from Congress regarding the National Security Agency's warrantless Terrorist Surveillance Program (TSP), says it's legal for the program to monitor calls between doctors and patients or lawyers and clients and that such evidence is admissible in court. Specifically, the Department claims that the US Constitution's Fourth Amendment guaranteeing protection against unreasonable search and seizure doesn't apply to foreign intelligence. Defense attorneys in terrorism cases are hoping to challenge the admissibility of evidence obtained from the TSP and used against their clients. Michigan Representative John Conyers of the House Judiciary Committee is dissatisfied with Attorney General Alberto Gonzales' responses to 45 questions from the committee, saying all but two were too vague (many questions were left unanswered due to national security concerns).
• Information—including names, addresses, and details of alleged offenses—supplied by 20,000 people who filed complaints against the police with Hong Kong's Independent Police Complaints Council has been posted on the Internet. The database might have accidentally been made accessible when contractors copied it onto a commercial server. Roderick Woo, Privacy Commissioner for Personal Data, has launched an inquiry into the incident and into the general information security practices of Hong Kong government agencies.
• Microsoft is re-engineering its Passport universal-login service for use as the Windows Live ID system in Windows Live, Office Live, Xbox Live, MSN, and other Microsoft online services. Current Passport versions will be compatible with Windows Live ID. Passport was first released in 1999, but bugs and privacy concerns prevented widespread adoption, and it became an identity-management tool restricted to Microsoft-owned businesses. Passport will also accept InfoCard, another Microsoft single-sign-on technology.
• EU data-protection supervisor Peter Hustinx has criticized European governments' fondness for biometrics following an EU report about making several databases interoperable, including the Visa Information System and Eurodac. This and similar reports focus on merging, exchanging, and accessing data without examining what safeguards would be necessary to protect the information. Hustinx wants to implement the purpose-limitation principle, which would set rules to define legitimate purposes for data collection, maintenance, and security. Hustinx also wants to make the consistent analysis of data-protection and privacy-enhancing technologies part of any database-interoperability proposal.
• US banks have cancelled more than 600,000 debit cards believed to have been compromised in an online retailer's security breach, leading some observers to question how well merchants are protecting customer data. The breach compromised not only debit-card numbers, but also personal identification numbers (PINs). Major credit-card policies forbid retailers from storing PINs with credit-card purchases, but the compromise suggests that some retailers are violating this rule. Card readers at retail stores encrypt PINs at the keypad, but many keypads also store the encryption key. It's unknown how many stores retain prohibited data by mistake or which technologies leave PIN systems vulnerable. Gartner Group security analyst Avivah Litan suspects that more criminals might target merchants in the hopes of obtaining debit-card PINs, but Mike Urban, a fraud-technology operations director at Fair Isaac, believes current security controls can prevent more thefts if merchants implement the mandated procedures.
• A US Government Accountability Office (GAO) report found that government agencies that purchase data from private sector data aggregators do so in violation of federal privacy rules. The federal government spends roughly US$30 million a year on such data, with 91 percent of these purchases going to law enforcement and counterterrorism. However, data aggregators fail to consistently abide by fair information practices, and federal agencies failed to comply with privacy rules for handling information in half the cases the GAO examined. The GAO also noted that the Office of Management and Budget (OMB) hasn't provided agencies with clear privacy guidelines.
• AT&T has asked a US District Court in California to bar the use of technical documents provided by a former technician to the Electronic Frontier Foundation (EFF) as evidence in a lawsuit alleging that AT&T illegally cooperated with the US National Security Agency's (NSA's) domestic wiretap program. Special rooms set up at several AT&T offices housed NSA data-mining equipment, which was used to examine phone calls and Internet records. The documents were provided by Mark Klein, a former technician who believes the NSA's wiretap program extends beyond phone calls to wholesale Internet surveillance; Klein's duties included connecting circuits to the secret room at AT&T's San Francisco office. AT&T claims that adding the documents to the public record compromises its trade secrets and makes its networks vulnerable to hackers.
• The social-security numbers, driver's license information, and bank account details of current and former Florida residents have been available on the Internet since 1999. Original reports found the problem only in Broward County, but other counties are also posting documents without redacting personal information. Privacy activists warn that the practice has made citizens vulnerable to identity theft. Sue Baldwin, director of the Broward County Records Division, notes that "recorders have no statutory authority to automatically remove social security, bank account, and driver's license numbers" until January 2007, when a new state law grants county recorders the necessary authority to remove the information. Until that time, concerned individuals can request that their information be removed.