February 11, 2002
Accused DEA Data-Thief On the Lam
A former federal drug agent charged last year
with peddling data from law enforcement computers
has skipped bail, on what would have been the
first day of his trial. Federal agents in Los
Angeles are searching for a 12-year veteran of
the U.S. Drug Enforcement Administration (DEA)
who last week skipped out on felony charges of
illegally selling sensitive information about
private citizens from law enforcement computers,
SecurityFocus has learned.
http://www.securityfocus.com/news/326
- - - - - - - -
Deadlier Klez worm on the prowl
A new variant of the destructive Klez worm has
had moderate success, prompting one antivirus
company this past weekend to release free tools
to deal with its spread. The variant, carried
by e-mail and known as Klez.e, overwrites
victims' files with random content on the
sixth day of odd-numbered months. It can
spread automatically on Windows systems that
use an unpatched version of Microsoft's Internet
Explorer. "The latest version, Klez.e, (poses)
the most serious threat to computer safety,"
said Moscow-based antivirus company Kaspersky
Labs.
http://zdnet.com.com/2100-1105-834489.html
http://news.com.com/2100-1001-834420.html
- - - - - - - -
The Valentine's Day virus massacre
Exchanging electronic Valentine's cards and
downloading romance-themed programs from the
Internet increases the risk of spreading viruses.
So says Sophos, which we applaud for its initiative
in unearthing the antivirus angle in February 14.
The AV vendor cautions users to be vigilant because
disguising worms as greetings cards has become a
popular ploy for virus writers.
http://www.theregister.co.uk/content/56/24011.html
- - - - - - - -
Microsoft Recalls Botched Browser Security Patch
Package was to fix 'all known security flaws
in Internet Explorer.' A collection of long
awaited security patches designed to plug
several critical holes in Internet Explorer
was yanked from Microsoft's site Thursday
after the company found problems with the
fix. Approximately two hours after the
cumulative patch for IE was loaded to the
company's Windows Update site Thursday,
Microsoft "discovered an error and halted
the distribution process in order to conduct
further testing," according to a Microsoft
representative.
http://www.securityfocus.com/news/325
http://www.newsbytes.com/news/02/174366.html
- - - - - - - -
Hackers Shortcut Hotmail Password Reset Protections
Security researchers have discovered a
vulnerability in Microsoft Corp.'s Hotmail
service that allows hackers to bypass security
questions that users must answer before resetting
their passwords. Normally, if Hotmail users forget
their password they must fill out a Web form that
requires their e-mail address, state, zip code and
country. Users who enter the correct information
are then prompted for the answer to the "secret
question" they selected when signing up for the
service.
http://www.newsbytes.com/news/02/174400.html
- - - - - - - -
IE bug allows MSN Messenger hijack
Researchers put a new twist on an old,
unrepaired, Microsoft bug. The recent privacy
stuff-up in Messenger "pales in comparison to
what can be done if you use MSN Messenger
through unpatched IE vulnerabilities," security
researchers Tom Gilder and Thor Larholm have
discovered. Among the fun and games one can have
with a vulnerable Messenger user are such sports
as impersonating the victim and sending spoof
messages and spoof e-mail memos to his contacts,
and scouring his local drive for interesting
files to share around.
http://www.securityfocus.com/news/324
http://www.newsbytes.com/news/02/174380.html
http://www.msnbc.com/news/704603.asp
http://www.theregister.co.uk/content/4/24004.html
http://www.cnn.com/2002/TECH/internet/02/11/msn.messenger.flaw.idg/index.html
Microsoft: We're patching MSN hole
A privacy flaw in MSN Messenger that exposes
IM nicknames and could reveal users' e-mail
addresses is a 'hiccup,' not a problem, says
Microsoft. But a fix is on the way. Microsoft
is putting the final touches on a patch to
limit an MSN Messenger feature that allowed
any Web site to grab a visitor's IM nickname
and buddy list.
http://news.zdnet.co.uk/story/0,,t269-s2104091,00.html
- - - - - - - -
MS server bugs open the door to hackers
Microsoft has warned of vulnerabilities in
its Exchange 2000 server software and Telnet
remote access service that could open the
doors to malicious hackers. The Exchange bug
could allow hackers to view or alter the
server's system registry, which lists crucial
information such as the exact operating system
version and which applications are installed.
The Telnet hole could allow hackers to launch
a denial-of-service attack or execute code on
the target system. Both advisories were
released late last week.
http://zdnet.com.com/2100-1104-834113.html
http://news.zdnet.co.uk/story/0,,t269-s2104095,00.html
ISS issues patch for firewall software
http://news.zdnet.co.uk/story/0,,t269-s2104062,00.html
- - - - - - - -
National infrastructures key to military strategy
The nation's critical infrastructure is vital
to carrying out the nation's military strategy,
a senior Defense Department official told
technology vendors Tuesday. Just as the United
States usually targets other nations'
infrastructures when it is at war, so have
potentially hostile nations planned to attack
infrastructures in the United States, said
Jeffrey Robert Gaynor, special assistant for
homeland security in the Defense Department's
Office of the Deputy Assistant Secretary for
Security and Information Operations.
http://www.govexec.com/dailyfed/0202/021102j1.htm
- - - - - - - -
FTC's working for a spam clampdown
The Federal Trade Commission is training its
legal guns on spam. On Tuesday, the agency plans
to unveil an aggressive three-point program to
crack down on unwanted commercial e-mail. The
agency receives about 10,000 e-mails a day in
a database it set up for consumers to forward
their unsolicited mail. Since the database was
launched in 1998, it has amassed 8 million
pieces of purported spam, according to an FTC
spokeswoman.
http://zdnet.com.com/2100-1106-834089.html
- - - - - - - -
Entertainment Executives To Testify At IP Theft Hearing
Leaders of associations that represent the music
and entertainment industry are slated to testify
Tuesday at a Senate committee hearing on the
increasingly global problem of intellectual
property theft. Recording Industry Association
of America (RIAA) President Hillary Rosen and
Motion Picture Association of America (MPAA)
President Jack Valenti will headline a Senate
Foreign Relations Committee hearing on the
piracy of movies, software, music and books.
http://www.newsbytes.com/news/02/174399.html
Digital piracy: On the rise?
http://zdnet.com.com/2100-1104-834605.html
Report shines spotlight on digital piracy
http://news.com.com/2100-1023-834517.html
- - - - - - - -
Cybersecurity alliance launches without funding, leadership
The National Cyber Security Alliance, a government
and industry project to promote the public's
awareness of computer security practices, was
launched last week without funding, a leader
or a board of directors. The main work of the
alliance so far is a Web site at
staysafeonline.info that posts tips and a
self-test for consumers about how to secure
their computers. The site advocates firewalls,
disconnecting computers from the Internet when
they are not in use, sophisticated passwords
and similar measures.
http://www.gcn.com/vol1_no1/daily-updates/17939-1.html
- - - - - - - -
U.S. Funds Open Source Security Hub
A new approach to open source security auditing,
funded by the U.S. Defense Department, offers
recognition to geeks who examine code. Conventional
wisdom has long held that open source software
garners extra security from the sheer number of
people who are free to review the code -- "Many
eyes make all bugs shallow," the adage goes. The
reality is often different; it turns out many of
those eyes have little interest in the thankless
task of examining other people's code for
security holes.
http://www.securityfocus.com/news/322
- - - - - - - -
Orange SMS spam dragnet ensnares unwary
Orange is blocking text messages sent through
a UK premium service, citing "security issues".
But the British SMS provider appears to have
fallen foul of Orange's new allegedly anti-spam
policy of charging foreign networks for sending
bulk messages. Register readers using a premium
SMS service provided by Deltica.com have been
charged for messages that were never received
because it resells Swisscom SMS capacity, which
offered the cheapest service in Europe, and is
one of the blocked providers.
http://www.theregister.co.uk/content/5/24003.html
- - - - - - - -
BlackICE slips up over serious security risk
Security tools vendor ISS is warning of a
potential denial of service risk to its range
of desktop firewall/intrusion protection
systems. Crackers might be able to crash or
disrupt affected versions of its BlackICE
Defender and BlackICE Agent desktop products,
and affected versions of RealSecure Server
Sensor using a modified ping flood attack,
it has been discovered.
http://www.theregister.co.uk/content/55/24008.html
- - - - - - - -
Snoop Software Shreds Reality
Just because you're an accomplished academic and
author doesn't mean you have street smarts. David
Gelernter -- the world-renowned computer scientist,
Yale professor, author and art critic -- says he
has a prescription for companies to avoid Enron-
Arthur Andersen-type scandals: better management
of corporate e-mails, Web pages, calendar items
and other electronic documents.
http://www.wired.com/news/exec/0,1370,50250,00.html
- - - - - - - -
Internet security software from Symantec
If you're concerned about computer security but
can't quite generate the necessary paranoia,
Symantec has a nicely packaged (although somewhat
pricey) active psychosis bundle in the Norton
Internet Security Professional Edition. If this
software had a mother, it would demand photo ID
on every visit.
http://www.nandotimes.com/technology/story/247993p-2343193c.html
- - - - - - - -
Charney an Ominous Microsoft Pick
What are we to make of Microsoft tapping a
former hacker prosecutor and IP lawyer for its
top security spot? Nothing good. At the Blackhat
Security Briefings in New Orleans last week my
standard opening question in conversation was,
"So, what do you think about Scott Charney?"
For the most part, the standard response was,
"Who's that?" If you have not heard yet,
Microsoft has announced that Mr. Charney,
previously a security and cybercrime specialist
at Price Waterhouse Coopers, has been named to
fill the newly-minted position of Chief Security
Strategist -- a mutation of the title that
Howard Schmidt used to own.
http://www.securityfocus.com/columnists/59
- - - - - - - -
If Office XP's So Great, How Come Microsoft Uses Word 97?
Microsoft disputed a security expert's report
today that a Microsoft whitepaper describing
security enhancements in Office XP was created
using Office 97. But a review by Newsbytes of
numerous Word documents recently posted at
Microsoft's site confirmed that the company
may not be following its advice to customers
that they upgrade to Office XP.
http://www.newsbytes.com/news/02/174384.html
- - - - - - - -
Digital ID: You shop, they snoop?
A new plan for tagging everything from computers
to shampoo bottles could make life more convenient,
but it's got privacy advocates up in arms. Sun
Microsystems has joined a program called Auto-ID
to build wireless digital identification tags into
everything from razor blades to soup cans, chief
executive Scott McNealy said on Thursday.
http://news.zdnet.co.uk/story/0,,t269-s2104056,00.html
- - - - - - - -
OPM tech speeds background checks
With the number of background checks it must
conduct on potential federal employees jumping
by 50 percent to 60 percent this year, the
Office of Personnel Management is turning to
information technology to get the job done
quickly and accurately, officials said. Automated
forms, digitized and easily searchable employee
records, and electronic imagery have proven so
important to OPM's investigative arm that $5.8
million of the new funds requested for the agency
in the president's fiscal 2003 budget is aimed
at "e-clearance" efforts, among other things.
http://www.fcw.com/fcw/articles/2002/0211/web-opm-02-11-02.asp
- - - - - - - -
Mumbai's Passive-Aggressive Cops
First there is misery. Then there are job offers.
Things happen differently in India. Two hackers
accused of defacing the Mumbai cops' website six
months ago, who later claimed to have been beaten
during interrogation, have now been offered help
finding jobs. By the police. "They want to soften
up things a bit," said Mahesh Mhatre, 24, one of
the hackers. "They want me to drop the charge of
assault against them. I don't want their job."
http://www.wired.com/news/politics/0,1283,50313,00.html
- - - - - - - -
Police using voice stress analysis to detect lies
Police want to know if a suspect is lying, but
the polygraph test comes back inconclusive.
What's an exasperated interrogator to do?
Increasingly, law enforcement agencies are
using a technology that measures "voice stress"
-- small frequency modulations in the human voice
that supposedly occur whenever someone is lying.
Some police officials swear by the Computer Voice
Stress Analyzer -- a laptop computer, software and
microphone package that promises to catch deception.
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/2645903.htm
***********************************************************
The source material may be copyrighted and all rights are
retained by the original author/publisher. The information
is provided to you for non-profit research and educational
purposes. Reproduction of this text is encouraged; however
copies may not be sold, and NewsBits (www.newsbits.net)
should be cited as the source of the information.
Copyright 2000-2002, NewsBits.net, Campbell, CA.