April 8, 2002 Mother poses online to help capture those who prey on children The FBI has Debbie Kelleman's number, and she's glad. The single mother of two children used the Internet last week to help police in Macomb County, Ill., arrest a suspected pedophile. Now the FBI wants her help in nailing him on federal charges. Kelleman pretended to be a pedophile herself. The man called himself "Crazy Grif"; he told her he possessed child pornography and suggested he was going to take his activity a step further. http://www.buffalonews.com/editorial/20020406/1038280.asp - - - - - - - - China acts on government piracy The Chinese government has ordered its departments to set a special budget to buy authorized software and stamp out pirated applications. A circular has been issued by four ministries and departments, including the Ministry of Finance and the National Copyright Administration, in the wake of the introduction of the Chinese governments new copyright law. The law was in part a response to the requirements of China's WTO membership. http://www.theregister.co.uk/content/7/24736.html - - - - - - - - MS gets leaked Win2k USB 2.0 drivers pulled, cites DMCA Microsoft has acted to suppress unofficial/ unauthorised sources for the USB 2.0 drivers for Windows 2000, citing the Digital Millennium Copyright Act in a complaint to the hosting company of Littlewhitedog.com, (LWD) which has been hosting leaked drivers since January. In response LWD has pulled the drivers, and the other site hosting them, Digital Silence, has also deemed it prudent to cease and desist, with some encouragement from its host. Which doesn't mean the drivers aren't still out there, but it does mean they've been pretty much consigned to warezland, Microsoft having made it clear by its actions that anybody not in a position to run and hide is going to get a take-down. http://www.theregister.co.uk/content/4/24749.html - - - - - - - - Data theft tops security headaches U.S. companies and government agencies report losing more money from theft of proprietary information than any other type of attack on their computer systems, according to a new study. Viruses remain the most common type of cyberattack, according to the seventh annual joint FBI/Computer Security Institute (CSI) Computer Crime and Security Survey released Sunday. "What's particularly impressive is that financial losses seem to be really rising," said Richard Power, editorial director of San Francisco-based CSI, an association of information security professionals. http://zdnet.com.com/2100-1105-877606.html http://news.zdnet.co.uk/story/0,,t269-s2107891,00.html http://news.com.com/2100-1001-877427.html FBI: Businesses Loath To Report Hacks Ninety percent of businesses and government agencies suffered hacker attacks within the past year, yet only a third of those businesses reported the intrusions to law enforcement, an FBI survey found. While 80 percent of the respondents acknowledged financial losses due to computer attacks, only 44 percent were willing or able to quantify the damage, according to survey results released Sunday by the FBI. Seventy-eight percent said employees had abused their Internet access privileges by downloading pornography or pirated software. Eighty-five percent detected computer viruses on their networks. http://online.securityfocus.com/news/364 http://www.newsfactor.com/perl/story/17146.html http://www.newsbytes.com/news/02/175718.html http://www.cnn.com/2002/TECH/internet/04/07/cybercrime.survey/index.html http://news.bbc.co.uk/hi/english/sci/tech/newsid_1916000/1916655.stm http://www.usatoday.com/life/cyber/tech/2002/04/08/fbi-survey.htm http://www.theregister.co.uk/content/6/24747.html http://www.nandotimes.com/technology/story/347520p-2853392c.html - - - - - - - - ISS ranks Net vulnerabilities Advanced worms, or so-called hybrid and blended threats like Nimda and Code Red, continue to pose the greatest online risk according to investigations carried out by Internet Security Systems Inc, but the company rates multiple vulnerabilities uncovered in the SNMP v.1 Simple Network Management Protocol "the largest multi- vendor security flaw ever discovered to date." http://www.theregister.co.uk/content/55/24738.html - - - - - - - - Researcher bemoans 'blunders waiting to happen' A technology researcher at Berkeley, University of California, has described distributed computing systems that connect to a central server as security blunders waiting to happen. The warning follows the news last week that peer-to-peer file sharing software Kazaa contains a Trojan that puts millions of machines at risk. In a federal securities filing last week, it was revealed that Kazaa contains another program designed to create a second underlying distributed computing network made up of unwitting Kazaa users. Brilliant Digital Media, the company behind the stealth peer-to-peer software, known as Altnet, plans to activate the software on users' machines in the next few weeks to be used for distributed computing. http://www.vnunet.com/News/1130726 - - - - - - - - New Defense Against Hack Attacks 'If someone has built up a relatively large attack network with 1,000 machines, you're going to want to find out what's attacking,' SecurityFocus incident analyst Ryan Russell told NewsFactor. 'However, how long is it going to take you to clean up 1,000 boxes?' A University of Massachusetts Amherst researcher claims to have come up with a new approach to denial-of-service (DoS) attacks, tracking the source of such onslaughts using just a single bit of information added to Internet messages. http://www.newsfactor.com/perl/story/17141.html - - - - - - - - FBI's new Cyber Division quietly ramps up To the surprise of many people in government and in the technology industry, the FBI has been quietly forming its new Cyber Division. The first formal announcement of the division indirectly was made Tuesday, when FBI Director Robert Mueller announced the appointment of Larry Mefford as assistant director of the division. Mefford is associate special agent in charge of the San Francisco FBI field office. http://www.govexec.com/dailyfed/0402/040802td1.htm - - - - - - - - Flyzik will advise Ridge on IT Starting April 15, James Flyzik will go on detail as the senior adviser for IT on homeland security director Tom Ridges staff. Flyzik, acting assistant secretary for information systems at the Treasury Department, discussed his new assignment Saturday at the 4th Annual Connect for a Cure Black-Tie Gala to benefit the Juvenile Diabetes Research Foundation. I decided that I needed to do something to support homeland security, said Flyzik, also Treasurys CIO. The new charge is not a burden, he said, adding that he has always been proud to be a federal employee. http://www.gcn.com/vol1_no1/daily-updates/18341-1.html - - - - - - - - Outflanking the Cyberterrorist Threat While cyberterrorism may not be an immediate threat, it would be foolish not to recognize that the U.S. is facing a "thinking enemy" who will adapt to attack our critical infrastructures and vulnerabilities, says Ruth David, former director for science and technology at the CIA. David is now president and CEO of Analytic Services Inc., an independent, not-for-profit, public service research institution in Arlington, Va. She and Bill Crowell, CEO of Santa Clara, Calif.-based security firm Cylink Corp. and a former deputy director of the supersecret National Security Agency, each participated in rare interviews with Computerworld's Dan Verton. They discussed the threats posed by cyberterrorist attacks and the steps that the public and private sectors should take to thwart them. http://www.computerworld.com/storyba/0,4125,NAV47_STO69866,00.html - - - - - - - - Watch out for pop-up downloads Web surfers who thought online advertisements were becoming increasingly obtrusive may be dismayed by a new tactic: pop-up downloads. In recent weeks, some software makers have enlisted Web site operators to entice their visitors to download software rather than simply to view some advertising. For example, when visiting a site a person may receive a pop-up box that appears as a security warning with the message: "Do you accept this download?" If the consumer clicks "Yes," an application is automatically installed. http://zdnet.com.com/2100-1106-877592.html http://news.zdnet.co.uk/story/0,,t269-s2107900,00.html http://news.com.com/2100-1023-877568.html http://www.newsbytes.com/news/02/175703.html - - - - - - - - Service providers as speech police? Legal protections generate complex disputes. A 1998 federal law meant to combat digital piracy is increasingly being used to challenge free speech online as well. In one recent case, the search engine Google removed links to a Norwegian site that criticizes the Church of Scientology International after the organization complained of copyright violations. http://www.cnn.com/2002/TECH/internet/04/07/online.speech.police.ap/index.html HDTV advocates join copy-protection fray http://www.usatoday.com/life/cyber/tech/2002/04/08/digitaltv-usat.htm Proposed copyright law raises controversy http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/04/08/BU140716.DTL - - - - - - - - BMG puts kibosh on copying promo CDs BMG Entertainment, the major record company owned by German media giant Bertelsmann, said it will begin this month to protect promotional releases of its CDs against copying. That means free samples of new albums sent to U.S. radio stations, retailers and the press will come packaged with software that prevents songs from being copied onto computer hard drives. BMG will begin the trials with the April promo releases from artists Cee-Lo and Donnel Jones. http://news.com.com/2100-1023-877933.html - - - - - - - - Apple Patches UNIX Security Bugs In Mac OS X Apple Compute has released a security update to its Mac OS X operating system that closes more than a half dozen serious security vulnerabilities. The April 2002 security update for OS X version 10.1 addresses recently discovered bugs in UNIX components used by the operating system, according to a description of the update released by Apple last week. http://www.newsbytes.com/news/02/175719.html - - - - - - - - Denial-of-Service Attacks Still a Threat Denial-of-service (DOS) attacks continue to present a significant security threat to corporations two years after a spate of incidents brought down several high-profile sites, including those of Yahoo Inc.and eBay Inc., users and analysts report. Since then, several technologies have emerged that help users detect and respond to DOS attacks far more quickly and effectively than before. But the increasingly sophisticated attack methods and the growing range of systems targeted in DOS attacks continue to pose a challenge. http://www.computerworld.com/storyba/0,4125,NAV47_STO69924,00.html - - - - - - - - New Win-NT, 2K, XP security holes First up, the MUP (Multiple UNC Provider) in Windows NT, 2K and XP contains an unchecked buffer which can be exploited to escalate user privileges, making it possible for an attacker to run arbitrary code at the OS level. UNC refers to the Universal Naming Convention, with which shares are identified. MUP is a Windows service which locates UNC resources. In this case, MUP file requests are stored in two buffers. The first is checked properly, but "MUP stores a second copy of the file request when it sends this request to a redirector," MS says. The second buffer is not adequately checked, and is therefore susceptible to a buffer overflow attack. http://www.theregister.co.uk/content/4/24743.html - - - - - - - - NetWare flaw threatens servers Vulnerability in remote management tool. A flaw in Novell's remote server management tool could cause servers to crash, security consultants have warned. Novell's web-based interface for managing the server has a buffer overflow security vulnerability that could allow an attacker to execute arbitrary code. Consultants Jonas Landin and Patrik Karlsson, of security firm IXSecurity, found the flaw in NetWare 6 Remote Manager and reported it to Novell. They said that NetWare 5.1 and 6 are vulnerable to the buffer overflow that could affect server operation. http://www.vnunet.com/News/1130700 - - - - - - - - IPod: Music to Hackers' Ears Jean-Olivier Lanctot-David is a 14-year-old hacker who has figured out a way to display online news headlines on Apple's iPod digital music player. Lanctot-David, who has been using Macs since he was 4 and programming since he was 11, was given an iPod for Christmas and immediately wanted to make it do more than just play music. http://www.wired.com/news/mac/0,2125,51586,00.html - - - - - - - - Feeling secure with Microsoft Word How often do you send out documents created with Microsoft Word that are based upon previous documents? Do you always use a new, clean template or do you take the last proposal you wrote and modify it for the new prospect? Do you ever turn off the 'Track Changes' option? If you don't then the recipients will almost certainly be able to see the proposal you sent to the previous customer --and all the other customers that have been included somewhere along the chain. What happens if there is really sensitive information involved? Clearly management is required. http://www.theregister.co.uk/content/4/24740.html - - - - - - - - Turning off the Internet tap Frustrated with the combined costs of lost productivity, virus cleanups, and e-mail monitoring, its very likely that many companies may soon be taking a just say no approach toward employee requests for Internet access. In fact, some CIOs Ive talked with indicate that theyre likely to shut off all Web access in the next couple of months and then plug in software that will selectively reenable access on an as-requested basis. Others relate that theyre pursuing less draconian, but just as restrictive, policies to control the growing administrative costs of unfettered Internet access. Its a good time to examine some available Web-access alternatives under consideration by CIOs. http://www.techrepublic.com/article_guest.jhtml?id=r00520020404lan01.htm - - - - - - - - Does your security plan neglect social engineering threats? The term social engineering (SE) smacks of George Orwells 1984, and it can be just as perfidious as it sounds, especially as it relates to IT security. Of course, we all use social engineering every day. We use it when we try to get our kids to do their homework, cajole employees into doing a bit of extra work, or try to talk a traffic cop out of a ticket. However, hackers also use social engineering to get valuable information that allows them to penetrate IT systems. http://www.techrepublic.com/article_guest.jhtml?id=r00220020408mco01.htm - - - - - - - - My Daily Virus Why continue to run a "WildList" cataloging ever virus in the world when they all show up in our inboxes anyway? "I regarded viruses as only good for entertainment," said Guido Sanchez about ten years ago. Sanchez ran Nun Beaters Anonymous, an underground bulletin board system notable for its free viruses and dry wit, the latter a scarce commodity in the world of hacker outlawry. For the record, he also said: "I have nothing against nuns, nuns are great people. I love nuns!" However, nuns notwithstanding and with regard to viruses, Sanchez's words are still right on. If you're going to hang around in the business for any length of time, it helps to develop a sense of humor towards everything. http://online.securityfocus.com/columnists/73 - - - - - - - - Does your password let you down? They may be random and private, but a lack of originality by employees when choosing computer passwords is putting companies' secrets at risk. According to a study, employees fail abysmally when it comes to securing confidential information. In a survey carried out by an international online security company, 60 percent of employees knew little of security awareness, while 90 percent admitting to opening or executing a "dangerous" e-mail attachment. http://www.cnn.com/2002/TECH/internet/04/08/passwords.survey/index.html - - - - - - - - Set up a strong Linux firewall with iptables In most organizations, network security has become interwoven with standard network and system administration. Threats in the form of malicious hackers, self-propagating worms, denial of service attacks, and other nefarious security problems loom large for administrators. Of course, one of the building blocks of network security is a good firewall. Although many companies pay top dollar for commercial firewall solutions, Linux has long been a popular option for those who want to save some big money and who don't mind rolling up their sleeves and building the firewall configuration themselves. Fortunately, the Linux firewall solution has continued to improve and the netfilter/iptables system now provides a robust and supremely flexible solution. http://www.techrepublic.com/article_guest.jhtml?id=r00220020402noo01.htm - - - - - - - - Clinton backs tech war on terror Bill Clinton has been outlining how technology can play a key role in defeating the new brand of terrorism. The former US president said that information management systems similar to those used by the big mass mailing companies could provide an early warning about suspicious behaviour. "More than 95% of the people that are in the United States at any given time are in the computers of companies that mail junk mail and you can look for patterns there," he told BBC World's ClickOnline. http://news.bbc.co.uk/hi/english/sci/tech/newsid_1912000/1912895.stm - - - - - - - - High-Tech Identity Checks Attempts to improve airport security with new technology have led to tools for identifying people using iris scans, handprints and even cellphones to track movements of passengers and airport personnel. Some innovations also promise customer-service improvements, such as notifying passengers of changes in departure times or gates by cellphone or pager instead of an unintelligible public address speaker. http://www.nytimes.com/2002/04/07/travel/07SHELF.html - - - - - - - - Grants to bolster GIS, homeland In the interest of boosting homeland security, ESRI one of the leading companies in the geographic information system field has set up a $2.3 million grant program to jump-start GIS initiatives in small cities and help set up crisis centers for local government agencies. The company also will hold seminars on the use of GIS for homeland security in various cities across the country and will issue a series of white papers showing how GIS can be used as the backbone of a homeland security plan. http://www.fcw.com/geb/articles/2002/0408/web-esri-04-08-02.asp *********************************************************** Search the NewsBits.net Archive at: http://www.newsbits.net/search.html *********************************************************** The source material may be copyrighted and all rights are retained by the original author/publisher. The information is provided to you for non-profit research and educational purposes. Reproduction of this text is encouraged; however copies may not be sold, and NewsBits (www.newsbits.net) should be cited as the source of the information. Copyright 2000-2002, NewsBits.net, Campbell, CA.