NewsBits for July 22, 2003
sponsored by Southeast Cybercrime Institute - www.cybercrime.kennesaw.edu
************************************************************
Teenager 'used spam to steal identities'
A 17-year-old boy has been charged after sending spam that directed recipients to a fake AOL site where they were asked to enter personal data.
US regulators have charged a 17-year-old boy with using "spam" emails and a fake AOL Web page to trick people out of their credit card information and to steal thousands of dollars.
http://news.zdnet.co.uk/story/0,,t269-s2137971,00.html
http://www.washingtonpost.com/wp-dyn/articles/A25491-2003Jul21.html
Identity theft 'remains hidden'
http://news.zdnet.co.uk/story/0,,t269-s2137964,00.html
'Phishing' scams reel in your identity
http://www.cnn.com/2003/TECH/internet/07/21/phishing.scam/index.html
FBI warns about bogus sites collecting personal data
http://www.hindustantimes.com/news/181_315842,00030010.htm
How were $ 4 million stolen with the help of computer?
http://www.crime-research.org/eng/news/2003/07/Mess2103.html
- - - - - - - - - -
Virus writer's appeal fails
A man who admitted infecting thousands of computers world-wide with viruses has failed to have his prison sentence cut. Simon Vallor, 22, created the viruses at his home in Llandudno, north Wales, and released them on to the internet. The three "worms" between them attacked 27,000 computers in 42 countries. Vallor had admitted three counts of releasing a computer virus and was jailed for two years at Southwark Crown Court in January.
http://news.bbc.co.uk/2/hi/uk_news/wales/3085203.stm
- - - - - - - - - -
Kinko's spyware case highlights risks of public Internet terminals
For more than a year, unbeknownst to people who used Internet terminals at Kinko's stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords. Jiang had secretly installed, in at least 14 Kinko's stores, software that logs individual keystrokes.
He captured more than 450 user names and passwords, using them to access and even open bank accounts online.
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/6359407.htm
http://www.usatoday.com/tech/news/techpolicy/2003-07-22-terminal-fear_x.htm
- - - - - - - - - -
Trojan opens victim-to-attacker file-sharing
Sophos has issued a number of virus alerts, including identification of a backdoor Trojan primed to download files from the Net. Troj/DownLdr-DI has already been seen in the wild and, when run, it will download additional components from encrypted Web addresses. As the Trojan may be run at any time, the downloaded files may vary.
http://www.pcpro.co.uk/?http://www.pcpro.co.uk/news/news_story.php?id=45104
- - - - - - - - - -
Clarke advocates grass-roots action to protect critical IT
Calling the Homeland Security Department incapable of doing anything to save the civilian IT infrastructure, former White House cybersecurity czar Richard Clarke today called on software users and buyers to set security standards themselves. You can't count on the government to defend critical networks, Clarke said at the National Information Assurance Leadership Conference in Washington sponsored by the SANS Institute of Bethesda, Md.
http://www.gcn.com/vol1_no1/daily-updates/22845-1.html
- - - - - - - - - -
Schools stay mum on file traders' names
Some universities are balking at stepped up demands from the recording industry to unmask alleged student file swappers, citing procedural uncertainties over an avalanche of subpoenas filed with the courts in recent weeks. Boston College and the Massachusetts Institute of Technology on Tuesday said they are barred from immediately handing over the names of students to the recording industry by the Family Education Rights and Privacy Act, which requires institutions to notify students before releasing any personal data.
http://news.com.com/2100-1027_3-5052884.html
Swap songs?
You may be on record industry's hit list
http://www.usatoday.com/tech/news/2003-07-21-swappers_x.htm
Michael Jackson: Don't jail downloaders
http://www.cnn.com/2003/TECH/ptech/07/22/jackson.fileshare.ap/index.html
http://www.theregister.co.uk/content/6/31872.html
http://www.vnunet.com/News/1142491
http://australianit.news.com.au/articles/0,7204,6792003%5E15322%5E%5Enbv%5E,00.html
As RIAA suits loom, customers often confused with criminals
http://www.usatoday.com/tech/news/techpolicy/2003-07-21-riaa_x.htm
- - - - - - - - - -
File-swap software to foil enforcers
Peer-to-peer file-sharing software developers say user privacy-protection concerns are behind the introduction of features designed to foil scanning by organizations representing owners of copyright-protected material. The claims come as the music industry in the US ploughs ahead with moves to file a raft of civil lawsuits against people allegedly involved in online file-sharing. Some reports indicate more than 800 federal subpoenas have already been issued.
http://zdnet.com.com/2100-1104_2-5051656.html
http://news.zdnet.co.uk/story/0,,t269-s2137938,00.html
- - - - - - - - - -
Movie studios launch campaign to raise awareness of piracy
The movie industry is trying a new tactic in its war against people who download pirated copies of films over the Internet -- it's asking nicely. Movie studios will launch a campaign Tuesday that includes television ads and in-theater spots featuring makeup artists, set painters and other crafts people saying that piracy robs them of a living.
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/6357756.htm
http://www.usatoday.com/tech/news/2003-07-22-mpaa-tactic_x.htm
- - - - - - - - - -
Cracking Windows passwords in seconds
If your passwords consist of letters and numbers, beware.
Swiss researchers released a paper on Tuesday outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds from 1 minute 41 seconds. The method involves using large lookup tables to match encoded passwords to the original text entered by a user, thus speeding the calculations required to break the codes. Called a time-memory trade-off, the situation means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code.
http://news.com.com/2100-1009_3-5053063.html
- - - - - - - - - -
China will censor text messages
Chinese authorities plan to monitor text messages, adding them to a list that already includes email, Web sites and Internet chatrooms.
Chain SMS (short message service) on mobile phones are causing comment in India, but in China, authorities plan to censor messages that are sexual or offensive in nature.
http://news.zdnet.co.uk/story/0,,t269-s2137934,00.html
- - - - - - - - - -
Threat center defends itself
Administration officials defended the creation of a domestic terrorist analysis center Tuesday, but Democrats and other critics have concerns. At a contentious congressional hearing on the recently established Terrorist Threat Integration Center, intelligence officials said the organization has adequate mechanisms to analyze data and send it to the right people.
http://www.fcw.com/fcw/articles/2003/0721/web-ttic-07-22-03.asp
http://computerworld.com/securitytopics/security/story/0,10801,83322,00.html
Intelligence officials: TIA is too broad
http://www.fcw.com/fcw/articles/2003/0721/web-tia-07-22-03.asp
http://www.govexec.com/dailyfed/0703/072203td1.htm
States to test emergency info sharing
http://www.fcw.com/fcw/articles/2003/0721/web-dot-07-22-03.asp
Agencies under fire to assess privacy impact of federal actions
http://www.govexec.com/dailyfed/0703/072203td2.htm
US - "a target number one" for cyberterrorists
http://www.crime-research.org/eng/news/2003/07/Mess2202.html
- - - - - - - - - -
US names the day for biometric passports
A senior US government official has laid out detailed plans for the timing and form of US government issued biometric passports. Frank Moss, deputy assistant secretary for Passport Services, presented his organisation's plans to evolve to a new, more secure "intelligent document" from today's paper-based passports at the Smart Card Alliance's Government Conference and Expo conference last week.
http://www.securityfocus.com/news/6471
http://www.theregister.co.uk/content/55/31882.html
New NIST spec brings contactless smart cards into the fold
http://www.gcn.com/vol1_no1/daily-updates/22844-1.html
Why Biometrics Is No Magic Bullet
http://www.businessweek.com/technology/content/jul2003/tc20030722_2846_tc125.htm
- - - - - - - - - -
Pervasive.SQL Gets Security Boost
Pervasive Software Inc. on Tuesday rolled out the beta of an update to its embeddable database engine that's bristling with security enhancements. Pervasive.SQL V8 Security comes with a unified security model that's designed to protect critical data across Pervasive.SQL access interfaces, down to the operating system. The release also features enhanced encryption of data as it travels through a network.
http://www.eweek.com/article2/0,3959,1200866,00.asp
- - - - - - - - - -
Waiting for the Worms
The hole's been announced, the patch has been released. Now there's nothing to do but wait for the worm to come and wreak its ugly havoc. "Sitting in a bunker, here behind my wall, waiting for the worms to come. In perfect isolation, here behind my wall, waiting for the worms to come." Strangely apropos, this Pink Floyd lyric reflects the current mindset of many security-folk given the latest announcement of a critical vulnerability in most Microsoft Windows operating systems.
http://www.securityfocus.com/columnists/174
Firms Raced to Fix Internet Hardware Flaw
http://www.washingtonpost.com/wp-dyn/articles/A29780-2003Jul22.html
- - - - - - - - - -
Detecting SQL Injection in Oracle
Last year I wrote a two-part paper about SQL Injection and Oracle. That paper explored which SQL injection techniques are possible with Oracle, gave some simple examples on how SQL injection works and some suggestions on how to prevent attackers and malicious employees using these methods. Those SQL Injection papers can be found here:
http://www.securityfocus.com/infocus/1714
SQL Injection and Oracle, Part One
http://www.securityfocus.com/infocus/1644
SQL Injection and Oracle, Part Two
http://www.securityfocus.com/infocus/1646
- - - - - - - - - -
Hackers Lose a Patron Saint
If there is a heaven, the angels are in for a hell of a time when Jude Milhon, the Internet's real and very earthy patron saint of hacking, shows up. Better known on the Internet by her nom de plume, St.Jude, Milhon died July 19 of cancer. Her age was an issue Milhon obviously decided not to address. Even her closest friends could only guess at it, and they admitted they could be off by as much as a decade.
http://www.wired.com/news/technology/0,1282,59711,00.html
***********************************************************
Computer Forensics Training - Online.
An intense, 150 hour, instructor-led program that teaches you computer forensics and helps prepare you for the Certified Computer Examiner exam. For more information see: www.cybercrime.kennesaw.edu
***********************************************************
Search the NewsBits.net Archive at:
http://www.newsbits.net/search.html
***********************************************************
The source material may be copyrighted and all rights are retained by the original author/publisher. The information is provided to you for non-profit research and educational purposes. Reproduction of this text is encouraged; however copies may not be sold, and NewsBits (www.newsbits.net) should be cited as the source of the information.
Copyright 2000-2003, NewsBits.net, Campbell, CA.