NewsBits for April 29, 2005
************************************************************

Florida Uni on brown alert after hack attack
Students and staff at Florida International University (FIU) were warned they are at risk of identity fraud this week after techies discovered hackers had broken into college systems. A file found on a compromised computer showed that an unknown hacker had access to the username and password for 165 computers at the University, sparking a major security alert.
http://www.theregister.co.uk/2005/04/29/fiu_id_fraud_alert/

- - - - - - - - - -

LSU dean arrested on child porn charges
LSU's associate dean of students has been arrested and charged with possession of child pornography. A worker reported finding a picture of three nude boys on the printer in 60-year-old James C. Welles' campus office. Major Ricky Adams of LSU Police says all four of Welles' office computers had large amounts of child pornography on them. LSU has placed Welles on administrative leave with pay.
http://www.katc.com/Global/story.asp?S=3277425&nav=EyAzZFZ3

- - - - - - - - - -

Porn on school's computer sparks Internet alarm
A Dartmouth couple wants the school board to further restrict Internet use in schools after their 10-year-old son was exposed to gay porn on a classroom computer. Julian Maughan, a Grade 4 student at Southdale-North Woodside Elementary, was told by a substitute teacher to do schoolwork on a computer with two other boys during class on April 15, his mom, Lynn Maughan, said in an interview Wednesday afternoon. He was pressured by the two boys to go to the website, she said.
http://www.halifaxherald.com/stories/2005/04/28/f247.raw.html

- - - - - - - - - -

China's anti-hacking alliance regrouped
The "Red Hacker Alliance," the largest and earliest hacking legion in China, was regrouped recently after a short break. The alliance, attracting 20,000 hackers, once ranked fifth in the world in terms of the number of its members. Its Web site, set up at the end of 2000, had nearly 80,000 registered members at its peak.
http://news.xinhuanet.com/english/2005-04/26/content_2879866.htm

- - - - - - - - - -

Porn-surfing Norwegians awarded $40k
We are seriously considering relocating the entire Vulture Central editorial staff to occasionally-sunny Norway after learning that two workers sacked for hunting net smut at work have been awarded 250,000 Kroner ($40,000) a head for unfair dismissal, Aftenposten Norway reports.
http://www.theregister.co.uk/2005/04/29/norwegian_compensation_claim/

- - - - - - - - - -

Mass. Bill Targets Online Buzz Marketers
A Democratic state representative in Massachusetts is introducing a bill aimed at shielding children from so-called buzz marketing. The lawmaker, Michael E. Festa of Melrose, calls for children under 16 to obtain their parents' permission to participate in online "word-of-mouth" sales campaigns.
http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=161601966

- - - - - - - - - -

State Bill to Limit RFID
While civil libertarians battle the federal government's decision to embed RFID chips in new U.S. passports, a California bill is moving swiftly through the state legislature that would make it illegal for state agencies and other bodies to use the technology in state identification documents.
http://www.wired.com/news/privacy/0,1848,67382,00.html

State Department official defends passport efforts
http://www.govexec.com/dailyfed/0405/042905tdpm1.htm

- - - - - - - - - -

Release of child witness photo brings no major breaks in case
The highly unusual step of releasing the photo of a young girl described as a material witness in an international child-pornography case did not produce any major breaks in the first 24 hours, police in Florida say.
http://www.theglobeandmail.com/servlet/ArticleNews/TPStory/LAC/20050429/GIRL29/TPNational/Toronto

- - - - - - - - - -

Software police issues warning on IT staff
The Federation Against Software Theft (Fast) has warned companies that their IT departments might be leaving them open to court action. In a recent investigation of a UK financial services firm, the organisation found 5,800 illegal digital music files in a software audit of 2,500 PCs. The vast majority of these had been downloaded by members of the firm's IT department.
http://www.vnunet.com/news/1162778

- - - - - - - - - -

Bagle Worm Seen As 'Blueprint' For Web Criminals
A pair of research reports have explored the long-running Bagle worm and laid out a chronology that points to a professional developer who, like counterparts in the commercial software world, is constantly testing, tweaking, and improving his code for profit, not pride of ownership.
http://www.internetweek.com/showArticle.jhtml?articleID=161601929

- - - - - - - - - -

Virus writers take spring break
Only one new virus, Mytob.Z, made it into the top 10 list for April, according to antivirus data from Sophos. Top of the list was Zafi.B, which accounted for nearly half of all viruses detected. This is the fifth month Zafi.B has topped the charts.
http://www.vnunet.com/news/1162789

- - - - - - - - - -

Hackers to test U.K. lawmakers' systems
Hackers are to be employed to test the effectiveness of the IT security defences for the computer systems in the House of Commons, home of the British parliament. A three-year IT security contract is up for grabs to conduct internal and external penetration testing on routers, firewalls and critical servers using a range of independent vulnerability assessment techniques.
http://news.com.com/Hackers+to+test+U.K.+lawmakers+systems/2110-7355_3-5690318.html

- - - - - - - - - -

F-Secure pros issue hacker challenge
Developers at F-Secure have issued a challenge to hackers to find an embedded message in a .EXE file. The challenge looks quite tricky, and the winner gets a free ticket to the T2'05 info sec conference in Finland, but unfortunately only if she or he lives in Finland.
http://www.theinquirer.net/?article=22879
http://news.com.com/This+week+in+Net+attacks/2100-7349_3-5689805.html

- - - - - - - - - -

Fraud propels demand for forensics training
In the 'if you can't beat 'em, join 'em' stakes, computer-based crime is driving more and more IT professionals to study the skills and tools needed to unravel and reveal the inner workings of cyber fraudsters. The general upsurge in computer skills in the population is reflected equally amongst criminals and malcontents, and law enforcement agencies frequently confiscate computers to search for evidence of alleged misdeeds.
http://www.computerworld.com.au/index.php/id;263054876;fp;16;fpid;0

- - - - - - - - - -

Wireless leaders hook up to address security
Cisco and Intel announced a formal alliance at InfoSec Europe to promote better security for users of wireless networks. The trio are concerned that fears about security will harm the rollout of wide-scale wireless networks, and have produced advice sheets for businesses, homes and public Wi-Fi access points. "Wireless moves security beyond physical boundaries so organisations need to protect their complete working environment, especially as they collaborate more," said David Lacey, director of information security at Royal Mail, and working group leader of the Jericho Forum.
http://www.pcw.co.uk/news/1162761

- - - - - - - - - -

InfoSecurity show proves anything but
The InfoSecurity show may have ended, but exhibitors were left with red faces after two companies highlighted major security lapses among attendees. Kensington, manufacturers of laptop security devices, conducted regular sweeps of the hall and found that fewer than half of the computers on stands had any kind of physical lock to keep them from being stolen.
http://www.vnunet.com/news/1162794

- - - - - - - - - -

Backup tapes are backdoor for ID thieves
Large companies are reconsidering their security and backup policies after a handful of financial and information-technology companies have admitted that tapes holding unencrypted customer data have gone missing. Last week, trading firm Ameritrade acknowledged that the company that handles its backup data had lost a tape containing information on about 200,000 customers.
http://www.theregister.co.uk/2005/04/29/backup_tapes_are_backdoor_for_id_thieves/

- - - - - - - - - -

Citrix Program Agent Buffer Overflow Vulnerabilities
Two vulnerabilities were identified in Citrix Program Neighborhood Agent, which may be exploited by remote attackers to execute arbitrary commands. The first flaw is due to a stack overflow error in the client code responsible for handling the caching of information received from the server, which may be exploited via a malicious server to execute arbitrary code on the client host.
http://www.frsirt.com/english/advisories/2005/0390

MySQL MaxDB Webtool Remote Stack Overflow Vulnerabilities
Three vulnerabilities were identified in MySQL MaxDB, which may be exploited by remote attackers to execute arbitrary commands. The first flaw is due to a stack overflow error that occurs when processing specially crafted HTTP GET requests containing a percent sign (%) followed by a long string, which may be exploited by a remote attacker to execute arbitrary commands with SYSTEM privileges.
http://www.frsirt.com/english/advisories/2005/0389

eGroupWare SQL Injection and Cross Site Scripting Vulnerabilities
http://www.frsirt.com/english/advisories/2005/0387

MailEnable Enterprise/Professional Buffer Overflow Vulnerabilities
http://www.frsirt.com/english/advisories/2005/0383

HP Security Update Fixes Multiple Mozilla Vulnerabilities
http://www.frsirt.com/english/advisories/2005/0394

Sun Solaris Multiple libtiff Vulnerabilities
http://secunia.com/advisories/15113/

Oracle Products Contain Multiple Vulnerabilities
http://www.us-cert.gov/cas/techalerts/TA05-117A.html

- - - - - - - - - -

Criminal legal description of computer-facilitated crimes
Among the top-priority steps of state policy in the sphere of counteraction to computer crime is the appearance of the new Criminal Code dated September 1, 2001, with its new Section 16 of the Criminal Code of Ukraine, Crimes in the Sphere of Computers, Systems and Networks. Having recognized information as a subject of theft, assignment, extortion and other criminal acts, criminal law has confirmed the status of information as an object of property rights, which is coordinated with the substantive regulations of information legislation.
http://www.crime-research.org/articles/Golubev0305-2/

- - - - - - - - - -

Linux targeted with two-factor authentication
CryptoCard is offering authentication software for backend Linux servers. A Canada-based security company is looking to target the Linux community with a security product offering two-factor authentication. Two-factor authentication systems request something in a user's possession (a smart card, for example) and something they know (such as their PIN) before the user is allowed to access a system.
http://news.zdnet.co.uk/internet/security/0,39020375,39196891,00.htm

- - - - - - - - - -

Giants offer WLAN security tips
Concerns that the perceived security problems of wireless networks of all sizes could cause companies to delay deployment have prompted three industry giants - BT, Cisco and Intel - to issue Wireless Security Guidelines for organisations.
http://www.pcw.co.uk/news/1162771

- - - - - - - - - -

BAA prepares for RFID rollout
The airports operator is staying tight-lipped as to the nature of the project, but it admits to having high hopes for the impact of the tracking tech on its business. Airport operator BAA is experimenting with RFID, which it says could create a "step-change" in the way it does business.
http://news.zdnet.co.uk/communications/wireless/0,39020348,39196892,00.htm

- - - - - - - - - -

Combating Gadget Theft
As electronic products shrink in size, they grow in allure, not only to consumers but also to thieves. Lightweight and easy to conceal, hand-helds, laptops and music players are sleek, valuable and often carried around as casually as a set of keys.
http://www.nytimes.com/2005/04/28/technology/circuits/28theft.html

- - - - - - - - - -

DHS chief floats idea for collecting private citizens' information
Call it Total Information Awareness, homeland-style. Homeland Security Secretary Michael Chertoff this week floated an idea to start a nonprofit group that would collect information on private citizens, flag suspicious activity, and send names of suspicious people to his department. The idea, which Chertoff tossed out at an April 27 meeting with security-industry officials, is reminiscent of the Defense Department's now-dead Total Information Awareness program that sought to sift through heaps of foreign intelligence information to root out potential terrorist activity.
http://www.govexec.com/dailyfed/0405/042905nj1.htm

- - - - - - - - - -

Jailhouse Friends and Family Web
Keith Maydak's jail cells are roomier than most. Must be all that cyberspace. State and federal prisons don't let inmates use internet computers behind bars -- and the Allegheny County Jail doesn't either. Yet Maydak has answered a reporter's e-mails from the Pittsburgh jail, and later an Ohio lockup, while he awaits sentencing for violating probation on a 900-number phone scam that cost AT&T $550,000.
http://www.wired.com/news/culture/0,1284,67399,00.html

Inmates use intermediaries to escape to the Internet
http://www.usatoday.com/tech/news/2005-05-01-inmates-internet_x.htm

***********************************************************
Search the NewsBits.net Archive at:
http://www.newsbits.net/search.html
***********************************************************

The source material may be copyrighted and all rights are retained by the original author/publisher. The information is provided to you for non-profit research and educational purposes. Reproduction of this text is encouraged; however, copies may not be sold, and NewsBits (www.newsbits.net) should be cited as the source of the information.

Copyright 2000-2005, NewsBits.net, Campbell, CA.