GDT::Security::Watchdog::Archive::Year 2004

Security Watchdog

Santy Worm; Another IE Defect; Google Desktop Search
Google Used To Find Crackable Systems
Crackers used Google to find web servers running the phpBB "discussion forum software," and defects in phpBB's PHP code were then used to crack the vulnerable systems. The "worm" was given the name Santy. {eWeek.com:: Google Nukes Santy Worm, But Threat Remains }

Another Internet Explorer Defect
Just in time for the holidays came yet another security hole in the Internet Explorer browser. This defect could be exploited to "write an executable to a user's harddrive and run it, requiring nothing from the user except visiting a webpage." {SecLists.org:: Microsoft Internet Explorer Full Remote Compromise w/o User Intervention }

Google Desktop Search Contained a Security Defect
Google has a tool that allows users to use Google to search files stored on their computer (desktop search). Researchers at Rice University found a security defect in Google's code that results in the desktop search tool sending results from a local index to websites. Google promptly fixed the defect.

[31 December 2004, top]
12 Step Program for Cyber Security
The Cyber Security Industry Alliance has given the White House and Federal Agencies inputs as to how they can "improve cyber security and enable continued innovation on the Internet."
   + Dedicate an Assistant Secretary position in the Department of Homeland Security
   + Urge quick ratification of the Council of Europe's Convention on Cybercrime
   + Encourage information security governance in the private sector
   + Lead by example with federal procurement practices
   + Close the strategic gap between government and private sector information security efforts
   + Strengthen Information Sharing and Analysis Centers (ISACs)
   + Establish and test a survivable Emergency Coordination network
   + Direct a federal agency to track the costs associated with cyber attacks
   + Increase R and D funding for cyber security
   + Fund authorized responsibilities for NIST Computer Security Division and White House Office of Management and Budget
   + Strengthen the federal security certification process to improve the quality of security in software
   + Direct a task force to develop concrete actions that will secure digital control systems used by utilities

{Biz.Yahoo.com:: 12 Steps to Improve Cyber Security }

[17 December 2004, top]
Beware of the 60 Second Patch
A former co-worker of mine was once quoted telling management... "if you want it bad, you'll get it bad." [in this case bad implies fast]
   "So we had a fix in less than 24 hours, and the exploit 
    wasn't that bad to begin with.  Let's compare this to 
    Microsoft's handling of a recent Internet Explorer exploit 
    that was taken advantage of by the Scob trojan."

   "One day for the community to discover, discuss, and 
    patch a Windows security flaw through Mozilla, one week for 
    Microsoft to incorrectly patch a serious IE exploit. 
    Now tell me, Mr. Ballmer, Mr. Gates: Which is the better 
    development model?"

Getting patches out fast is important; however, if a patch is published in a short period of time, then how do we know that patch was subjected to the proper testing and QA procedures?

It should also be noted that as systems become more complex, the rate at which patches are completed will probably slow. FLOSS users should not assume that all patches will be made available in a timely fashion.

{NewsForge.com:: Commentary: Patched in 60 Seconds } [10 December 2004, top]
ObscenityCrimes.org; Student Data; Biometric Growth
Reporting Obscene Stuff
Numerous watchdog groups exist that patrol the Internet for obscene stuff. If obscene stuff is found, then a report can be filed with ObscenityCrimes.org (Morality in Media).

Collecting College Student Data
The federal government wants to establish a database to keep track of college students. They make the following claim.

   "The Department of Education says students' privacy 
    would not be violated because the department would 
    not share the information with anyone else, including 
    law enforcement."
{Boston.com:: U.S. Eyes Collection of College-Student Data }

Biometric Usage Continues to Grow
Facial recognition systems are becoming increasingly effective; therefore, they are becoming increasingly employed around the world.

[03 December 2004, top]
Securing Our Identities is Hard
Identity theft remains a "hot" topic and it will stay "hot" for some time to come. Identity theft can be accomplished without exploiting computers; however, Internet-connected computers make identity theft easier. This ease of use increases the number of people who can develop the skills to be identity thieves. {GDT::Security::Bit:: Securing Our Identities is Hard} [26 November 2004, top]
Penn State Says "Take Control: Secure Your Computer"
Penn State University has established a website to help computer users use their computers securely. The website focuses on five topics: firewalls, anti-virus software, security updates, spyware protection and secure passwords. With respect to passwords, PSU tells computer users the following:
   "A common method by which intruders break into computer 
    systems is through Administrator accounts that have no 
    passwords. Similarly, malicious individuals often enter 
    systems by 'cracking' a poor user password, logging in, 
    and exploiting your information and computer access."

PSU.edu:: Take Control: Secure Your Computer

[Extra::Hollywood's One Strike Policy]

   "We need to nip this thing in the bud," John Malcolm, 
    director of the Motion Picture Association of America's 
    worldwide anti-piracy operations, told The San Francisco 
    Chronicle. "One copy, he added, 'could easily become tens 
    of thousands of copies available around the world. We do 
    not believe that any amount of illegal use is sanctioned.'" 

MPAA.org:: Press Releases

[19 November 2004, top]
UofTexas Ex-Student Cracks To Teach School a Lesson
The student's lawyer is quoted saying, "He didn't use any hacking tools. The system was open. There weren't any signs saying, 'Don't go in.'" {News.Yahoo.com:: Ex-Student Charged With Breaking Into University Computers } [12 November 2004, top]
Students Crack Oxford's Computer System
Oxford University suspended two students who cracked into the university's computer using a program they obtained from the Internet. The students wrote about their crack adventure in the student newspaper to help the school learn that their computer systems were not secure. One of the students is quoted saying, "We were simply trying to expose the security failings in Oxford's IT network." {BBC.co.uk:: Oxford pair suspended for hacking } [05 November 2004, top]
AOL and NCSA Conduct an Online Safety Study
AOL (America Online) and the National Cyber Security Alliance (NCSA) conducted a study that claims "80 percent of home computers are currently infected with spyware and that 90 percent of users with infected machines were completely unaware of the infection." {StaySafeOnline.info:: AOL/NCSA Online Safety Study [dot-pdf]} [29 October 2004, top]
UC-Berkeley Computer System Cracked
The University of California, Berkeley, has confirmed that its computer system was cracked and that researcher-collected data had been "accessed." The data included names and social security numbers of about 600,000 California residents who receive in-home health care. The school reported "campus networking officials believe the security breach was related to linking a non-UC Berkeley computer and non-UC Berkeley server to the campus network system without taking proper precautions against intrusion." {Berkeley.edu:: Unauthorized Access to UC Berkeley Computer Raises Serious Concerns } [22 October 2004, top]
NSF Grants Monies From Its Cyber Trust Program
The National Science Foundation (NSF) has announced two cybersecurity centers to study Internet Epidemiology and "Ecology." The research centers will focus on eliminating "plagues of Internet worms and viruses" and on building better security defenses through a deeper understanding of Internet "ecology."

The STIM Center will "pursue fundamental understanding of the networks of interactions among humans, computers, and even cyberattacks" using "Security Through Interaction Modeling."

The Center for Internet Epidemiology and Defenses will be "dedicated to wiping out those plagues of the Internet, worms and viruses that infect thousands upon thousands of computers and cause billions of dollars in down time, network congestion and potentially lost data."

{NSF.gov:: NSF Announces Two Cybersecurity Centers to Study Internet Epidemiology and "Ecology"}

[Extra] CNET News.com:: Hollywood Takes P2P Case to Supreme Court

[15 October 2004, top]
RIAA Files 762 More Lawsuits; IBM Does Biometrics
The Recording Industry Association of America (RIAA) has filed another 762 lawsuits against file traders. The lawsuits include 32 students and 26 academic institutions on "whose networks the alleged copyright infringement is said to have taken place." The RIAA reports that more than 1,000 of those charged so far have settled with the group, at an average of $3,000 per settlement. {RIAA.com:: RIAA Brings Lawsuits Against 762 Illegal File Sharers}

[Extra] IBM is adding a fingerprint reader to its ThinkPad laptop computers. {News.Yahoo.com:: IBM Adds Biometrics to ThinkPads }

[08 October 2004, top]
Phishing At FDIC.gov; CyberTrust Inc.; Password Problems
FDIC.gov Website Hit By Phishers
A recent headline indicated that phishing has cost consumers an estimated $500 million. How much will it cost when it really becomes popular? {FDIC.gov:: FDIC Consumer Alerts - Phishing Scam }

New Security Company: CyberTrust
Two security firms, TruSecure and Betrusted, have merged into a single company named Cybertrust. {Cybertrust.com:: Homepage}

Passwords Are Important
Computer security takes on many forms. Many computer users have not learned how to select good passwords. [A good password is one that is difficult to crack, yet easy to remember.] The following story from Yahoo.com tells us that companies have to do more to increase the computer literacy of their employees. If they did so, then this would also help employees secure their home computers. {News.Yahoo.com:: Passwords Fail To Defend Enterprises }

[01 October 2004, top]
Computer Gurus Say No E-Voting in 2004
Although our leading computing gurus say e-voting is not ready for today's elections, politicians ignore their wisdom. Two e-voting stories follow.

California Suing Maker of E-Voting Systems
California and the state's Alameda County have joined a "computer programmer and voting rights advocate" in a lawsuit against e-voting system maker Diebold Inc. The lawsuit claims that "problems with Diebold's products caused more than half of the polling places in San Diego County to open late for the state's March primary, and at least 6,000 voters in Alameda county had to use paper ballots instead of Diebold's electronic voting machines." {SiliconValley.com:: California AG joins lawsuit suit against voting companies [08 September 2004]}

Black Box Voting Says No To 2004 E-Voting
On 21 September 2004, Black Box Voting posted a news release that stated the following.

   "A panel of top experts on election technology and administration 
    warned Tuesday that the American system of voting is broadly 
    vulnerable to error and abuse, and called for a crash-course 
    of study and reform to make results more reliable and to promote 
    better access by voters, especially those who have historically 
    encountered serious impediments to exercising their right to vote."

BlackBoxVoting.com:: Ballot Tampering in the 21st Century

[24 September 2004, top]
Microsoft JPEG Processing Contains a Buffer Overflow
Microsoft announced its operating system contains yet another buffer overflow that results in a "critical" security defect. This time Microsoft's sloppy code overflows a buffer while processing dot-jpg files. The company said the defect could be used by crackers to "install viruses on or take complete control over XP machines whose users visit a Web site that has been seeded with a specially crafted image." In addition, Microsoft reported that the defect could be used by crackers to "embed infected images in e-mail which could drop their viral payload on vulnerable machines after the recipient merely opens the infected message."

Dangerous email is email that can crack your computer when you simply open the message, without clicking a single attachment. The CERT advises users to "view email messages in plain text."

US-CERT.gov:: Vulnerability in Microsoft Image Processing Component
IT.Slashdot.org:: Flaw in Microsoft JPEG Parsing

[Extra] Because computer security continues to get worse, Ray has become watchdog #3.

[17 September 2004, top]
Spinning Cube of Potential Doom
The Spinning Cube of Potential Doom is an animated visual display of network traffic collected through the Bro Intrusion Detection System. Bro was developed at Lawrence Berkeley National Laboratory and the International Computer Science Institute's Center for Internet Research in Berkeley, CA. "It monitors network links, searching for traffic that potentially violates a site's access and usage policies."
   "The field of computer security has been likened to an arms race, 
    with each side developing new defenses as quickly as the other 
    develops new attacks. Computer users need to be computer-security 
    aware all the time, not just during media-grabbing attacks. Hopefully, 
    the Cube will help teach the unwary and the clueless, as well as the 
    experts, that the Internet has become a hostile place indeed."
{ACMQueue.com:: The Spinning Cube of Potential Doom}

[Extra] The WinZip program is a popular compression utility for Windows. The company has announced that it has found and fixed "buffer overflow" defects in the WinZip source code. {WinZip.com:: WinZip 9.0 Service Release 1 (SR-1)}

[Extra] Computers connected to the Internet can be attacked by crackers regardless of where they are physically located. {SecurityFocus.com:: South Pole 'cyberterrorist' hack wasn't the first} [10 September 2004, top]

Scottsdale Company Creates Bio-Pen; Spam Text Messages
Scottsdale-based DynaSig Corporation has created a pen that authenticates a signature based upon the "act" of creating the signature rather than its easy-to-forge "image." Bio-Pen identifies a person by assuming every person has a unique way of writing. The Bio-Pen is an example of a "behavioral" biometric versus a "physical" biometric such as fingerprints. {Bio-Pen.com:: Secure Biometric Identification} [I tried the Bio-Pen at the Insight Arizona Technology Expo on 18 August 2004. On 31 August 2004, the Business section of the East Valley Tribune had an article about DynaSig and their Bio-Pen.]

[Extra] Spam takes on many forms and it isn't isolated to email.

   "A judge granted Verizon Wireless a permanent injunction 
    against a Rhode Island man accused of sending millions 
    of unsolicited text-message advertisements to cell phone 
    customers in four states."
USAToday.com:: R.I. Man Barred From Sending Spam Text Messages

[03 September 2004, top]
Operation Slam Spam; South Pole Computers Cracked
The U.S. Justice Department announced "a series of arrests against junk e-mailers and online scammers." The arrests are being executed as a result of an investigation called Operation Slam Spam. {USAToday.com:: Feds Make Move To Throw Spammers In Slammer}

[Extra] Almost any computer -- once connected to the Internet -- can be cracked. The geographical location of the computer doesn't matter as evidenced by a crack that occurred on computers located in the South Pole. {SecurityFocus.com:: South Pole 'cyberterrorist' Hack Wasn't the First} [Side-bar: I'd like to see SecurityFocus.com use the term 'crack' instead of 'hack.']

[27 August 2004, top]
About GDT::Blog::Security Watchdog
GDT::Blog::Security Watchdog was started on 10 March 2000 as a component of a Learning About Computer Security resource. As of Wednesday, 18 August 2004, the Security Watchdog contained 212 postings. Any news that is related to computer security can end up being posted to the Security Watchdog. This blog is updated every Friday and it is archived on a yearly basis. {GDT::Resource::Security:: Learning About Computer Security} [20 August 2004, top]
libpng Overflow Defects; Passport Mug Shots
PNG (Portable Network Graphics) is a bit-mapped graphics format similar to GIF. PNG is supported by the W3C (World Wide Web Consortium) to become the graphics format on the WWW because it is completely patent- and license-free. It appears as though some of the software that has been developed to process PNG files has overflow defects. The CERT/CC has issued an advisory in which numerous buffer and integer overflows are documented. {US-CERT.gov:: Multiple Vulnerabilities in libpng}

[Item::Don't Smile On Passports] The U.K. Home Office ruled that all new passport photos must show an unsmiling face with closed mouth because open mouths can confuse facial recognition systems. The new guidelines require good contrast between the face and background; the full face looking straight at the camera; no shadows; and a neutral facial expression. The rules will apply immediately to new and replacement passports. {TheRegister.co.uk:: U.K. Prohibits Smiling Faces On Passports}

[13 August 2004, top]
Crackers Use Bin Laden and Schwarzenegger to Crack Computers
Computer crackers are cracking computers by sending email messages to computer users telling them that they have pictures of terrorist Osama Bin Laden killing himself. The crackers then morphed the crack by sending email messages that claimed to contain pictures of California governor Arnold Schwarzenegger hanging dead from a tree.

Sophos.com:: Hackers Disguise Trojan Horse as Osama Bin Laden Suicide Photographs
Sophos.com:: Arnie Terminated? Sick Schwarzenegger Suicide Note Leads to Trojan

[30 July 2004, top]
Chips Implanted In Some Mexican Officials
At least 160 people who work for Mexico's attorney general have had microchips implanted in them. These chips will be used to gain access to secure areas of their headquarters. {Biz.Yahoo.com:: Chip Implanted in Mexico Judicial Workers} [23 July 2004, top]
Two Acts In the News: Patriot and Id Theft
[Item::USA Patriot Act Remains Intact]
The U.S. House of Representatives voted to maintain the USA Patriot Act. An attempt was made by some politicians to reduce the government's ability to use the Patriot Act to investigate our reading preferences by tracking our activities at libraries and bookstores. {Wired.com:: Patriot Act Wins House Vote}

[Item::Bush Creates Law To Help Fight Identity Theft]
U.S. President George W. Bush signed the Identity Theft Penalty Enhancement Act into law. During late 2003, he signed the Fair and Accurate Credit Transactions Act. Maybe some phishers will end up going to jail thanks to these laws. {Whitehouse.gov:: President Bush Signs Identity Theft Legislation}

[16 July 2004, top]
Court Threatens Privacy of E-mail Communication
The Wiretap Act appears as if it may not bode well for email privacy. The following was copied from Privacy.org having the title "Court Threatens Privacy of E-mail Communication."
"A federal appeals court panel has ruled that e-mail providers may make copies of messages intended for their subscribers. This decision could extend e-mail monitoring by businesses and government. The 2-1 decision by the U.S. Court of Appeals for the 1st Circuit of Massachusetts presents a challenge to privacy advocates at a time when Google's G-Mail proposal is being debated."

The following comes from a Washington Post article.

"The court ruled that because e-mail is stored, even momentarily, in computers before it is routed to recipients, it is not subject to laws that apply to eavesdropping of telephone calls, which are continuously in transit. As a result, the majority said, companies or employers that own the computers are free to intercept messages before they are received by customers."
{Privacy.org:: Court Threatens Privacy of E-mail Communication} [09 July 2004, top]
EFF Fights the Induce Act; CERT Says IE is Crap

Politicians are thinking about passing a law that would "make it a crime to aid, abet, or induce copyright infringement." For example, the creator of a peer-to-peer program that supports some form of file transfer could be criminally charged because the content of the files being transferred could be copyrighted bits. The EFF (Electronic Frontier Foundation) provides a webpage for sending e-letters/e-faxes to politicians urging them to fight the Inducing Infringement of Copyrights Act.

For some reason the EFF's website is not using HTTPS. If this bothers you, then you can send a copy of their letter (or your own) to Arizona Senators...

	Senator Jon Kyl
	730 Hart Senate Office Building
	Washington, DC 20510

	Senator John McCain
	241 Russell Senate Office Building
	Washington, DC 20510-0303

EFF lawyers have come up with a fake complaint against Apple, Toshiba, and C-Net for Inducing Infringement of Copyrights.

[Extra] The Computer Emergency Response Team (CERT) has issued a 'Vulnerability Note' against Microsoft's Internet Explorer (IE) browser program. They offer a variety of ways to avoid the IE defects, and one of their suggestions is to use a different web browser. {CERT.org:: Microsoft Internet Explorer Does Not Properly Validate Source of Redirected Frame}

[02 July 2004, top]
Passenger Profiling; Spyware; RIAA Lawsuits
[Item::Airlines Lied About Sharing Passenger Data]
The following was copied from the Electronic Privacy Information Center (EPIC).
"It has been reported that Delta, Continental, America West, JetBlue and Frontier Airlines disclosed passenger records to the agency's contractors in 2002 to test CAPPS II. The admission follows repeated denials to the public, Congress, General Accounting Office and Department of Homeland Security Privacy Office that the agency had acquired or used real passenger data to test the controversial passenger profiling system. Stone further disclosed that two of the world's largest airline reservation centers, Galileo International and Sabre, also provided passenger information to the agency."
{EPIC.org:: Passenger Profiling}

[Item::Government Wants to Govern Spyware Usage]
The U.S. House of Representatives approved a bill banning unsolicited downloads of spyware. Spyware is software that is installed onto computers to monitor their users' activities for marketing purposes. The Securely Protect Yourself Against Cyber Trespass Act requires spyware distributors to notify consumers before their software installs itself. {LOC.gov:: Bill Summary & Status}

[Item::RIAA Continues Suing Music Downloaders]
The Record Industry Association of America (RIAA) continues to sue Americans for illegally downloading copyrighted materials via the Internet. According to a Wired.com article, the industry has "sued 3,429 people since launching its lawsuit campaign last September." {Wired.com::Business:: RIAA at It Again: 482 More Sued }

[25 June 2004, top]
TECF.org::Trusted Electronic Communications Forum
Reports indicate that the band Phish is dis-banding in the near future. Too bad for Phish fans. Computer phishing, however, remains a growth industry. The TECF has been formed to help battle the increasing phishing problem that criminals are using to steal people's identities. Here is a copy/paste from their homepage.
"The Trusted Electronic Communications Forum (TECF) is a global, cross-industry consortium of industry leaders focused on efforts to eliminate the phishing and spoofing attacks that lead to identity theft and brand distrust. The TECF is comprised of some of the most influential knowledge leaders in retail, telecommunications, financial services, banking and technology that have joined forces to eliminate the threat of phishing to e-mail and e-commerce."
{TECF.org:: Trusted Electronic Communications Forum } [18 June 2004, top]
Buffer Overflow Defect Found in Subversion
Subversion is a concurrent version control system that is destined to replace CVS. It is amazing to see that they are already uncovering buffer overflow defects. {SecurityFocus.com:: Subversion Date Parsing Function Buffer Overflow Vulnerability} [11 June 2004, top]
Cyberattackers Like Banks and Insurance Companies
The CNET News story starts with the following sentence.
   "More than 80 percent of global financial institutions 
    have had their systems compromised during the past year, 
    according to a survey."
Yuck. Banks and insurance firms collect and store lots of personal information. In addition, they purposely give some of the information away to others.

I have always thought that financial software systems are some of the toughest systems to do correctly.

{ZDNet.co.uk:: Banks and Insurance Firms Facing Flood of Cyberattacks } [28 May 2004, top]
Yahoo DomainKeys May Help Reduce Spam
Yahoo! is an active soldier in the war against email spam. Yahoo has proposed the use of "DomainKeys," in which each outgoing email message carries an encrypted digital signature that is matched against a signature held on the server computer that sent the message. Internet providers check the signatures on incoming messages and block those that do not match up. On 14 February 2004, Sendmail, Inc. -- a leading MTA (Mail Transfer Agent) -- announced support for Yahoo's DomainKeys. {AntiSpam.Yahoo.com:: DomainKeys: Proving and Protecting Email Sender Identity } [21 May 2004, top]
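As an added illustration that is not part of the original post, the Go program below walks through the DomainKeys idea end to end: the sending domain publishes a public key in DNS (a map stands in for the TXT record lookup), the outbound server signs the From header, Subject and body, and the inbound server fetches the key and rejects any message whose signature fails or whose signing domain does not match the From address. Ed25519 is used here as a stand-in for the RSA keys DomainKeys actually specified; the selector, domain and message are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// DNSTXT stands in for DNS: record name -> TXT record value. Real DomainKeys
// publishes the key in a TXT record named <selector>._domainkey.<domain>;
// this in-memory map plays that role (assumption for the example).
type DNSTXT map[string]string

func recordName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// canonicalize fixes the exact bytes that get signed: From, Subject and the
// body with line endings normalised and trailing whitespace removed, so a
// benign relay rewrite does not break the signature but a content change does.
func canonicalize(from, subject, body string) []byte {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return []byte("from:" + strings.TrimSpace(from) + "\n" +
		"subject:" + strings.TrimSpace(subject) + "\n" +
		strings.TrimRight(strings.Join(lines, "\n"), "\n") + "\n")
}

// NewKeyPair generates the sending domain's key pair and the TXT record
// value the domain owner publishes so receivers can find the public key.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv, "k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
}

// Sign is the outbound MTA step: it returns the value of the signature
// header that is added to the message before it leaves the domain.
func Sign(priv ed25519.PrivateKey, selector, domain, from, subject, body string) string {
	sig := ed25519.Sign(priv, canonicalize(from, subject, body))
	return fmt.Sprintf("a=ed25519; s=%s; d=%s; b=%s",
		selector, domain, base64.StdEncoding.EncodeToString(sig))
}

// parseTags turns "a=..; s=..; d=..; b=.." into a map (split on the first
// '=' only, because base64 values may end in '=' padding).
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// fromDomain pulls the domain out of "Name <user@domain>" or "user@domain".
func fromDomain(from string) string {
	addr := from
	if i := strings.LastIndex(from, "<"); i >= 0 {
		addr = strings.TrimSuffix(from[i+1:], ">")
	}
	_, domain, _ := strings.Cut(addr, "@")
	return strings.ToLower(strings.TrimSpace(domain))
}

// Verify is the inbound MTA step. A message passes only if the signing
// domain (d=) is the domain claimed in From, the key is published in DNS,
// and the signature verifies over the canonical bytes.
func Verify(dns DNSTXT, sigHeader, from, subject, body string) bool {
	tags := parseTags(sigHeader)
	if tags["a"] != "ed25519" || tags["d"] == "" || tags["s"] == "" {
		return false
	}
	if strings.ToLower(tags["d"]) != fromDomain(from) {
		return false // signed by some domain other than the one From claims
	}
	record, ok := dns[recordName(tags["s"], tags["d"])]
	if !ok {
		return false // no published key: the signature cannot be trusted
	}
	pub, err := base64.StdEncoding.DecodeString(parseTags(record)["p"])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), canonicalize(from, subject, body), sig)
}

func main() {
	_, priv, txt := NewKeyPair()
	dns := DNSTXT{recordName("mail2004", "example.com"): txt}
	from, subject, body := "Alice <alice@example.com>", "hello", "Meet at noon.\r\n"
	hdr := Sign(priv, "mail2004", "example.com", from, subject, body)
	fmt.Println("genuine:", Verify(dns, hdr, from, subject, body))
	fmt.Println("tampered:", Verify(dns, hdr, from, subject, "Meet at one.\r\n"))
}
```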
Open Source Vulnerability Database
OSVDB is an "independent and open source database created by and for the community." The goal of the OSVDB is to "provide accurate, detailed, current, and unbiased technical information." Public access to the OSVDB started on 31 March 2004. A visit to the OSVDB makes one wonder why we ever touch a keyboard or click a computer mouse. {OSVDB.org:: Open Source Vulnerability Database} [14 May 2004, top]
California Learns Electronic Voting Doesn't Work
The term e-chad has not made it into the media for the masses; however, the politicians in the state of California are learning that e-voting is not ready for prime time usage. The state of California has decertified evoting systems across the state and they are seeking a criminal investigation against evoting machine maker Diebold Inc. California says Diebold practiced "deceitful conduct" with respect to telling them their systems were secure. Diebold may be guilty of taking California's money using false advertising, but the computing gurus in California (and nationwide) told them evoting was not ready for real elections, yet they did it anyway. If I were the judge I'd tell California to 'live and learn' and to listen to the real computing gurus. {FCW.com:: California Nixes eVoting} [07 May 2004, top]
West Point Preparing eSoldiers For Cyberwarfare
I have written about being "drafted" to become an esoldier. I wouldn't be a general, but I could probably make an okay sergeant. It appears as though the West Point Military Academy is looking for a few good hackers to help defend our computer systems against the crackers of this world. {News.com.com:: Cadets Learn the Art of Cyberwarfare} {ITOC.USMA.edu:: IWAR} [30 April 2004, top]
Defect Found in TCP Design
TCP is the Transmission Control Protocol. Lots of data (but not all) gets transmitted around the Internet using TCP; consequently, it is not good when problems are found in the protocol itself. A defect has been found in TCP that is independent of any particular piece of software or hardware. {US-CERT.gov:: Vulnerabilities in TCP} [23 April 2004, top]
Crackers Cracking Dot-Edu Unix-Like Systems
The Information Technology Systems and Services (ITSS) group at Stanford University issued an advisory indicating that it -- along with a large number of research institutions -- has become a target for some "sophisticated Linux and Solaris attacks." Some of the attacks (i.e. cracks) have been enabled by using a program called John the Ripper to crack user account passwords. {SecureComputing.Stanford.edu:: Multiple UNIX Compromises on Campus } [16 April 2004, top]
Rules of Engagement for Information Warfare
How do wars start? You hit me; I hit you; and we have a war. This is okay if you and I are in a room by ourselves, but it becomes a problem when Internet resources are used to deliver payloads. Here is a yucky quote: "Rules of engagement for information warfare." I doubt anybody is going to be interested in a collection of rules when it comes to cyberwarfare. {ZDNet.co.uk:: Symbiot launches DDoS counter-strike tool } [09 April 2004, top]
PDEA: Piracy Deterrence and Education Act
On 31 March 2004, Declan McCullagh wrote the following.

"A House of Representatives panel has approved a sweeping new copyright bill that would boost penalties for peer-to-peer piracy and increase federal police powers against Internet copyright infringement."

"The House Judiciary intellectual property subcommittee voted for the "Piracy Deterrence and Education Act" (PDEA) late Wednesday, overruling objections from a minority of members that it would unreasonably expand the FBI's powers to demand private information from Internet service providers."

I like how politicians put the word Education into the name of their bill. Just like tuition rates, the cost of Education keeps going up and up and up because they will teach us about copyrights by suing us into poverty. Plus, they are wrong to place the word Piracy into the bill's title. Illegal downloading of copyrighted material does not make somebody a pirate unless they do it from a boat on the high seas.

{News.com.com:: House Panel Approves Copyright Bill} [02 April 2004, top]
RIAA Files More Lawsuits; DDoS Attack on RIAA.com
The RIAA (Recording Industry Association of America) has filed more lawsuits against people who have downloaded music. The RIAA has gone after 532 people, "including 89 individuals who were using university networks to illegally distribute copyrighted sound recordings on peer-to-peer services." The RIAA filed lawsuits against 443 people using commercial ISPs. {RIAA.com:: RIAA Brings New Round of Cases Against Illegal File Sharers}

[Extra] Netcraft.com reported that the RIAA website was hit by a DDoS (distributed denial-of-service) attack and was down for five days. {Netcraft.com:: RIAA Site Targeted by Worms }

[26 March 2004, top]
Orange County eVoting; CSIA; FBI DNA Database
[Item::eVoting in Orange County Potentially Defective]
Is this a potential echad story?
	"Poll workers struggling with a new electronic voting 
	 system in last week's election gave thousands of 
	 Orange County voters the wrong ballots, according 
	 to a Times analysis of election records. In 21 
	 precincts where the problem was most acute, there 
	 were more ballots cast than registered voters."
{Slashdot.org:: More E-Ballots Cast Than Voters}

[Item::Cyber Security Industry Alliance Formed]
The Cyber Security Industry Alliance (CSIA) has been formed to help move us into a secure computing world. The eleven founding members include Computer Associates, Internet Security Systems (ISSX), Network Associates, and Symantec. {CSIAlliance.org}

[Item::FBI Happy With Their DNA Database]
There was a story about it on My.Yahoo.com and then I read about it in the Arizona Republic. {FBI.gov:: DNA Database Helps Deliver Promise of Powerful Crime-Fighting Tool}

[12 March 2004, top]
Electronic Voting is Happening -- Ready or Not
More and more areas are starting to use electronic voting systems. Many computing gurus, however, think evoting may result in electronic chads (echads).

Avi Rubin -- a Computer Science Professor from Johns Hopkins University who has been critical of evoting systems -- played the role of an election judge on Tuesday, 02 March 2004. {AviRubin.com:: My Day as an Election Judge}

Here is a quote from near the end of Rubin's report.

"I continue to believe that the Diebold voting machines represent a huge threat to our democracy. I fundamentally believe that we have thrown our trust in the outcome of our elections in the hands of a handful of companies (Diebold, Sequoia, ES&S) who are in a position to control the final outcomes of our elections. I also believe that the outcomes can be changed without any knowledge by election judges or anyone else. Furthermore, meaningful recounts are impossible with these machines."

Here is a potential contest: Predict when and where the first case of echads is experienced.

[05 March 2004, top]
Slashdot Reports On an ATM Card Skimmer
Computer security takes on many forms. Software is a major problem area, but hardware is bad too. Dr. Drexler tells us that this era of insecure computing will pass. For this I am grateful. It would be a pleasure to delete this Security Watchdog. [I quote Neil Young -- "fighting for the freedom of silence."]

Slashdot.org:: Visual Autopsy of an ATM Card Skimmer

[27 February 2004, top]

Is Friendster a Fiendster?; RIAA Sues More Computer Users
[Item::Can Friendster Be a Fiendster?] When it comes to privacy issues, social networking websites such as Friendster.com can be problematic for their members. Frank Baranak of CBS.MarketWatch.com posted the following to his mailing list.
"If you have signed up with Friendster or Plaxo, your privacy is at risk, according to Roger Clarke, a security expert at the Australian National University. He called the 'harvesting' of members' address books, part of the network set-up process, disturbing. 'Every IP address, every e-mail, and every social-network relationship that arises appears to be entirely free of any express contractual constraints,' he told the Register. Social network sites like Friendster.com and Tribe.net present serious opportunities for ruthless marketroids and stalkers, Clarke added."

[Item::RIAA Sues More John/Jane Does] The RIAA (Recording Industry Association of America) continues to pursue computer users who have been sharing copyrighted materials. EFF.org:: Record Industry Targets 531 More Filesharers

[20 February 2004, top]
Here a Crack, There a Crack, Everywhere a Crack
When asked about computer security I say two things: (1) Microsoft's "just good enough software" is just bad enough software when connected to the Internet; and (2) FLOSS (Free/Libre and Open Source Software) offers us a chance at a semi-secure computing world. The following hyperlinks are to the NewsFactor.com website.

[13 February 2004, top]
FOIS Act; MyDoom Dooms SCO's Website
[Item::The FOIS Act] The Fraudulent Online Identity Sanctions Act would increase prison sentences for those found guilty of "committing fraud through a Web site registered under a false name or contact information." In other words, if you register a website, then be careful when specifying "owner" information. {WashingtonPost.com:: Congress Eyes Internet Fraud Crackdown} {Gandi.net:: whois AzLitter.org}

[Item::MyDoom an Example of Cracks to Come] The MyDoom virus successfully brought down the SCO website forcing them to establish a new domain name. Here are some MyDoom related quotes.

   "In building an army of zombie PCs over a six-day span, 
    the MyDoom outbreak underscores a new digital security 
    threat for corporations, governments and news operations."

   "Security officials and law enforcement experts believe 
    such viruses will only become more sophisticated and 
    could be used to silence entities for a commercial or 
    ideological stance."

   "This is an effective weapon to censor your critics."
{Yahoo.com:: MyDoom Internet Worm}

[06 February 2004, top]
Arizona #1 in IT; Yet-Another-Email-Worm
Identity Theft (IT) is going to get worse before it gets better. The Arizona Republic reports that Arizona is number one in IT. Too bad it is the wrong IT. The IT that stands for Information Technology enables the other form of IT.

Defining IT today just keeps getting more and more complicated.

The Arizona Republic recommends to readers that we "open a post office, and consider using this as your address on your driver's license and for other purposes."

The Federal Trade Commission (FTC) reported the following.

   "The FTC received more than half a million complaints 
    in 2003, up from 404,000 in 2002, and Internet-related 
    complaints accounted for 55 percent of all fraud reports, 
    up from 45 percent in 2002."
FTC.gov:: Top 10 Consumer Complaint Categories in 2003

[Extra] Yet another email-based computer worm has hit the Internet. The worm goes by the names Mydoom or Novarg. Users of Microsoft Windows need to have pristine computing practices; in other words, don't click on attachments unless you know they come from a trusted source. {CERT.org:: W32/Novarg.A Virus} {SecurityFocus.com:: Latest e-mail worm spreading fast}

This virus is planning on attacking the websites for both SCO (on Sunday) and Microsoft (on Tuesday).

[Extra] SCO has offered a $250,000 reward for information leading to the capture and conviction of the criminal(s) responsible for the W32/Novarg.A/Mydoom worm/virus. Yahoo.com:: SCO Posts Bounty for MyDoom Creator

[30 January 2004, top]
Cracker Ordered to Live With Parents
This is an old item from 23 September 2003 that never got posted. It has to do with an adult who cracked the New York Times computer systems and got caught. The cracker has had his day in court and he pleaded guilty.

SecurityFocus.com:: Lamo Pleads Guilty to Times Hack Crack [08 January 2004]

Original Item from September, 2003

Wired.com:: Hacker Cracker Must Live With Parents

   "A 22-year-old California man charged with hacking into the 
    New York Times computer network was allowed to remain free 
    on bail terms requiring him to live with his parents and restricting 
    his computer use to such things as e-mail and job searches."

I'm definitely showing my age because I am at a loss as to what age defines adulthood. If this guy was 12, then I could see him being forced to live with his parents, but I consider a 22-year-old to be an adult.

How are this guy's computing habits going to be monitored?

According to an FBI agent's statement included in the complaint, Lamo had admitted on a website, SecurityFocus.com, that he had broken into the New York Times network and described in detail how he carried out the intrusion. If found guilty of being a cracker, then Lamo faces a maximum sentence of 15 years in prison and a $500,000 fine.

[23 January 2004, top]
Phishing Doesn't Necessarily Mean Listening to Phish
I thought Phish was a rock 'n' roll band and that phishing was going to a Phish concert, but in the Internet world phishing has taken on a new meaning.

Hackers like to use "ph" as a replacement for "f". Crackers (i.e. hackers who are criminals) go "fishing" for unsuspecting computer users by sending email messages and creating webpages that look like valid (and safe) information, hoping these users will provide personal data that in turn will enable the crackers to carry out their criminal acts. In a sense phishing can be thought of as evil spamming.

Anti-Phishing.org:: Stop Phishing and Email Scams

   "Phishing attacks involve the mass distribution of 
    'spoofed' e-mail messages with return addresses, 
    links, and branding which appear to come from banks, 
    insurance agencies, retailers or credit card companies. 
    These fraudulent messages are designed to fool the 
    recipients into divulging personal authentication 
    data such as account usernames and passwords, credit 
    card numbers, social security numbers, etc. Because 
    these emails look 'official', up to 20% of recipients 
    may respond to them, resulting in financial losses, 
    identity theft, and other fraudulent activity."

WordSpy.com phishing (FISH.ing) pp. Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data. {More...}
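The Anti-Phishing.org description above boils down to links and branding that claim one origin while pointing at another. That mismatch is something a mail filter can check mechanically. The following is an added example, not code from this page, from Anti-Phishing.org or from WordSpy: it parses a constructed sample message (every domain and the 203.0.113.7 address are made-up placeholders) and flags any link whose visible text shows one host while the href goes to a different one, as well as links that point at a bare IP address.

```python
"""Heuristic phishing indicators for an HTML e-mail (added example, constructed input)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The visible text of the first link names the
# "bank", but the href sends the reader to a bare IP address instead.
# All hosts are placeholders, not real sites.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank.test>
To: customer@example.test
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, please verify your account within 24 hours.</p>
<p><a href="http://203.0.113.7/login">https://www.example-bank.test/login</a></p>
<p><a href="https://www.example-bank.test/help">help center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased host part of a URL, or '' when the string has no host."""
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings for the links in an e-mail.

    Two heuristics are applied to each link:
      1. the visible text looks like a URL but names a different host than the href;
      2. the href host is a bare IPv4 address rather than a domain name.
    An empty list means neither indicator fired; it does not prove the mail is safe.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html_text = body.get_content() if body is not None else ""

    collector = LinkCollector()
    collector.feed(html_text)

    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        # Only compare hosts when the visible text is itself a URL.
        text_host = host_of(text) if "://" in text else ""
        if text_host and text_host != href_host:
            findings.append(
                f"link text shows {text_host} but href goes to {href_host or href!r}"
            )
        if href_host and href_host.replace(".", "").isdigit():
            findings.append(f"link points at a bare IP address: {href_host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
```

Both checks are deliberately conservative: a link whose visible text is plain words ("help center") is not compared, so ordinary newsletters do not trip the first rule, and the second rule only matches dotted-decimal hosts. Real filters layer many more signals (sender domain versus claimed brand, reputation data, message age) on top of this; the point here is that the "looks official but points elsewhere" property in the quote is observable in the message itself.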

[16 January 2004, top]
Welcome to Year 2004
Happy New Year! Welcome to 2004. The 2003 Security Watchdog has been archived.

[01 January 2004, top]


Author: Gerald D. Thurman [deru@deru.com]
Last Modified: Saturday, 05-Jan-2013 11:17:39 MST

Thanks for Visiting