Another Internet Explorer Defect
Just in time for the holidays was yet another security hole in the Internet Explorer browswer. This defect could be exploited to "write an executable to a user's harddrive and run it, requiring nothing from the user except visiting a webpage." {SecLists.org:: Microsoft Internet Explorer Full Remote Compromise w/o User Intervention }

Google Desktop Search Contained a Security Defect
Google has a tool that allows users to use Google to search files stored on their computer (desktop search). Researchers at Rice University found a security defect in Google's code that results in the desktop search tool sending results from a local index to websites. Google promptly fixed the defect.

   + Dedicate an Assistant Secretary position in the 
     Department of Homeland Security
   + Urge quick ratification of the Council of Europe's 
     Convention on Cybercrime
   + Encourage information security governance in the private sector
   + Lead by example with federal procurement practices
   + Close the strategic gap between government and private sector
     information security efforts
   + Strengthen Information Sharing and Analysis Centers (ISACs)
   + Establish and test a survivable Emergency Coordination network
   + Direct a federal agency to track the costs associated with 
     cyber attacks
   + Increase R and D funding for cyber security
   + Fund authorized responsibilities for NIST Computer Security Division
     and White House Office of Management and Budget
   + Strengthen the federal security certification process to improve the
     quality of security in software
   + Direct a task force to develop concrete actions that will secure
     digital control systems used by utilities

{Biz.Yahoo.com:: 12 Steps to Improve Cyber Security }

   "So we had a fix in less than 24 hours, and the exploit 
    wasn't that bad to begin with.  Let's compare this to 
    Microsoft's handling of a recent Internet Explorer exploit 
    that was taken advantage of by the Scob trojan."

   "One day for the community to discover, discuss, and 
    patch a Windows security flaw through Mozilla, one week for 
    Microsoft to incorrectly patch a serious IE exploit. 
    Now tell me, Mr. Ballmer, Mr. Gates: Which is the better 
    development model?"

Getting patches out fast is important; however, if a patch is published in a short period of time, then how do we know that patch was subjected to the proper testing and QA procedures?

It should also be noted that as systems become more complex, then the rate at which patches are completed will probably slow. FLOSS users should not think that all patches will be made available in a timely fashion.

Collecting College Student Data
The federal government wants to establish a database to keep track of college students. They make the following claim.

   "The Department of Education says students' privacy 
    would not be violated because the department would 
    not share the information with anyone else, including 
    law enforcement."

Biometric Usage Continues to Grow
Facial recognition systems are becoming increasingly effective; therefore, they are becoming increasingly employed around the world.

• BBC.co.uk:: How Your Face Could Open Doors
• Biz.Yahoo.com:: Face Recognition in Pakistan's Smart Machine Readable Passport and National ID Program

   "A common method by which intruders break into computer 
    systems is through Administrator accounts that have no 
    passwords. Similarly, malicious individuals often enter 
    systems by 'cracking' a poor user password, logging in, 
    and exploiting your information and computer access."

PSU.edu:: Take Control: Secure Your Computer

[Extra::Hollywood's One Strike Policy]

   "We need to nip this thing in the bud," John Malcolm, 
    director of the Motion Picture Association of America's 
    worldwide anti-piracy operations, told The San Francisco 
    Chronicle. "One copy, he added, 'could easily become tens 
    of thousands of copies available around the world. We do 
    not believe that any amount of illegal use is sanctioned.'" 

MPAA.org:: Press Releases

The STIM Center will "pursue fundamental understanding of the networks of interactions among humans, computers, and even cyberattacks" using "Security Through Interaction Modeling."

The Center for Internet Epidemiology and Defenses will be "dedicated to wiping out those plagues of the Internet, worms and viruses that infect thousands upon thousands of computers and cause billions of dollars in down time, network congestion and potentially lost data."

{NSF.gov:: NSF Announces Two Cybersecurity Centers to Study Internet Epidemiology and "Ecology"}

[Extra] CNET News.com:: Hollywood Takes P2P Case to Supreme Court

[Extra] IBM is adding a finger-print reader to their ThinkPad laptop computer. {News.Yahoo.com:: IBM Adds Biometrics to ThinkPads }

New SecurityCompany: CyberTrust
Two security firms, TruSecure and Betrusted, have merged into a single company named Cybertrust. {Cybertrust.com:: Homepage}

Passwords Are Important
Computer security takes on many forms. Many computer users have not learned how to select good passwords. [A good password is one that difficult to crack, yet easy to remember.] The following story from Yahoo.com tells us that companies have to do more to increase the computer literacy of their employees. If they did so, then this would also help employees secure their home computers. {News.Yahoo.com:: Passwords Fail To Defend Enterprises }

California Suing Maker of E-Voting Systems
California and the state's Alameda County have joined a "computer programmer and voting rights advocate" in a lawsuit against e-voting system maker Diebold Inc. The lawsuit claims that "problems with Diebold's products caused more than half of the polling places in San Diego County to open late for the state's March primary, and at least 6,000 voters in Alameda county had to use paper ballots instead of Diebold's electronic voting machines." {SiliconValley.com:: California AG joins lawsuit suit against voting companies [08 September 2004]}

Black Box Voting Says No To 2004 E-Voting
On 21 September 2004, Black Box Voting posted a news release that stated the following.

   "A panel of top experts on election technology and administration 
    warned Tuesday that the American system of voting is broadly 
    vulnerable to error and abuse, and called for a crash-course 
    of study and reform to make results more reliable and to promote 
    better access by voters, especially those who have historically 
    encountered serious impediments to exercising their right to vote."

BlackBoxVoting.com:: Ballot Tampering in the 21st Century

Dangerous email is email that can crack your computer simply by opening an email message without clicking a single attachment. The CERT advises users "View email messages in plain text."

US-CERT.gov:: Vulnerability in Microsoft Image Processing Component
IT.Slashdot.org:: Flaw in Microsoft JPEG Parsing

[Extra] Because computer security continues to get worse, Ray has become watchdog #3.

   "The field of computer security has been likened to an arms race, 
    with each side developing new defenses as quickly as the other 
    develops new attacks. Computer users need to be computer-security 
    aware all the time, not just during media-grabbing attacks. Hopefully, 
    the Cube will help teach the unwary and the clueless, as well as the 
    experts, that the Internet has become a hostile place indeed."

[Extra] The winzip program is a popular compression utility for Windows. The company has announced it has found "buffer overflow" and fixed defects in their winzip source code. {WinZip.com:: WinZip 9.0 Service Release 1 (SR-1)}

[Extra] Computers connected to the Internet can be attacked by crackers regardless of where they are physically located. {SecurityFocus.com:: South Pole 'cyberterrorist' hack wasn't the first} [10 September 2004, top]

[Extra] Spam takes on many forms and it isn't isolated to email.

   "A judge granted Verizon Wireless a permanent injunction 
    against a Rhode Island man accused of sending millions 
    of unsolicited text-message advertisements to cell phone 
    customers in four states."

[Extra] Almost any computer -- once connected to the Internet -- can be cracked. The geographical location of the computer doesn't matter as evidenced by a crack that occurred on computers located in the South Pole. {SecurityFocus.com:: South Pole 'cyberterrorist' Hack Wasn't the First} [Side-bar: I'd like to see SecurityFocus.com use the term 'crack' instead of 'hack.']

[Item::Don't Smile On Passports] The U.K. Home Office ruled that all new passport photos must show an unsmiling face with closed mouth because open mouths can confuse facial recognition systems. The new guidelines require good contrast between the face and background; the full face looking straight at the camera; no shadows; and a neutral facial expression. The rules will apply immediately to new and replacement passports. {TheRegister.co.uk:: U.K. Prohibits Smiling Faces On Passports}

+  Sophos.com:: Hackers Disguise Trojan Horse as Osama Bin Laden Suicide Photographs
+  Sophos.com:: Arnie Terminated? Sick Schwarzenegger Suicide Note Leads to Trojan

[Item::Bush Creates Law To Help Fight Identity Theft]
U.S. President George W. Bush signed the Identity Theft Penalty Enhancement Act into law. During late 2003, he did the Fair and Accurate Credit Transactions Act. Maybe some phishers will end up going to jail thanks to these laws. {Whitehouse.gov:: President Bush Signs Identity Theft Legislation}

"A federal appeals court panel has ruled that e-mail providers may make copies of messages intended for their subscribers. This decision could extend e-mail monitoring by businesses and government. The 2-1 decision by the U.S. Court of Appeals for the 1st Circuit of Massachusetts presents a challegnge to privacy advocates at a time when the Google's G-Mail proposal is being debated."

The following comes from a Washington Post article.

"The court ruled that because e-mail is stored, even momentarily, in computers before it is routed to recipients, it is not subject to laws that apply to eavesdropping of telephone calls, which are continuously in transit. As a result, the majority said, companies or employers that own the computers are free to intercept messages before they are received by customers."

Politicians are thinking about passing a law that would "make it a crime to aid, abet, or induce copyright infringement." For example, the creator of a peer-to-peer program that supports some form of file transfer could be criminally charged because the content of the files being transferred could be copyrighted bits. The EFF (Electronic Frontier Foundation) provides a webpage for sending e-letters/e-faxes to politicians urging them to fight the Inducing Infringement of Copyrights Act.

For some reason the EFF's website is not using HTTPS. If this bothers you, then you can send a copy of their letter (or your own) to Arizona Senators...

	Senator Jon Kyl
	730 Hart Senate Office Building
	Washington, DC 20510

	Senator John McCain
	241 Russell Senate Office Building
	Washington, DC 20510-0303

EFF lawyers have come up with a fake complaint against Apple, Toshiba, and C-Net for Inducing Infringement of Copyrights.

[Extra] The Computer Emergency Response Team (CERT) has issued a 'Vulnerability Note' against Microsoft's Internet Explorer (IE) browser program. They offer a variety of ways to avoid the IE defects and one of their suggestions is to use a different web browser. {CERT.org:: Microsoft Internet Explorer Does Not Properly Validate Source of Dedirected Frame}

"It has been reported that Delta, Continental, America West, JetBlue and Frontier Airlines disclosed passenger records to the agency's contractors in 2002 to test CAPPS II. The admission follows repeated denials to the public, Congress, General Accounting Office and Department of Homeland Security Privacy Office that the agency had acquired or used real passenger data to test the controversial passenger profiling system. Stone further disclosed that two of the world's largest airline reservation centers, Galileo International and Sabre, also provided passenger information to the agency."

[Item::Government Wants to Govern Spyware Usage]
U.S. House of Representatives approved a bill banning unsolicited downloads of spyware. Spyware is software that is installed onto computers to monitor their users' activities for marketing purposes. The Securely Protect Yourself Against Cyber Trespass Act requires spyware distributors to notify consumers before installing themselves. {LOC.gov:: Bill Summary & Status}

[Item::RIAA Continues Suing Music Downloaders]
The Record Industry Association of America (RIAA) continues to sue Americans for illegally downloading copyrighted materials via the Internet. According to a Wired.com article, the industry has "sued 3,429 people since launching its lawsuit campaign last September." {Wired.com::Business:: RIAA at It Again: 482 More Sued }

"The Trusted Electronic Communications Forum (TECF) is a global, cross-industry consortium of industry leaders focused on efforts to eliminate the phishing and spoofing attacks that lead to identity theft and brand distrust. The TECF is comprised of some of the most influential knowledge leaders in retail, telecommunications, financial services, banking and technology that have joined forces to eliminate the threat of phishing to e-mail and e-commerce."

   "More than 80 percent of global financial institutions 
    have had their systems compromised during the past year, 
    according to a survey."

I have always thought that financial software systems are some of the toughest systems to do correctly.

"A House of Representatives panel has approved a sweeping new copyright bill that would boost penalties for peer-to-peer piracy and increase federal police powers against Internet copyright infringement."

"The House Judiciary intellectual property subcommittee voted for the "Piracy Deterrence and Education Act" (PDEA) late Wednesday, overruling objections from a minority of members that it would unreasonably expand the FBI's powers to demand private information from Internet service providers."

I like how politicians put the word Education into the name of their bill. Just like tuition rates, the cost of Education keeps going up and up and up because they will teach us about copyrights by suing us into poverty. Plus, they are wrong to place the word Piracy into the bill's title. Illegal downloading of copyrighted material does make somebody a pirate unless they do it from a boat on the high seas.

[Extra] Netcraft.com reported that the RIAA website was hit by a DDoS (distributed denial-of-service) attack and was down for a five days. {Netcraft.com:: RIAA Site Targeted by Worms }

	"Poll workers struggling with a new electronic voting 
	 system in last week's election gave thousands of 
	 Orange County voters the wrong ballots, according 
	 to a Times analysis of election records. In 21 
	 precincts where the problem was most acute, there 
	 were more ballots cast than registered voters."

[Item::Cyber Security Industry Alliance Formed]
The Cyber Security Industry Alliance (CSIA) has been formed to help move us into a secure computing world. The eleven founding members include Computer Associates, Internet Security Systems (ISSX), Network Associates, and Symantec. { CSIAlliance.org}

[Item::FBI Happy With Their DNA Database]
There was a story about on My.Yahoo.com and then I read about in the Arizona Republic. {FBI.gov:: DNA Database Helps Deliver Promise of Powerful Crime-Fighting Tool}

Avi Rubin -- a Computer Science Professor from John Hopkins University who has been critical of evoting systems -- played the role of an election judge on Tuesday, 02 March 2004. {AviRubin.com:: My Day as an Election Judge}

Here is quote from near the end of Rubin's report.

"I continue to believe that the Diebold voting machines represent a huge threat to our democracy. I fundamentally believe that we have thrown our trust in the outcome of our elections in the hands of a handful of companies (Diebold, Sequoia, ES&S) who are in a position to control the final outcomes of our elections. I also believe that the outcomes can be changed without any knowledge by election judges or anyone else. Furthermore, meaningful recounts are impossible with these machines."

Here is a potential contest: Predict when and where the first case of echads is experienced.

Slashdot.org:: Visual Autopsy of an ATM Card Skimmer [27 February 2004, top]

"If you have signed up with Friendster or Plaxo, your privacy is at risk, according to Roger Clarke, a security expert at the Australian National University. He called the 'harvesting' of members' address books, part of the network set-up process, disturbing. 'Every IP address, every e-mail, and every social-network relationship that arises appears to be entirely free of any express contractual constraints,' he told the Register. Social network sites like Friendster.com and Tribe.net present serious opportunities for ruthless marketroids and stalkers, Clarke added."

[Item::RIAA Sues More John/Jane Does] The RIAA (Record Industry Association of America) continues to pursue computer users who have been sharing copyrighted materials. EFF.org:: Record Industry Targets 531 More Filesharers

• Microsoft Says Run, Don't Walk To Fix This Flaw
• Linux Security on the Ropes
• Son of MyDoom Stalks Microsoft

[Item::MyDoom an Example of Cracks to Come] The MyDoom virus successfully brought down the SCO website forcing them to establish a new domain name. Here are some MyDoom related quotes.

   "In building an army of zombie PCs over a six-day span, 
    the MyDoom outbreak underscores a new digital security 
    threat for corporations, governments and news operations."

   "Security officials and law enforcement experts believe 
    such viruses will only become more sophisticated and 
    could be used to silence entities for a commercial or 
    ideological stance."

   "This is an effective weapon to censor your critics."

Defining IT today just keeps getting more and more complicated.

The Arizona Republic recommends to readers that we "open a post office, and consider using this as your address on your driver's license and for other purposes."

The Federal Trade Commission (FTC) reported the following.

   "The FTC received more than half a million complaints 
    in 2003, up from 404,000 in 2002, and Internet-related 
    complaints accounted for 55 percent of all fraud reports, 
    up from 45 percent in 2002."

[Extra] Yet another email-based computer worm has hit the Internet. The worm goes by the names Mydoom or Novarg. Users of Microsoft Windows need to have pristine computing practices; in other words, don't click on attachments unless you know they come from a trusted source. {CERT.org:: W32/Novarg.A Virus} {SecurityFocus.com:: Latest e-mail worm spreading fast}

This virus is planning on attacking the websites for both SCO (on Sunday) and Microsoft (on Tuesday).

[Extra] SCO has offered a $250,000 award for information leading the capture and conviction of the criminal(s) responsible for the W32/Novarg.A/Mydoom worm/virus. Yahoo.com:: SCO Posts Bounty for MyDoom Creator

SecurityFocus.com:: Lamo Pleads Guilty to Times Hack Crack [08 January 2004]

Original Item from September, 2003

Wired.com:: Hacker Cracker Must Live With Parents

   "A 22-year-old California man charged with hacking into the 
    New York Times computer network was allowed to remain free 
    on bail terms requiring him to live with his parents and restricting 
    his computer use to such things as e-mail and job searches."

I'm definitely showing my age because I am at a loss as to what age defines adulthood? If this guy was 12, then I could see him being forced to live with his parents, but I consider a 22 year old to be an adult.

How is this guy's computing habits going to be monitored?

According to an FBI agent's statement included in the complaint, Lamo had admitted on a website, SecurityFocus.com, that he had broken in to the New York Times network and described in detail how he carried out the intrusion. If found guilty of being a cracker, then Lamo faces a maximum sentence of 15 years in prison and a $500,000 fine.

Hackers like to use "ph" as a replacement for "f". Crackers (i.e. hackers who are criminals) go "fishing" for unsuspecting computer users by sending email messages and creating webpages that look like valid (and safe) information hoping these users will provide personal data in turn will enable crackers to execute their criminal acts. In a sense phishing can be thought of as evil spamming.

Anti-Phishing.org:: Stop Phishing and Email Scams

   "Phishing attacks involve the mass distribution of 
    'spoofed' e-mail messages with return addresses, 
    links, and branding which appear to come from banks, 
    insurance agencies, retailers or credit card companies. 
    These fraudulent messages are designed to fool the 
    recipients into divulging personal authentication 
    data such as account usernames and passwords, credit 
    card numbers, social security numbers, etc. Because 
    these emails look 'official', up to 20% of recipients 
    may respond to them, resulting in financial losses, 
    identity theft, and other fraudulent activity."

WordSpy.com phishing (FISH.ing) pp. Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data. {More...}

Thanks for Visiting