[iwar] News
From: Fred Cohen
From: fc@all.net
To: iwar@egroups.com
Wed, 16 Aug 2000 06:08:15 -0700 (PDT)
fc Wed Aug 16 06:09:13 2000
Received: from 207.222.214.225
by localhost with POP3 (fetchmail-5.1.0)
for fc@localhost (single-drop); Wed, 16 Aug 2000 06:09:13 -0700 (PDT)
Received: by multi33.netcomi.com for fc
(with Netcom Interactive pop3d (v1.21.1 1998/05/07) Wed Aug 16 13:09:07 2000)
X-From_: sentto-279987-481-966431299-fc=all.net@returns.onelist.com Wed Aug 16 08:08:44 2000
Received: from hj.egroups.com (hj.egroups.com [208.50.99.212]) by multi33.netcomi.com (8.8.5/8.7.4) with SMTP id IAA32749 for ; Wed, 16 Aug 2000 08:08:44 -0500
X-eGroups-Return: sentto-279987-481-966431299-fc=all.net@returns.onelist.com
Received: from [10.1.10.38] by hj.egroups.com with NNFMP; 16 Aug 2000 13:08:20 -0000
Received: (qmail 4381 invoked from network); 16 Aug 2000 13:08:18 -0000
Received: from unknown (10.1.10.142) by m4.onelist.org with QMQP; 16 Aug 2000 13:08:18 -0000
Received: from unknown (HELO all.net) (24.1.84.100) by mta1 with SMTP; 16 Aug 2000 13:08:16 -0000
Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id GAA08812; Wed, 16 Aug 2000 06:08:15 -0700
Message-Id: <200008161308.GAA08812@all.net>
To: iwar@egroups.com
Cc: secedu@onelist.com
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen
MIME-Version: 1.0
Mailing-List: list iwar@egroups.com; contact iwar-owner@egroups.com
Delivered-To: mailing list iwar@egroups.com
Precedence: bulk
List-Unsubscribe:
Date: Wed, 16 Aug 2000 06:08:15 -0700 (PDT)
Reply-To: iwar@egroups.com
Subject: [iwar] News
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Bloomberg CEO credited with key role in foiling alleged cyber-extortion
Two men from Kazakstan were arrested in London on
charges that they tried to extort $200,000 from
Bloomberg LP after breaking into the company's
computer system, authorities said Monday. Federal
prosecutors and the FBI said Michael Bloomberg,
founder of the financial news and information
company, played a central role in capturing the
men. Oleg Zezov, 27, who worked for a company that
produced database services for Bloomberg, and
Igor Yarimaka, 37, were arrested after Bloomberg
appeared to comply with their monetary demands to
learn how they had gained access to the company's
computer system, authorities said in a statement.
http://www.mercurycenter.com/svtech/news/breaking/merc/docs/054824.htm
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2615264,00.html
Safeway pulls U.K. site after hacker attack
Supermarket chain Safeway said it has shut down
its Web site after an attack by computer hackers.
Thousands of Safeway customers received emails
over the weekend--which appeared to come from the
company--saying Safeway would raise its prices by
25 percent. The emails also said, "If they wanted
to shop elsewhere, they could," according to Emma
French, a Safeway spokeswoman.
http://cnet.com/news/0-1005-200-2511703.html
[Editors Note: Safeway UK is NOT THE SAME COMPANY as Safeway USA, it was
bought several years ago and is completely different at this pointin
time - FC]
Verizon site exposed customer data
Already suffering pressure from an ongoing customer
service worker strike, Verizon Communications had
to remove a customer service self-help Web site on
Sunday because it exposed some customers' private
information. The company released a new application
last week that encouraged customers to troubleshoot
their own problems. But a private researcher
discovered he could enter other customers' phone
numbers into the application and gain access to
personal data about them. The security hole was
first reported by SecurityFocus.com early Monday
morning.
http://www.msnbc.com/news/445991.asp
http://www.securityfocus.com/news/74
Latin America: Piracy to increase as Internet use grows
According to the Business Software Alliance, the
decreasing piracy rates in Latin America could
reverse themselves with the growth of the Internet
in the region. Piracy rates for the region range
from 48 percent in Puerto Rico to 85 percent in
Bolivia.
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2615448,00.html
Bug hunter spies holes in Windows, IE 5.x
Noted bug hunter Georgi Guninski issued a security
alert today warning that Microsoft Windows 2000 and
later versions of Internet Explorer may be vulnerable
to security problems planted in local and remote
network folders. In a security advisory, Guninski
said he identified a vulnerability triggered when
folders accessed through Microsoft Networking are
viewed as Web pages, which occurs in Windows 98
and is the default setting in Windows 2000.
http://news.cnet.com/news/0-1005-200-2522411.html
Taking a Byte Out of Crime
New Public-Private Venture Meant to Combat Cybercrime.
Saying revention is better than prosecution, federal
law enforcement officials and private companies unveiled
a new effort today to protect banks, utilities and other
businesses from computer hackers and terrorists. "You
can't do much after the cow is out of the barn," said
U.S. Attorney Mark Calloway at the launching of InfraGard,
a program that is opening its first state chapter in
North Carolina. The North Carolina InfraGard chapter,
with 100 members, will hold its first meeting Sept. 1
at the headquarters of Duke Energy in downtown Charlotte.
http://abcnews.go.com/sections/tech/DailyNews/cybercrime000811.html
The Mafia of cyberspace
Hackers aren't in it for money. The fun is in exercising
their skills. Once the tool is up on the web site, that's
it for them, says WENDY LEVY. 'WE MEET in a public area.
Nobody is excluded. We have nothing to hide and we don't
presume to judge who is worthy of attending and who is not.'
So start the guidelines for 2600, an international computer
hackers group that meets on the first Friday of the month
in venues around the world. 'We act in a responsible manner.
We don't do illegal things and we don't cause problems for
the place we're meeting in,' the guidelines continue.
http://web.lexis-nexis.com/more/cahners-chicago/11407/6188680/2
Feds shape cyberwarning strategy
Under pressure from Congress to better coordinate the
government's response to computer viruses and other
cyberattacks, the National Security Council has developed
a plan outlining roles and responsibilities for federal
cybersecurity organizations. Under the plan sent out
to those organizations and federal agencies late last
month the National Infrastructure Protection Center,
working with the General Services Administration's
Federal Computer Incident Response Capability office,
will take the lead in alerting agencies to cyberattacks
and will coordinate any immediate response.
http://www.fcw.com/fcw/articles/2000/0814/news-tritak-08-14-00.asp
DARPA's EMERALD proves worth in cyberdefense
EMERALD is a gem in the world of cyberdefense. This
EMERALD is not a green jewel, but the Event Monitoring
Enabling Responses to Anomalous Live Disturbances.
Developed by SRI International and the Defense Advanced
Research Projects Agency, EMERALD's ability to detect
computer hackers and other intruders surpasses current
technology, said Michael Skroch, program manager of the
DARPA information assurance program. The new technology
is needed. "We're seeing an increase in the number of
attacks and the severity of attacks in the cyberdomain,"
Skroch said. The recent "I Love You" virus and the denial
of service attacks are just two examples of the threats
facing Defense Department and computer users worldwide.
http://www.af.mil/news/Aug2000/n20000814_001219.html
Judge expands on Napster shutdown order
The loaded gun pointed at Napster's head loomed a
little larger today, as federal Judge Marilyn Hall
Patel released the details of her decision ordering
the company to close its digital doors. Three weeks
ago, Patel granted a preliminary injunction against
the music-swapping start-up that would have barred
it from allowing any major-label songs to be traded
through its service. That order was quickly put on
hold by an appeals court, but that stay is only
temporary. Next week, Napster will submit its first
legal papers laying out why it thinks Patel was
wrong--and today's documents show that the company
will have a high legal hill to climb.
http://news.cnet.com/news/0-1005-200-2500773.html
New credit-card technology uses sound waves to enforce security
An Israeli start-up has created a bit of gadgetry
that uses sound waves to address some of the biggest
issues of e-commerce: fraud, privacy and convenience.
To demonstrate, Alan Sege of ComSense Technologies Ltd.
holds up a bit of white plastic that looks like a credit
card. The executive points the card at his beat-up Sony
laptop computer. He pushes a small round circle on the
card he calls a "Com Dot", dot-com in reverse and
the card emits a coded sound pitched so high the human
ear can't hear it. The computer's microphone picks up
the signal, and the card emits an audible chirp to let
Mr. Sege know the transmission is complete.
http://www.msnbc.com/news/445747.asp
Health-care industry looks at security risks
Health care officials said alleged data theft last
week at a leading cancer center in Boston highlights
the security issues the industry faces. But experts
also said information technology leaders face the
daunting task of balancing the need for patient
privacy in an industry where the flow of information
can literally affect the lives of their customers.
Moreover, security at health care organizations will
come under increased scrutiny in coming months as
federal agencies review regulations that require
health organizations to protect the security and
privacy of electronic information.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO48493,00.html
Toysrus.com drops tracking service amid pressure
Toysrus.com has stopped using a controversial
marketing service after the online toy store was
accused of releasing personal customer data.
Following two class action lawsuits filed against
Toysrus.com, the site posted a revised privacy
policy late last week to address its relationship
with Coremetrics, a 5-month-old marketing company
that analyses customer habits on the Web.
http://news.cnet.com/news/0-1007-200-2520471.html
EU To OK US E-Signature Plan, Punt On Net Telephony
The EU's European Commission Friday said it would
allow the formation of a joint venture between EU
and US banks to create a standardized electronic
signatures authentication service, while at the same
time said it would not change licensing and status
rules for Internet telephony companies. The EC said
it "plans to clear" the way for the establishment
of Identrus, a bank certification network for
financial and e-commerce transactions. The network
would offer a standard for B2B transactions between
banks.
http://www.newsbytes.com/pubNews/00/153614.html
U.N. panel hands Yahoo 40 domain names
Internet portal Yahoo won the rights to 40 Internet
addresses in two rulings by United Nations arbitrators
released today. A three-member panel awarded it the
names "yahooemail.net," "yahoofree.net," "yahoofree.com"
and "yahoochat.net," registered by Jorge Kirovsky of
Colonia, Uruguay. The domain names linked to another
site registered by Kirovsky--"yahoo.com.uy," a Spanish
language site on pets. He subsequently registered
"yahoochat.cl," "yahoofree.cl" and "miyahoo.cl," which
connected to the same address, and established a
business dubbed Yahoo S.R.L. The arbitrators found
that "Internet users are actually confused" by the
names, as the yahoo.com.uy site had received hundreds
of emails apparently intended for Yahoo.
http://news.cnet.com/news/0-1005-200-2519434.html
Deutsche Bank scores against cybersquatters
Deutsche Bank AG has won a case at an international
panel to evict the Spanish holder of five Internet
addresses containing its name in its second such
victory, U.N. arbitrators said Thursday.
http://www.mercurycenter.com/svtech/news/breaking/internet/docs/305947l.htm
UN Court Rules Against Telia Cybersquatters
A United Nations arbitration court has reportedly
ruled that two Swedish residents must surrender to
telecom colossus Telia AB more than 200 Internet
domain names they had registered containing the
name of the Swedish firm and its branches. The Wall
Street Journal reported that the two had offered the
243 domain names for sale at $14,500 (16,049 euros)
each. The unnamed duo had registered such names as
teliadata.com, teliabusiness.com and
teliabroadband.com. The Geneva-based World
Intellectual Property Organization (WIPO), a UN
entity, ruled the two acted in bad faith.
http://www.newsbytes.com/pubNews/00/153580.html
Japan to Act against cybersquatters
Japan's government is finally taking aim at
''cybersquatters,'' who register someone else's
trademark as an Internet address without
authorization, the financial daily Nihon Keizai
Shimbun reported on Tuesday.
http://www.mercurycenter.com/svtech/news/breaking/internet/docs/307511l.htm
Saudis block Yahoo!'s clubs site
Saudi authorities have blocked access to a site on
U.S. Internet giant Yahoo! Inc.'s Web portal that
contains pornographic and other offensive material,
a Saudi official said Sunday. ``The decision to block
the clubs.yahoo.com site is irreversible. Matters
have gone beyond what is acceptable, and pornographic
and other offensive sites are mushrooming,'' said
Khalil al-Jadaan, an official with the King Abdul Aziz
City for Science and Technology, the kingdom's sole
Internet provider.
http://www.mercurycenter.com/svtech/news/breaking/ap/docs/303193l.htm
Stolen laptop sparks antitheft technology
A car alarm blared, glass shattered and a laptop full
of information was gone. That's what happened to
Ravi Hariprasad in Philadelphia one day last September
while seeing patients during his third year of medical
school at the University of Pennsylvania. Although he
lost his computer, the theft sparked talk early into
the next morning between Hariprasad and his friend
Ravi Ghanta about developing a business to protect
laptops.
http://www.nwfusion.com/news/2000/0814antitheft.html
Security exodus continues
The upcoming change in presidential administrations
willbring many personnel changes in government, but
the security side is beginning to see a drain that
many did not expect, as nonpolitical appointees take
private-sector jobs. Tom Burke, associate commissioner
for information security at the General Services
Administration's Federal Technology Service, last
week announced he is retiring from government on
Sept. 1 to take a job in Computer Sciences Corp.'s
civilian information security group.
http://www.fcw.com/fcw/articles/2000/0814/news-exodus-08-14-00.asp
Infosec education needs revamping, professor warns
A report to be published this year by one of the
nation's top educators in information systems and
security warns that the current system of higher
education cannot support the demand for information
assurance professionals and calls for a revolutionary
change in the way the government, academia and
industry cooperate. "The present national need for
an immediate increase in the development of
information assurance professionals at all levels
cannot be met within the existing educational
structure," said professor Corey Schou, chairman
of the National Colloquium on Information Systems
Security Education and associate dean of Information
Systems at Idaho State University.
http://www.fcw.com/fcw/articles/2000/0814/web-work-08-14-00.asp
These Wires Were Made for Tapping
A new government-approved standard for telecommunications
equipment violates the Fourth Amendment's prohibition
against unreasonable searches and seizures, critics
say. The standard, released in updated form last week
by theTelecommunication Industry Association, instructs
telecommunications hardware manufacturers on how to
build their equipment so that it complies with a
federal wiretap law passed by Congress in 1994.
http://wired.com/news/politics/0,1283,38170,00.html
Anti-hacking method of full disclosure under attack from
a part of the security industry.
FOR MORE THAN three years, we have strived to use
this space to inform you about the latest tools and
techniques from the security world. Our weekly toil
was a wholehearted attempt to educate you about the
importance of security and to demonstrate how easy
it is both for others to compromise and for you to
tighten security at your site. We recommend the tack,
first realized by Dan Farmer and Wietse Venema, of
securing your site by breaking into it. Although at
first glance this path seems calamitous, it has
earned great popularity.
http://www.infoworld.com/articles/op/xml/00/08/14/000814opswatch.xml
Stupid, Stupid Protocols: Telnet, FTP, rsh/rcp/rlogin
In this article, I start by discussing the weaknesses
of each of these absolutely horrid protocols. I then
introduce secure shell (ssh) and provide an in-depth
guide to using it. Before some of you write this off,
realize that if you're still using passwords, you're
not using ssh's strongest method of authentication.
User-level public/private key authentication, somewhat
similar to PGP signatures, is powerful and safe.
Combine this with ssh-agent, which implements
"single-signon," and you can save yourself hours a
week, while remaining secure.
http://securityportal.com/cover/coverstory20000814.html
FBI, Mounties hunt Internet hackers
RCMP are working with the FBI to track down computer
hackers who overloaded an Edmonton-based Internet
service provider yesterday, denying access to some
customers. Edmonton RCMP found the "denial of service"
attack on OA Group Inc.'s server that barred
subscribers from logging on to their Internet accounts
originated in Chicago and they were working with the
FBI to zero in on the culprit, said RCMP Cpl. Gibson
Glavin. "We work with the FBI regularly in this section
working with Internet crime," he said.
http://www.canoe.ca/TechNews0008/15_hackers.html
FBI could do better job defending Carnivore
Less than a year ago, when a top priority of privacy
advocates was to get rid of the U.S. government's tight
encryption export policy, government officials told an
interesting anecdote that helped explain why they
wanted to maintain the tight controls. They said the
investigators who cracked the case of the 1993 World
Trade Center bombing in New York were able to capture
evidence from the bomber's laptop only because he used
low-grade encryption. Had he used the stronger encryption
that at the time was being restricted, evidence needed
to convict him would have been much harder to obtain.
http://www.nwfusion.com/news/2000/0815fbidefend.html
Cobb squad clicks on computer crime
The bomb threat appeared in an American Online chat
room. Someone in cyberspace said they were going to
blow up Walton High School. A man saw the message and
alerted Cobb County police. That's where Detective
Gary Lowe and his high-tech crime unit picked up the
trail. He traced the message to an account in
Indianapolis. That didn't make sense. Why would
someone in Indiana threaten a suburban Atlanta school?
He got his answer when he learned that a hacker had
stolen the password for the Indianapolis account.
http://www.accessatlanta.com/partners/ajc/epaper/editions/tuesday/local_news
_93892e49936c60351001.html
A bumper crop of break-ins
This morning the press covered a mixed bag of security
troubles at Bloomberg, Safeway U.K. and Verizon. The
first two suffered embarrassing break-ins; Bloomberg
provided a rare happy ending. Bloomberg's story was
the most dramatic -- the company's founder and chief
played a role in the arrest of two extortionists --
but the Bloomberg news agency itself played the story
short and cool.
http://www.mercurycenter.com/svtech/news/breaking/internet/docs/310905l.htm
U.S. Court orders FCC to rewrite wiretap rules
A U.S. federal appeals court on Tuesday ordered federal
regulators to rewrite rules that would require phone
companies to turn over certain data about wireless calls
being sought by law enforcement officials for
investigations. The Federal Communications Commission
failed to adequately address privacy and cost concerns
raised by telephone companies and privacy advocates,
according to a ruling issued by the U.S. Court of
Appeals for the District of Columbia.
http://www.mercurycenter.com/svtech/news/breaking/reuters/docs/311289l.htm
Experts corroborate Windows, IE security hole
Security experts today confirmed that certain configurations
of Microsoft's Windows operating system and its Internet
Explorer Web browser are open to a potentially dangerous
vulnerability allowing a malicious programmer to take over
a computer through local and remote folders. As previously
reported by CNET News.com, security consultant Georgi
Guninski yesterday published a report on the vulnerability,
which is triggered when folders accessed through Microsoft
Networking are viewed as Web pages. The problem occurs in
Windows 98 and is the default setting in Windows 2000, he
wrote.
http://news.cnet.com/news/0-1005-200-2530362.html
Firm Tracking Consumers on Web for Drug Companies
A Boston technology firm is surreptitiously tracking
computer users across the Internet on behalf of
pharmaceutical companies, a practice that demonstrates
the limits of a recent agreement to protect the privacy
of Web surfers. By invisibly placing ID codes on
computers that visit its clients' World Wide Web sites,
Pharmatrak Inc. can record consumers' activity when
they alight on thousands of pages maintained by 11
pharmaceutical companies. For example, the company can
tell when the same computers download information about
HIV, a prescription drug or a company's profits from
different sites.
http://washingtonpost.com/wp-dyn/articles/A25494-2000Aug14.html
Cybersquatting Rules Delayed - WIPO
A United Nations organization that plays a central role
in policing disputes over Internet addresses has pushed
back a deadline for comments on a proposal to fine-tune
its definitions of what constitutes "cybersquatting."
The World Intellectual Property Organization (WIPO) had
originally picked today as the deadline to receive input
on the terms of reference for what it's calling the
Second WIPO Internet Domain Process. That deadline is
now set at Sept. 15.
http://www.newsbytes.com/pubNews/00/153688.html
FAA to develop security certification
The Federal Aviation Administration is on the verge of
awarding a contract to develop a certification program
for FAA information systems security workers. The FAA
announced plans Aug. 11 to make a sole-source award to
the International Information Systems Security
Certification Consortium 2 (ISC 2), a nonprofit
corporation that develops certification programs for
information systems security practitioners.
http://www.fcw.com/fcw/articles/2000/0814/web-faa-08-15-00.asp
Lab certified to test security software
The government has certified CygnaCom Solutions Inc.'s
Security Evaluation Laboratory to test information
security software based on international criteria
established to assure users that security products
perform the functions that vendors claim. The
laboratory accreditation, announced Monday, comes
from the National Infrastructure Assurance Partnership
(NAIP), a collaboration of the National Institute of
Standards and Technology and the National Security
Agency. The partnership oversees the certification
of laboratories and testing of products under the
Common Criteria evaluation and validation program,
an international standard that experts are encouraging
civilian agencies to consider when purchasing security
products.
http://www.fcw.com/fcw/articles/2000/0814/web-lab-08-15-00.asp
Windows 2000 Patch Broke Firewalls
Several popular firewall products rendered ineffective by
a Windows 2000 fix are back on the job, with patches from
the manufacturers. Zone Labs' ZoneAlarm 2.1 and Network
ICE's BlackICE Defender 2.1 are among the firewalls that
would not function properly when used with a service pack
update to Microsoft Windows 2000, released earlier in
August.
http://www.pcworld.com/pcwtoday/article/0,1510,18051,00.html
Sigaba Enhances E-Mail Security
Recent attention to the FBI's "Carnivore" e-mail sniffer
has privacy-minded Netizens looking for e-mail encryption
options, and Sigaba is releasing a free end-user product
this week. SigabaSecure uses the 128-bit Blowfish encryption
algorithm. (See "How it Works: Encryption.") You can read
encrypted messages sent with SigabaSecure using a browser
interface, although you also need a free SigabaSecure account.
To send encrypted messages, you need the free SigabaSecure
plug-in, which is downloadable now from the company's site.
http://www.pcworld.com/pcwtoday/article/0,1510,18038,00.html
HP preparing security appliance
SUGGESTING THAT TODAY'S corporate firewalls may not provide
adequate protection from hacker intrusions and DoS (denial
of service) attacks, Hewlett-Packard plans to begin
offering what it calls "security appliances" sometime in
2001. According to Roberto Medrano, general manger for HP's
Internet Security Solution Division, the HP security
appliance will sit directly behind a company's existing
firewall and in front of Web servers. Medrano also suggested
that another security appliance be placed behind any
secondary firewalls that protect a company's application
servers.
http://www.infoworld.com/cgi-bin/deleteframe.pl?story=/articles/hn/xml/00/08/14/000814hnhpsecure.xml
Net security is 'fatally flawed'
A stark warning from a world expert on internet security
is threatening to have a devastating effect on online
banking and e-commerce. Bruce Schneier, a cryptographer
and chief technology officer at consultancy Counterpane
Internet Security, says that there are fatal flaws in the
way systems operate. And he believes that security breaches
such as the recent Barclays bank blunder, where customers
could see other accounts, are just the tip of the iceberg.
http://www.thisismoney.com/20000813/nm19067.html
---------------------------------------------------------------------
------------------
http://all.net/