http://www.computerworld.com/printthis/2004/0,4814,95101,00.html
http://www.eweek.com/print_article/0,1761,a=133063,00.asp
[Editors' Note (Several): SP2 can be downloaded from
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx.
It is huge, about 270 MB. Read the release notes, test it and test it
before attempting to roll out to all your systems.]
--Reverse Engineering of SP2 Reveals Strong Security Approach
(9 August 2004)
Security company F-Secure has reverse-engineered SP2 and believes the
update will do a good job protecting against outbreaks of worms like
Sasser, Slammer and Blaster; infections will spread more slowly and it
will be more difficult for automated worms to spread on updated systems.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39162970-39020330t-10000003c
--Oracle to Address 34 Flaws
(3 August 2004)
Oracle plans to release patches to fix 34 vulnerabilities in its
database software. The vulnerabilities include buffer overflow and SQL
injection flaws; some are easy to exploit while others require a fair
amount of technical ability. Next Generation Security (NGS) Software
said that while it discovered the vulnerabilities and informed Oracle
early this year, Oracle is delaying the release of the fixes until its
new patch distribution system is ready for release. The delay has
prevented NGS from discussing details of the vulnerabilities with others
in the security field.
http://www.computerworld.com/printthis/2004/0,4814,95013,00.html
--FCC Rule: Spammers Need Consent to Send to Wireless Subscriber
Messaging Service Domains
(5 August 2004)
The Federal Communications Commission (FCC) has issued a new rule
requiring mass marketers to obtain express permission from users before
sending commercial messages to mobile phones and PDAs. The Commission
is also requiring that the Commercial Mobile Radio Service providers
compile a list of all pertinent Internet domains that will be used as a
do-not-spam list; the list would not contain individual addresses.
http://www.washingtonpost.com/ac2/wp-dyn/A41009-2004Aug4?language=printer
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=26806218
[Editor's Note (Tan): I applaud this move and would like to see SMS spam
included, as well.]
--Information Sharing Breakdown
(9 August 2004)
Some network operators and private researchers are backing off from
sharing vulnerability information with public entities. Some government
and related agencies are sharing less and less information that they
gather, and companies see their vulnerability information as a lucrative
commodity.
http://www.eweek.com/print_article/0,1761,a=133046,00.asp
[Editor's Note (Tan): This is not surprising. First-hand information is
valuable. What does a company gain by sharing it? How much can the
company trust that the information is handled carefully? How does the
company know the other parties who see the data will not disclose it
further or use it in harmful ways?]
--Hospitals Defy Patching Restrictions
(9 August 2004)
Concerned that patient safety could be threatened, hospital staff
members are applying Microsoft's patches to various Windows-based
devices in defiance of the manufacturers' restrictions. Manufacturers
often have a long testing period or are concerned that a patch may
impair a device's functionality. Hospital staff are concerned that
malware could imperil patient safety and that applying patches is a part
of HIPAA (the Health Insurance Portability and Accountability Act)
compliance. The Food and Drug Administration (FDA) is encouraging
hospitals that run into these problems to file complaints in writing
which could result in the manufacturers losing their "government seal
of approval."
http://www.nwfusion.com/news/2004/080904patchfights.html?ts
--Three Plead Guilty in Targeted Wireless Hacking Case
(6 August 2004)
Three Michigan men have pleaded guilty to breaking into Lowe's computer
network through an unsecured wireless access point. Prosecutors say the
three accessed the network while in a Lowe's parking lot, and that they
altered software on the network to allow them to collect customer credit
card information. Prosecutors will recommend varying sentences for the
three men, one of whom was serving the final month of a three-year
probation sentence for an earlier cyber intrusion.
http://www.techweb.com/wire/story/TWB20040806S0003
http://www.securityfocus.com/printable/news/9281
--Romanian Man Indicted on Conspiracy Charges
(5 August 2004)
Calin Mateias of Bucharest, Romania, has been indicted on charges he
broke into the online ordering system at Ingram Micro and placed more
than 2,000 fraudulent orders over the past four years. Five Americans
who allegedly abetted Mateias will receive summonses to appear in
federal court later this month.
http://www.msnbc.msn.com/id/5614132/
http://informationweek.com/shared/printableArticle.jhtml?articleID=26806085
[Editor's Note (Schmidt): This looks like a good case and we need to
keep the pressure on and investigate, prosecute and convict as many as
we can. Companies reporting crimes, as they did in this case, is a
first step in holding the criminal accountable.]
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
--State Attorneys General Letter to P2P Vendors Urges Software Changes,
Customer Warnings
(5 August 2004)
A letter signed by 47 US state and territory attorneys general was sent
to peer-to-peer software vendors, urging them to modify their products
to prevent illegal file sharing; the letter also encourages the
companies to inform customers about the legal and personal dangers of
file sharing.
http://www.infoworld.com/article/04/08/05/Hnagpeer_1.html
http://www.washingtonpost.com/ac2/wp-dyn/A41012-2004Aug4?language=printer
http://zdnet.com.com/2102-1104_2-5298413.html?tag=printthis
--Company That Makes DVD Copying Products Ceases Operations
(4 August 2004)
Bowing to the pressure of pending lawsuits, 321 Studios, maker of a
number of DVD copying software products, has decided to stop operations.
The lawsuits were brought by movie studios and others alleging
violations of certain provisions of the Digital Millennium Copyright Act
(DMCA).
http://www.drmwatch.com/drmtech/print.php/3390801
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--Sensitive Building Data is Readily Available on the Internet
(6 August 2004)
Sensitive information about the physical security of various companies
has been found on their corporate web sites. For example, there are
3-dimensional models of the exterior and some of the interior of
Citigroup's Manhattan headquarters; there is also information about the
building's structural design flaws. Amit Yoran, director of the
Homeland Security Department National Cyber Security Division, says they
may consider publishing best practices guidelines for companies
regarding the availability of such information.
http://computerworld.com/printthis/2004/0,4814,95098,00.html
SPAM & PHISHING
--Pfizer Plans to Sue Spammers and Other False Viagra Advertisers
(5 August 2004)
Pfizer has announced that it will pursue legal action against spammers
and web sites advertising drugs under the name Viagra; Pfizer says it
alone is licensed to sell Viagra and that no "generic" brands of the
drug exist. Pfizer cites market research which revealed that 25% of men
believed the spam advertising Viagra was coming from Pfizer.
http://www.theregister.co.uk/2004/08/05/pfizer_sues_spammers/print.html
--APWG Data Shows Steady Increase in Phishing Scams During First Half
of Year
(4 August 2004)
Data from the Anti-Phishing Working Group indicates that the incidence
of phishing scams increased an average of 50% a month during the first
half of 2004. A Websense Inc. analysis of APWG's report found that 25%
of phishing sites were on hacked servers and that 94% of the sites
allowed attackers to remotely download personal information entered by
those who fell prey to the attacks.
http://www.computerworld.com/printthis/2004/0,4814,95029,00.html
[Editor's Note (Schmidt): Even with an increase in the number of
incidents the missing metric is how many are really successful.
Conversations with various groups indicate that people are getting
smarter. Even though there may be more scams, fewer people may be
falling for the scams.]
--Phishing Scam Exploits Potential Campaign Donors
(4/2 August 2004)
A recent phishing scam poses as a site to allow people to contribute to
John Kerry's presidential campaign.
http://www.msnbc.msn.com/id/5581739
http://www.computerworld.com/printthis/2004/0,4814,95030,00.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
--AIM Buffer Overflow Vulnerability
(9 August 2004)
A buffer overflow flaw in the way AOL Instant Messenger (AIM) handles
"away" messages could allow attackers to run arbitrary code on
vulnerable machines. AOL is recommending that users upgrade to the
recently released beta version of AIM. To exploit the vulnerability,
attackers must trick users into clicking on a malicious link.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci999090,00.html
http://www.techweb.com/wire/story/TWB20040809S0015
http://www.infoworld.com/article/04/08/09/HNaolimflaw_1.html
--Brador.A Trojan Infects PDAs and Other Mobile Devices
(6/5 August 2004)
The Brador.A Trojan horse program infects PocketPC devices running
Windows CE version 4.2 and later, as well as recent versions of Windows
Mobile. Unlike its predecessors, Brador carries a malicious payload; it
could allow the author to take complete control of infected devices.
http://www.theregister.co.uk/2004/08/05/pocketpc_trojan/print.html
http://www.nwfusion.com/news/2004/080904pdavirus.html
http://www.computerworld.com/printthis/2004/0,4814,95090,00.html
--Evaman Variant Mistaken for MyDoom
(9/5/4 August 2004)
A variant of the Evaman worm uses Yahoo! People Search to harvest email
addresses. When it was first detected, this worm was believed to be a
MyDoom variant because an earlier version of that worm had scoured
search engines for email addresses.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39155793-2000061744t-10000005c
http://zdnet.com.com/2102-1105_2-5298040.html?tag=printthis
http://www.theregister.co.uk/2004/08/04/mydoom_targets_yahoo/print.html
--Multiple Vulnerabilities in libPNG
(6/4 August 2004)
US-CERT has warned of multiple flaws in the libPNG library, the most
serious of which could be exploited to allow attackers to execute
arbitrary code on vulnerable systems.
http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39189335-39001150t-39000005c
http://www.us-cert.gov/cas/techalerts/TA04-217A.html
--Mozilla Will Pay $500 for Serious Vulnerability Discoveries
(3/2 August 2004)
The Mozilla Foundation has announced an initiative that will pay users
$500 for discovering and reporting vulnerabilities in its open source
software. The foundation is soliciting donations from users and
supporters to fund the initiative; foundation members will decide who
gets the money.
http://www.computerworld.com/printthis/2004/0,4814,95012,00.html
http://news.com.com/2102-1002_3-5293659.html?tag=st.util.print
http://www.theregister.co.uk/2004/08/03/mozilla_bug_bounty/print.html
http://www.mozilla.org/press/mozilla-2004-08-02.html
STATISTICS, STUDIES AND SURVEYS
--Managers Blame Employees' Bad Security Habits for Cyber Attacks
(6/5 August 2004)
A study from UK research firm Institute of Directors found that half of
senior managers at the 1,200 surveyed companies blamed their employees'
lax security habits for cyber attacks their companies have suffered.
Included among those bad habits are downloading non-work programs,
turning off security programs and opening worm-infested email messages.
http://www.techweb.com/wire/story/TWB20040806S0004
http://news.bbc.co.uk/2/hi/technology/3536018.stm
[Editor's Note (Schultz): I am appalled that management is blaming
employees for "bad security habits" rather than recognizing that
management makes or breaks security. Poor management cognizance of and
commitment to security results in a culture in which users have bad
security habits.]
--FBI Computer Crime and Security Survey
(5 August 2004)
The ninth annual computer crime and security survey from the Computer
Security Institute and the FBI found that only 53% of respondents
experienced cyber intrusions in the past year, following a steady
downward trend that began in 2001. The survey addressed new topics this
year, including security audits and the impact of regulations like
Sarbanes-Oxley.
http://www.theregister.co.uk/2004/08/05/fbi_security_stats/print.html
MISCELLANEOUS
--Insider Data Theft Prompts Shutdown at Indian R&D Center
--High-Tech Wallpaper Keeps Wireless Wardrivers Out
(4 August 2004)
A British defense contractor has developed a wallpaper that can be
fine-tuned to block outsiders' access to wireless networks while still
allowing mobile phones and emergency services to send and receive
signals.
http://www.newscientist.com/news/print.jsp?id=ns99996240
[Editor's Note (Schmidt): I guess that is one way to do it, but using
encryption and security in the wireless access points might be easier
and more cost effective.]