News Pages - Page 1 | Page 2 | Page 3 | Page 4 | Page 5 | Page 6 | Page 7 | Page 8 | Page 9 |

Index

About

Future

Macrovision/C-Dilla

Links page

Contact Us!


Privacy & Security News April 2001


Privacy terms revised for Microsoft Passport
Microsoft on Wednesday revised the "terms of use" policy for its Passport service after criticism that the agreement gave the software behemoth Draconian control of customer communications. (Does This Read: The Data in Personal Profile and Your Messages)
http://technews.netscape.com/news/0-1005-200-5508903.html?pt.nc.txtdisp.hl.ne

Armey applies privacy brakes
WASHINGTON--The man who decides which bills will be considered on the House floor said Monday that any online-privacy bill is likely to do more harm than good.
http://technews.netscape.com/news/0-1005-200-5549772.html?pt.nc.txtdisp.hl.ne

Security flaw found in Alcatel DSL modems
Computer industry security experts believe they have discovered a vulnerability in certain high-speed modems manufactured by Alcatel, the French communications equipment giant.
Though only theoretical so far, the problem makes the devices potentially vulnerable to malicious hacker attacks.
http://technews.netscape.com/news/0-1004-200-5567751.html?pt.nc.txtdisp.hl.ne

Damage limited from lonely hearts virus
Antivirus software companies said a new virus that disguises itself as a program for finding romance partners is spreading quickly between companies in Europe.
Companies say the virus, known as Matcher.A, is less potent than the I Love You virus that ravaged computer systems last May, but it could pose a nuisance by overloading mail servers internationally.
http://technews.netscape.com/news/0-1003-200-5652326.html?pt.nc.txtdisp.hl.ne

Giving spam the network boot
A promotion arrives in your e-mail box from a company you've never heard of before--but is it spam?
http://technews.netscape.com/news/0-1005-200-5668645.html?pt.nc.txtdisp.hl.ne

Commentary: High prices for Net access
Higher prices for high-speed Internet access--via DSL (digital subscriber line) or cable--is the natural follow-up to the major industry shakeout of the last year. With much of the competition gone, and with many of the surviving major players carrying huge debt loads and desperate for profits, prices have to rise.
http://technews.netscape.com/news/0-1004-201-5681074-0.html?pt.nc.txtdisp.hl.ne

TRACK YOUR FLASH ADS
The Macromedia Flash Tracking Kit shows ad developers how to prepare Macromedia Flash files so that ad serving networks can dynamically assign click codes to Macromedia Flash advertisements. By adhering to the standards explained in the Tracking Kit, ad developers now need to create only one Macromedia Flash advertisement for an entire campaign: (MacroMedia Developers Newsletter)

Globbing Function Leaves Some FTP Servers Vulnerable
[April 10, 2001] A process used to expand short-hand notation into complete file names creates security flaws in a variety of FTP servers that lead to buffer overflows.
http://www.internetnews.com/wd-news/article/0,2171,10_739431,00.html

Hackers Succeed in Breaching Shopping Cart Software [April 10, 2001]
In one of several recent cyber break-ins, Atlanta-based PDG Software has informed the Federal Bureau of Investigation that its merchant sites were hacked. Within hours the president of the company, David Snyder, said online venders using its shopping cart software package were notified and security holes patched.
http://www.internetnews.com/wd-news/article/0,2171,10_738991,00.html

Compaq's Active X Policy Taking Water
Compaq Computer said ActiveX programs that ship with its popular desktop and notebook Presario lines contain a flaw which could allow attackers to over-write files on users' machines if they visit a specially-constructed Web page or read a booby-trapped HTML email. http://www.internetnews.com/wd-news/article/0,2171,10_740501,00.html

British Court Close To Sending Curador to Jail
A Crown Court judge in Wales indicated that he intends to sentence teenage hacker Raphael Gray to prison, pending the outcome of medical tests.
http://www.internetnews.com/wd-news/article/0,,10_748801,00.html

Groups: Pay Us for a Heads-up on Security Threats
It pays to be secure. Literally. Especially where the Computer Emergency Response Team Coordination Center (CERT/CC) is concerned. An invaluable group to the government because it tips them off to security threats before they can mete out damage, CERT Thursday said it will open up its advisories about viruses, hacks, and other pesky nuisances to others, so long as groups are willing to open up their coffers.
http://www.internetnews.com/wd-news/article/0,,10_747441,00.html

Microsoft Patches ISA Server Denial-of-Service Bug
Members of the security advisory group SecureXpert Direct this week isolated a bug in Microsoft Corp.'s ISA Web server 2000 that would render the Web server victim to denial-of-service (DoS) attacks.
http://www.internetnews.com/wd-news/article/0,,10_746141,00.html

Internet Security Systems Moves to Parry Drive-by Hackers
Atlanta-based Internet Security Systems Inc. (ISS) has long had this concern about drive by hackers. That's right -- drive-by hackers.
http://www.internetnews.com/wd-news/article/0,,10_752201,00.html

Journal of a Cyber Criminal
The president of AdCops.com, an on-line community that allows e-commerce merchants to share stories and ideas about Internet fraud, recently paid two cyber criminals to keep logs of their daily activities. Using anonymous e-mail accounts and stolen credit card information, the thieves claim to make thousands of dollars a month from their activities.
http://www.msnbc.com/news/550567.asp?0nm=T21B
http://adcops.com/

Federal Systems' Security Inadequate
Hackers gained root-privilege control of more than 150 systems at 32 government agencies last year, said federal officials at a congressional hearing, adding that only 20% of such incidents are reported. A General Services Administration (GSA) computer security official said that three-quarters of intrusion attempts on federal systems came from foreign sources. The majority of successful intrusions could have been thwarted had agencies updates their systems.
http://www.usatoday.com/life/cyber/tech/2001-04-05-hackers-feds.htm>/A> http://www.computerworld.com/cwi/story/0,1199,NAV47_STO59280,00.html http://www.msnbc.com/news/555308.asp?0nm=T21B

Web Host Database Stolen
A cracker says he stole a database containing personal information on 46,000 customers of ADDR.com, a Colorado-based web hosting company. Several customers have reported fraudulent charges on their credit cards. The cracker suggested he could use the sites' bandwidth to launch a DoS attack. In addition, the stolen database contains user names and passwords; if customers had not reset their default passwords, the cracker could potentially have altered content on their sites.
http://www.msnbc.com/news/553615.asp?0nm=T22B

Turbo Tax Glitch May Necessitate Password Changes
A security glitch in Intuit's Turbo Tax software saves investment account passwords to the user's PC or to Intuit's servers when the customers import investment tax data from any of seven financial institutions. As many as 150,000 users are affected by the problem. Some of the financial institutions have recommended that customers change their passwords while others have disabled the affected passwords altogether.
http://news.cnet.com/news/0-1007-200-5521513.html?tag=prntfr

CA Democrat Site Security Hole
A security flaw in the California Democratic Party's web site exposed credit card numbers and other personal data belonging to 54 people who had made contributions. Some of the donors received personal phone calls apologizing for the problem and no fraudulent use of the cards had been reported. The glitch in the older version of Lotus Notes Domino server allows unrestricted database access by default. MSNBC.com received an anonymous tip about the flaw and passed the information on to party officials.
http://www.msnbc.com/news/555361.asp?0nm=T22E

Yahoo and eBay Log-Ins Not Always Secure
Yahoo and eBay both allow users to log in to personalized versions of their sites via a secure log on page. But when accessing features on the site, users are asked to enter their user Ids and passwords again; this time, they are sent across LANs and WANs in clear text.
http://www.zdnet.com/zdnn/stories/comment/0,5859,2705095,00.html

eBay Privacy Policy Modified
eBay has revised its privacy policy, stating that customer information will be shared in the event of a merger or acquisition.
http://news.cnet.com/news/0-1007-200-5437441.html?tag=prntfr
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59201,00.html
Note: Readers are encouraged to express their views on this policy...

Industry Says Virus Challenge Irresponsible
A firewall company is offering a $10,000 reward to any virus writer who can infect a certain machine shielded by its product. The writer will receive $100 for getting a virus past the gateway; the balance will be paid when the author shares information about the creation of the successful virus. Anti-virus experts have called the challenge irresponsible and unethical, and the founder of an on-line virus dictionary points out the company could be held liable for viruses written to meet the challenge.
http://www.zdnet.com/zdnn/stories/news/0,4586,5080549,00.html?chkpt=zdhpnews01

Cloaked Code
A hacker who also works as a security consultant has developed a technique called polymorphic coding that can be used to disguise malicious code. The cloaking technique thwarts intrusion detection system pattern matching, according to its author.
http://www.zdnet.com/zdnn/stories/news/0,4586,5080532,00.html
This result was inevitable. It was predicted by a landmark 1998 paper by Ptacek and Newsham (http://secinf.net/info/ids/idspaper/idspaper.html) The most interesting aspect of this story is that this approach is now being discussed publicly in very practical forums. How soon will Polymorphic code undermine virus detection and IDS systems

Security Disclosure Could Raise Confidence in Internet
The government could boost confidence in the Internet if it required companies to disclose their security measures, just as the SEC required companies to provide Y2K preparedness in their earnings reports two years ago, according to Senator Robert Bennett (R-Utah), chairman of the High-Tech Task Force and Special Committee on Y2K.
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59161,00.html
The only security measures that are likely to survive attack are those that are subject to public scrutiny. See the lessons of the Clipper chip.

Chinese Hacking
Despite strict laws against hacking, Chinese hackers are being urged to target US systems in retaliation for the recent mid-air collision, and Vigilinx CEO Bruce Murphy believes the Adore worm was written in retribution for the incident. In 1999, Chinese hackers attacked a number of US government systems in retaliation for the bombing of the Chinese Embassy in Belgrade. A security consultant recently discovered that a Chinese hacker authored the Lion worm. The Chinese government requires anti-virus vendors to provide complete virus code samples if they want to do business in China, leading some security experts to question their motives.
http://www.wired.com/news/politics/0,1283,42982,00.html

Alcatel Modem Security
Crackers could take advantage of a vulnerability in Alcatel high-speed modems to shut down a user's connection, monitor LAN traffic, or launch denial-of-service attacks. Crackers could remotely deactivate protections that would allow them to install firmware. Alcatel suggests its customers install firewalls to protect themselves. Researchers who discovered the flaw say it is arcane and exploits for it are unlikely to become widespread.
http://news.cnet.com/news/0-1004-200-5567751.html?tag=prntfr
http://www.infoworld.com/articles/hn/xml/01/04/11/010411hnalc.xml?0411alert
http://dailynews.yahoo.com/h/ap/20010411/tc/modem_flaw_1.html NOTE: A fascinating (but unverified) look at how Alcatel's management struggled over the media update distributed in response to the disclosure may be found at http://morons.org/articles/1/188. The authors (not Alcatel) use profanity.

FTP Security Hole
PGP security has discovered a flaw in the "globbing" command of many FTP server systems that could be used to cause buffer overflows and allow crackers to gain root control privileges on the system. PGP has released a tool that can help users identify vulnerable systems.
http://www.wired.com/news/technology/0,1282,42955,00.html
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59463,00.html

Philippine Hackers
A lack of jobs has led qualified Philippine programmers into the realm of hackers.
http://www.time.com/time/asia/digital/printout/0,9788,105665,00.html

Digital Signatures could Help Prevent On-Line Credit Card Fraud
The author posits the idea that requiring on-line shoppers to attach digital signatures with each purchase could go a long way toward thwarting on-line credit card fraud. One impediment to such a plan is the fact that digital signatures have not been standardized.
http://www.msnbc.com/news/559034.asp?0nm=T17L
Note: The standard is called SET. The credit card companies are the ones to implement this. They are doing so. (See American Express Blue.) They understand that this technology must be "enabled" and that it cannot be "required."

Computer Dealer Sends Virus to Competitor
A Devon, UK computer dealer was sentenced to 175 hours of community service for sending a virus to a competitor. The company became suspicious of the offending e-mail, discovered it contained a virus, and informed the police. The rivals had been engaged in a price war.
http://www.theregister.co.uk/content/8/18238.html

Pioneer Accidentally Sends Out Troj_Hybiris
Pioneer unwittingly sent Troj_Hybiris, a semipolymorphic worm, to more than 10,000 customers; at least 19 computers were infected. The worm is activated only when users click on the attached file. The company has sent out an virus alert, apology and fix.
http://www.infoworld.com/articles/hn/xml/01/04/10/010410hnpio.xml?0410alert
Note: This incident makes clear how difficult it will be to prosecute malicious use of viruses, because it is so easy to spread viruses accidentally.

Russian Hacker Claims US Diplomats Tried to Hire Him To Steal Files
The Moscow Times reported that a Russian hacker claims that diplomats at the US Embassy in Moscow attempted to him to copy, alter, and delete files in the Country's Federal Security Service's computer network.
http://www.wired.com/news/politics/0,1283,42998,00.html

Shopping Cart Software Flaw Allowed Credit Card Theft
A bug in PDG Shopping Cart software apparently allowed crackers to steal credit card numbers from several e-commerce web sites; NIPC posted an alert on April 9th. PDG contacted its vendors with a patch the same day it became aware of the problem. The fix is also available at PDG's web site.
Story at Yahoo NIPC Alert PDG Fix

Windows XP Security
Microsoft says its new versions of Windows XP and Whistler, will have dramatically improved security capabilities. In addition to checking for signed integrity credentials before allowing applications to run, and allowing administrators to limit access permissions to specific users, Microsoft has established an internal program, the Secure Windows Initiative, to provide its engineers on-going security education.
http://news.cnet.com/news/0-1003-200-5567520.html?tag=prntfr
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59501,00.html

Warner Bros. Online Security Breach
A cracker stole an e-mail newsletter mailing list from the Warner Bros. Online computer system and spammed the addresses with a pitch for a pyramid marketing scheme. Warner Brothers sent e-mail apologies to the subscribers, but would not comment on what other information may have been stolen.
http://www.msnbc.com/news/556908.asp?0nm=T24F

Cyber Forensics
The market for private sector cyber-forensics is growing, as companies are reluctant to call in law enforcement for fear of bad publicity; furthermore, private companies have greater expertise in getting to the bottom of security breaches.
http://www.msnbc.com/news/555451.asp?0nm=T25F

FBI Busts Russian E-commerce Extortion Ring
Two men have been indicted in what was described as a Russian computer hacking ring that victimized banks and other businesses through extortion and the theft of credit card numbers. The FBI lured the hackers to the US with the promise of a job with a fictitious company.
http://news.cnet.com/news/0-1007-200-5699762.html

Argus' $50,000 "Hack Me" Challenge Cracked
Argus Pitbull's latest public "hack me" challenge has fallen. Within 24 hours of the opening of the contest, the team Last Stage of Delirium (LSD) cracked the Pitbull server, notified Argus, and claimed the 35,000 prize. Argus reports that the flaw exploited was in the underlying Solaris operating system, and not in the Pitbull software.
http://uk.news.yahoo.com/010423/152/bmqfd.html
http://uk.news.yahoo.com/010423/175/bmqng.html
http://www.wired.com/news/technology/0,1282,43234,00.html

SDMI hacking research draws legal threats
The Secure Digital Music Initiative (SDMI) in September invited volunteers to test the security of embedded "watermark" codes as antipiracy technology. The consortium now is pressuring Princeton professor Edward Felten to suppress research that makes educated guesses about how the watermarking was done. SDMI insinuates a possible violation of the Digital Millennium Copyright Act (DMCA). Some scholars believe the DMCA might be unconstitutional, holding the potential to affect free speech and academic research into cryptography.
http://www.zdnet.com/zdnn/stories/news/0,4586,5081595,00.html
http://interactive.wsj.com/articles/SB988069076366701618.htm

Chinese and American Hackers Waging Private War
American cracker group PoizonBOx has defaced at least a hundred Chinese websites since April 4. Chinese hackers are now vowing to retaliate with a planned week-long all-out crack attack on American websites and networks which will start on May 1.
http://www.wired.com/news/business/0,1367,43134,00.html

Anti-Hacking Insurance Higher For NT Users
One insurance underwriter charges 25% higher premiums on anti-hacking policies for companies using Windows NT. While acknowledging that system configuration and architecture play a crucial role in security, the company maintains that Microsoft products are laden with vulnerabilities.
http://www.theregister.co.uk/content/8/18324.html

ISA Members will Receive CERT Warnings for a Fee
The Internet Security Alliance (ISA) is a joint effort between the Electronic Industries Association and the Software Engineering Institute at Carnegie Mellon University, which includes the CERT Coordination Center. Businesses may join for a fee ranging from $2,500 to $70,000 depending on gross revenues; in return, they will receive real-time Internet security warnings which have until now been available only to the Defense Department and the General Services Administration. CERT will continue to make the alerts public 45 days after members receive them. Critics have expressed concern that the ISA is duplicating efforts already undertaken by such groups as the Partnership for Critical infrastructure, the Internet Software Consortium, and the various ISACs.
http://dailynews.yahoo.com/h/nm/20010419/wr/internet_security_dc_1.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2709721,00.html?chkpt=zdhpnews01
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59847,00.html

SMBRelay
An application named "SMBRelay," written by a member of a cracking group, capitalizes on a flaw in Microsoft's Server Message Block (SMB) protocol on Windows NT and Windows 2000 machines. The application hijacks the user's connection and steals password hashes to be decrypted later. The author blames the security hole on the need for backward compatibility with workstations that have lower-ended security capabilities. Blocking access via TCP port 139 will stop this hijacking attack.
http://www.theregister.co.uk/content/8/18370.html

UK's National Hi-Tech Crime Unit
The National Hi-Tech Crime Unit (NHTCU) will work with local police and advise government on policy and legislation. The unit currently employs 40 officers and plans to increase than number to 80; Home Secretary Jack Straw says the government plans to spend 25 million pounds (US$36 million) over three years to fight cybercrime. Critics say that the NHTCU is underfunded, and that because the Internet is global in nature, national initiatives will not have much of an effect. However, the unit could be effective in raising awareness of cybercrime threats. Some have also expressed concern about citizens' privacy.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1283000/1283866.stm
http://www.wired.com/news/business/0,1367,43171,00.html
http://www.guardian.co.uk/uk_news/story/0,3604,474802,00.html

Behavior Blocking
Unlike traditional anti-virus software which scans for viruses based on known signatures, behavior blocking software uses policies to determine whether code and/or applications are attempting to perform unauthorized actions.
http://www.techweb.com/wire/story/TWB20010418S0011
Note: The article describes one instance of behavior blocking technology. Others include eSafe http://www.ealaddin.com/esafe/desktop/index.asp and Entercept http://www.entercept.com/ for Windows, Argus Pitbull LX http://www.argussystems.com/feature/pblxinfo.shtml , and SELinux http://www.nsa.gov/selinux/ and SubDomain http://immunix.org/subdomain.html for Linux.

Microsoft Internet Security and Acceleration (ISA) Server Vulnerability
A security hole in Microsoft's ISA server 1.0 could allow attackers to block all web traffic. By sending specific strings of characters to the server, attacker could take web sites off line and prevent those behind the firewall from accessing the web until the server is restarted. The malicious string could be contained in an image tag in HTML e-mail, sent to the server from someone behind the firewall, or, if the server's Web publishing feature has been turned on, sent from outside the firewall. The exploits do not give the attacker network access nor does it allow for the execution of other attacks.
http://www.infoworld.com/articles/hn/xml/01/04/17/010417hnisa.xml
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59697,00.html
http://www.zdnet.co.uk/news/2001/15/ns-22324.html

Another BDM Laptop Missing
A British Defense Ministry (BDM) laptop reportedly containing new weapons system data was left in the back of a taxi; this brings the Ministry's four-year total to 205 missing laptop computers. The BDM has plans to equip its workers with special briefcases with built-in tracking devices and the capacity to erase laptop hard drives if the proper code is not entered.
http://www.wired.com/news/politics/0,1283,43088,00.html

Security Testing Checklist
Comprehensive security testing includes network topology analysis, review of policies, practices and procedures, vulnerability assessment, and both technological and social engineering penetration testing. It is also helpful to use outside security auditors.
http://www.fcw.com/fcw/articles/2001/0416/tec-ryan-04-16-01.asp

New DoD Cybercrimes Center Position
Brig. Gen. Francis Taylor, commanding general of the Air Force Office of Special Investigations says the Defense Department (DoD) has created the position of executive director of the Defense Cybercrimes Center. In addition to overseeing the DoD's computer forensics lab and investigator training program, the director will help develop a long-term strategy for the center, which may include forming an institute that would function as a resource for private industry and academics.
http://www.fcw.com/fcw/articles/2001/0409/web-cyber-04-10-01.asp

Americans support e-mail monitoring, study finds
WASHINGTON, April 2 — A survey released Monday finds Americans are worried about criminal activity on the Internet and willing to let law enforcement agencies intercept suspects’ e-mail despite misgivings about privacy protections.
http://www.msnbc.com/news/553740.asp?cp1=1

Hackers say corporate security still poor
VANCOUVER, British Columbia--Companies are paying more attention to safeguarding their digital assets, but the overall state of corporate data security is still poor, said hackers and security experts attending the CanSecWest conference on Thursday.
http://news.cnet.com/news/0-1003-200-5383459.html?tag=mn_hd

Bug Opens Microsoft IE to HTML .exe Attachments
A noted bug tracker isolates a vulnerability in Internet Explorer; Microsoft releases a patch to plug the hole.
http://www.internetnews.com/wd-news/article/1,2171,10_730021,00.html

Welsh Hacker Pleads Guilty to Site Break-ins
Experts say "Curador" may evade jail sentence, despite causing $3M in damages.
http://www.internetnews.com/wd-news/article/1,2171,10_728891,00.html

Privacy Advocate Calls on Congress to Act
Amid the recent online security concerns, Junkbusters.com president urges Congress to probe online profiling companies.
http://www.internetnews.com/wd-news/article/1,2171,10_728911,00.html

Microsoft Creates Patch for Digital Certificate Holes
Microsoft scrambles to patch a couple of security holes that a hacker could exploit to run executable content.
http://www.internetnews.com/wd-news/article/1,2171,10_728621,00.html

Lingering Bug May Cause April Fools Problems
Some applications, especially in embedded systems, may not have been patched for the April Fools 2001 bug discovered in 1999.
http://www.internetnews.com/wd-news/article/1,2171,10_728641,00.html

Australia data warehouse raises privacy concerns (Older Story)
SYDNEY, AUSTRALIA (IDG) -- A massive data warehouse containing information on more than 15 million Australians is nearing completion. http://www.cnn.com/1999/TECH/computing/12/03/aussie.bigbro.idg/index.html

PacketStorm Security Site

Index  About  Future  C-Dilla  Links page  Contact Us! 
News Pages -  1 2 3 4 5 6 7 8 9

Copyright © 1996-2004 by PrivacyandSpying Com