November 6, 2000

Another hacker hits Microsoft
ONE WEEK AFTER Microsoft reported an intrusion into its corporate networks, another hacker claimed to have penetrated the company's Web servers on Friday. The Dutch hacker, using the alias Dimitri, said in an interview with the IDG News Service that Microsoft had failed to install a patch for a known bug in its Internet Information Server (IIS) software and had not sufficiently secured its Web servers. He gained access to several of Microsoft's Web servers and was able to upload a short text file, "Hack The planet," boasting of the hack to events.microsoft.com, Dimitri said. He could also have altered files on Microsoft's download site, he said. "I could add Trojan horses to software that Microsoft customers download," Dimitri said. Dimitri also claimed that he downloaded files containing administrative user names and passwords for the server. The encrypted files could be decoded with L0phtCrack, a Windows password-cracking tool, he said, but added that he had not and would not decode them.
http://www.infoworld.com/articles/hn/xml/00/11/03/001103hnhacker.xml

- - - - - - - - - - -

Microsoft Hack: Warned of weakness three months earlier
Microsoft knew about the weakness in its security three months before it was hacked, but failed to do anything about it, according to a speaker at the Compsec conference in London. James Adams, CEO of iDefense, a computer security company, said he warned the software giant about the vulnerability three months ago. "They could have closed the door," he said. He was giving a keynote speech on the changing nature of war. He said that conflict in virtual space had proliferated at a pace matching the speed of the digital revolution, and cited the LoveBug virus and the Microsoft hack as two prime examples of this conflict.
http://www.theregister.co.uk/content/1/14463.html

- - - - - - - - - - -

Cracker Jacked!
The most noteworthy aspect of the computer intrusion against Microsoft in late October may be that, in this case, someone might actually be caught and charged with the crime. If not, Microsoft will simply have become the latest, albeit high-profile, victim of a legion of crackers and other computer criminals who, for the most part, perform their perfidy with impunity. Despite the investment of millions of dollars in federal and state law enforcement efforts, the number of open computer crime cases at the Federal Bureau of Investigation is growing far faster than the agency can solve them. While many of the crimes are still in the nuisance category, the imbalance between cop and cracker appears likely to continue until a number of significant changes occur on both the enforcement and prevention fronts.
http://www.zdnet.com/intweek/stories/news/0,4164,2650218,00.html

- - - - - - - - - - -

Life sentence for Net murderer
A man who used Internet chatrooms to explore his obsession with rape has been sentenced to life imprisonment for the murder of a mother of two. David Ferguson, 31, of Chatham was found guilty of stabbing Susan Kent to death at her home near Gillingham on 24 November 1999. Mr Justice Hidden sentenced him to life in jail, with a minimum of 20 years. Maidstone Crown Court heard that Ferguson connected his home PC to the Internet six days before he sexually assaulted Ms Kent and stabbed her ten times. Computer experts at Kent police submitted evidence of Ferguson sending rape-obsessed emails to women he had stalked on the Internet; the emails were saved on the hard drive of his computer. The prosecution also proved that he had been accessing Web sites such as louiscypher.com, a pornography site containing images of women being attacked and raped.
http://www.zdnet.co.uk/news/2000/44/ns-18904.html

- - - - - - - - - - -

'Mafiaboy' hacker case postponed
A 16-year-old computer hacker accused of paralyzing the major Web sites of CNN, Yahoo! and Amazon.com in February had his case postponed Monday until December 8. The suspect, who cannot be named under Canadian law, has pleaded innocent to more than 60 charges of mischief and computer hacking. If convicted, he could spend up to two years in a juvenile detention center. An adult convicted of the same charges would face up to 10 years in prison. The case raised concern worldwide about the vulnerability of major Web sites as dependence on the Internet for communication and commerce increases.
http://www.cnn.com/2000/TECH/computing/11/06/canada.teenhacker.ap/index.html

- - - - - - - - - - -

Curious teen used Web line of jailed lover
A teen-ager who had an affair with a woman he met on the Internet has testified that curiosity spurred him to continue using the woman's online account after she was arrested on a charge of sexually assaulting him. The boy, now 15, said he used the Internet account of Tara Hulin to read her e-mail and surf the Web for about two months after she was arrested in July. Police say that Hulin flew from Thomasville, N.C., to Houston on May 19 to have sex with the boy, the Houston Chronicle reported yesterday.
http://www.journalnow.com/news/local/local/northcarolina/net05.htm

- - - - - - - - - - -

'Hacktivism': Mideast cyberwar heats up
An online battle between Israeli and Palestinian vandals escalated this week with the theft and public posting on Wednesday of a database containing the personal information of 700 members of the American Israel Public Affairs Committee, and the posting by Israeli-affiliated hackers of information regarding Palestinian communications. "This is no different than in the real world, where activists have gone into terrorism," said Paul Robertson, a senior analyst with security services provider TruSecure Inc., formerly ICSA.net. "The big issue now is how are we going to defend against it."
http://www.zdnet.com/zdnn/stories/news/0,4586,2650300,00.html

- - - - - - - - - - -

Typo leads to sensitive state e-mails
A Miami man's spelling mistake during an Internet search led him to sensitive e-mail messages sent to state government officials that had been inadvertently left open to public view on a state Department of Health website. The hundreds of messages, one from an HIV patient looking for a doctor, another from a woman questioning her physicians' credentials, were sent either directly to the health department's website or forwarded from other places such as the state government's new Internet information center, www.MyFlorida.com. "It's a big deal when you've got someone's personal information all over the Web where anybody could have gotten it," said Jerry Haygood, who discovered the files.
http://www.herald.com/content/today/news/dade/digdocs/003675.htm

- - - - - - - - - - -

Police found using pirated MS software
Police across the UK have bought and installed counterfeit Microsoft software, an investigation conducted by the City of London Police has discovered. Four individuals have been arrested and released without charge, a spokesman for the City of London Police said Monday. They were detained under the Trade Descriptions Act. The scandal comes days after the Business Software Alliance announced £10,000 rewards for information leading to the capture of corporate piracy offenders. Hampshire Police, which is responsible for recommending software to other forces in the UK, recommended the counterfeit software to other forces last year. City of London Police traced the bogus editions of Microsoft Office Pro 97 to a company also based in Hampshire called Protocol Solutions.
http://www.zdnet.co.uk/news/2000/44/ns-18910.html

- - - - - - - - - - -

Cybercriminals On The Loose
The National Infrastructure Protection Center, the unit of the Federal Bureau of Investigation that is supposed to catch hackers, has cooked up a cacophony of hype to persuade the American public that a bunch of teenage hackers are equal in menace to the threat posed by professional cybercriminals. And despite the FBI's promotion of the e-mail tapping/sniffing program Carnivore on the grounds that agents need more information, the NIPC's performance so far suggests that the problem isn't too little information; it's the FBI's inability to distinguish signal from noise. It's time to assess just how well or how poorly the center has been doing.
http://www.zdnet.com/intweek/stories/columns/0,4164,2649836,00.html

- - - - - - - - - - -

High-Tech Snooping All in Day's Work
Moving beyond merely monitoring employees' Internet use, many of the nation's largest companies are quietly assembling teams of computer investigators who specialize in covertly copying employees' hard drives and combing them for evidence of workplace wrongdoing. These high-tech investigators employ tools and techniques that were originally devised for law enforcement to catch criminals but are now spreading rapidly in the private sector at Microsoft, Disney, Boeing, Motorola, Fluor, Caterpillar and dozens of other major companies. The development, little known outside the narrow community of corporate security experts, is sure to raise tensions over workplace privacy in an age when the lives of millions of workers are inextricably tied to their office computers. Employers say that their rush into the field known as "computer forensics" is a matter of self-defense: being able to retrieve computer evidence is essential to their ability to catch employees engaged in everything from spending too much time surfing the Internet to stealing company secrets.
(LA Times archive article, free registration required)
http://www.latimes.com/news/nation/20001029/t000103426.html

- - - - - - - - - - -

Laptop secrets not safe on planes
Travellers have been warned by an aerospace industry expert not to work on company-sensitive projects on laptop computers while travelling. Speaking at the Computer Security, Audit and Control conference in London this week, Julien Holstein, information security director at aeroplane manufacturer Aerobus, said his firm has introduced a company-wide policy forbidding staff to work on projects on their laptops during aeroplane journeys. The rule, which could equally apply to train travel, was introduced to maintain the confidentiality of the company's data after one of its managers reported that he had covertly read sensitive project information off the laptop screen of the person in the next seat.
http://www.vnunet.com/News/1113460

- - - - - - - - - - -

Mending the un-safety Net
Online fraud is booming: complaints are up 48 percent in two years. Experts say the scams are old tricks made new by the Internet: phony auctions, billings for services never received, get-rich-quick schemes and work-at-home schemes. In this report for "NBC Nightly News," Norah O'Donnell says federal regulators have announced a crackdown, new law enforcement actions and a strong warning.
http://www.msnbc.com/news/486010.asp

- - - - - - - - - - -

Experts say France could block most Nazi Web sales
People in France could be prevented from gaining access to on-line Nazi memorabilia sales hosted by U.S. Internet giant Yahoo, but the system would never be fail-safe, computer experts told a French court Monday. The court ordered Yahoo Inc in May to block French surfers from outlawed English-language web sites where items like Nazi uniforms and SS badges are sold by auction. The judge subsequently asked a panel of three specialists to verify whether the ruling was viable after Yahoo asserted that it was technologically impossible to cut off French Internet users from Web sites governed by less restrictive U.S. laws.
http://www0.mercurycenter.com/svtech/news/breaking/internet/docs/600101l.htm

- - - - - - - - - - -

Net dad Vint Cerf slams RIP
Vinton Cerf, one of the founding fathers of the Internet, has attacked the RIP bill (the UK's Regulation of Investigatory Powers legislation) as a dangerous new piece of legislation. Speaking at the Compsec conference in London yesterday he commented: "Oh my god. A lot of us in the US are very worried about the RIP Bill, it has raised some of the same concerns as Carnivore." He acknowledged that it was a matter of balancing an individual's right to privacy with the need to protect society as a whole, but was worried about the circumstances in which it comes into force.
http://www.theregister.co.uk/content/1/14451.html

- - - - - - - - - - -

Cloaking devices designed for wary Web shoppers
The Internet's first anonymous shopping tools are going live this fall. These are various virtual masks that cloak people's credit card numbers, and in some cases their real names and addresses, from the prying eyes of online merchants. At the same time, a batch of new security tools is being introduced to help credit-card companies verify that shoppers are indeed who they say they are. It's all part of the Internet industry's attempt to counter the widespread attitude that online shopping is neither secure nor private. Merchants are embracing new privacy tools, partly in hopes of fending off heavy-handed regulation by Congress, while financial institutions are mostly concerned about fraud.
http://www.startribune.com/viewers/qview/cgi/qview.cgi?template=tech_a&slug=tech03

- - - - - - - - - - -

The Ten Immutable Laws of Security
Here at the Microsoft Security Response Center, we investigate thousands of security reports every year. In some cases, we find that a report describes a bona fide security vulnerability resulting from a flaw in one of our products; when this happens, we develop a patch as quickly as possible to correct the error. In other cases, the reported problems simply result from a mistake someone made in using the product. But many fall in between. They discuss real security problems, but the problems don't result from product flaws. Over the years, we've developed a list of issues like these that we call the Ten Immutable Laws of Security.
http://www.microsoft.com/technet/security/10imlaws.asp

***********************************************************
The source material may be copyrighted and all rights are retained by the original author/publisher. The information is provided to you for non-profit research and educational purposes. Reproduction of this text is encouraged; however copies may not be sold, and NewsBits (www.newsbits.net) should be cited as the source of the information. Copyright 2000, NewsBits.net, Campbell, CA.