October 31, 2002 FBI director says industry must do more to prevent cyberattacks FBI Director Robert Mueller Thursday implored industry technology executives to do a better job securing the Internet and other data networks by reporting incidences of online crime to the bureau. Youre not enabling us to do [our] job by withholding reports about criminals who successfully penetrate companies data networks or attack their systems, Mueller told those attending a Falls Church, Va. forum on combating online crime and cyberterrorism. Corporations are reluctant to report such attacks to law enforcement agencies for fear of revealing their systems vulnerabilities. They worry the information could give competitors an edge, or invite more attacks by criminals once they discover the weaknesses. - - - - - - - - U.S. should fund R&D for secure Internet protocols, Clarke says Presidential cybersecurity advisor Richard Clarke today renewed his call for government funding to support R&D for more secure Internet protocols. Clarke told reporters that security and reliability of the basic protocols underlying the Internet have not received enough attention because no one has a proprietary interest in them. We have begun to think about the tragedy of the commons, the economic theory that no one takes responsibility for property that is held in common, he said. The commons of cyberspace are the protocols. The question is, what is the role of the U.S. government in regard to this? http://www.gcn.com/vol1_no1/daily-updates/20382-1.html - - - - - - - - Hacking Victims' ID to Stay Secret Senior law enforcement officials assured technology executives Thursday that government will increasingly work to keep secret the names of companies that become victims to major hacking crimes, along with any sensitive corporate disclosures that could prove embarrassing. The effort, described at a cybercrime conference in northern Virginia, is designed to encourage businesses to report such attacks and build public confidence in Internet security. Officials promised to use legal mechanisms, such as protective orders and sealed court filings, to shield corporate hacking victims from bad publicity. http://www.latimes.com/technology/ats-ap_technology12oct31,0,1346591.story http://www.nandotimes.com/technology/story/601028p-4652104c.html http://www.siliconvalley.com/mld/siliconvalley/news/editorial/4416403.htm - - - - - - - - 'Sensitive' label strikes nerve Presidents from three prestigious government science academies have urged the Bush administration not to declare information "sensitive but unclassified" and withhold it from the public. During the past year, dozens of federal agencies have adopted informal policies of suppressing information that they think could be helpful to terrorists planning attacks against the United States. And since summer, the Office of Management and Budget has been considering whether to adopt a formal policy for withholding sensitive information. http://www.fcw.com/fcw/articles/2002/1028/web-info-10-31-02.asp - - - - - - - - Study: Software-Piracy Rate Rises The rate of business-software piracy in the United States climbed slightly in 2001, an industry trade group said Thursday. The Business Software Alliance, citing a new study conducted by the International Planning & Research Corp., said the U.S. software- piracy rate in 2001 was 25 percent, up 1 percentage point from 2000. Theft of software cost the United States $1.8 billion in retail sales of business software applications and more than 111,000 jobs, the group said. http://www.latimes.com/technology/ats-ap_technology14oct31,0,2264097.story http://www.nandotimes.com/technology/story/600959p-4651817c.html http://www.siliconvalley.com/mld/siliconvalley/news/editorial/4416472.htm http://zdnet.com.com/2100-1106-964059.html http://news.zdnet.co.uk/story/0,,t269-s2125121,00.html - - - - - - - - BugBear tops virus charts as Klez refuses to die The nasty BugBear worm finally displaced the irksome Klez-H as the most common virus circulating on the Internet this month. That's according to monthly statistics from managed services firm MessageLabs, which show it blocked 576,286 copies of BugBear over the last four weeks. MessageLabs stopped Klez-H, the next most common virus (and most prolific pathogen ever), 484,647 times. http://www.theregister.co.uk/content/56/27876.html - - - - - - - - More Surveillance on the Way The USA Patriot Act was passed with much fanfare last October, but it was soon clear that lawmakers passed the package without examining all the parts. Today, we're still struggling to determine how new law enforcement powers granted by Patriot are being used. In June, the House Judiciary Committee asked the Attorney General for specifics on this issue. On October 17, the committee released the DOJ's answers. http://www.thenation.com/doc.mhtml?i=20021111&s=mejia20021030 - - - - - - - - GAO says agencies protect personal data Federal agencies that collect personal information from the public usually take the right steps to protect privacy, according to a new report from the General Accounting Office. From March 2001 to July this year, GAO looked at how four agencies the Agriculture, Education, Labor and State departmentsgather and maintain the personal data used to determine whether individuals are eligible for government benefit programs such as Medicare and federal student loans. - - - - - - - - Identifying a solution to ID fraud Despite tentative moves toward a comprehensive authentication system, debate has not yet focused on one of the most visible threats to America's national security: namely, the growing problem of identity fraud. The fingerprinting program that began last month for visitors and non-U.S. citizens entering the United States, for example, underscores the need for a comprehensive authentication system to help strengthen our borders. http://zdnet.com.com/2100-1107-964096.html - - - - - - - - BT launches attack on "cyberslackers" BT Group on Thursday unveiled a new business targeting SMEs who are riddled with inefficiencies resulting from email and Web abuse. BT has invested PS3m in setting up the company, called Open Orchard, and has committed a further PS3m for the next stage of its development. http://zdnet.com.com/2110-1106-964090.html - - - - - - - - Music business pushing security-laden super audio discs Two new digital audio disc formats touted by the music industry for their stellar sound are nowhere near as consumer-friendly as regular old CDs: They're engineered to be copy-proof. The proposition thrills digital piracy-fearing record executives. But many audiophiles are cool to the virtual padlocks, which could prove the undoing of one or both formats. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/4415252.htm - - - - - - - - Madster file-sharing service ordered to keep track of songs The file-sharing service Madster must keep a list of songs available through the system as part of a court order to block access to copyright works. U.S. District Judge Marvin Aspen in Chicago granted a preliminary injunction against the service Sept. 4. The judge sided with recording company officials who claimed Albany- based Madster violated copyright law just as Napster had before it. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/4416386.htm - - - - - - - - Flaw Leaves Windows Open to Attack Security hold could leave certain Windows XP and 2000 systems vulnerable to denial of service attacks. A flaw in software code that implements a protocol for virtual private networks makes Windows 2000 and Windows XP systems vulnerable to denial of service attacks, Microsoft warned late Wednesday. An unchecked buffer exists in the code that implements the Point-to-Point Tunneling Protocol, a protocol that enables users to create and use VPNs that is natively supported by Windows 2000 and Windows XP, Microsoft said in security bulletin MS02-063. The software maker deems the issue "critical." http://www.pcworld.com/news/article/0,aid,106538,00.asp http://zdnet.com.com/2100-1105-964057.html Microsoft flags three security holes http://zdnet.com.com/2100-1104-964106.html http://news.com.com/2100-1001-964106.html - - - - - - - - Software fixes systems while they work Researchers at Pennsylvania State University said hey have developed software that can repair a database that has been attacked, even as it continues to process transactions. Scientists at the Cyber Security Group at Penn State's School of Information Sciences and Technology said the software can quarantine malicious commands sent o database management programs as it simultaneously repairs any damage done to the system. http://zdnet.com.com/2100-1104-964109.html - - - - - - - - The worm that ate the Internet? Computer-science researchers are predicting that new types of dangerous worms are on their way with the ability to infect Web servers, browsers and other software so quickly that the Internet could be taken down in a matter of minutes. Although still very much a theoretical threat, the killer worms described in the research study "How to Own the Internet in Your Spare Time," are triggering some skepticism - but the idea of them is seldom dismissed as outlandish science fiction. http://www.nwfusion.com/news/2002/1028worm.html - - - - - - - - DDoS attack highlights 'Net problems Last week's distributed denial-of-service attack against the Internet's root servers underscores that much of the Internet's infrastructure remains vulnerable to these common hacker attacks and more sophisticated assaults that might be on the horizon, experts say. That an easily preventable distributed DoS attack was successful against so many of the Internet's root servers surprised many network executives, who say they thought more precautions were being taken by the operators of such a key component of the Internet's DNS. http://www.nwfusion.com/news/2002/1028ddos.html - - - - - - - - WiFi group lays out better wireless security The organization that certifies wireless LAN products under the WiFi name unveiled new specifications Thursday for how vendors should make their products more secure. The guidelines call for new mechanisms to replace the current security system, based on WEP (Wired Equivalent Privacy), which has come under fire for being too easy to circumvent. The certification body, Wi-Fi Alliance, plans to lay the mechanisms out as optional features beginning in February and require them for WiFi compliance about six months later, said Dennis Eaton, chairman of the Wi-Fi Alliance. http://www.idg.net/ic_960988_5055_1-2793.html http://news.com.com/2100-1033-964046.html http://www.nwfusion.com/news/2002/1030wifisec.html http://www.usatoday.com/tech/news/computersecurity/2002-10-31-wireless-security_x.htm - - - - - - - - How to get certified security for Win2k, by Microsoft Windows users whose spirits lifted at this week's announcement of Common Criteria certification for Microsoft's Windows 2000 would do well to take a look at some of the assumptions and restrictions associated with the tested system. While perhaps not as extreme as when NT passed Orange book certification so long as it wasn't connected to a network, these do seem just a little restrictive and artificial. http://www.theregister.co.uk/content/4/27877.html Proof Win2K is still insecure by design A day after boasting that Windows 2000 has won Common Criteria security certification, Microsoft was yesterday obliged to warn of two nasty vulnerability affecting, er, Windows 2000. The timing couldn't be more embarrassing for Redmond but, let's face it, the appearance of more bugs in Win2K (or IE, WinXP etc.) is hardly much of a surprise. http://www.theregister.co.uk/content/55/27874.html - - - - - - - - Practising safe hex Sharing floppies and downloading without adequate protection can be fatal. Here at the Bleeding Edge Centre for Computer Prophylaxis, we are forced every day to confront the sad reality that most of our patients deliberately expose themselves to the risk of Acquired Installation Deficiency Syndrome. http://www.smh.com.au/articles/2002/10/31/1035683455596.html - - - - - - - - Why Can't Hackers Be Stopped? Enterprise networks often use packet firewalls at the network perimeter, but they are of little use against active components because they examine only header information. The battle between malicious hackers and system administrators is a never-ending tug-of-war between constantly evolving adversaries. Every time administrators seem to have gained the upper hand, their nemeses change in surprisingly agile ways. http://www.newsfactor.com/perl/story/19830.html *********************************************************** Search the NewsBits.net Archive at: http://www.newsbits.net/search.html *********************************************************** The source material may be copyrighted and all rights are retained by the original author/publisher. The information is provided to you for non-profit research and educational purposes. Reproduction of this text is encouraged; however copies may not be sold, and NewsBits (www.newsbits.net) should be cited as the source of the information. Copyright 2000-2002, NewsBits.net, Campbell, CA.