Wednesday, January 11, 2006


News Item 4771 PCWorld.com - Two New Windows Metafile Bugs Found

Just days after Microsoft patched a critical vulnerability in the way the Windows operating system renders certain types of graphics files, a hacker has published details of two new flaws that affect the same part of the operating system.

The new vulnerabilities were posted to the Bugtraq security mailing list today by a hacker using the name "cocoruder."


12:48:20 PM

News Item 4770 Two New WMF Bugs Found.

Resident Egoist writes "Via PCWorld the news that two new Metafile bugs have been found, just a week after the patching of previous critical WMF issues." From the article: "All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update." [Slashdot]
12:44:38 PM

News Item 4769 Microsoft vs. Computer Security - Why the software giant still can't get it right. By Adam L. Penenberg

Four years ago, Bill Gates dispatched a companywide e-mail promising that security and privacy would be Microsoft's top priorities. Gates urged that new design approaches must "dramatically reduce" the number of security-related issues as well as make fixes easier to administer. "Eventually," he added, "our software should be so fundamentally secure that customers never even worry about it."

Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed "critical" have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer.

Just last week, another problem reared its head--a security hole that could allow Windows users to become infected with adware, spyware, or viruses by simply viewing an e-mail, instant message, or Web page. When Microsoft dragged its heels on issuing a patch, the SANS Institute, an organization that tracks security threats, took the extraordinary step of recommending that users download an unofficial patch developed by a Russian programmer. (Microsoft had planned to release its fix on Jan. 10, but ultimately bowed to pressure and issued it five days earlier.)


12:41:50 PM

News Item 4768 Microsoft vs. Computer Security.

ArieKremen writes "The Slate has a piece written for the average user attempting to explain why Windows is `still` grappling with security issues. Although Gates made security and privacy top priority four years ago, not much progress has been made." From the article: "Microsoft customers haven't stopped worrying. A year later, Windows was hit with several nasty worms, including Slammer, Sobig, and Blaster. The viruses caused major traffic bottlenecks throughout the world, which cost tens of billions of dollars to clean up. Vulnerabilities deemed 'critical' have forced the company to release an almost unending stream of patches and fixes to the Windows operating system, Microsoft Office, and Internet Explorer." An interesting look at the whole issue. [Slashdot]
12:38:41 PM

News Item 4767 Spielberg Bitten by DVD Encryption.

diodesign writes "The Guardian newspaper has reported that 5000 DVD-based preview copies of Spielberg's 'Munich' sent to reviewers in the UK can't be played due to the copy protection system involved. Human error at the laboratory where the DVDs were encrypted led to the wrong region code being set, plus the reviewers use special players from Dolby that prevent the pirating of 'screeners'. An ironic twist in the on-going battle of DRM." [Slashdot]
12:32:50 PM

News Item 4766 Microsoft Taking Longer to Fix Flaws.

An anonymous reader writes "A look back at the last three years of security patches from Microsoft shows Redmond is taking at least 25 percent longer to issue patches for 'critical' vulnerabilities, now averaging around 135 days to issue a fix. The exception appears to be with 'full disclosure' flaws, for which Redmond issued fixes in an average of 46 days last year." [Slashdot]
12:28:56 PM

News Item 4765 ABC News: Poll: Broader Concern on Privacy Rights, But Terrorism Threat Still Trumps

Three in 10 Americans believe the federal government has made unjustified intrusions into personal privacy as it investigates terrorism. That's nearly double the level of concern shown a few years ago, but it's still far from a majority view.

More broadly, the public still grants investigating terrorism a higher priority than guarding privacy rights, but by somewhat less of a margin than in the past. And Americans divide about evenly on the specific issue of warrantless wiretaps by the National Security Agency: Fifty-one percent call them acceptable in investigating terrorism, 47 percent unacceptable -- views that are marked by huge partisan and ideological gaps.


12:03:53 PM

News Item 4764 Phone Tap: How's the Traffic?

Missouri officials say there's no Big Brother agenda in a state project to manage traffic on the highways by snagging data from commuters' cell phones. But privacy advocates are cautious. [Wired News: Security Blanket]
11:59:16 AM

News Item 4763 Data for 55,000 customers stolen from Bahamas hotel.

Personal information for 55,000 customers, including bank data and Social Security numbers, has been stolen from a database at the upmarket Atlantis Resort in the Bahamas. [Computerworld Privacy News]
11:56:51 AM

News Item 4762 7news national news - Labor would consider ID cards: Macklin

The Labor party would consider supporting the introduction of national identity cards, acting Opposition Leader Jenny Macklin said.

"Obviously people have a number of privacy concerns (about the cards), but if the government puts forward a serious proposal we'll have a look at it," Ms Macklin said.

She said Labor would rather see improved security at airports and ports.


11:53:39 AM

News Item 4761 Differing Views on Terrorism

Americans overwhelmingly support aggressive government pursuit of terrorist threats, even if it may infringe on personal privacy, but they divide sharply along partisan lines over the legitimacy of President Bush's program of domestic eavesdropping without court authorization, according to a new Washington Post-ABC News poll.

Nearly two in three Americans surveyed said they believe that federal agencies involved in anti-terrorism activities are intruding on the personal privacy of their fellow citizens, but fewer than a third said such intrusions are unjustified.


11:49:44 AM

News Item 4760 Law Librarian Blog: Recent CRS Reports on Civil Rights and Liberties

Abstract: On December 9, 2005, House and Senate conferees reported out the USA PATRIOT Improvement and Reauthorization Act (H.R. 3199). The House agreed to the conference report on December 14, 2005, whereas the Senate has yet to take action on it. On December 22, 2005, the House and Senate passed a bill (S. 2167) that extended the sunset of certain provisions of the USA PATRIOT Act and the lone wolf provision of the Intelligence Reform and Terrorism Prevention Act of 2004, originally set to expire on December 31, 2005, until February 3, 2006. This report is a side-by-side comparison of existing law, the conference report version of H.R. 3199, and the version of H.R. 3199 that the Senate sent to conference.
11:47:07 AM

News Item 4759 Americans Want Terrorists Caught [ABC/WaPo Poll]

An ABC News/Washington Post poll released today has interesting information about Americans' attitudes toward civil liberties and fighting terrorism.

The poll, first of all, was demographically balanced, with 31% Democrats and 30% Republicans, so the results shouldn't be skewed. The Post's article on the poll makes the results seem more even-handed than they really are. Here are the key data:

6. What do you think is more important right now - (for the federal government to investigate possible terrorist threats, even if that intrudes on personal privacy); or (for the federal government not to intrude on personal privacy, even if that limits its ability to investigate possible terrorist threats)?

Investigate threats: 65% Respect privacy: 32% No opinion: 3%

7. In investigating terrorism, do you think federal agencies are or are not intruding on some Americans' privacy rights?

Are: 64% Are not: 32% No opinion: 4%

8. (IF FEDERAL AGENCIES ARE INTRUDING, Q7) Do you think those intrusions are justified or not justified?

Justified: 49% Not justified: 46% No opinion: 5%

Unfortunately, we have no definition of what constitutes "intruding on some Americans' privacy rights." But, using whatever definition respondents assume, two-thirds of Americans believe that no "unjustified" intrusions are taking place.

These questions and answers strike me as more meaningful than the one that specifically addresses the current NSA "spying" controversy, where the numbers basically follow a partisan breakdown: 51% consider "this wiretapping of telephone calls and e-mails without court approval" acceptable, while 47% call it unacceptable.


11:40:40 AM

News Item 4758 Washington Post-ABC News Poll Jan. 5-8, 2006 (washingtonpost.com)

6. What do you think is more important right now - (for the federal government to investigate possible terrorist threats, even if that intrudes on personal privacy); or (for the federal government not to intrude on personal privacy, even if that limits its ability to investigate possible terrorist threats)?

          Investigate   Respect   No
          threats       privacy   opin.
1/8/06    65            32        3

Compare to:
What do you think is more important right now - (for the FBI to investigate possible terrorist threats, even if that intrudes on personal privacy); or (for the FBI not to intrude on personal privacy, even if that limits its ability to investigate possible terrorist threats)?

          Investigate   Respect   No
          threats       privacy   opin.
9/7/03    73            21        5
9/8/02    78            18        4
6/9/02    79            18        3

7. In investigating terrorism, do you think federal agencies are or are not intruding on some Americans' privacy rights?

          Are   Are not   No opinion
1/8/06    64    32        4

8. (IF FEDERAL AGENCIES ARE INTRUDING, Q7) Do you think those intrusions are justified or not justified?

          Justified   Not justified   No opinion
1/8/06    49          46              5



11:37:23 AM

News Item 4757 Apple Patches QuickTime Vulnerabilities.

Flaws could allow attackers to run malicious code on Mac OS X and Windows PCs. [PCWorld.com - Latest News Stories]
11:32:04 AM

News Item 4756 Microsoft Patches Two Critical Flaws.

Software giant issues fixes for Windows, Outlook, and Exchange. [PCWorld.com - Latest News Stories]
11:30:55 AM

News Item 4755 Feds to banks: Put security policies in writing | Tech News on ZDNet

Even if federal law doesn't explicitly say so, all companies that handle personal information for their customers should have written security policies, a computer security attorney said Tuesday. 

Last month, the Federal Reserve Board, which governs the U.S. banking industry, issued a new guide stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle.

Among other things, those entities are expected to tightly control who can access their customer information systems. They are also called on to monitor physical storage of paper records, set up monitoring systems to detect intruders and provide written contracts outlining how they will respond to suspected breaches.

The new Federal Reserve guidelines don't actually set forth new rules, but they do attempt to clarify some of the legalese contained in the 1999 Gramm-Leach-Bliley Act, which outlined data security standards for financial institutions.


11:24:41 AM