Thursday, February 2, 2006


News Item 5072 Sen. Leahy Calls NSA Program "Illegal". - NewsHour with Jim Lehrer Podcast | PBS; 1/24/06

Sen. Leahy Calls NSA Program "Illegal". In response to the Attorney General, Sen. Patrick Leahy, D-Vt., rebuffed the White House's argument for domestic surveillance, and said the NSA program greatly damages civil liberties in America. By NewsHour with Jim Lehrer. [NewsHour with Jim Lehrer Podcast | PBS]
4:00:31 PM

News Item 5071 Attorney General Defends Domestic Surveillance Program. - NewsHour with Jim Lehrer Podcast | PBS; 1/24/06

Attorney General Defends Domestic Surveillance Program. Attorney General Alberto Gonzales told the NewsHour that President Bush has "inherent authority under the Constitution" to authorize the NSA's highly scrutinized surveillance program. By NewsHour with Jim Lehrer. [NewsHour with Jim Lehrer Podcast | PBS]
3:58:18 PM

News Item 5070 IT Conversations: Daniel Golding and Trent Henry - Security and Network Perspectives on Spam

While users are waging a one-on-one battle against spammers, and often feel as though they're on the losing side, enterprise IT administrators are waging the same battle on a much larger scale. Trying to defend an organization's entire infrastructure and all of its users from the increasingly persistent and dangerous attacks of a growing legion of spammers, they soldier bravely along using whatever tools they have at hand. At Burton Group's 2005 Catalyst Conference, Burton Group Senior Analysts Trent Henry and Daniel Golding discuss some tools and best practices in the enterprise-level battle against spam.

Henry and Golding describe some different types of spam and detail some of the risks to the enterprise, from the security and bandwidth costs of inbound spam to the risks to an organization's reputation when outbound spam seems to originate from within the organization. They discuss a few spamming techniques and detail some of the tools available, with an emphasis on user education, sender authentication techniques and message security/hygiene. Risks-to-come, such as SPIM (Instant Messaging Spam) and SPIT (IP Telephony Spam) are briefly touched on. The good news, according to Henry and Golding, is that while it might not seem like it, we're winning the war.
3:54:09 PM

News Item 5069 IT Conversations: Ben Laurie - Apache and SSL

Lately, there have been a lot of comparisons between the security vulnerabilities of the competing server platforms IIS by Microsoft and the open source Apache. At Apachecon 2005, Opening Move's Scott Mace caught up with Ben Laurie, Director of Security for the Apache Foundation and this very question was addressed. They also discuss many of the issues about security facing the Apache Foundation.

Since Apache is part of a standard set of server tools, known as LAMP (Linux, Apache, mySQL and PHP), some security vulnerabilities that are attributed to Apache are actually inherent in other applications. However, Laurie points out that Apache is built with security as a main concern, rather than an added component. He argues that the combination of security at the core along with diligent bug fixes make Apache a secure solution.

This talk starts with an overview of the Apache vs. Microsoft controversy, and some accessible explanations about the development of Apache. In the second half, Laurie delves more deeply into specifics about Apache, SSL, TLS and other security issues.
3:50:46 PM

News Item 5068 Ed Amoroso: Frontline Security.

Ed Amoroso: Frontline Security. Businesses should book software not as an asset, but as a liability. That's just one of Ed Amoroso's provocative ideas. Like medicine, software engineering should require "years of tortured residency." Homeland Security should work with hackers to fight terrorism. We should discard our firewalls and let broadband carriers filter attacks in the cloud. In this interview with Sondra Schneider, the AT&T CSO also describes AT&T's 24x7 TV network for security professionals. [Frontline Security audio from IT Conversations] [ITC: All Programs]
3:42:49 PM

News Item 5067 Boing Boing Threatened By Software Creator.

Boing Boing Threatened By Software Creator. mfh writes "StarForce has issued threats to Boing Boing's Cory Doctorow in retaliation to Cory's post about the anti-copy malware that installs itself along with many popular (and unpopular) video games." --- From the BoingBoing post: "Yesterday, I posted about StarForce, a harmful technology used by game companies to restrict their customers' freedom. StarForce attempts to stop game customers from copying their property, but it has the side-effects of destabilizing and crashing the computers on which it is installed. Someone identifying himself as 'Dennis Zhidkov, PR-manager, StarForce Inc.' contacted me this morning and threatened to sue me, and told me that he had contacted the FBI to complain about my 'harassment.'" [Slashdot: Your Rights Online]
3:32:22 PM

News Item 5066 Newspapers Wrapped in Credit Card Data.

Newspapers Wrapped in Credit Card Data. Buzzy's Roast Beef writes "The Boston Globe reports that bundles of newspapers in Worcester, MA were distributed wrapped in paper which contained subscriber credit card information for 240,000 customers. Those of you paying by check needn't worry; account and routing details for 1,100 customers paying by check were also given out like candy." From the article: "Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach yesterday morning, Larkin said. The company put out a news release late yesterday afternoon." [Slashdot]
3:27:07 PM

News Item 5065 Kama Sutra Worm Could Make For A Bad Friday.

Kama Sutra Worm Could Make For A Bad Friday. mikey1134 writes "CNN is running a story about the Kama Sutra worm, a virus that is coded to overwrite files of the (potentially thousands of) infected computers. They provide some background on this viral outbreak and warn users to protect themselves." From the article: "And even for home computer users who have never taken such precautions before, security experts say now would be a good time to back up your most important data, like financial information and family photographs, to CDs, DVDs, zip drives, or an external hard drive that you know is worm and virus free. Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no 'patch' that can be downloaded to ward off Kama Sutra." [Slashdot]
3:21:01 PM

News Item 5064 Hendersonville Times-News / Overhaul Urged for Laws on AIDS Tests and Data

New York City's health commissioner, Dr. Thomas R. Frieden, called yesterday for changing state laws so that health officials could more aggressively test people for H.I.V. and AIDS and use the medical information the city already collects to help treat those infected.

Currently, the city and the state collect detailed data about specific patients with H.I.V./AIDS, with their names attached, but health officials are prevented by law from using that information to contact those patients or their doctors about their treatment.

In addition to wanting to change those laws, Dr. Frieden also wants to make testing for the virus a routine part of medical care, simplifying the process by which a patient consents to be tested.

"We know people are dying," Dr. Frieden said yesterday as he outlined his proposals publicly for the first time. "And we are prohibited by law from lifting a finger to try and help."

The collection of state laws governing the public health response to H.I.V./AIDS was created nearly two decades ago, and it has been fiercely defended by both lawmakers and patient advocates ever since. From the beginning, AIDS was treated differently from any other infectious disease, so Dr. Frieden could face stiff political resistance. He stressed that he is in no way proposing mandatory testing or treatment.

3:16:15 PM

News Item 5063 Bush Keeps Privacy Posts Vacant.

Bush Keeps Privacy Posts Vacant. While domestic surveillance is growing, neither the president nor Congress is racing to fill key privacy and civil liberties jobs in Washington. By Ryan Singel. [Wired News: Security Blanket]
3:11:49 PM

News Item 5062 Lawmakers promise action against phone-record sales.

Lawmakers promise action against phone-record sales. Lawmakers were united yesterday in their call to take action against businesses that sell phone records without the permission of the telephone customer. But some telecommunications industry representatives were less than supportive. [Computerworld Privacy News]
3:08:28 PM

News Item 5061 Cellcos and senate vs social engineering | The Register

New legislation proposed by Senator Chuck Schumer (D, NY) and backed by heavyweights from both major parties, seeks to criminalize both the practitioners and the dupes of "social engineering".

That's just a fancy way of smooth-talking someone out of some information they shouldn't normally impart, but it has been the most effective technique for fraudsters, hackers and private eyes over the years.

Schumer's bill, the proposed Consumer Telephone Records Protection Act of 2006, makes disclosing a subscriber's phone records an offence. It specifically outlaws making false statements or providing phoney documentation to a phone provider in order to obtain the records, and accessing an account over the net without the subscriber's authorization.

According to the Electronic Privacy Information Center (EPIC), over 40 websites including celltolls.com and locatecell.com have been trading in a black market in call records.
3:00:57 PM

News Item 5060 First IE 7 Beta 2 Bug Found.

First IE 7 Beta 2 Bug Found. Security researcher needed just 15 minutes to find a flaw in Microsoft's browser. [PCWorld.com - Latest News Stories]

Editor: 15 minutes? Makes you wonder what type of testing Microsoft did.

2:56:38 PM

News Item 5059 IT Architect's Weblog: Got Rootkits? Time to 'Fess Up

Enterprise software vendors beware. If you have included rootkit-like technology in your products, now is the time to step forward, publicly own up to it, and get rid of it right away. Otherwise some enterprising hacker is going to do it for you.

Cases in point are the programmer Mark Russinovich and the research team at software vendor F-Secure. They are prowling the hidden paths of commercial products in search of rootkits. Both were involved in breaking the story on the Sony rootkit, and both have added Symantec's Norton SystemWorks to the roster of products with rootkit-like technology built in by the vendor. (SystemWorks included a directory hidden from Windows APIs that stored deleted files that could be restored if a user wanted them. An attacker could potentially use this directory to hide malware.) In addition, Russinovich says he's found rootkit technology in products from anti-virus vendor Kaspersky Labs, though Kaspersky disputes the claim. (Note that Russinovich and F-Secure aren't working together, but they both have rootkit detection technology and seem to be making good use of it.)

In fact, the real danger isn't that a security researcher will find rootkit technology in commercial products, it's that a criminal will. At least Russinovich and F-Secure will notify the vendor. If a bad guy can exploit a product's ability to hide files and processes from Windows and from security software, he or she will keep it as quiet as long as possible to wreak as much havoc as possible.


2:53:38 PM

News Item 5058 Parliament committee hears DRM rights and wrongs.

Parliament committee hears DRM rights and wrongs.

Oral evidence

The All Party Parliamentary Internet Group met today to hear oral evidence to help it prepare a report into Digital Rights Management.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
2:49:50 PM

News Item 5057 RFID passport logo (or "mark of the beast"?).

RFID passport logo (or "mark of the beast"?).

How can you tell if your passport contains an RFID chip?

Look for this logo on the label:

[Image: RFID passport logo]

If there's an RFID chip in your passport, identity thieves, terrorists, direct marketers, data aggregators, malicious governments, or anyone else with a radio receiver within 10 meters (30+ feet) or more whenever your passport is read at a border crossing, airport, etc. can secretly and remotely track you, log your movements through the unique "collision avoidance" ID number sent by the chip, and intercept and decrypt all the data (including your digital photo and, in some countries, your digitized fingerprints) needed to "clone" a perfect copy of your passport, forge other identity credentials, or impersonate you.

All passports that contain ICAO standard (ICAO document 9303) RFID chips (ISO standard 14443) are supposed to have this logo on the front cover, printed or embossed in such a manner that it can't readily be effaced or removed without leaving conspicuous traces. Border guards and immigration inspectors need to be able to distinguish quickly and reliably between a (valid, for the time being) passport that never contained an RFID chip, and an invalid (under current USA regulations and, I expect, similar regulations in other countries that are putting RFID chips in passports) passport that contains a defective or disabled RFID chip.

[The Practical Nomad]
2:46:51 PM

News Item 5056 InformationWeek | IP Telephony Security | Botnet Herders Hide Behind VoIP | January 27, 2006

Jon Crowcroft, a Cambridge professor and the lead CRN researcher on the problem, noted that if botnet "herders," the term given to attackers who control large numbers of bot-infected PCs, turn to VoIP applications for command and control, security experts might find it impossible to trace back an attack to the perpetrator.

Current practice by most botnet herders is to issue commands to their armies of "zombie" machines over IRC (Internet Relay Chat) channels, or less frequently, via instant messaging (IM).

Crowcroft argued that attackers could use VoIP's ability to dial in and out of its overlays to make their tracks impossible to trace. In addition, proprietary protocols -- in some cases used by VoIP software to ensure ISPs can't block their applications -- make it tough for providers to track DoS attacks. Ditto for the encryption these applications offer and their peer-to-peer approach to routing packets.

"While these security measures are in many ways positive," said Crowcroft in a statement, "they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks."


2:42:36 PM

News Item 5055 Lawmakers Promise Action Against Phone Record Sales.

Lawmakers Promise Action Against Phone Record Sales. House hold hearing on proposal to outlaw unauthorized sale of telephone records. [PCWorld.com - Latest News Stories]
2:38:25 PM

News Item 5054 Firefox Update Mends 8 Security Flaws.

Firefox Update Mends 8 Security Flaws. Mozilla has issued a new version of its Firefox Web browser to fix multiple security holes, at least one of which appears fairly serious. The new release updates version 1.5; if you're using this version (check and see by selecting Help from the top menu, and then About Mozilla Firefox), you should grab the latest version from here. [Security Fix]
2:34:35 PM