Thursday, January 4, 2007


News Item 7970  Proposal expands DNA use by police - S.C. program would be nation's most-aggressive - Post and Courier | Charleston.net

COLUMBIA - Police would have the power to seize DNA samples from anyone arrested for a crime - from shoplifting to murder - under legislation proposed by state lawmakers.

The measure would provide South Carolina with the most aggressive DNA sampling program in the nation, allowing authorities to collect a person's genetic profile for even petty offenses before he or she is tried for the crime.

Senate Pro Tem Glenn McConnell said the proposed legislation is part of a package of bills aimed at cracking down on increasing violence. Maintaining a bank of DNA samples will help police solve cases quicker and aid in the investigations of cold cases while also ensuring the falsely accused aren't prosecuted for crimes they didn't commit, he said.

Some civil rights advocates are afraid the legislation on DNA sampling goes too far, although McConnell said it has safeguards built in to ensure constitutional rights are protected.

Barbara Joslin of Charleston, a spokeswoman for the American Civil Liberties Union of South Carolina, said the organization stands against DNA collection unless DNA is part of the crime scene evidence. Otherwise, it's seen as a privacy offense and a steady decline of rights, she said.

[...]

Still, the bill would take South Carolina farther along this road than any other state. The federal government and seven states currently allow DNA samples to be taken from suspects at the time of arrest. But those states, which include California, Louisiana and Virginia, limit it to specific violent offenses or felony arrests, said Lisa Hurst, a government-affairs consultant with DNAResource.com, which tracks DNA usage by law enforcement.

New York recently enacted a measure requiring DNA samples in connection with a wide array of misdemeanor offenses, but the offender has to be convicted first, Hurst said.

[...]

"It is no more invasive than fingerprinting," McConnell said. "What could be wrong with it? I don't see where it infringes on anyone's rights. I see a tremendous amount of benefit for the law-abiding public."

Charleston School of Law professor Miller Shealy, a former federal prosecutor, said DNA technology has become widely accepted and that the courts commonly allow its use in criminal cases. But the courts have yet to weigh in on whether genetic material can be collected routinely during the booking process just to maintain a crime-solving database, he said.

"Can you just automatically get it? That's a line the courts have not officially ruled on yet," he said.

South Carolina's samples helped feed the national DNA databank overseen by the FBI.


1:11:48 PM

News Item 7969 Patch Issued for Critical OpenOffice.org Flaw.

WMF vulnerability in free productivity suite could allow hackers to run malicious code. [PC World: Latest Technology News]
12:58:50 PM

News Item 7968 Internet Explorer Unsafe for 284 Days in 2006.

Security Fix spent the past several weeks compiling statistics on how long it took some of the major software vendors to issue patches for security flaws in their products. Since Windows is the most-used operating system in the world, it makes sense to lead off with data on Microsoft's security updates in 2006.


First, a note on the methodology behind this blog post: The data presented here builds on a project I began in late 2005 looking back on three years of efforts by Microsoft to address only the most severe security holes in its software. I conducted that same research again last month, individually contacting nearly all of the security researchers who submitted reports of critical flaws in Microsoft products to learn from them not only the dates that they had submitted their findings to the company, but also any other security trends or anomalies they observed in working with the world's largest software maker.

Several weeks prior to posting this information, I shared the data I had gathered with Microsoft. The officials I dealt with helpfully concurred or quibbled slightly with some of my findings, but the company raised no objections that would materially affect the results presented in this particular study of IE flaws. In fact, if you examine the links included in the vulnerability chart that accompanies this post, you can see for yourself how the data is supported by information posted on the Web over the past year.

Patching Internet Explorer in 2006

For all its touted security improvements, the release of Microsoft's new Internet Explorer 7 browser in November came too late in the year to improve the lot of IE users, who make up roughly 80 percent of the world's online community. For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.

Microsoft labels software vulnerabilities "critical" -- its most severe rating -- if the flaws could be exploited to criminal advantage without any action on the part of the user, or by merely convincing an IE user to click on a link, visit a malicious Web site, or open a specially crafted e-mail or e-mail attachment.

[The chart posted here shows the overlap of threats from various IE flaws throughout the year.]

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.

Criminals specializing in Internet fraud continued to ply much of their trade with the aid of security flaws in the Microsoft browser last year. In 2006, the company issued patches to fix a total of four "zero-day" flaws in IE. Zero-day (or 0day) attacks are so named because software vendors have no time to develop a fix for the flaws before they are exploited by cyber crooks for financial or personal gain.

The first major flaw in a Windows program last year involved one that could be easily exploited via Internet Explorer. In late December 2005, experts tracked organized criminals hacking into sites and seeding them with code that installed password-stealing spyware on machines used by anyone who merely visited the sites with IE. Microsoft initially downplayed the severity of the attacks, until it became clear that the threat was fairly widespread and that thousands of customers had already been attacked in the span of a few days. The threat was seen as so severe that a large number of security experts urged users to download and install a patch produced by a third party until Microsoft developed an official fix.

In September, attackers would exploit an unpatched flaw in non-Microsoft Web server software to install malicious code on thousands of legitimate Web sites that could infect Windows machines when users merely browsed the sites with IE. Much like the IE flaw first detected in December 2005, this sophisticated attack by organized criminals also would prompt a series of third-party security patches in the days before Microsoft issued an official update.

Check back with Security Fix on Friday for a look at the number of vulnerabilities that Microsoft patched in its Office applications last year.

[Security Fix]
12:55:46 PM

News Item 7967 Bush Claims Mail Can Be Opened Without Warrant.

don_combatant writes to note that President Bush claimed new powers to search US Mail without a warrant. He made this claim in a "signing statement" at the time he signed a postal overhaul bill into law on December 20. The signing statement directly contradicts part of the bill he signed, which explicitly reinforces protections of first-class mail from searches without a court's approval. According to the article, "A top Senate Intelligence Committee aide promised a review of Bush's move." [Slashdot: Your Rights Online]
12:39:49 PM

News Item 7966 The Seattle Times: Nation & World: Bush says feds can open mail without warrant

President Bush quietly has claimed sweeping new powers to open Americans' mail without a judge's warrant.

Bush asserted the new authority Dec. 20 after signing legislation that overhauls some postal regulations. He then issued a "signing statement" that declared his right to open mail under emergency conditions, contrary to existing law and contradicting the bill he had just signed, according to experts who have reviewed it.

A White House spokeswoman disputed claims that the move gives Bush any new powers, saying the Constitution allows such searches.

Still, the move, one year after The New York Times' disclosure of a secret program that allowed warrantless monitoring of Americans' phone calls and e-mail, caught Capitol Hill by surprise.

"Despite the president's statement that he may be able to circumvent a basic privacy protection, the new postal law continues to prohibit the government from snooping into people's mail without a warrant," said Rep. Henry Waxman, D-Calif., the incoming House Government Reform Committee chairman, who co-sponsored the bill.

Experts said the new powers could be easily abused and used to vacuum up large amounts of mail.

"The [Bush] signing statement claims authority to open domestic mail without a warrant, and that would be new and quite alarming," said Kate Martin, director of the Center for National Security Studies in Washington.

"You have to be concerned," a senior U.S. official agreed. "It takes executive-branch authority beyond anything we've ever known."

A top Senate Intelligence Committee aide promised a review of Bush's move.


12:37:43 PM

News Item 7965 U.S. Bars Lab From Testing Electronic Voting - New York Times

A laboratory that has tested most of the nation's electronic voting systems has been temporarily barred from approving new machines after federal officials found that it was not following its quality-control procedures and could not document that it was conducting all the required tests.

The company, Ciber Inc. of Greenwood Village, Colo., has also come under fire from analysts hired by New York State over its plans to test new voting machines for the state. New York could eventually spend $200 million to replace its aging lever devices.

Experts on voting systems say the Ciber problems underscore longstanding worries about lax inspections in the secretive world of voting-machine testing. The action by the federal Election Assistance Commission seems certain to fan growing concerns about the reliability and security of the devices.

The commission acted last summer, but the problem was not disclosed then. Officials at the commission and Ciber confirmed the action in recent interviews.

Ciber, the largest tester of the nation's voting machine software, says it is fixing its problems and expects to gain certification soon.

Experts say the deficiencies of the laboratory suggest that crucial features like the vote-counting software and security against hacking may not have been thoroughly tested on many machines now in use.

"What's scary is that we've been using systems in elections that Ciber had certified, and this calls into question those systems that they tested," said Aviel D. Rubin, a computer science professor at Johns Hopkins.


12:35:10 PM

News Item 7964 Feds Shut Down E-voting Certification Lab

Colorado-based Ciber Inc., the largest laboratory that tests software used in U.S. voting systems, has been temporarily banned from approving new systems following problems discovered last summer by the Election Assistance Commission. In July, the EAC began a new oversight program that increased the level of scrutiny that independent testing authorities ("ITAs") must satisfy in order to be able to review candidate voting systems. The EAC found that Ciber was not following proper quality-control procedures and could not document that it was conducting all the required tests. Ciber's renewed petition for accreditation is currently under EAC review.

The ITA review process, largely closed and funded by voting machine vendors themselves, is regularly criticized for its lack of transparency and procedures that are insufficient to ensure that systems are accurate and secure.

[EFF: Deep Links]
12:31:45 PM

News Item 7963 ABC News: Catching a Killer, With Help From a Camera

It's not so unusual anymore for those cameras to catch criminals in the act. But as the number of surveillance cameras increases, it seems not even random crimes on deserted streets in the dark of night can escape.

The footage from those post office cameras would be crucial to investigators as they pieced together exactly what happened to McDermott.


3:00:17 AM

News Item 7962 Cameras Help Cops Catch a Killer.

CrazedWalrus writes "Philadelphia police recently captured a serial killer with the help of a combination of Homeland Security and private surveillance cameras. Police examined video from 50 different cameras and pieced together relevant footage from 12 of them, and eventually were able to identify the murderer. Once caught, he confessed to several other murders spanning the past eight years. Without these cameras this killer would probably be stalking the streets of Philadelphia today. With results like that, is there really a good basis for argument against these cameras?" [Slashdot: Your Rights Online]
2:55:37 AM

News Item 7961 Critical QuickTime Flaw Discovered.

Apple's media player leaves Windows and Mac users open to attacks from malicious Web sites. [PC World: Latest Technology News]
2:48:33 AM

News Item 7960 Securing a Converged Network.

This paper will examine what is required to secure a converged network to provide the same type of worry-free communications that circuit-switched networks provided for years. By Steve Sullivan. [Infosec Writers Latest Security Papers]
2:42:42 AM