Updated: 24.11.2002; 17:11:43 Uhr.
disLEXia
lies, laws, legal research, crime and the internet

Monday, September 2, 2002

RIAA Site Hit With Denial-of-Service Attack

Attack began just one day after controversial legislation was proposed to crack down on peer-to-peer piracy. [IDG.net]
23:30 # G!

Israeli teenagers charged with Goner virus outbreak

Five Israeli teenagers have been charged with creating and spreading the W32/Goner-A virus, which spread rapidly on the Internet after its release in December last year.
21:44 # G!

HP threatens security researchers with DMCA

Hewlett Packard has threatened to use computer crime laws and the controversial Digital Millennium Copyright Act to muzzle a group of security researchers who unearthed a flaw in its Tru64 operating system. The threat comes in a letter to SnoSoft from HP Veep Kent Ferson warning that the security researchers "could be fined up to $500,000 and imprisoned for up to five years" for its role in publishing code that demonstrated the vulnerability, CNET's Declan McCullagh reports. [The Register: HP invokes DMCA to quash Tru64 bug report]

HP later said that the reported letter to SnoSoft threatening use of the DMCA against the firm "was not consistent or indicative of HP's policy". [The Register: HP withdraws DMCA threat]
21:40 # G!

Uncovering a computer's secrets

Mark Eddo discovers how easy it is to find data on a hard disk even if it has been deleted or reformatted. [Help Net Security - News]
21:02 # G!

(ISC)2 Spamming?

Numerous security enthusiasts, including ourselves, have been receiving odd e-mails appearing to be from the International Information System Security Certification Consortium (ISC)2 which notify recipients that their personal information is being sold to third parties. The message indicates that this data includes names, addresses, occupation details, credit card numbers, and social security numbers; for a processing fee, they will "consider" deleting your records - everyone else will be charged an additional fifty dollars. No one is sure whether the message is true or not, although the headers indicate that it is coming from an ISC address - perhaps a disgruntled employee? Cryptome has posted the e-mail with some notes, and the ISC's site has a very vague notice warning of spoofed messages that aim to discredit their organization. [hideaway.net]

I got such a 'legal notification', too. Mine originated at a dial-in IP and was delivered directly to my mailserver. Headers indicated it was sent with a spam tool.
20:52 # G!

Large IT security gaps at German companies

In German companies, the debate about IT security is followed by too little action. One third have taken no steps in the past twelve months to improve their protection against hacker attacks. This is the result of a survey by Informationweek. According to it, companies with more than 100 employees will spend a total of 7.3 billion euros on information security this year -- around 410 euros per employee. Ten percent of the IT budget is devoted to security. [heise online news]
20:39 # G!

Beginners Guide to Spoofing - by Tricker

AntiCrack - Deutschland [News Is Free: Security]
20:28 # G!

German Blog Fake-Address Craze Seems to Come to an End

Recently German bloggers went crazy about getting rid of spammers by putting a lot of fake e-mail addresses onto blogs. I was guilty of this, too - ca. 1997. Now Funkenfeuer, eBiz, edings and others speak up against this. Fake addresses have been tried for years and they just don't work. See Wpoison Sets Trap for Spam Weasel [Wired News] for historical interest.
20:21 # G!

Sch(r)ille plenary minutes

Because the topic came up yesterday: the minutes of the plenary session with Mr Schill can be downloaded at http://www.bundestag.de/pp/251/index.html.
19:54 # G!

INTRODUCTION TO DENIAL OF SERVICE - by Hans Husman

AntiCrack - Deutschland via [News Is Free: Security]
19:45 # G!

South Carolina Judges Seek to Ban Secret Settlements

South Carolina's 10 active federal trial judges have unanimously voted to ban secret legal settlements, saying such agreements have made the courts complicit in hiding the truth about hazardous products, inept doctors and sexually abusive priests.

"Here is a rare opportunity for our court to do the right thing," Chief Judge Joseph F. Anderson Jr. of United States District Court wrote to his colleagues, "and take the lead nationally in a time when the Arthur Andersen/Enron/Catholic priest controversies are undermining public confidence in our institutions and causing a growing suspicion of things that are kept secret by public bodies."

[Privacy Digest]
19:14 # G!

Know Your Enemy: Worms at War

[News Is Free: Security]
18:25 # G!

Cornell Actively Disciplines Student DMCA Violators

All students at Cornell University were recently sent the following memo. In addition to actively enforcing the DMCA on campus, Cornell Judicial Administrators operate under a presumption of guilt and sentence students to mandatory community service without forcing the complainant to prove the individual accused was actually responsible for downloading the file. The DMCA does not require violators to be prosecuted, at ISPs' expense, in order for them to maintain common carrier status. However, the university is actively selling students out in order to cover its own ass. I am wondering how common this has become. I remember, a couple of years ago, that some universities were actively trying to shield students from prosecution. Is your school actively disciplining DMCA violators? What schools still protect their students? As an aside, I sure hope that at least some of the students who receive sentences of community service work with the EFF! [kuro5hin.org]
18:14 # G!

U.S.: Cyber Strike Could Earn Military Response

Security experts agree that a sustained cyber attack against the United States is probable, since it is cheaper, easier and less dangerous than other forms of attack. [NewsFactor Cybercrime & Security]

This leads us to the interesting question of how to distinguish between cybercrime and cyberwar. The first should be handled by law enforcement; the second might be handled by military force.
18:01 # G!

Daylight Robbery! The Legal and Illegal Use of Web Graphics

Almost every Web designer has had their work copied at some stage. But what are the legalities of Web graphics - their creation and use? Mike reveals all... [Article Central - Legal Issues]
12:25 # G!

Kentucky prison suspends satanic services

The Kentucky Department of Corrections has suspended formal satanic worship services at the Green River Correctional Complex while officials work to shape a statewide policy on the practice.

Inmates at Green River, a medium-security prison in Central City, had been allowed to hold weekly satanic services this summer as part of the official religious services calendar, said Lisa Carnahan, a Corrections spokeswoman. [CNN - LAW]
12:23 # G!

Understanding Cross-Site Scripting

Tim discusses cross-site scripting, a vulnerability widely known yet still prevalent on many web sites that allows an attacker to insert malicious code in dynamically generated web pages. [Article Central - Security]
12:18 # G!

A quick intro to Buffer Overflows Attacks

Robert Vamosi over at ZDNet provides a great little, not too technical introduction to buffer overflow attacks. You might use this to explain buffer overflow attacks to non-technical personnel etc. [Financial Applications Security Weblog]
12:17 # G!

Contracts Getting Tough on Security

Enterprise IT managers and CIOs, growing impatient with security vulnerabilities, are fighting back with language in contracts that holds software companies liable for breaches and attacks that exploit their products.  ...

... For example, a Fortune 50 company recently wrote a clause into a contract with a major software company that holds the vendor responsible for any security breach connected to its software, according to sources familiar with the deal. [eWeek]

This is definitely a trend we will see continue. Not just for commercial software but also in internal and external agreements for software development or service providing.

For service providers, I would imagine that this would become addenda to their existing Quality of Service agreements. Some of these current agreements might already be good enough as they are to cover such events. But of course as the service providers get hit by more and more of these issues, they will naturally want to pass the buck onto the software providers.

[Financial Applications Security Weblog]
12:15 # G!

Online Scam Targets Amazon Customers

Hundreds of Amazon.com customers have been targeted by an e-mail scam set up to steal billing information. The messages were designed as order confirmations for products that the recipients did not order, and included a link for cancelling the purchase. That URL, disguised as a legitimate Amazon.com address, led victims to a fake web site which asked for credit card information and address details to confirm the cancellation. The ISP hosting the spoofed site has shut it down, and Amazon claims no customers were successfully duped by the scam. [Hideaway.Net] see also Bogus E-mails Traded on Amazon's Name [LinuxSecurity.com - Latest News]
12:12 # G!

http://www.idg.net/crd_idgsearch_940272.html

An IBM researcher is building a database that applies a physician's code of ethics to the way it handles your personal data. [ACM Tech News]

If they had a conscience, could they be punished for doing wrong?
12:07 # G!

Europe's tough privacy rules spill over to U.S.

As backers of privacy protection bills fight an uphill battle in the California Legislature, Europe's strict approach to data protection is forcing many U.S.-based tech companies to raise the bar.

A case in point is the Federal Trade Commission's recent privacy investigation of Microsoft's Passport, an online ID service that lets people enter one name and password for almost anything they do over the Internet.

Consumer and privacy groups had accused Microsoft of not taking adequate steps to protect consumers' personal information. In a settlement earlier this month, Microsoft admitted no wrongdoing but agreed to government oversight of its consumer privacy policies for the next 20 years.

[ ... ]

``Europeans are extremely concerned about the use of data about people,'' said Rockwell Schnabel, the Netherlands-born U.S. ambassador to the European Union. ``The data privacy issue is a huge issue over there. American partners have to live with those rules, and they can't do with it what they can with American data.''

U.S. companies accustomed to self-regulation may bristle, but overall the effect has been good for consumers, said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C.

He calls Europe's growing influence ``the California effect.'' When California passes legislation, other states end up passing similar laws because the Golden State represents such a major market, and two sets of laws are a hindrance.

[ ... ]

For example, a bank might say it needs information to decide whether to grant a loan, but later the bank might sell the information for another purpose.

``In U.S. this is possible,'' he said. ``Not in Europe.''

[Privacy Digest]
12:01 # G!

raisethefist.com Administrator indicted over website content

RAISETHEFIST.COM ADMINISTRATOR INDICTED OVER WEBSITE CONTENT - Posted 31 Aug 2002 04:33:16 UTC

RaiseTheFist.com administrator Sherman Austin, 19, has been indicted again by the US Federal Government over information posted on his web site. Austin's case first came to national attention last January when FBI and Secret Service agents raided his Los Angeles home and seized his computer, shutting down his web site. In early February, immediately after protests countering the World Economic Forum in New York City, Austin was arrested, charged, and transported back to Los Angeles, where all charges against him were dropped.

Austin was charged under Title 18 § 852(p)(2)(A) of the US Criminal Code, which prohibits the distribution of information about bomb-making if that information is intended for use to commit a violent Federal crime, and under Title 26 § 5861(d), which prohibits the possession of an unregistered firearm. These charges are apparently related to the "Reclaim Guide" section of Austin's site (mirror at CMU thanks to David Touretzky). RAISETHEFIST.COM ADMINISTRATOR INDICTED OVER WEBSITE CONTENT [2600.com] see also Islamistischer Webmaster in den USA angeklagt [heise online news]
12:00 # G!

Hackers Struggling to Find Security Jobs

Reformed hackers are finding it harder and harder to find legitimate jobs in security companies, according to an article in Wired on the trials and tribulations of "Max Vision", aka Max Butler. In the late 90s, Max did a lot of network penetration testing and tipped off the FBI with new developments in hacking and security. But in 1998 he ended up serving a year in federal prison for releasing an Internet worm which patched a serious vulnerability in BIND - and also backdoored each fixed server. Since his release, he's had to resort to begging for minimum wage work, as his criminal record has made him unhireable. Particularly after 9/11, companies are rarely willing to hire former hackers, and a more competitive job market doesn't help either. While such fears are understandable, it still is sad to see such talented people forced to desperation for a chance to come clean and do decent work. [Hideaway.Net]
11:29 # G!

Study: Businesses Neglect Data Warehouse Security

A recent Gartner study has indicated that through 2005, 80% of businesses will not have implemented effective strategies for securing their data warehouses. While much effort is put into protecting front-end systems and transaction processing, DBMS security is often neglected. [Hideaway.Net]
11:25 # G!

German Federal Government initiates Network of IT Emergency Response Teams

Federal Government launches IT emergency system. A network of emergency centres is to secure the information and communication channels in Germany better in future. To that end, a federation of computer teams takes up its work for the first time this weekend, the Federal Ministry of the Interior said [ComputerWoche: Nachrichten]
11:22 # G!

Domain scam merchants get legs sucked by toothless OFT

The Office of Fair Trading has given a stern rebuke to the owners of companies that offered false domain names for $59 - and inadvertently given the green light to hundreds more Internet fraudsters.

TLD Network Ltd and Quantum Management (GB), located at 843 Finchley Road in London, have been "stopped from publishing misleading advertisements for website domain names that are difficult to view on the World Wide Web".

Since June 2001, the companies have been selling .sex, .bet, .brit and .scot domains. Of course, these are not ICANN-approved domains and so can only be viewed as sub-domains or on alternative Internet networks. As such, people that forked out for a domain will have been surprised to find it didn't exist and couldn't be used. [The Register]
11:19 # G!

Survey finds U.S. firms fear cyberattacks over physical attacks

Nando Times Aug 30 2002 4:43AM ET [Moreover - moreover...]
11:13 # G!

Build a Cisco PIX for 800 Australian Dollars

[Slashdot]
11:13 # G!

Cyber-attack fears stir security officers

Nearly half of corporate security officers expect terrorists to launch a major strike through computer networks in the next 12 months, a poll released today shows. [Help Net Security - News]
11:08 # G!

U.S. Hacker Uses FSB's Defense

A Seattle lawyer defending a Russian hacker said he plans to use the same argument against the FBI as the FSB has used -- that FBI agents illegally hacked into a Russian web server to collect evidence against his client.

After luring hacker Vasily Gorshkov to the United States in 2000, FBI agents secretly used a program to log every keystroke he made. They lifted his passwords and used them to enter the main server in Russia and copy files. Only then did the agents get a search warrant in the United States to read what they had downloaded.

Gorshkov was convicted in October of various computer crimes and awaits sentencing Sept. 13 in a federal court in Seattle. He faces a maximum sentence of 100 years in prison. [SecurityFocus / The Moscow Times]
8:18 # G!

High court readies for free speech cases

The Supreme Court is being asked to consider whether shooting at pictures of Saddam Hussein and Osama bin Laden is an expression of free speech or a dangerous drill that could lead to the killing of real people. [CNN - LAW]
8:13 # G!

Attacking Nimda-infected attackers

A presentation at Blackhat last week by Tim Mullen of AnchorIs, offering a novel treatment for the Nimda worm, has caused considerable controversy because it involves taking unauthorized actions against the offending box.[The Register]

Vigilante hacking touted as virus cure

Striking back against a computer that is attacking you may be illegal under U.S. law, but a security researcher says people should be allowed to neutralize one that is unwittingly spreading destructive Internet worms such as Nimda. [ZDnet]

This is full of interesting legal questions. German criminal law has broad support for self-defense against "unrightful attacks", but does this include data sent by worm-infected hosts? There are other statutes for self-defence, but there you have to keep a balance between the damage of the attack and the damage done by the defense. How does that work with a computer worm?
8:04 # G!

The hacker's worst enemy? Another hacker

By far the most entertaining - and controversial - speech of this year's DNSCON, the UK hacker conference, was delivered by Scotsman Gus (something of the Irvine Welsh of the UK's h4xOr scene) who lambasted the Hollywood image of hacking.

Gus, who doesn't admit to being a hacker himself ('that would be criminal') but clearly knows a thing or two, fired his opening shot by saying anybody who thought hacking was glamorous or a "way to get chicks" was hopelessly wrong. [The Register]
7:50 # G!

Catching crooks with e-mail evidence: Electronic messages often leave incriminating trail

Not since the glory days of letter-writing, before the advent of the telephone, have people committed so much revealing stuff to written form as they do in the age of computers.

All those e-mail messages and electronic files are a treasure trove of evidence for law enforcement officers, whether they are targeting terrorists, crooked CEOs or local drug dealers.

The challenge for police and prosecutors is learning how to dig up and preserve these electronic gems.

"Any agent can come in and look through papers, but not every agent can do a thorough computer search," said David Green, deputy chief of the Justice Department's computer crime section, which helps train federal and state investigators.[CNN]
7:48 # G!

Bug Finders: Should They Be Paid?

A security company's offer to pay for information on bugs discovered in software has once again stirred discussions over a long-simmering issue -- whether independent researchers should receive compensation for the flaws they find and how information about security vulnerabilities should be disclosed.

Donors to security information firm iDefense's new Vulnerability Contributor Program will receive cash awards of up to $400 for each report of a software vulnerability. Additional bonuses will be paid if the discoverer agrees to grant iDefense exclusive rights to the information.

Interesting business practice with interesting legal implications - why not call it BlackNet?
7:33 # G!

US government 'ready to go after file swappers'

A US Justice Department official is warning the government is prepared to prosecute individuals who pirate music and movies online.

Deputy assistant attorney general John Malcolm told a conference it's time people understood unlicensed copying is illegal.

He told the Progress and Freedom Foundation's Technology and Politics summit that action is urgently needed to protect the entertainment industry.

Mr Malcolm says the internet has become "the world's largest copy machine" and the time has come to change public perceptions.[Ananova]
7:29 # G!

White-Hat Hate Crimes on the Rise

When hackers broke into Ryan Russell's server and plastered his private e-mails and other personal files on the Internet last week, Russell tried to shrug it off as a harmless prank.

But Russell, editor of Hack Proofing Your Network and an analyst with SecurityFocus.com, also seemed shaken by the incident.

"There's a group out there whose goal in life is to show they're smarter than you and they have the tools to do it," said Russell, a "white-hat" hacker who goes by the nickname "BlueBoar."

The break-in at Russell's Thieveco.com site, which is hosted by a Canadian ISP, appears to be the latest in a series of attacks against white hats and prominent figures in the information security profession.

Claiming responsibility for the attacks is a shadowy group named el8. Earlier this year, members launched Project Mayhem, a campaign designed to "cause worldwide physical destruction to the security industry infrastructure," according to an article published last month in el8's online magazine.[Wired News]

See also "The Hacker Class War".
7:26 # G!

Cybersleuths aid in child porn crackdown

With Friday's bust of an alleged worldwide pedophile ring and the FBI's recent "Candyman" sting of child porn Web sites, investigators say they need to become more aggressive and innovative to stop what has become a global, lucrative trade in such illegal material.

But child porn sites like Candyman are nothing new to Dennis Guzzy. A former Philadelphia sex crimes cop, he now trolls the Web for an anti-pedophile task force run by the Pennsylvania attorney general's office.

His targets: child molesters who collect child porn and look for children in order to have sex.

Guzzy begins his cybersleuthing by posting messages where he seeks like-minded people who want to enjoy "family fun" -- a euphemism for incest.[CNN]
7:22 # G!

Ask these questions before you hire a hacker or cracker

Two recent articles on hiring ex-hackers generated a lot of discussion on the importance of knowing whom you're dealing with when an ex-hacker is up for consideration at your company. I'll review some of those comments and address the concerns they raise.

Hackers vs. crackers: What's in a name? [Moreover - moreover...]
7:15 # G!

RIAA: How Not to Fix a Defaced Web Site

The RIAA struggled to fix its web site following a defacement last Wednesday, with much of the hacked content remaining online throughout the holiday weekend. Though the site had been restored by Wednesday afternoon, a fake news story which claimed the RIAA would support file-sharing was not deleted from the server, nor were the dozens of Linkin Park MP3s the intruders uploaded. The webmasters only fixed the site's front page, removing its links to defaced pages but not the files themselves. As a result, the site was inaccessible for much of the weekend, probably due to both repairs and heightened traffic from visitors curious to see the hacks and download the MP3s. As of Sunday evening, Riaa.org appeared to be back online and properly fixed. The Register has some commentary. [Hideaway.Net]
7:11 # G!

Britain and Italy back U.S. court immunity

Britain and Italy back U.S. court immunity. Several European Union governments are inclined to sign bilateral accords with Washington to exempt Americans from the jurisdiction of the new International Criminal Court, their foreign ministers say. [International Herald Tribune: Europe]
6:57 # G!

13.-15.9.: Friedrich-Naumann-Stiftung: A Free Network for Free Citizens. Manifesto for a Liberal Information Society

More wiretapping takes place in Germany than ever before - and yet the groundbreaking successes of the law enforcement agencies fail to materialise. In future, companies are to be able to prove their business data in detail for decades in order to secure credit - while at the same time German banks grant loans of billions for the castles in the air of media groups. Self-appointed security politicians demand a ban on the encryption of e-mail - although not even the protection of minors on the Internet is feasible. Liberals demand that a right to informational self-determination be added to the catalogue of fundamental rights. But what should it consist of? This seminar addresses this whole complex of problems: a manifesto is to be drafted in which the principles of a free information society of all citizens are set out programmatically.

Location: Gummersbach

["NETLAW-L"]
0:30 # G!

NIPC Asks for Help on Cyber Alerts

The National Infrastructure Protection Center, the division of the FBI that serves as the U.S. government's main cyber protection agency, is seeking outside help with tracking Internet threats and incidents and generating alerts about them. [NewsFactor Cybercrime & Security]
0:17 # G!

Maximillian Dornseif, 2002.