Updated: 26.11.2002; 11:50:26.
disLEXia
lies, laws, legal research, crime and the internet

Saturday, November 23, 2002

Is the new wave of cyber security just to stop web terrorism ... or is there a hidden agenda?

THE trouble with IT is that the more significant it becomes, the more open it is to attack from the same collection of reactionary fools, simian thugs and intellectual pygmies that have worked so hard to screw up the rest of human endeavour for us.

In moves that will no doubt have delighted Iraqi bunker manufacturers, the CIA this month warned that fundamentalist Muslim terror group Hezbollah is among a gaggle of shadowy miscreants hoping to wreak havoc upon the West with a wave of 'cyber-attacks'. Lawks a lawdy -- this is scary stuff.

With breathtaking serendipity, this stark message was bolstered on the same day by an announcement in London by security specialists mi2g that terrorist-backed hacking attacks on the web have increased 10-fold over the past month. The company, which has a board and advisory committee packed with players from the diplomatic, defence and intelligence services, claims that at least 3001 such incursions took place in October.

Connoisseurs of irony, for whom these are rich and fruitful times, will have enjoyed the fact that if the digital revolution is seriously threatened at all, it is largely by the people making such big pronouncements.

Let's cast our minds back to 2001, when the spectre of Code Red threatened to bring the web grinding to a halt. While off-the-record briefings from the FBI's National Infrastructure Protection Centre (NIPC) hinted strongly that the malicious worm was a Chinese cyber-attack responsible for a 30% slowing down in web speeds, it transpired that a non-politically motivated hacker from London was later arrested and the velocity breakdown traced to a train derailment in Baltimore.

By the time the truth was out the damage had been done, but that didn't particularly bother an agency that only days before had been officially censured for its incompetence and was in desperate need of a PR victory. Doubtless the security industry had no regrets over the free publicity either.

There can be no doubt that hacking does pose a very real threat to businesses and governments. Increased use of online services means that malevolent geeks have a multitude of targets to choose from, and clearly these need to be protected.

What's odd, however, is the unbelievably convenient political nature of the threats reported by security agencies. During the trial of Oklahoma bomber Timothy McVeigh it was white supremacists haunting our wires, a danger that was momentarily replaced by the online Cuban menace before switching to the Red Chinese. Since September 11, all the action has apparently been routed from Islam.

In much the same way that fear of terrorist attack has been used to introduce levels of surveillance and executive power in the US that would once have been considered massively unconstitutional, the spooks are now moving to cover the online world. The net is too democratic and makes information and ideas too accessible for such agencies to control, and consequently they're going to do something about it. Sunday Herald Nov 23 2002 3:32PM ET [moreover Computersecurity]
21:41 # G!

Library Censorware Blocks Own Site

Dutch police have just disclosed that they searched the house of a computer hacker in Leusden on July 16, at the request of the American authorities.

The 19-year-old man had evidently hacked the network of Hellmuth, Obata & Kassabaum (HOK), an American architectural company involved in renovation work at the US Department of Defence, gaining access to alarm-system and other blueprints of the Pentagon and several FBI buildings.

Reporting on the website WebWereld, the hacker said that he had accepted an offer by the firm of architects to help identify flaws in its network security in exchange for US$3,600, and had subsequently submitted his report.

However, after disclosing his address the hacker found the police on his doorstep. [Slashdot: Your Rights Online]
20:42 # G!

Litigation to clog courts while file sharing advances

This news article summarises the current situation for the entertainment industry and peer-to-peer file swapping services. On Monday a US federal court judge is going to determine whether or not the off-shore company Sharman Networks, the owner of Kazaa, can be sued. The author notes that Congressmen Hollings and Berman's recent proposals to address the issue have not been popular in Washington and how the long-running and unresolved nature of the debate ensures controversy. Here is another story covering Kazaa's legal obstacles. Meanwhile, as Vivendi releases a stack of music online for one US dollar per download, other file sharing networks such as Freenet grow to the point where developers encourage the general public to download and try their software, and the Open Directory Project lists links for at least 200 clients for anyone with internet access to download and use. Peer-to-peer supercomputing projects, network storage breakthroughs and convergence developments such as Colligo or Mobilefile, which easily allow for file transfers between different types of mobile and wireless hardware, continue to innovate the peer-to-peer arena. [infoAnarchy]
20:00 # G!

Court ruling: Age verification by ID card number is not sufficient on the internet

[court: a check of credit card or national ID card numbers is not enough to protect children from adult websites.]

Anyone who makes the display of internet content that may not be made accessible to minors dependent merely on an automatic check of ID card or credit card numbers does not meet the statutory requirements of youth protection. That is what the Amtsgericht Neuss (district court) decided in a ruling handed down at the end of August but published only now, and not yet final.

The defendant was the former managing director of a Düsseldorf company that operates the website "Clubhardcore.de" on a Berlin server. [...] Billing follows the familiar pattern via a so-called high-speed dialer, a downloadable 0190 dial-in program that adds around 2 euros per minute to the phone bill; nothing of this, however, is disclosed before the download.

The court, however, did not have to deal with fraud or other offences that might first come to mind for an observer of the internet in connection with 0190 dialers. The question in Neuss was rather whether access to the hardcore content through the dialer was adequately secured against access by children and minors. The judge answered this question in the negative and finally sentenced the defendant to a fine of 3500 euros for "distribution of pornographic writings".

To check whether a prospective customer was of age, the Clubhardcore operators used a simple query with automatic plausibility checking by a program. Either ID card or credit card numbers were requested. "Perso" numbers (German ID card numbers), which have a matching date of birth encoded in them, can however be pulled from the internet by anyone without effort: a simple query to the search engine Google is enough to obtain such sources and, so to speak, borrow adulthood there with a mouse click. The judge tried this out himself during the main hearing and came to the conclusion that the control system was a "sham protection" that even children could circumvent with the greatest of ease. Any human check, for instance at a kiosk or in a video store, was far superior to such a procedure. In addition, by explicitly assuring "anonymity" without any collection of personal data, the operating company had signalled that it simply did not care who used its offerings.

This was further evidenced by the fact that the Clubhardcore operators had already received a formal warning in 2001 from the Mainz-based Zentralstelle der obersten Landesjugendbehörden für Jugendschutz in Mediendiensten (the central office of the highest state youth authorities for youth protection in media services), pointing out that the website had no effective age verification. This warning was apparently ignored, which in the end proved a boomerang for the ex-managing director: if the judgment becomes final, he will count as having a criminal record. [heise]
18:53 # G!
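The court's point is that a check which only tests whether a number is well-formed verifies nothing about the person typing it. The following added example (written for this page, not code from heise or from the site in the ruling) models that gap: the operators' unspecified "plausibility check" is stood in for by the Luhn mod-10 check used on credit card numbers, and a hypothetical InPersonAttestation record stands for the kind of human check the judge said was far superior. The card numbers are the widely published test numbers, not real accounts.

```python
"""Syntactic plausibility check versus actual evidence of age (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    This is a stand-in for the automatic 'plausibility check' in the ruling:
    it detects typos, not who holds the card or how old they are.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class InPersonAttestation:
    """Outcome of a human identity check (hypothetical record for this example)."""
    date_of_birth: date
    checked_by: str


def age_on(dob: date, on: date) -> int:
    """Full years between dob and the reference date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def sham_gate(card_number: str) -> bool:
    """The gate the court rejected: admits anyone who types a well-formed number."""
    return luhn_valid(card_number)


def attested_gate(attestation: Optional[InPersonAttestation], today: date) -> bool:
    """Admit only when a human check established a date of birth giving age >= 18."""
    if attestation is None:
        return False
    return age_on(attestation.date_of_birth, today) >= 18


# Constructed sample inputs: published Visa test number and a classic Luhn example.
TEST_CARD = "4111111111111111"
LUHN_EXAMPLE = "79927398713"

if __name__ == "__main__":
    ruling_day = date(2002, 11, 23)
    print("sham gate admits test card:", sham_gate(TEST_CARD))
    print("attested gate without attestation:", attested_gate(None, ruling_day))
    adult = InPersonAttestation(date(1984, 11, 23), "counter clerk")
    print("attested gate, 18 today:", attested_gate(adult, ruling_day))
```

The sham gate returns True for any number with a consistent check digit, which is exactly why a child with a number copied from a web page passes it; the attested gate can only say yes once a human check has produced a date of birth, and it computes the age from that date rather than trusting anything the visitor typed.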

New wave of mobile phone rip-offs relies on curiosity

Anyone whose mobile phone rings only briefly these days should take a close look at the number that then appears on the display before calling back. If it begins with +674... or 00674..., it wasn't a girlfriend showing too little patience but an automatic dialer that has struck, one which, judging at least by the international dialling code, is located on Nauru. According to reports from heise online readers, the dialer has been systematically working through numbers of the mobile provider O2 (formerly Viag Interkom) beginning with 0179 since last night. The author's phone had its turn at 15:00:19. O2 is working to block the destination number in its network, but this protection only lasts until the operators obtain a new number.


A short test call via landline (already 58 cents per minute even with the cheapest call-by-call provider) brought up two female voices discussing sleeping habits and the merits of waterbeds. The tape loop is presumably meant to give the caller the false impression of having ended up in this conversation through a misrouted connection. Anyone who unsuspectingly calls back from a mobile pays considerably more for the international call to Nauru for the false impression of listening in on a spicy live conversation.

The current campaign is possibly a rerun of a mobile phone call-back scam that appeared in August, which likewise involved numbers with the Nauru dialling code. Already in April of this year there was a comparable rip-off campaign involving a number on the Solomon Islands, an island group in the South Pacific. [heise]
17:53 # G!

Hackbus runs from Augsburg to Berlin

People from Augsburg and the surrounding area who want to go to the 19th Chaos Communication Congress (19c3) in Berlin can take the "Hackbus".

The southwest of Germany, on the other hand, is served by the "Hacktrain". [heise, c4, etc.]
17:53 # G!

Nine years in prison for software piracy

[USA: 9 years of jail for software piracy]

In the USA, a 52-year-old woman was sentenced on Friday to nine years in prison for software piracy. The offender must also pay eleven million US dollars in damages to the software manufacturers Microsoft and Symantec. The member of a four-person gang had been accused of participating in the worldwide sale of illegally produced copies of Microsoft operating systems, Office packages and security programs. The woman is said to have mainly directed money flows and stored goods.

After months of investigation, customs investigators seized large quantities of counterfeit software products from Taiwan in Los Angeles in November 2001, including 31,000 illegal copies of Windows ME and 2000 as well as a large number of counterfeit user manuals, registration cards and certificates of "authenticity". The total damage caused by the group was put at 98 million US dollars. According to prosecutors, the verdict is the highest sentence so far imposed on a first-time offender in connection with software piracy. [heise]
13:38 # G!

DK: No Santa for Pirates

[Danish Computerworld reports that the Danish Anti Piracy Group has sent a weird Christmas card this year. 150 Danish users of the filesharing software eDonkey and Kazaa have received an invoice from the Anti Piracy Group. The names and addresses were obtained from the users' internet service providers. GrepLaw]
13:28 # G!

Bugging Out: Software Bugs are expensive

Forget malicious hackers. The errors that come bundled with your software are costing businesses plenty. According to a study by the Department of Commerce's National Institute of Standards and Technology (NIST), bugs have become so frequent and harmful that they cost the U.S. economy an estimated $59.5 billion annually.

More alarming, NIST, which surveyed vendors as well as end users, found that $22.2 billion of that cost could be eliminated through improved testing infrastructure, allowing for bug detection earlier in the development process rather than "downstream" or post-sale. But more testing is not necessarily the answer. "In fact, 80 percent of software development costs are now allocated to testing activities, so expanding the amount of testing may not be a good objective or even a feasible one," says Greg Tassey, senior economist on the study. "Rather, improving the efficiency of the testing infrastructure by developing better test methods, which industry can adopt as standards, appears to be the logical direction of response."

While the hefty cost is certainly startling, the issue of overly buggy software is no surprise. It first gained government attention back in January when the National Academy of Sciences issued a report urging Congress to consider legislation to hold software vendors liable for security breaches.

Unfortunately, a stricter infrastructure will mean new costs, and while the bigger vendors have made strides lately to improve confidence in their products, smaller developers could suffer. "I could see it stifling innovation, and sometimes preventing better things from emerging. That would be the real downside to government doing anything," warns Norma Schroder, software industry analyst for Gartner. "I don't believe the software vendors want to write bad software. There's always a risk in anything. There will always be room to improve, but the risk will never go away." WebTechniques Nov 23 2002 5:38AM ET [moreover Computersecurity]
12:36 # G!

Next virus attack to cost SMEs billions

Research has revealed that the financial loss to SMEs when the next big computer virus hits could be billions.

The next big computer virus attack could cost the UK's small and medium-sized enterprises (SMEs) £2.1bn, according to research carried out by McAfee Security.

The research showed that of the 70 percent of SMEs who said they had received a virus, all had lost money and suffered systems downtime as a result.

The average financial loss was £843 per company, equating to a total of £2.1bn, and the average downtime was 7.2 hours -- almost a full working day.

Nearly all the survey respondents agreed that cybercrime is on the increase (91 percent), but 12 percent still have no virus protection in place. Nearly half (43 percent) have no firewall protection from hackers.

Peter Scargill, IT chairman of the Federation of Small Businesses, said: "Many SMEs agree that cybercrime is a serious issue but fail to protect all of their computers or update protection regularly. Viruses or hacker attacks could be disastrous for many SMEs. They must start putting protection in place."

The survey also revealed that many SMEs do not subscribe to the generally accepted rule that prevention is better than cure, and wait until they are infected by a virus before taking action to address their vulnerability.

A third of respondents (32 percent) bought virus protection after they'd been infected by a virus.

Marc Vos, European product manager for McAfee Security, said: "It is very important that SMEs protect themselves against cyber crime properly. Although many have protection, it is useless unless they keep it regularly up-to-date."

He added: "Viruses tend to grab the news headlines but SMEs are often left wide open to other forms of cybercrime such as fraud or hacking. These threats are especially hazardous for high speed Internet users who are always connected and therefore always open to attack."

ZDNet Nov 22 2002 11:49AM ET [moreover Computersecurity]
9:21 # G!

Verizon Sues to Stop Privacy Rules; Wants to Sell Call Data

"Verizon has asked a federal court to Slashdot: Your Rights Online]
9:20 # G!

CipherTrust Wants You To Fight Spam

E-mail security company CipherTrust wants your spam. The company is calling on surfers of all stripes to help it wage a fight against spam by sending their unsolicited mass e-mail to its new Web site, Spamarchive.org. The idea is to create a vast public repository of spam, so makers of antispam tools can test their algorithms on the latest mass-messaging trends.

"It's kind of like donating your spam to science," Paul Judge, director of research and development at CipherTrust, said.

CipherTrust is soliciting volunteers to help it determine which messages constitute spam. It plans to put the database online in a few days and will collect spam messages on an ongoing basis. [LinuxSecurity.com]

This brings up some interesting liability issues for email included in this archive. Since some spammers seem to enjoy going to court we might see some interesting trials.
9:20 # G!

Research Aims To Stop Battery Attackers

A team of computer scientists is working to prevent new types of denial-of-service attacks aimed at battery-powered mobile devices. Tom Martin, a professor at Virginia Tech's electrical and computer engineering department, has received a grant for more than $400,000 from the National Science Foundation to devise a way to protect battery-operated computers from security attacks that could drain their batteries.

Although the researchers concede that such kinds of attacks are extremely rare, the proliferation of notebook computers, personal digital assistants, tablet PCs, networked cell phones and other devices could make them alluring targets.

The threat could be even more menacing to businesses that use battery backup systems to protect their databases and storage systems against electrical power outages. [LinuxSecurity.com]
9:20 # G!

Labels accuse file-swap service

Record labels file a contempt motion against file-swapping service Madster, claiming it is ignoring a court order to stop trading. [BBC News Online]
9:18 # G!

Ex-Comroad CEO Schnabel receives seven years in prison

In the trial of Comroad founder Bodo Schnabel, the Landgericht München (Munich regional court) has now clearly come out in favour of a prison sentence of seven years. Shortly before, Bodo Schnabel had made a confession and admitted stock price manipulation, insider trading and commercial fraud. [newsBYTE.ch]
9:17 # G!

Maximillian Dornseif, 2002.