QuickLinks - Security and encryption
Issue no. 315 - 18 July 2004
- Pop-up program reads keystrokes, steals passwords
A malicious program that installs itself through a pop-up can read keystrokes and steal passwords when victims visit any of nearly 50 targeted banking sites, security researchers warned. The program is part of a larger trend, as malicious hackers increasingly focus not on random acts of destruction but on stealing money.
Issue no. 314 - 24 June 2004
- OECD - Responses to survey on security of information systems and networks
This report sets out the results of responses received from 21 member countries to the Survey on the Implementation of the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, which was issued in July 2003. It is intended to provide an understanding of the implementation initiatives in place within member countries.
- First mobile phone virus created
The first ever computer virus spread by mobile phones has been sent to anti-virus firms. No infections have been reported and the worm is harmless but it is proof that mobiles are at risk from virus writers. The worm, known as Cabir, infects phones and devices running the Symbian operating system.
Issue no. 311 - 31 May 2004
- Open season for phishing as attacks soar
Phishing activity has been growing at the rate of 75 percent a month since December, according to the Anti-Phishing Working Group. Phishing is an Internet scam where official-looking emails attempt to fool users into disclosing online passwords, user names and other personal information. Victims are usually persuaded to click on a link in an email that directs them to a doctored version of an organisation's Web site. It is estimated that up to 5 percent of phishing emails persuade users to perform an action, such as clicking on a link, that could result in credit card fraud, identity theft or some other financial loss.
Issue no. 310 - 16 May 2004
- DE - Worm boy wonder gives Germany hope
He faces a prison term - not to mention hefty compensation claims - yet the German teenager whose Sasser worm caused global disruption is being seen as something of a boy wonder at home. Disapproval still reigns supreme. But for a country increasingly dubbed the sick man of Europe, where growth is sluggish, unemployment doggedly high and technological skills in short supply, the arrests of both the Sasser creator and another young virus author at the weekend have stirred up a curious sense of pride.
- Porn gets spammers past Hotmail, Yahoo barriers
By offering free porn, spammers are using Internet surfers to bypass a security protection designed to stop bot software from automatically opening Web mail accounts.
Issue no. 308 - 2 May 2004
- UK - Computer hacking 'costs billions'
Three-quarters of UK companies have been hit by security breaches in their computer systems over the past year, costing billions to industry. Viruses, staff misuse and hacking are blamed in the survey by the Department of Trade & Industry (DTI) and accountancy firm PwC. Most businesses know there is a problem, PwC said, and virus writing gangs are getting more sophisticated.
- US - CDT, Presenting List of Devious Spyware Practices, Calls for FTC Action
A broad coalition of high tech companies and consumer advocates has compiled a list of unfair, deceptive or devious practices involving software downloaded from the Internet - software that takes over users' computers and resists removal, sometimes even stealing information. The Center For Democracy and Technology (CDT) presented the list at a Federal Trade Commission workshop on April 19 and called on the FTC to take enforcement action against software makers and online advertisers who engage in the condemned practices. Examples of Unfair, Deceptive or Devious Practices Involving Software (Consumer Software Working Group). see also To foil intruders, install a counterspy (New York Times).
Issue no. 307 - 25 April 2004
- 'Phishing' scams luring more users
The number of 'phishing' e-mails circulating on the Web has increased from 279 to 215,643 over the past six months, according to e-mail security company MessageLabs. Phishing is an Internet scam in which unsuspecting users receive official-looking e-mails that attempt to fool them into disclosing online passwords, user names and other personal information. Victims are usually persuaded to click on a link that directs them to a doctored version of an organization's Web site.
- UK - Beware of 'phishing', warns Barclays
Barclays customers were urged to be vigilant after details emerged of a fresh email scam designed to allow fraudsters to obtain users' account information. The message was the latest in a now familiar scam called 'phishing', in which millions of emails are sent out directing people to a website masquerading as part of their bank's own online home. But the sites are carbon copies of the original pages and, by entering names, account details and passwords, online customers allow the gangs behind them to go to the bank's real website and clean out their accounts.
Issue no. 306 - 3 April 2004
- Britain sees surge in 'phishing'
UK bank customers have been warned they may be targeted in a new wave of 'phishing' scam emails. The Association for Payment Clearing Services (APACS) has told BBC News Online it is worried by a surge in phishing scam emails in recent days. Customers of some of the UK's largest banks are being targeted, APACS said. Phishing scamsters pose as a bank to request personal details as part of a bogus 'security check'. The crooks then use the details to empty accounts.
Issue no. 305 - 28 March 2004
- European Network Security
Mr Erkki Liikanen, Member of the European Commission responsible for Enterprise and the Information Society, CeBIT Hannover, 18th March 2004.
- Witty worm frays patch-based security
The Witty worm emerged so quickly that most companies had no time to apply a patch, according to an analysis of the program. The worm started spreading around the Internet last week, less than 48 hours after the first public description of the flaw was released. That's the fastest development to date of a worm from a vulnerability, according to a report published by the Cooperative Association for Internet Data Analysis (CAIDA) and the University of California at San Diego. Companies will likely have to start relying less on plugging holes in the security of their software and more on other methods of reducing the threat of vulnerabilities.
- 'Witty' Worm Wallops Thousands of Computers
A quickly spreading worm that emerged over the weekend damaged computers at several universities and at least one Web hosting company, according to the first wave of damage reports that began surfacing on Monday as system administrators returned to work.
Issue no. 304 - 21 March 2004
- ENISA: European Network Information Security Agency
This dedicated web site for the European Network and Information Security Agency (ENISA) has been created in order to provide easy access to information on the activities of the Agency. All public documents, as well as the information related to ENISA, will be regularly added during its implementation. ENISA aims at ensuring particularly high levels of network and information security within the Community. The Agency assists the Commission, the Member States and, consequently, the business community in meeting the requirements of network and information security, including present and future Community legislation. ENISA will ultimately serve as a centre of expertise for both Member States and EU Institutions to seek advice on matters related to network and information security.
- US - Companies Seek Online Warning Network
A group of technology and business associations today released a series of recommendations for minimizing the threat of cyber-crime and hacker attacks, including a request for congressional funding of an early warning alert network and a national media campaign to promote safer Internet use at home. The National Cyber Security Partnership, which includes the U.S. Chamber of Commerce, the Business Software Alliance and the TechNet lobbying group, also asked Congress to provide money to help develop a cybersecurity information clearinghouse for the business community.
Issue no. 303 - 29 February 2004
- US - Online security vendor club seeks to lead government
A collection of technology providers working in the online security sector announced the formation of a new industry oversight organisation, in the name of establishing common ground among vendors, legislators and users to discuss threats to internet safety. The group has been christened the Cyber Security Industry Alliance (CSIA) and will be headed by Paul Kurtz, a former special assistant to the president who has worked on technology issues for the White House's Homeland Security Council. Among the 12 companies represented in the organisation are security specialists such as Check Point Software, Computer Associates International, Entrust, Internet Security Systems, Network Associates, Symantec and RSA. CSIA would focus primarily on four topics related to Internet security: policy, education, standards and increasing public awareness of web safety issues.
Issue no. 302 - 15 February 2004
- DE - Biometrics: practice calls
Biometrics is on the verge of being deployed on a large scale for access control in companies and as a means of identification in passport and visa systems. It is not only the launch of a pilot project at Frankfurt Airport for identification by iris recognition, which Interior Minister Otto Schily inaugurated with much publicity, that is bringing this to public attention: the conclusion of a two-day event organised in Hamburg by the Verband für Sicherheitstechnik under the title "Biometrische Verfahren im praktischen Einsatz" (Biometric Methods in Practical Use) was equally clear.
- EU - Handbook of Legislative Procedures of Computer and Network Misuse
Study for the European Commission, Directorate-General Information Society, by Rand Europe. The Handbook is designed to help European Computer Security Incident Response Teams (CSIRT) deal with incidents and operate in a European environment with divergent legal codes dealing with computer crime and misuse. Particular attention is devoted to the examination of the content of the Council of Europe's Cybercrime Convention and the proposed European Framework Decision on Attacks Against Information Systems. The publication contains an analysis of legislation in each EU member state in the area of computer crime. A summary table is also provided together with the law enforcement points of contacts and reporting mechanisms.
- The Virus Underground
(New York Times)
Virus-writing is no longer exclusively a high-skill profession. By so freely sharing their work, the elite virus writers have made it easy for almost anyone to wreak havoc online. When the damage occurs, as it inevitably does, the original authors just shrug. We may have created the monster, they'll say, but we didn't set it loose. This dodge infuriates security professionals and the police, who say it is legally precise but morally corrupt. A 10-page article by Clive Thompson.
- US - VeriSign works to ID kid surfers
VeriSign plans to unveil a digital identity program for school-age children, which it says will bolster online safety for the growing number of young Web surfers. The Net infrastructure and security company and partner i-Safe America, a group that educates children about online safety, will demonstrate the use of digital IDs at a Congressional Internet Caucus Advisory Committee luncheon and technology fair in Washington, D.C.
Issue no. 301 - 8 February 2004
- EU - Security research: action to improve protection of citizens
The European Commission presented a Communication explaining why security research needs to be co-ordinated at the EU level in key priority areas such as: protection against terrorism (including bio terrorism); improving crisis management; and enhancing the security, reliability, protection and interoperability of communication systems. A €65 million budget has been earmarked for the initial phase (2004-2006). The Preparatory Action should lead to a full European Security Research Programme starting in 2007.
- OECD Launches Global "Culture of Security" Web site
There is no 'silver bullet' to rid the world of computer viruses and hackers, but a new OECD web site is dedicated to help combat these and other security risks to information systems and networks. In a year that has seen a record number of computer virus attacks, including 'Win32.Blaster', causing an estimated US $2 billion damage, the site is designed to help governments, businesses and the public understand the risks and responsibilities attached to information systems and networks. The site provides information on initiatives that have been taken in response to the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, published last year. It also serves as a portal to other relevant websites as a step towards creating a global culture of security. In the future, the site will also centralise educational tools for the security of information systems and networks.
- Spyware cures may cause more harm than good
A small army of angry Web users has set up a network of Web sites where they post reports of antispyware programs said to prey on consumers by installing offending files. Some of these charges could get a hearing soon, as public-interest group The Center for Democracy & Technology plans to file complaints with the Federal Trade Commission against specific companies.
- US - FTC launches 'Operation Secure Your Server'
The Federal Trade Commission and regulatory agencies in 26 countries warned hundreds of thousands of computer users that they were unwittingly helping people who send floods of unwanted e-mails. In a campaign called Secure Your Server, the FTC and others sent e-mail warnings to operators of computers that might be improperly configured to permit outsiders to route spam e-mails through them.
- Microsoft Likely to Fend Off MyDoom
Microsoft is better placed to avoid an impending attack from the MyDoom worm, the spam e-mail virus that has infected hundreds of thousands of personal computers worldwide and brought down the Web site of a small software provider, experts said. Infected machines are instructed to flood SCO and Microsoft's Web sites with requests for information in an attack called a distributed denial of service, and also give potential attackers unauthorized access to compromised PCs. see also Clues point to single MyDoom culprit (ZDNet).
Issue no. 300 - 1 February 2004
- US - Microsoft Offers Reward For Worm Authors
Microsoft has pledged a $250,000 reward for information leading to the arrest and conviction of the author of a newly emerged e-mail worm that directs infected computers to attack the Microsoft Web site and prevents them from gaining access to anti-virus Web sites. The Microsoft reward will draw from a $5 million fund that the company established in hopes of luring people to come forward with information that could lead to the arrest and conviction of the authors of viruses, worms and other online threats.
Issue no. 297 - 11 January 2004
- Messaging programs bring instant risk
Instant messaging is gaining popularity with workers trying to get around the restrictions placed on what they can do with e-mail. A survey by filtering firm Surf Control Survey shows that workers are turning to instant messaging to do the things that company policies stop them doing with e-mail. Currently few firms subject instant messaging programs to the same scrutiny that e-mail receives to stop spam, viruses or abuse by employees.
Issue no. 295 - 21 December 2003
- U.S. Starts Fingerprinting Russians
U.S. Embassy officials started taking fingerprints of Russians hoping to visit the United States, in a security measure that might exacerbate an already tense issue in U.S.-Russian relations and raises the specter of a tit-for-tat response. According to U.S. legislation drafted after the Sept. 11, 2001, terrorist attacks, all nonimmigrant visa applicants between the ages of 14 and 80 must provide prints of their left and right index fingers as part of their applications. U.S. Ambassador Alexander Vershbow demonstrated the new biometric technology to reporters, taking his own fingerprints with a special scanner.
- UK - Biometric Passports Take a Test Flight
Could that passport photo be a thing of the past? The UK Passport Service in January will launch a six-month trial of biometric technology. The trial, which will involve 10,000 volunteers, is billed by the UK government as the first step in its compulsory ID card plan. The UKPS will test facial, iris, and fingerprint recording and recognition in an attempt to determine which process is the least invasive for passport holders. The trial will also help determine how the technology works on a broad scale, what the costs will be, and how well people will accept the technology.
- US - Online Financial Crime Headed From Bad to Worse
In the annals of cybersecurity, 2003 should go down as one of the worst years ever, as hackers and spammers repeatedly demonstrated just how easy it is to use the latest software security holes, worms and viruses to attack businesses and trick unwitting Internet users into divulging their personal and financial information. And 2004 could be worse.
Issue no. 294 - 14 December 2003
- UK - Cyber fraudsters force NatWest to shut website
NatWest was forced to shut down its online bank after a fake website was set up and emails were sent to consumers asking for account details and Pin numbers. The internet banking operation was shut for security reasons. NatWest was unable to give details of how many customers were affected by the fraudsters but insisted that none had lost money as a result of the cyber attack.
Issue no. 293 - 7 December 2003
- Internet security - Fighting the worms of mass destruction
Bill Gates, the chairman of Microsoft, once made a habit of using his keynote speech at Comdex, the computer industry's top annual trade show, to launch his company's "next big thing". Times have changed. Mr Gates began his speech at the Las Vegas show by unveiling a dull bit of software that manages the distribution of security patches on a network. He followed this with an almost equally dreary firewall and a new spam-filtering initiative. These, rather than glitzy product announcements, are the industry's new priorities. [Ed: Recommended]
- Porn Trojan floods inboxes worldwide
Hundreds of reports are coming in of a new Trojan spreading around the globe by posing as home made pornographic pictures. The email arrives with the subject line 'Re Mary'. But once the 'Private.zip' attachment is opened, a Trojan called Sysbug copies a file to the hard drive and alters the registry settings to ensure that it is activated on start-up. The Trojan allows remote access to the PC, but is not a virus as it does not mail itself on to other computers.
Issue no. 292 - 23 November 2003
- EU - Agreement of Council and Parliament to set up the European Network and Information Security Agency
The Telecom Council has reached an agreement to set up the European Network and Information Security Agency ENISA. This has been achieved only nine months after the Commission originally proposed its draft regulation for ENISA. The agreement in Council follows a first reading vote by the European Parliament, on a compromise text for the regulation prepared by the Council and the European Parliament.
- US - CDT Releases 'Spyware' Report and Calls on Net Users to Send Stories
(Center for Democracy and Technology)
CDT has released "Ghosts in Our Machines: Background and Policy Proposals on the 'Spyware' Problem", a report addressing the growing problem of so-called 'spyware' programs, which range from targeted advertising programs to more invasive key stroke loggers and screen capture utilities that can be used to steal passwords and aid identity theft. The report examines types of spyware; suggests policy solutions to the problem, including legislation and better enforcement of current laws; and offers tips to consumers who want to take steps to avoid spyware on their computers. In conjunction with the report, CDT has begun a campaign on its website calling on Internet users to send in their experiences with specific 'spyware' products, so that CDT can collect the most egregious cases and file a complaint with the Federal Trade Commission.
Issue no. 291 - 15 November 2003
- Hackers crack Nokia's game gadget
Nokia has admitted hackers have cracked security codes on the N-Gage device, allowing its games to be played on other mobile phones. The protection system was supposed to stop games being copied and downloaded over the web.
- SG - Singapore tackles 'cyber terror'
Singapore has passed strict new legislation to protect the country's computer systems from attack. The government has said the legislation was necessary because of the damage that computer hacking can cause. The laws allow the monitoring of all computer activity and 'pre-emptive' action, though an official said they would be used 'sparingly'. Some members of parliament said the measures could be open to abuse, with threats to individual liberty.
Issue no. 290 - 9 November 2003
- E-police unlikely to get bigger budget
Businesses must take more responsibility for corporate security because funding for electronic policing will not increase. Organisations must work on the basis that prevention is better than cure and not rely on over-stretched police resources, according to Peter Sommer, senior research fellow at the London School of Economics.
- UK - Users face malicious attacks from HTML email
Net security experts are now predicting a growth in attacks that strike when people are simply browsing messages or the web. Russ Cooper, chief scientist at security specialist TruSecure, said the risk of such attacks would grow as long as e-mail messages were written that used the HTML formatting more usually used to create webpages. Mr Cooper said the threat from maliciously formed HTML was increasing and was being used to damage, disrupt or collect sensitive information about users and their computers.
- US - FTC accuses pop-up maker of 'extortion'
U.S. regulators said that Windows users should disable a back-door communications channel called Windows Messenger Service to prevent unscrupulous marketers from filling their screens with unwanted ads. see also FTC Obtains Order Barring Pop-up Spam Scam, Urges Consumers to Take Steps to Protect Themselves and how to disable Windows Messenger Service.
- Web Vipers
These days, careless computing can be downright dangerous. E-mail spam is not just annoying; it can bring offensive content, fraudulent schemes and damaging viruses into personal computers. Hackers are constantly probing home Internet connections, looking for vulnerabilities so they can gain remote entry and steal personal data. (Memo to those with wireless home networks: You are an especially inviting target.) Worms can literally take over your computer and allow hackers to turn it into a weapon for more mayhem. Viruses can wreck hard drives, wiping out years of hard work. Think we're exaggerating? Spam accounts for roughly 60 percent of all e-mail, up from 18 percent 18 months ago. In 1995, the number of hacking or computer attacks reported to the CERT Coordination Center for cybersecurity was 2,412. In the first three quarters of last year, the number was 114,855. In many cases, each attack affected hundreds of thousands of machines. see also Watch Your Wallet, Kids' Play, Stop Pop-Ups, Can Spam, Cookies & Spyware, Rx for Viruses, Wireless Worries, The Apple Alternative and Geek Speak.
Issue no. 288 - 19 October 2003
- Multinational consensus pegs top 20 net vulnerabilities
The U.S. Department of Homeland Security, along with its Canadian and British counterparts and the SANS Institute, today released a list of the 20 security vulnerabilities most often exploited by criminal hackers. The creation of the Top 20 list of commonly exploited Windows, Unix and Linux flaws marks one of the first times that a multinational consensus has been reached on critical Internet vulnerabilities that must be fixed to meet a minimum level of security protection for computers connected to the Internet.
Issue no. 287 - 11 October 2003
- Shift key breaks CD copy locks
A Princeton University student has published instructions for disabling the new anticopying measures being tested on CDs by BMG - and they're as simple as holding down a computer's Shift key. In a paper published on his Web site, Princeton Ph.D. student John Halderman explained how he disabled a new kind of copy-protection technology, distributed as part of a new album by BMG soul artist Anthony Hamilton. Student sued over CD piracy study (BBC). see also Threat of lawsuit passes for student (The Daily Princetonian).
- Trusted Computing: Promise and Risk
by Seth Schoen. Computer security is undeniably important, and as new vulnerabilities are discovered and exploited, the perceived need for new security solutions grows. 'Trusted computing' initiatives propose to solve some of today's security problems through hardware changes to the personal computer.
Issue no. 286 - 3 October 2003
- The e-spy who loves you could be a felon
A company calling itself Lover Spy has begun offering a way for jealous lovers--or anyone else--to spy on the computer activity of their mates by sending an e-greeting, the equivalent of a 'thinking of you' card that doubles as a bugging device. Computer security experts said the Lover Spy service and software appeared to violate U.S. law but also said the surveillance program pointed to an increasingly common way for hackers to seize control of computers. Marketed as a way to 'catch a cheating lover,' the Lover Spy company offers to send an e-mail greeting card to lure the victim to a Web site that will download onto the victim's computer a Trojan program to be used for spying.
Issue no. 285 - 28 September 2003
- US - Microsoft Critic Forced Out
A technology executive whose company does business with Microsoft has been forced out of his job after he helped write a cybersecurity report critical of the software giant. AtStake, a computer security firm, said that chief technology officer Daniel R. Geer Jr. is "no longer associated" with the firm. A company statement added that Geer's participation in preparation of the report was not sanctioned by the firm, and that "the values and opinions of the report are not in line with [AtStake's] views." Geer was one of several corporate and academic security experts who wrote the Computer and Communications Industry Association (CCIA) CyberInSecurity report, which argues that Microsoft's dominance over personal-computer operating systems and other software programs makes it easier for malicious hackers to attack millions of machines and networks at once.
Issue no. 284 - 21 September 2003
Issue no. 282 - 7 September 2003
- Heart of Darkness, on a Desktop
(New York Times)
More and more PC owners are discovering software lurking on their computers that they had no idea was there - software that can snoop, destroy or simply reproduce itself in droves. The SoBig and Blaster worms that have been invading computer systems worldwide for several weeks are slowing down. But the two intruders left behind software that could linger undetected for months.
Links to news items about legal and regulatory aspects of Internet and the information society, particularly those relating to information content, and market and technology.
QuickLinks consists of
- a free newsletter appearing approximately once a week. The newsletter is distributed by electronic mail through an "announcement only" mailing list. To be included on the mailing list, send a blank email to email@example.com (HTML) or firstname.lastname@example.org (Text)
- a Web site with frequent updates, an events page, news items organised by category as well as chronologically by issue and full text search.
QuickLinks is edited by Richard Swetenham firstname.lastname@example.org