QuickLinks - Security and encryption

recent items

Issue no. 372 - 25 February 2007

• Hackers target core internet computers (Guardian)
  Hackers mounted the most significant attack since 2002 on the computers that direct traffic on the internet. The hackers, believed to be from Asia, bombarded the 13 computers, or root servers, that serve as the internet's central address books. But although the assault lasting several hours was the largest in the past five years, it had little effect on internet users.

• Microsoft to back open ID scheme (BBC)
  A plan to make it easier for web users to manage their online identities has won the support of Microsoft. The Open ID scheme uses web addresses that people already own to help authenticate their identity. As part of the deal Microsoft is sharing some of its technology with Open ID developers and will include it in future identity-related products.

• US - AOL supports open ID scheme (BBC)
  AOL has joined Microsoft in supporting Open ID, giving the free identification scheme 63 million new users. OpenID is a decentralised identification system that lets individuals use a single password for any site that supports it.

• US - Spyware - Best Practices and Conflict Resoluion (Anti-Spyware Coalition)
  Public Comment Drafts of Best Practices and Conflict Resolution Documents. The Anti-Spyware Coalition released drafts of both its Best Practices and Conflict Resolution documents on January 25, 2007. Both documents began a public comment period that will last a month and which will close on February 26th at noon.

Issue no. 371 - 28 January 2007

• The social-engineering problem (& solution) (Net Family News)
  Watch out for emails that say there's been some unauthorized activity in your Amazon.com, Paypal, or bank account and 'click here' to confirm or reset your account information - username, password, social security number, etc. This is called 'social engineering,' and your kids get the messages too in IM, email, and social Web sites, in language tailored to their interests, (e.g., 'click to this cool video I put in YouTube...'). Beyond the tricks adults encounter, it's social engineering that gets kids to add people they don't know to friends lists or reveal more about themselves than they should.

Issue no. 368 - 15 October 2006

• Hackers find use for Google Code Search (IDG News Service)
  Google has inadvertently given online attackers a new tool. The company's new source-code search engine, unveiled as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet.

• UK - Internet banking security criticised (BCS)
  Britain's major banks have been criticized in a new study for failing to adequately protect their online banking customers. A report by Heise Security claims that many ebanking sites contain vulnerabilities and flaws that can be exploited by web criminals. The company also states that security holes can make it easier for phishing scammers to create more convincing attacks and employ frame spoofing techniques.

• UK - Thousands of Brits fall victim to data theft (CNET News)
  U.K. police struggle to contact people whose passwords and credit card details have been stolen. The police said that a computer seized in the U.S. had been found to contain personal information from around 2,300 PCs based in Britain. This included e-mail addresses, passwords, credit card numbers and details of online transactions.

Issue no. 367 - 23 September 2006

• UK - Sky suspends broadband movie download service (ZDNet UK)
  British TV network BSkyB has suspended its broadband movie download service, after a Microsoft security patch on Windows Media's digital rights management was cracked. A notice on the Sky by Broadband service's home page reads: 'In order to make an essential update to the Sky by broadband security system, we are sorry that access to all movies and some sports content has been temporarily suspended.'

Issue no. 366 - 3 September 2006

• Hackers target latest Microsoft Windows fix (BBC)
  Hi-tech hackers have started to produce malicious programs that target the latest bugs in Microsoft's Windows. A worm has been spotted online that tries to use the vulnerabilities to hijack home computers. Any computer compromised by the worm will become part of a large network set up to send out junk mail. At the same time Microsoft is re-issuing a recent security patch which has made the Internet Explorer browser crash on some computers.

• Microsoft warning on online games (BBC)
  Criminals are targeting the lucrative world of online games, an engineer at Microsoft has warned. Hackers could use malicious programs to steal players account information and then sell virtual items, such as gold or weapons, for real world cash. see also Microsoft warns game developers of security risk (CNET News).

• UK - Police: Let us seize encryption keys (CNET)
  Because British law enforcement officers don't have the authority to seize encryption keys, an increasing number of criminals are able to evade justice, a senior police officer said. Suspected terrorists, pedophiles and burglars have all walked free because encrypted data couldn't be opened. Earlier this summer, the British government announced that it plans to activate Part 3 of the Regulations of Investigatory Powers (RIP) Act, which will give the police the power, in some circumstances, to demand an encryption key from a suspect.

• US - Confidential data really is at risk / Laptop dangers (CNET)
  U.S. survey reports that 81 percent of companies and governmental entities have lost or misplaced one or more laptops containing confidential business information within the last 12 months. The survey, titled "Confidential Data at Risk," concludes that a main reason for corporate data security breaches is that many companies simply don't know where their sensitive or confidential business information resides. The survey goes on to summarize that "this lack of knowledge coupled with insufficient controls over data stores" poses "a serious threat to both business and governmental organizations."

Issue no. 365 - 15 August 2006

• Google warns on 'unsafe' websites (BBC)
  Google has started warning users if they are about to visit a webpage that could harm their computer. The warning will pop up if users click on a link to a page known to host spyware or other malicious programs. The initiative comes out of a larger project cataloguing programs that plague people with unwanted ads, spy on web habits or steal personal data.

• UK - House of Lords Committee to inquire into personal internet security (UK Parliament)
  The House of Lords Select Committee on Science and Technology has appointed a Sub-Committee to investigate personal Internet security. The inquiry invites evidence on security issues affecting private individuals when using communicating computer-based devices, either connecting directly to the Internet, or employing other forms of inter-connectivity. Areas the Committee will consider include: What is the nature of the security threat to private individuals and what is the scale of the problem? How well do the public understand the nature of the threat they face? What can be done to provide greater personal internet security? How much does this depend on software and hardware manufacturers? Is the regulatory framework for internet services adequate? How well equipped is Government to combat cyber crime? Is the legislative framework in UK criminal law adequate to meet this growing challenge?

• UK - HSBC to 'review' online security (BBC)
  HSBC is to review its online security after researchers at Cardiff University found a loophole which could allow access to customers online accounts. A bank spokesman said the loophole had not been used by fraudsters and was not a viable way for a hacker to steal.

• UK - Police want power to seize encryption keys (ZDNet UK)
  Hundreds of computers belonging to suspected terrorists or paedophiles are gathering dust as investigators are unable to decrypt the data on their hard drives, claim police.

Issue no. 362 - 11 June 2006

• EU - Commission seeks to improve network and information security in Europe (Europa)
  Businesses, individuals and public administrations in Europe still underestimate the risks of insufficiently protecting networks and information. Security presently represents only around 5-13% of IT expenditure, which is alarmingly low. The Commission is therefore promoting greater awareness, in a policy document, through an open and inclusive multi-stakeholder dialogue on a new IT Security Strategy for Europe. See also The Commission's New Approach to Network and Information Security: Frequently Asked Questions.

• Help is at hand for web security (BBC)
  A survey released in mid-May revealed the dangers inherent in just poking around the web. On average, between 4% and 6% of the sites found during common searches were classified as dangerous.The search results were analysed using the Site Advisor add-on for the Internet Explorer and Firefox web browsers that flags up dangerous websites. One other way that web users can see at a glance if a site is nice or nasty is by using the Scandoo website created by British firm ScanSafe.

Issue no. 361 - 23 May 2006

• ITU Announces Cybersecurity Survey and Launches Cybersecurity Gateway (Press Release)
  ITU announced a global opinion survey to assess trust of online transactions and awareness of cybersecurity measures. The survey was conducted by ITU in conjunction with World Telecommunication Day, celebrated on 17 May to commemorate the founding of ITU in 1865. The theme chosen this year - Promoting Global Cybersecurity - aims to highlight the serious challenges of ensuring the safety and security of networked information and communication systems.

Issue no. 359 - 9 May 2006

• EU - European Court of Justice confirms legality of ENISA (RAPID)
  The European Court of Justice confirmed that the European Network and Information Security Agency (ENISA), established in 2004 with its seat now in Heraklion (Greece), was correctly established on the basis of the single market clause in Article 95 of the EC Treaty. The Court thereby rejected a legal challenge made by the United Kingdom.

Issue no. 352 - 18 December 2005

• UK - eBay faces up to online fraud (BBC)
  The online auctioneer eBay has admitted an 'extreme growth' in the number of personal accounts being hijacked by fraudsters. Criminals are obtaining the secret passwords of eBay subscribers and using their sites to conduct bogus auctions for non-existent goods. The hijacking of sellers' accounts is a particularly sensitive issue for the auction site, which relies to a large degree on the level of trust between the buyer and seller of goods for its success. There are more than three million items for sale on the site at any one time. eBay blames its account holders for not installing proper security on their home computers and for replying to so-called "phishing" emails. These are fake emails made to look like official eBay messages and which demand the secret passwords to users accounts. Viruses are also said to be infecting home computers by installing themselves inside hard drives, where they monitor the keystrokes of eBay users, make a record of passwords before sending them onto the fraudsters.

Issue no. 347 - 19 October 2005

• European Biometrics Portal (EBP)
  The European Biometrics Portal (EBP) is initiated by the European Commission to encourage and support the exchange of information and data on biometric technology initiatives, deployments and trials in European Member States. EBP is access and membership free and the quality of the EBP content is dependant on the quality of the users community contributions.

• SE - Phishing attack targets one-time passwords (out-law.com)
  A Swedish internet bank was forced to shut down its website for a short time after its one-time password security system was targeted by a new type of phishing scam, according to reports.

Issue no. 343 - 4 September 2005

• ITU - WSIS Thematic Meeting on Cybersecurity (ITU)
  The ITU WSIS Thematic Meeting on Cybersecurity took place from 28 June - 1 July 2005 in Geneva, Switzerland. A large number of written contributions, presentations and a webcast archive are available online, with the following background papers: A Comparative Analysis of Spam Laws: the Quest for Model Law, A Comparative Analysis of Cybersecurity Initatives Worldwide, Harmonizing National Legal Approaches on Cybercrime and ITU Survey on Anti-Spam Legislation Worldwide

• New scam asks people to fax away data (CNET News.com)
  Phishers have added a new lure to their tackle boxes: e-mails that ask people to fax sensitive information to bogus security investigators.

• Phishing emails go formal (vnunet.com)
  Researchers have discovered a new method used by criminals to hide the location of phishing websites in email messages. The technique uses a form that sends the users to phishing websites after they have pushed a button. Traditionally phishers employ a link in the body of the email message, security watchdog, the SANS Internet Storm Centre has warned.

Issue no. 338 - 7 May 2005

• Reuters IM back online after worm attack (CNET News.com)
  International media company Reuters reinstated its instant messaging network, after shutting it down completely the previous day, when a variant of the Kelvir worm attempted an attack on systems using the IM application.

Issue no. 336 - 3 April 2005

• US - Microsoft sues 117 phishers (out-law.com)
  Microsoft has sued 117 phishers. The lawsuits, which will enable the software giant to identify the fraudsters behind phishing schemes, are part of the company's commitment to tackling cyber-crime. A typical phishing attack occurs when a fraudster sends an e-mail that contains a link to a fraudulent web site where users are asked to provide personal account information. The e-mail and web site are usually disguised to appear to recipients as though they are from a bank or other trusted service provider.

Issue no. 334 - 13 March 2005

• EU - Attacks against information systems (Consilium)
  Justice and Home Affairs 24 February 2005. The Council adopted a Framework Decision on attacks against information systems. The Framework Decision approximates rules on criminal law in the Member States in the area of attacks against information systems. Member States are required to take the necessary measures to ensure that illegal access to an information system and interference with the integrity of an information system or of its data are punishable as criminal offences.

• UK - IT security awareness (CommsWatch)
  The British Government has launched a new web site on IT security awareness, ITsafe, to protect home computer users and micro businesses from viruses and other threats online. The website offers free advice as well as virus and threat alerts allowing computer users to surf the net and send and receive emails more safely. The service, a Home Office funded initiative, uses information provided by the National Infrastructure Security Co-ordination Centre (NISCC) - the Government?s centre for electronic defence.

Issue no. 333 - 2 March 2005

• AU - Lover sentenced over email hack (Australian IT)
  A jilted computer technician has received a suspended sentence after hacking into his ex-lover's email account and deleting notes from her new boyfriend. The defendant pleaded guilty to unlawfully accessing data held in a computer. The judge sentenced him to five months' jail, fully suspended on the condition he did not get into further trouble in the next three years. he charge carried a maximum penalty of 10 years' imprisonment.

• EU geht schärfer gegen Hacker vor (Heise)
  Der EU-Rat hat einen umstrittenen EU-Rahmenbeschluss über Angriffe auf Informationssysteme offiziell verabschiedet. Ziel der Gesetzgebung ist es, Cracker und Angreifer auf vernetzte Computersysteme besser bekämpfen zu können. Dazu werden EU-weit erstmals strafrechtliche Mindeststandards auf dem Gebiet der Cyberkriminalität geschaffen. Verboten werden Handlungen wie das unerlaubte Eindringen in Computersysteme - "Hacking" im Wortlaut des Beschlusses, das Verbreiten von Viren oder Angriffe auf Online-Dienste etwa durch Denial-of-Service-Attacken. Kritikern zufolge schießt das Papier aber über das Ziel hinaus. Es wird befürchtet, dass auch legitime Sicherheitstester kriminalisiert werden könnten.

Issue no. 330 - 30 January 2005

• DE - BSI: Bürger surfen zu sorglos im Internet (Heise)
  Die meisten Deutschen surfen zu sorglos im Internet. Das belegt eine repräsentative Studie, die vom Bundesamt für Sicherheit in der Informationstechnik (BSI) bei TNS Emnid in Auftrag gegeben wurde. Danach interessierten sich die Nutzer kaum für das Thema Internetsicherheit, berichtet das BSI. Jeder vierte Internetnutzer bewege sich ohne Virenschutzprogramm im Netz und nur die Hälfte der Nutzer setze eine Firewall ein.

Issue no. 329 - 23 January 2005

• Microsoft Sends Shivers Through Antivirus Market (IDG News Service)
  The stocks of major antivirus software vendors dropped after Microsoft released beta anti-spyware technology and said it would begin giving away an improved tool to remove worms and viruses from its customers' computers. While the free antivirus and virus removal tools are not an immediate threat to the products from those companies, the releases could signal tougher times ahead for desktop security vendors, as Microsoft uses its size and influence to expand into markets now dominated by those companies. Microsoft Securit at Home page. see also Microsoft AntiSpyware First Impression (InsideMicrosoft - part of the Blog News Channel).

Issue no. 328 - 4 January 2005

• No-go zone for Passport (CNET News.com)
  Microsoft's Passport authentication technology lost a prominent partner when eBay announced that it would stop supporting customer logins through Microsoft's Passport and .Net services. The online auctioneer decided to stop supporting the service after Microsoft made an 'architectural change' to its online authentication service.

Issue no. 327 - 16 December 2004

• Who says safe computing must remain a pipe dream? (CNET News.com)
  by Bruce Schneier. I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, 'Nothing--you're screwed.' But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.

Issue no. 325 - 28 November 2004

• ENISA - Call for expression of interest for Permanent Stakeholders' Group (ENISA)
  The Executive Director of the European Network and Information Security Agency has the intention to set up a Permanent Stakeholders' Group (PSG), which may advise him in the performance of his duties under the Regulation of the Agency, in drawing up a proposal for the Agency's work programme, as well as in ensuring communication with the relevant stakeholders on all issues related to the Agency's work programme. The PSG will be composed of leading experts in the area of network and information security representing relevant stakeholders, such as information and communication technologies industry, consumer organizations and academic institutions. The Executive Director hereby calls for expert expressions of interest to be included in a list of applicants for this Permanent Stakeholders' Group. Applications should be submitted at the latest by 15th December 2004.

Issue no. 323 - 24 October 2004

• IBM jumps into Liberty Alliance (ZDNet)
  IBM has joined the Internet security consortium Liberty Alliance at the request of a customer, European mobile telecommunications provider Orange. The Liberty Alliance is a group of technology providers and corporations, such as Fidelity and American Express, that is developing a set of industry standards for verifying a person's identity when he or she accesses Web sites.

Issue no. 321 - 10 October 2004

• NL - Dutch Government Web sites come under sustained attack (Reuters)
  Three Dutch government Web sites were taken down by a sustained attack by hackers, which had been coordinated in protest at proposed reforms to the Dutch benefits system.

• US - Spyware Bills Win House Approval (Washington Post)
  Two bills designed to curb the proliferation of Internet 'spyware' took another step toward law this week with overwhelming approval from the House of Representatives, but supporters said they face a tough race against the clock to get Senate approval before Congress disperses for the November elections.

• Top 20 computer threats unveiled (BBC)
  The yearly hit parade of hackers' favourite security vulnerabilities has been published. Issued by the respected Sans Institute, the Top 20 list helps organisations find out if they are closing the most commonly exploited loopholes. With more than 2,500 software vulnerabilities found every year many organisations need help to know which ones to tackle first. The list includes loopholes found in both Windows and Unix/Linux software.

Issue no. 320 - 25 September 2004

• European Network and Information Security Agency up and running (Europa)
  The European Network Information and Security Agency (ENISA), now has its Executive Director, internal rules of procedure are in place, and a drive to recruit technical experts has just begun. Technical experts will be appointed by Executive Director Mr Andrea Pirotti, in accordance with rules set out on the ENISA web site. The Management Board has also elected a Finn, Ms Kristiina Pietikainen, as its Chairperson, and a Hungarian, Mr Ferenc Suba, as its Vice-Chairperson. Recruitment of technical experts for ENISA?s operational tasks begins now, and the staff should be completed in the course of next year. After an initial setting-up period in Brussels, ENISA?s permanent seat will be in Heraklion (Greece).

• IT security culture must start from the top (vnunet.com)
  Senior executives need to help companies build an IT security-conscious culture from the top down, according to new research by Ernst & Young.Respondents to its Global Information Security Survey 2004 named lack of security awareness by users as the top obstacle to information security. But only 28 per cent of them listed raising employee information security awareness as a top initiative in 2004.

Issue no. 319 - 14 September 2004

• UK - Trust and security in IT are a critical area for debate, says DTI (Computing)
  Trust and security in IT and the internet is one of the critical areas for debate on emerging science and technology, according to the Department of Trade and Industry (DTI). Lord Sainsbury, minister for science and innovation, has launched a £ 1.2m grant scheme to increase debate on six key areas by funding projects that help the public and scientists to work together.

Issue no. 318 - 5 September 2004

• The tension between interoperability and information security (INDICARE)
  By: Ot Van Daalen, De Brauw Blackstone Westbroek, The Hague. Compulsory licensing of information security technology. Digital Rights Management (DRM) systems will become an important distribution channel for music and other content. Because of network effects and switching costs, DRM systems incline to dominance. In the absence of competition, one might consider having third party DRM providers offer parts of the system, in order to safeguard consumer interests. However, this might break the security of the system. A possible solution is to have dominant content providers compulsorily license their security technologies. This however, poses the question what can be considered a security technology and what not. Are, for example, skip-the-commercial buttons an information security technology or not? It should be content providers, not technology providers, who should decide on this distinction.

Issue no. 316 - 1 August 2004

• Bulk of year's PC infections pinned to one man (CNET News.com)
  Sven Jaschan, self-confessed author of the Netsky and Sasser viruses, is responsible for 70 percent of virus infections in 2004, according to a six-month virus roundup by antivirus company Sophos. The 18-year-old Jaschan was taken into custody in Germany in May by police who said he had admitted to programming both the Netsky and Sasser worms, something experts at Microsoft confirmed. (A Microsoft antivirus reward program led to the teenager's arrest.)

• Computer 'spy' that could clean you out (Guardian)
  Police battling to stay ahead in the war against online crime have unearthed a new threat to credit card holders and internet bank users. Tony Levene reveals how 'keystroke logging' works;

• MyDoom hits search engines (Guardian)
  An internet virus which infects computers by infiltrating search engines caused a crippling slowdown in online connections around the world. The world's most popular search engine, Google, stopped working for a time in parts of Britain, France and America. Rivals such as Yahoo, Lycos and Altavista were also affected. Experts said search engines were bombarded with requests generated by the MyDoom virus, which sends fake emails appearing to inform people that their mail has been returned. "

Issue no. 315 - 18 July 2004

• UK - Debunking six myths of biometrics (out-law.com)
  It's probably the hottest sector in the security field today. Yet the biometrics industry, which produces human-based identification systems, is weighed down with claims and counterclaims, fallacies and myths. Two years ago, OUT-LAW ran a story about the vulnerability of biometric products. Last month, we ran a report by a volunteer for the UK's trial of a biometric passport scheme. Today we present an article that was contributed to OUT-LAW by Russ Davis of ISL Biometrics, arguing against some of the criticisms faced by the technology.

more items

QuickLinks consists of

• a free newsletter appearing approximately every two to three weeks. The newsletter is distributed by electronic mail through an "announcement only" mailing list.
• a Web site with frequent updates, an events page, news items organised by category as well as chronologically by issue and full text search.