Category Archive

August 31, 2007

RBN (Russian Business Network)

Europe.view | A walk on the dark side | Economist.com

ACCORDING to VeriSign, one of the world’s largest internet security companies, RBN, an internet company based in Russia’s second city, St Petersburg, is “the baddest of the bad”. In a report seen by The Economist, VeriSign’s investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.

In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.

But the menace it poses certainly exists. “RBN is a for-hire service catering to large-scale criminal operations,” says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.

Plenty of other internet companies sail close to the wind—hosting unregulated online gambling for example. But according to a VeriSign investigator, “the difference is that RBN is solely criminal”. The pricing depends on the level of complaints. A discreet organisation pays little; one that attracts a lot of unwelcome attention, forcing RBN to take expensive countermeasures, has to pay more.


Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as “trojans” that sit inside a victim’s computer collecting passwords and other sensitive information and sending them to their criminal masters.

A favourite trick is to by-pass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a programme such as Corpse’s Nuclear Grabber, OrderGun and Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth.

RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank’s security director belonged. RBN-based cybercriminals replied by crashing the bank’s home-page for three days.

What can be done? VeriSign has tracked down the physical location of RBN’s servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. “RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks,” says VeriSign. The head of RBN goes under the internet alias “Flyman”; his uncle is thought to be a senior St Petersburg politician. Repeated e-mails to RBN’s purported contact addresses asking for comment have gone unanswered.

Companies can simply block access to any site registered at an RBN IP address. But that will not help most victims, such as those who receive infected e-mails. VeriSign says only strong political pressure on Russia will make the criminal justice system there deal with this glaring example of cyber-illegality.

August 31, 2007 at 03:17 PM in Security

March 16, 2006

The Conference Board Consumer Internet Barometer Finds More Consumers Are Filing Taxes Online

Consumer Internet Barometer - Economics - The Conference Board

March 15, 2006

Consumer Internet Barometer

More consumers are filing their taxes online and using do-it-yourself tax software, The Conference Board reports today.

Approximately 37 percent of consumers intend to file their 2005 federal taxes online, up from less than 28 percent just two years ago. Some 62 percent of these consumers have been filing online for more than three years, while only 9 percent are first-time filers. "Do-it-yourself" software has become much more popular and will be used by nearly 40 percent of filers. Most filers prefer receiving their refunds by direct deposit. Among consumers who filed online last year, nearly three-quarters chose to receive their refund by direct deposit.

Fewer consumers are looking directly to the IRS website to file their taxes. The IRS does offer a "Free File" option for some taxpayers on its website as part of its E-file program, but fewer than 19 percent of online filers intend to use this service to file their taxes, down from nearly 24 percent in 2004.

The Consumer Internet Barometer is produced by The Conference Board and TNS, the world's largest custom research company, and covers 10,000 households.

"Once consumers file online, they tend to stay online," says Lynn Franco, Director of The Conference Board Consumer Research Center. "The number of people filing their federal taxes online continues to grow with do-it-yourself software paving the way. This year, nearly an equal proportion of consumers will file online using tax software as will file online using a professional service."

The number-one reason cited for not filing online is that the consumer does not do his/her own taxes. In fact, the number of filers not doing their own taxes has risen from less than 30 percent in 2004 to 34 percent today. The second most popular reason for not filing online is that filers don't want their personal information on the Internet. However, the proportion of online consumers citing security concerns as a deterrent has abated over the past two years.

More Filers Are Using 'Do-It-Yourself' Tax Software

Among consumers intending to file their federal taxes online, about 40 percent intend to use a professional service, with women slightly more likely than men to seek assistance. The use of do-it-yourself tax software has made tremendous inroads in a short span of time. In 2004, less than 31 percent of male filers and only 28 percent of females used do-it-yourself tax software. Today, the software will be used by 38 percent of all male filers and 37 percent of females.

Among online tax filers last year, more than 72 percent chose to receive their refund via direct deposit and a mere 16 percent requested a check. Says Franco: "The turnaround time offered by direct deposit clearly makes it the preferred choice of online filers."

Consumers Still Uncomfortable With Online Banking

Nearly 52 percent of online consumers are extremely concerned about security when banking online, but the level has fallen from 62 percent in 2004.

At the other end of the anxiety barometer is the filing of federal taxes online. Only 43 percent of web surfers feel the same degree of apprehension about filing their federal taxes online. But more people are getting comfortable with this process. Just two years ago, 52 percent of online consumers were extremely concerned about filing online.

Women are generally more concerned than men about security when conducting financial transactions online. But the gender gap has narrowed and both sexes are less concerned today than they were in 2004.

"It is not surprising that we still see high levels of wariness about the security of banking and filing taxes online," says David Stark, North America Privacy Officer of TNS.

"Many Americans are alarmed by Internet scams and media reports of data security breaches. The easing up in concern levels is encouraging, however, as it suggests that consumers are not only more familiar with banking and filing taxes online, but also increasingly aware of how to protect themselves on the Web," Stark added.

About This Survey:

The Consumer Internet Barometer is based on a quarterly survey of 10,000 households. A unique sample is surveyed each quarter. Return rates average 70 percent, which ensures highly representative data. Data is weighted as well to reflect the latest U.S. household demographic information. The latest survey was conducted during the first quarter of 2006. For more information, please email f.tortorici@conference-board.org or lynn.franco@conference-board.org.

About TNS

TNS, a market information group, is the world's largest custom research company. TNS operates a global network spanning 70 countries and employs over 13,000 people. We provide market information and measurement, together with insights and analysis, to local and multinational organizations.

In the U.S., TNS combines specialist sector knowledge with expertise in the areas of new product development, market understanding, brand and advertising research and stakeholder management to bring our clients up-to-the minute, internationally consistent information. Additionally, we provide the industry's most trusted consumer access panel. We think differently to help our clients build a competitive advantage, making TNS the sixth sense of business. www.tns-global.com.

For further information contact:
Lynn Franco
at (1) 212 339 0344
lynn.franco@conference-board.org

March 16, 2006 at 12:35 AM in Security

March 14, 2006

Lessons to Learn From Citi Data Breach

The blame is being placed firmly on the merchant here (originally indicated to be OfficeMax, but now unspecified?). This explanation seems all too simple, but perhaps it is that simple.

In order for this to be the case, the merchant would have to be storing:
a) PIN
b) complete replica of the mag strip data

I still suspect there is more to it, in what is clearly an inside job.

However, if that is all there is to it, then ...

Relevance to Bankwatch:

  • Banks have to be accountable for the data that is shared with private networks and merchants; it's unacceptable to blame all the links in the chain, because there are so many.
  • Customers will (rightly) look to the issuing bank to protect their information.
  • Technology allows for sufficient data sharing to complete a transaction without sharing all of the customer's authentication credentials (e.g. public key encryption). Anything short of that is technological laziness.

Lessons to Learn From Citi Data Breach
Yet experts say two important points to keep in mind when examining this situation are
1) the breach occurred at a third party, not the bank, and
2) this incident is not about PIN technology itself, but the way the data was stored.

"This issue isn't about the [strength] of PINs—it's about the merchants and how they store this data," says Bruce Cundiff, an analyst with Pleasanton, Calif.-based Javelin Strategy & Research.

Jon Gossels, founder of SystemExperts (Sudbury, Mass.), agrees. "PIN wasn't the problem [in the Citibank case]. Having a card and typing a PIN is perfectly adequate authentication," he says. "It was the data that was stolen internally."

March 14, 2006 at 11:51 PM in Security

February 16, 2006

Some companies helped the NSA, but which?

Some companies helped the NSA, but which? | CNET News.com

By Declan McCullagh and Anne Broache
Staff Writer, CNET News.com
Published: February 6, 2006, 4:00 AM PST

This is the first in a two-part series. Part two offers a glimpse at the technical details of how the National Security Agency's electronic surveillance system seems to work.

Even after the recent scrutiny of the National Security Agency's domestic surveillance project approved by President Bush, an intriguing question remains unanswered: Which corporations cooperated with the spy agency?

Some reports have identified executives at "major telecommunications companies" who chose to open their networks to the NSA. Because it may be illegal to divulge customer communications, though, not one has chosen to make its cooperation public.

Under federal law, any person or company who helps someone "intercept any wire, oral, or electronic communication"--unless specifically authorized by law--could face criminal charges. Even if cooperation is found to be legal, however, it could be embarrassing to acknowledge opening up customers' communications to a spy agency.

A survey by CNET News.com has identified 15 large telecommunications and Internet companies that are willing to say that they have not participated in the NSA program, which intercepts e-mail and telephone calls without a judge's approval.

Twelve other companies that were contacted and asked identical questions chose not to reply, in some cases citing "national security" as the reason.

Those results come amid a push on Capitol Hill for more information about the NSA's wiretapping practices. On Monday, Attorney General Alberto Gonzales is expected to testify at a Senate Judiciary Committee hearing, and President Bush and his closest allies have been stepping up their defense of the program in preparation for it.

To be sure, there are a number of possible explanations for the companies' silence. In some cases, a company's media department could have been overworked. Another possibility is the company's lawyers were unavailable or chose not to reply for unknown reasons.

Also, some survey recipients, such as NTT Communications, responded with a general statement expressing compliance "with law enforcement requests as permitted and required by law" rather than addressing the question of NSA surveillance.

A lawsuit that could yield more details about industry cooperation is winding its way through the federal courts. Last week, the Electronic Frontier Foundation, a civil liberties group based in San Francisco, sued AT&T after a report that the company had shared its customer records database--though not its network--with the NSA.

AT&T would not respond when asked whether it participated. An AT&T spokesman, Dave Pacholczyk, said: "We don't comment on matters of national security."

The News.com survey, started Jan. 25, found that wireless providers and cable companies were the most likely to distance themselves from the NSA. Cingular Wireless, Comcast, Cox Communications, Sprint Nextel and T-Mobile said they had not turned over information or opened their networks to the NSA without being required by law.

Companies that are backbone providers, or which operate undersea cables spanning the ocean, were among the least likely to respond. AT&T, Cable & Wireless, Global Crossing, Level 3, NTT Communications, SAVVIS Communications and Verizon Communications chose not to answer the questions posed to them.

The New York Times reported on Dec. 24 that the NSA has gained access to switches that act as gateways at the borders between the United States' communications networks and international networks. But "the identities of the corporations involved could not be determined," the newspaper added.

At the water's edge
Analysts and historians who follow the intelligence community have long said the companies that operate submarine cables--armored sheaths wrapped around bundles of fiber optic lines--surreptitiously provide access to the NSA.

"You go to Global Crossing and say...once your cable comes up for air in New Jersey or on the coast of Virginia, wherever it goes up, we want to put a little splice in, thank you very much, which NSA can do," said Matthew Aid, who recently completed the first volume in a multiple-volume history of the NSA. "The technology of getting access to that stuff is fairly straightforward."

Aid was citing Global Crossing as an example, not singling it out. Global Crossing describes itself as an Internet backbone network that shuttles traffic for about 700 telecommunications carriers, mobile operators and Internet service providers. According to the International Cable Protection Committee, the company has full or partial ownership of several trans-Atlantic and trans-Pacific cables.

Global Crossing spokesman Tom Topalian said "99 percent of wiretapping is done at a local phone company level" instead of at backbone providers. Topalian declined to answer questions about NSA access, and added: "All U.S. carriers have to comply with the CALEA act, and Global Crossing complies with CALEA." (CALEA is a 1994 federal law requiring certain telecommunications providers to make their networks wiretap-friendly for domestic law enforcement, not intelligence agencies.)

Rep. John Conyers, D-Mich., last month sent a letter (click for PDF) to companies including Google, Yahoo, EarthLink, Verizon and T-Mobile asking them if they cooperated with the NSA. News.com asked similar questions, but expanded the number of companies to include backbone and submarine cable providers.

Among the companies that responded, some offered far more detail than others. Les Seagraves, EarthLink's chief privacy officer, said: "We've never even been asked to give information without the benefit of a subpoena or a court order behind it. And our policy is to require a subpoena or court order, basically to require a court of law behind the inquiry."

"We're very interested in protecting our customers' privacy and balancing that with our duties to comply with the law," Seagraves added. "Our way to balance that is to definitely make sure we have a valid legal request before we release any information."

Comcast spokesman Tim Fitzpatrick said the company "will only provide customer information pursuant to a valid court order and only if Comcast's records contain information sufficient to identify the customer account on the (date or dates) listed in the court order."

A representative of Cox Communications, David Grabert, said: "Cox has never received a request for information or a wiretap that was not accompanied by a warrant."

NSA's history of industry deals
Louis Tordella, the longest-serving deputy director of the NSA, acknowledged to overseeing a similar project to intercept telegrams as recently as the 1970s. It relied on the major telegraph companies including Western Union secretly turning over copies of all messages sent to or from the United States.

"All of the big international carriers were involved, but none of 'em ever got a nickel for what they did," Tordella said before his death in 1996, according to a history written by L. Britt Snider, a Senate aide who became the CIA's inspector general.

The telegraph interception operation was called Project Shamrock. It involved a courier making daily trips from the NSA's headquarters in Fort Meade, Md., to New York to retrieve digital copies of the telegrams on magnetic tape.

Like today's eavesdropping system authorized by Bush, Project Shamrock had a "watch list" of people in the U.S. whose conversations would be identified and plucked out of the ether by NSA computers. It was intended to be used for foreign intelligence purposes.

Then-President Richard Nixon, plagued by anti-Vietnam protests and worried about foreign influence, ordered that Project Shamrock's electronic ear be turned inward to eavesdrop on American citizens. In 1969, Nixon met with the heads of the NSA, CIA and FBI and authorized a program to intercept "the communications of U.S. citizens using international facilities," meaning international calls, according to James Bamford's 2001 book titled "Body of Secrets."

Nixon later withdrew the formal authorization, but informally, police and intelligence agencies kept adding names to the watch list. At its peak, 600 American citizens appeared on the list, including singer Joan Baez, pediatrician Benjamin Spock, actress Jane Fonda and the Rev. Martin Luther King Jr.

Details about Project Shamrock became public as part of a Senate investigation of the NSA. Telegraph companies participating in the program initially balked when questioned by Senate investigators. But documents turned over by the NSA "cast doubt on the veracity of the companies' claims that they could find no documentation pertaining to Shamrock," wrote Snider. "After all, this had concerned the highest levels of their corporate management for at least four years."

Another apparent example of NSA and industry cooperation became public in 1995. The Baltimore Sun reported that for decades NSA had rigged the encryption products of Crypto AG, a Swiss firm, so U.S. eavesdroppers could easily break their codes.

The six-part story, based on interviews with former employees and company documents, said Crypto AG sold its compromised security products to some 120 countries, including prime U.S. intelligence targets such as Iran, Iraq, Libya and Yugoslavia. (Crypto AG disputed the allegations.)

"Only a very few top executives"
The extent of the NSA's surveillance project in operation today remains unclear. Attorney General Gonzales has stressed that the program intercepts e-mail and phone conversations only when "one party to the communication is outside the United States."

In his book titled "State of War," New York Times reporter James Risen wrote: "The NSA has extremely close relationships with both the telecommunications and computer industries, according to several government officials. Only a very few top executives in each corporation are aware of such relationships."

Tapping into undersea copper and fiber-optic cables where they make landfall would be one way to create a virtual web of surveillance that can snare Internet packets or voice communications when they traverse U.S. borders. One benefit for the government is that one participant in the conversation is likely to be overseas--permitting Gonzales and the NSA to stress the interception's international nature.

Another method would be to seek the cooperation of backbone providers with networks entirely within the United States. That could be done with a tap hooked up to the switches at a telephone company or backbone provider, said Phill Shade, a network engineer for WildPackets who is the company's director of international support services. WildPackets sells network analysis software.

"The tap essentially splits off a copy of the traffic--it would literally take a copy of all the traffic as it moves through the wire," Shade said. "Picture a capital letter 'Y' in your head...One copy goes back out the regular wire on the right side of the wire, and the copy you're interested in splitting goes off the left side of the Y to you. These are very common networking devices, used in networks all over the world."

The tap's exact location may matter. Sen. Arlen Specter, a Pennsylvania Republican who is convening Monday's hearing, has asked Gonzales to respond to a series of questions about the legality of the program. One question Specter is posing: If intercepted calls are "routed through switches which were physically located on U.S. soil, would that constitute a violation of law or regulation restricting NSA from conducting surveillance inside the United States?"

Who's helping the NSA?

CNET News.com asked telecommunications and Internet companies about cooperation with the Bush administration's domestic eavesdropping scheme. We asked them: "Have you turned over information or opened up your networks to the NSA without being compelled by law?"
Company                      Response
Adelphia Communications      Declined comment
AOL Time Warner              No [1]
AT&T                         Declined comment
BellSouth Communications     No
Cable & Wireless*            No response
Cablevision Systems          No
CenturyTel                   No
Charter Communications       No [1]
Cingular Wireless            No [2]
Citizens Communications      No response
Cogent Communications*       No [1]
Comcast                      No
Cox Communications           No
EarthLink                    No
Global Crossing*             Inconclusive
Google                       Declined comment
Level 3*                     No response
Microsoft                    No [3]
NTT Communications*          Inconclusive [4]
Qwest Communications         No [2]
SAVVIS Communications*       No response
Sprint Nextel                No [2]
T-Mobile USA                 No [2]
United Online                No response
Verizon Communications       Inconclusive [5]
XO Communications*           No [1]
Yahoo                        Declined comment

* = Not a company contacted by Rep. John Conyers.
[1] The answer did not explicitly address NSA but said that compliance happens only if required by law.
[2] Provided by a source with knowledge of what this company is telling Conyers. In the case of Sprint Nextel, the source was familiar with Nextel's operations.
[3] As part of an answer to a closely related question for a different survey.
[4] The response was "NTT Communications respects the privacy rights of our customers and complies fully with law enforcement requests as permitted and required by law."
[5] The response was "Verizon complies with applicable laws and does not comment on law enforcement or national security matters."

February 16, 2006 at 08:25 AM in Security

Yahoo on NSA surveillance: No comment

Yahoo on NSA surveillance: No comment | CNET News.com

By Declan McCullagh
Staff Writer, CNET News.com
Published: February 15, 2006, 1:55 PM PST

Under cross-examination during a congressional hearing, Yahoo's top lawyer refused on Wednesday to say whether the company opens its records for government surveillance without a court order.

Michael Callahan, Yahoo's senior vice president and general counsel, declined five times to answer that question from Rep. Brad Sherman, a California Democrat who was probing whether the Internet company had cooperated with the National Security Agency's domestic surveillance efforts.

"It wouldn't be appropriate for me to comment," said Callahan, who was testifying under oath. He added that Yahoo would "only turn over information if it's required by law."

But Callahan refused to say whether a demand from the NSA--not backed by a court order--qualifies as required by law.

No law or regulation prohibits Yahoo from answering the question. In a survey published last week by CNET News.com, companies as varied as BellSouth, Comcast, EarthLink and T-Mobile answered in the negative. Rep. John Conyers, a Michigan Democrat, has posed similar questions to those companies, and AT&T has been sued for allegedly turning information over to the NSA in violation of privacy laws.

Sherman, who represents the San Fernando Valley near Los Angeles, is a Harvard Law graduate who was known as a stickler for detail while a lawyer in private practice. He's been critical of the NSA surveillance program, and said last week that President Bush's recent claims about terrorists planning to attack a Los Angeles skyscraper were a political stunt.

Below is a transcript, edited for clarity, of Wednesday's exchange that took place during a House of Representatives hearing about China and the Internet.

Rep. Brad Sherman: Let's say you get a call from the NSA saying they want you to give them a copy of all my e-mails. Can I rely on your privacy policy that you're not going to give those e-mails to the NSA unless you get a court order?

Yahoo General Counsel Michael Callahan: We would only disclose information in compliance with law and our privacy policy.

Sherman: Does that include a court order or letter from the NSA?

Callahan: I wouldn't be able to comment.

Sherman: The attorney general says the executive branch, without any OK from either of the other two branches, has the right to read everything you have in your files about me. You might very well agree?

Callahan: It wouldn't be appropriate for me to comment.

Sherman: How can I be a Yahoo user?... If you tell me you'll decide later if a sheriff in some obscure county (that I've never visited can obtain access to my files based on a simple request?)

Callahan: We only turn over information if it's required by law.

Sherman: An investigation from some county that I've never been to?

Callahan: If we were served with proper legal process, we would have to give it.

Sherman: Sir, you're assuming the answer to the question and pretending that's an answer. I'm asking you, as the chief lawyer from Yahoo, is e-mail from some sheriff...is that a requirement that you would adhere to or would you fight it in court?

Callahan: That is not something we would provide.

Sherman: How about if it came from the NSA?

Callahan: (I can't comment on that.)

February 16, 2006 at 08:23 AM in Security

February 14, 2006

VeriSign Introduces VeriSign® Identity Protection (VIP) To Protect Consumer Online Identities

VeriSign Introduces VeriSign® Identity Protection To Protect Consumer Online Identities from VeriSign, Inc.

PayPal, eBay and Yahoo! To Join Shared Authentication Network As Strategic Anchor Tenants; Motorola and SanDisk To Lend Technology Support

MOUNTAIN VIEW, CA., February 13, 2006 – VeriSign, Inc., (NASDAQ: VRSN), the leading provider of intelligent infrastructure services for Internet and telecommunications networks, today announced the launch of VeriSign® Identity Protection (VIP), a comprehensive solution that will help provide identity protection for consumers who conduct business online. VIP is supported by several leading online companies, including PayPal, eBay and Yahoo!. In addition, technology partner SanDisk has announced plans to support VIP by manufacturing and distributing OATH compliant USB mass-storage and trusted flash devices, while Motorola plans to lend its support in enabling this technology on consumer mobile devices.

A recent report by the Federal Trade Commission found that 37 percent of all Internet fraud complaints filed dealt with identity theft. Additionally, Gartner research vice president Avivah Litan noted in her report “Credit Report and Internet Data Theft Results in More Fraud in 2005” that, among those surveyed, financial losses resulting from information stolen off the Internet totaled $2.7 billion.

VIP is a modern approach to combating digital identity theft targeted for both consumers and online services that demand better identity protection without sacrificing the convenience of everyday Web lifestyles. VIP will allow consumers to use a single security device to authenticate themselves across any future VIP-enabled Web site of network members, such as PayPal, eBay or Yahoo!. VIP will make it simpler and more cost-effective for online companies such as financial institutions, ISPs or e-commerce sites to implement stronger authentication by leveraging a shared infrastructure and enabling everyday devices to become authentication devices.

VIP will take a layered approach to Identity Protection by providing a comprehensive set of services enhanced by network intelligence. It will include the following components:

o Shared Authentication Network: Operated by VeriSign, the VIP Network will allow online service providers and enterprises to accept the same VIP authentication credentials as other participating members of the network. The VIP Network will enable consumers to utilize a single, OATH-compliant strong authentication credential, no matter the form, across any of the VIP-enabled Web sites of network members.
o Multi-factor Authentication: The VIP Authentication Service is a flexible, easy-to-deploy two-factor authentication solution that will facilitate the management of devices distributed to end-users. It will be based on open standards defined by OATH, an industry-wide working group for authentication. These open standards will allow VIP authentication to deliver an unprecedented array of credential choices for consumers.
o Fraud Detection: Using advanced anomaly detection technology, the service will monitor logins and transactions and detect fraud in real time to enable risk-based authentication. To catch both known and unknown fraud, the service will combine a policy engine with a self-learning anomaly detection engine. This non-intrusive approach will not require any change to a Web site and will remain invisible to the consumer until a fraud is detected.
o Fraud Intelligence Network: The fraud intelligence network, which VeriSign intends to make available in the summer of 2006, will allow the sharing of critical fraud data and signatures across VIP-enabled Web sites of network members. The VIP Fraud Intelligence Network will leverage VeriSign’s unique visibility gleaned from the operation of core Internet technologies.

VeriSign intends to add additional services in the summer of 2006 including the VeriSign VIP portal, which will allow consumers to obtain, for VIP-enabled authentication devices, first-level support directly from VeriSign.

In addition to VeriSign, PayPal has agreed to become the first device issuer for the VIP network. Yahoo! plans to join the VIP network as a founding member and anchor tenant, enabling the use of VIP devices on any of its VIP-enabled Web sites. In order to deliver strong authentication devices across a large user base, VeriSign has also signed key technology partnerships that will embed one-time password algorithms into common, everyday devices. SanDisk intends to embed OATH-compliant One-Time Passwords (OTP) into its mass-storage and trusted flash devices, while Motorola is endorsing VIP's shared network authentication approach to protecting online identities and its proliferation to consumers.
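The "OATH-compliant" credential the release keeps referring to is, in early 2006, the HOTP algorithm of RFC 4226: HMAC-SHA-1 over an event counter, dynamically truncated to a short decimal code. The Python below is an added example, not VeriSign's, OATH's or any partner's code. It implements HOTP, a validation-side check that refuses replays and resynchronises within a look-ahead window, and a small model of the shared-network idea in the component list above, where relying parties send a credential ID and code to one validation service that alone holds the secret. The credential ID, the site names and the demo secret (the RFC 4226 test key) are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter: HMAC-SHA-1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, then the low
    `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpCredential:
    """Validation-side state for one issued token: the shared secret and the
    last counter that was accepted. A code is accepted only if it matches a
    counter strictly greater than the last accepted one, within a look-ahead
    window, so a replayed code fails and a token whose button was pressed a
    few times without logging in still resynchronises."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = -1  # nothing accepted yet; the first valid code is counter 0

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter + 1, self.counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate
                return True
        return False


class SharedAuthNetwork:
    """Model of the shared validation service: secrets live only here, and
    relying parties (hypothetical site names in the demo) send a credential
    ID plus code and get back a yes/no. The same token therefore works at
    every member site without any site holding the secret. A six-digit code
    with a ten-counter window gives an attacker roughly a 1-in-100,000 chance
    per guess, so a real service must also rate-limit failures per credential."""

    def __init__(self) -> None:
        self._credentials: dict[str, HotpCredential] = {}

    def issue(self, credential_id: str, secret: bytes) -> None:
        self._credentials[credential_id] = HotpCredential(secret)

    def validate(self, relying_party: str, credential_id: str, code: str) -> bool:
        cred = self._credentials.get(credential_id)
        if cred is None:
            return False
        return cred.verify(code)


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, hypothetical credential ID and sites.
    secret = b"12345678901234567890"
    network = SharedAuthNetwork()
    network.issue("VSMT0001", secret)
    print("first use :", network.validate("paypal.example", "VSMT0001", hotp(secret, 0)))
    print("replay    :", network.validate("ebay.example", "VSMT0001", hotp(secret, 0)))
    print("skip ahead:", network.validate("yahoo.example", "VSMT0001", hotp(secret, 3)))
```

The validator advances its counter to the one that matched, so an earlier, unused code can never be presented later; that is the property that makes a counter-based OTP safe against the keyloggers and phishing kits the release mentions, as long as the code is consumed before the attacker replays it.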

“With the increase in both the frequency and sophistication of malicious online activities such as phishing and identity theft, a fresh approach is needed to protect consumers as they conduct business online,” said Judy Lin, executive vice president and general manager, VeriSign Security Services. “VeriSign Identity Protection will provide a new means to protect consumer identities, combining multi-factor authentication, a shared network of information and intelligence and actionable fraud monitoring. With our partners, the VIP service will provide end-users with easy-to-purchase and easy-to-deploy multi-factor authentication.”

VIP will be available directly from VeriSign, or through any of the service providers participating in the VIP Network. Elements of VIP, including strong authentication and shared authentication network capabilities, are available today, with additional capabilities being added this summer. For more information, please go to: http://www.verisign.com/dm/vip

SUPPORT QUOTES FOR VIP

eBay/PayPal
“Online security is central to everything we do at eBay and PayPal, so we are pleased to be working with VeriSign as one of the first members of the VIP Network.”
-- Rob Chesnut, Senior Vice President of Trust and Safety, eBay and PayPal.

Yahoo!
“Yahoo! has always been focused on providing consumers with the safest Internet experience possible. We continuously look for ways to meet our users’ evolving needs and are proud to participate in the VIP Network. We look forward to delivering added security for our customers through this innovative industry standard solution.”
-- Ash Patel, Chief Product Officer, Yahoo!

Motorola
“As mobile data experiences increase in richness and complexity, so does the need to protect them. No one wants to suffer the consequences of identity theft, so security is critical to gaining consumer acceptance of new mobile data services. VeriSign and Motorola share a vision for mobile security, and we look forward to supporting VIP and working together to bring consumers stronger protection for their online identities in the mobile world.”
-- Christy Wyatt, Vice President, Ecosystem and Market Development, Motorola.

SanDisk
“The addition of strong authentication services from VeriSign will greatly augment the extensive storage capabilities of our SanDisk devices and provide a level of ‘out of the box’ consumer online identity protection. Through our partnership with VeriSign, our flash devices will contain a capability previously unavailable – at no additional cost to consumers.”
-- Carlos Gonzalez, Senior Director of Consumer Marketing, SanDisk Corporation

About VeriSign
VeriSign, Inc. (Nasdaq: VRSN), operates intelligent infrastructure services that enable and protect billions of interactions every day across the world’s voice and data networks. Additional news and information about the company is available at www.verisign.com.

For more information, contact:
VeriSign Media Relations: Brendan P. Lewis, brlewis@verisign.com, 650-426-4470
VeriSign Investor Relations: Tom McCallum, tmccallum@verisign.com, 650-426-3744

Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as the risk that VeriSign's announced strategic relationships, including the relationships with PayPal, eBay, Yahoo!, SanDisk and Motorola, may not result in additional products, services, customers, profits or revenues; and increased competition and pricing pressures. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2004 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.

February 14, 2006 at 12:59 PM in Security

February 11, 2006

U.S. Concludes 'Cyber Storm' Mock Attacks

U.S. Concludes 'Cyber Storm' Mock Attacks - Yahoo! News

By TED BRIDIS, Associated Press Writer Fri Feb 10, 4:42 PM ET

WASHINGTON - The government concluded its "Cyber Storm" wargame Friday, its biggest-ever exercise to test how it would respond to devastating attacks over the Internet from anti-globalization activists, underground hackers and bloggers.

Bloggers?

Participants confirmed parts of the worldwide simulation challenged government officials and industry executives to respond to deliberate misinformation campaigns and activist calls by Internet bloggers, online diarists whose "Web logs" include political rantings and musings about current events.

The Internet survived, even against fictional abuses against the world's computers on a scale typical for Fox's popular "24" television series. Experts depicted hackers who shut down electricity in 10 states, failures in vital systems for online banking and retail sales, infected discs mistakenly distributed by commercial software companies and critical flaws discovered in core Internet technology.

Some mock attacks were aimed at causing a "significant cyber disruption" that could seriously damage energy, transportation and health care industries and undermine public confidence, said George Foresman, an undersecretary at the Homeland Security Department.

There was no impact on the real Internet during the weeklong exercise. Government officials from the United States, Canada, Australia and England and executives from Microsoft, Cisco, Verisign and others said they were careful to simulate attacks only using isolated computers, working from basement offices at the Secret Service's headquarters in downtown Washington.

The Homeland Security Department promised a full report on results from the exercise by summer.

Foresman likened his agency's role during any Internet attack to an orchestra conductor, coordinating responses from law enforcement, intelligence agencies, the military and private firms. The government's goal is a "symphony of preparedness," Foresman said.

Homeland Security coordinated the exercise. More than 115 government agencies, companies and organizations participated. They included the White House National Security Council, Justice Department, Defense Department, State Department, National Security Agency and CIA, which conducted its own cybersecurity exercise called "Silent Horizon" last May.

An earlier cyberterrorism exercise called "Livewire" for Homeland Security and other federal agencies concluded there were serious questions over government's role during a cyberattack depending on who was identified as the culprit — terrorists, a foreign government or bored teenagers.

It also questioned whether the U.S. government would be able to detect the early stages of such an attack without significant help from private technology companies.

___

On the Net:

Department of Homeland Security: http://www.dhs.gov

February 11, 2006 at 12:09 PM in Security

January 06, 2006

PassMark Security appoints Kim MacPherson VP of engineering

Finextra: PassMark Security appoints Kim MacPherson VP of engineering

PassMark Security, the leading developer of authentication solutions for consumer ecommerce, announced the expansion of its world-class engineering management team with the addition of Kim MacPherson as vice president of engineering.

For the past five years, MacPherson was vice president of engineering at Securify, where she built network security platforms deployed in ultra-high-security environments in the federal government's military and espionage agencies. Previously, she built secure financial services applications at Intuit, including electronic tax filing systems.

MacPherson joins a product development executive team with extraordinary experience and depth:

Louie Gasparini, CTO, was SVP Internet Transaction Systems at Wells Fargo for many years, where he helped build Wells' pioneering online banking platform.

Charley Chell, director of engineering, managed development teams at CyberSource, a leading payment processing and fraud screening provider for Internet merchants.

William Wright, PhD, chief scientist, was lead architect of both the world's leading back-end credit card fraud detection system (HNC's Falcon system) and a leading front-end credit card fraud detection system (CyberSource's AFS system).

PassMark's system is the preeminent consumer-based online authentication solution in the market today. In its year-end cover story, BusinessWeek named it one of the "25 Best Products of 2005." Installed at major financial institutions such as Bank of America, it is currently deployed to more than 10 million users, and will roll out to more than 20 million users by the end of the first quarter.

"PassMark pioneered the category of tokenless two-factor authentication," said Louie Gasparini. "With the FFIEC's recent endorsement of two-factor for all U.S. banks, we're gearing up to manage rapidly rising demand based on the market's acceptance of our innovative approach. Experience counts when you're building and installing high-scale, mission-critical systems. Kim has exactly that experience."

January 6, 2006 at 12:49 AM in Security

January 05, 2006

Bank of America extends SiteKey security to Northeast states

Finextra: Bank of America extends SiteKey security to Northeast states

An Online Banking security feature that helps prevent fraud and identity theft expanded to the Northeast in December, Bank of America announced today.

The free service, called SiteKey, provides an extra level of authentication to enhance security. Customers pick one of thousands of images, write a brief phrase and select three challenge questions. The customer and the bank pass that information securely back and forth to confirm each other's identity.

Using SiteKey is like getting a safe deposit box that takes two keys to open. Before the customer and the bank agree to open the box together, they confirm each other's identity. Industry experts have recognized the bank as the first major financial services company to provide this added level of security.

Bank of America has the most online banking customers in the world, with 14.6 million subscribers and 7.2 million online bill payers. Bank of America customers make up more than 34 percent of all online bankers and more than 58 percent of online banking bill payers in the United States.

The most recent states to receive SiteKey were Connecticut, Massachusetts, Maine, New Hampshire, New Jersey, New York, Pennsylvania and Rhode Island. SiteKey is now available throughout the country, except in Washington and Idaho, where it will launch later this year. The free service is moving from an optional to a standard part of sign-in. Customers will be told about the change through onscreen messages in advance.

"We're the first major bank to offer this extra level of protection and we're making it a standard part of signing in to help protect all of our Online Banking customers from fraud and identity theft," said Sanjay Gupta, e-Commerce executive. "Signing up for SiteKey only takes a few minutes, and it's easy to use because you don't need extra hardware or other equipment."

Also in December, the bank took an additional security step to help customers identify fraudulent Web sites by posting the Bank of America Toolbar, powered by EarthLink, on the home page for free. The toolbar provides an icon that changes colors as the consumer surfs the Internet, letting the person know with a red, yellow or green symbol whether they've landed on what could be a dangerous Web site. It also alerts consumers before they go to a Web page that is on a list of known phisher sites. The toolbar also includes a pop-up blocker tool, which prevents advertising windows from appearing in the consumer's main browser window.

SiteKey and the Bank of America Toolbar are part of an umbrella of security measures that includes a zero liability guarantee that protects customers from fraud losses, two-tiered authentication for funds transfers, and the capability for customers to stop receiving paper statements to reduce risks associated with sending sensitive information through the mail.

Bank of America also has enhanced the privacy and security sections of its Web site to include more tips about online and offline security.

January 5, 2006 at 10:40 PM in Security

December 31, 2005

Cyber Security Bulletin 2005 Summary

US-CERT Cyber Security Bulletin SB2005 -- Cyber Security Bulletin 2005 Summary

Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

This bulletin provides a year-end summary of software vulnerabilities that were identified between January 2005 and December 2005. The information is presented only as an index with links to the US-CERT Cyber Security Bulletin in which the information was published. There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating system vulnerabilities; and 2058 multiple operating system vulnerabilities.

Vulnerabilities

* Windows Operating System
* Unix/Linux Operating System
* Multiple Operating System

Windows Operating Systems

* 1Two Livre d'Or Input Validation Errors Permit Cross-Site Scripting
* 3Com 3CDaemon Multiple Remote Vulnerabilities
* 3Com 3CDaemon Multiple Remote Vulnerabilities (Updated)
* 3Com 3CDaemon Multiple Remote Vulnerabilities (Updated)
* 3Com 3CServer FTP Command Buffer Overflows
* 3Com Network Supervisor File Disclosure
* 7-Zip Arbitrary Code Execution
* Aaron Outpost ASP Inline Corporate Calendar Permits Remote SQL Injection
* Absolute Image Gallery XE Cross-Site Scripting
* Absolute Shopping Package Solutions Shopping Cart Cross-Site Scripting
* Access Remote PC Password Disclosure
* Acidcat CMS SQL Injection Vulnerability
* ACNews Information Disclosure
* Acoo Browser Javascript Spoofing
* Acrobat Reader Invalid-ID-Handle-Error Remote Code Execution Vulnerability
* Active News Manager Username and Password SQL Injection
* ActiveBuyandSell SQL Injection and Cross-Site Scripting
* ActiveWeb Active Auction House SQL Injection and Cross-Site Scripting Vulnerability
* Acuity CMS Cross-Site Scripting
* Acute Website Incorporated PeerFTP_5 FTP Password Disclosure
* Adaptive Hosting Solutions ProductCart Cross-Site Scripting and SQL Injection Vulnerabilities
* Adobe Acrobat and Reader File Discovery
* Adobe Acrobat and Reader File Discovery (Updated)
* Adobe Acrobat Reader Invalid-ID-Handle-Error Remote Code Execution (Updated)
* Adobe License Management Service Elevated Privilege Vulnerability
* Adobe SVG Viewer Lets Remote Users Determine if Files Exist
* Advanced Browser Javascript Spoofing
* Advanced Communications Hosting Controller Lets Remote Users Create User and Host Accounts
* Adventia Chat Cross-Site Scripting Vulnerabilities
* aeNovo Information Disclosure
* aeNovo SQL Injection or Cross-Site Scripting
* A-FAQ SQL Injection
* AhnLab V3 Antivirus Arbitrary Code Execution
* AhnLab V3 DeviceIoControl Multiple Vulnerabilities
* Allinta Cross-Site Scripting
* Altiris Deployment Solution AClient Security Bypass
* Alt-N MDaemon and WorldClient Denial of Service
* Alt-N MDaemon Directory Traversal and Arbitrary File Writing
* Alt-N Technologies MDaemon Denial of Service
* Alt-N WebAdmin Multiple Remote Vulnerabilities
* ALWIL avast! antivirus May Fail to Detect Certain Viruses
* ALWIL Software Avast! Antivirus Aavmker4 Device Driver Elevated Privileges
* ALZip Arbitrary Code Execution
* ALZip Unauthorized System Control
* AM Browser Javascript Spoofing
* AMAX Information Technologies, Inc. Magic Winmail Server Input Validation
* Amp II 3D Game Engine Remote Denial of Service
* AN HTTP Server 'cmdIS.DLL' Buffer Overflow Arbitrary Code Execution and Cross-Site Scripting Vulnerability
* AOL Instant Messenger Buddy Icon Remote Denial of Service (Updated)
* AOL Instant Messenger Smiley Icon Location Remote Denial Of Service Vulnerability
* APG Technology ClassMaster Folder Access Vulnerability
* Apple Darwin Streaming Server Denial of Service
* Apple iTunes Arbitrary Code Execution
* Apple QuickTime for Windows Denial of Service Vulnerability
* Apple 'quicktime.qts' Error in Parsing 'qtif' Images Remote Denial of Service
* Ares Arbitrary Code Execution
* ArGoSoft FTP Server 'DELE' Command Remote Buffer Overflow
* ArGoSoft FTP Server 'DELE' Command Remote Buffer Overflow (Updated)
* ArGoSoft FTP Server Discloses Username Status to Remote Users
* ArGoSoft FTP Server 'SITE COPY' Shortcut File
* Argosoft Mail Server Cross-Site Scripting and Script Insertion Vulnerabilities
* ArGoSoft Mail Server Directory Traversals
* ASP Fast Forum Cross Site Scripting
* ASP Knowledgebase SQL Injection Vulnerability
* ASP Nuke SQL Injection and Cross Site Scripting
* Asp Press ACS Blog Access Vulnerability
* ASP Resources Forum SQL Injection
* ASPBB Information Disclosure
* aspclick.it ACNews Administrative Access Vulnerability
* ASP-DEV XM Forum Cross Site Scripting
* ASP-DEV XM Forum Cross-Site Scripting Vulnerability
* ASPJar Guestbook Input Validation
* ASPjar Guestbook SQL Injection
* ASPMForum SQL Injection
* ASPNuke Cross Site Scripting
* ASPPlayground .NET Arbitrary Upload
* asppress ACS Blog Cross-Site Scripting Vulnerability
* aspReady FAQ Manager SQL Injection
* ASP-Rider SQL Injection
* Asus VideoSecurity Online Directory Traversal or Information Disclosure
* atrium software Mercur Messaging Multiple Vulnerabilities
* Avant Browser Dialog Box Origin Spoofing
* Avast! antivirus Arbitrary Code Execution
* Avaya CMS FTP Daemon Wildcard Denial of Service
* AVIRA Antivirus Arbitrary Code Execution
* BakBone NetVault Buffer Overflows Permit Remote Code Execution
* Befriendly.com Einstein Password Disclosure
* BFCommand & Control Server Managers Multiple Vulnerabilities
* BisonFTP Server Denial of Service
* BitDefender Anti-Virus Arbitrary Code Execution or Privilege Elevation
* Bjornar Henden 'Yet Another Forum.net' Input Validation Errors Permits Cross-Site Scripting
* BK Forum SQL Injection Vulnerability
* Black Cactus Warrior Kings Denial of Service and Format String Vulnerabilities
* BlueCollar Productions i-Gallery Cross-Site Scripting & Directory Traversal
* BlueWhaleCRM SQL Injection
* Bontago Game Server Nickname Remote Buffer Overflow
* Brat Designs Breed Remote Denial of Service
* BrightStor ARCserve Backup Arbitrary Code Execution or Denial of Service
* BrightStor ARCserve Backup Discovery Service Buffer Overflow
* bttlxeForum Discloses Installation Path to Remote Users
* Bugtracker.NET Unspecified SQL Injection Vulnerabilities
* BulletProof FTP Server Privilege Escalation
* Bungie Studios Halo: Combat Evolved Denial of Service Vulnerability
* Captaris Infinite Mobile Delivery Input Validation
* Capturix ScanShare Password Disclosure
* CartWIZ Cross Site Scripting
* CartWIZ Cross Site Scripting or SQL Injection
* Centra Profile Script Insertion Vulnerability
* Centrinity FirstClass Bookmark Input File Execution Vulnerability
* Cerberus FTP Server Denial of Service
* Cerulean Studios Trillian Insecure Image Data Remote Buffer Overflow
* Cerulean Studios Trillian Remote Code Execution Vulnerability
* Cerulean Studios Trillian User Information Disclosure
* CF_Nuke Cross-Site Scripting or Information Disclosure
* Chris Moneymaker's World Poker Championship Arbitrary Code Execution
* CIS WebServer Remote Directory Traversal
* Cisco Security Agent Elevated Privileges
* CiscoWorks Information Spoofing or Disclosure
* Citrix MetaFrame Conferencing Manager Access Control Vulnerability
* Citrix MetaFrame Secure Access Manager and NFuse Elite Cross-Site Scripting
* Citrix MetaFrame Security Restriction Bypassing
* Citrix Program Neighborhood Agent Two Vulnerabilities
* Citrix Program Neighborhood Client Information Disclosure
* ClearSwift MIMEsweeper Arbitrary Code Injection
* Clever's Games Terminator 3: War of the Machines Remote Buffer Overflow & Denial of Service
* Code Ocean Ocean FTP Server Multiple Connections Denial of Service
* Comersus BackOffice Multiple Vulnerabilities
* Comersus BackOffice Plus Cross-Site Scripting
* Comersus Cart Cross Site Scripting or SQL Injection
* Comersus Cart Multiple Vulnerabilities
* Comersus Cross-Site Scripting Vulnerability
* Comersus Cross-Site Scripting Vulnerability
* Community Server Cross Site Scripting
* Community Server Forums Cross Site Scripting
* Computalynx CProxy Directory Traversal & Remote Denial of Service
* Computer Associates eTrust Antivirus Integer Overflow in Processing Microsoft OLE Data Lets Remote Users Execute Arbitrary Code
* Computer Associates eTrust Intrusion Detection Denial of Service Vulnerability
* Computer Associates Unicenter Asset Management Multiple Vulnerabilities
* Computer Knacks, Inc. SendLink Password Disclosure
* Compuware DriverStudio Privilege Elevation or Arbitrary Code Execution
* Compuware Softice 'DbgMsg.sys' Remote Denial of Service
* CoolCafe 'login.asp' SQL Injection & Information Disclosure
* Cosminexus Collaboration and Groupmax Collaboration Cross-Site Scripting or Denial of Service
* Crazy Browser Javascript Spoofing
* Crob FTP Server Buffer Overflow Vulnerabilities
* Crystal FTP Pro Buffer Overflow (Updated)
* Crystal Reports/ Business Objects Enterprise Server Denial of Service
* CSystems WebArchiveX Arbitrary File Access
* Cybration ICUII Password Disclosure
* DameWare Arbitrary Code Execution
* DameWare Mini Remote Control Privilege Escalation Vulnerability
* DameWare Password Disclosure Vulnerability
* Darrel O'Neil ASP Virtual News Remote SQL Injection Vulnerability
* Dead Pirate Software SimpleCam Directory Traversal Flaw
* DelphiTurk CodeBank (KodBank) Elevated Privileges
* DelphiTurk CodeBank Password Disclosure
* DelphiTurk FTP Information Disclosure
* DG Remote Control Server Denial of Service
* Digger Solutions Intranet Open Source SQL Injection
* DivX Player Skin File Directory Traversal
* DotNetNuke Script Insertion Vulnerabilities
* Doug Luxem Liberum Help Desk "id" SQL Injection Vulnerability
* DVBBS Cross Site Scripting
* DzSoft PHP Editor Denial of Service
* Early Impact ProductCart Input Validation Flaws in Lets Remote Users Inject SQL Commands
* Ecomm Professional Guestbook "AdminPWD" SQL Injection
* Ecomm Professional Shopping Cart SQL Injection Vulnerability
* ECW-Cart Cross-Site Scripting
* Elemental Software CartWIZ SQL Injection and Cross-Site Scripting Vulnerability
* EnCase Device Configuration Overlay Data Acquisition Vulnerability
* enVivo!soft enVivo!CMS SQL Injection and Privilege Escalation
* ePolicy Information Disclosure and Privilege Elevation
* E-POST SPA-PRO Mail @Solomon IMAP Directory Traversal and Buffer Overflow
* e-Quick Cart Multiple Vulnerabilities
* Eset NOD32 Arbitrary Code Execution
* Eternal Lines Web Server Remote Denial of Service
* Eternal Lines Web Server Remote Denial of Service (Updated)
* Eudora WorldMail Server Information Disclosure
* Eurofull E-Commerce 'mensresp.asp' Cross-Site Scripting
* exdwc NewsletterEz Input Validation Vulnerability Lets Remote Users Inject SQL Commands
* eXeem Password Disclosure
* ExoticSoft FilePocket Password Disclosure
* exploitlabs WebcamXP User Redirection and Denial of Service Vulnerability
* Fast Browser Pro Javascript Spoofing
* Fastream NETFile FTP/Web Server FTP Bounce Vulnerability
* Fastream NETFile Server File Creation Vulnerability
* FastStone 4in1 Browser Information Disclosure Vulnerability
* File Transfer Anywhere Passwords Disclosure
* FileZilla Server Denial of Service
* FileZilla Server Terminal Privilege Elevation or Arbitrary Code Execution
* Firefly Studios Stronghold 2 Remote Denial of Service
* FL Studio Arbitrary Code Execution
* Fortibus CMS SQL Injection & Information Modification
* forumKIT Cross-Site Scripting
* Foxmail 'MAIL FROM:' Remote Buffer Overflow
* Free SMTP Server As Open Relay
* Freeftpd Denial of Service
* freeFTPd Denial of Service
* F-Secure Anti-Virus for Exchange and Internet Gatekeeper Directory Traversal
* F-Secure ARJ Archive Buffer Overflow
* FTGate Denial of Service or Arbitrary Code Execution
* FTPshell Server Denial of Service
* FUN labs Games Denial of Service Vulnerability
* Funduc Search and Replace Buffer Overflow
* FutureSoft TFTP Server 2000 Directory Traversal & Buffer Overflows
* Gaim File Transfer Remote Denial of Service
* GASoft Gurgens Guest Book Discloses Database and Passwords to Remote Users
* GASoft Ultimate Forum Discloses Database and Passwords to Remote Users
* GD Software SD Server Directory Traversal
* Gene6 FTP Server Insecure Critical Functionality
* GeoVision Digital Video Surveillance System Authentication Bypass
* GFI LANguard Network Security Scanner Password Disclosure
* GFi MailEssentials Denial of Service Vulnerability
* GFI MailSecurity Arbitrary Code Execution or Denial of Service
* GlobalScape CuteFTP Multiple Command Response Buffer Overflow (Updated)
* GlobalSCAPE Secure FTP Server Buffer Overflow Lets Remote Users Execute Arbitrary Code
* GlobalSCAPE Secure FTP Server Buffer Overflow Lets Remote Users Execute Arbitrary Code (Updated)
* GNU DC++ Arbitrary Files Modification Vulnerability
* GNU FileZilla Server Denial of Service Vulnerabilities
* GNU Maxthon Security ID Disclosure Vulnerability
* GNU MyServer Directory Listing and Cross-Site Scripting Vulnerability
* Golden FTP Server File and Path Disclosure
* GoodTech Systems GoodTech SMTP Server "RCPT TO" Denial of Service Vulnerability
* GoodTech Systems Telnet Server for Windows NT/2000/XP/2003 Remote Buffer Overflow
* GoodTech's SMTP Server Arbitrary Code Execution
* Google Talk Denial Of Service
* GoSurf Browser Javascript Spoofing
* Gracebyte Network Assistant Remote Denial of Service
* GraphOn GO-Global For Windows Denial of Service or Arbitrary Code Execution
* Groove Virtual Office / Workspace Multiple Vulnerabilities
* Halocon Remote Denial of Service
* Handy Address Book Server Cross-Site Scripting
* Handy Address Book Server Cross-Site Scripting (Updated)
* Hauri Arbitrary Code Execution
* Hitachi Multiple Hibun Products Security Restriction Bypass
* Home FTP Server Arbitrary File Access
* Hosting Controller Credit Modification or Account Creation
* Hosting Controller Error.ASP Cross Site Scripting
* Hosting Controller Information Disclosure
* Hosting Controller Multiple Information Disclosure
* Hosting Controller Multiple Vulnerabilities
* Hosting Controller 'resellerresources.asp' SQL Injection
* Hosting Controller 'UserProfile.asp' Authentication Bypass
* HP VCRM Password Disclosure
* HTMLJunction EZGuestbook Discloses Database to Remote Users
* Hyper Estraier Information Disclosure
* IA eMailServer Denial of Service
* Iatek PortalApp Cross-Site Scripting Vulnerabilities
* Iatek PortalApp SQL Injection and Cross-Site Scripting Vulnerabilities
* Iatek SiteEnable SQL Command Injection and Cross-Site Scripting Vulnerabilities
* IBM DB2 Denial of Service & Information Disclosure
* IBM Rational ClearQuest Multiple Cross-Site Scripting
* IBM WebSphere Application Server File Servlet Source Code Disclosure
* IBM WebSphere Application Server JSP Engine Source Code Disclosure
* IceWarp Web Mail Cross Site Scripting or Directory Traversal
* IceWarp Web Mail Multiple Remote
* IceWarp Web Mail Multiple Remote Vulnerabilities (Updated)
* iCMS Cross-Site Scripting or SQL Injection
* IISWorks ASPKnowledgeBase Cross-Site Scripting
* IISWorks.com ASP KnowledgeBase Database Disclosure
* IISWorks.com ASP Webmail Database Disclosure
* IISWorks.com Fileman Database Disclosure
* IISWorks.com ListPics Database Disclosure
* IMRadio Password Disclosure
* INCA nProtect Gameguard Unauthorized Read/Write Access
* INCA nProtect Gameguard Unauthorized Read/Write Access (Updated)
* India Software Solution Shopping Cart 'signin.asp' SQL Injection
* Indiatimes Messenger Denial of Service
* InnerMedia DynaZip Arbitrary Code Execution
* Internet Explorer Arbitrary Code Execution
* Intersoft NetTerm Remote Code Execution (Updated)
* Ipswitch IMail Server IMAP EXAMINE Command Remote Buffer Overflow
* Ipswitch IMail Server Multiple Vulnerabilities
* Ipswitch IMail Server Multiple Vulnerabilities (Updated)
* Ipswitch IMail Server Remote Buffer Overflow (Updated)
* Ipswitch IMailMailEnable Denial of Service
* Ipswitch WhatsUp Multiple Vulnerabilities
* Ipswitch WhatsUp Professional SQL Injection Vulnerability
* Ivory.org Whisper 32 Password Disclosure
* IVT BlueSoleil Directory Traversal Vulnerability
* Jeuce Personal Web Server Directory Traversal & Denial of Service
* Jeuce Personal Web Server Remote Denial of Service
* JiRo's Upload System Input Validation Vulnerability Lets Remote Users Inject SQL Commands
* JoWood Chaser Remote Buffer Overflow
* JoWood Productions Soldner Secret Wars Multiple Remote Vulnerabilities
* JView Profiler Arbitrary Code Execution
* KarjaSoft Sami HTTP Server Input Validation Holes
* Kaspersky Anti-Virus Klif.Sys Privilege Escalation Vulnerability
* Kerio Personal Firewall Access Vulnerability
* Kerio Personal Firewall and Server Firewall Denial of Service
* Kerio Products Password Brute Force and Denial of Service
* Kerio WinRoute Firewall Security Restriction Bypassing
* Keyvan1 ImageGallery Information Disclosure Vulnerability
* KF Web Server Directory Listings Disclosure
* KillProcess Arbitrary Code Execution
* K-Meleon Denial of Service
* K-Meleon Denial of Service (Update)
* Kmint Software Golden FTP Server 'USER" Remote Buffer Overflow
* KMiNT21 Software Golden FTP Server RNTO Command Buffer Overflow
* KMiNT21 Software Golden FTP Server RNTO Command Buffer Overflow (Updated)
* LeapFTP Arbitrary Code Execution
* Lightspeed Technologies DeluxeFTP Information Disclosure Vulnerability
* LionMax Software Chat Anywhere Password Disclosure
* livingmailing Input Validation Hole Lets Remote Users Inject SQL Commands
* LocazoList Classifieds Cross-Site Scripting
* LogiSphere Denial of Service
* Loki Download Manager SQL Injection
* LS Games War Times Denial of Service
* M. Dev Software ZipGenius Remote File Creation Vulnerability
* Macallan Mail Solution Denial of Service Vulnerability
* Macromedia Breeze Communication Server Denial of Service
* Macromedia Breeze Information Disclosure
* Macromedia Contribute Publishing Server Information disclosure
* Macromedia Products eLicensing Function Escalated Privilege Vulnerability
* Magnus Lundvall Yawcam Information Disclosure Vulnerability
* MailEnable Arbitrary Code Execution
* MailEnable Arbitrary Code Execution
* MailEnable Arbitrary Code Execution
* MailEnable Arbitrary Code Execution (Updated)
* MailEnable Arbitrary Code Execution or Denial of Service
* MailEnable Denial of Service
* MailEnable Denial of Service
* MailEnable Denial of Service Vulnerability
* MailEnable HTTPMail Vulnerability
* MailEnable IMAP "LOGIN" Command Buffer Overflow Vulnerability
* MailEnable Professional Arbitrary Code Execution
* MailEnable Standard SMTP Format String Vulnerability
* MailEnable Unspecified SMTP Authentication Denial of Service
* MailSite Express Arbitrary Code Execution
* Mall23 SQL Injection
* Mall23 SQL Injection (Updated)
* Massimiliano Montoro Cain Abel Buffer Overflow Causes Remote Code Execution
* MaxWebPortal Cross-Site Scripting and SQL Injection
* MaxWebPortal Input Validation Hole in 'password.asp' Permits SQL Injection
* MaxWebPortal SQL Injection and Cross-Site Scripting Vulnerabilities
* MaxWebPortal SQL Injection and Privilege Escalation
* McAfee Internet Security Suite Elevated Privilege Vulnerability
* McAfee IntruShield Security Management System Cross Site Scripting & Information Disclosure
* McAfee Security Management System Elevated Privileges or Cross Site Scripting
* Media Online Store Portal SQL Injection Vulnerability
* Media2 CMS Shop SQL Injection
* Merak Mail Server Arbitrary File Access
* Mercury Mail Arbitrary Code Execution
* MercurySteam Scrapland Game Server Remote Denials of Service
* Metalinks MetaBid Three SQL Injection Vulnerabilities
* Metalinks MetaCart Multiple SQL Injection Vulnerabilities
* Microsoft ActiveSync Information Disclosure or Denial of Service
* Microsoft Agent Could Allow Spoofing
* Microsoft Agent Could Allow Spoofing
* Microsoft ASP.NET Canonicalization (Updated)
* Microsoft ASP.NET Canonicalization (Updated)
* Microsoft ASP.NET Canonicalization (Updated)
* Microsoft ASP.NET Canonicalization (Updated)
* Microsoft ASP.NET Unicode Character Conversion Multiple Cross-Site Scripting
* Microsoft ASP.NET ViewState Denial of Service and Security Bypass
* Microsoft Client Service for NetWare Arbitrary Code Execution
* Microsoft Client Service for NetWare Arbitrary Code Execution (Updated)
* Microsoft Collaboration Data Objects Arbitrary Code Execution
* Microsoft DirectX DirectShow Arbitrary Code Execution
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft Excel Arbitrary Code Execution
* Microsoft Exchange Server 2003 Denial of Service
* Microsoft Exchange Server Nested Subfolders Remote Denial of Service
* Microsoft Exchange Server Remote Code Execution Vulnerability
* Microsoft Exchange Server Remote Code Execution Vulnerability (Updated)
* Microsoft Exchange Server Remote Code Execution Vulnerability (Updated)
* Microsoft FrontPage 2000 DAV File Upload
* Microsoft FrontPage Denial of Service
* Microsoft HTML Help Could Allow Remote Code Execution
* Microsoft IIS Denial of Service
* Microsoft Internet Explorer AddChannel Cross-Zone Scripting
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Could Allow Remote Code Execution
* Microsoft Internet Explorer Denial of Service
* Microsoft Internet Explorer Denial of Service
* Microsoft Internet Explorer Denial of Service (Updated)
* Microsoft Internet Explorer DHTML Edit Control Script Injection (Updated)
* Microsoft Internet Explorer DHTML Edit Control Script Injection (Updated)
* Microsoft Internet Explorer DHTML Edit Control Script Injection (Updated)
* Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability
* Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability (Updated)
* Microsoft Internet Explorer Dynamic IFRAME Security Bypass
* Microsoft Internet Explorer Favorites List
* Microsoft Internet Explorer FTP Download Directory Traversal
* Microsoft Internet Explorer HREF Tag Mouse Event
* Microsoft Internet Explorer Information Disclosure
* Microsoft Internet Explorer Information Disclosure
* Microsoft Internet Explorer Information Disclosure (Updated)
* Microsoft Internet Explorer JavaScript OnLoad Handler Remote Denial of Service
* Microsoft Internet Explorer Lets Remote Users Hide Scripting Code
* Microsoft Internet Explorer Malformed 'File:' URI Denial of Service
* Microsoft Internet Explorer MSHTML.DLL CSS Handling Remote Denial of Service
* Microsoft Internet Explorer Remote Code Execution Vulnerability
* Microsoft Internet Explorer Remote Code Execution Vulnerability (Updated)
* Microsoft Internet Explorer Remote Information Disclosure
* Microsoft Internet Explorer Restricted Sites Malformed URI Remote Denial of Service
* Microsoft Internet Explorer Script-initiated Pop-up Windows Spoofing
* Microsoft Internet Explorer Unauthorized Access
* Microsoft Internet Explorer Unauthorized Access (Updated)
* Microsoft Internet Explorer Unauthorized Access (Updated)
* Microsoft Internet Explorer Unauthorized Access (Updated)
* Microsoft Internet Explorer Vulnerabilities
* Microsoft Internet Explorer Vulnerabilities (Updated)
* Microsoft Internet Explorer Web Folder Behaviors Information Disclosure or Arbitrary Code Execution
* Microsoft Internet Information Server HTTP Response Smuggling
* Microsoft IPV6 TCPIP Loopback LAND Denial of Service Vulnerability
* Microsoft ISA Access and Elevation of Privilege Vulnerabilities
* Microsoft ISA Server in SecureNAT Configuration Denial of Service
* Microsoft Jet Database Remote Code Execution Vulnerability
* Microsoft Jet Database Remote Code Execution Vulnerability (Updated)
* Microsoft Jet Database Remote Code Execution Vulnerability (Updated)
* Microsoft JView Profiler Arbitrary Code Execution (Updated)
* Microsoft Log Sink Class ActiveX Control
* Microsoft Media Player & Windows/MSN Messenger PNG Processing
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft MSN Messenger / Internet Explorer Application Crash
* Microsoft MSN Messenger Remote Code Execution Vulnerability
* Microsoft MSN Messenger Remote Code Execution Vulnerability (Updated)
* Microsoft MSRPC Information Disclosure
* Microsoft NetDDE Remote Code Execution (Updated)
* Microsoft Network Connection Manager Denial of Service
* Microsoft Network Connection Manager Denial of Service (Updated)
* Microsoft Office Denial of Service
* Microsoft Office InfoPath 2003 Information Disclosure Vulnerability
* Microsoft Office RC4 Stream Cipher
* Microsoft Office URL File Location Handling Buffer Overflow
* Microsoft Office URL File Location Handling Buffer Overflow (Updated)
* Microsoft Office URL File Location Handling Buffer Overflow (Updated)
* Microsoft Office URL File Location Handling Buffer Overflow (Updated)
* Microsoft Outlook 2002 Connector For IBM Lotus Domino Policy Bypass Vulnerability
* Microsoft Outlook and Outlook Web Access Email Spoofing Vulnerability
* Microsoft Outlook Express Could Allow Remote Code Execution
* Microsoft Outlook Express Could Allow Remote Code Execution (Updated)
* Microsoft Outlook Express Could Allow Remote Code Execution (Updated)
* Microsoft Outlook Express Information Disclosure or System Crash
* Microsoft Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks
* Microsoft Outlook Web Access URI Redirection
* Microsoft Plug and Play Arbitrary Code Execution or Elevated Privileges
* Microsoft Plug and Play Arbitrary Code Execution or Elevated Privileges (Updated)
* Microsoft Plug and Play Arbitrary Code Execution or Elevated Privileges (Updated)
* Microsoft Remote Desktop Protocol Denial of Service
* Microsoft Server Message Block Could Allow Remote Code Execution
* Microsoft SMTP Remote Code Execution (Updated)
* Microsoft SMTP Remote Code Execution (Updated)
* Microsoft SQL Server 2000 Multiple Vulnerabilities
* Microsoft Step-by-Step Interactive Training Could Allow Remote Code Execution
* Microsoft Telephony Service Remote Code Execution
* Microsoft Telnet Client Could Allow Information Disclosure
* Microsoft Update Rollup 1 for Windows 2000 SP4
* Microsoft Web Client Service Could Allow Remote Code Execution
* Microsoft Windows 2000 Group Restriction Bypass
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows Color Management Module Buffer Overflow or Arbitrary Code Execution
* Microsoft Windows Color Management Module Buffer Overflow or Arbitrary Code Execution (Updated)
* Microsoft Windows CreateRemoteThread Denial of Service
* Microsoft Windows Drag and Drop
* Microsoft Windows EMF File Denial of Service Vulnerability
* Microsoft Windows EMF File Denial of Service Vulnerability (Updated)
* Microsoft Windows Explorer and Internet Explorer Denial of Service Vulnerability
* Microsoft Windows Explorer Preview Pane Script Injection Vulnerability
* Microsoft Windows Explorer Preview Pane Script Injection Vulnerability (Updated)
* Microsoft Windows FTP Client Arbitrary File Control
* Microsoft Windows FTP Client Arbitrary File Control (Updated)
* Microsoft Windows Graphics Rendering Engine Arbitrary Code Execution
* Microsoft Windows HTML Help ActiveX Control
* Microsoft Windows HTML Help ActiveX Control (Updated)
* Microsoft Windows Hyperlink Object Library Buffer Overflow
* Microsoft Windows Hyperlink Object Library Buffer Overflow (Updated)
* Microsoft Windows Hyperlink Object Library Buffer Overflow (Updated)
* Microsoft Windows Image Rendering Denial of Service Vulnerability
* Microsoft Windows Indexing Service Buffer Overflow
* Microsoft Windows Indexing Service Buffer Overflow (Updated)
* Microsoft Windows Kerberos PKINIT Information Disclosure or Denial of Service
* Microsoft Windows Kerberos PKINIT Information Disclosure or Denial of Service
* Microsoft Windows Kernel Denial Of Service
* Microsoft Windows Kernel Elevation of Privilege and Denial of Service Vulnerabilities
* Microsoft Windows Kernel Elevation of Privilege and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows Kernel Elevation of Privilege and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows LAND Attack Remote Denial of Service
* Microsoft Windows License Logging Service Buffer Overflow
* Microsoft Windows License Logging Service Buffer Overflow (Updated)
* Microsoft Windows License Logging Service Buffer Overflow (Updated)
* Microsoft Windows License Logging Service Buffer Overflow (Updated)
* Microsoft Windows License Logging Service Buffer Overflow (Updated)
* Microsoft Windows LoadImage API Buffer Overflow (Updated)
* Microsoft Windows LoadImage API Buffer Overflow (Updated)
* Microsoft Windows LoadImage API Buffer Overflow (Updated)
* Microsoft Windows Local Denial Of Service Vulnerability
* Microsoft Windows Media Player May Allow Redirection
* Microsoft Windows Message Queuing Remote Code Execution Vulnerability
* Microsoft Windows Message Queuing Remote Code Execution Vulnerability (Updated)
* Microsoft Windows Message Queuing Remote Code Execution Vulnerability (Updated)
* Microsoft Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service
* Microsoft Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service (Updated)
* Microsoft Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service (Updated)
* Microsoft Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service (Updated)
* Microsoft Windows Network Connections Manager Library Denial of Service
* Microsoft Windows NTFS File Block Initialization
* Microsoft Windows OLE / COM Remote Code Execution
* Microsoft Windows Plug and Play Arbitrary Code Execution
* Microsoft Windows Plug and Play Arbitrary Code Execution (Updated)
* Microsoft Windows Plug and Play Arbitrary Code Execution (Updated)
* Microsoft Windows Print Spooler Arbitrary Code Execution
* Microsoft Windows Privilege Elevation
* Microsoft Windows Privilege Elevation (Updated)
* Microsoft Windows Remote Desktop Denial of Service
* Microsoft Windows Remote Desktop Protocol Private Key Disclosure
* Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure
* Microsoft Windows Remote Desktop 'TSShutdn.exe' Denial of Service Vulnerability
* Microsoft Windows Resource Kit 'w3who.dll' Buffer Overflow & Input Validation (Updated)
* Microsoft Windows Server 2003 Local Denial of Service Vulnerabilities
* Microsoft Windows SharePoint Services Cross-Site Scripting & Spoofing
* Microsoft Windows SharePoint Services Cross-Site Scripting & Spoofing (Updated)
* Microsoft Windows Shell Arbitrary Code Execution
* Microsoft Windows Shell Arbitrary Code Execution (Updated)
* Microsoft Windows Shell Remote Code Execution (Updated)
* Microsoft Windows Shell Remote Code Execution Vulnerability
* Microsoft Windows Shell Remote Code Execution Vulnerability (Updated)
* Microsoft Windows SMB Buffer Overflow
* Microsoft Windows SMB Buffer Overflow (Updated)
* Microsoft Windows SMB Buffer Overflow (Updated)
* Microsoft Windows SMB Buffer Overflow (Updated)
* Microsoft Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities
* Microsoft Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows USB Driver Buffer Overflow
* Microsoft Windows 'User32.DLL' Icon Handling Remote Denial of Service
* Microsoft Windows XP Named Pipe Information Disclosure
* Microsoft Windows XP Windows Management Instrumentation Denial of Service
* Microsoft Windows XP Wireless Zero Configuration Service Information Disclosure
* Microsoft WINS Name Validation (Updated)
* Microsoft WINS Name Validation (Updated)
* Microsoft Word Buffer Overflow or Arbitrary Code Execution
* Microsoft Word MCW File Handler Buffer Overflow Vulnerability
* Microsoft Word Remote Code Execution & Escalation of Privilege Vulnerabilities (Updated)
* Microsoft Word Remote Code Execution and Escalation of Privilege Vulnerabilities
* Microsoft Word Remote Code Execution and Escalation of Privilege Vulnerabilities (Updated)
* Microsoft Word Remote Code Execution and Escalation of Privilege Vulnerabilities (Updated)
* Microsoft Word Remote Code Execution and Escalation of Privilege Vulnerabilities (Updated)
* MindAlign Multiple Vulnerabilities
* Miranda IM PopUp Plus Plugin Remote Code Execution Vulnerability
* Miranda IM PopUp Plus Plugin Remote Code Execution Vulnerability (Updated)
* Mozilla Bugzilla Internal Error
* Mozilla Firefox Download Dialog Spoofing Vulnerabilities
* MS ASP.NET Denial of Service
* MSN Messenger Protocol Denial of Service
* Multi-Computer Control System Denial of Service
* Multiple Vendor Arbitrary Code Execution
* Multiple Vendor ZoneAlarm Denial of Service
* Multiple Vendors Mozilla/Netscape/Firefox Browser Modal Dialog Spoofing
* Multiple Vendors Mozilla/Netscape/Firefox Browser Modal Dialog Spoofing (Updated)
* Musicmatch Jukebox Elevated Privilege and Cross-Site Scripting Vulnerabilities
* My Album Information Disclosure
* MyInternet Browser Javascript Spoofing
* Mysoft Technology Maxthon "m2_search_text" Information Disclosure Vulnerability
* MyTemplateSite Cross-Site Scripting
* NateOn Messenger Arbitrary Code Execution or Denial of Service
* Naxtor e-Directory Cross-Site Scripting or SQL Injection
* Naxtor Shopping Cart Cross-Site Scripting or SQL Injection
* Neslo Desktop Rover Denial of Service Vulnerability
* NetAuctionHelp Auction Software Cross-Site Scripting
* NetCaptor Browser Javascript Spoofing
* NetCPlus BusinessMail Server SMTP Command Validation Error Remote Denial of Service
* NetLeaf Limited NotJustBrowsing Discloses Application Passwords
* NetManage RUMBA Profile Handling Multiple Buffer Overflow
* NetManage RUMBA Profile Handling Multiple Buffer Overflow (Updated)
* NetObjects Fusion Information Disclosure
* Netscape Browser Information Disclosure Vulnerability
* Netscape Denial of Service
* Netscape IDN Implementation URL Spoof
* NetWin DMail Errors Let Remote Users Bypass Authentication and Execute Code
* NetworkActiv Web Server Cross-Site Scripting
* Network-Client.com FTP Now Local Information Disclosure Vulnerability
* Newmad Technologies PicoWebServer Remote Buffer Overflow
* NEXTWEB (i)Site Discloses Database and Passwords to Remote Users and Permits SQL Injection
* NodeManager SNMPv1 traps Buffer Overflow
* NodeManager SNMPv1 traps Buffer Overflow (Updated)
* Nortel Contivity VPN Client Password Disclosure Vulnerability
* Nortel Contivity VPN Client Password Disclosure Vulnerability (Updated)
* Nortel VPN Client Privilege Elevation
* Notify Technology NotifyLink Enterprise Server Multiple Vulnerabilities
* NotJustBrowsing Browser Javascript Spoofing
* Novell eDirectory Can Be Crashed With Requests Containing MS-DOS Device Names
* Novell eDirectory Denial of Service or Unauthorized File Access
* Novell eDirectory Security Bypass
* Novell GroupWise Arbitrary Code Execution
* Novell GroupWise Client Local Password Disclosure
* Novell Nsure Audit Denial of Service Vulnerability
* Nullsoft Winamp Malformed MP4 Remote Denial of Service (Updated)
* Nullsoft Winamp Multiple Unspecified Vulnerabilities
* Nullsoft Winamp Variant IN_CDDA.dll Remote Buffer Overflow
* OASYS Lite Cross-Site Scripting
* Ocean12 Calendar Manager Pro Authentication Bypassing
* Ocean12 Calendar Manager SQL Injection Vulnerability
* Ocean12 Mailing List Manager Remote SQL Injection
* Ocean12 Membership Manager Pro Cross-Site Scripting and SQL Injection Vulnerability
* OKBSYS Lite Cross-Site Scripting
* Oleh Yuschuk OllyDbg Error in Loading Causes Denial of Service Vulnerability
* Omni Browser Javascript Spoofing
* OneWorldStore Denial of Service Vulnerability
* OneWorldStore Information Disclosure Vulnerability
* OneWorldStore Multiple Vulnerabilities
* OpenConnect Systems WebConnect Remote Denial of Service and Information Disclosure
* OpenConnect Systems WebConnect Remote Denial of Service and Information Disclosure (Updated)
* Opera 'data:' URI Handler Spoofing
* Opera Web Browser Download Dialog File Manipulation
* Optimal Desktop Javascript Spoofing
* Orenosv HTTP/FTP Server Buffer Overflows
* Orvado ASP Nuke SQL Injection and Cross-Site Scripting Vulnerabilities
* OS4E 'LOGIN.ASP' SQL Injection
* Painkiller Buffer Overflow Remote Denial of Service
* Panda Software Antivirus Library ZOO Archive Heap Overflow
* pcAnywhere Authentication Denial of Service Vulnerability
* Peer2Mail Password Disclosure
* Peer2Mail Password Disclosure (Updated)
* Pegasus Mail Arbitrary Code Execution
* Perception LiteWeb Protected File Access Vulnerability
* Piotr Kowalski LANChat Pro Remote Denial of Service
* PlatinumFTPServer Malformed User Name Connection Remote Denial of Service
* PMSoftware Simple Web Server Buffer Overflow Permits Remote Code Execution
* PMSoftware Simple Web Server Remote Code Execution Vulnerability (Updated)
* PowerArchiver Arbitrary Code Execution
* PPP Infotech netMailshar Professional Two Vulnerabilities
* Pragma TelnetServer Lets Remote Users Hide Log Entries
* Prevx Pro File Modification & Driver Spoofing
* PrivaShare Denial of Service
* Process Explorer Arbitrary Code Execution
* ProRat Server Arbitrary Code Execution
* PY Software Active Webcam Webserver Remote Denials of Service & Information Disclosure
* Qualcomm Eudora E-mail, Stationary/Mailbox Files Remote Code Execution
* Quick 'n Easy FTP Server Denial of Service
* RaidenHTTPD Directory Traversal
* RaidenHTTPD Multiple Remote Vulnerabilities
* Randy Wable datatrac Denial of Service Vulnerability
* RARLAB WinRAR Directory Traversal
* Raysoft Video Cam Server Multiple Vulnerabilities
* RealArcade Vulnerabilities
* RealNetworks Realplayer Enterprise Buffer Overflow Vulnerability
* RealPlayer Enterprise Arbitrary Code Execution
* RealPlayer Security Zone Bypass
* Rebrand P2P Share Spy Information Disclosure Vulnerability
* Rediff Bol Window's Address Book Disclosure
* Reflection for Secure IT Multiple Vulnerabilities
* RhinoSoft Serv-U FTP Server Remote Denial of Service
* RockLiffe MailSite Express WebMail Multiple Vulnerabilities
* RSA ACE/ Agent for Web Cross Site Scripting
* RSA Authentication Agent for Web Buffer Overflow Vulnerability
* RSA Authentication Agent for Web Buffer Overflow Vulnerability (Updated)
* RSA Authentication Agent for Web for IIS Cross-Site Scripting Vulnerability
* RSA Authentication Agent for Web for IIS Cross-Site Scripting Vulnerability (Updated)
* Runtime GetDataBack for NTFS Local Information Disclosure Vulnerability
* rwAuction Pro Cross-Site Scripting
* SafeNet Sentinel License Manager Remote Buffer Overflow
* SafeNet Sentinel License Manager Remote Buffer Overflow (Updated)
* SafeNet SoftRemote VPN Client Key Disclosure
* Savant Web Server Remote Buffer Overflow
* Savant Web Server User Information Disclosure
* SecureOL VE2 Security Restriction Bypass
* SecureW2 Information Disclosure
* SecureW2 Information Disclosure (Updated)
* ServersCheck Directory Traversal
* Serv-U FTP Server Denial of Service
* Sights 'n Sounds Streaming Media Server Denial of Service
* Sigma ISP Manager SQL Injection Vulnerabilities
* SiteBeater MP3 Catalog Cross-Site Scripting
* SiteBeater News System Cross-Site Scripting
* Skype for Windows Security Bypass
* Slim Browser Javascript Spoofing
* SlimFTPd Arbitrary Code Execution
* SlimFTPd Denial of Service
* Small HTTP Server Arbitrary File Writing
* SmarterMail Cross-Site Scripting
* SnugServer FTP Service Directory Traversal
* soft3304 04WebServer Directory Traversal
* software602 602LAN SUITE HTML Log File Processing Flaw Lets Remote Users Hide Log Entries
* Software602 602LAN SUITE Input Validation
* Software602 602LAN SUITE Input Validation (Updated)
* Software602 602LAN SUITE Local File Detection and Denial of Service
* Software602 602LAN SUITE Local File Detection and Denial of Service (Updated)
* Softwin BitDefender Insecure Program Execution Vulnerability
* Solupress News Cross-Site Scripting
* Sony SunnComm MediaMax Insecure Directory Permissions (Updated)
* Sophos Anti-Virus Denial of Service
* SpeedProject Arbitrary Code Execution
* SSH Secure Shell and Tectia Server Key Disclosure
* SSH Secure Shell and Tectia Server Key Disclosure (Updated)
* StoneGate Firewall and VPN Engine Denial of Service
* Storage Exec/ StorageCentral Arbitrary Code Execution
* Storage Exec/ StorageCentral Arbitrary Code Execution
* StorePortal Multiple SQL Injection High
* Stormy Studios KNet Remote Buffer Overflow
* StumbleInside GoText Discloses Users Configuration Data
* Sukru Alatas's Guestbook Database Disclosure
* Sun Java System Web Server Denial of Service Vulnerability
* Sybari Antigen for Exchange Security Bypass
* Sybase Adaptive Server Enterprise Unspecified Vulnerability
* Symantec Anti Virus Arbitrary Code Execution
* Symantec Anti Virus Arbitrary Code Execution (Updated)
* Symantec Anti Virus Password Disclosure
* Symantec AntiVirus Corporate Edition and Client Security Privilege Elevation
* Symantec AntiVirus Products RAR Archive Virus Detection Bypass
* Symantec AntiVirus SMB Scan Detection Bypass
* Symantec 'CcErrDsp.ErrorDisplay.1' ActiveX Buffer Overflow
* Symantec Discovery Unauthorized Access
* Symantec Multiple Products AutoProtect Errors Denial of Service Vulnerability
* Symantec Multiple Products AutoProtect Errors Denial of Service Vulnerability (Updated)
* Symantec Norton GoBack Lets Local Users Bypass Authentication
* Symantec pcAnywhere Privilege Escalation Vulnerability
* TAC Vista Directory Traversal
* TCP Chat Denial of Service
* TCP-IP Datalook Denial of Service
* Team JohnLong RaidenFTPD Information Disclosure Vulnerability
* Techland Xpand Rally Remote Denial of Service
* Techland XPand Rally Remote Format String
* Techno Dreams Multiple Product SQL Injection
* ThePoolClub iPool Information Disclosure Vulnerability
* ThePoolClub iSnooker Information Disclosure Vulnerability
* ToCA Race Driver Arbitrary Code Execution
* TrackerCam Multiple Remote Vulnerabilities
* TrackerCam Multiple Remote Vulnerabilities (Updated)
* Trend Micro OfficeScan Information Disclosure
* Trend Micro PC-cillin Privilege Elevation
* Trend Micro ServerProtect Multiple Vulnerabilities
* Typsoft FTP Server Denial of Service
* Uapplication Products Password Disclosure
* Uapplication Ublog Cross-Site Scripting Vulnerability
* Ubisoft The Settlers: Heritage of Kings Player Logging Buffer Overflow Vulnerability
* Ublog Reload SQL Injection and Cross-Site Scripting
* UR Software W32Dasm Remote Buffer Overflow
* UStore Cross-Site Scripting or SQL Injection
* VERITAS Backup Exec Buffer Overflow (Updated)
* Veritas Backup Exec Multiple Vulnerabilities
* Veritas Backup Exec Multiple Vulnerabilities (Updated)
* VERITAS NetBackup Arbitrary Code Execution
* VERITAS NetBackup Arbitrary Code Execution (Updated)
* Veritas NetBackup Denial of Service
* Virtools Web Player Arbitrary Code Execution or Arbitrary File Control
* VLAIBB 'sig2dat' Integer Overflow & Remote Denial of Service
* VP-ASP Shopping Cart Cross-Site Scripting
* VP-ASP SQL Injection
* vxFtpSrv Arbitrary Code Execution
* vxTftpSrv Arbitrary Code Execution
* vxWeb Denial of Service
* Walla! TeleSite SQL Injection or Cross-Site Scripting
* War FTP Daemon Remote Denial of Service
* Watchfire AppScan Arbitrary Code Execution
* Web Vulnerability Scanner Denial of Service
* Web Wiz Forums Information Disclosure
* WebEOC Multiple Vulnerabilities
* WebInspect Cross Site Scripting
* Webroot Desktop Firewall Authentication Bypassing or Arbitrary Code Execution
* Webroot Software My Firewall Plus Arbitrary File Corruption Vulnerability
* WebWasher Classic HTTP CONNECT Unauthorized Access
* WebWasher Classic HTTP CONNECT Unauthorized Access (Updated)
* WhatsUp Small Business Directory Traversal and Information Disclosure
* WheresJames Webcam Publisher Remote Code Execution Vulnerability
* Wichio 27Tools-in-1 Browser Javascript Spoofing
* Winace Remote Directory Traversal
* Winamp Arbitrary Code Execution
* WinHKI Multiple Remote Vulnerabilities
* Winmail Server Multiple Vulnerabilities
* WinRAR Arbitrary Code Execution
* WMailserver Information Disclosure
* WMR Simpson BookReview Input Validation Holes Permit Cross-Site Scripting & Path Disclosure
* Woodstone Servers Alive Help Function Escalated Privilege Vulnerability
* Woppoware PostMaster Multiple Vulnerabilities
* Working Resources BadBlue MFCISAPICommand Remote Buffer Overflow
* WSW ShowOff! Digital Media Software Two Vulnerabilities
* WWWeb Concepts Events System Input Validation Vulnerability
* WWWguestbook SQL Injection
* XcClassified Cross-Site Scripting
* XcPhotoAlbum Cross-Site Scripting
* Xinkaa WEB Station Directory Traversal
* X-Ways WinHex Denial of Service Vulnerability
* Yager Denial of Service and Remote Code Execution Vulnerabilities
* Yahoo! Messenger Custom Message Buffer Overflow
* Yahoo! Messenger Download Dialogue Box File Name Spoofing
* Yahoo! Messenger Insecure Default Installation
* Yahoo! Messenger URL Handler Remote Denial Of Service Vulnerability
* Yaosoft COOL! Remote Control Denial of Service
* YusASP Web Asset Manager Unauthorized Access
* ZipGenius Arbitrary Code Execution
* ZipGenius Multiple Directory Traversal Vulnerabilities
* ZipTorrent Password Disclosure
* ZixForum SQL Injection
* Zone Labs ZoneAlarm Vet Antivirus Engine Buffer Overflow
* ZonGG Input Validation Hole in 'ad/login.asp' Permits SQL Injection


# Unix/ Linux Operating Systems

* 4D WebSTAR Grants Access to Remote Users and Elevated Privileges to Local Users
* 4D WebStar Remote IMAP Denial of Service
* 4D WebStar Tomcat Plugin Remote Buffer Overflow
* 4D WebStar Tomcat Plugin Remote Buffer Overflow (Updated)
* Abuse Multiple Vulnerabilities
* Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
* Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
* Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
* Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
* Adobe Reader / Acrobat Arbitrary Code Execution & Elevated Privileges
* Adobe Reader For Unix Local File Disclosure
* Adobe Version Cue for Mac OS X Elevated Privileges
* Adobe Version Cue for Mac OS X Elevated Privileges (Updated)
* ADP Elite System Max 9000 Series Shell Access
* Adrian Pascalau GIPTables Firewall Insecure Temporary File Creation
* Alexander Barton ngIRCd Remote Buffer Overflow
* Alexander Barton ngIRCd Remote Format String
* Alexander Palmo Simple PHP Blog Remote Directory Traversal
* Alexis Sukrieh Backup Manager Information Disclosure
* Alexis Sukrieh Backup Manager Information Disclosure (Updated)
* Alkalay.Net Multiple Scripts Arbitrary Remote Command Execution & Directory Traversal
* AlmondSoft Almond Classifieds SQL Injection
* ALSA Stack Protection Weakness
* AltantForum Multiple Cross-Site Scripting
* Andrew Church IRC Services LISTLINKS Information Disclosure
* Andrew W. Rogers pcal Buffer Overflows (Updated)
* Apache Insecure Temporary File Creation
* Apache mod_include Buffer Overflow (Updated)
* Apache mod_include Buffer Overflow (Updated)
* Apache Mod_Proxy Remote Buffer Overflow (Updated)
* Apache mod_ssl Denial of Service (Updated)
* Apache mod_ssl Remote Denial of Service (Updated)
* Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow (Updated)
* Apache mod_ssl SSLCipherSuite Access Validation (Updated)
* Apache mod_ssl SSLCipherSuite Access Validation (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache SpamAssassin Lets Remote Users Deny Service
* Apache SpamAssassin Lets Remote Users Deny Service (Updated)
* Apache SpamAssassin Lets Remote Users Deny Service (Updated)
* ApacheTop Insecure Temporary File Creation
* Appfluent Technology Database IDS Buffer Overflow
* Appfluent Technology Database IDS Buffer Overflow (Updated)
* Apple ColorSync ICC Header Remote Buffer Overflow
* Apple iSync mRouter Buffer Overflow
* Apple iSync mRouter Buffer Overflow
* Apple Keynote 'keynote:' Lets Remote Users Access Local Files
* Apple Mac OS X AirPort Card Automatic Network Association
* Apple Mac OS X AppleFileServer Remote Denial of Service
* Apple Mac OS X 'at' Utility Information Disclosure
* Apple Mac OS X 'at' Utility Information Disclosure (Updated)
* Apple Mac OS X Default Pseudo-Terminal Permission
* Apple Mac OS X Finder 'DS_Store' Insecure File Creation
* Apple Mac OS X Font Book Font Collection Buffer Overflow
* Apple Mac OS X Java Update
* Apple Mac OS X Kernel searchfs() Buffer Overflow
* Apple Mac OS X Multiple Arbitrary Code Execution Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities (Updated)
* Apple Mac OS X Multiple Vulnerabilities (Updated)
* Apple Mac OS X NetInfo Setup Tool Buffer Overflow
* Apple Mac OS X NetInfo Setup Tool Buffer Overflow (Updated)
* Apple Mac OS X 'parse_machfile()' Denial of Service
* Apple Mac OS X Perl Privilege Dropping
* Apple Mac OS X Security Update
* Apple Mac OS X Security Update
* Apple Mac OS X Security Update
* Apple Mac OS X Vulnerabilities
* Apple MacOS X Vulnerabilities
* Apple Mail EMail Message ID Header Information Disclosure
* Apple QuickTime Quartz Composer File Information Disclosure
* Apple QuickTime Quartz Composer File Information Disclosure (Updated)
* Apple Safari Data URI Memory Corruption
* Apple Safari Dialog Box Origin Spoofing
* Apple Safari IDN Implementation URL Spoof
* Apple Safari IDN Implementation URL Spoof (Updated)
* Apple Safari Input Validation
* Apple Safari Input Validation (Updated)
* Apple Safari Open Windows Injection (Updated)
* Apple Safari Web Browser HTTPS Denial of Service
* Apple Safari Web Browser JavaScript Remote Denial of Service
* APSIS Pound Remote Buffer Overflow
* APSIS Pound Remote Buffer Overflow (Updated)
* Arc Insecure Temporary File Creation
* Arc Insecure Temporary File Creation (Updated)
* ARJ Software UNARJ Remote Buffer Overflow (Updated)
* ARJ Software UNARJ Remote Buffer Overflow (Updated)
* ARJ Software UNARJ Remote Buffer Overflow (Updated)
* ARJ Software UNARJ Remote Buffer Overflow (Updated)
* Astaro Security Linux HTTP CONNECT Unauthorized Access
* Astaro Security Linux HTTP CONNECT Unauthorized Access (Updated)
* Astaro Security Linux ISAKMP IKE Traffic Denial of Service
* Astaro Security Linux PPTP Server Unspecified Remote Denial of Service
* Asterisk Voicemail Unauthorized Access
* Atlant Pro Cross-Site Scripting
* Avaya Labs Libsafe Multi-threaded Process Race Condition Security Bypass
* Backup Manager File Permissions
* BackupNinja Insecure Temporary File Creation
* Bacula Insecure Temporary File Creation
* Bacula Insecure Temporary File Creation (Updated)
* BeMoore Software News2Net SQL Injection
* Benchmark Designs WHM AutoPilot 'server_inc' Include File Flaw
* Berlios GPSD Remote Format String
* Bidwatcher Remote Format String
* Bidwatcher Remote Format String (Updated)
* Binary Board System Multiple Cross-Site Scripting
* Black List Daemon select() Remote Buffer Overflow
* Black List Daemon select() Remote Buffer Overflow (Updated)
* Blog Torrent Password Disclosure
* Blue Coat Reporter Multiple Vulnerabilities
* BlueZ Arbitrary Command Execution
* BlueZ Arbitrary Command Execution (Updated)
* BlueZ Arbitrary Command Execution (Updated)
* BlueZ Arbitrary Command Execution (Updated)
* BMC Control M Agent Insecure File Permission
* BMV Buffer Overflow
* Brooky CubeCart Multiple Vulnerabilities
* BrT CopperExport 'XP_Publish.PHP' SQL Injection
* Bugzilla Private Summary Disclosure or Flag Modification
* BZip2 File Permission Modification
* BZip2 File Permission Modification (Updated)
* BZip2 File Permission Modification (Updated)
* BZip2 File Permission Modification (Updated)
* BZip2 File Permission Modification (Updated)
* BZip2 File Permission Modification (Updated)
* BZip2 File Permission Modification (Updated)
* BZip2 File Permission Modification (Updated)
* BZip2 File Permission Modification (Updated)
* BZip2 File Permission Modification (Updated)
* bzip2 Remote Denial of Service
* bzip2 Remote Denial of Service (Updated)
* Bzip2 Remote Denial of Service (Updated)
* Bzip2 Remote Denial of Service (Updated)
* Bzip2 Remote Denial of Service (Updated)
* Bzip2 Remote Denial of Service (Updated)
* Bzip2 Remote Denial of Service (Updated)
* Bzip2 Remote Denial of Service (Updated)
* Bzip2 Remote Denial of Service (Updated)
* CA BrightStor ARCserve Backup UniversalAgent Backdoor Account
* Cadsoft.de VDR Daemon Remote File Overwrite
* Caolan McNamara & Dom Lachowicz wvWare Library Buffer Overflow (Updated)
* Carnegie Mellon Cyrus IMAP Server Off-by-one Overflow (Updated)
* Carnegie Mellon University Cyrus IMAP Server Multiple Remote Buffer Overflows
* Carnegie Mellon University Cyrus IMAP Server Multiple Remote Buffer Overflows (Updated)
* Carnegie Mellon University Cyrus IMAP Server Multiple Remote Buffer Overflows (Updated)
* Carnegie Mellon University Cyrus IMAP Server Multiple Remote Buffer Overflows (Updated)
* Carnegie Mellon University Cyrus IMAP Server Multiple Remote Buffer Overflows (Updated)
* Carnegie Mellon University Cyrus IMAP Server Multiple Remote Buffer Overflows (Updated)
* Carnegie Mellon University Cyrus IMAP Server Multiple Remote Buffer Overflows (Updated)
* Carnegie Mellon University Cyrus SASL Buffer Overflow & Input Validation (Updated)
* Carnegie Mellon University Cyrus SASL Buffer Overflow & Input Validation (Updated)
* Carnegie Mellon University Cyrus SASL Buffer Overflow & Input Validation (Updated)
* Carsten Haitzler imlib Image Decoding Integer Overflow (Updated)
* Carsten Haitzler imlib Image Decoding Integer Overflow (Updated)
* Carsten Haitzler imlib Image Decoding Integer Overflow (Updated)
* CartKeeper CKGold Cross-Site Scripting
* CDRTools Unspecified Privilege Escalation (Updated)
* Centericq Empty Packet Remote Denial of Service
* Centericq Empty Packet Remote Denial of Service (Updated)
* CenterICQ Insecure Temporary File
* CenterICQ Insecure Temporary File (Updated)
* CenterICQ Insecure Temporary File (Updated)
* Cheetah Elevated Privileges
* Cheetah Elevated Privileges (Updated)
* Christoph Dalitz abctab2ps Buffer Overflows (Updated)
* Citadel/UX select() System Call Remote Buffer Overflow
* Clam Anti-Virus ClamAV Mac OS X Command Execution
* Clam Anti-Virus ClamAV OLE2 File Handling Denial of Service
* Clam Anti-Virus ClamAV Remote Denials of Service
* Clam Anti-Virus ClamAV Remote Denials of Service (Updated)
* Clam AntiVirus Denial of Service
* Clam AntiVirus Multiple Vulnerabilities (Updated)
* Clam AntiVirus Multiple Vulnerabilities (Updated)
* Clam AntiVirus Remote Denial of Service & Arbitrary Code Execution
* ClamAV UPX Buffer Overflow & FSG Handling Denial of Service
* ClamAV UPX Buffer Overflow & FSG Handling Denial of Service (Updated)
* ClamAV UPX Buffer Overflow & FSG Handling Denial of Service (Updated)
* ClamAV UPX Buffer Overflow & FSG Handling Denial of Service (Updated)
* Cmd5checkpw Poppasswd Disclosure
* Cocktail Admin Password Disclosure
* Common-lisp-controller Elevated Privileges
* Common-lisp-controller Elevated Privileges (Updated)
* Conectiva netpbm Privilege Escalation
* Courier Mail Server Remote Denial of Service
* Courier Mail Server Remote Denial of Service (Updated)
* cPanel Cross-Site Scripting
* cPanel 'User' Parameter Cross-Site Scripting
* Crip Helper Script Insecure Temporary File Creation
* Crip Helper Script Insecure Temporary File Creation (Updated)
* cURL / libcURL URL Parser Buffer Overflow
* cURL / libcURL URL Parser Buffer Overflow (Updated)
* cURL / libcURL URL Parser Buffer Overflow (Updated)
* CVS 'Cvsbug.In' Script Insecure Temporary File Creation (Updated)
* CVS 'Cvsbug.In' Script Insecure Temporary File Creation (Updated)
* CVS 'Cvsbug.In' Script Insecure Temporary File Creation (Updated)
* Cyphor Cross-Site Scripting & SQL Injection
* Cyphor SQL Injection
* Cyrus SASL Buffer Overflow & Input Validation (Updated)
* Cyrus SASL Buffer Overflow & Input Validation (Updated)
* Cyrus SASL Buffer Overflow & Input Validation (Updated)
* D. J. Bernstein QMail Remote Denials of Service
* Dada Mail Archives HTML Injection
* Darryl Burgdorf Webhints Remote Command Execution
* Darwin Kernel Denial of Service
* David Gay F2C Multiple Insecure Temporary File Creation
* David Gay F2C Multiple Insecure Temporary File Creation (Updated)
* David Mischler Linux IPRoute2 'Netbug' Script Insecure Temporary File
* DCP-Portal Cross-Site Scripting & SQL Injection
* DCP-Portal Input Validation
* Debian Apt-Cacher Remote Arbitrary Code Execution
* Debian CVS-Repouid Remote Authentication Bypass & Denial of Service
* Debian CVS-Repouid Remote Authentication Bypass & Denial of Service (Updated)
* Debian File Permission
* Debian Horde Default Administrator Password
* Debian Lintian Insecure Temporary File
* Debian Linux Firewall Loading Failure
* Debian Module-Assistant Insecure Temporary File Creation
* Debian Pam Radius Auth File Information Disclosure
* Debian Reportbug Multiple Information Disclosure
* Debian Toolchain-Source Multiple Insecure Temporary File Creation
* Denial of Service & IRC Protocol Plug-in Arbitrary Code Execution
* dhcpcd Denial of Service (Updated)
* Dick Copits PDEstore Cross-Site Scripting
* Dillo 'a_Interface_msg()' Format String
* DNA MKBold-MKItalic Remote Format String
* Dnsmasq Multiple Remote Vulnerabilities
* Dnsmasq Multiple Remote Vulnerabilities (Updated)
* Dnsmasq Multiple Remote Vulnerabilities (Updated)
* Domain Name Relay Daemon Arbitrary Code Execution
* Dropbear SSH Server Buffer Overflow
* DRZES HMS Cross-Site Scripting & SQL Injection
* Easy Search System Cross-Site Scripting
* Easy Software Products CUPS Access Control List Bypass
* Easy Software Products CUPS Access Control List Bypass (Updated)
* Easy Software Products CUPS HTTP GET Denial of Service
* Easy Software Products CUPS HTTP GET Denial of Service (Updated)
* Easy Software Products CUPS HTTP GET Denial of Service (Updated)
* Edgewall Software Trac Arbitrary File Upload/Download
* Edgewall Software Trac Search Module SQL Injection
* Edgewall Trac SQL Injection
* EKG 'LIbGadu' Multiple Vulnerabilities (Updated)
* Elm 'Expires' Header Remote Buffer Overflow
* Elm 'Expires' Header Remote Buffer Overflow (Updated)
* Elm 'Expires' Header Remote Buffer Overflow (Updated)
* Elmo Arbitrary File Overwrite
* Eric Raymond Fetchmail 'fetchmailconf' Information Disclosure
* Eric Raymond Fetchmail 'fetchmailconf' Information Disclosure (Updated)
* Eric Raymond Fetchmail 'fetchmailconf' Information Disclosure (Updated)
* Eric Raymond Fetchmail 'fetchmailconf' Information Disclosure (Updated)
* Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
* Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
* Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
* Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)
* eric3 Unspecified Vulnerability
* eric3 Unspecified Vulnerability (Updated)
* eric3 Unspecified Vulnerability (Updated)
* Eskuel Unauthorized Administrator Access
* ESMI PayPal Storefront SQL Injection & Cross-Site Scripting
* ESRI ArcInfo Workstation Buffer Overflows and Format String
* Ethereal Multiple Dissector Vulnerabilities
* Ethereal Multiple Dissector Vulnerabilities (Updated)
* Ethereal Multiple Dissector Vulnerabilities (Updated)
* Ethereal Multiple Remote Protocol Dissector Vulnerabilities
* Ethereal Multiple Remote Protocol Dissector Vulnerabilities (Updated)
* Ethereal Multiple Remote Protocol Dissector Vulnerabilities (Updated)
* Ethereal Multiple Remote P

December 31, 2005 at 11:47 AM in Security

December 26, 2005

Hacker cracks police force network

TheStar.com - Hacker cracks police force network

RCMP, OPP and Toronto service may be among victims
Thieves raid database favoured by law enforcement agencies
Dec. 26, 2005. 01:00 AM

OTTAWA—Major police forces across Canada, including the RCMP, OPP and the Toronto force, are among thousands of law enforcement agencies and forensic investigators whose private and financial information may have been stolen this month in a hacker attack, a published report says.

Guidance Software, Inc., a private Pasadena, Calif., firm, said in a letter sent out to law enforcement agencies last week that thieves had raided its database sometime in November, stealing credit card numbers and in certain cases information such as addresses and telephone numbers for 3,800 customers.

Guidance makes EnCase, a suite of forensic investigation software that has become the standard tool used by computer crime units of police, insurance companies, banks and private computer forensics specialists.

The RCMP, the OPP and the Toronto police are among Canadian agencies that say they received letters from Guidance informing them that their units' confidential information had been exposed. Guidance became aware of the breach Dec. 7, the Ottawa Citizen reports.

Toronto Police Service spokesman Mark Pugash told the Star's Betsy Powell yesterday the matter will be investigated to see what, if anything, the breach means to Canada's largest municipal force.

EnCase products are used, among other things, to extract and analyse digital evidence from computers to identify hacker attacks.

Guidance's own software "certainly should have set off some alarms that 'someone is downloading our entire database,'" said Ryan Purita, an EnCase-certified investigator with Totally Connected Security Ltd. in Vancouver. He is one of a handful of Canadian computer forensics experts authorized to testify in court.

"It highlights that intrusions can happen to anybody."

John Colbert, head of Guidance Software, Inc.

"Something fell apart here."

John Colbert, chief executive of Guidance, said the attack "is ironic, but it highlights that intrusions can happen to anybody. It's not a matter of if, but of when, so nobody should be complacent about their (computer network) security."

The Los Angeles Electronic Crimes Task Force is leading an investigation, along with the U.S. Secret Service and FBI, Colbert said. He said the breach has led to "a few instances of fraud" involving stolen credit card numbers.

Colbert admitted Guidance broke the rules of credit card issuers by storing in its database the card value verification (CVV) codes — a security feature meant to stop the cards from being used in Internet or telephone fraud. The company could face fines for keeping CVVs permanently on file.

OPP spokesman Supt. Bill Crate said the computer investigation unit's credit card information had been kept on file by Guidance, but that despite concerns over the breach of confidentiality there is no evidence the agency has suffered any financial loss.

RCMP Staff Sgt. Paul Marsh said the breach of confidentiality "is of concern."

CANADIAN PRESS

December 26, 2005 at 06:51 PM in Security

November 22, 2005

SANS Warns of Attack Shift to Apps, Network Devices


By Paul F. Roberts
November 22, 2005

An increase in the number of holes in software applications and network devices like routers and switches is allowing malicious hackers to gain access to sensitive systems, including government and military systems, according to the SANS Institute.

SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. Critical holes in computer backup and antivirus applications, as well as switch and router platforms, are enabling a new wave of attacks that is shifting attention from holes in operating systems like Microsoft Corp.'s Windows, Web and e-mail servers, SANS said. Software vulnerability scanning and better patching are the best way to address the holes, SANS said.

The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. As in past years, the SANS Top 20 contains warnings about security holes in Windows and popular Internet applications like the Internet Explorer Web browser and Outlook Express e-mail program.

However, Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines.

Enterprises have been preoccupied with operating system and Internet threats and have ignored the threat posed by holes in software applications by major vendors, according to Alan Paller, director of research at SANS.

For example, computer backup systems are rich targets for attack because they collect sensitive information from other systems and also must be accessible to enterprise systems that they manage, said Paller.

The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.

"Everybody needs to have access to the backup server to do backups. It's a critical service," he said.

Automated hacking tools that lowered the technical bar for attacking Web and e-mail servers have been modified to target applications, said Paller from London, where SANS was planning to announce the Top 20 list with representatives of the UK's NISCC (National Infrastructure Security Co-Ordination Center).

The stakes for patching holes in software are getting higher, SANS said.

"The business of stealing data for extortion and resale is a multibillion dollar business," Paller said.

Governments also have reason to take a close look at their networks for vulnerabilities in the operating systems that run desktop and server machines, as well as software applications, experts agree.

SANS, NISCC and the U.S. Department of Homeland Security issued a dire warning about the impact of software vulnerabilities on national security.

Paller said that unknown enemies—possibly sponsored by states hostile to the U.S.—are conducting round-the-clock electronic attacks against companies and government Web sites to gather and transmit privileged information.

He cited coordinated "phishing" attacks that placed Trojan horse programs on systems owned by leading British companies and the U.K. government in June, and coordinated Chinese attacks on U.S. government computers, dubbed "Titan Rain," that netted military flight planning software as examples of widespread hacking of "devastating attacks that are being carried out against U.S. government and military contractor sites," SANS said.

Unlike worms and viruses, the new wave of malicious attacks are super stealthy and may lurk for months or years, only "waking up" to snatch sensitive information and send it back to those orchestrating the attack, said Paller.

Focusing on application security is nothing new at Morgan Stanley, said Lance Braunstein, executive director of technical operations.

November 22, 2005 at 05:52 PM in Security

October 08, 2005

Dutch smash 100,000-strong zombie army

Dutch smash 100,000-strong zombie army | The Register

By Drew Cullen (drew.cullen at theregister.co.uk)
Published Friday 7th October 2005 20:30 GMT

Dutch police have arrested three people for building a worldwide zombie network of more than 100,000 PCs used to launch internet attacks on companies and to hack into bank and Paypal accounts.

The main suspect, a 19-year-old man, and his alleged accomplices, a 22-year-old and a 27-year-old, were collared in raids on their homes. Police seized "several computers, documents, a bank account, bare cash and a sports car". More arrests are expected.

The compromised PCs were hacked using a trojan horse, called W32.Toxbot, according to the police, who say that "some thousands" of the victims were based in the Netherlands.

Investigators have identified at least one distributed denial of service (DDoS) attack, targeting an unnamed American company, emanating from the zombie botnet. DDoS attacks are often used by extortionists to unleash a barrage of computer-generated requests to victim websites to cripple their operations. Online gambling firms and web retailers are typical victims.

The suspects are also thought to have hacked into a "large number of PayPal and eBay accounts, enabling them to order several goods over the internet, without actually paying for them".

The gang controlling the zombie botnet played cat and mouse with the anti-virus vendors, Dutch police say: "The Toxbot registers all keyboard actions of the infected computers and sends this information to the cyber-criminals. Anti-virus software has been available for some time. The hackers, however, frequently revised the virus, in a catch-up game with the anti-virus producers".

The botnet has now been dismantled, courtesy of GOVCERT.NL, the Computer Emergency Response Team of the Dutch government, in tandem with XS4All Internet and other unidentified providers. ®

October 8, 2005 at 09:14 PM in Security

September 16, 2005

Westpac considering biometric authentication

Australian banking group Westpac is exploring the application of fingerprint identification technology for Web banking, with a small-scale pilot possible within the next two years.

According to press reports, the bank is looking at the potential for using biometric controls to safeguard customer accounts. One possibility would be to issue customers with fingerprint scanning devices to access their accounts online.

Westpac's head of media, David Lording, emphasised that the bank was only at the "very early stages" of looking at the technology.

He says the bank has been working with ANZ and the Commonwealth Bank to try to identify standards for an industry-wide application of biometric technology, as one of a number of options for combating Web fraud.

But National Australia Bank is more sceptical about the value of biometric authentication. NAB senior operational risk manager Kayelene O'Neill reportedly told a banking technology conference in Sydney that if banks moved authentication to a biometric standard, there was a risk that customers would be targeted by criminals as a means to gain access to funds.

Australian banks are set to introduce an industry standard for two-factor authentication for verifying online banking customers later this year. Each bank is free to choose its own method of secondary identification, which will be used in addition to passwords. National Australia Bank said earlier this year that it was going to introduce SMS-based two-factor authentication to its online customers.

September 16, 2005 at 02:34 PM in Security

September 13, 2005

Digital Envoy establishes online fraud prevention unit

Digital Envoy, the inventor and leading provider of IP Intelligence solutions, today announced the creation of a new business unit - Digital Resolve - dedicated to the prevention of online fraud and identity theft for financial services institutions and other online entities.

"Digital Resolve executives have more than 50 years of combined experience within our key industry focus areas," said Bill Calpin, Digital Envoy President and CEO. "The creation of this new business unit demonstrates our commitment to these industries and allows us to better address the unique needs and issues of these markets. Digital Resolve has worked hand-in-hand with leading market players to develop best-of-breed online authentication products to secure Internet transactions and communications against fraud."

Calpin will maintain his leadership role with Digital Envoy and will direct operations for the Digital Resolve business unit, which will operate from the company's headquarters in Norcross, Ga. Furthermore, Dennis Maicon, a co-founder of Digital Envoy and the Executive Vice President of Financial Services Solutions for Digital Resolve, will spearhead the business unit's efforts in the financial services arena.

Through its Fraud Analyst and E-Scam products, Digital Resolve provides financial institutions, Internet Service Providers (ISPs) and other online entities with seamless and non-invasive methods to protect the online channel and to build consumer confidence in utilizing Internet communications and transactions.

"Customers and partners will have a seamless transition, continuing to benefit from our industry leadership, high-performance platforms, exemplary customer service and a laser focus on the issues and trends affecting the Internet," Calpin added.

September 13, 2005 at 10:07 AM in Security

September 06, 2005

The human factor

Finextra: research - The human factor

The human factor has overtaken technology as the leading IT security threat at the world's largest financial institutions, according to the 2005 Global Security Survey released by Deloitte Touche Tohmatsu (DTT).

Deloitte finds the biggest threat to bank security in the past year came from both internal insider attacks and from the phishing and pharming exploits of hackers targeting gullible consumers.

Despite the rising threat, future investment plans in security show that most of the budget is assigned to technology (64%), compared to only 15% for employee awareness and training.


September 6, 2005 at 12:36 PM in Security

July 31, 2005

Geeks Meet at 'What the Hack' Conference

Geeks Meet at 'What the Hack' Conference - Yahoo! News

By DOUGLAS HEINGARTNER, Associated Press Writer Thu Jul 28,10:37 PM ET

LIEMPDE, Netherlands - There are hundreds of tents on the hot and soggy campground, but this isn't your ordinary summertime outing, considering that it includes workshops with such titles as "Politics of Psychedelic Research" or "Fun and Mayhem with RFID."

This is the three-day "What The Hack" convention, a self-styled computer-security conference dealing with such issues as digital passports, biometrics and cryptography.

Borrowing heavily from Woodstock and the more professionalized Def Con conference that begins Friday in Las Vegas, the event held every four years in the Netherlands draws an international array of experts and geeks. About 3,000 gathered Thursday for the opening.

Unlike better-known and better-funded industry meetings, "What the Hack" had to fight for its right to exist. The mayor of the southern Dutch town of Boxtel, who oversees the village of Liempde where the convention is held, initially tried to stop the event from pitching its hundreds of tents outside his town — a reluctance stemming from the lingering public image of hackers as asocial, anarchistic and vaguely menacing.

The mayor withdrew his objections after meetings with organizers.

Some of the scheduled lectures and workshops might reinforce the convention's shady reputation, such as the talk about mayhem with RFID, which stands for radio frequency identification tags.

But other seminars appeared wholesome enough, such as the workshop on how to make homes more energy efficient or how activists can lobby governments more effectively.

Even the local police officers assigned to monitor "What the Hack" are being included in the event. Officers are holding daily workshops to educate the public about how they go about securing events like these. Such cooperation with authorities would have raised eyebrows in previous years.

Befitting the age of terrorism, the conference is taking up such security issues as biometrics and new passport technology.

But in line with its anarchic reputation, organizers have made a parody of their own security arrangements, asking attendees to screen their own belongings at an unmanned baggage scanner. Rubber gloves for a "do-it-yourself body cavity search" are provided free of charge.

Overall, the atmosphere resembles that of a music festival, with orderly people waiting in line to buy Jolt colas and vegetarian meals. Children and hammocks are as prevalent as ponytails and laptops, and a curiously popular hangout is the Slacker Salon, a computer-free zone where frenetic Web surfing is taboo.

The relaxed setting is a conscious choice, according to Internet entrepreneur Rop Gonggrijp, who in 1989 helped organize the seminal Galactic Hacker Party, an open-air convention that formed the template for What The Hack.

"The idea was to break the stereotype" of hackers as sun-averse malcontents bent on vandalism, he said. "They've never been part of this community. And now there's fortunately space in the media for more than one kind of hacker."

Rutgers University anthropologist Biella Coleman said events like these serve a critical function for the many communities of people who are acquainted online, but rarely get the chance to meet in the real world.

"Virtuality needs sociality," she said.

Klaartje Bruyn, for example, is a sign-maker by day, but came to What the Hack for social, rather than professional reasons. Electronically arranging meetings with friends both real and virtual from the comfort of her hammock, she lauded how the festival could bring together so many far-flung yet like-minded people.

"It's like a blind date with 3,000 people," she said.

July 31, 2005 at 12:27 PM in Security

July 25, 2005

Lost a BlackBerry? Data Could Open A Security Breach

Lost a BlackBerry? Data Could Open A Security Breach - Yahoo! News

By Yuki Noguchi, Washington Post Staff Writer Mon Jul 25, 1:00 AM ET

The ability to carry vast amounts of data in small but easily misplaced items such as computer memory sticks and mobile e-mail devices has transformed the way Americans work, but it has also increased the risk that a forgotten BlackBerry or lost cell phone could amount to a major security breach.

Worried that sensitive information could ride off in the back of a taxicab or be left in a hotel room, companies are peeling back some of the convenience of mobile devices in favor of extra layers of password protection and other restrictions. Some are installing software on their networks to make it impossible to download corporate information to a portable device or a memory stick, which is a plug-in device that holds data for use on other computers. Wireless providers are developing weapons to use against their own products, like digital "neutron bombs" that can wipe out information from long distance so one misplaced device doesn't translate into corporate disaster.

It's a nightmare that individuals and corporations fret about when their mobile e-mail or handheld devices go missing or fall into the wrong hands. With the swift stroke of a keypad, someone's e-mail, corporate data and business contacts can be laid bare for others to see -- and potentially abuse.

Personal devices "are carrying incredibly sensitive information," said Joel Yarmon, who, as technology director for the staff of Sen. Ted Stevens (R-Alaska), had to scramble over a weekend last month after a colleague lost one of the office's wireless messaging devices. In this case, the data included "personal phone numbers of leaders of Congress. . . . If that were to leak, that would be very embarrassing," Yarmon said.

A couple of years ago, David Yach and all other workers at his Canadian company woke up to an e-mail full of expletives from an otherwise mild-mannered female employee.

But it was not sent by the woman. A thief had broken into her home, commandeered her BlackBerry wireless device and sent the note, said Yach, vice president of software at Research in Motion Ltd., the company that makes the BlackBerry, a device that allows e-mail to be sent and received.

"It's terrifying," said Mark Komisky, chief executive of Baltimore's Bluefire Security Technologies Inc., who recently lost his iPaq 6315 Pocket PC in a cab or at O'Hare International Airport in Chicago. The device, a small pocket phone with a miniature keyboard, contained his e-mail, details of his company's strategy, Social Security numbers of his wife and son, and phone numbers for high-level executives at companies with which Bluefire does business, such as Intel Corp.

"I got off the plane in Baltimore and did the pat-down, and didn't have it," he said. "It's bad," even for the head of a firm that sells security services for companies and government agencies trying to secure their wireless devices. At 10:30 p.m., he called a technician at Bluefire, who erased the information on the iPaq remotely. Luckily, it was also locked with a password, he said.

Companies are seeking to avoid becoming the latest example of compromised security. Earlier this year, a laptop computer containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen from the car of an MCI financial analyst in Colorado. In another case, a former Morgan Stanley employee sold a used BlackBerry on the online auction site eBay with confidential information still stored on the device. And in yet another incident, personal information for 665 families in Japan was recently stolen along with a handheld device belonging to a Japanese power-company employee.

To combat the problem, security companies have come up with ways to install layers of password protection and automatic locks on devices. Others market the ability to erase data over the air once the device is reported lost. In Japan, cell phone carrier NTT DoCoMo Inc. started selling models that come with fingerprint scanners to biometrically unlock phones.

Some companies suffer only embarrassment from such incidents. But for public companies or financial firms, a lost device could mean violation of the Sarbanes-Oxley Act, which requires strict controls over disclosure of financial information. For doctors and health care companies, the loss of customer data compromises patient confidentiality, protected by the Health Insurance Portability and Accountability Act.

Potential security breaches are made scarier by the greater reliance on mobile devices. Smart phones, such as the Treo or some BlackBerry models, come with enough memory and high-speed Internet access to function as small computers. In some cases, accompanying memory cards allow users to store even more data, including client lists and contract information.

"I hear less about the cost of the devices, because it really is a pittance, but I really do hear more about the potential cost of someone gaining access to corporate data," said Kenny Wyatt, a vice president for Sprint Corp., which helps some of its business customers manage the security of wayward devices.

Three years ago, Wyatt lost a cell phone containing phone numbers of co-workers and clients. Sprint now can delete information by sending a signal to a phone over the air, he said, although if the device is turned off, the kill signal won't work.

Without the kill service, losing his phone would be a bigger deal today than it was three years ago because the device contains so much more information, he said. "It'd be like I lost an appendage."

In Chicago, 160,000 portable devices are left in taxicabs every year, according to a survey earlier this year by Pointsec Mobile Technologies, a security software firm. Fifty to 60 percent of those are reunited with their owner, according to the firm, which polled cab companies.

According to another survey sponsored by software maker Symantec Corp., 37 percent of smart-phone users store confidential business data on their phones. Only 40 percent of those surveyed worked at companies that have corporate policies about wireless security.

Yarmon, the staffer for Sen. Stevens, said he sends an e-mail every few months reminding colleagues to install passwords on devices. "That is my worst fear," he said, "for a user to have it fall into the hands of somebody who disseminates it or uses that information against my boss."

July 25, 2005 at 11:12 PM in Security

Hackers target flawed backup software-survey

Hackers target flawed backup software-survey - Yahoo! News

By Andy Sullivan Mon Jul 25, 3:04 PM ET

WASHINGTON (Reuters) - Flawed backup software has emerged as the latest target for hackers looking for corporate secrets, according to a survey released on Monday.

The survey by the nonprofit SANS Institute found new holes in widely used software products, even as computer users are getting better at patching some favorite hacker targets.

Attackers are now focusing on desktop software, like Web browsers and media players, that might not get fixed as frequently as Microsoft Corp.'s Windows operating system and other software widely used by business, the cybersecurity research organization found.

More than 422 significant new Internet security vulnerabilities emerged in the second quarter of 2005, the cybersecurity research organization found, an increase of 11 percent from the first three months of the year.

Particularly troubling are holes in backup software made by Computer Associates International Inc. and Veritas Software Corp., which together account for nearly one-third of the backup-software market, said Ed Skoudis, founder of the security company Intelguardians.

"If you think about it, people back up information that is their most important information, otherwise they wouldn't back it up at all, right?" Skoudis said on a conference call.

"By exploiting one of these vulnerabilities, an attacker can get in there and exploit some of the most sensitive information for some of the most sensitive organizations."

Fixes are available for all the problems outlined in the SANS report, but many of the new flaws aren't fixed as quickly as older ones.

Administrators take an average of 62 days to fix backup software and other software inside their firewall, compared to an average of 21 days for e-mail servers and other products that deal directly with the Internet, said Gerhard Eschelbeck, chief technical officer of business-software maker Qualys.

Home users typically take even longer to fix problems, said SANS chief executive Allan Paller.

Many of the new flaws were found on products popular with home users.

Flaws in media players like Apple Computer Inc.'s iTunes and RealNetworks Inc.'s RealPlayer could enable a hacker to get into a user's computer through a poisoned MP3 file.

Users of Microsoft's Internet Explorer Web browser could be compromised simply by visiting a malicious Web site, SANS said.

Even the open-source Mozilla and Firefox Web browsers, which have gained in popularity thanks to security concerns, had flaws as well, Paller said.

July 25, 2005 at 10:18 PM in Security

FDIC urges banks to guard against spyware

FDIC urges banks to guard against spyware - Yahoo! News

Mon Jul 25, 8:32 AM ET

NEW YORK (Reuters) - The FDIC on Friday urged banks to enhance their protections against spyware, to limit the risk that customers' personal data may be stolen.

The guidance from the Federal Deposit Insurance Corp. comes amid a growing stream of reported incidents of the theft or exposure of personal customer data.

Spyware is a kind of software installed on a computer without the user's knowledge, often through a virus or when a user downloads a free program.

It is designed to let a hacker eavesdrop, collect personal or confidential information and perhaps track and record a user's activities. Some spyware can obtain such information as passwords or card numbers. It also often buries users under a blizzard of unwanted ads.

In the biggest reported security breach, details on some 40 million Visa, MasterCard, American Express and Discover credit cards were exposed to potential fraud through a breach at CardSystems Solutions Inc., a Tucson, Arizona, processor.

Data on hundreds of thousands of customer accounts at such banks as Bank of America Corp. (NYSE:BAC) and Wachovia Corp. (NYSE:WB) may also have been exposed in other incidents.

"Information collected through spyware can be used to compromise a bank's systems or conduct identity theft," said Michael Zamorski, director of the FDIC division of supervision and consumer protection.

"It is critical that banks stay vigilant about the risks involved with this malicious software."

The FDIC said banks should educate customers about the risks of spyware and encourage them to take steps to prevent and detect spyware on their own computers.

Banks should also advise customers of the risks of banking online on public computers -- such as in hotels, libraries or Internet cafes -- where spyware might have been installed.

The agency said banks should also enhance internal security and Internet-use policies, such as by prohibiting Internet downloads and visits to inappropriate Web sites, and train employees about the risks of spyware. It also said banks should consider adopting new authentication methods to thwart hackers who might already have customer account numbers and passwords.

David Cole, director of product management at Symantec Corp.'s (Nasdaq:SYMC) security response unit, said data stolen through spyware is often sold on the black market.

"Its value is dependent on its completeness and quality," he said. "We've seen increasing sophistication across the board." Cupertino, California-based Symantec is the No. 1 maker of software that protects against Internet viruses.

Earlier this month, a Pew Internet and American Life Project survey said nine out of 10 Internet users claimed to have changed their online habits to avoid spyware and other Web-based threats. Two in three said spyware had caused slower computer performance or other problems.

July 25, 2005 at 10:17 PM in Security

Professors Make Password Protection Product

Professors Make Password Protection Product - Yahoo! News

Mon Jul 25, 2:15 PM ET

SAN FRANCISCO - The increase in identity theft has prompted two Stanford University professors to develop software that protects computer passwords from Internet thieves.

John Mitchell and Dan Boneh will unveil Pwdhash, software that scrambles passwords typed into Web sites, then creates a unique sign-on for each site visited, at the Usenix Security Symposium in Baltimore next week.

It's the latest attempt to thwart attempts by cyber-criminals who steal passwords by creating phony online banking or e-commerce sites. Cyber criminals dupe victims into believing the site is legitimate and lure them into typing their passwords. The crooks then use the password to loot the victim's bank account. For e-commerce shoppers, many of whom have stored credit card information at their favorite online stores, the thieves may use their information to go on a shopping spree.
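The per-site password idea the article describes, as an added sketch that is not PwdHash's own code (its actual algorithm differs): an HMAC keyed with the master password over the site's domain yields a different password for every site, so a phony site captures only a value that is useless at the genuine one. The two-label domain rule and the sample master password and URLs are assumptions made for this illustration.

```python
# Added illustration of the per-site password idea behind PwdHash. This is
# NOT the PwdHash code or its exact algorithm; it is a simplified sketch that
# keys an HMAC with the user's master password and the site's domain.
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain that the derived password is bound to.

    Assumption (not how PwdHash itself does it): keep the last two DNS labels,
    so www.bank.example and login.bank.example:8443 map to the same key.
    Multi-part public suffixes such as co.uk are not handled here.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(master: str, url: str, length: int = 12) -> str:
    """Derive a site-specific password from the master password and the URL.

    HMAC-SHA256 keyed with the master password over the domain: the result is
    unique per site, stable across visits, and one-way, so a look-alike site
    that captures it learns neither the master password nor the password
    used at the genuine domain.
    """
    if length < 4:
        raise ValueError("length too short to satisfy the character classes")
    domain = site_key(url)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    # URL-safe base64 gives letters, digits, '-' and '_'; drop the padding.
    body = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    body = body[: length - 1]
    # Append one symbol chosen from the digest so that sites demanding a
    # non-alphanumeric character accept the result.
    symbols = "!@#$%^&*"
    return body + symbols[digest[-1] % len(symbols)]


def same_site_password(master: str, url_a: str, url_b: str) -> bool:
    """True when two URLs would receive the same derived password."""
    return derive_site_password(master, url_a) == derive_site_password(master, url_b)


if __name__ == "__main__":
    master = "correct horse battery"                      # constructed sample
    genuine = "https://www.bank.example/login"            # constructed sample
    phish = "https://bank.example.login-verify.test/login"  # constructed look-alike
    print(derive_site_password(master, genuine))
    print(derive_site_password(master, phish))
    print(same_site_password(master, genuine, phish))   # -> False
```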

Last year, Mitchell and Boneh developed SpoofGuard, which inspects Web sites users visit and hunts for clues the site may be bogus. The technology pores over URLs, graphics, and links. When there's something wrong, the software notifies the user.

All the security tools are free browser plug-ins available at Stanford's Web site.

___

Information from: San Francisco Chronicle

July 25, 2005 at 05:47 PM in Security

July 19, 2005

Encrypted files frustrate police

London bombs terror attack The Times and Sunday Times Times Online

By Stewart Tendler, Crime Correspondent

TERRORIST suspects are using encryption techniques to prevent police from accessing vital intelligence on seized computers, Britain’s top police commander said yesterday.

Sir Ian Blair, the Commissioner of the Metropolitan Police, said that government plans for counter-terrorist legislation should include prosecutions for suspects who refuse to unlock their computer files.

He said that the police can hold a suspect for 14 days without charge and if he or she refuses to co-operate the investigation becomes “a race against time” as police computer experts try to decrypt files in that time.

Encryption has become a “powerful tool” for the terrorists in recent years, he said.

The call for laws to combat the problem comes as security on the London Underground is tightened with the introduction of police sniffer dogs. British Transport Police confirmed yesterday that dogs are patrolling trains and stations in the biggest deployment that the force has mounted.

The dogs have already been used on the Heathrow Express and at Paddington. Now their deployment will be widened as a deterrent and to reassure the public. The dogs are taught not to tear at suspect packages or luggage. Instead they sit down by the object, indicating to their handler that they have found something.

The dogs will work at ticket barriers in groups, with back-up units of police, and search through trains. If anyone deliberately tries to avoid the dogs, usually spaniels or labradors, or leaves a station or train suddenly, they will be stopped by other officers.

Community support officers are also being drafted in to provide extra uniformed patrols on the Tube system.

July 19, 2005 at 10:00 PM in Security

July 07, 2005

The impact of spyware - PEW

Spyware problems have struck tens of millions of computer users. 91% of internet users have changed their online behavior for fear of becoming victims.


Computer programs that secretly plant themselves on people's computers and then monitor users' online behavior or hijack their browsers have become a scourge.

Tens of millions of Americans have been struck by so-called spyware. Fully 91% of internet users have changed the way they behave online as they try to avoid unwanted and invasive software. A new nationwide survey by the Pew Internet & American Life Project shows that:

*81% of internet users say they have stopped opening email attachments unless they are sure these documents are safe.
*48% of internet users say they have stopped visiting particular Web sites that they fear might deposit unwanted programs on their computers.
*25% of internet users say they have stopped downloading music or video files from peer-to-peer networks to avoid getting unwanted software programs on their computers.
*18% of internet users say they have started using a different Web browser to avoid software intrusions.

A new Pew Internet Project report shows that about 93 million American internet users (68% of them) have had computer trouble in the past year that is consistent with problems caused by spyware and viruses, though 60% of those who had problems were not sure where the problem originated. Some 25% of internet users have seen new programs on their computers that they did not install or new icons on their desktop that seemed to come out of nowhere. One in five internet users (18%) have had their homepage inexplicably changed.

The report, written by PIP's Associate Director Susannah Fox, says that those who have broadband connections at home and those who range far and wide online are among those most vulnerable to spyware. Some of the most risky online behaviors that seem to attract spyware are downloading peer-to-peer services and swapping files over them, visiting adult Web sites, and playing online games.

"Familiarity breeds contempt when it comes to spyware. The more internet users know about these programs, the more they want to sound the alarm and take steps to protect themselves," said Fox. "These survey results show that as internet users gain experience with spyware and adware, they are more likely to say they are changing their behavior. But what is more alarming is the larger universe of people who have struggled with mysterious computer problems, but have no idea why. Internet users are increasingly frustrated and frightened that they are not in charge of their internet experience."

This new telephone survey was conducted among a sample of 1,336 internet users and has a margin of error of plus or minus 3 points.

It was designed to probe the impact of spyware and adware on people's internet experiences. The report used these definitions in talking to respondents:

*Spyware: can be installed on a person's computer without their explicit consent, either by 'piggy-backing' onto a file or program the person downloads from the internet or just by visiting a particular Web site. These programs can keep track of a person's internet habits and the sites they visit, and can transmit this information back to a central source.
*Adware: comes bundled with free files and programs people download from the internet, such as games, file-sharing programs, and screensavers. These programs can keep track of a person's internet habits and the sites they visit, and can use that information to provide targeted advertising on the person's computer.

Fully 49% of internet users see spyware as a serious threat to their online security. And many believe that more should be done to alert consumers when adware is being loaded onto their computers at the same time they are installing other software, such as peer-to-peer programs. In many cases, adware is installed after internet users check off and consent to a user agreement, but 73% of internet users admit they do not always read such agreements.

You can find the full report at:
http://www.pewinternet.org/PPF/r/160/report_display.asp

About the Pew Internet & American Life Project: The Pew Internet Project produces reports that explore the impact of the internet on children, families, communities, the work place, schools, health care, and civic/political life. The Project aims to be an authoritative source on the evolution of the internet through collection of data and analysis of real-world developments as they affect the virtual world. Support for the non-profit Pew Internet Project is provided by The Pew Charitable Trusts. The Project is an initiative of the Pew Research Center. The Project's Web site: www.pewinternet.org


July 7, 2005 at 09:24 AM in Security

July 06, 2005

Net users change habits to avoid spyware-survey

Net users change habits to avoid spyware-survey - Yahoo! News

Wed Jul 6, 4:16 PM ET

WASHINGTON (Reuters) - Nine out of 10 Internet users say they have changed their online habits to avoid spyware and other Internet-based threats, according to a study released on Wednesday.

The Pew Internet and American Life Project found that an overwhelming majority of Internet users have stopped opening questionable e-mail attachments, or taken other steps to avoid a plague of stealthy, unwanted programs that can disable computers or secretly monitor online activity.

Nearly half said they have stopped visiting particular Web sites that they suspect may deposit unwanted programs on their computers, while 25 percent say they have stopped downloading music or movies from "peer to peer" networks that may harbor spyware.

Eighteen percent said they had switched the type of Web browser they use in order to avoid spyware.

Spyware has emerged as a major headache for computer users over the last several years.

It can sap computing power, crash machines and bury users under a blizzard of unwanted ads. Scam artists use spyware to capture passwords, account numbers and other sensitive data. It can end up on users' computers through a virus or when they download games or other free programs from the Internet.

Sixty-eight percent of those surveyed said they had suffered slower performance or other problems that could be attributed to spyware. Other surveys have found the level of infection to be as high as 80 percent.

The nonprofit group surveyed 1,336 U.S. Internet users, between May 4 and June 7. The survey has a margin of error of plus or minus 3 percent.

July 6, 2005 at 11:38 PM in Security

July 05, 2005

Vote looms for EU 'software law'

BBC NEWS | Technology | Vote looms for EU 'software law'

European lawmakers are preparing to vote on a directive which could protect companies' computerised inventions.

The proposed law, the Computer Implemented Inventions Directive, has been a bone of contention since 2001.

Opponents say it would lead to the patenting of software, which is already protected by copyright.

This would harm small firms and open source developers. Supporters say programs that make other technologies work need more protection.

Amendments made

The proposed law has undergone several amendments from its original form, or "Common Position."

The vote on Wednesday in the European Parliament will be on the amendments which were agreed upon by the European Council in May.

On Monday, key representatives from several big technology firms said they opposed the changes.

Consumer interest groups have added several more amendments in recent weeks.

They say the European Members of Parliament should vote in favour of the key amendments.

If the law is eventually approved, it would mean that there would be an EU-wide patent protection scheme for any computer-based invention, such as programs for medical scanners, mobiles, or ABS car-brake systems.

In other words, it would affect computer programs when the software is used to make an invention or innovation work.

In the US, the patenting of computer programs and net business processes is allowed.

The US-based Amazon.com holds a patent for its one-click shopping service, for example.

Protection and innovation

Protesters began to gather on Tuesday outside the European Parliament ahead of the vote.

More than 1,700 Europe-wide companies, represented by the Free Information Infrastructure UK (FFII-UK), joined the plea for the European Union to reject any law which patents software.

"If we want to preserve a competitive, innovative and successful European IT sector, it is essential that the Council's common position be amended," said Rufus Pollock, director of the FFII-UK.

"We believe the set of 21 compromise amendments being put forward by MEPs from all political groups is what is needed to achieve this goal and to avoid the worst-case scenario of a US-style software patent system.

"As it stands, the current text of the directive will impose software and business process patents across the EU."

Divided industry

But the big technology players remained adamant.

"Any departure from the Common Position would put at risk our future prosperity and significant numbers of jobs across Europe," said Serge Tchuruk, chief executive of French telecoms firm Alcatel.

Philips, Nokia and Siemens have also voiced concern over the amendments.

Telecoms firm Ericsson's chief executive Carl-Henric Svanberg said in a joint letter to EU leaders: "If we are not able to patent our computer-implemented inventions, the digital technology industry, and also Europe as a region, will have difficulty staying competitive."

Other big companies, such as IBM and Sun, have voiced their opposition to the proposed law.

Many fear that the law would suffocate innovation and openness to research and development within smaller companies that have less legal power.

Larger, more powerful companies would be able to collect patents on software processes.

After Wednesday's vote, the Council has three months to consider the decision. If it then votes to reject it, Parliament and the Council would go to a conciliation process to come up with an agreement.

The directive could be abandoned if that process failed.

July 5, 2005 at 04:48 PM in Security

Firms are not protecting the data they hold. Their complacency may cost them dear

Information security | The leaky corporation | Economist.com

IT NEVER rains but it pours. Just as bosses and boards had finally sorted out their worst accounting and compliance troubles, and beefed up their feeble corporate governance, a new problem threatens to earn them—especially in America—the sort of nasty headlines that inevitably lead to heads rolling in the executive suite: data insecurity. Left, until now, to geeky, low-level IT staff to put right, and seen as a concern only of data-rich industries such as banking, telecoms and air travel, information protection is now high on the boss's agenda in businesses of every variety.

Several massive leakages of customer and employee data this year—from organisations as diverse as Polo Ralph Lauren, Time Warner, MCI, the large American defence contractor Science Applications International Corp and even the University of California, Berkeley—have left managers hurriedly peering into their labyrinthine IT systems and business processes in search of potential vulnerabilities.

“Data is becoming an asset which needs to be guarded as much as any other asset,” says Haim Mendelson of Stanford University's business school. “The ability to guard customer data is the key to market value, which the board is responsible for on behalf of shareholders”. Indeed, just as there is the concept of Generally Accepted Accounting Principles (GAAP), perhaps it is time for GASP, Generally Accepted Security Practices, suggests Eli Noam of New York's Columbia Business School. “Setting the proper investment level for security, redundancy, and recovery is a management issue, not a techie one,” he says.

The mystery is that this should come as a surprise to any boss. Surely it should be obvious to the dimmest executive that trust, that most valuable of economic assets, is easily destroyed and hugely expensive to restore—and that few things are more likely to destroy trust than a company letting sensitive personal data get into the wrong hands.

Don't ask, don't tell

Such complacency may have been encouraged—though not justified—by the lack of legal penalty (in America, but not Europe) for data leakage. Until California recently passed a law, American firms did not have to tell anyone, even the victim, when data went astray. That may change fast: lots of proposed data-security legislation is now doing the rounds in Washington, DC. Meanwhile, the theft of information about some 40m credit-card accounts in America, disclosed on June 17th, overshadowed a hugely important decision a day earlier by America's Federal Trade Commission (FTC) that puts corporate America on notice that regulators will act if firms fail to provide adequate data security.

The FTC decided to settle with BJ's Wholesale Club, a retailer whose lax data-protection practices the agency said constituted an “unfair practice that violated federal law.” The firm collected too much data, kept it too long, did not encrypt it, lacked password protections and left its wireless network open. This, in turn, enabled criminals to produce counterfeit credit and debit cards using stolen customer data and rack up millions of dollars in fraudulent charges. The firm has agreed to fix these problems and undergo information-security audits for 20 years.


This settlement represents a big step for the FTC, which had settled various other cases concerning sloppy data management since 2001—including against Eli Lilly, clothing designer Guess, Tower Records and Microsoft—but did so on narrow, technical grounds. For instance, in several cases the FTC applied the doctrine of “deceptive practices” to firms that failed to live up to their data-security claims.

In its settlement with BJ's, the FTC used its broad “fairness authority” to penalise bad information-security management. For the FTC to act, this requires evidence both of substantial consumer harm and that the firm did not have reasonable grounds for failing to implement certain practices. The BJ's case, said FTC chair Deborah Platt Majoras, signalled the regulator's “intention to challenge companies that fail to protect adequately consumers' sensitive information”.

“Boards should pay as much attention to these IT operational risks as they do to other operational risks in the firm,” argues George Westerman of the MIT Sloan School of Management. After all, boards have audit committees and compensation committees. It may be time for a data-protection committee, he argues. Bosses must ensure that there are effective data risk-management processes in place, be aware of their greatest vulnerabilities and promote a corporate culture that acknowledges data risks rather than hides them.

But the problem is often a lack of understanding by senior managers not just of technology but of business processes, says Thomas Parenty, author of “Digital Defense: What You Should Know About Protecting Your Company's Assets” (Harvard Business School Press, 2003). “No one in the organisation bothers to look at the value of what data they hold, the consequences if something bad happens to it, and the appropriate mechanisms to prevent that from happening,” he says.

So, what should a boss do? Accountancy firms and consultants are already spotting a chance to profit by conducting an independent security and privacy audit—and for many firms, their (no doubt) huge fee will probably be worth the money. The auditors inspect technology systems, data flow and the controls on access to data within an organisation and with its business partners.

A wise boss will also appoint a senior executive to be responsible for data security—and not just to have a convenient scapegoat in the event of a leak. Diana Glassman, a data protection expert, says that a useful first step would be for the boss to write to all employees reminding them of the risks and potential cost of data leakage, and asking them, before passing data to anyone else, to question whether that person truly needs, or is entitled to, it.

Many of the worst recent data leakages resulted from failure of the most basic kind. The data-processing firm that suffered the breach that exposed 40m credit-card accounts was not in compliance with the security standards of Visa and MasterCard—which may now find themselves liable for negligence. If nothing else gets bosses to focus on data security, surely the prospect of ending up in court will.

July 5, 2005 at 12:30 PM in Security

July 03, 2005

Security is Microsoft's biggest technology challenge: Bill Gates

Security is Microsoft's biggest technology challenge: Bill Gates - Yahoo! UK & Ireland News

SINGAPORE (AFP) - Internet security is Microsoft's greatest challenge while developing mainstream technology to be able to talk to a computer is a frontier about to be crossed, company chairman Bill Gates revealed.

Delivering a wide-ranging lecture on technology to thousands of delegates at a Microsoft forum, Gates said giving instructions to a personal computer by voice would become mainstream in "three to four years".

Gates, who is also Microsoft's chief software architect, said the company was investing "tens of millions of dollars" annually on this technology, although he expected the computer keyboard would remain an important device.

Asked what was the biggest technology challenge for Microsoft apart from piracy, Gates identified security on the Internet, which he explained included privacy issues and controlling spam e-mails.

"The thing we are investing the most in is our work on security," Gates said, adding that users should feel more secure in giving out their credit card numbers and other information online.

"I think the security challenge certainly for the foreseeable future will be the biggest thing."

Gates also said the "next big thing" on the information technology horizon was pushing the functions of the Internet to a higher level, such as making online searches faster and easier.

"The Internet is so popular today that we need to just keep evolving ... the way we navigate information -- we need to make it easier to find.

"People are very impressed about searches today but it's really quite poor compared to what it should be," Gates said.

He said searching for information on the web directs the user to a lot of links instead of giving out the information immediately.

"(A) higher level of understanding (by the computer) -- that's the biggest thing because it means you will write a lot less code and you'll find anything you want very quickly," he said.

Gates said the next 10 years would be "far more interesting" than the past 30 years because technology gains will change at a faster pace the way people work and live.

July 3, 2005 at 10:54 AM in Security

June 29, 2005

The human factor

Finextra: research - The human factor

The human factor has overtaken technology as the leading IT security threat at the world's largest financial institutions, according to the 2005 Global Security Survey released by Deloitte Touche Tohmatsu (DTT).

Deloitte finds the biggest threat to bank security in the past year came from both internal insider attacks and from the phishing and pharming exploits of hackers targeting gullible consumers.

Despite the rising threat, future investment plans in security show that most of the budget is assigned to technology (64%), compared to only 15% for employee awareness and training.

June 29, 2005 at 06:45 PM in Security

June 22, 2005

Security breach exposes holes in credit card system

ITBusiness.ca

6/22/2005 5:00:00 PM - After millions of numbers are stolen, Mastercard and Visa are forced to review their third-party relationships. Experts discuss contract limitations, the impact on technology use and the costs to banks and retailers

by Neil Sutton

Credit card companies may be able to limit the impact of hacker attacks on third-party partners, like the one reported last week, but analysts claim that there are no assurances it won’t happen again.

MasterCard said on Friday that as many as 40 million credit card numbers may have been stolen due to an attack on CardSystems Solutions, a third-party processor of payment data in Tucson, Ariz. The company claimed it was keeping customer card data, contrary to its agreement with MasterCard, for “research purposes.”

Of the compromised accounts, about 20 million are Visa, 14 million are MasterCard and the remainder are American Express, Discover and other brands.

Carmi Levy, an analyst with Info-Tech Research Group Inc., based in London, Ont., said credit card companies have relationships with hundreds of these third-party processors. Contractual obligations are designed to prevent the CardSystems incident from ever happening, but “it’s impossible for the credit card companies -- with whom consumers and businesses have this relationship -- to validate and verify that their third-party organizations are living up to their end of the bargain,” he said.

According to MasterCard Canada, 97 card holders may be at risk and those people have all been contacted. They would only be at risk if they had recently used their cards to make purchases in the U.S.

Both MasterCard and Visa offer their customers a “zero liability” policy, making them immune from purchases that were made without their consent. No confidential data, such as social insurance numbers or dates of birth, was put at risk as a result of the leak, according to the company.

The card holders may be protected, but when credit card numbers are used illegally, it’s the retailers that end up swallowing the cost of the purchase, said Richard Purcell, CEO of the Corporate Privacy Group, a consulting practice in Nordland, Wash.

“For Amazon, maybe that’s something they can tolerate, but for a smaller (retailer), that’s something that could be really harmful to them,” he said.

“Really, I think the harm is in the system itself in an overall way. Merchants suffer harm, consumers lose confidence; the whole idea of using technology gets lowered. These (credit card companies) don’t appreciate the value of what it is they’re protecting and transacting. Information is far more valuable than they realize. And I think the reason that there was a breach is that they’ve failed to realize that it’s that valuable.”

Louise Wardrop, head of operations for MasterCard Canada, said that third-party providers are continually monitored for signs of activities that could lead to a breach.

“Luckily this does not happen often,” she said. “Any time that it does, our processors, our banks are on heightened awareness.”

Third-party transaction processors are subject to reviews, she said, and are required to fill out performance questionnaires. “When we get those questionnaires in we assess the risks and make sure that if there is a risk, we’re on site to evaluate their security procedures.”

MasterCard isn’t planning to substantially change its policies and procedures with third-party providers, she said, “but we will continue to review them and monitor them and make sure that what we do have in place is working and make any adjustments to make sure that it doesn’t happen again.”

The Bank of Montreal, the largest MasterCard issuer in Canada, has been in touch with all of its card holders that may have been affected by the breach, according to spokesperson Ralph Marranca. The bank will issue any person deemed at risk with a new card next week.

“The good news is that we’ve got some pretty sophisticated systems in place. Criminals . . . understand that we have some pretty sophisticated equipment. We can move pretty quickly to mitigate or limit the amount of incidents that occur,” said Marranca.

“Any time something like this happens, you sit down with MasterCard and look at your processes and make sure your processes are working as they should. And look at if there’s anything more we can do or need to do.”

Credit card companies and their issuing institutions may be doing their best to limit the effects of a breach, said Levy, but as long as there are holes to be exploited, hackers will find them.

“The weakest link is where the hacker is going to focus his or her effort, the weakest link is where the breach is going to occur,” he said. “Do I think this is going to improve? No. There’s no way to control every single level of customer data along the chain, especially if you are outsourcing to such a great degree.”

“I guess you could say, ‘Never say never,’ unless you have a crystal ball,” said Wardrop. “But the point to reinforce is that we’re out all the time monitoring.”

Last year, MasterCard and Visa created the Payment Security Industry (PCI) Data Security Standard by aligning their data security programs. PCI, also supported by Amex, Diners Club, Morgan Stanley’s Discover Financial Services and JCB Co. Ltd., went into effect in January 2005. PCI is designed to allow merchants and third-party providers to measure the effectiveness of their security measures. CardSystems Solutions did not comply with these measures, according to MasterCard.

The rules and policies that credit card companies have in place for dealing with issuers and third-party processors are generally sufficient, said Purcell, but they may have to become more vigilant about enforcing them.

June 22, 2005 at 08:16 PM in Security

June 21, 2005

Hackers score big by thinking small, experts say

Hackers score big by thinking small, experts say - Yahoo! News

Mon Jun 20, 5:04 PM ET

WASHINGTON (Reuters) - A recent computer security breach that left 40 million credit cards vulnerable to fraud shows how online criminals are scoring big by thinking small, experts said on Monday.

Cybercriminals are increasingly crafting more focused attacks with a potential for profit as they target one or two companies at a time, rather than blasting out Internet virus attacks across the globe, according to security experts.

The payoffs can be enormous. MasterCard International said on Friday that an outsider gained access to as many as 40 million credit and debit cards from CardSystems Solutions Inc., a payment processor. A MasterCard spokeswoman said on Monday that the attacker had placed a malicious computer script on CardSystems computers.

In Israel, police are investigating a massive case of industrial espionage that used a "Trojan horse" computer program to copy confidential information from some of the country's top businesses.

Security vendors say such attacks are increasingly common.

"We have seen several examples of targeted, manually crafted Trojans that people write and implement for a very small number of companies," said Aladdin Security Vice President Shimon Gruper.

MessageLabs chief technical officer Mark Sunner said that since January the company has seen a 150 percent increase in attacks that only target one or two companies.

Experts said there are a number of reasons behind the shift. Playful hackers looking for kicks could write viruses that plagued companies and computers around the world but brought them no financial return. They have been elbowed aside by organized criminals, often based in Eastern Europe, who are motivated by profit and willing to launch a sustained, sophisticated assault.

Targeted attacks have another key advantage: they are usually small enough to stay off the radar of Internet security firms that are looking for broader attacks. That gives the high-tech criminals the time to research a company thoroughly before trying to penetrate it.

"You know there's specific technology, a piece of intellectual property, how much money is in their accounts," said RSA Security Inc. (Nasdaq:RSAS) CEO Art Coviello. "That's the advantage -- you have a little bit more knowledge."

Attackers can then send individual, personalized e-mails to the target company's employees, or pose as an IT administrator who needs to install a software update. Once in, they can use simple spyware programs to pick up passwords, account numbers and other valuable information.

"When you see a focused attack like this, this is kind of your worst-case scenario. These are people who are going to actually do something with those credit cards once they get them," said Mike Gibbons, a Unisys Corp. (NYSE:UIS) vice president and former FBI cybercrime chief.

E-mail viruses have lost their teeth now that more people are using antivirus software properly, said Alfred Huger, senior director of engineering at the antivirus provider Symantec Corp. (Nasdaq:SYMC).

While old viruses continue to circulate, "they're background noise," he said.

At the same time, Microsoft Corp. (Nasdaq:MSFT) has patched the most gaping holes in its Windows operating system and companies have learned to install those patches quickly, said John Pescatore, a vice president at the consulting firm Gartner Inc. (NYSE:IT).

Identity thieves who used to go through trash bins to find credit-card receipts have learned that it's more worthwhile to extract such information from companies that collect it.

"Two years ago I would say one of the things you should do is shred your trash. Now that is completely obsolete advice," said Bruce Schneier, chief technical officer for Counterpane Internet Security Inc.

June 21, 2005 at 07:54 AM in Security

June 18, 2005

Lax Security Cited in Massive Credit Card Data Theft

Netcraft: Lax Security Cited in Massive Credit Card Data Theft

Inadequate security at credit card processor CardSystems Solutions Inc. is being blamed for a break-in that has exposed more than 40 million credit card accounts to potential theft. The company says the system compromise was discovered May 22, after a MasterCard inquiry into a wave of fraudulent transactions.

MasterCard International said it "worked with CardSystems to remediate the security vulnerabilities in the processor's systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data." Officials at affected institutions were not specifying the vulnerability and exploit used to breach CardSystems' security. The CardSystems web site runs on the Windows 2000 operating system and Microsoft IIS Server 5.0.

CardSystems, which processes more than $15 billion in transactions a year for 105,000 small businesses, said it "immediately began a remediation process to ensure all systems were secure," the company said in a statement. "Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security."

Third-party testing is critical to the security of the world's online banking and e-commerce systems, but is obviously less valuable if an institution defers it until after an enormous breach has occurred. The CardSystems breach offers a cautionary tale for all institutions handling sensitive financial data. Our interest here should be clearly stated: Netcraft offers a range of advanced security services, including web application security testing and an auditing service to provide ongoing detection of new security vulnerabilities and configuration errors caused by system and network maintenance.

But security service providers aren't alone in viewing third-party audits as the weak link in data protection. On Thursday the U.S. Federal Trade Commission mandated third-party audits for BJ's Warehouse Club as part of a settlement resulting from a security incident that exposed customer data. The FTC previously took similar action against Tower Records, Microsoft, Guess and Eli Lilly for leaks of customer information.

Weak security could even invite criminal prosecution, as the FTC found that BJ's lax security was an unfair practice that violated federal law. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information," said Deborah Platt Majoras, Chairman of the FTC. Banking regulators are focused on this issue as well.

Then there's the potential financial cost. Reissuing credit cards costs the issuer about $10 per card, according to industry sources, suggesting a cost of $400 million to replace the accounts affected by the CardSystems incident. Credit card issuers generally don't replace a card number until evidence of fraudulent transactions is found.

Consumer uneasiness about the security of their data is heightened by suspicions that breaches have been occurring for years without their knowledge. Disclosures of security incidents were rare before the 2003 passage of a California law requiring that customers be notified when their information has been inappropriately disclosed.

The CardSystems breach illustrates the inconsistencies in disclosure policies by credit card providers. While MasterCard made an announcement that 13.9 million of its accounts may have been compromised, as of midday Saturday similar announcements were missing from online newsrooms for Visa, Discover or American Express. News reports say accounts at all four providers were affected.

June 18, 2005 at 05:17 PM in Security

Up to 40m credit cards 'hacked'

BBC NEWS | World | Americas | Up to 40m credit cards 'hacked'

A computer hacker may have broken into more than 40 million credit card accounts, US company officials say.

MasterCard International said the breach was traced to a company in Atlanta which processes transactions for banks and merchants.

All brands of credit cards could be affected, it warned.

The company, CardSystems Solutions, said it identified the breach last month and immediately contacted the FBI, which was investigating.

MasterCard announced the breach in a news release on Friday, saying security "vulnerabilities" had allowed an unauthorised individual to infiltrate the network of CardSystems and access the cardholder data.

It said 14 million of its customers may have been exposed to fraud. Another 22 million were Visa cards, said a spokeswoman for the Visa company.

MasterCard spokeswoman Sharon Gamsin told the Associated Press news agency the data - names, banks and account numbers - could be used to steal funds, but not identities. The company was notifying banks that issue MasterCards.

In its own press release, CardSystems Solutions said it had identified a "potential security incident" on 22 May and contacted the FBI a day later.

The company said it was installing extra security procedures.

June 18, 2005 at 05:14 PM in Security

June 10, 2005

Hacker 'was trying for proof of aliens'

Telegraph | Expat | Hacker 'was trying for proof of aliens'

By Duncan Gardham
(Filed: 09/06/2005)

A Briton said to be the "biggest military hacker of all time" was accused yesterday of breaking into 97 US government computers.

Janet Boston, representing the US government, told an extradition hearing at Bow Street magistrates' court in London that Gary McKinnon, 39, an unemployed computer engineer, had caused around $700,000 (£383,000) damage.

She said: "On one instance, the US Army's military district of Washington network became inoperable."

McKinnon had broken into systems partly in an attempt to prove aliens exist, his solicitor Karen Todner said after the hearing. "He believes the US government knew about UFOs and had been concealing it," she added.

"He also wanted to expose weaknesses in the American security systems because he is a pacifist."

Mrs Todner added: "He doesn't deny that he did infiltrate their computer system. In relation to the specific charges, we need to work out whether there are offences in relation to his action."

McKinnon, of Wood Green, north London, now faces a US jail term of up to 70 years on 20 charges.

The court heard he had recently started a temporary computer job and would be contesting the extradition request.

He was granted bail to reappear on July 27.

June 10, 2005 at 07:35 AM in Security

June 08, 2005

Briton is held over hacking at Pentagon

Britain, UK news from The Times and The Sunday Times - Times Online

By Nicola Woolcock

A BRITISH man wanted in the United States as allegedly the biggest military computer hacker has been arrested, Scotland Yard said last night.

Gary McKinnon, 39, an unemployed systems administrator from Wood Green, North London, will appear at Bow Street Magistrates Court in London today to face extradition proceedings.

He is accused of gaining illegal access and making unauthorised modifications to 53 computers belonging to Nasa, the US Army, Navy, Air Force, the Department of Defence and the Pentagon between 2001 and 2002.

The US Government estimated that the cost of tracking and correcting the alleged problems was about $1 million (£570,000).

A spokeswoman for Scotland Yard said that Mr McKinnon was arrested by officers from the Metropolitan Police Service Extradition Unit.

If extradited and found guilty, Mr McKinnon faces a maximum penalty of five years in prison and a £157,000 fine.

June 8, 2005 at 05:15 PM in Security

May 06, 2005

Consumer security fears weakening resistance to biometrics

Finextra: Consumer security fears weakening resistance to biometrics

One in three UK citizens would like banks to introduce biometric security to help combat card fraud, according to research commissioned by Fujitsu Services.

The IT management services company claims that growing fears over the security of online banking services is breaking down traditional consumer resistance to the use of biometrics.

The Bank of Tokyo-Mitsubishi in Japan is preparing to deploy a biometric security system based on vein-pattern recognition technology from Fujitsu. From October, the bank will start issuing Visa credit cards with embedded integrated circuits that contain customer vein pattern information. The cards function as cash cards, credit cards and as electronic money and are read whenever cardholders use ATMs or make transactions at bank counters.

Ann Hosford, business development manager for financial services at Fujitsu Services, says banks need to draw on the experience of other financial institutions around the world if card fraud is to be reduced.

"Biometric security can be used to build customer confidence and to reduce PIN theft," she comments.

Fujitsu's survey of 1000 UK adults additionally found that 29% of people are fearful of using online banking services due to security worries.

May 6, 2005 at 07:46 AM in Security

April 19, 2005

UK banks to establish two-factor security standard

Finextra: UK banks to establish two-factor security standard

The UK's banks are expected to agree a common industry standard for two-factor authentication of online transactions next month in a bid to cut card-not-present fraud and losses from phishing scams.

Card-not-present fraud in the UK rose 24% last year to £150.8m, making it the biggest category of fraud, while direct fraud losses from online phishing scams reached £12m in 2004, according to stats from UK payment association Apacs.

Jemma Smith, communications manager at Apacs, told Finextra that a technical specification for two-factor devices should be agreed in May. Banks are then expected to begin distributing authentication devices to online customers in the next nine to 12 months.

Smith says the standard, based on a technical specification developed by Visa and MasterCard, will be adapted for domestic use, in the same way that the Chip and PIN standard was adapted.

In March Barclaycard said it was in talks with UK retailers about plans to roll out a pocket-sized card authentication device for customers to use when shopping online. Customers are prompted to insert their card into the reader and enter their four-digit PIN code when shopping online. The reader then generates a unique password for entry on a Web form.

A recent report released by analyst house Forrester Research found that just 30% of Web users are confident of the security of financial data when used to make transactions online. Forrester urged banks to adopt two-factor authentication in order to increase customer confidence in online channels.

Earlier this month HSBC COO Alan Jebson admitted that phishing scams are damaging customer confidence in online services and said the bank was considering introducing three-factor authentication which would include biometric verification.

April 19, 2005 at 06:45 AM in Security

March 20, 2005

Physical security becoming an IT problem

Physical security becoming an IT problem - Yahoo! UK & Ireland News

By Andrew Donoghue, ZDNet UK

Security experts from the Royal Mail, Procter & Gamble and Barclaycard agree that the systems used to secure company facilities and IT systems are merging

The proliferation of technologies such as identity management mean more IT managers are having to take responsibility for physical security, according to a panel of leading IT security managers.

Speaking at the Business Continuity Expo in London's Docklands, IT security experts from the Royal Mail Group, Procter & Gamble and Barclaycard acknowledged that their companies are increasingly merging systems used to authenticate employees' entry to physical facilities with those used to control access to computing resources.

"I have worked in a lot of different areas of our company and I have found that physical and IT security are coming together, especially around the area of identity management," said David Lacey, director of information security, Royal Mail Group.

David McCaskill, section manager for global security solutions at Procter & Gamble, explained that the pharmaceutical giant had also integrated its physical and IT authentication systems. "We are also seeing these authentication systems come together. Before, if you forgot your passcard to access the building that wasn't a major problem, but now it is."

Companies have generally treated physical security as the responsibility of the facilities department and computer security as that of IT. But employee information has increasingly become integrated, allowing businesses to link the two systems, Steve Hunt, an analyst with Forrester Research, said in a recent report.

"Locks, cameras, entry systems, and even guard desks will be upgraded to work with the same computing systems that control computer and network sign-on, identity management and security incident management," Hunt wrote. "Consequently, IT security vendors will rush to merge or find partnerships with their physical security brethren to respond to the new opportunities."

The link between physical security systems and network security is another ripple emanating from the terrorist attacks of September 11, 2001. Twice as much will be spent on such integration this year compared with 2004, reaching $1.1bn in Europe and the United States, according to Forrester.

Jamie Watters, business continuity manager at Barclaycard, agreed that IT and physical security were coming together, but said it was more important to unite the disparate groups in charge of IT security to create a single body with responsibility for protecting an organisation's infrastructure. "For me the most pressing issue is not the coming together of IT and physical security but more importantly the coming together of IT security groups. Companies I have worked for have two or three different IT security organisations."

Lacey agreed it was vital that companies had one single group with overarching responsibility otherwise decisions on IT security would be delayed by a "court of infinite appeals". He advocated creating one single business continuity group with cross-organisational responsibility for physical and IT security.

March 20, 2005 at 10:36 PM in Security

March 16, 2005

Web of deceit

finextra.com

The day when two-factor authentication is mandatory for online banking access is drawing near.

In the US, the Federal Deposit Insurance Corporation (FDIC) is currently formulating guidance that will encourage US banks to abandon single password-based ID systems in favour of two-factor authentication following a sharp rise in 'account hijacking' ID theft. And in Australia, the national banking association is drawing up an agreed set of standards that would require all banks to use two methods of identifying Internet customers.

The Australian Bankers Association (ABA) and the FDIC are merely the first industry bodies to acknowledge that the current password-based system of online authentication is comprehensively broken.

Even discounting the threat from organized crime rings, password overload long ago rendered the current system unworkable. How many of us have dormant online accounts because we can no longer remember the codes we were given at the first time of sign-up?

All banks need to face up to the problem and begin exploring costings and techniques for upgrading security to encompass two-factor authentication. Interim measures based around the use of virtual keyboards to protect from keyloggers, or ever-more convoluted online Q&A sessions, will prove ineffective long-term as customers eventually tire of jumping through hoops to get online.

Private polling research by the ABA indicates that consumers are not yet ready to use biometric devices for authentication purposes because of privacy concerns.

Alternatives include SMS messaging, token-based random number generators, or personal smart card reader systems.

Although superficially appealing from a cost perspective, mobile messaging systems are likely to prove burdensome to administer as the phones themselves are prone to theft, loss and high customer churn.

Token-based systems, such as those available from RSA, Vasco and ActivCard, are proven in the field, but they are also bolt-on solutions with limited applicability beyond online banking.

In Finextra's opinion, pocket-sized EMV-compliant smart card readers incorporating a challenge/response capability offer the most promising long-term answer to online authentication problems. Not only do the readers leverage the considerable investment by the banking industry in chip card migration, but they can also be extended in scope to cover other forms of card-not-present fraud.

Recent statistics from Apacs show that the UK banking industry lost £12 million to online banking fraud in 2004. This sum was dwarfed by the £504.8 million losses attributable to card fraud. Of this, card-not-present fraud (CNP) was up 24% to £150.8m in 2004 and continues to be the biggest category of fraud.

With consumer trust in bank security crumbling, the industry would be advised to co-operate on the development of standards for online banking access. To encourage fast adoption, Finextra believes that banks should swallow the cost of token/reader development and deployment to customers.

The payback will be material, in encouraging more transactions and enquiries through low-cost automated channels, and in reinvigorating the trusted relationship between consumer and financial services provider.

March 16, 2005 at 07:51 AM in Security

February 16, 2005

Electronic Crime Scene Investigation: A Guide for First Responders

http://www.ncjrs.org/txtfiles1/nij/187736.txt

Title: Electronic Crime Scene Investigation: A Guide for First Responders
Series: NIJ Guide
Author: National Institute of Justice
Published: July 2001
Subject: Criminal investigation
98 pages
132 bytes

Figures, charts, forms, and tables are not included in this ASCII plain-text file.
To view this document in its entirety, download the Adobe Acrobat graphic file
available from this Web site or order a print copy from NCJRS at 800-851-3420
(877-712-9279 for TTY users).

---------------------------

U.S. Department of Justice
Office of Justice Programs
National Institute of Justice

Electronic Crime Scene Investigation:
A Guide for First Responders

NIJ Guide

---------------------------

U.S. Department of Justice
Office of Justice Programs
810 Seventh Street N.W.
Washington, DC 20531

John Ashcroft
Attorney General

Office of Justice Programs
World Wide Web Site
http://www.ojp.usdoj.gov

National Institute of Justice
World Wide Web Site
http://www.ojp.usdoj.gov/nij

---------------------------
Electronic Crime Scene Investigation:
A Guide for First Responders

Written and Approved by the
Technical Working Group for
Electronic Crime Scene Investigation

July 2001

---------------------------

This document is not intended to create, does not create, and may not be relied
upon to create any rights, substantive or procedural, enforceable at law by any
party in any matter civil or criminal.

Opinions or points of view expressed in this document represent a consensus of
the authors and do not necessarily represent the official position or policies of
the U.S. Department of Justice. The products and manufacturers discussed in
this document are presented for informational purposes only and do not
constitute product approval or endorsement by the U.S. Department of Justice.

NCJ 187736

The National Institute of Justice is a component of the Office of Justice
Programs, which also includes the Bureau of Justice Assistance, the Bureau of
Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and
the Office for Victims of Crime.

---------------------------

Foreword

The Internet, computer networks, and automated data systems present an
enormous new opportunity for committing criminal activity. Computers and
other electronic devices are being used increasingly to commit, enable, or
support crimes perpetrated against persons, organizations, or property.
Whether the crime involves attacks against computer systems, the information
they contain, or more traditional crimes such as murder, money laundering,
trafficking, or fraud, electronic evidence increasingly is involved. It is no
surprise that law enforcement and criminal justice officials are being
overwhelmed by the volume of investigations and prosecutions that involve
electronic evidence.

To assist State and local law enforcement agencies and prosecutorial offices
with the growing volume of electronic crime, a series of reference guides
regarding practices, procedures, and decisionmaking processes for investigating
electronic crime is being prepared by technical working groups of practitioners
and subject matter experts who are knowledgeable about electronic crime. The
practitioners and experts are from Federal, State, and local law enforcement
agencies; criminal justice agencies; offices of prosecutors and district attorneys
general; and academic, commercial, and professional organizations.

The series of guides will address the investigation process from the crime scene
first responder, to the laboratory, to the courtroom. Specifically, the series of
guides will address:

o Crime scene investigations by first responders.
o Examination of digital evidence.
o Investigative uses of technology.
o Investigating electronic technology crimes.
o Creating a digital evidence forensic unit.
o Courtroom presentation of digital evidence.

Due to the rapidly changing nature of electronic and computer technologies and
of electronic crime, efforts will be periodically undertaken to update the
information contained within each of the guides. The guides, and any
subsequent updates that are made to them, will be made available on the
National Institute of Justice's World Wide Web site
(http://www.ojp.usdoj.gov/nij).

---------------------------

Technical Working Group for Electronic Crime Scene Investigation

The Technical Working Group for Electronic Crime Scene Investigation
(TWGECSI) was a multidisciplinary group of practitioners and subject matter
experts from across the United States and other nations. Each of the individual
participants is experienced in the intricacies involved with electronic evidence in
relation to recognition, documentation, collection, and packaging. To initiate the
working group, a planning panel composed of a limited number of participants
was selected to define the scope and breadth of the work. A series of guides
was proposed in which each guide will focus on a different aspect of the
discipline.

The panel chose crime scene investigation as the first topic for incorporation
into a guide.

Planning Panel

Susan Ballou
Program Manager for Forensic Sciences
Office of Law Enforcement Standards
National Institute of Standards and Technology
Gaithersburg, Maryland

Jaime Carazo
Special Agent
United States Secret Service
Electronic Crimes Branch
Washington, D.C.

Bill Crane
Assistant Director
Computer Crime Section
National White Collar Crime Center
Fairmont, West Virginia

Fred Demma
National Law Enforcement and Corrections Technology Center-Northeast
Rome, New York

Grant Gottfried
Special Projects
National Center for Forensic Science
Orlando, Florida

Sam Guttman
Assistant Inspector in Charge
Forensic and Technical Services
U.S. Postal Inspection Service
Dulles, Virginia

Jeffrey Herig
Special Agent
Florida Department of Law Enforcement
Florida Computer Crime Center
Tallahassee, Florida

Tim Hutchison
Sheriff
Knox County Sheriff's Office
Knoxville, Tennessee

David Icove
Manager, Special Projects
U.S. TVA Police
Knoxville, Tennessee

Bob Jarzen
Sacramento County
Laboratory of Forensic Science
Sacramento, California

Tom Johnson
Dean
School of Public Safety and Professional Studies
University of New Haven
West Haven, Connecticut

Karen Matthews
DOE Computer Forensic Laboratory
Bolling AFB
Washington, D.C.

Mark Pollitt
Unit Chief
FBI-CART
Washington, D.C.

David Poole
Director
DoD Computer Forensics Laboratory
Linthicum, Maryland

Mary Riley
Price Waterhouse Coopers, LLP
Washington, D.C.

Kurt Schmid
Director
National HIDTA Program
Washington, D.C.

Howard A. Schmidt
Corporate Security Officer
Microsoft Corp.
Redmond, Washington

Raemarie Schmidt
Computer Crime Specialist
National White Collar Crime Center Computer Crime Section
Fairmont, West Virginia

Carl Selavka
Massachusetts State Police Crime Laboratory
Sudbury, Massachusetts

Steve Sepulveda
United States Secret Service
Washington, D.C.

Todd Shipley
Detective Sergeant
Reno Police Department
Financial/Computer Crimes Unit
Reno, Nevada

Chris Stippich
Computer Crime Specialist
Computer Crime Section
National White Collar Crime Center
Fairmont, West Virginia

Carrie Morgan Whitcomb
Director
National Center for Forensic Science
Orlando, Florida

Wayne Williams
Sr. Litigation Counsel
Computer Crime and Intellectual Property Section
Criminal Division
U.S. Department of Justice
Washington, D.C.

TWGECSI Members

Additional members were then incorporated into TWGECSI to provide a full
technical working group. The individuals listed below, along with those
participants on the planning panel, worked together to produce this guide for
electronic crime scene first responders.

Abigail Abraham
Assistant State's Attorney
Cook County State's Attorney's Office
Chicago, Illinois

Keith Ackerman
Head of CID
Police HQ
Hampshire Constabulary
Winchester, Hants
United Kingdom

Michael Anderson
President
New Technologies, Inc
Gresham, Oregon

Bill Baugh
CEO
Savannah Technology Group
Savannah, Georgia

Randy Bishop
Special Agent in Charge
U.S. Department of Energy
Office of Inspector General
Technology Crime Section
Washington, D.C.

Steve Branigan
Vice President of Product Development
Lucent Technologies
Murray Hill, New Jersey

Paul Brown
CyberEvidence, Inc.
The Woodlands, Texas

Carleton Bryant
Staff Attorney
Knox County Sheriff's Office
Knoxville, Tennessee

Christopher Bubb
Deputy Attorney General
New Jersey Division of Criminal Justice
Trenton, New Jersey

Don Buchwald
Project Engineer
National Law Enforcement and Corrections Technology Center-West
The Aerospace Corporation
Los Angeles, California

Cheri Carr
Computer Forensic Lab Chief
NASA Office of the Inspector General Network and Advanced Technology
Protections Office
Washington, D.C.

Nick Cartwright
Manager
Canadian Police Research Centre
Ottawa, Ontario
Canada

Ken Citarella
Chief
High Tech Crimes Bureau
Westchester County District Attorney
White Plains, New York

Chuck Coe
Director of Technical Services
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
Washington, D.C.

Fred Cohen
Sandia National Laboratories
Cyber Defender Program
Livermore, California

Fred Cotton
Director of Training Services
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California

Tony Crisp
Lieutenant
Maryville Police Department
Maryville, Tennessee

Mark Dale
New York State Police
Forensic Investigation Center
Albany, New York

Claude Davenport
Senior SA
United States Customs Service
Sterling, Virginia

David Davies
Photographic Examiner
Federal Bureau of Investigation
Washington, D.C.

Michael Donhauser
Maryland State Police
Columbia, Maryland

James Doyle
Sergeant
Detective Bureau
New York City Police Department
New York, New York

Michael Duncan
Sergeant
Royal Canadian Mounted Police
Economic Crime Branch
Technological Crime Section
Ottawa, Ontario
Canada

Jim Dunne
Group Supervisor
Drug Enforcement Agency
St. Louis, Missouri

Chris Duque
Detective
Honolulu Police Department
White Collar Crime Unit
Honolulu, Hawaii

Doug Elrick
Iowa DCI Crime Lab
Des Moines, Iowa

Paul French
Computer Forensics Lab Manager
New Technologies Armor, Inc.
Gresham, Oregon

Gerald Friesen
Electronic Search Coordinator
Industry Canada
Hull, Quebec
Canada

Pat Gilmore, CISSP
Director
Information Security
Atomic Tangerine
San Francisco, California

Gary Gordon
Professor
Economic Crime Programs
Utica College
WetStone Technologies
Utica, New York

Dan Henry
Chief Deputy
Marion County Sheriff's Department
Ocala, Florida

Jeff Hormann
Special Agent In Charge
Computer Crime Resident Agency
U.S. Army CID
Ft. Belvoir, Virginia

Mary Horvath
Program Manager
FBI-CART
Washington, D.C.

Mel Joiner
Officer
Arizona Department of Public Safety
Phoenix, Arizona

Nigel Jones
Detective Sergeant
Computer Crime Unit
Police Headquarters
Kent County Constabulary
Maidstone, Kent
United Kingdom

Jamie Kerr
SGT/Project Manager
RCMP Headquarters
Training Directorate
Ottawa, Ontario
Canada

Alan Kestner
Assistant Attorney General
Wisconsin Department of Justice
Madison, Wisconsin

Phil Kiracofe
Sergeant
Tallahassee Police Department
Tallahassee, Florida

Roland Lascola
Program Manager
FBI-CART
Washington, D.C.

Barry Leese
Detective Sergeant
Maryland State Police
Computer Crimes Unit
Columbia, Maryland

Glenn Lewis
Computer Specialist
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California

Chris Malinowski
Forensic Computer Investigation
University of New Haven
West Haven, Connecticut

Kevin Manson
Director
Cybercop.org
St. Simons Island, Georgia

Brenda Maples
Lieutenant
Memphis Police Department
Memphis, Tennessee

Tim McAuliffe
New York State Police
Forensic Investigation Center
Albany, New York

Michael McCartney
Investigator
New York State Attorney General's Office
Criminal Prosecution Bureau Organized Crime Task Force
Buffalo, New York

Alan McDonald
SSA
Washington, D.C.

Mark Menz
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California

Dave Merkel
AOL Investigations
Reston, Virginia

Bill Moylan
Detective
Nassau County PD
Computer Crime Section
Crimes Against Property Squad
Westbury, New York

Steve Nesbitt
Director of Operations
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
Washington, D.C.

Glen Nick
Program Manager
U.S. Customs Service
Cyber Smuggling Center
Fairfax, Virginia

Robert O'Leary
Detective
New Jersey State Police
High Technology Crimes & Investigations Support Unit
West Trenton, New Jersey

Matt Parsons
Special Agent/Division Chief
Naval Criminal Investigative Service
Washington, D.C.

Mike Phelan
Chief
Computer Forensics Unit
DEA Special Testing and Research Lab
Lorton, Virginia

Henry R. Reeve
General Counsel/Deputy D.A.
Denver District Attorney's Office
Denver, Colorado

Jim Riccardi, Jr.
Electronic Crime Specialist
National Law Enforcement and Corrections Technology Center-Northeast
Rome, New York

David Roberts
Deputy Executive Director
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California

Leslie Russell
Forensic Science Service
Lambeth
London, England
United Kingdom

Greg Schmidt
Sr. Investigator
EDS-Investigations/Technical
Plano, Texas

George Sidor
Law Enforcement Security Consultant
Jaws Technologies Inc.
St. Albert, Alberta
Canada

William Spernow
CISSP
Research Director
Information Security Strategies Group
Gartner, Inc.
Suwanee, Georgia

Ronald Stevens
Senior Investigator
New York State Police
Forensic Investigation Center
Albany, New York

Gail Thackeray
Special Counsel-Technology Crimes
Arizona Attorney General's Office
Phoenix, Arizona

Dwight Van de Vate
Chief Deputy
Knox County Sheriff's Office
Knoxville, Tennessee

Jay Verhorevoort
Lieutenant
Davenport Police Department
Davenport, Iowa

Richard Vorder Bruegge
Photographic Examiner
Federal Bureau of Investigation
Washington, D.C.

Robert B. Wallace
U.S. Department of Energy
Germantown, Maryland

Craig Wilson
Detective Sergeant
Computer Crime Unit
Police Headquarters
Kent County Constabulary
Maidstone, Kent
United Kingdom

Brian Zwit
Chief Counsel (former)
Environment, Science, and Technology
National Association of Attorneys General
Washington, D.C.

Chronology

In May 1998, the National Cybercrime Training Partnership (NCTP), the
Office of Law Enforcement Standards (OLES), and the National Institute of
Justice (NIJ) collaborated on possible resources that could be implemented to
counter electronic crime. Continuing meetings generated a desire to formulate
one set of protocols that would address the process of electronic evidence from
the crime scene through court presentations. NIJ selected the technical working
group process as the way to achieve this goal but with the intent to create a
publication flexible enough to allow implementation with any State and local law
enforcement policy. Using its "template for technical working groups," NIJ
established the Technical Working Group for Electronic Crime Scene
Investigation (TWGECSI) to identify, define, and establish basic criteria to
assist agencies with electronic investigations and prosecutions.

In January 1999, planning panel members met at the National Institute of
Standards and Technology (NIST) in Gaithersburg, Maryland, to review the
fast-paced arena of electronic crime and prepare the scope, intent, and
objectives of the project. During this meeting, the scope was determined to be
too vast for incorporation into one guide. Thus evolved a plan for several
guides, each targeting separate issues. Crime scene investigation was selected
as the topic for the first guide.

The initial meeting of the full TWGECSI took place March 1999 at NIST.
After outlining tasks in a general meeting, the group separated into subgroups to
draft the context of the chapters as identified by the planning panel. These
chapters were Electronic Devices: Types and Potential Evidence; Investigative
Tools and Equipment; Securing and Evaluating the Scene; Documenting the
Scene; Evidence Collection; Packaging, Transportation, and Storage; and
Forensic Examination by Crime Category. The volume of work involved in
preparing the text of these chapters required additional TWGECSI meetings.

The planning panel did not convene again until May 2000. Due to the amount of
time that had transpired between meetings, the planning panel reviewed the
draft content and compared it with changes that had occurred in the electronic
crime environment. These revisions to the draft were then sent to the full
TWGECSI in anticipation of the next meeting. The full TWGECSI met again at
NIST in August 2000, and through 2 days of intense discussion, edited most of
the draft to represent the current status of electronic crime investigation. With a
few more sections requiring attention, the planning panel met in Seattle,
Washington, during September 2000 to continue the editing process. These
final changes, the glossary, and appendixes were then critiqued and voted on by
the whole TWGECSI during the final meeting in November 2000 at NIST.

The final draft was then sent for content and editorial review to more than 80
organizations having expertise and knowledge in the electronic crime
environment. The returned comments were evaluated and incorporated into the
document when possible. The first chapter, Electronic Devices: Types and
Potential Evidence, incorporates photographic representations of highlighted
terms as a visual associative guide. At the end of the document are appendixes
containing a glossary, legal resources, technical resources, training resources,
and references, followed by a list of the organizations to which a draft copy of
the document was sent.

---------------------------

Acknowledgments

The National Institute of Justice (NIJ) wishes to thank the members of the
Technical Working Group for Electronic Crime Scene Investigation
(TWGECSI) for their tireless dedication. There was a constant turnover of
individuals involved, mainly as a result of job commitments and career changes.
This dynamic environment resulted in a total of 94 individuals supplying their
knowledge and expertise to the creation of the guide. All participants were
keenly aware of the constant changes occurring in the field of electronics and
strove to update information during each respective meeting. This demonstrated
the strong desire of the working group to produce a guide that could be flexible
and serve as a backbone for future efforts to upgrade the guide. In addition,
NIJ offers a sincere thank you to each agency and organization represented by
the working group members. The work loss to each agency during the absence
of key personnel is evidence of management's commitment and understanding
of the importance of standardization in forensic science.

NIJ also wishes to thank Kathleen Higgins, Director, and Susan Ballou,
Program Manager, of the Office of Law Enforcement Standards, for providing
management and guidance in bringing the project to completion.

NIJ would like to express appreciation for the input and support that Dr. David
G. Boyd, Director of NIJ's Office of Science and Technology (OS&T), and
Trent DePersia, Dr. Ray Downs, Dr. Richard Rau, Saralyn Borrowman, Amon
Young, and James McNeil, all of OS&T, gave the meetings and the document.
A special thanks is extended to Aspen Systems Corporation, specifically to
Michele Coppola, the assigned editor, for her patience and skill in dealing with
instantaneous transcription.

In addition, NIJ wishes to thank the law enforcement agencies, academic
institutions, and commercial organizations worldwide that supplied contact
information, reference materials, and editorial suggestions. Particular thanks
goes to Michael R. Anderson, President of New Technologies, Inc., for
contacting agencies knowledgeable in electronic evidence for inclusion in the
appendix on technical resources.

---------------------------

Contents
Foreword
Technical Working Group for Electronic Crime Scene Investigation
Acknowledgments
Overview
--The Law Enforcement Response to Electronic Evidence
--The Latent Nature of Electronic Evidence
--The Forensic Process
Introduction
--Who Is the Intended Audience for This Guide?
--What is Electronic Evidence?
--How Is Electronic Evidence Handled at the Crime Scene?
--Is Your Agency Prepared to Handle Electronic Evidence?
Chapter 1. Electronic Devices: Types and Potential Evidence
--Computer Systems
--Components
--Access Control Devices
--Answering Machines
--Digital Cameras
--Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)
--Hard Drives
--Memory Cards
--Modems
--Network Components
--Pagers
--Printers
--Removable Storage Devices and Media
--Scanners
--Telephones
--Miscellaneous Electronic Items
Chapter 2. Investigative Tools and Equipment
--Tool Kit
Chapter 3. Securing and Evaluating the Scene
Chapter 4. Documenting the Scene
Chapter 5. Evidence Collection
--Nonelectronic Evidence
--Stand-Alone and Laptop Computer Evidence
--Computers in a Complex Environment
--Other Electronic Devices and Peripheral Evidence
Chapter 6. Packaging, Transportation, and Storage
Chapter 7. Forensic Examination by Crime Category
--Auction Fraud (Online)
--Child Exploitation/Abuse
--Computer Intrusion
--Death Investigation
--Domestic Violence
--Economic Fraud (Including Online Fraud, Counterfeiting)
--E-Mail Threats/Harassment/Stalking
--Extortion
--Gambling
--Identity Theft
--Narcotics
--Prostitution
--Software Piracy
--Telecommunications Fraud
Appendix A. Glossary
Appendix B. Legal Resources List
Appendix C. Technical Resources List
Appendix D. Training Resources List
Appendix E. References
Appendix F. List of Organizations

---------------------------

Overview

Computers and other electronic devices are present in every aspect of modern
life. At one time, a single computer filled an entire room; today, a computer can
fit in the palm of your hand. The same technological advances that have helped
law enforcement are being exploited by criminals.

Computers can be used to commit crime, can contain evidence of crime, and
can even be targets of crime. Understanding the role and nature of electronic
evidence that might be found, how to process a crime scene containing potential
electronic evidence, and how an agency might respond to such situations are
crucial issues. This guide represents the collected experience of the law
enforcement community, academia, and the private sector in the recognition,
collection, and preservation of electronic evidence in a variety of crime scenes.

The Law Enforcement Response to Electronic Evidence

The law enforcement response to electronic evidence requires that officers,
investigators, forensic examiners, and managers all play a role. This document
serves as a guide for the first responder. A first responder may be responsible
for the recognition, collection, preservation, transportation, and/or storage of
electronic evidence. In today's world, this can include almost everyone in the
law enforcement profession. Officers may encounter electronic devices during
their day-to-day duties. Investigators may direct the collection of electronic
evidence, or may perform the collection themselves. Forensic examiners may
provide assistance at crime scenes and will perform examinations on the
evidence. Managers have the responsibility of ensuring that personnel under
their direction are adequately trained and equipped to properly handle
electronic evidence.

Each responder must understand the fragile nature of electronic evidence and
the principles and procedures associated with its collection and preservation.
Actions that have the potential to alter, damage, or destroy original evidence
may be closely scrutinized by the courts.

Procedures should be in effect that promote electronic crime scene
investigation. Managers should determine who will provide particular levels of
services and how these services will be funded. Personnel should be provided
with initial and ongoing technical training. Oftentimes, certain cases will demand
a higher level of expertise, training, or equipment, and managers should have a
plan in place regarding how to respond to these cases. The demand for
responses to electronic evidence is expected to increase for the foreseeable
future. Such services require that dedicated resources be allocated for these
purposes.

The Latent Nature of Electronic Evidence

Electronic evidence is information and data of investigative value that is stored
on or transmitted by an electronic device. As such, electronic evidence is latent
evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid)
evidence are latent. In its natural state, we cannot "see" what is contained in the
physical object that holds our evidence. Equipment and software are required
to make the evidence visible. Testimony may be required to explain the
examination process and any process limitations.

Electronic evidence is, by its very nature, fragile. It can be altered, damaged, or
destroyed by improper handling or improper examination. For this reason,
special precautions should be taken to document, collect, preserve, and
examine this type of evidence. Failure to do so may render it unusable or lead
to an inaccurate conclusion. This guide suggests methods that will help preserve
the integrity of such evidence.

The Forensic Process

The nature of electronic evidence is such that it poses special challenges for its
admissibility in court. To meet these challenges, follow proper forensic
procedures. These procedures include, but are not limited to, four phases:
collection, examination, analysis, and reporting. Although this guide
concentrates on the collection phase, the nature of the other three phases and
what happens in each are also important to understand.

The collection phase involves the search for, recognition of, collection of, and
documentation of electronic evidence. The collection phase can involve
real-time and stored information that may be lost unless precautions are taken
at the scene.

The examination process helps to make the evidence visible and explain its
origin and significance. This process should accomplish several things. First, it
should document the content and state of the evidence in its totality. Such
documentation allows all parties to discover what is contained in the evidence.
Included in this process is the search for information that may be hidden or
obscured. Once all the information is visible, the process of data reduction can
begin, thereby separating the "wheat" from the "chaff." Given the tremendous
amount of information that can be stored on computer storage media, this part
of the examination is critical.

Analysis differs from examination in that it looks at the product of the
examination for its significance and probative value to the case. Examination is a
technical review that is the province of the forensic practitioner, while analysis is
performed by the investigative team. In some agencies, the same person or
group will perform both these roles.

A written report that outlines the examination process and the pertinent data
recovered completes an examination. Examination notes must be preserved for
discovery or testimony purposes. An examiner may need to testify about not
only the conduct of the examination but also the validity of the procedure and
his or her qualifications to conduct the examination.

---------------------------

Introduction

This guide is intended for use by law enforcement and other responders who
have the responsibility for protecting an electronic crime scene and for the
recognition, collection, and preservation of electronic evidence. It is not
all-inclusive. Rather, it deals with the most common situations encountered with
electronic evidence. Technology is advancing at such a rapid rate that the
suggestions in this guide must be examined through the prism of current
technology and the practices adjusted as appropriate. It is recognized that all
crime scenes are unique and the judgment of the first responder/investigator
should be given deference in the implementation of this guide. Furthermore,
those responsible officers or support personnel with special training should also
adjust their practices as the circumstances (including their level of experience,
conditions, and available equipment) warrant. This publication is not intended to
address forensic analysis. Circumstances of individual cases and Federal, State,
and local laws/rules may require actions other than those described in this
guide.

When dealing with electronic evidence, general forensic and procedural
principles should be applied:

o Actions taken to secure and collect electronic evidence should not change
that evidence.

o Persons conducting examination of electronic evidence should be trained for
the purpose.

o Activity relating to the seizure, examination, storage, or transfer of
electronic evidence should be fully documented, preserved, and available for
review.

Who Is the Intended Audience for This Guide?

o Anyone encountering a crime scene that might contain electronic evidence.
o Anyone processing a crime scene that involves electronic evidence.
o Anyone supervising someone who processes such a crime scene.
o Anyone managing an organization that processes such a crime scene.

Without having the necessary skills and training, no responder should attempt to
explore the contents or recover data from a computer (e.g., do not touch the
keyboard or click the mouse) or other electronic device other than to record
what is visible on its display.

What Is Electronic Evidence?

Electronic evidence is information and data of investigative value that is stored
on or transmitted by an electronic device. Such evidence is acquired when data
or physical items are collected and stored for examination purposes.

Electronic evidence:

o Is often latent in the same sense as fingerprints or DNA evidence.
o Can transcend borders with ease and speed.
o Is fragile and can be easily altered, damaged, or destroyed.
o Is sometimes time-sensitive.

How Is Electronic Evidence Handled at the Crime Scene?

Precautions must be taken in the collection, preservation, and examination of
electronic evidence.

Handling electronic evidence at the crime scene normally consists of the
following steps:

o Recognition and identification of the evidence.
o Documentation of the crime scene.
o Collection and preservation of the evidence.
o Packaging and transportation of the evidence.

The information in this document assumes that:

o The necessary legal authority to search for and seize the suspected evidence
has been obtained.

o The crime scene has been secured and documented (photographically and/or
by sketch or notes).

o Crime scene protective equipment (gloves, etc.) is being used as necessary.

Note: First responders should use caution when seizing electronic devices. The
improper access of data stored in electronic devices may violate provisions of
certain Federal laws, including the Electronic Communications Privacy Act.
Additional legal process may be necessary. Please consult your local
prosecutor before accessing stored data on a device. Because of the fragile
nature of electronic evidence, examination should be done by appropriate
personnel.

Is Your Agency Prepared to Handle Electronic Evidence?

This document recommends that every agency identify local computer experts
before they are needed. These experts should be "on call" for situations that are
beyond the technical expertise of the first responder or department. (Similar
services are in place for toxic waste emergencies.) It is also recommended that
investigative plans be developed in compliance with departmental policy and
Federal, State, and local laws. In particular, under the Privacy Protection Act,
with certain exceptions, it is unlawful for an agent to search for or seize certain
materials possessed by a person reasonably believed to have a purpose of
disseminating information to the public. For example, seizure of First
Amendment materials such as drafts of newsletters or Web pages may
implicate the Privacy Protection Act.

This document may help in:

o Assessing resources.
o Developing procedures.
o Assigning roles and tasks.
o Considering officer safety.
o Identifying and documenting equipment and supplies to bring to the scene.

---------------------------

Chapter 1. Electronic Devices: Types and Potential Evidence

Electronic evidence can be found in many of the new types of electronic
devices available to today's consumers. This chapter displays a wide variety of
the types of electronic devices commonly encountered in crime scenes,
provides a general description of each type of device, and describes its
common uses. In addition, it presents the potential evidence that may be found
in each type of equipment.

Many electronic devices contain memory that requires continuous power to
maintain the information, such as a battery or AC power. Data can be easily
lost by unplugging the power source or allowing the battery to discharge. (Note:
After determining the mode of collection, collect and store the power supply
adaptor or cable, if present, with the recovered device.)

Computer Systems

Description: A computer system typically consists of a main base unit
(commonly, if imprecisely, called the "CPU"; the actual central processing unit
is the microprocessor inside it), data storage devices, a monitor, keyboard,
and mouse. It may be standalone or it may be connected to a network. There are
many types of computer systems, such as laptops, desktops, tower systems,
modular rack-mounted systems, minicomputers, and mainframe computers.
Additional components include modems, printers, scanners, docking stations,
and external data storage devices. For example, a desktop is a computer
system consisting of a case, motherboard, CPU, and data storage, with an
external keyboard and mouse.

Primary Uses: For all types of computing functions and information storage,
including word processing, calculations, communications, and graphics.

Potential Evidence: Evidence is most commonly found in files that are stored on
hard drives and storage devices and media. Examples are:

User-Created Files

User-created files may contain important evidence of criminal activity such as
address books and database files that may prove criminal association, still or
moving pictures that may be evidence of pedophile activity, and
communications between criminals such as by e-mail or letters. Also, drug deal
lists may often be found in spreadsheets.

o Address books.
o Audio/video files.
o Calendars.
o Database files.
o Documents or text files.
o E-mail files.
o Image/graphics files.
o Internet bookmarks/favorites.
o Spreadsheet files.

User-Protected Files

Users have the opportunity to hide evidence in a variety of forms. For example,
they may encrypt or password-protect data that are important to them. They
may also hide files on a hard disk or within other files or deliberately hide
incriminating evidence files under an innocuous name.

o Compressed files.
o Encrypted files.
o Hidden files.
o Misnamed files.
o Password-protected files.
o Steganography.

Evidence can also be found in files and other data areas created as a routine
function of the computer's operating system. In many cases, the user is not
aware that data are being written to these areas. Passwords, Internet activity,
and temporary backup files are examples of data that can often be recovered
and examined.

Note: There are components of files that may have evidentiary value including
the date and time of creation, modification, deletion, access, user name or
identification, and file attributes. Even turning the system on can modify some of
this information.
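The following script is an added example; it is not part of this guide or of any agency's tooling. It records a manifest (size, modification/access/change times, SHA-256) of a directory tree and diffs two manifests, so that the effect described in the note above becomes visible: a single simulated power-on rewrites a configuration file, reads a user file, removes a temporary file and creates a log, and the diff reports exactly which attributes of which files changed. The directory, the file names and the "boot" activity are all constructed for the example.

```python
"""Added example, not part of the NIJ guide: build a metadata manifest
(size, timestamps, SHA-256) of a directory tree and diff two manifests.
The directory, its files and the "boot" activity below are constructed
here, so the script runs offline and touches no real evidence."""
import hashlib
import os
import tempfile
import time


def sha256_of(path):
    """Stream the file through SHA-256 so large files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each file (relative to root) to the attributes that carry
    evidentiary value: size, modification/access/change times and a hash.
    st_ctime is inode change time on POSIX but creation time on Windows."""
    entries = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            entries[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mtime": st.st_mtime,
                "atime": st.st_atime,
                "ctime": st.st_ctime,
                "sha256": sha256_of(full),
            }
    return entries


def diff_manifests(before, after):
    """Return (added, removed, changed); changed maps path -> changed fields."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for path in sorted(set(before) & set(after)):
        fields = [k for k in before[path] if before[path][k] != after[path][k]]
        if fields:
            changed[path] = sorted(fields)
    return added, removed, changed


def demo():
    """Simulate what a single power-on does to a seized file system."""
    with tempfile.TemporaryDirectory() as root:
        day_ago = time.time() - 86400
        files = {                                       # constructed sample files
            "config.ini": b"last_boot=2001-01-01\n",    # rewritten by the OS on boot
            "ledger.txt": b"alice,500\nbob,250\n",       # user file, merely read
            "~lock.tmp": b"",                            # stale temp file
        }
        for name, body in files.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (day_ago, day_ago))  # pretend nothing touched them since yesterday

        before = manifest(root)   # what the examiner records before any action

        # The "boot": the OS rewrites its config, reads a user file (which may
        # bump its access time, depending on mount options), drops a temp file
        # and writes a log.  None of this was done by the user.
        with open(os.path.join(root, "config.ini"), "wb") as fh:
            fh.write(b"last_boot=2001-07-04 12:00\n")
        with open(os.path.join(root, "ledger.txt"), "rb") as fh:
            fh.read()
        os.remove(os.path.join(root, "~lock.tmp"))
        with open(os.path.join(root, "boot.log"), "wb") as fh:
            fh.write(b"system started\n")

        after = manifest(root)
        return diff_manifests(before, after)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    for path, fields in changed.items():
        print("changed:", path, fields)
```

Whether ledger.txt shows an access-time change depends on the mount options of the volume (noatime/relatime on Linux, the NTFS last-access setting on Windows), which is exactly why the guide tells responders to record rather than explore: the examiner cannot know in advance which attributes a live system will silently update.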

Computer-Created Files

o Backup files.
o Configuration files.
o Cookies.
o Hidden files.
o History files.
o Log files.
o Printer spool files.
o Swap files.
o System files.
o Temporary files.

Other Data Areas

o Bad clusters.
o Computer date, time, and password.
o Deleted files.
o Free space.
o Hidden partitions.
o Lost clusters.
o Metadata.
o Other partitions.
o Reserved areas.
o Slack space.
o Software registration information.
o System areas.
o Unallocated space.
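To make the slack space, unallocated space and deleted-file entries in the list above concrete, here is an added example that is not from this guide: a constructed in-memory volume with fixed-size clusters, in which a file is written, deleted and then partly overwritten by a shorter file, after which a simple signature carver recovers the deleted record from the new file's slack and from unallocated clusters. The cluster size, file names and contents are all made up for the demonstration; the allocator mimics the FAT/NTFS behaviour of freeing clusters without wiping them.

```python
"""Added example, not part of the NIJ guide: a constructed in-memory
volume with fixed-size clusters, used to show where deleted-file data
survives (file slack and unallocated clusters) and how signature carving
recovers it.  Cluster size, file names and contents are all made up."""
import math

CLUSTER = 512  # constructed; real volumes use 512 bytes to 64 KiB per cluster

# Constructed "deleted" document: 300 bytes of filler followed by a
# delimited record long enough to span three clusters.
LEDGER_RECORD = (b"<<LEDGER>>"
                 + b"".join(b"buyer%02d,%d\n" % (i, i * 25) for i in range(70))
                 + b"<<END>>")
FILLER = (b"memo: see attached file for the figures\n" * 8)[:300]
REPORT = FILLER + LEDGER_RECORD            # 1182 bytes -> clusters 0, 1, 2
NOTES = b"shopping: milk, eggs\n" * 5      # 105 bytes, written after the delete


class ToyVolume:
    """Minimal FAT/NTFS-like allocator: a directory maps names to cluster
    lists; deleting frees clusters without wiping them."""

    def __init__(self, n_clusters):
        self.raw = bytearray(n_clusters * CLUSTER)
        self.free = list(range(n_clusters))
        self.directory = {}          # name -> (cluster list, byte size)

    def write(self, name, content):
        need = max(1, math.ceil(len(content) / CLUSTER))
        if need > len(self.free):
            raise OSError("volume full")
        clusters = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's own bytes are written.  Whatever previously
            # occupied the rest of the last cluster (the slack) survives.
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = (clusters, len(content))

    def delete(self, name):
        clusters, _ = self.directory.pop(name)
        self.free = sorted(self.free + clusters)   # data is not overwritten

    def read(self, name):
        """What a normal file API returns: exactly `size` bytes, no slack."""
        clusters, size = self.directory[name]
        return self._clusters(clusters)[:size]

    def slack(self, name):
        """Bytes between end-of-file and the end of the file's last cluster."""
        clusters, size = self.directory[name]
        used = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1] * CLUSTER
        return bytes(self.raw[last + used:last + CLUSTER])

    def unallocated(self):
        return self._clusters(sorted(self.free))

    def _clusters(self, clusters):
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)


def carve(raw, header, footer):
    """Signature-based carving over raw bytes, ignoring the file system.
    Works here because the toy file was stored contiguously; real carvers
    must also cope with fragmentation."""
    found, pos = [], 0
    while True:
        start = raw.find(header, pos)
        if start < 0:
            break
        end = raw.find(footer, start + len(header))
        if end < 0:
            break
        found.append(bytes(raw[start:end + len(footer)]))
        pos = end + len(footer)
    return found


def demo():
    vol = ToyVolume(8)
    vol.write("report.txt", REPORT)      # occupies clusters 0, 1, 2
    vol.delete("report.txt")             # directory entry gone, clusters freed
    vol.write("notes.txt", NOTES)        # reuses cluster 0, overwrites 105 bytes
    return {
        "directory": sorted(vol.directory),
        "visible": vol.read("notes.txt"),
        "slack": vol.slack("notes.txt"),
        "unallocated": vol.unallocated(),
        "carved": carve(vol.raw, b"<<LEDGER>>", b"<<END>>"),
    }


if __name__ == "__main__":
    r = demo()
    print("directory:", r["directory"])
    print("slack of notes.txt holds %d bytes of the deleted report" % len(r["slack"]))
    print("carved records:", len(r["carved"]))
```

Copying notes.txt through the operating system yields 105 bytes and nothing else; only a bit-for-bit image of the volume (the `raw` buffer here) lets the examiner reach the 407 bytes of slack and the freed clusters where the rest of the deleted record still sits.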

Components

Central Processing Units (CPUs)

Description: Often called the "chip," it is a microprocessor located inside the
computer. The microprocessor is located in the main computer box on a
printed circuit board with other electronic components.

Primary Uses: Performs all arithmetic and logical functions in the computer.
Controls the operation of the computer.

Potential Evidence: The device itself may be evidence of component theft,
counterfeiting, or remarking.

Memory

Description: Removable circuit board(s) (random access memory, or RAM,
modules) inside the computer. Memory is volatile: the information stored here
is usually lost when the computer is powered down.

Primary Uses: Stores user's programs and data while computer is in operation.

Potential Evidence: The device itself may be evidence of component theft,
counterfeiting, or remarking.

Access Control Devices

Smart Cards, Dongles, Biometric Scanners

Description: A smart card is a small handheld device that contains a
microprocessor that is capable of storing a monetary value, encryption key or
authentication information (password), digital certificate, or other information. A
dongle is a small device that plugs into a computer port that contains types of
information similar to information on a smart card. A biometric scanner is a
device connected to a computer system that recognizes physical characteristics
of an individual (e.g., fingerprint, voice, retina).

Primary Uses: Provides access control to computers or programs or functions
as an encryption key.

Potential Evidence: Identification/authentication information of the card and the
user, level of access, configurations, permissions, and the device itself.

Answering Machines

Description: An electronic device that is part of a telephone or connected
between a telephone and the landline connection. Some models use a magnetic
tape or tapes, while others use an electronic (digital) recording system.

Primary Uses: Records voice messages from callers when the called party is
unavailable or chooses not to answer a telephone call. Usually plays a message
from the called party before recording the message.

Note: Since batteries have a limited life, data could be lost if they fail.
Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic
examiner) should be informed that a device powered by batteries is in need of
immediate attention.

Potential Evidence: Answering machines can store voice messages and, in some
cases, time and date information about when the message was left. They may
also contain other voice recordings.

o Caller identification information.
o Deleted messages.
o Last number called.
o Memo.
o Phone numbers and names.
o Tapes.

Digital Cameras

Description: Camera, digital recording device for images and video, with related
storage media and conversion hardware capable of transferring images and
video to computer media.

Primary Uses: Digital cameras capture images and/or video in a digital format
that is easily transferred to computer storage media for viewing and/or editing.

Potential Evidence:

o Images.
o Removable cartridges.
o Sound.
o Time and date stamp.
o Video.

Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)

Description: A personal digital assistant (PDA) is a small device that can include
computing, telephone/fax, paging, networking, and other features. It is typically
used as a personal organizer. A handheld computer approaches the full
functionality of a desktop computer system. Some do not contain disk drives,
but may contain PC card slots that can hold a modem, hard drive, or other
device. They usually include the ability to synchronize their data with other
computer systems, most commonly by a connection in a cradle. If a cradle is
present, attempt to locate the associated handheld device.

Primary Uses: Handheld computing, storage, and communication devices
capable of storage of information.

Note: Since batteries have a limited life, data could be lost if they fail.
Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic
examiner) should be informed that a device powered by batteries is in need of
immediate attention.

Potential Evidence:

o Address book.
o Appointment calendars/information.
o Documents.
o E-mail.
o Handwriting.
o Password.
o Phone book.
o Text messages.
o Voice messages.

Hard Drives

Description: A sealed box containing rigid platters (disks) coated with a
substance capable of storing data magnetically. Can be encountered in the case
of a PC as well as externally in a standalone case.

Primary Uses: Storage of information such as computer programs, text,
pictures, video, multimedia files, etc.

Potential Evidence: See potential evidence under computer systems.

Memory Cards

Description: Removable electronic storage devices that do not lose their
information when power is removed from the card. It may even be possible to
recover erased images from memory cards. Memory cards can store hundreds of
images in a credit card-size module. They are used in a variety of devices,
including computers, digital cameras, and PDAs. Examples are memory sticks
and other flash memory cards. (Smart cards, which carry a processor rather
than bulk storage, are covered under Access Control Devices above.)

Primary Uses: Provides additional, removable methods of storing and
transporting information.

Potential Evidence: See potential evidence under computer systems.

Modems

Description: Modems, internal and external (analog, DSL, ISDN, cable),
wireless modems, PC cards.

Primary Uses: A modem is used to facilitate electronic communication by
allowing the computer to access other computers and/or networks via a
telephone line, wireless, or other communications medium.

Network Components

Local Area Network (LAN) Card or Network Interface Card (NIC)

Note: These components are indicative of a computer network. See discussion
on network system evidence in chapter 5 before handling the computer system
or any connected devices.

Description: Network cards, associated cables. Network cards also can be
wireless.

Primary Uses: A LAN/NIC card is used to connect computers. Cards allow
for the exchange of information and resource sharing.

Potential Evidence: The device itself and its MAC (media access control)
address.

Routers, Hubs, and Switches

Description: These electronic devices are used in networked computer systems.
Routers, switches, and hubs provide a means of connecting different computers
or networks. They can frequently be recognized by the presence of multiple
cable connections.

Primary Uses: Equipment used to distribute and facilitate the distribution of data
through networks.

Potential Evidence: The devices themselves. Also, for routers, configuration
files.

Servers

Description: A server is a computer that provides some service for other
computers connected to it via a network. Any computer, including a laptop, can
be configured as a server.

Primary Uses: Provides shared resources such as e-mail, file storage, Web
page services, and print services for a network.

Potential Evidence: See potential evidence under computer systems.

Network Cables and Connectors

Description: Network cables can be different colors, thicknesses, and shapes
and have different connectors, depending on the components they are
connected to.

Primary Uses: Connects components of a computer network.

Potential Evidence: The devices themselves.

Pagers

Description: A handheld, portable electronic device that can contain volatile
evidence (telephone numbers, voice mail, e-mail). Cell phones and personal
digital assistants also can be used as paging devices.

Primary Uses: For sending and receiving electronic messages, numeric (phone
numbers, etc.) and alphanumeric (text, often including e-mail).

Note: Since batteries have a limited life, data could be lost if they fail.
Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic
examiner) should be informed that a device powered by batteries is in need of
immediate attention.

Potential Evidence:

o Address information.
o E-mail.
o Phone numbers.
o Text messages.
o Voice messages.

Printers

Description: One of a variety of printing systems, including thermal, laser, inkjet,
and impact, connected to the computer via a cable (serial, parallel, universal
serial bus (USB), FireWire) or accessed via an infrared port. Some printers
contain a memory buffer, allowing them to receive and store multiple page
documents while they are printing. Some models may also contain a hard drive.

Primary Uses: Print text, images, etc., from the computer to paper.

Potential Evidence: Printers may maintain usage logs, time and date information,
and, if attached to a network, they may store network identity information. In
addition, unique characteristics may allow for identification of a printer.

o Documents.
o Hard drive.
o Ink cartridges.
o Network identity/information.
o Superimposed images on the roller.
o Time and date stamp.
o User usage log.

Removable Storage Devices and Media

Description: Media used to store magnetic, optical, or other digital
information (e.g., floppy disks, CDs, DVDs, cartridges, tape).

Primary Uses: Portable devices that can store computer programs, text,
pictures, video, multimedia files, etc.

New types of storage devices and media come on the market frequently.

Potential Evidence: See potential evidence under computer systems.

Scanners

Description: An optical device connected to a computer, which passes a
document past a scanning device (or vice versa) and sends it to the computer
as a file.

Primary Uses: Converts documents, pictures, etc., to electronic files, which can
then be viewed, manipulated, or transmitted on a computer.

Potential Evidence: The device itself may be evidence. Having the capability to
scan may help prove illegal activity (e.g., child pornography, check fraud,
counterfeiting, identity theft). In addition, imperfections such as marks on the
glass may allow for unique identification of a scanner used to process
documents.

Telephones

Description: A handset either by itself (as with cell phones), or a remote base
station (cordless), or connected directly to the landline system. Draws power
from an internal battery, electrical plug-in, or directly from the telephone
system.

Primary Uses: Two-way communication from one instrument to another, using
land lines, radio transmission, cellular systems, or a combination. Phones are
capable of storing information.

Note: Since batteries have a limited life, data could be lost if they fail.
Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic
examiner) should be informed that a device powered by batteries is in need of
immediate attention.

Potential Evidence: Many telephones can store names, phone numbers, and
caller identification information. Additionally, some cellular telephones can store
appointment information, receive electronic mail and pages, and may act as a
voice recorder.

o Appointment calendars/information.
o Caller identification information.
o Electronic serial number.
o E-mail.
o Memo.
o Password.
o Phone book.
o Text messages.
o Voice mail.
o Web browsers.

Miscellaneous Electronic Items

There are many additional types of electronic equipment that are too numerous
to be listed that might be found at a crime scene. However, there are many
nontraditional devices that can be an excellent source of investigative
information and/or evidence. Examples are credit card skimmers, cell phone
cloning equipment, caller ID boxes, audio recorders, and Web TV. Fax
machines, copiers, and multifunction machines may have internal storage
devices and may contain information of evidentiary value.

REMINDER: The search of this type of evidence may require a search
warrant. See note in the Introduction, page 7.

Copiers

Some copiers maintain user access records and history of copies made.
Copiers with the scan once/print many feature allow documents to be scanned
once into memory, and then printed later.

Potential Evidence:

o Documents.
o Time and date stamp.
o User usage log.

Credit Card Skimmers

Credit card skimmers are small readers used to capture the data encoded on
the magnetic stripe of a plastic card and store it for later retrieval.

Potential Evidence: Cardholder information encoded on the tracks of the
magnetic stripe includes:

o Card number (primary account number).
o Card expiration date.
o Cardholder name (Track 1 only).
o Service code and issuer discretionary data.

A cardholder's address is not encoded on the stripe; any address data found
with a skimmer were captured by other means.
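As an added example that is not part of this guide, the following parser decodes Track 1 and Track 2 strings in the ISO/IEC 7813 layout that a skimmer captures, masks the account number for reporting, and checks it with the Luhn algorithm. The sample dump is constructed around the industry test number 4111 1111 1111 1111 and a fictitious cardholder; the discretionary data and service code values are invented as well.

```python
"""Added example, not part of the NIJ guide: parse magnetic-stripe Track 1
and Track 2 data of the kind a skimmer captures and check the card number
with the Luhn algorithm.  The sample tracks below are constructed around
the well-known test number 4111 1111 1111 1111 and a fictitious name."""
import re

# ISO/IEC 7813 layouts (simplified: expiry and service code are required here,
# although real tracks may omit them with a "^" placeholder).
TRACK1 = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
                    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

# First digit of the service code (ISO/IEC 7813 interchange designator).
INTERCHANGE = {"1": "international", "2": "international, IC preferred",
               "5": "national", "6": "national, IC preferred",
               "7": "private/no interchange", "9": "test"}


def luhn_ok(pan):
    """Mod-10 check digit test; rejects most mis-read or altered PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four: what belongs in a report, not the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw):
    """Return a dict for a Track 1 or Track 2 string, or None if it is neither."""
    raw = raw.strip()
    track, m = 1, TRACK1.match(raw)
    if not m:
        track, m = 2, TRACK2.match(raw)
    if not m:
        return None
    f = m.groupdict()
    rec = {
        "track": track,
        "pan": f["pan"],
        "masked_pan": mask(f["pan"]),
        "luhn_valid": luhn_ok(f["pan"]),
        "expires": f["exp"][2:] + "/" + f["exp"][:2],      # YYMM -> MM/YY
        "service_code": f["svc"],
        "interchange": INTERCHANGE.get(f["svc"][0], "unknown"),
        "discretionary": f["disc"],
    }
    if track == 1:
        surname, _, given = f["name"].partition("/")
        rec["surname"], rec["given"] = surname.strip(), given.strip()
    return rec


def parse_dump(lines):
    """Parse a skimmer dump line by line; unparseable lines are kept for review."""
    records, rejected = [], []
    for line in lines:
        rec = parse_track(line)
        if rec:
            records.append(rec)
        else:
            rejected.append(line)
    return records, rejected


# Constructed sample dump: test PAN, fictitious cardholder, invented discretionary data.
SAMPLE_DUMP = [
    "%B4111111111111111^DOE/JOHN^2512101123456789?",
    ";4111111111111111=2512101123456789?",
    ";4111111111111112=2512101123456789?",   # one digit altered: fails Luhn
    "swipe error",
]

if __name__ == "__main__":
    recs, bad = parse_dump(SAMPLE_DUMP)
    for r in recs:
        print(r["track"], r["masked_pan"], r["expires"], r["luhn_valid"], r.get("surname", ""))
    print("rejected:", bad)
```

The Luhn check separates clean swipes from corrupted ones when triaging a dump; the masked form is what should appear in notes and reports, since the full account numbers are themselves sensitive data subject to the handling rules in this guide.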

Digital Watches

There are several types of digital watches available that can function as pagers
that store digital messages. They may store additional information such as
address books, appointment calendars, e-mail, and notes. Some also have the
capability of synchronizing information with computers.

Potential Evidence:

o Address book.
o Appointment calendars.
o E-mail.
o Notes.
o Phone numbers.

Facsimile Machines

Facsimile (fax) machines can store preprogrammed phone numbers and a
history of transmitted and received documents. In addition, some contain
memory allowing multiple-page faxes to be scanned in and sent at a later time
as well as allowing incoming faxes to be held in memory and printed later.
Some may store hundreds of pages of incoming and/or outgoing faxes.

Potential Evidence:

o Documents.
o Film cartridge.
o Phone numbers.
o Send/receive log.

Global Positioning Systems (GPS)

Global Positioning Systems can provide information on previous travel via
destination information, way points, and routes. Some automatically store the
previous destinations and include travel logs.

Potential Evidence:

o Home.
o Previous destinations.
o Travel logs.
o Way point coordinates.
o Way point name.

---------------------------

Chapter 2. Investigative Tools and Equipment

Principle: Special tools and equipment may be required to collect electronic
evidence. Experience has shown that advances in technology may dictate
changes in the tools and equipment required.

Policy: There should be access to the tools and equipment necessary to
document, disconnect, remove, package, and transport electronic evidence.

Procedure: Preparations should be made to acquire the equipment required to
collect electronic evidence. The needed tools and equipment are dictated by
each aspect of the process: documentation, collection, packaging, and
transportation.

Tool Kit

Departments should have general crime scene processing tools (e.g., cameras,
notepads, sketchpads, evidence forms, crime scene tape, markers). The
following are additional items that may be useful at an electronic crime scene.

Documentation Tools

o Cable tags.
o Indelible felt tip markers.
o Stick-on labels.

Disassembly and Removal Tools

A variety of nonmagnetic sizes and types of:

o Flat-blade and Phillips-type screwdrivers.
o Hex-nut drivers.
o Needle-nose pliers.
o Secure-bit drivers.
o Small tweezers.
o Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).
o Standard pliers.
o Star-type nut drivers.
o Wire cutters.

Package and Transport Supplies

o Antistatic bags.
o Antistatic bubble wrap.
o Cable ties.
o Evidence bags.
o Evidence tape.
o Packing materials (avoid materials that can produce static electricity such as
styrofoam or styrofoam peanuts).
o Packing tape.
o Sturdy boxes of various sizes.

Other Items

Items that also should be included within a department's tool kit are:

o Gloves.
o Hand truck.
o Large rubber bands.
o List of contact telephone numbers for assistance.
o Magnifying glass.
o Printer paper.
o Seizure disk.
o Small flashlight.
o Unused floppy diskettes (3 1/2 and 5 1/4 inch).

---------------------------

Chapter 3. Securing and Evaluating the Scene

Principle: The first responder should take steps to ensure the safety of all
persons at the scene and to protect the integrity of all evidence, both traditional
and electronic.

Policy: All activities should be in compliance with departmental policy and
Federal, State, and local laws. (Additional resources are referenced in
appendix B.)

Procedure: After securing the scene and all persons on the scene, the first
responder should visually identify potential evidence, both conventional
(physical) and electronic, and determine if perishable evidence exists. The first
responder should evaluate the scene and formulate a search plan.

Secure and evaluate the scene:

o Follow jurisdictional policy for securing the crime scene. This would include
ensuring that all persons are removed from the immediate area from which
evidence is to be collected. At this point in the investigation do not alter the
condition of any electronic devices: If it is off, leave it off. If it is on, leave it on.

o Protect perishable data physically and electronically. Perishable data may be
found on pagers, caller ID boxes, electronic organizers, cell phones, and other
similar devices. The first responder should always keep in mind that any device
containing perishable data should be immediately secured, documented, and/or
photographed.

o Identify telephone lines attached to devices such as modems and caller ID
boxes. Document, disconnect, and label each telephone line from the wall
rather than the device, when possible. There may also be other communications
lines present for LAN/ethernet connections. Consult appropriate
personnel/agency in these cases.

Keyboards, the computer mouse, diskettes, CDs, or other components may
have latent fingerprints or other physical evidence that should be preserved.
Chemicals used in processing latent prints can damage equipment and data.
Therefore, latent prints should be collected after electronic evidence recovery is
complete.

Conduct preliminary interviews:

o Separate and identify all persons (witnesses, subjects, or others) at the scene
and record their location at time of entry.

o Consistent with departmental policy and applicable law, obtain from these
individuals information such as:

--Owners and/or users of electronic devices found at the scene, as well as
passwords (see below), user names, and Internet service provider.

--Passwords. Any passwords required to access the system, software, or data.
(An individual may have multiple passwords, e.g., BIOS, system login, network
or ISP, application files, encryption pass phrase, e-mail, access token,
scheduler, or contact list.)

--Purpose of the system.

--Any unique security schemes or destructive devices.

--Any offsite data storage.

--Any documentation explaining the hardware or software installed on the
system.

---------------------------

Chapter 4. Documenting the Scene

Principle: Documentation of the scene creates a permanent historical record of
the scene. Documentation is an ongoing process throughout the investigation. It
is important to accurately record the location and condition of computers,
storage media, other electronic devices, and conventional evidence.

Policy: Documentation of the scene should be created and maintained in
compliance with departmental policy and Federal, State, and local laws.

Procedure: The scene should be documented in detail.

Initial documentation of the physical scene:

o Observe and document the physical scene, such as the position of the mouse
and the location of components relative to each other (e.g., a mouse on the left
side of the computer may indicate a left-handed user).

o Document the condition and location of the computer system, including
power status of the computer (on, off, or in sleep mode). Most computers have
status lights that indicate the computer is on. Likewise, if fan noise is heard, the
system is probably on. Furthermore, if the computer system is warm, that may
also indicate that it is on or was recently turned off.

o Identify and document related electronic components that will not be
collected.

o Photograph the entire scene to create a visual record as noted by the first
responder. The complete room should be recorded with 360 degrees of
coverage, when possible.

o Photograph the front of the computer as well as the monitor screen and other
components. Also take written notes on what appears on the monitor screen.
Active programs may require videotaping or more extensive documentation of
monitor screen activity.

Note: Movement of a computer system while the system is running may cause
changes to system data. Therefore, the system should not be moved until it has
been safely powered down as described in chapter 5.

o Additional documentation of the system will be performed during the
collection phase.

---------------------------

Chapter 5. Evidence Collection

REMINDER: The search for and collection of evidence at an electronic crime
scene may require a search warrant. See note in the Introduction, page 7.

Principle: Computer evidence, like all other evidence, must be handled carefully
and in a manner that preserves its evidentiary value. This relates not just to the
physical integrity of an item or device, but also to the electronic data it contains.
Certain types of computer evidence, therefore, require special collection,
packaging, and transportation. Consideration should be given to protect data
that may be susceptible to damage or alteration from electromagnetic fields
such as those generated by static electricity, magnets, radio transmitters, and
other devices.

Policy: Electronic evidence should be collected according to departmental
guidelines. In the absence of departmental guidelines outlining procedures for
electronic evidence collection, the following procedures are suggested.

Note: Prior to collection of evidence, it is assumed that locating and
documenting has been done as described in chapters 3 and 4. Recognize that
other types of evidence such as trace, biological, or latent prints may exist.
Follow your agency's protocol regarding evidence collection. Destructive
techniques (e.g., use of fingerprint processing chemicals) should be postponed
until after electronic evidence recovery is done.

Nonelectronic Evidence

Recovery of nonelectronic evidence can be crucial in the investigation of
electronic crime. Proper care should be taken to ensure that such evidence is
recovered and preserved. Items relevant to subsequent examination of
electronic evidence may exist in other forms (e.g., written passwords and other
handwritten notes, blank pads of paper with indented writing, hardware and
software manuals, calendars, literature, text or graphical computer printouts,
and photographs) and should be secured and preserved for future analysis.
These items frequently are in close proximity to the computer or related
hardware items. All evidence should be identified, secured, and preserved in
compliance with departmental policies.

Stand-Alone and Laptop Computer Evidence

CAUTION: Multiple computers may indicate a computer network. Likewise,
computers located at businesses are often networked. In these situations,
specialized knowledge about the system is required to effectively recover
evidence and reduce your potential for civil liability. When a computer network
is encountered, contact the forensic computer expert in your department or
outside consultant identified by your department for assistance. Computer
systems in a complex environment are addressed later in this chapter.

A "stand-alone" personal computer is a computer not connected to a network
or other computer. Stand-alones may be desktop machines or laptops.

Laptops incorporate a computer, monitor, keyboard, and mouse into a single
portable unit. Laptops differ from other computers in that they can run from
AC power or from an internal battery. Therefore, they require the removal of
the battery in addition to the stand-alone power-down procedures.

If the computer is on, document existing conditions and call your expert or
consultant. If an expert or consultant is not available, continue with the following
procedure:

Procedure:

After securing the scene per chapter 3, read all steps below before taking any
action (or evidentiary data may be altered).

a. Record in notes all actions you take and any changes that you observe in the
monitor, computer, printer, or other peripherals that result from your actions.

b. Observe the monitor and determine if it is on, off, or in sleep mode. Then
decide which of the following situations applies and follow the steps for that
situation.

Situation 1: Monitor is on and work product and/or desktop is visible.

1. Photograph screen and record information displayed.
2. Proceed to step c.

Situation 2: Monitor is on and screen is blank (sleep mode) or screen saver
(picture) is visible.

1. Move the mouse slightly (without pushing buttons). The screen should
change and show work product or request a password.

2. If mouse movement does not cause a change in the screen, DO NOT
perform any other keystrokes or mouse operations.

3. Photograph the screen and record the information displayed.

4. Proceed to step c.

Situation 3: Monitor is off.

1. Make a note of "off" status.

2. Turn the monitor on, then determine if the monitor status is as described in
either situation 1 or 2 above and follow those steps.

c. Regardless of the power state of the computer (on, off, or sleep mode),
remove the power cable from the back of the computer, NOT from the wall outlet
(a machine fed by an uninterruptible power supply would otherwise keep
running). If dealing with a laptop, in addition to removing the power cord,
remove the battery pack. The battery is removed to prevent any power to the
system. Some laptops have a second battery in the multipurpose bay instead of
a floppy drive or CD drive. Check for this possibility and remove that battery
as well. Keep in mind that removing power discards the contents of memory (see
chapter 1); if encryption or an active network connection is suspected, that
is a further reason to call your expert before this step.

d. Check for outside connectivity (e.g., telephone modem, cable, ISDN, DSL).
If a telephone connection is present, attempt to identify the telephone number.

e. To avoid damage to potential evidence, remove any floppy disks that are
present, package the disk separately, and label the package. If available, insert
either a seizure disk or a blank floppy disk. Do NOT remove CDs or touch the
CD drive.

f. Place tape over all the drive slots and over the power connector.

g. Record make, model, and serial numbers.

h. Photograph and diagram the connections of the computer and the
corresponding cables.

i. Label all connectors and cable ends (including connections to peripheral
devices) to allow for exact reassembly at a later time. Label unused connection
ports as "unused." Identify laptop computer docking stations in an effort to
identify other storage media.

j. Record or log evidence according to departmental procedures.

k. If transport is required, package the components as fragile cargo (see
chapter 6).

Computers in a Complex Environment

Business environments frequently have multiple computers connected to each
other, to a central server, or both. Securing and processing a crime scene
where the computer systems are networked poses special problems, as
improper shutdown may destroy data. This can result in loss of evidence and
potential severe civil liability. When investigating criminal activity in a known
business environment, the presence of a computer network should be planned
for in advance, if possible, and appropriate expert assistance obtained. It
should be noted that computer networks can also be found in a home
environment and the same concerns exist.

The possibility of various operating systems and complex hardware
configurations requiring different shutdown procedures make the processing of
a network crime scene beyond the scope of this guide. However, it is important
that computer networks be recognized and identified, so that expert assistance
can be obtained if one is encountered. Appendix C provides a list of technical
resources that can be contacted for assistance.

Indications that a computer network may be present include:

o The presence of multiple computer systems.

o The presence of cables and connectors, such as those depicted in the pictures
at left, running between computers or central devices such as hubs.

o Information provided by informants or individuals at the scene.

o The presence of network components as depicted in chapter 1.

Other Electronic Devices and Peripheral Evidence

The electronic devices such as the ones in the list below may contain potential
evidence associated with criminal activity. Unless an emergency exists, the
device should not be operated. Should it be necessary to access information
from the device, all actions associated with the manipulation of the device
should be documented to preserve the authenticity of the information. Many of
the items listed below may contain data that could be lost if not handled
properly. For more detailed information on these devices, see chapter 1.

Examples of other electronic devices (including computer peripherals):

o Audio recorders.
o Answering machines.
o Cables.
o Caller ID devices.
o Cellular telephones.
o Chips. (When components such as chips are found in quantity, it may be
indicative of chip theft.)
o Copy machines.
o Digital databank/organizer.
o Digital cameras (still and video).
o Dongle or other hardware protection devices (keys) for software.
o Drive duplicators.
o External drives.
o Fax machines.
o Flash memory cards.
o Floppies, diskettes, CD-ROMs.
o GPS

February 16, 2005 at 07:42 AM in Security

Government 'vulnerable' to cyber attacks

TheStar.com - Government 'vulnerable' to cyber attacks

Digital security lax: Auditor-general
Issue not taken seriously, Fraser says

BRUCE CAMPION-SMITH
OTTAWA BUREAU

OTTAWA—The warning is simple — leave your back door open every night and eventually there'll be a break-in.

That's the message Auditor-General Sheila Fraser has for the federal government and for Canadians after describing lax digital security that leaves its computers full of personal information vulnerable to hackers.

"Sensitive data, including information on the privacy of Canadians, payroll and financial transactions, program information ... are at increased risk of unauthorized disclosure, modification, or loss possibly without being detected," the auditor-general's report warns.

"In some cases the weaknesses had been exploited and gone undetected."

Citing the growing number of "cyber incidents," Fraser suggests that only luck has spared the government from a major breach of its computer systems.

She expressed frustration that almost three years after it was flagged as a problem, many government computers still don't meet minimum levels of security. "I'm really disappointed this issue isn't being taken more seriously," Fraser said yesterday at a news conference. "It's not just getting the attention it should be within government."

But she stressed that a government that collects a host of sensitive personal information on everything from passports to income tax to employment insurance needs to take action immediately to close the loopholes.

"This is serious and needs to be dealt with," Fraser said. She refused to single out which departments are most vulnerable but cited the government's own survey of 90 departments: 46 responded and only one met standards. Fraser notes how the government's own "vulnerability assessments" revealed "significant weaknesses that could be exploited."

Treasury Board President Reg Alcock said later there are attacks on a "regular basis... everything from minor hackers trying to attack websites through to people coming in at databases."

"We don't know of any ... serious breaches," Alcock said.

He said the government is working on new procedures to ensure departments comply with security standards.

In her report released yesterday, Fraser gave Ottawa passing grades for making improvements on everything from reforming its management of human resources to the licensing and regulation of nuclear reactors.

It was a marked change for Fraser who a year ago used words like "shocking" and "blatant misuse" to lay bare the sponsorship scandal.

Fraser did serve up some tough words yesterday, criticizing the way the government has funnelled billions of dollars to arm's-length foundations that aren't subject to adequate oversight.

And she said the government has been slow to improve the governance of Crown corporations. She found that 15 large Crown corporations reported that more than one-third of board members' terms had expired, some for more than one year. "Recent developments in the private sector have raised the bar for corporate governance and this area will require much more attention," Fraser said.

Alcock later said yesterday that he plans to unveil changes tomorrow to improve the way Crown corporations are run.

Fraser also scolded Transport Canada for dragging its feet in its review of the rent it charges the operators of airports, such as Pearson airport. She said the review, launched back in 2001 and still not finished, could have significant financial implications for airports, airlines and even passengers, who could benefit if rents are rolled back.

"It's taken too long to get resolved," she said.

She also raised flags about the way aid money is spent at a time when the federal government is set to hand out tens of millions for tsunami relief.

The Canadian International Development Agency, responsible for handing out $2.6 billion a year in assistance, has moved toward giving grants with little control over how the money is spent, Fraser revealed yesterday.

"Grant payments are usually given with few conditions," the report said.

February 16, 2005 at 07:27 AM in Security

December 02, 2004

Wozniak's Wheels of Zeus Tackles Enterprise Data Encryption

December 2, 2004
By Ryan Naraine

Steve Wozniak's Wheels of Zeus is beginning to roll, and enterprise data protection is one destination on the Apple Computer Inc. co-founder's mind.

Wozniak offered a peek into his vision for the company on Ziff Davis Media's Security Virtual Tradeshow, where he introduced "wOz Location-Based Encryption," an application that uses GPS tracking within a wireless hub to encrypt and decrypt sensitive data for large businesses.

Wheels of Zeus, which launched in 2001 with backing from three big-name venture capital firms, has developed a wireless platform to power a range of location-based monitoring and notification services, and Wozniak believes data protection is a natural extension of the company's business.

"Hundreds of thousands of notebooks and laptops are stolen or lost every year and, when that happens, sensitive corporate data is gone out the door," Wozniak said, citing FBI statistics that show that 98 percent of all stolen laptops are never recovered.

With wOz Location-Based Encryption, Wozniak said companies can guard against the unauthorized removal of data outside of safe zones by using GPS tracking tied to the proprietary wOzNet, which serves as a local wireless network.

The application involves the use of a dongle attached to the laptop that communicates wirelessly with a base station controlled by an enterprise IT department.

According to Wozniak's vision, the IT department sets specific "safe zones" where the laptop/device can be used, allowing an environment where the location of the laptop is known at all times and where access can be denied entirely if a safe zone is breached.

When the employee logs in, the device automatically requests valid zone information from the dongle. Once the preset zones are approved, the dongle regularly requests GPS positioning as a key to decrypting data to allow access. All the while, Wozniak said the internal base station is continually checking with the dongle for disconnect.

Once everything clears approval, the dongle decrypts the data based on the preset zone data. This, Wozniak explained, would automatically block an employee or a thief from picking up a laptop and moving out of a building without the IT department's approval.

He said the true value of the application kicks in when there is unauthorized removal of a device containing corporate secrets. "Remember, the dongle is constantly requesting GPS positioning, so once there's an out-of-zone reading, it triggers an automatic encryption of data, and alerts are sent to on-site security or to relevant authorities.

"The dongle can be programmed to delete data or shut down sections of the device. Once the computer is removed from the physical zone, the keys are lost or unavailable, and the hard disk is gibberish," Wozniak added.

What if the dongle is removed? "It is automatically detected by the base station and reported immediately. Decryption of the data is done through the dongle, so no dongle means no use of critical data," Wozniak explained.

Using device-location history, a cookie-crumb trail will help with retrieval of the stolen or lost laptop, he said.

In highly sensitive environments, the application can be integrated with audio alerts and sensors to trigger early warnings, said Wozniak, who is president and chief technology officer of the Los Gatos, Calif.-based Wheels of Zeus.

"The biggest benefit of this is very simplified usage," he said. "The company defines where the computer can or can't be used. You set up the PC to operate in one location, but not others, and you can also approve operation in multiple environments, all based on GPS tracking."

Throughout the entire process, Wozniak said the encryption key is controlled in a central location through a secure transmission. Because the wOz Platform and the wOzNet network are proprietary, he said it is not open to Wi-Fi spoofing or password sniffing.

For companies with mobile work forces that move from location to location with laptops, he said the application may require multiple base stations.
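The control flow the preceding paragraphs describe (dongle heartbeats carrying position, the base station releasing the decryption key only inside an approved zone, the key disappearing on an out-of-zone reading), as an added example that is not Wheels of Zeus code. It fills in details the article leaves open with assumptions of its own: the data key is a random value held by the base station and is never derived from coordinates; each heartbeat is HMAC-authenticated with a per-dongle secret and carries a counter so a recorded in-zone heartbeat cannot be replayed; the SHA-256 keystream stands in for a real AEAD such as AES-GCM; the zone coordinates and device names are constructed.

```python
"""Geofenced key release, modelled on the scheme the article describes.

Added example, not Wheels of Zeus code. Assumed here: random data key held by
the base station, HMAC-authenticated heartbeats with an anti-replay counter,
a SHA-256 keystream standing in for AES-GCM, constructed zones and names.
"""
import hashlib
import hmac
import math
import secrets
from collections import namedtuple
from typing import Optional

Zone = namedtuple("Zone", "name lat lon radius_m")

def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two WGS84 fixes."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))

def heartbeat_mac(secret: bytes, device_id: str, counter: int, lat, lon) -> bytes:
    msg = f"{device_id}|{counter}|{lat:.6f}|{lon:.6f}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

class BaseStation:
    """IT-controlled side: owns the data keys and the zone policy."""

    def __init__(self, zones):
        self.zones = list(zones)
        self.devices = {}       # device_id -> (hmac secret, data key)
        self.last_counter = {}  # device_id -> highest counter accepted
        self.alerts = []

    def enrol(self, device_id: str) -> bytes:
        # Random data key: a GPS fix is low-entropy and public to anyone who
        # knows where the office is, so it may gate the key but never be the key.
        secret = secrets.token_bytes(32)
        self.devices[device_id] = (secret, secrets.token_bytes(32))
        self.last_counter[device_id] = 0
        return secret

    def zone_for(self, lat, lon) -> Optional[str]:
        for z in self.zones:
            if haversine_m(lat, lon, z.lat, z.lon) <= z.radius_m:
                return z.name
        return None

    def handle_heartbeat(self, device_id, counter, lat, lon, mac) -> Optional[bytes]:
        """Release the data key only for an authentic, fresh, in-zone heartbeat."""
        if device_id not in self.devices:
            self.alerts.append((device_id, "unknown device"))
            return None
        secret, data_key = self.devices[device_id]
        if not hmac.compare_digest(mac, heartbeat_mac(secret, device_id, counter, lat, lon)):
            self.alerts.append((device_id, "bad MAC"))
            return None
        if counter <= self.last_counter[device_id]:
            self.alerts.append((device_id, "replayed heartbeat"))
            return None
        self.last_counter[device_id] = counter
        if self.zone_for(lat, lon) is None:
            self.alerts.append((device_id, f"out of zone at {lat:.4f},{lon:.4f}"))
            return None
        return data_key

class Dongle:
    """Laptop side: keeps the key only while the base station keeps releasing it."""

    def __init__(self, device_id, secret, base):
        self.device_id, self.secret, self.base = device_id, secret, base
        self.counter, self.key = 0, None

    def heartbeat(self, lat, lon) -> bool:
        self.counter += 1
        mac = heartbeat_mac(self.secret, self.device_id, self.counter, lat, lon)
        # A denial drops the cached key (hardware would overwrite the key register).
        self.key = self.base.handle_heartbeat(self.device_id, self.counter, lat, lon, mac)
        return self.key is not None

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC; the 16-byte nonce must be fresh for every message."""
    assert len(nonce) == 16
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
```

Two points a practitioner would check that the article's description does not settle. A dongle that reports its own GPS fix can be fed a spoofed one; the counter and MAC stop replay of a recorded in-zone heartbeat but not a live spoofer, so the base station should also insist on the short-range radio link it is already monitoring for disconnects. And a proprietary radio is not a security property: in this example the heartbeat is protected by the MAC and the key by its randomness, not by anything about the network being undocumented.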

Wozniak did not provide details on pricing for the application or a timeline for release. Company officials could not be reached to discuss commercial rollout.

Wheels of Zeus already has a deal with Motorola Inc. to develop devices and services for location-based monitoring of pets and other important possessions, but not much is known about the types of devices being created.

Copyright (c) 2004 Ziff Davis Media Inc. All Rights Reserved.

December 2, 2004 at 09:23 PM in Security

October 03, 2004

U.S. Cybersecurity Chief Abruptly Resigns

Yahoo! News - U.S. Cybersecurity Chief Abruptly Resigns

Fri Oct 1, 6:58 PM ET

By TED BRIDIS, AP Technology Writer

WASHINGTON - The government's cybersecurity chief has abruptly resigned from the Homeland Security Department amid a concerted campaign by the technology industry and some lawmakers to persuade the Bush administration to give him more authority and money for protection programs.

Amit Yoran, a former software executive from Symantec Corp., made his resignation effective Thursday as director of the National Cyber Security Division, giving a single day's notice of his intention to leave. He kept the job one year.

Yoran has privately confided to industry colleagues his frustrations in recent months over what he considers the department's lack of attention paid to computer security issues, according to lobbyists and others who recounted these conversations on condition they not be identified because the talks were personal.

Yoran said Friday he "felt the timing was right to pursue other opportunities." It was unclear immediately who might succeed him even temporarily. Yoran's deputy is Donald A. "Andy" Purdy, a former White House adviser on cybersecurity.

A department spokeswoman, Tasia Scolinos, praised Yoran as a valuable contributor. "Cybersecurity will continue to be a priority of the Department of Homeland Security, and we plan to move quickly to fill the position with someone who has demonstrated leadership in this important field," she said.

As cybersecurity chief, Yoran and his division with an $80 million budget and 60 employees were responsible for carrying out dozens of recommendations in the Bush administration's "National Strategy to Secure Cyberspace," a set of proposals to better protect computer networks.

Yoran's position as a director, at least three bureaucratic steps below Homeland Security Secretary Tom Ridge, has irritated the technology industry and even some lawmakers. They have pressed unsuccessfully in recent months to elevate Yoran's role to that of an assistant secretary, which could mean broader authority and more money for programs.

Rep. Zoe Lofgren, D-Calif., complained that Yoran's surprise departure was "yet another setback in the effort to protect our nation's cyber infrastructure," and described the efforts as "in complete disarray." Lofgren and Rep. Mac Thornberry, R-Texas, leaders on the House Homeland Security Subcommittee on Cybersecurity, have introduced a bill now stalled in Congress to make Yoran's job an assistant secretary's position.

Senior department officials consider equally important the protection of the nation's physical structures, such as bridges and buildings, and computer networks, which regulate the flow of electricity, phone calls, finances and other information. They maintain that gauging risks to physical structures and computers separately is inefficient and expensive because common problems threaten both.

Under Yoran, Homeland Security established a cyber alert system, which sends urgent e-mails to subscribers about major virus outbreaks and other Internet attacks as they occur, along with detailed instructions to help computer users protect themselves.

It also mapped the government's universe of connected electronic devices, the first step toward scanning them systematically for weaknesses that could be exploited by hackers or foreign governments. And it began routinely identifying U.S. computers and networks that were victims of break-ins.

"Amit's departure provides a challenge for industry and its relationship with the department on cybersecurity," said Shannon Kellogg, director of government affairs for RSA Security Inc., a leading security firm. "He knew how to get the job done."

Yoran effectively took over some responsibilities once assigned to Richard Clarke, a special adviser to President Bush, and to Howard Schmidt, who succeeded Clarke but left government during the formation of the Homeland Security Department to work as chief security officer at eBay Inc.

Yoran cofounded Riptech Inc. of Alexandria, Va., in March 1998, which monitored government and corporate computers around the world with an elaborate sensor network to protect against attacks. He sold the firm in July 2002 to Symantec for $145 million and stayed on as vice president for managed security services.

___

On the Net:

Homeland Security: www.dhs.gov

October 3, 2004 at 07:01 PM in Security

Americans 'misjudge online risks'

BBC NEWS | Technology | Americans 'misjudge online risks'

US computer users know more about Janet Jackson's breasts than about security software on their own PC.

A survey found that 90% of those asked could remember when Ms Jackson suffered her "wardrobe malfunction".

But only 60% recalled when they last updated anti-virus, firewall and operating system software on their PC.

The survey, by a US security group, found people were getting more worried about computer security but some vastly under-estimated how at risk they were.

Risky business

Commissioned by the National Cyber Security Alliance (NCSA), the survey found that 30% of people believed they had more chance of getting struck by lightning, being audited by the tax man or winning the lottery than they did of falling victim to a computer security problem.

PC users aged under 25 were even more sure.

40% thought they would get hit by lightning, or suffer one of the other events, before being caught out by a computer security breach.

In fact, said the NCSA, people are far more likely to be struck by a hack attack than atmospheric discharge.

According to the US National Weather Service, Americans have a 0.0000102% chance of being hit by lightning.

By contrast the chances of falling victim to a computer virus, phishing attack, malicious hack attempt or other cyber security dangers are currently running at 70%, according to statistics gathered for the E-Crime Watch Survey.

"Cyber-security should become second nature, just like brushing our teeth," said Ken Watson, chairman of the NCSA.

The majority of people did pick out computer security as the biggest risk of the four choices they were given.

The NCSA has declared October to be National Cyber Security Awareness month in the US and is running a series of events to warn home users, small firms, educators and parents about the true scale of the threats they face.

Mr Watson said 91% of PCs were infected with spyware programs that spy on browsing habits and report what they see to spammers and others.

The NCSA is planning an in-depth follow-up study to its survey in late October that will conduct technical examinations of home PCs to see how well protected they are and what risks they face.

October 3, 2004 at 03:36 PM in Security

September 29, 2004

Hackers Deface Al-Qaeda Web Site

Security Pipeline | News | Hackers Deface Al-Qaeda Web Site

Courtesy of TechWeb News

A group of hackers calling themselves TeAmZ USA on Tuesday attacked the Web site of a Qaeda-linked group that has claimed responsibility for numerous kidnappings and beheadings of Westerners in Iraq.

The hackers shunted requests for the site of the Tawhid and Jihad Group of Al-Qaeda ally Abu Musab al-Zarqawi to a page showing a machine-gun toting penguin, smashed monitor, and the warning, "Host them and your [sic] next."

The message refers to the free hosting firm that serves up the site. By early Wednesday, the Web site had returned to normal. Islamic militants have taken to using the Web for propaganda purposes, often closing sites and shifting providers on short notice.

al-Zarqawi's group beheaded two American captives, Eugene Armstrong and Jack Hensley, last week, and is threatening a third, a British citizen named Kenneth Bigley. The Web site has been used to post videos of the hostages pleading for their lives, and footage of the beheadings.

The TeAmZ USA group has hit the Tawhid and Jihad Group site before. In late August, it tagged the site with a graphic of a large American flag and a photo of Osama bin Laden in crosshairs.

An image of the TeAmZ USA penguin hack can be found on several bloggers' Web sites, including this one.

September 29, 2004 at 05:10 PM in Security

September 24, 2004

US payments firm hit by online attack

Finextra: US payments firm hit by online attack

Authorize.net, a US provider of online payments processing services, is struggling to remain online after being repeatedly hit by distributed denial of service attacks.

According to press reports, Authorize.net has been pounded by malicious online attacks since last week. Glen Zimmerman, a spokesman for Authorize.net's parent company Lightbridge, told the Boston Globe that the company had received an extortion letter from hackers and was now working with law enforcement agencies to track the attackers.

In a statement Authorize.Net says it continues to experience intermittent distributed denial of service attacks, adding that its system engineers have minimised the impact of each attack and have restored services to affected merchants.

The firm says it is working with industry experts to restore and maintain the transaction processing service.

UK-based online merchant payments operator WorldPay was hit by a malicious denial of service attack last November when vandals bombarded its payments and administration networks with computer-generated requests.

September 24, 2004 at 06:40 AM in Security

September 15, 2004

Quantum leap in encryption

Globetechnology

By THEO EMERY
Associated Press

CAMBRIDGE, Mass. — It's a hacker's nightmare but a dream for bankers and spies: A computer network so secure that even the simplest attempts to eavesdrop will interrupt the flow of data and alert administrators to the snooping.

The work by researchers at Harvard University, Boston University and BBN Technologies is the closest scientists have come to a real-world quantum encryption system: one that uses light particles called photons to distribute the random-number "keys" that lock and unlock information, so that any interception of the key is detectable.

Using the technology, the scientists can swap data, send e-mail and visit one another's websites as their data is protected.

Researchers are still exploring its practical applications, but some say it could one day replace the encryption now used for most secure Internet traffic, and shield financial or government communications.

"It is really a futuristic technology," said Harvard project scientist John M. Myers. "Its applications are going to be a lot like the laser and the transistor, in that early people could not think of all the possible applications and uses of it."

Quantum cryptography depends on a defining discovery in physics: that subatomic particles can exist in multiple states at once until something interacts with them. Thus, even observing photons used in quantum encryption changes them, ruining the codes.

The project, funded with about $4-million (U.S.) from the Pentagon's Defense Advanced Research Projects Agency, is far from alone in developing quantum cryptography. A New York-based company, MagiQ Technologies, has begun selling units for commercial use while a group in Europe recently made the first quantum-encrypted bank transaction.

But the Boston network, though limited to the three locations, is believed to be the first Internet-integrated system that runs continuously between multiple distant locations.

BBN, the company that created the Internet predecessor called ARPANET, has been sending quantum keys for two years. Harvard was linked to the BBN network in May, and Boston University in June.

Quantum encryption has its roots in the "one-time pad" system used by spies in World War II. These were identical pads of random numbers, each page a different key for encoding and decoding messages. A code could be unscrambled only if the recipient had the same page as the sender.

On the quantum network, a laser separates individual photons, and sends them to a device called a modulator. The modulator pumps them out to other network nodes on fiber optic cable. The photons are encoded by sending them out at different intervals: a long gap indicates one bit of information, and a shorter one a different bit.

On the receiving end, another device accepts the photons and recognizes how they're modulated. If the sequence matches what was originally sent, then the keys are stored and used to unscramble data sent through conventional means between the different network nodes, such as over the Internet.

Eavesdropping on the photons, such as setting up a photo detector to read the code, disrupts them, making the codes unusable and alerting the network to the snooper.
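The sequence the last few paragraphs describe (photons encoded and sent, the receiver's readings matched against what was sent, the surviving bits kept as a key for conventionally transmitted data, eavesdropping exposed by the disturbance it causes), as an added example that is not code from the article or from the BBN network. It simulates the textbook BB84 scheme on a classical computer: the bit/basis encoding, the intercept-resend attacker and the 11% abort threshold are assumptions for illustration, since the page does not specify the network's actual modulation.

```python
"""BB84 quantum key distribution with intercept-resend eavesdropping, simulated.

Added example, not code from the AP article or the BBN/Harvard/BU network.
The bit/basis encoding, the attacker model and the abort threshold are
textbook assumptions; the page does not describe the network's modulation.
"""
import random
from typing import List, Tuple

# Assumed operational threshold: intercept-resend pushes the error rate to
# about 25%; real systems abort well below that to bound what Eve could learn.
QBER_ABORT_THRESHOLD = 0.11


def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Measure a photon prepared as (bit, prep_basis) in meas_basis.

    A matching basis reads the prepared bit; a mismatched basis yields a
    uniformly random bit and leaves the photon in the measurer's basis,
    which is the 'observing it changes it' rule the article refers to.
    """
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84(n: int, eavesdrop: bool, seed: int = 1) -> Tuple[List[int], List[int], float]:
    """Run one BB84 session over n photons.

    Returns (alice_key, bob_key, qber): the bits each side keeps after sifting
    and error estimation, and the measured quantum bit error rate.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.randint(0, 1) for _ in range(n)]
    bob_bases = [rng.randint(0, 1) for _ in range(n)]

    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve measures in a random basis and re-sends what she observed;
            # when she guesses wrong, the re-sent photon no longer carries Alice's bit.
            eve_basis = rng.randint(0, 1)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Sifting: bases (never bits) are compared over the public channel and
    # positions where Alice and Bob chose differently are discarded.
    kept = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_sifted = [alice_bits[i] for i in kept]
    bob_sifted = [bob_bits[i] for i in kept]

    # Error estimation: half the sifted bits are sacrificed by comparing them
    # in the clear; the remainder becomes the key.
    sample = len(kept) // 2
    errors = sum(1 for i in range(sample) if alice_sifted[i] != bob_sifted[i])
    qber = errors / sample if sample else 0.0
    return alice_sifted[sample:], bob_sifted[sample:], qber


def one_time_pad(data: bytes, key_bits: List[int]) -> bytes:
    """XOR data with key bits; encryption and decryption are the same operation.

    This is the one-time pad the article traces the idea back to: the quantum
    channel only supplies the pad, the message itself travels conventionally.
    """
    if len(key_bits) < 8 * len(data):
        raise ValueError("not enough key material; a pad is never reused")
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for b in key_bits[8 * i:8 * i + 8]:
            k = (k << 1) | b
        out.append(byte ^ k)
    return bytes(out)


def session(n: int, eavesdrop: bool, seed: int = 1) -> Tuple[bool, float]:
    """Return (key_accepted, qber) for one session, applying the abort threshold."""
    alice_key, bob_key, qber = bb84(n, eavesdrop, seed)
    return (qber <= QBER_ABORT_THRESHOLD and alice_key == bob_key), qber


if __name__ == "__main__":
    for eve in (False, True):
        accepted, qber = session(4000, eve)
        print(f"eavesdropper={eve}: QBER={qber:.3f} key accepted={accepted}")
```

Without an eavesdropper the sifted keys agree exactly; intercept-resend raises the error rate to roughly a quarter, far above the threshold, so the session aborts and no key is used. Two things the simulation makes visible that the article's summary does not: the quantum channel delivers key material with a bound on how much of it was seen, nothing more, and the basis comparison needs an authenticated classical channel, because an attacker who can impersonate each side to the other simply runs two separate, error-free sessions.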

The Boston researchers converge weekly at BBN, close to where one pair of transmitters and receivers named "Alice and Bob" are spread out on two tables in a lab, hooked together with cables draping from the ceiling. The campus nodes, which are more compact, are kept on movable racks.

At a recent meeting, they talked about network bugs, a power outage and progress on adding new equipment. The group already has a team of in-house hackers trying to infiltrate the system.

Mr. Myers, the Harvard project scientist, said that the research involves "lots of things to delight the heart of a physicist," but it's too early to know exactly where it's heading. It could eventually come into commercial use, he said, but for now, cost and complexity will likely limit it to high-budget users, such as governments.

If scientists were to develop a now-hypothetical quantum supercomputer, hackers could use it to easily crack existing encryption standards, said Carl J. Williams, a physicist with the National Institute of Standards and Technology, which is doing its own research into high-speed quantum cryptography.

Theoretically, quantum computers could one day become as common as desktop computers are today.

And BBN chief scientist Chip Elliott said there's no technical barrier to the widespread use of quantum cryptography.

For him, it's a question of when, not if.

"This is what every teenager wants: Instant messaging protected by quantum cryptography," he said. "Don't tell my daughter."

September 15, 2004 at 07:47 PM in Security

September 14, 2004

Brazil is world 'hacking capital'

BBC NEWS | Americas | Brazil is world 'hacking capital'

By Tom Gibb
BBC, Sao Paulo

Brazil has become the global capital for computer hacking and internet fraud, according to experts meeting in the country's capital, Brasilia.

Some 500 experts from around the world are attending the first international conference to combat electronic crime.

Brazil is home to eight out of 10 of the world's hackers, according to federal police at the conference.

Within Brazil, the amount of money lost in internet financial fraud outstrips that lost through bank robberies.

Roughly two-thirds of the internet's child pornography pages are also said to originate in the country.

These statistics are supported by security experts from other countries who say some 96,000 hacking attacks were launched from Brazil last year - six times more than any other country.

Intellectual challenge

Many of the hackers work in groups with names like Breaking Your Security or Virtual Hell.

The explosion in hacking is blamed, in part, on weak legislation.

Hacking itself is not a crime in Brazil so police have to prove fraud has taken place in order to prosecute.

Brazilian hackers often do not consider themselves criminals, saying they break into sites for the intellectual challenge rather than to steal.

Last year, websites in the US were the target of the huge majority of hacking attacks.

September 14, 2004 at 11:18 PM in Security

September 06, 2004

Maths holy grail could bring disaster for internet

Guardian Unlimited | The Guardian | Maths holy grail could bring disaster for internet

Two of the seven million dollar challenges that have baffled for more than a century may be close to being solved

Tim Radford, science editor
Tuesday September 7, 2004
The Guardian

Mathematicians could be on the verge of solving two separate million dollar problems. If they are right - still a big if - and somebody really has cracked the so-called Riemann hypothesis, financial disaster might follow. Suddenly all cryptic codes could be breakable. No internet transaction would be safe.

On the other hand, if somebody has already sorted out the so-called Poincaré conjecture, then scientists will understand something profound about the nature of spacetime, experts told the British Association science festival in Exeter yesterday.

Both problems have stood for a century or more. Each is almost dizzyingly arcane: the problems themselves are beyond simple explanation, and the candidate answers published on the internet are so intractable that they could baffle the biggest brains in the business for many months.

They are two of the seven "millennium problems" and four years ago the Clay Mathematics Institute in the US offered $1m (£563,000) to anyone who could solve even one of these seven. The hypothesis formulated by Georg Friedrich Bernhard Riemann in 1859, according to Marcus du Sautoy of Oxford University, is the holy grail of mathematics. "Most mathematicians would trade their soul with Mephistopheles for a proof," he said.

The Riemann hypothesis would explain the apparently random pattern of prime numbers - numbers such as 3, 17 and 31, for instance, are all prime numbers: they are divisible only by themselves and one. Prime numbers are the atoms of arithmetic. They are also the key to internet cryptography: in effect they keep banks safe and credit cards secure.

This year Louis de Branges, a French-born mathematician now at Purdue University in the US, claimed a proof of the Riemann hypothesis. So far, his colleagues are not convinced. They were not convinced, years ago, when de Branges produced an answer to another famous mathematical challenge, but in time they accepted his reasoning. This time, the mathematical community remains even more sceptical.

"The proof he has announced is rather incomprehensible. Now mathematicians are less sure that the million has been won," Prof du Sautoy said.

"The whole of e-commerce depends on prime numbers. I have described the primes as atoms: what mathematicians are missing is a kind of mathematical prime spectrometer. Chemists have a machine that, if you give it a molecule, will tell you the atoms that it is built from. Mathematicians haven't invented a mathematical version of this. That is what we are after. If the Riemann hypothesis is true, it won't produce a prime number spectrometer. But the proof should give us more understanding of how the primes work, and therefore the proof might be translated into something that might produce this prime spectrometer. If it does, it will bring the whole of e-commerce to its knees, overnight. So there are very big implications."
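What "e-commerce depends on prime numbers" means in code, as an added example not taken from the article: textbook RSA with constructed primes small enough to split by trial division, the crude stand-in for the "prime spectrometer" du Sautoy describes. Whoever can factor n back into p and q recovers the private key. Real moduli use primes of a thousand bits or more, for which no efficient factoring method is known; note also that a proof of the Riemann hypothesis would not by itself supply one, so the collapse the article imagines needs a factoring algorithm, not a proof.

```python
"""Why e-commerce 'depends on prime numbers', and what would have to break.

Added example, not from the Guardian article. Textbook RSA with constructed
toy primes; trial division plays the 'prime spectrometer'. Real keys use
primes of 1024 bits or more, for which no efficient factoring method exists.
"""
from math import gcd, isqrt
from typing import Tuple


def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[int, int, int]:
    """Return (n, e, d). Security rests on n = p*q being hard to factor."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def rsa_encrypt(m: int, n: int, e: int) -> int:
    """Textbook RSA with no padding; only for showing the arithmetic."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


def factor(n: int) -> Tuple[int, int]:
    """Trial division: the attacker's 'prime spectrometer' for toy-sized n.

    Cost grows with sqrt(n); for a 2048-bit modulus that is about 2^1024
    steps, which is why RSA survives. Any method that made this step cheap
    would make the key recovery below cheap too.
    """
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is prime or 1")


def private_exponent_from_factors(n: int, e: int, p: int, q: int) -> int:
    """What a factoring oracle buys the attacker: the private exponent d."""
    if p * q != n:
        raise ValueError("p*q must equal n")
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed toy parameters: two primes an eavesdropper can split by hand.
    n, e, d = rsa_keygen(10007, 10009)
    c = rsa_encrypt(123456, n, e)
    p, q = factor(n)
    d_recovered = private_exponent_from_factors(n, e, p, q)
    print(f"n={n} factors={p},{q} recovered d matches={d_recovered == d}")
    print("attacker decrypts:", rsa_decrypt(c, n, d_recovered))
```

The dependence the quote points at is entirely in `factor`: the public key (n, e) is enough for the attacker once n splits, and nothing in the scheme limits the damage to one message.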

The Poincaré conjecture depends on the almost mind-numbing problem of understanding the shapes of spaces: mathematicians call it topology. Bernhard Riemann and other 19th century scholars wrapped up the mathematical problems of two-dimensional surfaces of three dimensional objects - the leather around a football, for instance, or the distortions of a rubber sheet. But Henri Poincaré raised the awkward question of objects with three dimensions. He had already done groundbreaking work in optics, thermodynamics, celestial mechanics, quantum theory and even special relativity and he almost anticipated Einstein. And then in 1904 he asked the most fundamental question of all: what is the shape of the space in which we live? It turned out to be possible to prove the Poincaré conjecture in unimaginable worlds, where objects have four or five or more dimensions, but not with three.

"The one case that is really of interest because it connects with physics, is the one case where the Poincaré conjecture hasn't been solved," said Keith Devlin, of Stanford University in California.

In 2002 a Russian mathematician called Grigori Perelman posted the first of a series of internet papers. He had worked in the US, and was known to American mathematicians before he returned to St Petersburg. His proof - he called it only a sketch of a proof - was very similar in some ways to that of Fermat's last theorem, cracked by the Briton Andrew Wiles in the last decade.

Like Wiles, Perelman is claiming to have proved a much more complicated general problem and in the course of it may have solved a special one that has tantalised mathematicians for a century. But his papers made not a single reference to Poincaré or his conjecture. Even so, mathematicians the world over understood that he tackled the essential challenge. Once again the jury is still out: this time, however, his fellow mathematicians believe he may be onto something big.

The plus: the multidimensional topology of space in three dimensions will seem simple at last and a million dollar reward will be there for the asking. The minus: the solver does not claim to have found a solution, he doesn't want the reward, and he certainly doesn't want to talk to the media.

"There is good reason to think the kind of approach Perelman is taking is correct. However there are some problems. He is very reclusive, won't talk to the press, has shown no indication of publishing this as a paper, which you would have to do if you wanted to get the prize from the Clay Institute, and has shown no interest in the prize whatsoever," Dr Devlin said.

"Has it been proved? We don't know. We have good reason to assume it has been and within the next 12 months, in the inner core of experts in differential geometry, which is the field we are speaking about, people will start to say, yes, OK, this looks right. But there is not going to be a golden moment."

The implications of a proof of the Poincaré conjecture would be enormous, but like the problem itself, very difficult to explain, he said. "It can't fail to have huge ramifications: not only the result, but the methods as well. At that level of abstraction, that level of connection, so much can follow. Differential geometry is the subject that is really underneath understanding everything about space and spacetime."

Seven baffling pillars of wisdom

1. Birch and Swinnerton-Dyer conjecture: Euclid geometry for the 21st century, involving things called abelian points and zeta functions and both finite and infinite answers to algebraic equations.

2. Poincaré conjecture: The surface of an apple is simply connected. But the surface of a doughnut is not. How do you start from the idea of simple connectivity and then characterise space in three dimensions?

3. Navier-Stokes equation: The answers to wave and breeze turbulence lie somewhere in the solutions to these equations.

4. P vs NP problem: Some problems are just too big: you can quickly check if an answer is right, but it might take the lifetime of a universe to solve it from scratch. Can you prove which questions are truly hard, which not?

5. Riemann hypothesis: Involving zeta functions, and an assertion that all "interesting" solutions to an equation lie on a straight line. It seems to be true for the first 1,500 million solutions, but does that mean it is true for them all?

6. Hodge conjecture: At the frontier of algebra and geometry, involving the technical problems of building shapes by "gluing" geometric blocks together.

7. Yang-Mills and Mass gap: A problem that involves quantum mechanics and elementary particles. Physicists know it, computers have simulated it but nobody has found a theory to explain it.

September 6, 2004 at 07:51 PM in Security

Trust and security in IT are a critical area for debate, says DTI

vnunet.com - Trust and security in IT are a critical area for debate, says DTI

Government offers grants to help debate on emerging science and technology
Bryan Glick, Computing 06 Sep 2004

Trust and security in IT and the internet is one of the critical areas for debate on emerging science and technology, according to the Department of Trade and Industry (DTI).

Lord Sainsbury, minister for science and innovation, has launched a £1.2m grant scheme to increase debate on six key areas by funding projects that help the public and scientists to work together.

Alongside trust and security, the DTI has identified nanotechnology and increasingly intelligent computer systems as IT-related subjects for discussion.

Sainsbury says new technologies have ethical, safety, wealth and environmental complications that need to be considered before they come to the market.

'New technologies create new exciting opportunities but can also raise concerns and fears,' he said.

'We have the opportunity to harness the potential of new science and technology for the good of all but there is understandable public unease about the rapid introduction of new technologies and their regulation.

'We need much greater consideration and debate by scientists, industry and government and the public of the regulatory issues raised by new technologies.'

The grant scheme forms part of a 10-year science and society agenda, which is one element of the DTI's Science and Innovation Framework 2004-2014, published in July.



September 6, 2004 at 11:35 AM in Security

August 18, 2004

Digital signatures 'could be forged'

By Declan McCullagh, CNET News.com
Computer scientists have uncovered flaws in an algorithm often used to encode digital signatures
Encryption circles are buzzing with news that mathematical functions embedded in common security applications have previously unknown weaknesses.

The excitement began Thursday with an announcement that French computer scientist Antoine Joux had uncovered a flaw in a popular algorithm called MD5, often used with digital signatures. Then four Chinese researchers released a paper that reported a way to circumvent a second algorithm, SHA-0.

While their results are preliminary, these discoveries could eventually make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature -- unless a different, more secure algorithm is used.

A third announcement, which was even more anticipated, took place on Tuesday evening at the Crypto 2004 conference in California. The other papers also were presented at the conference.

Eli Biham and Rafi Chen, researchers at the Israel Institute of Technology, originally were scheduled to present a paper identifying ways to assail the security in the SHA-0 "Secure Hash Algorithm," which was known to have imperfections. In a presentation on Tuesday evening, however, Biham reported some early work toward identifying vulnerabilities in the SHA-1 algorithm, which is believed to be secure.

Biham's presentation was very preliminary, but it could call into question the long-term future of the wildly popular SHA-1 algorithm and spur researchers to identify alternatives.

Currently considered the gold standard of its class of algorithms, SHA-1 is embedded in popular programs like PGP and SSL. It's certified by the National Institute of Standards and Technology and is the only signing algorithm approved for use in the US government's Digital Signature Standard. SHA-1 yields a 160-bit output, which is longer than MD5's 128-bit output and is considered more secure.

Jim Hughes, general chairman of the Crypto 2004 conference, said on Tuesday morning that the news was sufficiently important that he was organising the first Webcast in the conference's 24-year history. "There are three significant rump session papers on hash collisions that will be presented," including an update on Joux's findings, Hughes said in a message to a cryptography-related mailing list.

Unique fingerprints
"If you could find two contracts that hash out to the same signature, you could replace one with the other and in a court of law there would be at least an ambiguity about which one is valid," Hughes, a senior fellow at StorageTek, said in a telephone interview. "That's a very significant possibility."

The MD5, SHA-0, and SHA-1 algorithms are known to computer scientists as hash functions. They take all kinds of input, from an email message to an operating-system kernel, and generate what's supposed to be a unique fingerprint. Changing even one letter in the input file results in a completely different fingerprint.

Security applications rely on these fingerprints being unique. But if a malicious attacker could generate the same fingerprint with a different input stream, the cloned fingerprint -- known as a hash collision -- would certify that software with a back door is safe to download and execute. It would help a crook who wanted to falsely sign an email instructing that someone's bank account be emptied.

Because researchers have long known that no practical encryption algorithm can be completely secure, they attempt to design ones that take an inordinately long time to generate duplicate fingerprints. SHA-1 is regarded as secure because it is not possible to knowingly generate hash collisions using existing techniques.

The SHA-1 algorithm relies on a computer executing a routine 80 times in an attempt to create a unique fingerprint. Biham said that he had been able to duplicate the fingerprint for 36 of those 80 rounds.

If vulnerabilities similar to those identified in SHA-0 are eventually discovered in SHA-1, that would mean that attempts to forge a fingerprint would be accelerated by about 500 million times -- putting it within theoretical reach of a network of fast PCs.

The weakness in the MD5 algorithm may be the more immediate threat. The open-source Apache Web server product uses MD5 hashes to assure the public that source code on dozens of mirror sites is not modified and is safe to run. So does Sun Microsystems' Solaris Fingerprint Database, which the company says can "verify that a true file in an official binary distribution is being used, and not an altered version that compromises system security".

MD5's flaws that have been identified in the past few days mean that an attacker can generate one hash collision in a few hours on a standard PC. To write a specific backdoor and cloak it with the same hash collision may be much more time-intensive.

Still, Hughes says that programmers should start moving away from MD5. "Right now the algorithm has been shown to be weak," he said. "Before useful (attacks) can be done, it's time to migrate away from it."
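The two points the article makes about fingerprints (a one-letter change produces a completely different digest, and an integrity check is only as strong as the hash it trusts) can be shown in code. The following is an added example, not code from the article or from Apache or Sun: a small verifier for a constructed "algo digest filename" manifest that refuses the algorithms the article reports as weakened, plus a helper that counts how many digest bits flip between two inputs.

```python
import hashlib
import hmac

# Algorithms the article reports as broken (MD5, SHA-0) or under attack
# (SHA-1). A verifier written after this news should not trust them alone.
DEPRECATED = {"md5", "sha0", "sha1"}

# Constructed sample download and manifest (not real Apache or Sun data).
# The md5 digest below is a placeholder: it is never hashed because the
# verifier rejects the entry before computing anything.
SAMPLE_FILE = b"constructed sample archive bytes\n"
MANIFEST_TEXT = (
    f"sha256 {hashlib.sha256(SAMPLE_FILE).hexdigest()} httpd-sample.tar.gz\n"
    "md5 00000000000000000000000000000000 legacy-sample.tar.gz\n"
    "nosuchhash deadbeef odd-sample.bin\n"
    "this line is malformed\n"
)


def parse_manifest(text):
    """Parse '<algo> <hexdigest> <filename>' lines into {filename: (algo, digest)}.
    Malformed lines are skipped; unknown algorithms are kept so the caller decides."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        algo, digest, name = parts
        entries[name] = (algo.lower(), digest.lower())
    return entries


MANIFEST = parse_manifest(MANIFEST_TEXT)


def verify_download(name, data, manifest, allow_deprecated=False):
    """Return (ok, reason). ok is True only when the manifest names a supported,
    non-deprecated algorithm and the digest of data matches the published one."""
    if name not in manifest:
        return False, "no manifest entry"
    algo, expected = manifest[name]
    if algo in DEPRECATED and not allow_deprecated:
        return False, f"{algo} is deprecated for integrity checks"
    try:
        h = hashlib.new(algo)
    except ValueError:
        return False, f"unknown algorithm {algo}"
    h.update(data)
    # Constant-time comparison: do not leak where the digests first differ.
    if hmac.compare_digest(h.hexdigest(), expected):
        return True, "ok"
    return False, "digest mismatch"


def differing_bits(a, b, algo="sha256"):
    """Hamming distance between the digests of a and b: roughly half the digest
    bits flip for any change, which is what makes a fingerprint useful."""
    da = int(hashlib.new(algo, a).hexdigest(), 16)
    db = int(hashlib.new(algo, b).hexdigest(), 16)
    return bin(da ^ db).count("1")


if __name__ == "__main__":
    print(verify_download("httpd-sample.tar.gz", SAMPLE_FILE, MANIFEST))
    print(verify_download("legacy-sample.tar.gz", SAMPLE_FILE, MANIFEST))
    print(differing_bits(SAMPLE_FILE, SAMPLE_FILE.replace(b"s", b"S", 1)))
```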

August 18, 2004 at 03:00 PM in Security

August 13, 2004

Biometrics Creeping Into Everyday Life

Yahoo! News - Biometrics Creeping Into Everyday Life

Thu Aug 12, 2:04 PM By BRIAN BERGSTEIN, AP Technology Writer
NEW YORK -
Stuffing something in a public locker usually isn't a memorable experience. You drop a coin, take the key and move on. But at the Statue of Liberty, recently reopened after a two-year closure, stashing a package offers a glimpse into the future. To rent, close and reopen lockers, visitors touch an electronic reader that scans fingerprints.


"It's easy," Taiwanese visitor Yu-Sheng Lee, 26, said after stowing a bag. "I think it's good. I don't have to worry about a key or something like that."


Like nearly every other tourist at the statue that day, this was Lee's first experience with biometrics: the identification of an individual based on personal characteristics like fingerprints, facial features or iris patterns.


While the technology is not new, having seen use for years to restrict access in corporate and military settings, it is only now creeping into everyday life. Over the next few years, people currently unfamiliar with the technology will be asked to use it in everything from travel settings to financial transactions.


The Nine Zero, an upscale hotel in Boston, recently began letting guests in its $3,000-a-night Cloud Nine suite enter and exit by looking into a camera that analyzes their iris patterns. Piggly Wiggly Co. grocery stores in the South just launched a pay-by-fingerprint system, though pilot tests elsewhere have had lukewarm results.


"All these customer-facing applications, they're emerging," said Joseph Kim, a consultant with the International Biometric Group, which follows the industry. "We'll be seeing a lot more very, very soon. Whether that sticks or not depends on how customers feel about it."


Feelings seemed mixed about the lockers at the Statue of Liberty on a muggy New York afternoon last week.


Some people were befuddled by the system and had to put their fingers on the reader several times before a scan was properly made. Others forgot their locker number upon their return, or didn't remember which finger they had used to check it out. One young woman accidentally put her ticket to the statue in the locker, requiring her to open it and then re-register it all over again with another finger scan.


With all the confusion, lines at the three touchscreen kiosks that control the bank of 170 lockers frequently stretched six or seven people deep, requiring a five-minute wait.


"I think it's overly complicated. It takes too much time," said Stephen Chemsak, 26, who lives in Japan. To him the old-fashioned key system would have been much better.


The lockers were made necessary by new security measures at the statue that include a ban on large packages. Brad Hill, whose family business, Evelyn Hill Inc., has run the island's concessions for 73 years, decided that the usual public lockers would be problematic because people often lose the keys. And that seemed to become even more likely now that tourists have to empty their pockets for a metal detector on their way into the statue.


"Biometrics seemed the most logical choice," he said. After all, he added with a laugh, people "don't lose their finger."


Hill expects visitors will find the lockers easier once they get used to them. Representatives from the locker maker, Smarte Carte Inc., say the biometric aspect often requires a fair amount of coaching, especially for people who aren't very familiar with computers.


Smarte Carte's fingerprint lockers were introduced two years ago at the Minneapolis-St. Paul airport, and also can be found in Chicago's Union Station and the Universal Studios and Islands of Adventure theme parks in Florida.


The company adopted the biometric system for the airport lockers to assure the Transportation Security Administration that the bins could not be rented by one person then opened by someone else.


Fingerprint biometric systems generally work by reducing the image of a print to a template, a mathematic algorithm that gets stored in a database and can be checked when the person returns for later scans. In applications like the biometric lockers, the print itself is not stored or sent to authorities.


However, prints are being run through terrorist watch lists in the biggest deployment of biometrics yet: the federal government's new system for tracking foreign travelers.

Now in its early stages, the program, known as US-VISIT, calls for visitors to go through biometric scans to ensure that they are who their visa or passport says they are. Passports issued by the United States and other countries are getting new chips that will have facial-recognition data, and other biometrics might be added.

Separately, iris-scanning systems have cropped up in European airports as a way to speed immigration controls.

But you won't have to be a jet-setter to encounter biometrics more and more. For one, it's increasingly being used to control access to computers.

And scattered grocery stores have tested systems that let consumers check out with a touch of a fingerprint scanner. Piggly Wiggly recently installed such a system at four South Carolina stores and expects to expand it to 116 other outlets, saying it offers speed, convenience and protection against credit card theft.

Other pay-by-fingerprint systems, including one tested several years ago at a McDonald's in Fresno, Calif., haven't met with much enthusiasm.

But that could change now that credit card fraud and identity theft have emerged as bigger problems, said Dean Douglas, a services vice president at IBM Corp., which is handling the back-end technology for Piggly Wiggly's finger-scanning system.

"Within the next five to 10 years," Douglas predicted, "we're going to see biometrics play an increasingly large part of consumer transactions."

___

On the Net:

http://www.smartecarte.com/lockers

http://www.biometricgroup.com

August 13, 2004 at 08:18 AM in Security

July 23, 2004

Report Faults Cyber-Security

Yahoo! News - Report Faults Cyber-Security

Fri Jul 23,10:39 AM By Jonathan Krim, Washington Post Staff Writer
The Department of Homeland Security's efforts to battle computer-network and Internet attacks by hackers and other cyber-criminals suffer from a lack of coordination, poor communication and a failure to set priorities, according to an internal report released yesterday.


The report, by the department's inspector general, said the shortcomings of the National Cyber Security Division leave the country vulnerable to more than mere inconvenience to businesses and consumers.


The division "must address these issues to reduce the risk that the critical infrastructure may fail due to cyber attacks," the report said. "The resulting widespread disruption of essential services after a cyber attack could delay the notification of emergency services, damage our economy and put public safety at risk."


Among the report's recommendations is that the division develop a process for overseeing efforts of federal, state and local governments to better protect their systems.


The report cited progress in some areas since the division was formed in June 2003 as part of the federal reorganization that created the DHS. It praised the creation of a cyber-security coordination center called US-CERT, and an alert system that includes a Web site and automated notification to tech-security professionals of security threats making their way through cyberspace.


But the report comes at a time of heightened frustration among technology company executives and members of Congress that cyber-security is not getting enough attention and is poorly understood by some senior department officials. The issue is not just the possibility of a broad cyber-terrorist attack, those people say, but the daily attacks that are costing U.S. businesses and computer users hundreds of millions of dollars a year and countless hours of lost productivity.


"If we are at war, as Bush and [Homeland Security Secretary Tom] Ridge say we are . . . based on this report, we are clearly not on a war footing on cyber-security, or in DHS," said F. William Conner, chief executive of Entrust Inc., a Texas cyber-security company. "I read about the progress, but they've got the wrong measuring stick. Progress has to be measured against external risk."


Especially irksome to some executives and security experts is that the department has not adopted some of the practices they argue that government agencies, companies and organizations should employ to reduce the risk of cyber-attacks.


"The department as a whole isn't leading by example," said Alan Paller, head of the SANS Institute in Bethesda, a computer security research group. Paller, who praises some of the cyber division's work, said the department should take the lead in using its buying power to demand that software vendors make their products more secure. Paller said the agency is not doing so.


Paul Kurtz, head of the recently formed Computer Security Industry Alliance, a corporate trade group, said the DHS was reluctant to participate in a cyber-security exercise sponsored by Dartmouth University, and did so only after pressure from the White House.


Kurtz added that follow-through has been poor on the government's highly touted public-private partnership with industry to address security issues. That effort was part of a White House directive on cyberspace that mandated tighter controls for federal agencies but called for a voluntary plan for the private sector. After a meeting late last year, the partnership yielded five major reports and dozens of recommendations, but little in the way of further action.


"Not enough is happening" even to fulfill the Bush directive, said Rep. Zoe Lofgren (D-Calif.), who represents Silicon Valley.


To try to increase attention on cyber-security, several industry groups are supporting a bill co-sponsored by Lofgren and Rep. William M. "Mac" Thornberry (R-Tex.) that would elevate the director of the cyber division, currently Amit Yoran, to assistant secretary with more direct access to top DHS officials.


But Robert P. Liscouski, assistant secretary for information analysis and infrastructure protection, who oversees the Cyber Security Division, said the notion of separating attention on cyber-threats from overall infrastructure protection would be bad policy.


"Cyber . . . is a very key priority for us," said Liscouski, a former police officer and Coca-Cola Co. security executive. But elevating it to special status "is a step back," he said, arguing that physical and cyber-security are closely connected.


Thornberry said that philosophy is "kind of a dumbing down of our cyber-security efforts. Cyber has some unique features."


Liscouski said he also has to focus on where the greatest threat lies and that overall he thinks the division is making progress.

"The fact that I'm not on the bully pulpit is more a reflection of where our threat is," he said, referring to tech industry's desire that the Homeland Security Department take a lead role in pushing companies to make cyber-security a top priority. "The dominant threat has been a physical threat."

He acknowledged the department's initial reluctance to participate in the Dartmouth exercise because the division was still organizing itself and might not have been able to "engage in a meaningful way." But he said it was highly valuable in the end.

Industry executives say that if, as the administration has said, it wants to rely on their expertise to help formulate cyber-security policy, it should heed their advice now.

Harris N. Miller, head of the Information Technology Association of America, said his group "continues to be concerned that DHS does not have adequate resources devoted to cyber-security and that the cyber-security head does not have adequate visibility within the bureaucracy. Improvements are coming, but slowly. The question is whether the nation can afford to wait."

July 23, 2004 at 10:48 PM in Security

July 19, 2004

Body movement to create music

BBC NEWS | Technology | Body movement to create music

By Jane Wakefield
BBC News Online technology staff

Sound engineers could ditch their mixing desks if the work of researchers at Leeds University becomes reality.

Scientists are developing ways of capturing human movement in three dimensions which would allow music to be created with the gesture of an arm.

It would eliminate the need for music technicians to twiddle hundreds of knobs to achieve the perfect sound.

The technique could also be used for scrolling a webpage, especially useful for people with limited mobility.

Tiny balls

The system is being developed at the school of music in the University of Leeds.

Dr Kia Ng of the Interdisciplinary Centre for Scientific Research in Music is leading the project, which captures 3D movements using infra-red light.

The light is projected onto tiny reflective balls attached to clothing and monitored by 12 cameras.

The computer recognises the changing positions of the balls and turns different gestures into instructions for music software.

Musical moves

"Effectively a person could play a note by blinking an eye or moving a foot. The possibility is for anybody to control a musical composition," Dr Ng told the BBC programme Go Digital.

Of course there are risks that the wrong gesture could lead to a bum note, so the system is also going to have a more pre-composed system that can intelligently guess what a series of gestures represents.

"The biggest challenge is to train the system to anticipate movement," said Dr Ng.

"To make sense of a gesture it needs to know not only where an object has been and where it is, but also where it will be," he added.

He is hopeful that the system can be put to the test at a live concert by the end of next year.

You can hear more about the research on the BBC World Service programme, Go Digital

July 19, 2004 at 08:22 PM in Security

July 15, 2004

UK companies in 'blissful ignorance' over spyware threat

By Munir Kotadia, ZDNet UK
Survey: Fewer than one in seven UK companies recognise that malicious emails could expose their networks to a corporate spy, say MessageLabs

UK companies are finally wising up to the importance of deploying software patches and keeping their antivirus signatures up to date, but the increasing threats from Trojans and spyware have still not sunk in, according to a survey conducted by email security services firm MessageLabs.

According to the survey, only one in five companies say the theft of confidential or sensitive information is their main email-based security threat, and just one in seven firms say email provides the potential for industrial espionage.

Natasha Staley, information security analyst at MessageLabs, said companies seem to be missing the link between spam and industrial espionage. She said that although companies know that viruses and spam can be dangerous, they don't see them as a security breach.

"When it comes to industrial espionage and the leakage of confidential information, companies seem to be saying 'I don't think it is going to happen to me. It is something I read about and it sounds pretty terrible, but I'm fairly certain I'm okay'," said Staley.

Graham Cluley, senior technical consultant at antivirus firm Sophos, said the volume of spyware is increasing and much of it is arriving on the corporate desktop thanks to a helping hand from more traditional malware.

"There is a lot of spyware out there and a lot of viruses, worms and Trojans that are interested in spying and collecting information. Email is an avenue for data to leak out and this type of malicious code to get in," Cluley said.

Mark Sunner, chief technology officer at MessageLabs, said this convergence of various email threats has created a "more damaging and complex breed of email security threat", which he believes could "mortally damage" email.

"Almost without exception, every virus we have seen during 2004 has compromised infected machines and allowed them to be remotely commandeered," said Sunner.

However, Sophos' Cluley said the main victims of spyware will be smaller companies that do not have "teams of people dedicated to protecting their computers".

July 15, 2004 at 10:54 PM in Security

July 08, 2004

Wachovia rolls out RSA Security's digital certificate management software

finextra news: Wachovia rolls out RSA Security's digital certificate management software

17 May 2004 - US bank Wachovia has implemented RSA Security's Keon digital certificate management software to secure access to its customers' personal and financial information.

Wachovia uses digital certificates as a form of electronic identification to ensure the identity of customers and employees who need to access financial data. The bank has installed RSA's Keon software to automate and centralise the administration of its digital certificate management policies and procedures.

The system enables Wachovia to distribute certificates inhouse to create digital signatures, which are applied to electronic versions of customers' contracts and orders. The software also enables the bank to quickly update and alter certificates as needed and issue new certificate authorities immediately.

Keon also includes a OneStep feature which is designed to automatically approve and issue certificates to authenticated users. RSA's professional services team will embed certificates with the RSA Keon OneStep software feature to meet Wachovia's authentication requirements.

"We needed to ensure our customers that information stored within our applications and on our servers was being accessed securely and exclusively by Wachovia employees," says Tony Suarez, vice president of Wachovia Encryption Technologies. "RSA Keon software allows us to effectively manage and control secure access to business-critical information within Wachovia."

July 8, 2004 at 08:05 AM in Security

July 07, 2004

National Australia Bank to use SMS to beat phishers

finextra news: National Australia Bank to use SMS to beat phishers

06 July 2004 - National Australia Bank is to use SMS messaging to provide PIN-protected access to Internet banking services for online customers.

Under the scheme, NAB customers will be invited to register their mobile phone numbers with the bank. Each time a registered user tries to log on to their accounts, the bank will send a unique PIN-entry code by SMS to their mobile.

The bank plans a pilot of the programme in September and full roll-out to its one million online banking customers next year.


This two-factor authentication system is intended to crack down on phishing fraud, which has plagued banks down under.


NAB is not alone in evaluating new schemes to beat the fraudsters. Bendigo Bank has also announced plans to offer its 70,000 Internet banking customers keyring-sized authentication tokens which generate a new password every time a customer logs on to the Net.

The bank says it has yet to decide who will foot the bill for the devices, which are expected to cost up to A$15 each.
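The NAB scheme described above (register a mobile number; on each login the bank sends a fresh code by SMS) is a second factor only if the code is unpredictable, short-lived, single-use and limited in guesses. The following is an added example of that server-side logic, not NAB's system or any bank's code; the SMS gateway is replaced by a pluggable send function, the customer ids and phone number are constructed, and the 300-second lifetime and three-attempt limit are assumed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 300   # assumed lifetime of a code (not a value from the article)
MAX_ATTEMPTS = 3        # assumed guess limit per issued code


@dataclass
class PendingLogin:
    pin: str
    issued_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Issue one code per login attempt and verify it exactly once.

    send_sms(mobile, text) stands in for the bank's SMS gateway; clock() is
    injectable so expiry can be tested without sleeping.
    """

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms
        self.clock = clock
        self.registered = {}   # customer id -> registered mobile number
        self.pending = {}      # customer id -> PendingLogin

    def register_mobile(self, customer, mobile):
        """Step one of the scheme: the customer registers a mobile number."""
        self.registered[customer] = mobile

    def start_login(self, customer):
        """Called after the password check passes. Returns True if a code was sent."""
        mobile = self.registered.get(customer)
        if mobile is None:
            return False
        # secrets, not random: the code must not be predictable from earlier ones.
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        # Any earlier unused code for this customer is replaced, not kept alive.
        self.pending[customer] = PendingLogin(pin, self.clock())
        self.send_sms(mobile, f"Your one-time login code is {pin}")
        return True

    def complete_login(self, customer, submitted):
        """Return True only for the current, unexpired code, within the guess limit."""
        p = self.pending.get(customer)
        if p is None:
            return False
        if self.clock() - p.issued_at > PIN_TTL_SECONDS:
            del self.pending[customer]          # expired: a new login must be started
            return False
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self.pending[customer]          # too many guesses: invalidate the code
            return False
        if hmac.compare_digest(p.pin, submitted):
            del self.pending[customer]          # single use: the code cannot be replayed
            return True
        return False


if __name__ == "__main__":
    outbox = []
    factor = SmsSecondFactor(lambda mobile, text: outbox.append((mobile, text)))
    factor.register_mobile("customer-1", "+61 4xx xxx xxx")   # constructed number
    factor.start_login("customer-1")
    code = outbox[-1][1].split()[-1]
    print("first use:", factor.complete_login("customer-1", code))    # True
    print("replay:", factor.complete_login("customer-1", code))       # False
```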

July 7, 2004 at 02:41 PM in Security

Tackling the threat from portable storage devices

Tackling the threat from portable storage devices - ZDNet UK Insight
Ruggero Contu
Gartner
July 05, 2004, 17:10 BST

USB flash drives, MP3 players and the like are everywhere nowadays. Giving your staff free rein to use them at work could lead to breaches of security and loss of data

Analysis
Businesses are increasingly putting themselves at risk by allowing the unauthorised and uncontrolled use of portable storage devices. We show which strategies and technologies organisations should adopt to manage them securely.


What are the security concerns?
The use of unauthorised portable storage devices poses many dangers, not least for the malicious code that they can introduce. High data capacity and transfer rates, and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device has the capacity to quickly download much valuable corporate information, which can be easily leaked to the outside world.


This underlying vulnerability has existed since the release of Microsoft Windows 2000, the first widely deployed operating system able to mount a USB storage device automatically.


Portable devices include any kind of pocket-sized portable FireWire hard drive, like those from LaCie or Toshiba, or USB hard drive or keychain drive, such as M-Systems' DiskOnKey. They also include disk-based MP3 players, such as Apple's iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media.


The devices pose two kinds of threat.

Intentionally or unintentionally, users can bypass perimeter defences such as the firewall and the antivirus scanner at the mail server, and introduce malware such as Trojan horses or viruses that, if not discovered, can cause serious damage.
Companies are at risk of losing intellectual property and other critical corporate data. Portable storage devices are ideal for anyone intending to steal sensitive and valuable data. Employees may also be responsible for losing data if they inadvertently mislay these devices.

The impact of the latter goes beyond the commercial value of the data for two reasons.

There are different privacy laws in different countries. This means there is more risk of legal action if personal information belonging to corporate clients or employees ends up in the hands of an unauthorised third party.
Companies' reputations may be damaged as a consequence of information leaks. This is particularly the case for those operating in areas where client privacy must be preserved, such as the financial market.

What are company requirements and strategies for deploying these devices in the workplace?

Companies should forbid the use of uncontrolled, privately owned devices with corporate PCs. The prohibition should extend to employees, and external contractors with direct access to corporate networks.
Portable storage devices can undoubtedly provide real practical benefits to a company and its workforce, and in many cases it would be impractical and counterproductive to ban their use outright.
A controlled approach would be a safer option. This would involve adopting certain security measures in terms of overall organisation (policy) and specific tools (technology).

What are the best practices in managing these devices?

These general security recommendations can apply to a whole range of portable storage devices.
Adopt a suitable security policy on using portable storage devices
Create a specific policy to help outline company guidelines on using portable storage devices by specifying if, and when, they can be used.

Managers should advise on the main procedures to be followed for the eventual use of such devices; for instance, to confirm the need for password and security protection (encryption) of stored corporate data. This will also help mitigate risks from loss or theft.

Make provision for training to increase awareness of the need for security in this area. A security-conscious workforce will be less likely to unwittingly leak sensitive information, by misplacing a storage device, for instance.
Use tools to manage access to USB and FireWire ports.

Adopt personal firewalls to limit what can be done on USB ports. Leading products to consider are from vendors like Sygate Technologies, Zone Labs and Symantec. For a more detailed marketplace and product evaluation, see "Magic Quadrant for Personal Firewalls, 1H03".
Look at other products that can control ports selectively. SecureWave offers a host-based security solution, where administrators can create rules on the use of PCs to control applications and devices. This allows only authorised devices to be used and bars access to unauthorised ones.
Use more traditional, host-based intrusion prevention products to enforce compliance. This is a less straightforward process, but the system can be set to generate alerts whenever a portable device connects to a system, so that user activity is monitored and individual access rights are enforced rather than merely documented.
Consider employing mobile data protection products to encrypt corporate or sensitive data. The Encrypting File System (EFS) is a widely available feature of the Microsoft Windows operating system. Vendors like Pointsec Mobile Technologies, Information Security Corporation and PC Guardian Technologies offer alternative specialist solutions. For a more detailed insight into the mobile data encryption marketplace, see "Magic Quadrant for Mobile Data Protection, 1H04" and "Mobile Data Protection Magic Quadrant Criteria, 1H04".
Consider using digital rights management technology as part of a wider protection strategy for proprietary information

On a broader level, and especially for those industries where intellectual property is of critical importance, the use of digital rights management software ensures the persistent protection of digital assets by maintaining constant control over their use and distribution. Vendors like Microsoft, Authentica, Liquid Machines and SealedMedia offer products that protect documents and files sent via email, or are generally shared across the wide company network.


As a general security best practice, managers should implement a desktop lockdown policy. They should also consider disabling automatic plug-and-play installation of new hardware, after pre-installing the drivers for the devices they wish to permit, so that only authorised devices can be used.
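The allow-listing and alerting the two tool recommendations above describe can be shown end to end on host log data. The following is an added example, not Gartner's or any named vendor's code: it correlates Linux kernel USB enumeration messages into one event per mass-storage attachment, compares each device's vendor ID, product ID and serial number against an allow-list of company-issued keys, and raises an alert for anything else. The host name, device IDs, serial numbers and the allow-list are all constructed for the example; a wireless-mouse receiver is included in the sample so that the policy is seen to fire on the storage class only, not on every USB device.

```python
"""Alert on unauthorised USB mass-storage attachment from host log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: Linux kernel messages for a corporate USB key, a
# disk-based music player and a wireless-mouse receiver. Host name,
# vendor/product IDs and serial numbers are hypothetical.
SAMPLE_LOG = """\
Jul 07 09:12:01 ws-017 kernel: usb 1-2: new high-speed USB device number 4 using ehci_hcd
Jul 07 09:12:01 ws-017 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Jul 07 09:12:01 ws-017 kernel: usb 1-2: SerialNumber: 4C530001230920112345
Jul 07 09:12:02 ws-017 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jul 07 09:40:15 ws-017 kernel: usb 1-3: New USB device found, idVendor=05ac, idProduct=1201
Jul 07 09:40:15 ws-017 kernel: usb 1-3: SerialNumber: 000A27001E3B1F2C
Jul 07 09:40:16 ws-017 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Jul 07 10:02:44 ws-017 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c52b
"""

DeviceKey = Tuple[str, str, str]  # (idVendor, idProduct, serial)

# Hypothetical allow-list: only the company-issued, encrypted key is approved.
APPROVED: Set[DeviceKey] = {("0781", "5567", "4C530001230920112345")}

HEAD = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: ")
NEW_DEVICE = re.compile(
    r"usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r"usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(r"usb-storage (?P<port>[^:\s]+):\S+ USB Mass Storage device detected")


@dataclass(frozen=True)
class StorageAttach:
    timestamp: str
    host: str
    port: str
    vid: str
    pid: str
    serial: Optional[str]  # cheap devices often report none


def parse_storage_attachments(log_text: str) -> List[StorageAttach]:
    """Correlate per-port enumeration lines into one event per mass-storage attach."""
    pending: Dict[str, Dict[str, Optional[str]]] = {}
    events: List[StorageAttach] = []
    for line in log_text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue
        if m := NEW_DEVICE.search(line):
            pending[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "serial": None}
        elif (m := SERIAL.search(line)) and m["port"] in pending:
            pending[m["port"]]["serial"] = m["serial"]
        elif (m := STORAGE.search(line)) and m["port"] in pending:
            # Only the storage class produces an event; the mouse receiver never gets here.
            d = pending.pop(m["port"])
            events.append(StorageAttach(head["ts"], head["host"], m["port"],
                                        d["vid"], d["pid"], d["serial"]))
    return events


def check_policy(events: List[StorageAttach], approved: Set[DeviceKey]) -> List[str]:
    """Fail closed: anything not on the allow-list, including a device with no serial, is an alert."""
    alerts: List[str] = []
    for e in events:
        if e.serial is None or (e.vid, e.pid, e.serial) not in approved:
            alerts.append(f"{e.timestamp} {e.host}: unauthorised mass-storage device "
                          f"{e.vid}:{e.pid} serial={e.serial or '<none>'} on port {e.port}")
    return alerts


if __name__ == "__main__":
    for alert in check_policy(parse_storage_attachments(SAMPLE_LOG), APPROVED):
        print(alert)
```

Two design points matter in practice. A missing serial number is treated as unauthorised rather than ignored, because otherwise any device that omits one slips through the allow-list. And a serial number can be cloned by a device presenting itself as the approved key, so this kind of monitoring complements the port lockdown recommended above rather than replacing it.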


Businesses must ensure that the right procedures and technologies are adopted to securely manage the use of portable storage devices like USB "keychain" drives. This will help to limit damage from malicious code, loss of proprietary information or intellectual property, and consequent lawsuits and loss of reputation.


Key issues
How can enterprises comply with international and local regulations for security and personal data privacy, and how can IT security policies be tailored for specific regulatory entities?

July 7, 2004 at 08:20 AM in Security

July 06, 2004

Japan's E-Airport Plan Includes Biometrics

International Government Navigator

JAL to pilot e-check-in
Early next year Japan Airlines will pilot test an "e-check-in" system at Tokyo's Narita Airport using biometric technology, including facial recognition, according to an article in Aviationnow.com. JAL will be joined in the test by the New Tokyo International Airport Authority, NTT Docomo and Matsushita Electrical Industries.

July 6, 2004 at 10:14 PM in Security

UK cardholders flout PIN security guidelines

finextra news: UK cardholders flout PIN security guidelines

05 July 2004 - Two per cent of cardholders in the UK - approximately 700,000 consumers - carry PIN numbers together with their payments cards, according to research by NOP World Financial on behalf of Halifax Card Services.

Furthermore, Halifax says a couple of those interviewed admitted to writing their PIN number on their actual card.

Commenting on the research, Ian Corfield, head of Halifax Card Services, says: "It's important that once you have your PIN number you either store it in a secure place or destroy it completely. If you're having trouble remembering your PIN you can easily change it to a number you can remember."

The survey also showed that 41% of respondents carried enough information in their wallets to allow their identity to be stolen. According to the research two out of five consumers carry some form of identification in the same place as their payment cards - usually in the form of a driver's licence.

Corfield adds: "Our research showed that a worrying number of us carried more than enough information in our wallets to allow would-be thieves to steal our identity. Fraudsters only need a few pieces of information and carrying it all in one place can therefore be very risky."

The bank recommends that consumers keep forms of identification - such as driver's licences - in a separate place to their payment cards and to take receipts home, check them against statements and then destroy them.

July 6, 2004 at 07:48 AM in Security

Pop up malware labelled 'huge threat' to financial industry

finextra news: Pop up malware labelled 'huge threat' to financial industry

01 July 2004 - A malicious item of code that exploits unpatched security flaws in Internet Explorer to intercept online banking passwords has been found on Web pop-up ads.

The malware, which has been identified by the SANS Institute, is programmed to pass on data from secure sessions between user PCs and the URLs of up to 50 banking websites worldwide. The trojan grabs any outbound data from within IE before it is encrypted by SSL and feeds it back to a Web server in Estonia.

The file is automatically downloaded to user PCs under the guise of a compressed image from pop-up ads delivered by third-party Web servers that appear to have been hacked.

SANS analyst Tom Liston comments: "I believe that this particular type of malware represents a huge threat to the online financial industry. As the proliferation of ad/spyware shows, installing executable software on users machines is far too easy."

The latest warning comes less than a week after it was discovered that certain Web sites running Microsoft Internet Information Server 5.0 had been hacked and programmed to install similar keylogging spyware on passing browsers.

Both scams exploit an as yet unpatched flaw in Microsoft's Internet Explorer Web browser. Web surfers are being advised to switch to alternative browsers such as Mozilla and Opera until Microsoft releases a new set of patches.

July 6, 2004 at 07:47 AM in Security

June 28, 2004

Web is terror's tool and trap

TheStar.com - Web is terror's tool — and trap

Internet spreads a motherlode of data for police

ANICK JESDANUN
ASSOCIATED PRESS

NEW YORK—Al-Qaida-linked terror groups and their sympathizers have in recent months made a big splash on the Internet, making it their communications channel of choice.

They're benefiting from free discussion boards, e-mail accounts and other online forums for propaganda, recruitment, fund-raising and even planning.

If law enforcement has done little to squelch these outlets, it's only in part because of the difficulty of catching moving targets. More importantly, these online soapboxes can provide investigators with crucial leads.

"It's a game of cat and mouse in which the cat is always going to be behind," said Michael Vatis, former cybersecurity director at the FBI. "It's a more effective strategy to actually use these sites for gathering intelligence rather than engaging in a futile effort to shut them down.''

Mark Rasch, a former U.S. justice department computer crimes prosecutor, said he wouldn't be surprised if law enforcement agencies set up some of these forums much as undercover investigators create phony businesses to lure mobsters.

When such sites do get shut down, it's generally the work of hackers or the private Web hosting companies that unwittingly allow them to publish online, said Gabriel Weimann, who studies terrorism online at the U.S. Institute of Peace.

In recent weeks, sites and discussion boards carrying gruesome images and video of beheaded Americans quickly went offline. At one, a message from the kidnappers of Paul M. Johnson Jr. was replaced by a disclaimer saying the hosting company does not support terrorism and had removed the material for violating its use policies.

But it doesn't take long for word to spread through chat rooms and discussion boards about new locations. By the time an extremist venue closes, its messages have likely been duplicated at many other forums.

A discussion forum that went down shortly after the appearance of images of Johnson's beheading in Saudi Arabia re-emerged later with new links to the images as well as those of a slain Korean captive in Iraq.

FBI officials in Washington declined requests for interviews for this story, citing continuing investigations. Saudi authorities also would not talk about their efforts to monitor Internet discussions, including those connected to Johnson's kidnappers.

Separate research conducted by Weimann, Dartmouth College and The Associated Press found terrorists to be using the Internet in several ways:

Propaganda. Terrorists make demands, try to elicit sympathy, attempt to instill fear and chaos and to explain themselves. The Web lets them offer up gruesome video images that broadcasters would reject.

Recruitment. Chat rooms are monitored and questionnaires sent to prospects, though recruits must often pass many tests online and offline before they are accepted.

Fund-raising. Sites solicit donations to charities that may serve as fronts for terror groups, in many cases by providing mailing addresses and wire-transfer accounts.

Planning. Free e-mail accounts connect members around the world. Messages are often encrypted, and Dartmouth researchers say online manuals even discuss ways to avoid detection. Following a security crackdown in Saudi Arabia, one poster warned "fighters'' to avoid a certain geographical location.

"Politicians and, of course, commercial interests effectively use the Internet to convey their message, appeal for support and attract ... financial contributions," said Brian Jenkins, a terrorism expert at the Rand Corp. "These (terror) groups behave in the same way.''

It is difficult to tell when online extremists are active fighters or simply sympathizers but it's clear that many hitch on to free resources that anyone can sign up for and where legitimate discussions also take place.

Dia'a Rashwan, a Cairo-based expert on Islamic groups, said the mushrooming of extremist sites and forums indicates the vast pool of sympathizers that such groups have attracted, with some seeing technology as their contribution to the cause.

Rather than directly seeking to incite violence, many of the extremist postings online are general declarations that may be laced with hatred and anti-American slurs but are not in themselves illegal.

The U.S. justice department scrutinizes such sites but takes action only when one is directly linked to known terror groups or conducts money laundering or other illegal activities, said Marcus Sachs, a former White House counterterrorism official.

Jenkins said that rather than try to remove online links to fund-raising efforts by terrorist groups, law enforcement resources may be better spent trying to shut down such groups directly.

In Idaho, federal prosecutors recently went after the Webmaster of some forums, rather than individual posters. His lawyers argued that he was a Muslim volunteer who had little to do with the creation of postings, and a jury acquitted him June 10 of charges that he used his computer expertise to foster terrorism.

Allowing extremist forums to thrive may risk helping terror groups advance their goals.

"But again, there are so many ways for them to communicate,'' said Vatis, the former FBI official. "To try to shut down every Web site and e-mail address they might use is just futile. I can go to Yahoo! or Hotmail right now and create 10 new IDs in a minute.''

June 28, 2004 at 08:17 AM in Security

June 27, 2004

Russian website spreading 'malicious' program shut down: Microsoft

Yahoo! News - Russian website spreading 'malicious' program shut down: Microsoft

Sun Jun 27, 2:18 PM ET


WASHINGTON (AFP) - A Russian website that spread a "malicious" Internet program has been shut down, software giant Microsoft said, adding that users of Internet Explorer are no longer at risk.

"Internet service providers and law enforcement, working together with Microsoft, identified the origination point of the attack in Russia and shut it down on Thursday," Microsoft said in a statement released late Saturday.

The Download.Ject program was not a virus or computer worm, Microsoft said, describing it as a "targeted manual attack by individuals or entities towards a specific server."

Unlike viruses that spread by e-mail, this infection was propagated simply by visiting an infected website, which can install a so-called trojan or keystroke logger that allows hackers access to the PCs, security experts said Friday.

Security experts warned that the program could be used to steal financial information and e-mail passwords.

The company, founded by billionaire Bill Gates, said the program "exploited a vulnerability in Internet Explorer to deliver malicious code to visitors of an affected Web site."

"Working with customers and partners worldwide, Microsoft is unaware of any widespread customer impact based on Download.Ject," said the company based in the northwestern state of Washington.

"The originating Web site of attack has been taken offline," Microsoft said.

"Internet Explorer customers are no longer at risk from that particular attack source as of Thursday evening."

Users of Microsoft's IIS 5.0 servers "that have not been updated with security update MS04-011 are susceptible to this attack," the company said.

Microsoft recommended that customers go to www.microsoft.com/protect to shield their personal computers from infection.

Microsoft said it is working with authorities and other companies to "bring those responsible for this criminal act to justice."

June 27, 2004 at 11:01 PM in Security

June 21, 2004

PKI Practices Are Maturing Says Study

PKI Practices Are Maturing Says Study

ComputerWire Staff
Some signs of improved security practices are to be found in the results of a latest survey of Public Key Infrastructure deployment across Europe.

More organizations say they are issuing certificates to business partners and slightly more than two-thirds of organizations polled for the study were found to be using separate signing and encryption keys, a 20% rise against the situation back in 2002.

The status report stems from an annual audit of sentiment towards PKI carried out by the European Electronic Messaging Association, a group that includes businesses like AIB Bank, Cargill and Unilever, government bodies such as the European Commission and the UK Ministry of Defence, and a number of IT vendors including HP, MessageLabs, Siemens, and Utimaco.

Management attention for PKI has increased, the study suggests, with the number of organizations viewing PKI as a strategic requirement increasing from 74% to 92% during 2003. Of those organizations upgrading their own Certification Authority, most expect to move to the use of an external trust contractor. CA technology helps in the deployment of a PKI that will scale by automating and centralizing the management of cryptographic keys and digital certificates.

June 21, 2004 at 08:55 PM in Security

June 16, 2004

Attack Knocks Major Web Sites Offline

Yahoo! News - Attack Knocks Major Web Sites Offline

By Brian Krebs, Special to The Washington Post
A widespread electronic attack on a company that handles traffic for some of the world's most-visited Web sites knocked several prominent sites offline for at least 45 minutes early yesterday.


The attack targeted Internet servers run by Cambridge, Mass.-based Akamai Technologies Inc., which distributes and manages Web data for companies such as Microsoft Corp., Yahoo Inc., Federal Express Corp. and Xerox Corp. It also handles traffic for the FBI and washingtonpost.com.


Akamai spokesman Jeff Young said the attack interrupted service to the Web sites around 9 a.m. and lasted for just under an hour.


Young said the attack was targeted at Internet networks on a broad scale, adding that "we have no reason to believe that the attack was directed solely at Akamai."


Amit Yoran, chief cybersecurity officer for the U.S. Department of Homeland Security, said federal authorities are working with Akamai and the companies that operate the Internet's underlying infrastructure to determine the source of the attack.


Akamai manages high-traffic Web sites by storing its 1,100 customers' Web content on thousands of Internet servers around the world. It manages approximately 15 percent of the traffic on the Internet.


Young said that most of the sites that were affected are search engines that use Akamai's services.


The company's role makes it an attractive target for hackers who attempt to overwhelm computers and Web sites by flooding them with huge bursts of data. Often, such attacks originate from computers that have been infected with a worm or virus designed to launch an assault at a set time.


Security experts have been warning about the growing number of computers infected with such programs. One of the most aggressive and powerful such programs, called Phatbot, has already spread to millions of machines over the past several months.


Russ Cooper, chief scientist at TruSecure Corp. in Herndon, said the attack probably involved "at least tens of thousands of systems that would be needed to busy Akamai's network so much."


Cooper said the attackers also might have targeted a previously unknown design flaw in Akamai's software.


Young said the attack seemed to have been designed to interfere with the company's domain-name system (DNS) servers, the machines that translate recognizable names such as "www.microsoft.com" into the numerical Internet addresses that computers actually connect to.


The company said that a similar incident last month was caused by a software flaw in one of its Web-site management programs.


Computer security experts and law enforcement authorities said it is often extremely difficult to find out who is responsible for denial-of-service attacks.


In October 2002, a denial-of-service attack disabled most of the 13 root servers that provide the primary road map for almost all Internet communications. The Department of Homeland Security is still trying to find out who launched that attack, Yoran said.


Krebs is a staff writer for washingtonpost.com.

June 16, 2004 at 08:14 AM in Security

Major Internet sites attacked

This story smacks of "keeping things quiet". My home page "my yahoo" was down longer than indicated here. I suspect this was a very big deal.

TheStar.com - Major Internet sites attacked

SAN JOSE, Calif.—Several major Web sites, including Yahoo, Microsoft and Google, were inaccessible at times early yesterday due to what the company that distributes them online called an attack.

The problem began about 9 a.m. Eastern and lasted less than two hours, said Jeff Young, a spokesperson for Akamai Technologies Inc., whose network of servers mirrors some of the Web's top destinations to improve their performance.

Young called it a "large scale, international attack on Internet infrastructure." However, there was no evidence that non-Akamai infrastructure was affected.

Amit Yoran, head of the U.S. department of homeland security's cyber security division, declined to comment on the alleged attack and its scope, deferring questions to Akamai. The government-funded CERT network emergency response team did not immediately return a call seeking comment.

Keynote Systems Inc., a Web performance measurement service, said the only sites where it saw trouble yesterday were those served by Akamai.

Young said he had no immediate information on the nature of the alleged attack, nor did he know where it originated or other Internet infrastructure companies that might have been targeted. Keynote said the availability of the top 40 sites it monitors dropped from 100 per cent to just over 80 per cent during the outage.

Associated Press

June 16, 2004 at 07:56 AM in @ My Views @, Security

Linux seen as secure option as banks replace mainframes with PC servers

finextra news: Linux seen as secure option as banks replace mainframes with PC servers

15 June 2004 - Banks are increasingly using PC servers instead of mainframe computers to handle data management functions, despite concerns about security, according to research by UK market data technology vendor CMS Webview.

Of the 50 financial data managers surveyed for the research, 61% reported that their banks had already moved from mainframes to PC servers in certain key areas.

However 73% felt that over-reliance on Windows-based systems could leave banks vulnerable to security breaches and, because of this, 86% would consider using an alternative operating system such as Linux (65%) which is also seen as more cost-effective.


Furthermore, nearly two-thirds of respondents (65%) were concerned about the dominance of Windows-based systems and the lack of competition in the marketplace (33%), as well as about costs and lack of quality assurance.


According to the survey the move towards PC servers is a recent trend in investment banking - more than half of those surveyed (54%) say it's only in the last three years that PC servers have started to replace mainframes.


CMS says the move is driven partly by cost, but also by PC servers offering scalability as well as flexibility, which was cited by 74% of data managers as the most compelling reason for replacing mainframes.


A large majority of respondents (89%) said PC servers provided enough flexibility to enable them to react to changing patterns in user demand, while 87% felt functions such as data warehousing could be run on PC servers.


Commenting on the research, Bob Antell, chief executive, CMS, says: "Modern PC servers can handle comfortably the vast amounts of data in real time that global banks must process, store and analyse 24 hours a day, every day of the week.

"The results of this survey correlate strongly with our day-to-day experience of financial institutions increasingly being prepared to consider PC server based products."

June 16, 2004 at 07:33 AM in Security

June 02, 2004

Hacking Sparks Need for Complex Passwords

Yahoo! News - Hacking Sparks Need for Complex Passwords

Tue Jun 1, 7:55 PM ET


By ANICK JESDANUN, AP Internet Writer
As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the growing interest in "passwords-plus" systems that require a second factor beyond the password itself.


To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password.


For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.


Scandinavian countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication.


"A password is a construct of the past that has run out of steam," said Joseph Atick, chief executive of Identix Inc., a Minnesota designer of fingerprint-based authentication. "The human mind-set is not used to dealing with so many different passwords and so many different PINs."


When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords like "1234" or a nickname.


Stevan Hoffacker follows those rules but commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements.


In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life.


"This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said Hoffacker, an information technology manager in New York.


But it's difficult to remember the dozens of strong passwords that many sites now require. Alternatives include writing them down on a sticky note attached to a monitor or in an electronic spreadsheet, practices security experts also deem unsafe.


Software such as Symantec Corp.'s Norton Password Manager and Apple Computer Inc.'s Keychain help store passwords in secure, encrypted form. But if the master password is compromised, you're out of luck: the entire collection goes with it.


Many sites, meanwhile, will e-mail passwords insecurely without encryption if you forget. A site called BugMeNot.com even encourages users to share passwords for nonfinancial sites like newspapers.


The tools of password harvesting are many:


Keystroke recorders secretly installed at public Internet terminals can capture passwords, as can "phishing" e-mails designed to trick users into submitting sensitive data to fraudulent sites that look authentic. There are computer viruses programmed to harvest passwords as well as software that guesses passwords by running through words in dictionaries.


Though analysts have no hard figures on password-specific fraud, they blame insecure passwords for unauthorized financial transfers, privacy breaches and even the hacking of corporate networks.


With two-factor authentication, a stolen password alone is useless to an attacker.


"We will never play the fear factor here, but still it stays a fact that with our products, phishing is no longer an issue," said Jochem Binst of Vasco Data Security International Inc.

The Belgian company issues devices the size of pocket calculators or keychains. You type your regular password into the device for a second code that is based on the time and the unit's unique characteristics. That's the code you type into the Web site.

Someone who steals your device won't have your password; someone who steals your password won't have your device.
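The two second-factor schemes described in this article, Nordea's printed scratch-off code list and Vasco's time-based device code, are shown below on the bank's side of the exchange. This is an added example and not Nordea's or Vasco's actual mechanism: the device code is assumed to follow the standard HMAC-SHA1 construction of RFC 4226 (event counter) and RFC 6238 (counter derived from the clock in 30-second steps), and the shared secret is the published RFC test secret so the first two values can be checked against the RFCs. The verifier enforces two things a practitioner needs: a small clock-skew window, and a refusal to accept the same time step twice, so that a code captured by a keylogger cannot be replayed while it is still nominally valid.

```python
"""Second-factor codes: scratch-card lists and time-based device codes (added example)."""
import hashlib
import hmac
import secrets
import struct
from typing import Iterable, Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TimeTokenVerifier:
    """Bank side of a time-based token. Tolerates one step of clock skew either way
    and never accepts a step at or before the last accepted one, so a code seen
    by a keylogger cannot be replayed within its validity window."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self._secret = secret
        self._step = step
        self._skew = skew_steps
        self._last_step: Optional[int] = None

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self._step
        for candidate in range(now - self._skew, now + self._skew + 1):
            if self._last_step is not None and candidate <= self._last_step:
                continue  # already used, or older than one already used
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._last_step = candidate
                return True
        return False


class ScratchCard:
    """Bank side of a printed code list: each code is good exactly once, in any order."""

    def __init__(self, codes: Iterable[str]):
        self._unused: Set[str] = set(codes)

    @classmethod
    def issue(cls, count: int = 50, digits: int = 6) -> "ScratchCard":
        codes: Set[str] = set()
        while len(codes) < count:  # loop rejects accidental duplicates
            codes.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
        return cls(codes)

    def redeem(self, code: str) -> bool:
        if code in self._unused:
            self._unused.discard(code)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


# RFC 4226/6238 test secret, so the values below can be checked against the RFCs.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(TEST_SECRET, 1), totp(TEST_SECRET, 59))  # both 287082
    card = ScratchCard.issue()
    print(card.remaining())  # 50
```

The replay guard is the part most often left out of home-grown implementations: without it, a time-based code is only as good as a static password for the thirty seconds or so it remains valid, which is exactly the window a trojan that captures keystrokes before SSL encryption, as in the pop-up malware item above, would exploit.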

MasterCard International Inc. has been testing similar systems in Britain, Germany and Brazil. Insert a credit card with a smart chip into a special reader, enter your PIN and obtain a password good only once at Office Max, British Airways and a dozen other merchants.

In Singapore, bank customers wishing to designate new accounts for fund transfers must likewise obtain a second password through a phone call, e-mail or mobile text messaging.

Biometric systems are similar, except a fingerprint or iris scan replaces one or both passwords.

In the United States, use of two-factor authentication remains limited. RSA Security Inc. has several products, including RSA SecurID, but they are primarily issued to employees for remote network access and to customers with high-value portfolios.

"There's a delicate balance between maintaining security but also providing customers with ease of use," said Doug Johnson, senior policy analyst at the American Bankers Association.

Gartner analyst Avivah Litan said banks are "all afraid of making the first step. They don't want consumers going to other banks because it's too hard."

U.S. banks and e-commerce companies have focused, for now, on making sure passwords are strong. EBay, for instance, now rejects attempts to create passwords such as "ebay" or "password."

Before two-factor authentication becomes commonplace, laptops must come standard with biometric readers, or manufacturers must bring down costs for password-generating devices.

Outfitting 1 million customers with such devices could cost $20 million, while Internet fraud for those customers amounts to "tens of thousands at most," said Tony Chew, director of technology risk supervision at the Monetary Authority of Singapore. Singapore banks thus limit dynamic passwords to fund transfers, he said.

Companies also need to set standards.

Though Jubran enjoys her bank's scratch-off passwords, she wouldn't want the Amazon.coms of the world all adopting them as well.

"It would be too complicated to have 10 different cards you scrape off," the 24-year-old medical student said.

Jason Lewis, vice president of product management at RSA Security, figures companies will have to create services so a single device can work on multiple sites.

Nordea and other Scandinavian banks already have partnered with government agencies and utilities, and an identity-management coalition called the Liberty Alliance Project has begun to explore standards.

People will pay more attention to security as they keep more of their lives online, said Robert Chesnut, eBay's vice president for rules, trust and safety. He offered this analogy: "The more stuff you have in your house, the better the deadbolt lock you have."

___

Anick Jesdanun can be reached at netwriter(at)ap.org.

June 2, 2004 at 12:27 AM in Security

May 25, 2004

Egg combats Chip and PIN memory fears with online recall

finextra news: Egg combats Chip and PIN memory fears with online recall

24 May 2004 - UK Internet bank Egg has launched the world's first 'PIN browser', so that forgetful customers can securely view their credit card personal information number online.

Customers logging on to Egg can now call up their PIN by entering the three-digit security code on the back of their cards. The new service is being launched amid fears that a UK-wide conversion to PIN-based transactions at the point-of-sale could be stymied by consumers suffering from information overload.

Jerry Toher, marketing director at Egg, comments: "With the vast amount of information consumers are required to remember there is a great temptation to write (PINs) down; however, this is not advisable."

In an Egg-commissioned survey of over 1000 adults conducted in February, ICM found that 41% of people admitted to being more forgetful now than they used to be, with nearly a quarter (22%) attributing this to the increasing number of passwords or codes they need to remember. Nearly a third (31%) admitted to forgetting one of their pass codes every month.

The research found that nearly all Brits (92%) use access codes at least on a weekly basis and nearly a third (28%) use them several times a day.

Commenting, Professor Evan Heit, Warwick University says: "Whether a fact will actually be remembered will depend on other psychological factors such as whether it is personally relevant or meaningful, and whether it will be confused with other information. So, for example, a person would not be able to learn a lot of different passwords because these would be meaningless and easily confused."

The latest research tallies with an earlier survey commissioned by Visa, which found that two thirds of consumers in the UK have problems remembering multiple PIN codes.

May 25, 2004 at 07:37 AM in Security

May 06, 2004

Asia Pacific VPN market seen reaching 5.15 billion dollars in 2009

SINGAPORE (AFP) - The Asia Pacific market for Internet virtual private networks (VPN) is expected to reach 5.15 billion dollars in 2009, up more than 200 percent from 2003, an industry research firm said.

Frost and Sullivan said the market should grow 25.7 percent to more than two billion dollars this year from 1.687 billion dollars last year.

Last year's growth was primarily driven by Japan, Australia and China.

The segment is seen as the fastest growing telecommunications services market, with a projected compound annual growth rate of 20.4 percent between 2003 and 2009, it said in a report Thursday.

A virtual private network is a method to connect computer systems using public wires. VPNs include security features such as encryption to help ensure that access is granted only to authorised users and that data cannot be intercepted.

A VPN allows users to access their private or office networks from anywhere with Internet access, at much lower charges. In contrast, users of Internet dial-up services pay costly international telephone charges.

Japan was the main market in 2003, accounting for 60 percent of revenues, while Australia came in second with 21 percent, Frost and Sullivan said.

However, by the end of 2009, China and India were forecast to be the main drivers of VPN growth.

May 6, 2004 at 07:23 PM in Security

April 29, 2004

Email trails lead to DRM

Email trails lead to DRM - ZDNet UK Insight

David Becker
CNET News.com
April 20, 2004, 12:45 BST

Chief executives have found to their cost that keeping a lid on inflammatory business documents remains extremely difficult

An ancient email message embarrasses Microsoft in a key legal case. A leaked memo has Linux antagonist SCO Group scrambling to explain apparently secret Microsoft connections. A leaked message from RealNetworks chief executive Rob Glaser reveals his behind-the-scenes manoeuvring to get a stake in Apple Computer's booming iPod business.

All it takes is a quick run through the headlines to see why some software makers might think there's a market for products that lock down common types of business documents by restricting access to authorised recipients.

But the market for such tools remains small and fragmented, despite recent entries by high-profile players Microsoft and Adobe Systems. Analysts expect the market to grow slowly for at least the next few years, as companies wait for the technology to mature and for IT budgets to loosen.

The relative youth of this technology is evidenced by the fact that it doesn't have an agreed-upon name yet. Various software makers use "enterprise rights management," "document rights management" and "information rights management" to refer to similar technology. Others simply use the blanket term "digital rights management" (DRM), though that is more commonly linked with technology employed to prevent unauthorised copying of movies, music and other published content.

"Right now, you're talking about technology that's very immature and doesn't really work very well," said Scott Lundstrom, senior vice president of AMR Research. "I have yet to see security implemented in (an enterprise DRM) system that hasn't been able to be circumvented in a week."

He likens the existing technology to a hook latch on a screen door. "It'll keep your neighbour out, but it won't keep out a burglar. It's just enough to keep an honest person honest," Lundstrom said.

Whatever you call them, the various enterprise DRM products are inspired and enabled by similar forces. Ubiquitous email has made it easier than ever to pass around documents. At the same time, ever-present Internet access has made it feasible to use server-based software to restrict access to corporate documents.

Enterprise DRM packages from Microsoft, Adobe and specialists such as Authentica use a central server to generate and store information on permissions for documents, email messages and other corporate content. Those permissions restrict who is able to open an item and what they can do with it -- copy and paste, edit, forward, print, and so forth. Documents can also become inaccessible after a set expiration date or if a more up-to-date version becomes available.

Such restrictions are meant to solve an array of corporate problems, from big-ticket headaches like leaked documents that can expose company secrets or pose legal liabilities to the challenge of making sure everyone's working from the current price list.

Selena Wilson, Microsoft's director of Windows security product management, said there's little trouble convincing businesspeople of the value of enterprise DRM. Microsoft entered the market late last year with Rights Management Services (RMS), an add-on to Windows Server 2003 meant to handle access restrictions for a wide range of corporate data. Office 2003, the latest version of Microsoft's widespread productivity package, allows RMS-based restrictions to be built into common types of documents.

"Every time we present RMS to business decision-makers, they just immediately get it," Wilson said.

One Authentica customer that's gotten it is San Francisco-based CaseCentral, which provides Internet-based depository management for complex litigation.

CaseCentral used Authentica technology to create secure, online versions of the "data rooms" companies typically maintain during merger and acquisition negotiations to provide controlled access to financial reports and other sensitive documents. With Authentica's DRM, electronic versions of such documents can be embedded with restrictions that permit only limited access by authorised parties, explained CaseCentral chief executive Christopher Kruse.

The upshot is that corporate lawyers can access the documents they need without time-consuming travel or worrying about information falling into the wrong hands. It's an approach that can only work with a sturdy DRM system, Kruse said.

"There really isn't much more confidential stuff in the business world than what we protect," he said. "We make sure people can't copy or even take a screenshot of a document. And the minute someone drops out of the bidding, we can shut off all their access to documents."

Lack of interest
But businesses like CaseCentral are still a tiny minority. Outside heavily regulated sectors such as banking, which have already developed industry-specific approaches to document security, there's been little visible interest to date in enterprise DRM.

Reasons include the relative immaturity of the market. Microsoft's product has been available for only four months, and Adobe won't introduce its Policy Server until late this year. That leaves a handful of specialists, led by Liquid Machines, Sealed Media and Authentica.

Even for businesses that do start to think about document security, their huge collections of content, often stored on individual hard drives, can make it tough to develop a comprehensive approach to enterprise DRM, said Joshua Duhl, an analyst for research firm IDC.

"People don't want to admit there's a content problem," he said. "And if they do, people have to have a sense of what's worth securing and what isn't, which can be very difficult to sort out."

The scope of material an enterprise DRM system secures can also make companies reluctant to commit to a software maker. Microsoft's entry into the field sparked fears the company could use a secure document format to lock out competing productivity products and other applications.

"I've heard some concerns that (RMS) would make it a requirement to upgrade applications, that you could lock down formats in some way so third-party applications wouldn't be able to open and view them," said Ray Wagner, an analyst for research firm Gartner.

Such concerns have many businesses waiting for a more open approach to enterprise DRM. Lundstrom doesn't expect the field to take off until there are open standards for encryption and other security components.

"DRM could be one of the first big open-source wins" for enterprise applications, he said. "Customers would really see value in open, standards-based robust encryption... When you get into security and encryption as an intellectual discipline, the people driving that forward are completely focused on open source and peer review."

Even for businesses that are OK with a proprietary approach to enterprise DRM, it can be tough to sort out the different approaches offered by current suppliers, IDC's Duhl said.

"There's limitations to every one of these vendors," he said. "Whether it's company size or viability questions or just the fact it's Microsoft, there are lots of issues that people have to sort through."

Then customers must determine which offering matches their particular business needs. "It's like looking at horses -- if you're going to pull a beer wagon, you want a Clydesdale," Duhl said. "If you're going to run a race, you want a thoroughbred."

Key differentiators include the manner in which an enterprise DRM product links up with other applications. Microsoft intends RMS to be a platform product, Wilson said, linked with the Windows Server operating system and capable of securing everything from memos to information in back-end databases. "Our technology is content- and format-agnostic," she said. "Customers can apply the same template, whether it's a document or a line-of-business application."

For now, however, RMS only works with documents generated by Office 2003, a significant factor for the vast majority of Microsoft customers that take their time in updating to the latest versions of key applications.

Adobe's Policy Server will be limited too, working only with documents based on the company's Portable Document Format (PDF). Adobe executives have said the product builds on several key advantages of the widespread PDF format, including its ability to ensure document fidelity and compatibility with a wide range of operating systems.

"The cross-platform aspect is very important to the clients we talked with," said John Landwehr, group manager for security solutions and strategy at Adobe. "They really want a system that will integrate well into a heterogeneous environment."

But for companies that haven't already adopted PDF and Adobe's accompanying Acrobat products for document distribution, Policy Server is a non-starter, said Gartner's Wagner.

"They have a pretty nice set of tools if you're willing to modify your whole system to be PDF-based," he said. "That's been a limiting factor for DRM all along -- people aren't going to change the way they work just to accommodate a security solution... You want this to be as minimally intrusive on the user as possible."

Specialty players
Aside from the big guys, enterprise DRM has a handful of specialty players whose products typically work with most common document formats -- from email messages to AutoCAD architectural drawings.

Variables include how a system deals with workers when they don't have Internet access. Microsoft's RMS requires at least an initial check-in with the rights server, while products such as Liquid Machines' self-titled server software allow document creators to set offline permissions.

"We find most people want to raise their level of security, but they don't want to make it difficult for people to do their jobs in a mobile work force," said Ed Gaudet, vice president of product strategy and marketing for Liquid Machines.

Competing products also differ in how much you can do with a document once it leaves the author's desktop. Authentica promises some of the most detailed control, allowing authors to change permissions for a document while somebody else is using it.

"We give very granular control," said Authentica chief executive John Bruce. "I can watch on my desktop and see how someone is interacting with a document once they get it. And if I decide I don't like what they're doing, I can change the settings then and there."

Another variable in enterprise DRM products is policy settings that IT administrators can employ to ensure a basic level of security for all documents. Policies are important to ensure that enterprise DRM doesn't get in the way of workers doing their jobs, said George Everhardt, chief executive of Sealed Media. At the same time, detailed controls need to be available to workers who want to get more involved. The key is finding the right balance for a particular business.
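To make the architecture described in the paragraphs above concrete (a central rights server holding per-recipient permissions, documents that go dark after an expiry date or when a newer version is published, offline permissions for mobile workers, and an author shutting off someone's access while they hold the file), here is an added Python model written for this page. It is not the code or API of RMS, Policy Server, Authentica, Liquid Machines or Sealed Media; every document name, user, timestamp and reason string in it is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    """What one recipient may do with one document (constructed model, not a vendor schema)."""
    actions: set                              # subset of open, copy, edit, forward, print
    expires: Optional[datetime] = None        # the document goes dark at this instant
    offline_lease: timedelta = timedelta(0)   # how long a cached decision may outlive a server check


class RightsServer:
    """Central permission store; an online client asks it before every action."""

    def __init__(self):
        self.docs = {}   # doc_id -> {"version": int, "grants": {user: Grant}}

    def publish(self, doc_id):
        self.docs[doc_id] = {"version": 1, "grants": {}}

    def new_version(self, doc_id):
        """Publishing a newer version makes every copy of the old one inaccessible."""
        self.docs[doc_id]["version"] += 1
        return self.docs[doc_id]["version"]

    def grant(self, doc_id, user, actions, expires=None, offline_lease=timedelta(0)):
        self.docs[doc_id]["grants"][user] = Grant(set(actions), expires, offline_lease)

    def revoke(self, doc_id, user):
        """Shut off all of one recipient's access, even while they hold the file."""
        self.docs[doc_id]["grants"].pop(user, None)

    def decide(self, doc_id, version, user, action, now):
        """Online check; returns (allowed, reason) so a client can explain a refusal."""
        doc = self.docs.get(doc_id)
        if doc is None:
            return False, "unknown document"
        if version != doc["version"]:
            return False, "superseded version"
        grant = doc["grants"].get(user)
        if grant is None:
            return False, "no grant"
        if grant.expires is not None and now >= grant.expires:
            return False, "expired"
        if action not in grant.actions:
            return False, "action not permitted"
        return True, "allowed"

    def offline_token(self, doc_id, version, user, now):
        """Cached permissions for a worker without Internet access; None if they cannot open it."""
        if not self.decide(doc_id, version, user, "open", now)[0]:
            return None
        grant = self.docs[doc_id]["grants"][user]
        valid_until = now + grant.offline_lease
        if grant.expires is not None:
            valid_until = min(valid_until, grant.expires)   # lease never outlives the expiry
        return {"version": version, "actions": set(grant.actions), "valid_until": valid_until}


def offline_check(token, action, now):
    """Client-side check against a cached token. A revocation made after the token was
    issued stays invisible until the lease runs out and the client reconnects."""
    if now >= token["valid_until"]:
        return False, "offline lease expired; reconnect to the rights server"
    if action not in token["actions"]:
        return False, "action not permitted"
    return True, "allowed"


def demo():
    """Run the scenarios the article describes; returns the outcome of each (constructed data)."""
    t0 = datetime(2004, 4, 20, 12, 0)
    srv = RightsServer()
    srv.publish("price-list")
    srv.grant("price-list", "alice", {"open", "edit"},
              expires=t0 + timedelta(days=7), offline_lease=timedelta(hours=8))
    srv.grant("price-list", "bob", {"open"})
    out = {"alice_edit": srv.decide("price-list", 1, "alice", "edit", t0)[0],
           "bob_edit": srv.decide("price-list", 1, "bob", "edit", t0)[1],
           "alice_week_later": srv.decide("price-list", 1, "alice", "open",
                                          t0 + timedelta(days=7))[1]}
    token = srv.offline_token("price-list", 1, "alice", t0)
    out["offline_4h"] = offline_check(token, "edit", t0 + timedelta(hours=4))[0]
    out["offline_9h"] = offline_check(token, "edit", t0 + timedelta(hours=9))[0]
    srv.revoke("price-list", "alice")   # author changes the settings mid-session
    out["online_after_revoke"] = srv.decide("price-list", 1, "alice", "open", t0)[1]
    out["offline_after_revoke"] = offline_check(token, "open", t0 + timedelta(hours=1))[0]
    srv.new_version("price-list")       # a newer price list supersedes version 1
    out["bob_old_copy"] = srv.decide("price-list", 1, "bob", "open", t0)[1]
    return out
```

The `offline_after_revoke` outcome is the trade-off that offline permissions carry: a cached grant is enforced by the client alone, so a revocation takes effect only once the lease ends and the client reconnects.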

"Our fundamental premise is that there is no magic technology button you press and then everything's secure," Everhart said. "Any good security process involves people. The process has to be easy to use and totally secure. If it's intrusive, workers will figure a way to get around it. If it's too easy, the bad guys will figure out ways to get around it."

Everhart and executives of other enterprise DRM specialists said they aren't worried about major players such as Microsoft and Adobe entering the market. Instead, they see the moves as bolstering their position with potential customers who don't want to be restricted to working with particular types of documents or authoring applications.

"It's been like a validation," said Authentica's Bruce. "For the longest time, I've talked to folks about DRM and they keep asking, 'is there a business there?' Now we've got two major vendors standing alongside us and saying, 'this is important.' It's nice to find the world is turning in our direction."

Attention from Adobe and Microsoft helps, agreed Mark Patton, Sealed Media's vice president of marketing. So does support from content management software makers such as market leader Documentum, a Sealed Media partner. But the biggest incentive may be the type of incidents that have caused embarrassment and legal headaches for Microsoft and others.

"All it takes is for a chief executive to get burned one time on a leaked document, and their interest level in this kind of technology goes way up," Patton said.

April 29, 2004 at 01:38 AM in Security

MPs ponder whether 'benign' hacking should be legal

MPs ponder whether 'benign' hacking should be legal - ZDNet UK News

ZDNet UK
April 26, 2004, 17:25 BST

With Britain's Computer Misuse Act heading for a revision, some MPs want to explore whether ethical hacking should be allowed

Should UK citizens ever have the right to launch a hack attack against a computer or a network?

A group of tech-savvy MPs are poised to consider this question, as the All-Party Internet Group (APIG) launches an investigation into Britain's cybercrime laws.

APIG has recognised that the Computer Misuse Act (CMA), which came into law in 1990, needs to be updated to cover attacks upon the Internet and on other computer networks. Like many experts, the group is concerned that the existing legislation may not apply to denial-of-service attacks -- where a network is driven offline by a flood of Web traffic.

"As it stands, the Computer Misuse Act suffers from a lack of a network focus. Today, the primary threat from hackers is to the network, rather than to individual computers, and if the network goes down we've got problems," said Richard Allan MP, joint vice-chairman of APIG.

APIG has already received written evidence from interested parties, and is taking further oral evidence at a session in parliament on Thursday. The Home Office has said it is revising the CMA at present, and APIG wants to feed the views of the UK IT industry into this process.

And while Allan is adamant that tough action is needed against denial of service attacks, he's also keen to examine whether ethical hacking should be protected in law. He cited the law on criminal damage, where a defendant can claim that they acted to avoid a worse event taking place.

"If a successor to David Blunkett was going to introduce tough censorship laws on the use of the Internet in the UK, should someone be able to justify a hacking attack against the IT involved because they opposed that censorship?" asked Allan, who is the Liberal Democrat MP for Sheffield Hallam.

The idea of a draconian home secretary smashing our human rights may be far-fetched -- or not, depending on your take on the ID Card issue -- but Allan points out that such suppression is already thriving in other parts of the world.

"When the Chinese government blocked access to the BBC Web site, people very rightly sought to subvert that censorship. As a legislator, am I prepared to support legislation that says benign hacking can result in several years in prison?"

Other issues that should be covered at this Thursday's oral evidence session are whether the CMA should be revised to meet Britain's international treaty obligations with other countries, and whether the level of penalties within the CMA are sufficient to deter today's criminals. The rise in organised e-crime makes these issues increasingly relevant.

E-envoy Andrew Pinder is due to attend this session, as are representatives from the Home Office and the ISP industry, as well as legal experts and security providers.

April 29, 2004 at 01:30 AM in Security

Security policies fall behind Internet adoption

Security policies fall behind Internet adoption - ZDNet UK News

Munir Kotadia
ZDNet UK
April 20, 2004, 12:00 BST

More UK firms are offering employees access to the Internet but many are failing to sort out security policies until it's too late

Most UK companies now provide their employees with Internet and email facilities but this has led to more employees abusing their cyberspace privileges, because firms are not enforcing a security policy, according to a survey carried out on behalf of the Department of Trade and Industry.

The DTI's Information Security Breaches Survey found that 89 percent of employees now have access to the Internet, up from 69 percent two years ago. But, worryingly, the number of companies that restrict access to inappropriate Web sites has fallen from 34 percent to 15 percent. Additionally, only 16 percent of respondents said that they blocked or quarantined email. Two years ago, this figure was 57 percent.

Chris Potter, a partner at PricewaterhouseCoopers, said that most companies -- especially small- and medium-sized businesses -- are waiting until they experience a "major breach" in security before putting "effective controls" in place.

"Only one in three companies that suffered an incident involving Internet abuse already had a contingency plan in place to deal with it. Where such plans did exist, however, most proved very effective at handling the problem," he said.

Johanna Severinsson, marketing director of EMEA at Internet management company Websense, said that providing unrestricted Internet access is not only a distraction for employees but raises "serious security implications" for companies.

"Every company with Internet access has a responsibility to ensure it is managed in order to protect both their shareholder value and their employees," she said.

The survey was compiled from about 1,000 telephone interviews carried out by PricewaterhouseCoopers, funded by Microsoft, Computer Associates and Entrust, among others. The full results will be published during the InfoSecurity Europe conference in London next week.

April 29, 2004 at 01:27 AM in Security

UK firms still don't get security

By Graeme Wearden, ZDNet UK

Too many companies are committing too little of their IT budget to security, according to the government.

Viruses, hackers and spam are a growing problem for UK firms because many are failing to pay enough attention to IT security, according to the DTI Information Security Breaches Survey 2004 (ISBS 2004), which was published on Tuesday.

ISBS 2004 found that the majority of companies spend less than 1 percent of their IT budget on security systems. This, according to the authors of the report, isn't enough to guarantee effective security.

"This really needs to shift upwards if businesses are to protect themselves properly going forward," said Chris Potter, information security assurance partner at PricewaterhouseCoopers.

ISBS 2004 also found that many companies have failed to improve their performance on IT security issues that were flagged up in a previous survey in 2002.

For example, fewer than one in ten companies have tested their disaster recovery plans to see if they actually work.

"This is a shockingly poor result, given the post-9/11 furore about contingency plans and disaster recovery," said Potter.

According to one antivirus vendor, there is still plenty of education to be done with smaller British companies about the importance of IT security.

"Some firms think that spending less on IT security is a good thing. They need to think about the return on investment, and assess the cost of their systems being offline for an hour or a day," said Roger Levenhagen, Trend Micro's managing director for UK and Ireland.

ISBS 2004 also found that only one in ten companies employ staff who have formal IT security qualifications, and that just one in two corporate wireless networks have specific security controls.

Most firms also believe that IT security problems are set to increase. Just 10 percent of large businesses said they expected fewer security incidents during the coming year, compared to 75 percent who predicted more -- a pessimistic view that the government shares.

"Things are going to get worse before they get better," warned a DTI official.

April 29, 2004 at 01:26 AM in Security

April 12, 2004

Senior Execs Must Tackle Cyber-Security -US Report

Yahoo! News - Senior Execs Must Tackle Cyber-Security -US Report

By Andy Sullivan

WASHINGTON (Reuters) - Corporate chieftains must take responsibility for their computer networks to secure them from viruses, worms and other online attacks, an industry task force said on Monday.

Long the domain of network administrators, computer security must command the attention of those in the boardroom as well, said the task force, which developed its report under the guidance of the Department of Homeland Security.

"Executives must make information security an integral part of core business operations," the task force said. "There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance."

Online attacks can clog computer networks, knock vital Web sites offline and expose customer records to prying eyes. Viruses and worms like SoBig and Slammer have cost businesses billions of dollars in lost productivity.

The U.S. government released a strategy last year to improve the security of the nation's computer networks, but it contained few hard-and-fast rules for the private companies that control 85 percent of the Internet.

Instead, industry officials working with the Department of Homeland Security have released a flurry of reports this spring outlining voluntary ways that companies can improve security.

The task force presented a framework companies can use to assess their exposure, based on plans developed by the U.S. government and an international standards organization.

CEOs should examine their networks annually and present their findings to the board of directors, the report said.

The framework should help executives measure their progress on computer security and pinpoint areas of high risk, task force members said.

"What is coming out of this body of work is the distillation of eight and a half feet of reports stacked on top of each other into something a board and an executive can get their head around," said Entrust Inc. CEO Bill Conner, a task force co-chair.

"A lot of it is common sense. We did not reinvent the wheel here," said RSA Security Inc. CEO Art Coviello, another task force co-chair.

Orson Swindle, a commissioner with the Federal Trade Commission who has been active on cyber-security matters, said companies that don't take steps to improve their security might quickly stand out in an unfavorable light.

"I think you'll see industry join this because you'll become famous if you don't," said Swindle, who noted that most businesses have voluntarily adopted consumer privacy protections rather than wait for government regulation.

April 12, 2004 at 08:03 PM in Security