*****************************************************
Edupage is a service of EDUCAUSE, a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology.
*****************************************************

TOP STORIES FOR MONDAY, JULY 25, 2005
  Software Hides Passwords from Phishers
  CU Computers Hacked
  Paying Hackers for Bugs
  Hackers Finding New Targets
  GAO Says TSA Cleaning Up Secure Flight

SOFTWARE HIDES PASSWORDS FROM PHISHERS
Two professors at Stanford University are set to unveil software designed to foil phishers by scrambling passwords entered into Web sites. John Mitchell and Dan Boneh developed the software, called PwdHash, to deal with the growing problem of Web sites that lure computer users into disclosing personal information. The software creates a unique password for each Web site a user visits. If the user goes to a bogus version of a legitimate Web site, the software creates a separate password, leaving the operator of the bogus site with a password that will not work at the real site. Previously, the pair of professors have written software that tries to identify fraudulent Web sites and notifies the user when such a site is suspected.
San Jose Mercury News, 25 July 2005
http://www.siliconvalley.com/mld/siliconvalley/12218576.htm

CU COMPUTERS HACKED
Officials at the University of Colorado said hackers gained access to two servers at the university, possibly exposing personal information on nearly 43,000 students and employees of the institution. One server, at the College of Architecture, contained data on 900 individuals; the other, at the university's health center, included information for another 42,000 people. The servers included names, Social Security numbers, addresses, and dates of birth, according to the university, but neither included credit card information. Still, university officials are advising those affected to monitor their credit reports for suspicious activity, and the university has set up a Web site and a hot line to answer questions. Investigators looking into the situation said that one hacker came through a server in France, while the other came through a server in Eastern Europe.
University officials have no information so far that any of the personal data on the servers has been misused.
The Denver Channel, 22 July 2005
http://www.thedenverchannel.com/technology/4757407/detail.html

PAYING HACKERS FOR BUGS
Computer-security firm TippingPoint has begun a program to pay rewards to individuals who report computer vulnerabilities. Not unlike similar programs from other companies, the TippingPoint deal offers a variable amount of money if a reported bug proves valid. The company will use the information to update its own protection software and will notify the maker of the vulnerable product about the problem. David Endler, director of security research at TippingPoint, said the reward program is intended to "reward and encourage independent security research" and to "ensure responsible disclosure of vulnerabilities." Not all security companies believe in bounties. Internet Security Systems, for one, said that paying for such bug reports amounts to having hackers do a company's research for it. An official from Internet Security Systems also noted that the bugs reported in such programs are typically very low-level problems, saying that the more extreme vulnerabilities are worth much more when used for hacking than if turned in to security companies.
CNET, 24 July 2005
http://news.com.com/2100-7350_3-5802411.html

HACKERS FINDING NEW TARGETS
According to a new report from the SANS Institute, the number of computer hacking incidents is rising, and the targets of such hacks are increasingly software applications rather than operating systems. The organization found that the number of vulnerabilities reported was up 11 percent from the first quarter of the year to the second, and up nearly 20 percent from a year earlier. Alan Paller, SANS's research director, said the situation is getting worse. As operating systems become more secure, hackers are turning to applications, such as Apple's iTunes and RealNetworks's RealPlayer.
Hackers are also focusing efforts on backup systems, particularly those of Computer Associates and Veritas Software. Because backup systems typically contain vast amounts of confidential corporate data, they represent an attractive target. SANS noted that the best way to avoid such hacking threats is to install all software patches, keep antivirus tools up to date, and be prudent in opening e-mail attachments.
Wall Street Journal, 25 July 2005 (sub. req'd)
http://online.wsj.com/article/0,,SB112224497897894400,00.html

GAO SAYS TSA CLEANING UP SECURE FLIGHT
According to the Government Accountability Office (GAO), the Transportation Security Administration (TSA) has adequately addressed concerns raised by the GAO over privacy violations in the Secure Flight program. The program is designed to safeguard the nation's air travel system by identifying suspected terrorists and preventing them from boarding planes. During a test of the program, TSA collected commercial information on air passengers, violating its privacy policy, according to the GAO. TSA used the commercial data in conjunction with passenger information to increase the reliability of the Secure Flight system, but the result was that air passengers were unable to know what information about them was being collected and how it was being used. In a report, the GAO said that after being notified of the problems, TSA acted immediately to address the issues raised. Aside from not using commercial data in the Secure Flight program, TSA also said its chief privacy officer and general counsel would ensure that activities related to the Secure Flight program would be explicitly detailed in its privacy notices.
Federal Computer Week, 22 July 2005
http://www.fcw.com/article89670-07-22-05-Web

*****************************************************
EDUPAGE INFORMATION

To subscribe, unsubscribe, change your settings, or access the Edupage archive, visit
http://www.educause.edu/Edupage/639

Or, you can subscribe or unsubscribe by sending e-mail to [EMAIL PROTECTED]
To SUBSCRIBE, in the body of the message type:
SUBSCRIBE Edupage YourFirstName YourLastName
To UNSUBSCRIBE, in the body of the message type:
SIGNOFF Edupage

If you have subscription problems, send e-mail to [EMAIL PROTECTED]

*****************************************************
OTHER EDUCAUSE RESOURCES

The EDUCAUSE Resource Center is a repository for information concerning use and management of IT in higher education. To access resources including articles, books, conference sessions, contracts, effective practices, plans, policies, position descriptions, and blog content, go to
http://www.educause.edu/resources

*****************************************************
CONFERENCES

For information on all EDUCAUSE learning and networking opportunities, see
http://www.educause.edu/31

*****************************************************
COPYRIGHT

Edupage copyright (c) 2005, EDUCAUSE
