[ISN] Hanford workers warned about security breach
http://seattlepi.nwsource.com/local/273650_hanfsecurity13.html

By SHANNON DININNY
THE ASSOCIATED PRESS
June 13, 2006

The U.S. Energy Department has warned about 4,000 current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.

The discovery marks the second time in less than a week that the Energy Department has warned employees and its contractors' employees that their personal information may have been compromised.

Police in Yakima discovered the list while investigating an unrelated criminal matter, the Energy Department said, adding that the list included the names of people who worked for a former Hanford contractor, Westinghouse Hanford, who were transferring to Fluor Hanford or companies under contract to Fluor Hanford in 1996. The Energy Department awarded Fluor Hanford the contract to clean up the highly contaminated nuclear site in December 1996.

The list also included workers' Social Security numbers and birthdates, as well as work titles, assignments and telephone numbers.

The department began notifying workers about the discovery Sunday. Employees at seven companies were warned to monitor their financial accounts and billing statements for any suspicious activity. There was no indication that Hanford's computer network was compromised.

The Energy Department and Fluor Hanford were working with law enforcement officials to determine how the list was obtained and why it was in the home, the Energy Department said in a statement Monday.

"We, along with Fluor, are taking this very seriously," said Karen Lutz, an Energy Department spokeswoman at the south-central Washington site. "Obviously, there's a concern to get the word out, because so many workers transfer to other contractors and other federal sites."

Also on Monday, Energy Department officials began contacting 1,502 individuals by phone to inform them that their Social Security numbers and other information might have been compromised when a hacker gained entry to a department computer system eight months ago. The workers, mostly contract employees, worked for the National Nuclear Security Administration, a semiautonomous agency within the department that deals with the government's nuclear weapons programs.

The computer theft occurred last September, but Energy Secretary Samuel Bodman and his deputy, Clay Sell, were not informed of it until last week. It was first publicly disclosed at a congressional hearing on Friday.

Following the Hanford report Monday, Sen. Maria Cantwell, D-Wash., demanded corrective actions to ensure that federal employees' personal information remains secure.

"Today's news that the personal information of 4,000 Hanford workers has been floating around in the open shows that we still have a long way to go when it comes to keeping sensitive information out of the wrong hands," Cantwell said.

Workers from the following companies were urged to check their financial statements: Fluor Daniel Hanford, Lockheed Martin Hanford, Rust Federal Services of Hanford, B&W Hanford, Numatec Hanford, DynCorp Tri-Cities Services and Duke Engineering and Services Hanford.

_
Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches.
www.blackhat.com
[ISN] Elections hacks don't guard us against hackers
http://www.miami.com/mld/miamiherald/14803773.htm

By FRED GRIMM
fgrimm at MiamiHerald.com
Jun. 13, 2006

For a county supervisor of elections needing someone to test the vulnerabilities of his voting system, Dan Wallach's the man.

Wallach, who runs the security computer lab at Rice University, is a nationally regarded expert on computer network security and voting system vulnerabilities. He's associate director of ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). Besides, his parents live in Lauderdale-by-the-Sea.

He is a perfect choice. But not in Florida.

Wallach and his associates at ACCURATE may represent academia's leading experts on voting system security, but under the new rules promulgated by the Florida Secretary of State, they don't qualify.

Any security test, the secretary of state's office insists, must be performed by someone certified by the American Software Testing Qualifications Board, the American Society for Quality or the EC (E-Commerce) Council.

Not only is Wallach not certified by the three organizations, "I've never heard of them," he says.

TRAINING COURSE

Actually, the first two organizations are concerned with the overall quality of manufactured software, not security. The EC Council website offers a five-day training course into something called "ethical hacking."

Five days of training, under the new rules, would trump the most sophisticated résumés in computer science.

Computer professor David Dill, of Stanford University, who served on California's Ad Hoc Task Force on Touch Screen Voting, and whose degree -- not the five-day kind -- comes from MIT, added his apprehensions to the comments on the proposed rules the Florida Secretary of State's office collected Monday. He said they "would exclude the most competent evaluators, such as those who have found most of the reported security holes in existing voting systems.

"I have checked with several computer security experts, who not only do not have these qualifications, but, like me, have never heard of them. A little research on the Web reveals these certifications to be of dubious relevance to voting system evaluation," Dill wrote.

Other rules would require that the voting-machine vendors and the secretary's office get advance notice of any security test. And a supervisor of elections contemplating a security test must first take special pains to protect the machine manufacturer's secret operating code.

CERTIFIED HACKERS

Wallach and Dill seemed puzzled. Wallach noted that a voting machine ought to be secure no matter who tries to hack the system. The notion that a would-be hacker must first be properly certified and possess special qualifications (like a five-day online course), and the vendors need advance notice becomes utterly irrelevant in cyberspace.

"If someone is malicious and his goal is to throw the election, they're not going to ask permission," Wallach said.

Of course, the new rules aren't really about protecting the integrity of elections. Only one Florida supervisor of elections allowed outside experts to test his voting system security. And when Ion Sancho's hackers discovered they could alter the outcome of an election and wipe out all trace of the tampering last year, it was a huge embarrassment to the Secretary of State's office.

Instead of trying to fix the flaws, state officials and Diebold -- a maker of voting machines -- went after Sancho, disparaging his findings and suggesting that he ought to be tossed from office.

Then California -- not Florida -- directed a panel of computer science experts to look into the Leon County findings. The panel found the same flaws and more. Florida election bureaucrats were humiliated.

"The new rules are designed to make sure that they're never embarrassed again," Sancho said Monday.

Florida's first priority is to protect the vendors. We'll let California worry about the damn voters.
[ISN] Computer Security Market to Grow 13%
http://times.hankooki.com/lpage/biz/200606/kt2006061320215011910.htm

06-13-2006

SEOUL (Yonhap) - South Korea's computer security market is forecast to grow 13 percent annually over the next five years as spending on Internet security software rises in both the public and private sectors, a report indicated on Tuesday.

The country's digital security market is predicted to rise to 815 billion won ($850) by 2010, and the security appliance market is projected to post an annual growth rate of 17.6 percent, according to the report compiled by the South Korean unit of the International Data Corp.

IDC Korea said the country's computer security market posted 8.5 percent growth last year, reaching 443 billion won.

The security appliance sector, in particular, is expected to grow sharply in the future, the report said, adding that more and more public institutions and private companies in the country are trying to keep their computer networks safe from burgeoning cyber threats.
[ISN] KDDI suffers massive data breach
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001150

Martyn Williams
June 13, 2006
IDG News Service

Personal data on almost 4 million customers of Japanese telecom carrier KDDI Corp. has been breached, the company said Tuesday.

The data includes the name, address and telephone number of 3,996,789 people who had applied for accounts with KDDI's Dion Internet provider service up to Dec. 18, 2003, KDDI said. Additionally, the gender, birthday and e-mail addresses of some of the people were also leaked.

KDDI is Japan's second largest telecommunications carrier. It operates fixed line, dial-up Internet, broadband and cellular services through a number of different companies.

The carrier became aware of the leak on May 31 this year when it received a phone call from someone claiming to possess a CD-ROM of the data, said Yoko Watanabe, a spokeswoman for the Tokyo-based carrier. The original source of the data has yet to be determined and Watanabe declined to comment on other aspects of the case, which is being investigated by the police, she said.

The leak is just the latest of several to hit the headlines in Japan this year. Personal information has been leaked by companies a number of times onto the Internet through viruses that infect PCs running file sharing programs.

While the source of the data lost by KDDI is not yet clear, the episode is likely to increase fears of identity theft and other fraud in Japan. In recent years the number of frauds committed against consumers using such information has been on the rise. Armed with the name and address or telephone number of a consumer, fraudsters can send out bills or make calls demanding payment for services that were never delivered. The slick frauds often dupe consumers into sending money before they realize they have been tricked.
[ISN] ...and now a word from one of our long time sponsors
http://attrition.org/news/content/06-06-13.001.html

Cliff Notes: If you drink Coca-Cola products, email the 'coke reward' code to [EMAIL PROTECTED] to support a bunch of wack job heathens

How many times have you thought, "If everyone sent me one penny, I'd be rich!?" In the case of attrition staff, maybe you thought "If everyone sent me one beer, I'd need a new liver in three months!"

Attrition has been going strong for almost eight years now. In that time we haven't plagued the site with ad banners, pop-ups, or even the cute little google ad-words. We've accepted PayPal donations for several years and raked in a whopping 250 bucks (which we are honestly very thankful for). Our Amazon wishlists are never used, half the mail we get is mindless drivel complaining about insipid crap that is usually answered by actually reading the web pages. The box has been fully replaced two times due to hardware problems, payments are routinely made to our landlord for the bandwidth abuse and to keep him too drunk to find our power plug. In short, this isn't a site based around profit or self reward. We're more like those monks that inflict self pain thinking it brings them closer to a higher power. Misguided, pain-ridden, stupid monks.

Since we've long been fans of the sci-fi idea of 'micro payments', and no system is in place for such a beast to really work, we've come up with one. Now you too can actually support the site without sending us money or hate mail.

Chances are, you are a cracked-out coke fiend like most of us. I prefer the hard-core street drug they call "Coke Zero" these days, moving on from the weak suburban "Diet Coke" or that old-folks home "Caffeine Free Diet Coke" that Munge sips on between shots of Everclear. If you support Coca-Cola like a true patriot, and not those Pepsi jerks like a terrorist would, then you are in the perfect position to contribute.

Coca-Cola is running a promotion where you receive a code for each purchase you make. With those codes, you register on one of their web sites and type in the codes to earn points. Enough points and you can earn various prizes, most of which are not worth the time to read about on the web site. If you click around enough, you get to the distant "10,000+ Points" reward list, and things become brighter. In this "pipe dream" category is a pretty swell Sony LCD HDTV that would be a nice reward for the pain and suffering we're put through.

So, next time you are getting your fix, take a few seconds to type in the coke code and mail it to us. Only takes a minute of your time and you can spend the rest of the day bragging about how you supported a non-profit site on the intarweb. The codes can be found inside the bottle caps of 2 liter, 1 liter or 20oz bottles, or in the tear off flap of 12-pack cases. They can be found in just about every variety of Coca-Cola products and look something like BNMW7 Y49XR 4X7VJ.

This is it net denizens. Some 100,000,000 of you out there, and all it takes is 2,000 of you to mail in the code from a single 12-pack to reach our goal. You would be showing a small token of appreciation for eight years of hard work and it doesn't even require a visit to the post office. If you send in 100 points worth of codes (ten cases, or 33 bottles), we'll hook you up with private access to the old image gallery we used to make available (shut down long ago due to bandwidth abuse), which is up to 5,263 unique images of all varieties, and zero advertisements.

That's it, simple and possibly rewarding.

[EMAIL PROTECTED]

Cut this out and post it at your work lounge!

.------------------------------.
|                              |
| E-mail Coca-Cola Reward Code |
|      to the heathens at      |
|      [EMAIL PROTECTED]       |
|                              |
`------------------------------'
[ISN] ADSM endorses XBRL technology
http://www.itp.net/business/news/details.php?id=21007

By David Ingham
13 June 2006

Abu Dhabi Securities Market (ADSM) has recently taken further steps to boost market transparency and improve its information technology systems. ADSM has declared its aim to become ISO 17799 compliant and has thrown its weight behind the XBRL information reporting standard.

eXtensible Business Reporting Language (XBRL) enables computer-readable tags to be applied to individual items of financial data in business reports. This helps to turn them from blocks of text into information that can be understood and processed by computer software.

"XBRL complements ADSM's programme to adopt international best practice standards of regulation and governance throughout the UAE markets," said Rashed Al Baloushi, acting director general of ADSM. "It will give investors better access to a company's financial information, allowing them to make more informed decisions.

"Furthermore, analysts will be able to compare detailed data more efficiently and with increased accuracy. Under the current system, it can be difficult to benchmark data efficiently."

ADSM said it will encourage all listed companies to adopt the technology, which it says can reduce data processing costs in addition to improving transparency. It has already held one educational seminar, which was attended by listed UAE companies and representatives from other markets in the region.

Separately, ADSM has said that it plans to become the first UAE bourse to achieve ISO 17799 certification. ISO 17799 is a set of procedures designed to help companies improve their level of information security. It covers ten aspects of e-security, including policies & procedures, access control and business continuity. Company and Cybertrust have been appointed to help ADSM benchmark its systems against the ISO 17799 requirements.

"Since ADSM was established, we have been constantly reviewing and updating our security systems in line with our growth," said Khalfan Al Mazrouei, IT manager of ADSM. "But, in order to bring our systems up to international standards we need ISO 17799 certification."
[ISN] PCs to developing world 'fuel malware'
http://www.theregister.co.uk/2006/06/13/pc_donation_peril/

By John Leyden
13th June 2006

Programs to send PCs to third world countries might inadvertently fuel the development of malware for hire scams, an anti-virus guru warns.

Eugene Kaspersky, head of anti-virus research at Kaspersky Labs, cautions that developing nations have become leading centres for virus development. Sending cheap PCs to countries with active virus writing cliques might therefore have unintended negative consequences, he suggests.

"A particular cause for concern is programs which advocate 'cheap computers for poor third world countries'," Kaspersky writes. "These further encourage criminal activity on the internet. Statistics on the number of malicious programs originating from specific countries confirm this: the world leader in virus writing is China, followed by Latin America, with Russia and Eastern European countries not far behind."

But what about all the positive uses in education, for example, possible through the use of second-hand PCs in developing nations? We reckon these more than outweigh the possible misuse of some computers at the fringes of such programs.

We wanted to quiz Kaspersky more closely on his comments but he wasn't available to speak to us at the time of going to press. A spokesman for Kaspersky Labs agreed that PC donation programs have benefits but maintained that in countries with "fewer legitimate openings" for work the possibility of "unintended side effects" can't be overlooked. He said that Eugene Kaspersky's comments should be viewed in the context of a wider discussion of criminal virus writing, contained in an essay on the anti-virus industry here.
[ISN] Black Hat Speakers + 2005 Content on-line
Forwarded from: Jeff Moss <[EMAIL PROTECTED]>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello ISN readers,

I have a brief announcement I would like to make. The speaker selection for Black Hat USA 2006 is now complete. We have a fantastic line up of Briefings presentations and our largest selection of Training this year.

Briefings: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-schedule.html
Training: http://www.blackhat.com/html/bh-usa-06/train-bh-usa-06-index.html

For the first time in four years, we have been able to expand our speaking line. This is because Caesars Palace has expanded their conference space, and Black Hat will be getting the entire fourth floor to ourselves! This means that for the first time in four years, we were able to expand the number of presentation tracks, panels as well as offer more opportunities for networking in our Human Network area.

Some notes from the schedule:

* A Root-kit focused track draws attention to the amount of work, and the speed of advancement, going into this field.

* Ajax to Fuzzers--web app sec is taken to a new level. The largest number of talks dealing with web application security ever delivered at a Black Hat. As the web moves to a more interactive "web 2.0" model of participation it is only natural for there to be more risks involved.

* A Windows Vista Security track which has been garnering a lot of press lately... this will be an unprecedented first comprehensive look at Vista security issues

* Jim Christie is bringing his "Meet the Fed" panel over from DEF CON, and the Hacker Court is back along with panels on Disclosure, a Public Forum on Corporate Spyware Threats hosted by The Center for Democracy and Technology Anti-Spyware Coalition, and a new challenge will be presented by the Jericho Forum.

Remember, prices increase July 1st for both the Briefings and Trainings. Register now to get the best rates!

http://www.blackhat.com/html/bh-registration/bh-registration.html#us

Other News:

Black Hat is pleased to release the presentations from last year's Black Hat 2005 Briefings in both audio and video format. Also a first, they will be available for download in both H.264 .mp4 format (iPod compatible) as well as .mp3 audio. Currently you have to subscribe to the Black Hat .rss feed to get them, but in the coming weeks we will make them available through the past conventions archive page.

http://www.blackhat.com/BlackHatRSS.xml

Black Hat would like to welcome the ISSA as a worldwide supporting association.

http://www.issa.org/

Thank you,

Jeff Moss

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBRI9L4kqsDNqTZ/G1AQKjlQgAnLKMSLL6Uc4BznLQ+sGkCf+v4kBXmSR2
ogJYZ8eciZxwJMrAFGhXGhJOHGQJxp2U/HEnISNhg+3W6TGhyl9rVO62z+2aBSfw
bvb+RSWWgMitiQqZcsRO8LkPorJlnpHSLzNxpH1GaVLFyJ17YwSCm1a/n2QPv+Pq
4nlC3KLKwgmFXY6uAkg95InvOeLly5uIelAGEllzIZ676A4fp5VMBeXtT/PDJwbs
49nZE8IPmxFPL1d9V47eWmjNpqMZBtNHuTaEhBhpWc1YbY0oE7Txv0EFWY2HGBLZ
S4XnlJCO9rbD1y0fbd1qof3BKVGW/nXaBG9SBOnctbFSDeyEVUTD3w==
=++JQ
-----END PGP SIGNATURE-----
[ISN] Stolen computer server sparks ID theft fears
http://msnbc.msn.com/id/13327187/

By Jim Popkin, Tim Sandler & the NBC Investigative Unit
NBC News
June 14, 2006

WASHINGTON - A thief recently stole a computer server belonging to a major U.S. insurance company, and company officials now fear that the personal data of nearly 1 million people could be at risk, insurance industry sources tell NBC News.

The computer server contains personal electronic data for 930,000 Americans, including names, Social Security numbers and tens of thousands of medical records.

The server was stolen on March 31, along with a camcorder and other office equipment, during a break-in at a Midwest office of American Insurance Group (AIG), company officials confirm.

An AIG spokesman says that there's no evidence that the thief has accessed the personal data on the server or used it for any illicit purpose. The server is password protected, the AIG spokesman adds.

The server contains detailed personal data from 930,000 prospective AIG customers, whose information had been forwarded to the insurance firm from 690 insurance brokers around the country. The potential customers' employers were shopping with AIG for rates for excess medical coverage, the spokesman says, when they forwarded the personal data to AIG.

AIG has not yet notified any of the people whose personal data are on the stolen server. AIG security officials have been conducting a forensic analysis of the theft, and warned the 690 insurance brokers of the problem on May 26.

The AIG spokesman tells NBC: "There is no indication that the thieves were seeking data, rather than valuable hardware. To date, we are unaware of any of this information being compromised."

In a police report on the incident, officers in the Midwestern city state that the stolen server was worth $10,000. The police write that the thief "came through the ceiling, going into their [AIG's] server room."

NBC News is not identifying the city at the company's request, so as to not tip off the thief who may not realize he/she has valuable personal information.

AIG describes itself as "the leading international insurance organization with operations in more than 130 countries and jurisdictions." Ironically, an AIG member company announced earlier this year that it now offers identity-theft insurance coverage.

© 2006 MSNBC Interactive
[ISN] Intelligence can be pretty dumb
http://www.theinquirer.net/?article=32411

By Nick Booth
14 June 2006

SECURITY FIRMS must be ruthlessly cunning and intelligent to stay ahead of the fiendish legions of hackers, crackers and cunning con artists they constantly warn us about. Or so you'd think. But not if this recent example of 'intelligence' is typical.

All companies keep tabs on the opposition. Usually, they employ competitive intelligence companies, who use all kinds of dirty tricks to find out about rivals' products, their marketing strategies and the incentives offered to resellers.

A typically fiendish scam would be to set up a phoney head hunting agency, then invite everyone that matters, at the target firm, for an "off the record" interview. Flattered by the attention, most CTOs and marketing directors are only too pleased to boast of the projects they're working on, the budgets they're in charge of and how many people are under them. This information is all tabulated, and sold for hundreds of thousands of dollars, to the client. Clients like to outsource this furtive behaviour so they can distance themselves from it if they get caught. Very cunning.

Some security firms are slightly less sophisticated, it seems. When security vendor Countersnipe launched its latest product, it expected a few bogus enquiries from its rivals. But a request from an outfit calling themselves Ychange seemed genuine enough. 'Jeff' from Ychange saw a demo and was so impressed he promised to show the product to Superluminal, his financial services client, which was just gagging to place a multi-million dollar order.

But a quick Whois check revealed that Superluminal's web site was owned by one of Countersnipe's rivals, Sourcefire. Perhaps Sourcefire didn't think anyone else would know about this new-fangled Internet thing.

"This has to be the least sophisticated attempt at spying I've ever seen," laughed Countersnipe's Amar Rathore, "I wouldn't mind, but they're a security firm, for God's sake. You'd think they'd know some cleverer tricks than that."

Sourcefire was unavailable for comment.
[ISN] Spam Is Good for Antispam Vendors
This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

St. Bernard Software
http://list.windowsitpro.com/t?ctl=2E774:4FB69

Patchlink
http://list.windowsitpro.com/t?ctl=2E786:4FB69

CrossTec
http://list.windowsitpro.com/t?ctl=2E76E:4FB69

1. In Focus: Spam Is Good for Antispam Vendors

2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Releases Rebranded Antigen Products
- 180solutions Merges with Hotbar, Renames Company Zango
- Two-Factor Authentication Tokens

3. Security Toolkit
- Security Matters Blog
- FAQ
- Share Your Security Tips

4. New and Improved
- Host-Based IPS Monitors Application Behavior

Sponsor: St. Bernard Software

Get the #1 Ranked Internet Filtering Appliance Free
iPrism, ranked #1 by IDC, gives you comprehensive protection from Web-based threats at the perimeter - spyware, IM and P2P are stopped before they can invade your networks. Now, get the appliance at no charge when you purchase a multi-year subscription. This is a limited-time offer, so get a Quick Quote today.
http://list.windowsitpro.com/t?ctl=2E774:4FB69

1. In Focus: Spam Is Good for Antispam Vendors
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about Okopipi--the current successor to Blue Security's Blue Frog antispam service. In closing that article, I described a dream situation in which Microsoft philanthropically backs the Okopipi project and bundles the antispam solution with every copy of Windows. This week, I'll point out some statistics and financial figures that show why I think that dream will never become a reality--not with Microsoft or any other major antispam-solution provider.

First, let's look at the cost of spam for businesses: In February 2005, Ferris Research said, "Lost productivity and other expenses associated with spam will cost US businesses $17 billion in 2005. Worldwide costs could reach $50 billion, primarily because of lost employee productivity. Not included in these figures are immeasurable items, such as the missed opportunity cost of a new customer order that's incorrectly discarded as spam." That's a lot of incentive for businesses to implement antispam solutions.
http://list.windowsitpro.com/t?ctl=2E77B:4FB69

Next, let's look at antispam-solution revenue figures: Also in February 2005, IDC predicted that "...worldwide revenue for antispam solutions will exceed $1.7 billion in 2008, far surpassing the $300 million generated in 2003. [The] development of spam from a mere nuisance to an increasingly serious problem [is] the driver for explosive revenue growth, innovation, and investment in the antispam market. The worldwide revenue for antispam solutions will experience a compound annual growth rate (CAGR) of 42% through 2008."
http://list.windowsitpro.com/t?ctl=2E77A:4FB69

Now let's look at email usage and spam volume growth: In January 2006, the Radicati Group estimated that there were more than 1.2 billion active email accounts. Worldwide email traffic per day was about 135 billion messages, of which 67 percent were spam. Then in May 2006, Radicati estimated that there were nearly 1.4 billion active email accounts and worldwide email traffic per day of about 171 billion messages, of which 71 percent were spam.
http://list.windowsitpro.com/t?ctl=2E771:4FB69
http://list.windowsitpro.com/t?ctl=2E775:4FB69

Summarizing Radicati's data, the number of mailboxes increased by 200 million, the volume of email traffic increased by 36 million messages, and the volume of spam increased by 31 million messages--all in less than half a year!

The increases represent a tremendous gain in potential customers for antispam vendors, which of course can readily equate to huge increases in revenue. The spam problem has given birth to a billion-dollar market for antispam-solution providers.

If we keep in mind that most companies exist for the primary purpose of generating income for their owners and investors, then we can easily see that no current antispam vendor has the impetus to stamp out spam because doing so would run counter to its fiduciary responsibility. Therefore, the Okopipi project will probably not be seen in a good light by any antispam-solution provider, except of course one that finds a way to profit from the ultimate antispam solution of stamping out spam completely.

Sponsor: PatchLink

Does your patch management solution automatically track and re-deploy to ensure network security? 20% of patches unknowingly become un-patched. Learn more about automating the analysis, distri
[ISN] Hacker disrupts state disaster site
http://www.tallahassee.com/apps/pbcs.dll/article?AID=/20060614/NEWS01/606140312

By Stephen D. Price
CAPITOL BUREAU
June 14, 2006

As Tropical Storm Alberto barreled toward Florida, a computer hacker disrupted public access to the state's emergency Web site for about 20 minutes Tuesday morning, but the glitch did not affect emergency workers, officials said.

The Web site, www.floridadisaster.org, is set up by the Division of Emergency Management and allows Floridians to access information about emergency situations. The problem delayed a briefing by emergency workers.

"Someone intentionally did this," said Carla Boyce, plans chief for the Division of Services Management. "Loopholes get discovered and hackers take advantage of them."

The Florida Department of Law Enforcement is investigating the incident.

At 7:30 Tuesday morning, emergency workers noticed the site showed error messages, said David Halstead, State Emergency Response Team chief. He said a similar problem happened a week ago.

"It takes someone with good computer skills to do this," Halstead said.

Boyce said workers are reviewing logs and network tools for clues to learn who did the hacking and from where. The problem was fixed, and extra precautions are being taken so it doesn't happen again, she said.
[ISN] VA IT security gaps extend to contractors
http://www.gcn.com/online/vol1_no1/41035-1.html

By Mary Mosquera
GCN Staff
06/14/06

The Veterans Affairs Department said today that it has been investigating allegations that an offshore medical transcription subcontractor last year threatened to expose 30,000 veterans' electronic health records on the Internet in a payment dispute with a VA contractor.

The VA assistant inspector general referred to the investigation during questioning in a congressional hearing on VA's data security environment in the wake of the theft of sensitive data of 26.5 million veterans, active duty military and reserves officers.

The medical transcription incident highlights how gaps in information security also extend to contractors, said Michael Staley, VA's assistant inspector general for auditing.

Some VA medical transcription contractors have used offshore subcontractors in India and Pakistan without VA's approval and without adequate controls to ensure veterans' health information was secure under the Health Insurance Portability and Accountability Act, according to an audit released today.

"Contracts do not specify criteria for how to protect information," Staley told the House Veterans Affairs Committee.

Staley enumerated audits of information management security under the Federal Information Security Management Act, the Consolidated Financial Statement and Combined Assessment Program that revealed significant vulnerabilities. These include VA not controlling and monitoring employee access, not restricting users to only the data they need and not terminating accounts of departing employees in a timely manner.

In last year's FISMA review, the IG provided 16 recommendations, including addressing security vulnerabilities of unauthorized access and misuse of sensitive information and data throughout VA demonstrated during its field testing. All 16 recommendations remain open, he said.

Audits also found instances where out-based employees send veterans' medical information to the VA regional office through unencrypted e-mail; monitoring remote network access and usage does not routinely occur; and off-duty users' access to VA computer systems and sensitive information is not restricted.

"VA has implemented some recommendations for specific locations identified but has not made corrections VA-wide," he said.

From fiscal years 2000 to 2005, the IG identified IT and security deficiencies in 141, or 78 percent, of 181 Veterans Health Administration facilities reviewed, and 37, or 67 percent, of the 55 Veterans Benefits Administration facilities reviewed.

"We recommended that VA pursue a more centralized approach, apply appropriate resources and establish a clear chain of command and accountability structure to implement and enforce IT internal controls," Staley said.

The underlying situation is the VA's department CIO does not have authority to enforce compliance with data security and information management and recommendations from GAO, said Veterans Affairs Committee chairman Steve Buyer (R-Ind.). Buyer traced problems in security enforcement to a memo dated April 2004 from the general counsel that said the department CIO did not have enforcement authority.

The CIO, undersecretaries who lead VA's benefits, health and burial administrations, and the VA secretary share responsibility for enforcement, said Gregory Wilshusen, director of information security issues for the Government Accountability Office.

"Information security is a governmentwide problem, and we have talked with OMB about that," said Linda Koontz, director of GAO's information management issues.

Buyer expressed frustration that there are no consequences for "recalcitrant" agencies that do not correct problems that GAO has repeatedly highlighted. He cited the Privacy Act, which has been strengthened with consequences.

"If you have a bureaucracy so strong in the department that the secretary or political bodies are unable to act, don't you think the president or vice president or OMB needs to know that because there are monetary consequences behind that inaction? I'm bothered that GAO doesn't have the higher authority to which they can turn," Buyer said after the hearing.

After several more hearings this month, Buyer and his committee will make recommendations or craft legislation. He suggested that Congress consider looking at strengthening FISMA.

"We can even come up with that in our language, but we're not going to have jurisdiction over that. We'll have to work with Mr. Davis [House Government Reform Committee chairman Tom Davis (R-Va.)] and his committee. I'd be more than happy to do that," he said.
[ISN] FBI loses 400 pieces of equipment
http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060614-024108-3918r

6/14/2006

WASHINGTON, June 14 (UPI) -- The U.S. FBI may have lost 400 pieces of equipment, National Journal's Technology Daily reported Monday.

The Federal Bureau of Investigation still has not told the Government Accountability Office what has happened to hundreds of pieces of equipment that were supposed to be part of a failed department-wide case-management system.

"The FBI also has not provided any additional explanation for the remaining roughly 400 missing assets," Linda Calbom, the GAO's director of financial management and assurance wrote in a letter.

The letter, dated Friday, was addressed to Senate Judiciary Committee Chairman Arlen Specter, R-Pa., and addressed many of the follow-up questions that the committee had for GAO.

The GAO released a report in May detailing the flaws in the FBI's Trilogy system, Technology Daily said. It reported that the FBI could not locate more than 1,200 pieces of equipment, valued at about $7.6 million.

The FBI responded by saying that it had accounted for 800 of those items, but GAO could not verify that claim, Calbom wrote, the report said.

© Copyright 2006 United Press International, Inc. All Rights Reserved
[ISN] Money lost to cybercrime down--again
http://news.com.com/2100-7349_3-6083860.html

By Joris Evers
Staff Writer, CNET News.com
June 14, 2006

SCOTTSDALE, Ariz.--While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cybercrime continue to drop, according to a new survey.

For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey's findings in a presentation at the CSI NetSec conference here Wednesday.

Respondents in the 2005 survey reported an average of $204,000 in cybercrime losses, Richardson said. This year, that's down to $168,000, about an 18 percent drop, he added. Compared with 2004, the average loss is down 68 percent.

"How do you go about reconciling the sense of things getting worse with the respondents who are saying they are losing less money?" Richardson asked.

The 2006 survey, a final version of which is slated to be released next month, could provide some answers. Most important, perhaps, the 615 U.S. CSI members who responded to this year's survey reported fewer security incidents. Viruses, laptop theft and insider abuse of Net access are still the most reported threats, but all have decreased compared with last year.

"The danger of insiders may be somewhat overstated, according to the survey group," Richardson said. About a third of respondents said they had no losses at all due to insider threats, another 29 percent said less than one-fifth of overall losses came from insider threats.

Consistent use of security technology may also contribute to the improvements, with essentially all of the respondents stating that they use firewall and antivirus software, not much of a change from last year. This year, eight out of 10 said they also use spyware protection, a category not listed a year ago.

"Overall, you have a picture that is pretty good in many ways," Richardson said. "We're seeing fewer of some of the attacks that have been such a plague for us in many years, and respondents are using less and less money."

That "less money" may be good for companies, but not for security vendors. It refers to the percentage of IT budgets spent on security. In the 2006 survey, nearly half of the respondents said less than 2 percent of the budget is spent on security. Last year that percentage was 35 percent.

When it comes to cybercrime losses, consumers might be bearing the brunt of them, and they are not covered by the survey, Richardson suggested. "Consumers are the low-hanging fruit," he said. Costs related to identity theft, for example, fall largely back onto the consumer, he added, even if it did start with a data breach at an enterprise.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
[ISN] Exploits for Microsoft flaws circulating
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001182

By Jaikumar Vijayan
Computerworld
June 14, 2006

Security firms are warning about the availability of attack code targeting some of the flaws for which Microsoft Corp. released patches yesterday (see "Microsoft releases fixes for 21 vulnerabilities" [1]).

Most of the exploits target flaws that were previously known but for which patches became available only as part of Microsoft's June monthly security update. But at least two publicly available exploits are directed at newly disclosed flaws in the company's products.

"Exploit code had already existed for three of the vulnerabilities prior to yesterday, as they were already public issues," said Michael Sutton, director of VeriSign Inc.'s iDefense Labs. "Beyond that, we're seeing public exploit code emerge for some of the new vulnerabilities and are hearing rumors of private code existing for others."

The availability of such exploits heightens the risk for companies that have not yet been able to patch their systems and is an important factor to consider when deciding which systems to patch first, he said.

"We believe that it is far more beneficial to withhold proof-of-concept code for an amount of time so that customers can get the vulnerabilities patched," said Stephen Toulouse, security program manager at Microsoft's security response center. "The public broadcasting of code so quickly after a bulletin release, we believe, tends to help attackers."

Microsoft is telling its customers to pay special attention to three key updates -- MS06-021, MS06-022 and MS06-023 -- because they could be particularly easy to exploit using Internet Explorer. "There are methods by which if you just browse to a Web site, there could be code execution," Toulouse said.

According to iDefense, some form of exploit code is publicly available against the cross-domain information disclosure vulnerability described in bulletins MS06-021, the address bar spoofing flaw in MS06-021 and the Word malformed object pointer vulnerability described in MS06-027. All three were previously known flaws and were given a severity rating of "critical" by Microsoft.

In addition, exploits have also become publicly available for both of the newly disclosed server message block vulnerabilities in MS06-030, according to iDefense.

The SANS Internet Storm Center this morning posted a note also listing exploits released by penetration-testing vendors to customers. One of the exploits was directed against the Windows Media Player flaw in MS06-024, while the other was targeted at the routing and remote-access vulnerability in MS06-025. Denial-of-service attack codes are also privately available for a TCP/IP flaw in MS06-032, according to SANS.

Outside of the Word malware, which began circulating last month, Microsoft has not yet seen any of these exploits used by attackers, Toulouse said.

The availability of exploit code once again shows that there is no longer any "patching window" for companies, said Johannes Ullrich, chief research officer at the Internet Storm Center.

"Companies don't have the luxury of sitting back and waiting," Ullrich said. "They have to expect that public exploits will become available the day after vulnerabilities are disclosed, and they have to expedite the patching process," despite the challenges involved, he said.

Robert McMillan of the IDG News service contributed to this report.

[1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001163