Tuesday, September 15, 2009

Nonprofit for collecting info on SCADA & PCS security incidents

The Risks Digest has an item that refers to Stephanie Neil's article in "Managing Automation", 12 Sep 2009, which discusses http://www.securityincidents.org, "a newly formed non-profit group that provides public access to its Repository of Industrial Security Incidents (RISI)". The group focuses on SCADA and process control security incidents.

Thursday, September 10, 2009

How much are you worth on the black market?

Slashdot reports a new tool being developed by Symantec to raise consumer awareness about cybercrime. By answering a few questions about your personal Internet use, the tool calculates your net worth on the black market in three areas: how much your online assets are worth, how much your online identity would sell for on the black market, and your risk of becoming a victim of identity theft.

Norton's Online Risk Calculator is not intended to promote software or instill fear but to raise awareness about cybercrime, according to Marian Merritt, Internet security advocate for Symantec. Merritt pointed out that cybercrime is now larger than the international drug trade. Nearly 10 million people have reported identity theft in the United States in the past 12 months and one in four households have already been victimized, she said.

Cybercrime is well reported in the IT space, but the message doesn't often reach the general public, according to Merritt. "You turn on the news and they are talking about capturing drug dealers going across the border, but they rarely show a hacker in handcuffs," she said.

See more in IT WORLD.

Sunday, August 16, 2009

NIST Releases Security Standards for Federal Systems

The National Institute of Standards and Technology (NIST) released Special Publication 800-53, titled Recommended Security Controls for Federal Information Systems and Organizations. This document addresses information security standards and guidelines, including minimum requirements for federal information systems. Released as part of NIST’s statutory responsibilities under the Federal Information Security Management Act (FISMA), this publication is geared toward information system and information security professionals who develop, implement, operate, manage, or assess/monitor federal information systems.

Thursday, July 23, 2009

Adobe Vulnerability Targeted in Drive-by Attacks

eWEEK.COM is running a story about a new zero-day vulnerability affecting Adobe's Flash Player software that is being exploited by attackers via drive-by downloads.

Adobe first warned about the vulnerability July 21, then issued an updated advisory the next night. The issue affects current versions of Flash Player on Windows, Mac and Linux platforms.

According to the U.S. Computer Emergency Response Team (US-CERT), an attacker can trigger an overflow by luring a user into opening a malicious Flash (SWF) file that is either hosted or embedded on a Web page or contained in a PDF file. Then the attacker could either trigger a system crash or take full control of a vulnerable system.
“There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows,” according to a post on the Adobe Product Security Incident Response Team blog. “We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh, and UNIX by July 31, 2009.”
“At the moment there (are) a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate Websites to create a drive-by attack, as expected,” according to SANS Internet Storm Center.


See full article at eWEEK.COM.

Tuesday, July 07, 2009

Google Book Search Settlement Inquiry Announced

ISEDB's article "Google Book Search Settlement Inquiry Announced" includes a link to Pam Samuelson's talk Reflections on the Google Book Search Settlement. See also her 4/17/09 guest blog "Legally Speaking: The Dead Souls of the Google Booksearch Settlement", where she says:

"In the short run, the Google Book Search settlement will unquestionably bring about greater access to books collected by major research libraries over the years. But it is very worrisome that this agreement, which was negotiated in secret by Google and a few lawyers working for the Authors Guild and AAP (who will, by the way, get up to $45.5 million in fees for their work on the settlement—more than all of the authors combined!), will create two complementary monopolies with exclusive rights over a research corpus of this magnitude. Monopolies are prone to engage in many abuses."

"The Book Search agreement is not really a settlement of a dispute over whether scanning books to index them is fair use. It is a major restructuring of the book industry’s future without meaningful government oversight. The market for digitized orphan books could be competitive, but will not be if this settlement is approved as is."



Professor Samuelson points out that "nothing in the settlement agreement speaks about privacy interests of users" and that this is very different from how libraries operate.

Tuesday, May 26, 2009

Announcement: 2nd Annual Privacy Law Scholar Conference, June 4-5 2009

The 2nd Annual Privacy Law Scholars Conference (PLSC) will be held at the Claremont Resort in Berkeley, CA, on June 4-5. PLSC is an academic paper workshop, and there are no panels of boring talking heads. Instead, we have two days of intense discussion about privacy issues.

If you have students who are interested in working in the privacy field, I strongly encourage you to pass on info about the event. It's free, and about 100 privacy academics (predominantly law, but also econ and some computer science, including Peter Neumann, Chris Soghoian, and Jeff Jonas, the inventor of NORA) participate, as well as 50 leading legal practitioners. It's a wonderful opportunity to network, share ideas, etc.

Schedule and information

The password to all papers is plsc2009.

Send email to choofnagle at law.berkeley.edu if you would like to participate.

Thursday, May 14, 2009

Mathematical Advances Strengthen IT Security

ACM TechNews is running an article about a new cryptography approach based on the mathematical theory of elliptic curves, a leading candidate to replace the widely used RSA public key security system.

Elliptic curves are equations with two variables, e.g., x and y, including terms where both x and y are raised to powers of two or more. The possibilities for elliptic curves and other modern mathematical techniques were discussed at a recent workshop organized by the European Science Foundation (ESF).
“The impact of the elliptic curve method for integer factorisation (developed by my PhD advisor Hendrik Lenstra) has played a role in introducing elliptic curves to cryptographers, albeit for attacking the underlying problem on which RSA is based (the difficulty of factoring integers),” said David Kohel, convenor of the ESF workshop, from the Institut de Mathematiques de Luminy in Marseille, France.

Kohel describes the advantage of elliptic curve cryptography as its immunity to the specialized attacks that have degraded the strength of RSA (smaller keys can be used to provide the same levels of protection).
"In general, the cryptographer has the benefit over the cryptanalyst (the person attacking the cryptosystem) as he or she can select the key size for any desired level of security, provided everyone has the same base of knowledge of best attacks on the underlying cryptosystem," he says.
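To make the "key size for a desired level of security" point concrete, here is an added example (not from the ACM TechNews or ESF article) of the elliptic-curve group law that ECC is built on, worked on the textbook curve y² = x³ + x + 1 over the field of 23 elements, followed by a Diffie-Hellman exchange on it. The curve, base point and the private scalars 5 and 7 are chosen here for hand-checkability; real deployments use standardised curves over primes of roughly 256 bits.

```python
# Added example: the elliptic-curve group law that ECC builds on, over a tiny
# prime field so every step can be checked by hand. Curve parameters and key
# values here are constructed for illustration; real systems use standardised
# curves over ~256-bit primes.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity (group identity)

P_MOD = 23          # field prime
A, B = 1, 1         # curve y^2 = x^3 + A*x + B (mod P_MOD), short Weierstrass form
G: Point = (3, 10)  # base point: 3^3 + 3 + 1 = 31 = 8 (mod 23) and 10^2 = 100 = 8 (mod 23)


def on_curve(pt: Point) -> bool:
    """True if pt satisfies the curve equation (the identity always does)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def inv_mod(v: int) -> int:
    """Modular inverse via Fermat's little theorem: v^(p-2) = v^-1 (mod p)."""
    return pow(v % P_MOD, P_MOD - 2, P_MOD)


def neg(pt: Point) -> Point:
    """The inverse of (x, y) is (x, -y): reflection across the x-axis."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p1: Point, p2: Point) -> Point:
    """Chord-and-tangent addition, covering the identity and P + (-P) cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # P + (-P) = O; also covers doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1) % P_MOD  # tangent slope
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1) % P_MOD         # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """k * pt by double-and-add; recovering k from (pt, k*pt) is the hard problem."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh(alice_priv: int, bob_priv: int) -> Tuple[Point, Point]:
    """Diffie-Hellman on the curve: each side multiplies the other's public point
    by its own secret scalar; both land on the same shared point."""
    alice_pub = scalar_mult(alice_priv, G)  # sent in the clear
    bob_pub = scalar_mult(bob_priv, G)      # sent in the clear
    return scalar_mult(alice_priv, bob_pub), scalar_mult(bob_priv, alice_pub)


if __name__ == "__main__":
    print("2G =", scalar_mult(2, G), " 28G =", scalar_mult(28, G))
    print("shared secrets:", ecdh(5, 7))
```

On this curve the base point has order 28, so 28G returns to the identity and the two sides of the exchange with secrets 5 and 7 both compute 35G = 7G.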

See details in European Science Foundation.

Tuesday, April 28, 2009

Chinese Hackers Targeting NYPD Computers

Slashdot carries an article about a network of mystery hackers, mostly based in China, making 70,000 attempts a day to break into the NYPD's system, according to Commissioner Raymond Kelly. He said he suspects that his department is being targeted by foreign hackers because it has beefed up operations in the international arena since the 9/11 attacks.
"We are constantly studying events worldwide and assessing their implications for New York," said Kelly, adding that the NYPD now has officers stationed in Abu Dhabi, Jordan, Great Britain, France, Spain, Canada and the Dominican Republic.
Kelly also said senior police officers have been attending lectures by foreign affairs and terrorism experts. The Commissioner's surprising revelations closely followed a Canadian report exposing a China-based electronic spy network that has invaded at least 1295 computers in 103 countries.

Dubbed "GhostNet", the group of hackers has targeted embassies, foreign ministries and the Dalai Lama's offices in India, Brussels, London and New York.

Toronto University's 10-month study suggests that the GhostNet is linked to Chinese government espionage agencies, which Chinese government officials deny.

See complete article in the New York Daily News.

Wednesday, April 22, 2009

Most electronic voting isn't secure, CIA expert says

The Risks Digest points to an article about a CIA agent testifying before the Election Assistance Commission. His position is that electronic votes are not secure, that they can be altered and, further, that they are already being altered in some locales.

The CIA agent, a cybersecurity expert, suggested that Venezuelan President Hugo Chavez and his allies fixed a 2004 election recount, a pronouncement that could further agitate U.S. relations with the Latin leader.

In a presentation that could provide foreboding lessons for the United States, where electronic voting is becoming preeminent, Steve Stigall summarized what he described as attempts to use computers to undermine democratic elections in developing nations. Stigall told the Election Assistance Commission that computerized electoral systems can be manipulated at five stages, from altering voter registration lists to posting results.
"You heard the old adage 'follow the money,' " Stigall said, according to a transcript of his hour-long presentation that McClatchy obtained. "I follow the vote. And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to . . . make bad things happen."

Stigall said that some countries had taken extraordinary steps that improved security. For example, he said internet systems that encrypt vote results so they're unrecognizable during transmission "greatly complicates malicious corruption."

After reviewing the agent's remarks, Susannah Goodman, director of election reform for the citizens' lobby Common Cause, said they showed that "we can no longer ignore the fact that all of these risks are present right here at home . . . and must secure our election system by requiring every voter to have his or her vote recorded on a paper ballot."

See complete article in McClatchy Newspapers.

Monday, January 26, 2009

Obama Sides With Bush In Spy Case

Slashdot picked up a story in Wired about the Obama administration siding with the Bush administration when it urged a federal judge to set aside a ruling in a closely watched case examining whether a U.S. president may bypass Congress and establish warrantless wiretapping programs designed to spy on American citizens.

With just hours left in office, President George W. Bush asked U.S. District Judge Vaughn Walker late Monday to stay enforcement of a Jan. 5 ruling admitting key evidence into the case. On Thursday, the Obama administration said in its filing with the court that "The Government's position remains that this case should be stayed", marking the first time it was clear that the new president was in agreement with the Bush administration's reasoning in this case.

The legal hubbub concerns Walker's decision to admit a classified document as evidence that allegedly shows that two American lawyers for a now-defunct Saudi charity were electronically eavesdropped on without warrants in 2004.

The Obama administration is in agreement with the previous administration in its legal defense of July legislation that immunizes the nation's telecommunications companies from lawsuits accusing them of complicity in Bush's eavesdropping program, according to testimony last week by incoming Attorney General Eric Holder.

A separate case requiring a decision on the constitutionality of the immunity legislation (which Obama voted for as a U.S. Senator from Illinois) brought by the Electronic Frontier Foundation is pending before Judge Walker.

See details in Wired.

Wednesday, January 21, 2009

Privacy Groups Want Strong Security Measures for Electronic Health Records

SANS Institute summarizes an article about US privacy rights and civil liberties advocacy groups writing to legislators and asking them to ensure that any adoption of electronic health records includes substantial security measures. Such letters from the American Civil Liberties Union, the National Association of Social Workers and Patient Privacy Rights request that patients have control over how their medical records are used and that they be protected from organizations that share and sell medical information.
"We all want to innovate and improve health care, but without privacy our system will crash as any system with a persistent and chronic virus will," Patient Privacy Rights executive director Ashley Katz said at a Capitol Hill briefing.
Edward Kennedy, chairman of the Senate Health, Education, Labor and Pensions Committee, and ranking member Michael Enzi submitted a bill in the 110th Congress and have worked with Judiciary Chairman Patrick Leahy to beef up its privacy provisions. However, Senate Small Business ranking member Olympia Snowe does not believe the measure went far enough, and together with Rep. Edward Markey, D-Mass., and Rep. Lloyd Doggett, D-Texas, offered letters of support for the privacy groups' call to action.
"Without robust safeguards, the health IT systems we are planning for today could turn the dream of integrated, seamless electronic health networks into a nightmare for consumers," Markey said in a statement.

For complete article, see nextgov.

Tuesday, January 13, 2009

CWE/SANS TOP 25 Most Dangerous Programming Errors

Yesterday, the SysAdmin, Audit, Network, Security (SANS) Institute announced that experts from more than 30 U.S. and international cyber security organizations, meeting in Washington D.C., jointly released a list of the 25 most dangerous programming errors that bring about security bugs permitting cyber espionage and cyber crime. The project is a significant component of an overall national security initiative.

The impact of such errors is extensive: just two of the errors led to more than 1.5 million web site security breaches in 2008. Those breaches then cascaded onto the computers of people who visited those websites.

The people and organizations that provided input to the project are among the most respected security experts, and come from a wide range of leading organizations: from Symantec, Microsoft, DHS's National Cyber Security Division and NSA's Information Assurance Division to the Japanese IPA, the University of California at Davis and Purdue University.

Remarkably, all the experts quickly came to agreement, despite some intense discussion.
"There appears to be broad agreement on the programming errors," says SANS Director, Mason Brown, "Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."


See complete Announcement in SANS.

Thursday, January 08, 2009

State Secrets Defense Rejected in Wiretapping Case

Slashdot references a report in Ars Technica of a federal judge ruling that a lawsuit filed by an Islamic charity alleging illegal wiretapping by the National Security Agency may proceed.

The case, Al Haramain v. Bush, stands out in that, unlike the Electronic Frontier Foundation's more widely publicized suits against the NSA and cooperating telecoms, the plaintiffs here know that the directors of the charity were specifically subjected to warrantless surveillance, thanks to a government faux pas that put a classified memo in the hands of the charity's lawyers.

Judge Vaughn Walker, who has been handling a raft of suits concerning the NSA's super-secret Stellar Wind program, decided that the charity could seek to show they'd been spied upon using public evidence.
"Without a doubt," he wrote, "plaintiffs have alleged enough to plead 'aggrieved persons' status so as to proceed to the next step in proceedings."
The Justice Department repeatedly tried to block the suit by invoking national security concerns. At one point, Walker described the government's argument as "without merit" and characterized another argument as "circular".

See complete report at Ars Technica.

Wednesday, December 24, 2008

Congress in the Cyber-Crosshairs

ACM TechNews points out the cover story of National Journal about what it will take to keep the next invader out of Congressional computers.

Two years ago, 15 House panels and members' offices were invaded by malware whose nature suggests the intrusions originated in China. Rep. Frank Wolf (R-Va.), one of the targets, argued before the House that the fear of admitting vulnerability might be the reason U.S. intelligence and national security officials were reluctant to publicize the breaches sooner.
"I strongly believe that the appropriate officials, including those from the Department of Homeland Security and the FBI, should brief all members of Congress in a closed session regarding threats from China and other countries against the security of House technology, including our computers, BlackBerry devices, and phones," he said.
While there appears to be little interest from members of Congress in discussing cyber vulnerabilities, that is likely because they have little understanding of them. Amit Yoran, former director of the DHS Cyber Security Division, says
"As a member of Congress, you have so many issues competing for your attention and, historically, cyber-security hasn't been one that's won out. It's not an issue that is particularly well tracked by their constituents."
A recent study prepared by the Center for Strategic and International Studies for President-elect Barack Obama concluded that Congress is unsuited for managing executive-branch cybersecurity due to the inconsistency and fragmentation of its oversight. The study group recommended that Obama take charge of cybersecurity and establish a new office for cyberspace in the Executive Office of the President that would collaborate closely with the National Security Council, "managing the many aspects of securing our national networks while protecting privacy and civil liberties."

See complete article at National Journal Magazine.

Monday, December 08, 2008

U.S. Is Losing Global Cyberwar, Commission Says

ACM TechNews summarizes an article in Business Week about how ill prepared the United States is for the challenges of 21st century cybersecurity. This woeful conclusion comes from a new report issued by the U.S. Commission on Cybersecurity.
"The damage from cyber attack is real," states the cybersecurity group's report, referring to the 2007 intrusions at the departments of Defense, State, Homeland Security, and Commerce as well as at NASA and the National Defense University.
The report calls for the creation of a Center for Cybersecurity Operations that would act as a regulator of computer security in both the public and private sectors.
"We're playing a giant game of chess now and we're losing badly," says commission member Tom Kellermann, a former World Bank security official who now is vice-president of Security Awareness at Core Security.


See full story in BusinessWeek.

Friday, December 05, 2008

Who Protects the Internet?

Slashdot calls attention to an interview with General Kevin Chilton, U.S. STRATCOM commander and the head of all military cyberwarfare, appearing in TechCrunch, a technical weblog that profiles and reviews Internet products and companies.

The interview brings to light the critical question: Is the internet actually protected? Who protects us?
"Basically no one", says Jonathan Zittrain, American law professor, researcher and author. "At most, a number of loose confederations of computer scientists and engineers who seek to devise better protocols and practices — unincorporated groups like the Internet Engineering Task Force and the North American Network Operators Group. But the fact remains that no one really owns security online, which leads to gated communities with firewalls — a highly unreliable and wasteful way to try to assure security."

See more in TechCrunch.

Wednesday, December 03, 2008

You're Leaving a Digital Trail. What About Privacy?

ACM TechNews picked up an article published in The New York Times on how new technologies and the Internet's incursion into every aspect of life are creating what is coming to be called 'collective intelligence'.

While collective intelligence offers powerful capabilities, such as improving the efficiency of advertising or giving community groups new organizational capabilities, it is clear to all that, if misused, collective intelligence tools could create an Orwellian future on an unprecedented scale. Collective intelligence could be used by insurance companies, for example, to covertly identify people suffering from a particular disease and then deny them insurance coverage. Or the government or law enforcement could identify members of a protest group by monitoring social networks.
“There are so many uses for this technology — from marketing to war fighting — that I can’t imagine it not pervading our lives in just the next few years,” says Steve Steinberg, a computer scientist who works for an investment firm in New York.
Steinberg argues in a well-known Web posting that there were significant chances it would be misused: "This is one of the most significant technology trends I have seen in years; it may also be one of the most pernicious.”

See more in The New York Times.

Monday, November 24, 2008

Obama Administration to Inherit Tough Cybersecurity Challenges

ACM TechNews remarks on the status of the initiatives launched in the current administration and what U.S. President-elect Barack Obama will need to take on to improve cybersecurity. Many of the current initiatives are still works in progress, including Homeland Security Presidential Directive-12 (HSPD-12), which aims to improve the security of government facilities and computer networks by requiring federal agencies to issue new smart card identity credentials to all employees and contractors by the end of October. Meeting that goal, however, is at least two years away.

It is critical that the Obama administration stop tying federal cybersecurity responses so closely to the post-9/11 war against terror, says Gartner Inc. analyst John Pescatore.
"The terrorist attacks of 2001 sent the Bush administration in the wrong direction" on the cybersecurity front, Pescatore said. There has been too much of a tendency to view cyberthreats in the same light as physical terrorism threats and to respond to them in the same manner. In the process, some of the more immediate threats to government data and networks have been somewhat overlooked, he said.
See full story in COMPUTERWORLD.

Friday, November 21, 2008

Minnesota Senate Race Could Hinge on Scanning Machine Mistakes

ACM TechNews notes that, according to an article in cnet news, the U.S. Senate race in Minnesota is still undecided and a hand recount could reveal that several thousand votes were mistakenly rejected by optical-scan voting machines. The outcome of the Senate race may depend on whether scanning machines made mistakes two weeks ago when tabulating ballots. Republican Senator Norm Coleman holds only a 200 vote lead over his opponent, Democrat Al Franken. Because Coleman's lead is under a margin of 0.5 percent of the more than 2.9 million votes cast in the race on November 4th, the state automatically starts a hand recount of every ballot.

Director of governmental affairs for the Minnesota secretary of state's office Beth Fraser says the optical scanning machines used to read paper ballots could have mistakenly rejected enough ballots to affect the outcome of the race.

Although the optical scanning machines may have rejected some crucial votes, Fraser said the machines are still the best option for counting votes.
"It speeds up the counting but gives us the paper ballots to count on, so the results are fully auditable," she said.

See entire article in cnet news.

Monday, November 17, 2008

Feds Can Locate Cell Phones Without Telcos

Slashdot flags an Ars Technica report about the release of documents obtained under the Freedom of Information Act suggesting that "triggerfish" technology can be used to pinpoint cell phones without involving the cell phone providers at all. Triggerfish are cell-tower spoofing devices that can trick cell phones into giving up their location and other identifying information without notifying the carrier or the user. This may be significant because the legal rulings requiring law enforcement to meet a high "probable cause" standard before acquiring cell location records have so far pertained to requests for information from providers.


The Justice Department's electronic surveillance manual explicitly suggests that triggerfish may be used to avoid restrictions in statutes like CALEA (Communications Assistance for Law Enforcement Act) that bar the use of pen register or trap-and-trace devices...

It is therefore somewhat surprising that it is only with the passage of the USA PATRIOT Act in 2001 that the government has needed any kind of court order to use triggerfish. Although previously the statutory language governing pen register and trap-and-trace orders did not appear to include location tracking technology, the updated definition explicitly includes any "device or process which records or decodes dialing, routing, addressing, and signaling information."


See full story in Ars Technica.

Friday, November 14, 2008

Why Veins Could Replace Fingerprints and Retinas as Most Secure Form of ID

ACM TechNews mentions that finger vein authentication is starting to gain traction in Europe. Widely introduced by Japanese banks in the past two years, it is claimed to be the fastest and most secure biometric method of authentication. Companies in Europe have also begun to roll out this advanced biometric system from Japan, which identifies people from the unique patterns of veins inside their fingers.

Hitachi developed the technology, which captures the pattern of blood vessels by transmitting near-infrared light at different angles through the finger, then turning it into a digital code to match against preregistered profiles. Unlike fingerprints, which can be "lifted", and retinas, which can be scanned without an individual realizing it, it is extremely unlikely that people's finger vein profiles can be taken without them being aware of it.

Easydentic Group in France says it will use finger vein security for door access systems in the United Kingdom and other European markets.

For full story, see London Times Online.

Wednesday, November 05, 2008

Obama, McCain Campaigns Both Hacked, Files Compromised

Slashdot writes of post-election news coming out of both campaigns on what transpired behind closed doors. Apparently both Obama's and McCain's campaigns had their systems hacked over the summer -- and not by each other.

Technology experts detected what they initially thought was a case of "phishing" at the Obama headquarters in midsummer. However, by the next day both the FBI and Secret Service came to the campaign with an ominous warning:
"You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system."
Obama's aides were told by the Feds in late August that the McCain campaign's computer system had been similarly infiltrated. A top McCain official confirmed to NEWSWEEK that the campaign's computer system had been hacked and the FBI had become involved.

White House and FBI officials told the Obama campaign that they believed a foreign entity or organization had been seeking information on the evolution of both camps' policy positions, information that might prove useful in negotiations with a future administration. Obama technical experts later speculated that the hackers were Russian or Chinese.

See Newsweek.

Monday, November 03, 2008

E-Voting Groups Are Watching a Handful of States

ACM TechNews summarizes an article on potential problems with electronic voting in several states. Pamela Smith, president of Verified Voting and long a critic of electronic voting machines, is more worried about the long lines on election day. Any sort of equipment failure in places like Pennsylvania and Virginia will create additional problems because they do not have polls open for early voting despite the record number of new voter registrations, particularly among Democrats.

Further, Pennsylvania and Virginia do not mandate paper-trail backups for their touch-screen electronic voting machines. Critics of e-voting say that without that paper trail, there is no way to audit the results of a touch-screen machine.

Several states do not have adequate numbers of voting machines in place to back up malfunctioning equipment.

As Smith puts it: "This is an election that will sort of stress-test the [election] systems. Any problem that's going to come up is going to be amplified."

See full article in PCWorld.

Friday, October 24, 2008

A Really Secret Ballot

ACM TechNews highlights a voting and encryption article in The Economist about the search for a way of voting that is both reliable and trustworthy. Encrypting people's votes might achieve some trustworthiness.

Dr. Peter Ryan, a computer scientist at the University of Newcastle upon Tyne in England, may have found one way of doing this. Ryan calls his development "Pret a Voter". The gist of his approach is that paper ballots are used that are in two halves. The candidates' names are on one side and the tick boxes are on the other. The voter ticks the boxes he wants and divides the paper, putting only the half with the tick boxes on it in the ballot box. The ballots are then scanned by an optical reader. The 'trick' part is that the candidates are listed in random order on each ballot paper.

While anyone looking at the deposited half of the ballot paper cannot tell which candidates the ticks were cast for, the machine can, because each deposited half also carries a cryptographic cipher containing the candidate order on that particular ballot.
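The following is an added simulation of the two-half ballot just described; it is not from The Economist article or from Ryan's own work. It assumes three constructed candidate names, a single election-authority key, and an HMAC-SHA256 keystream with an HMAC tag standing in for the real scheme's cryptography, so it shows the data flow (a deposited half carries only a row index and an encrypted candidate order) rather than the actual construction.

```python
# Added example: a simplified simulation of the two-half ballot described above.
# ASSUMPTIONS (not from the article): one election-authority key and an
# HMAC-SHA256 keystream with an HMAC tag stand in for the real scheme's
# cryptography; candidate names and vote choices below are constructed.
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

CANDIDATES = ["Alice", "Bob", "Carol"]
Onion = Dict[str, str]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> Onion:
    """Encrypt-then-MAC, so an onion altered after printing is detected at tally time."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, onion: Onion) -> bytes:
    nonce, ct = bytes.fromhex(onion["nonce"]), bytes.fromhex(onion["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(bytes.fromhex(onion["tag"]), expected):
        raise ValueError("ballot onion failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_ballot(authority_key: bytes) -> Tuple[List[str], Onion]:
    """Left half: candidate names in a random order. Right half: the tick-box
    column, carrying only the encrypted candidate order for this ballot."""
    order = CANDIDATES[:]
    secrets.SystemRandom().shuffle(order)
    return order, encrypt(authority_key, json.dumps(order).encode())


def cast_vote(left_half: List[str], choice: str, right_half: Onion) -> Dict:
    """The voter ticks the row next to `choice` and deposits only the right half:
    a row index plus the onion. Without the key, the row reveals nothing."""
    return {"row": left_half.index(choice), "onion": right_half}


def is_intact(authority_key: bytes, receipt: Dict) -> bool:
    """True if the deposited onion verifies under the authority key."""
    try:
        decrypt(authority_key, receipt["onion"])
        return True
    except ValueError:
        return False


def tally(authority_key: bytes, deposited: List[Dict]) -> Dict[str, int]:
    """Only the key holder can map each deposited row back to a candidate."""
    counts = {c: 0 for c in CANDIDATES}
    for receipt in deposited:
        order = json.loads(decrypt(authority_key, receipt["onion"]))
        counts[order[receipt["row"]]] += 1
    return counts


def run_election(authority_key: bytes, choices: List[str]) -> Tuple[List[Dict], Dict[str, int]]:
    """Issue one ballot per voter, collect the deposited halves, and tally them."""
    deposited = []
    for choice in choices:
        left, right = make_ballot(authority_key)
        deposited.append(cast_vote(left, choice, right))
    return deposited, tally(authority_key, deposited)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    receipts, result = run_election(key, ["Alice", "Alice", "Bob"])
    print(receipts[0]["row"], result)  # the row alone says nothing about the choice
```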

A second approach elaborates on Ryan's system. Ben Adida and Ron Rivest, of the Massachusetts Institute of Technology, have created what they call "Scratch & Vote". The ballot paper looks the same as that used in Ryan's 'Pret a Voter', but with an additional scratch-off area that acts as an extra level of security.

David Chaum, a computer scientist and cryptographer who, among other things, invented the idea of digital cash, has created a third idea called Scantegrity II. In this approach, a voter fills in an oval-shaped space instead of marking an 'x' next to a candidate's name. With Scantegrity, however, the voter uses a special pen whose "ink" reacts with a pattern of two chemicals that has been printed inside the oval-shaped space.

None of these solutions has been widely tested yet, so American voters will not see them in use in this election, but there is a good chance they will be offered in the next election, especially if scandals emerge in the coming one.

For details on the three approaches, see the full write-up in The Economist.

Wednesday, October 22, 2008

US's First Internet Votes To Be Cast This Friday

Slashdot is running an article today about the nation's first Internet-based voting system, which goes online this Friday.

Between Oct. 24 and Nov. 2, an estimated six to seven hundred U.S. citizens will use PCs with no hard drive and with other components disabled (laptops hardened to reduce security risks), located at specific kiosks in Germany, Japan and the U.K., to cast their votes for president. The Okaloosa Distance Ballot Piloting (ODBP) test program could help change the bureaucratic obstacle course now facing roughly 6 million overseas residents, who must register earlier than other voters and whose mail-in absentee ballots could be mishandled.

Despite the favorable results of the security analysis by Alec Yasinac, director of the Security and Assurance in Information Technology (SAIT) Laboratory, the fact that the wider computer security community has not been asked to evaluate the ODBP program has left a multitude of questions unanswered.
"We should not go ahead until full details of the system have been disclosed," says David Dill, a professor of computer science at Stanford University, who has testified before Congress about electronic voting. Dill praises Okaloosa County's program for attempting to create a secure, verifiable system that includes the use of paper Voter Choice Records (VCRs) to allow for a 100 percent audit against the electronic votes. Other locations have adopted less secure alternatives for overseas voters, allowing them to send ballots in by fax or e-mail. Still, he believes the pitfalls outnumber the benefits. "If not for the VCRs, this entire proposal would be completely unacceptable," Dill says. "But if the goal is to hand count every one of them, that seems like a lot of overhead for what amounts to a complicated way to fill out paper absentee ballots. The way I look at it, the entire Internet voting part of this scheme is confusing and possibly harmful."

See more in Popular Mechanics.

Tuesday, October 21, 2008

Ohio Secretary of State's Web Site Hacked; voter suppression tactics

The Risks Digest reports today that the office of the Ohio Secretary of State Jennifer Brunner has cut back on the accessible functionality of its website after an apparent security breach was detected by technical staff. A statement from the office noted that "this is not the first instance of direct assault on the operations of the Secretary of State's office." It has been bombarded with phone calls and email "with menacing messages and even threats of harm or death," according to the statement.
"What we know is our IT department detected a situation with our Web site where there was somehow suspicious activity where someone could have gotten into our site and tried to move things around," a spokesman told The Cleveland Plain Dealer Monday afternoon.
Brunner and her office are in the midst of a bitter dispute with the state Republican Party, which demanded that her office release a list of new voter registrations that don't match state and federal database records.

Ohio has 20 electoral votes and is a battleground state. Voter registration records this year in Ohio show record levels of registrations.

See article in wired.com.

Monday, October 20, 2008

Thousands Face Mix-Ups in Voter Registrations

ACM TechNews reports that new state voter registration systems throughout the United States are mistakenly rejecting voters and thus potentially disrupting the entire election process.

The problems originate in the change from locally managed lists to statewide databases, a change required by the Help America Vote Act, passed in 2002 in the aftermath of the deadlocked presidential race two years earlier. While the switch is supposed to be a more efficient and accurate way to keep lists updated, the new state registration systems are incorrectly rejecting thousands of voters across the country. It is impossible to know how many voters are affected nationwide.

In Alabama, scores of voters are being labeled convicted felons based on erroneous lists. Michigan must restore thousands of names it illegally removed from voter rolls over residency questions. Tens of thousands of voters could be affected in Wisconsin, since officials there admit that their database is wrong in one of every five cases in which it flags a voter.

The electronic lists have been coming online gradually, and for 31 states this will be the first time they are used in a presidential election. It is "this season's big issue," said Wendy R. Weiser, who directs voting rights projects for the Brennan Center for Justice at New York University's School of Law, noting that efforts to keep names off the lists are "a new trend, not in the majority of states but in the battleground states."
See full article at washingtonpost.com.

Friday, October 17, 2008

E-Voting Report: Several States Still Vulnerable

ACM TechNews flagged an article in PCWorld about inadequate assurance of the accuracy of electronic voting machines, as described in a report from three voting security advocacy groups. The report, released by Common Cause, Verified Voting, and the Brennan Center for Justice at the New York University School of Law, predicts that some voting systems will fail on election day.

Pamela Smith, president of Verified Voting, said that state protections against voting fraud and e-voting machine failure have improved greatly since the last U.S. presidential election in 2004. Still, several states refuse to take basic precautions to protect the integrity of their voting systems, she added.
"There are some folks who still don't get it," said Smith.
Colorado, Delaware, Kentucky, Louisiana, New Jersey, South Carolina, Tennessee, Texas, Utah, and Virginia all received failing grades in three of four voting security areas. Of the 24 states using direct-recording electronic machines, only California, Indiana, and Ohio received satisfactory grades in all four categories.

David Beirne, executive director of the Election Technology Council, a trade group representing e-voting machine vendors, says the report came too late for changes to be made this year.

For details, see PCWorld.

Thursday, October 16, 2008

Tool To Allow ISPs To Scan Every File You Transmit

Slashdot posts a story about a tool developed by Brilliant Digital Entertainment, an Australian software company, that can scan every file that passes between an ISP and its customers. The new monitoring technology, appearing at the same time as changes in U.S. law, is adding pressure to turn Internet service providers into cops who examine all Internet traffic for child pornography.

Privacy advocates object to such tools and say that monitoring all traffic would be an unconstitutional invasion of privacy. However, such monitoring just became easier with a law approved unanimously by Congress and signed on Monday by President Bush.

A PowerPoint slide show from Brilliant Digital Entertainment describing the technology was passed on to AOL last month by two powerful forces in the fight against child porn, the office of New York Attorney General Andrew M. Cuomo and Ernest E. Allen, president and CEO of the National Center for Missing and Exploited Children.
"This would be plainly illegal in the United States, whether or not a governmental official imposed this on an ISP or the ISP did this voluntarily," John Morris of the Center for Democracy and Technology said after viewing Brilliant Digital's slide show. "If I were the general counsel of an ISP, I wouldn't touch this with a 10-foot pole."
For more information, see MSNBC.

Wednesday, October 15, 2008

International Spam Ring Shut Down

Slashdot features a New York Times story about the imminent shutdown of an international spam ring with ties to Australia, New Zealand, China, India and the U.S. Using the CAN-SPAM Act of 2004, the finances of the members in the U.S. are being frozen while the FBI pursues criminal charges.

The group, which used several names but was known among spam-fighting organizations as HerbalKing, sent billions of unsolicited messages to Internet users over the last 20 months, promoting replica watches and an assortment of pharmaceuticals, including weight-loss drugs and herbal pills that supposedly enhance the male anatomy. Officials and investigators say this spam operation was perhaps the most extensive they had encountered.
“They were sending extraordinary amounts of spam,” said Jon Leibowitz, an F.T.C. commissioner. “We are hoping at some level that this will help make a small dent in the amount of spam coming into consumers’ in-boxes.”
For full article, see the New York Times, as well as a press release from the Federal Trade Commission.