Monday, October 29, 2007

Password-cracking chip causes security concerns

New Scientist's article, "Password-cracking chip causes security concerns," covers Elcomsoft's patent on using a graphics processing unit (GPU) to crack passwords.
Using an $800 graphics card from nVidia called the GeForce 8800 Ultra, Elcomsoft increased the speed of its password cracking by a factor of 25, according to the company's CEO, Vladimir Katalov.

The toughest passwords, including those used to log in to a Windows Vista computer, would normally take months of continuous processing time to crack using a computer's central processing unit (CPU). By harnessing a $150 GPU, less powerful than the nVidia 8800 card, Elcomsoft says they can be cracked in just three to five days. Less complex passwords can be recovered in minutes rather than hours or days.
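The reason a GPU changes the picture is that cracking an unsalted, fast hash is an exhaustive search in which every candidate costs exactly one hash computation, so time to crack is simply keyspace size divided by hash rate and the work splits perfectly across many cores. The following is an added example, not code from the New Scientist article or from Elcomsoft's product; it uses MD5 as a stand-in for any fast hash (the NTLM hashes behind a Windows logon are similarly cheap), and the 10 million hashes per second CPU rate in the usage section is an assumed figure, not one from the article.

```python
import hashlib
import itertools
import string
from typing import Optional

# Added example, not from the New Scientist article or Elcomsoft's tool.
# Exhaustive search against a fast, unsalted hash. MD5 stands in for any
# fast hash; a GPU cracker runs this same inner loop on thousands of
# cores at once, which is where the speed-up comes from.

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def md5_hex(password: str) -> str:
    """Hex MD5 of a password; used to build constructed targets."""
    return hashlib.md5(password.encode()).hexdigest()


def keyspace_size(alphabet_len: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over an alphabet."""
    return sum(alphabet_len ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_len: int, max_len: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given hash rate."""
    return keyspace_size(alphabet_len, max_len) / hashes_per_second


def brute_force(target_hex: str, alphabet: str = ALPHABET, max_len: int = 4) -> Optional[str]:
    """Return the password whose MD5 equals target_hex, or None if no
    candidate of length <= max_len matches."""
    target = bytes.fromhex(target_hex)
    for length in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=length):
            pw = "".join(cand).encode()
            if hashlib.md5(pw).digest() == target:
                return pw.decode()
    return None


if __name__ == "__main__":
    print(brute_force(md5_hex("q7z"), max_len=3))  # constructed target
    cpu_rate = 10_000_000          # assumed CPU rate, hashes/second
    gpu_rate = 25 * cpu_rate       # the 25x factor quoted by Elcomsoft
    for n in (6, 8):
        cpu_days = seconds_to_exhaust(len(ALPHABET), n, cpu_rate) / 86400
        gpu_days = seconds_to_exhaust(len(ALPHABET), n, gpu_rate) / 86400
        print(f"len<={n}: {cpu_days:.1f} CPU-days vs {gpu_days:.1f} GPU-days")
```

The defence follows from the arithmetic: a salted, deliberately slow password hash (thousands of iterations per guess) shrinks the effective hash rate by the same factor the GPU gains, while a longer alphabet or length grows the numerator exponentially.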

Friday, October 26, 2007

New Poll Shows Maryland Voters Favor Funding a Switch to Paper Ballots by More Than 2 to 1

VoteTrustUSA's article, "New Poll Shows Maryland Voters Favor Funding a Switch to Paper Ballots by More Than 2 to 1," discusses a poll that shows Maryland voters prefer funding a move towards paper ballots.
Conducted by Gonzales Research & Marketing Strategies last week, the telephone survey found that 64% of voters statewide think that Governor O’Malley should fund the change from touch-screen voting machines to a system that uses paper ballots counted by optical scanners.

Survey participants were asked: “Last spring Maryland's General Assembly voted unanimously to switch from touch screen voting machines to a less expensive system that uses paper ballots counted by optical scanners. This would ensure that votes are recorded as voters intend, and make recounts possible. The change will happen in 2010, but only if funded in next year's budget. Do you think the Governor should, or should not, provide funding for this change?”

Wednesday, October 24, 2007

ID thieves have a 50-50 chance of going to prison

Networkworld's article, "ID thieves have a 50-50 chance of going to prison," covers a report that summarizes case files from the U.S. Secret Service.
"Prosecutors had a slightly better chance of sending a convicted identity thief to prison than not (51%) and could expect to see the imprisoned offender sentenced to three years or less of incarceration," the report said.

See also Slashdot's article, "Identity Thieves Not Big On Technology," and an AP article that states that the internet was used in fewer than one fifth of the crimes.

Tuesday, October 23, 2007

To Maintain National Security, U.S. Policies Should Continue to Promote Open Exchange of Research

The National Academy of Sciences press release, "To Maintain National Security, U.S. Policies Should Continue to Promote Open Exchange of Research," states:
To strengthen the essential role that science and technology play in maintaining national and economic security, the United States should ensure the open exchange of unclassified research despite the small risk that it could be misused for harm by terrorists or rogue nations, says a new report by the National Research Council. Because science and technology are truly global pursuits, U.S. universities and research institutions must continue to welcome foreign-born science and engineering students, said the committee of former national security leaders and senior university researchers and administrators that wrote the report.

Thursday, October 18, 2007

GAO Releases Report on Critical Infrastructure Protection

The U.S. Government Accountability Office (GAO) released a report on activities to secure the nation's critical infrastructure (e.g., electric power grid, oil and gas pipelines, chemical plants, water treatment facilities) and the risks to those assets and their control systems due to cyber threats, system vulnerabilities, and other attacks.

The report, CRITICAL INFRASTRUCTURE PROTECTION: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, describes the cyber threats and vulnerabilities and their potential impact on critical infrastructure control systems, the challenges to securing those systems, private sector initiatives to secure them, and the adequacy of public sector initiatives to strengthen the cybersecurity of control systems. A number of initiatives by federal agencies and private sector organizations are cited, and the report includes recommendations to address the federal government's lack of an overall strategy for coordinating public and private sector efforts and its lack of an efficient process for sharing sensitive vulnerability information with private sector critical infrastructure owners.

Bill would let ID theft victims seek restitution

News.com is carrying the Reuters article, "Bill would let ID theft victims seek restitution."
The proposed Identity Theft Enforcement and Restitution Act - sponsored by Democrat Patrick Leahy of Vermont and Republican Arlen Specter of Pennsylvania - would enable federal prosecutors to seek restitution for the time and money that victims spend restoring their credit histories.

Tuesday, October 16, 2007

The balkanization of Storm Worm botnets

The Register article, "The balkanization of Storm Worm botnets," discusses how the Storm worm has changed in the past week:
PCs infected by Storm in the past week or so use a 40-byte key to encrypt traffic sent through Overnet, a peer-to-peer protocol that helps individual bots connect to other infected machines, according to Joe Stewart, a senior researcher with SecureWorks, a provider of security services and software.

The change effectively segments the Storm botnet, estimated by Stewart to contain from 250,000 to 1 million machines, into smaller networks because each node must know the password to unencrypt the Overnet traffic.

One fear is that the operators of the Storm worm are getting ready to sell the bots.

Monday, October 15, 2007

Privacy optouts: do not call, credit card offers, snail mail, Verizon

It's been five short years since www.donotcall.gov started up. The idea behind the do not call registry is that if your phone number is on the list, then telemarketers should not be calling you. There are some caveats though: after you register, there is a 31-day grace period. Also, political organizations, charities and telephone surveyors are exempt. If you registered five years ago, you will need to re-register your phone numbers, as the registration expires after 5 years. See the Bangor News article for details.

Another place to consider registering is www.optoutprescreen.com, which will help prevent offers of preapproved credit cards from being sent to you. See Consumer Reports.

To reduce your junk snail mail, you can register online with the Direct Marketing Association, but it will cost you $1. Privacyrights.org has a good list of additional ways to reduce your junk snail mail.

Finally, if you have a Verizon cell phone, you may want to opt out of Verizon sharing your phone call info. See Slashdot.

Saturday, October 13, 2007

Voting Machines Giving Florida New Headache

The NY Times article, "Voting Machines Giving Florida New Headache," reports that Florida is getting rid of its touchscreen voting computers. See also the Slashdot discussion.

In other voting computer news, VoteTrustUSA's blog, "E-Vote: Vendor May Have Sold Unauthorized Voting Machines to California Counties," reports that:
The California Secretary of State's Office will conduct a public hearing to examine whether Election Systems & Software Inc. (ES&S) sold unauthorized voting machines to as many as five California counties.

Friday, October 12, 2007

GTISC Releases Emerging Cyber Threats Forecast

The Georgia Tech Information Security Center (GTISC) released an Emerging Cyber Threats Forecast.
For 2008, GTISC is forecasting five key areas in which cyber security threats are expected to increase and evolve:
• Web 2.0 and Client-Side Attacks – including social networking attacks and new attacks that will exploit Web 2.0 vulnerabilities
• Targeted Messaging Attacks – including Instant Messaging attacks and malware propagation via online video-sharing
• Botnets – specifically the spread of botnet attacks to wireless and peer-to-peer networks
• Threats Targeting Mobile Convergence – including voice spam, vishing and smishing
• Threats to Radio Frequency Identification (RFID) Systems – evolving and varied threats in this emerging technology sector

Thursday, October 11, 2007

Businesses spend 20% of IT budgets on security, survey shows

IT News Australia's article, "Businesses spend 20% of IT budgets on security, survey shows," covers a survey by CompTIA:
The Computing Technology Industry Association (CompTIA) surveyed 1,070 organisations and found that on average, they spent one-fifth of their technology budgets on security-related spending in 2006. That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004.

Wednesday, October 10, 2007

A Year's Worth of Phish Phacts

Brian Krebs' blog, "A Year's Worth of Phish Phacts," covers phishtank.com, a volunteer site that accepts suspected phishing emails and sites from users and analyzes the submissions. It appears that most phishing sites are hosted on compromised US-based computers. An annual report is available.

Tuesday, October 09, 2007

More E-Voting Tests Slated in Contested Fla. Voting District

Computerworld's article, "More E-Voting Tests Slated in Contested Fla. Voting District," discusses plans by a House of Representatives task force to examine machines used in a contested Florida election where 18,000 undervotes occurred. The tests are:

  • Firmware testing to verify that the firmware in the iVotronic machines used in Sarasota County matched the certified version of the firmware approved by election officials.
  • Ballot testing of the iVotronic machines using more than 112 scenarios, including casting votes, changing votes, changing votes again and other combinations, to confirm correct operation of the units.
  • Miscalibrating the iVotronic units to see if that has any effect on the undervote counts.
Monday, October 08, 2007

BotHunter: SRI International Scientists take on Spam Zombies

The San Francisco Chronicle article, "Techies take on spam zombies," discusses BotHunter, "a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter." BotHunter is for use by ISPs and was created by Phil Porras and Vinod Yegneswaran, computer scientists at SRI International.
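The point of dialog correlation is that any single IDS alert is noisy, but an internal host that walks through several stages of an infection conversation (being exploited, then fetching a binary, then contacting a controller or scanning outward) is very likely compromised. The following is an added example, not SRI's BotHunter code: the stage labels, the four-hour window, the declaration rule and the sensor line format are simplifying assumptions for illustration, and the alert lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example, not SRI's BotHunter. Correlates per-host IDS alerts into
# an "infection dialog" and flags hosts whose alerts cover enough of it.
# Stage names, window and rule are illustrative assumptions.

INBOUND = {"E1_inbound_scan", "E2_inbound_exploit"}
OUTBOUND = {"E3_egg_download", "E4_cnc_traffic", "E5_outbound_scan"}
WINDOW_SECONDS = 4 * 3600


@dataclass(frozen=True)
class Alert:
    ts: int      # epoch seconds
    host: str    # internal host the alert concerns
    stage: str   # one of the dialog stage labels above


def parse_alert(line: str) -> Alert:
    """Parse 'ts host stage' lines (constructed sensor output format)."""
    ts, host, stage = line.split()
    if stage not in INBOUND | OUTBOUND:
        raise ValueError(f"unknown dialog stage: {stage}")
    return Alert(int(ts), host, stage)


def is_bot_dialog(stages: Set[str]) -> bool:
    """Declaration rule (assumed): an inbound exploit plus any outbound
    evidence, or two distinct outbound stages when the exploit was missed.
    Inbound scans alone never count; every host gets scanned."""
    out = stages & OUTBOUND
    return ("E2_inbound_exploit" in stages and len(out) >= 1) or len(out) >= 2


def correlate(lines: List[str]) -> Dict[str, Set[str]]:
    """Return {host: stages} for hosts whose alerts, within a sliding
    WINDOW_SECONDS window, satisfy the declaration rule."""
    per_host: Dict[str, List[Alert]] = defaultdict(list)
    for alert in sorted((parse_alert(ln) for ln in lines), key=lambda a: a.ts):
        per_host[alert.host].append(alert)
    flagged: Dict[str, Set[str]] = {}
    for host, alerts in per_host.items():
        for i, start in enumerate(alerts):
            stages = {a.stage for a in alerts[i:] if a.ts - start.ts <= WINDOW_SECONDS}
            if is_bot_dialog(stages):
                flagged[host] = stages
                break
    return flagged


# Constructed sample alerts, not real sensor output.
SAMPLE = [
    "1191200000 10.0.0.5 E1_inbound_scan",
    "1191200010 10.0.0.5 E2_inbound_exploit",
    "1191200100 10.0.0.5 E3_egg_download",
    "1191200400 10.0.0.5 E4_cnc_traffic",
    "1191200000 10.0.0.7 E1_inbound_scan",    # scanned only: background noise
    "1191200050 10.0.0.9 E4_cnc_traffic",     # one outbound alert on its own
    "1191300000 10.0.0.9 E5_outbound_scan",   # more than 4h later: not correlated
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(host, sorted(stages))   # only 10.0.0.5 is declared infected
```

Requiring evidence from more than one stage is what keeps the false-positive rate down: a scan-only host (10.0.0.7) and a lone C&C alert (10.0.0.9) both stay below the bar.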

Saturday, October 06, 2007

CERT Advances Secure Coding Standards

Dark Reading's article, "CERT Advances Secure Coding Standards," discusses CERT's C and C++ Secure Coding Standard, whose rules are being translated into checks for Fortify's Source Code Analysis tool.

Friday, October 05, 2007

Microsoft Rolls Out Personal Health Records

The NY Times article, "Microsoft Rolls Out Personal Health Records," covers Microsoft's HealthVault product.

"Microsoft does not expect most individuals to type in much of their own health information into the Web-based record. Instead, the company hopes that individuals will give doctors, clinics and hospitals permission to directly send into their HealthVault record information like medicines prescribed or, say, test results showing blood pressure and cholesterol levels."
See also the Slashdot discussion.

Wednesday, October 03, 2007

Carnegie Mellon Researchers Fight Phishing Attacks with Phishing Tactics

CMU's article, "Carnegie Mellon Researchers Fight Phishing Attacks with Phishing Tactics," discusses experiments in which researchers posed as phishers and used phishing emails to lure experimental subjects to websites that contained educational information about phishing. This work is being presented at the eCrime conference.

Tuesday, October 02, 2007

Stopping Spam: We can do better

Eweek's article, "Stopping Spam: We Can Do Better," discusses a three-pronged spam defense system: "(i) the current approach plus (ii) authentication of e-mail senders and/or (iii) anonymous bonds bundled with e-mails, payable by e-mail senders and redeemable by e-mail recipients—also allows an easier and less risky transition to a better e-mail environment."

A different approach is described in Slashdot's article, "Novel Method for Universal Email Authentication," which describes using SPF to create a database of authenticated machines.
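SPF is the sender-authentication piece that both proposals above lean on: a domain publishes, in a DNS TXT record, which networks may send mail for it, and a receiver checks the connecting IP against that list. The following is an added example and not code from either article; it evaluates SPF records with only the ip4, ip6 and all mechanisms and the four qualifiers, rejects DNS-dependent mechanisms (include, a, mx, ptr) with permerror rather than resolving them, and uses a constructed in-memory table in place of real DNS lookups. The domains and addresses are constructed.

```python
import ipaddress
from typing import Dict, List

# Added example, not from the eWeek or Slashdot articles. Minimal SPF
# (RFC 4408) evaluator: ip4/ip6/all mechanisms and the four qualifiers
# only. Mechanisms needing DNS (include, a, mx, ptr, exists) and
# modifiers (redirect=, exp=) are not implemented here.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softmail.test": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.test": "",
}


def _split_term(term: str):
    """Return (qualifier, mechanism, value) for one SPF term."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    mech, _, value = term.partition(":")
    return qualifier, mech.lower(), value


def check_spf(domain: str, sender_ip: str, records: Dict[str, str] = RECORDS) -> str:
    """Evaluate the domain's SPF record against the connecting IP.
    Returns pass/fail/softfail/neutral/none/permerror."""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF published: the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech, value = _split_term(term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]  # first match wins
            continue
        return "permerror"  # DNS-dependent mechanism, unsupported here
    return "neutral"  # record exhausted with no match (RFC 4408 s4.7)


def authorized_networks(domain: str, records: Dict[str, str] = RECORDS) -> List[str]:
    """Networks a domain positively authorizes (+ip4/+ip6 terms): the raw
    material for building a database of authenticated sending machines."""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        qualifier, mech, value = _split_term(term)
        if qualifier == "+" and mech in ("ip4", "ip6"):
            nets.append(str(ipaddress.ip_network(value, strict=False)))
    return nets


if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.77"))     # pass
    print(check_spf("example.com", "203.0.113.9"))    # fail
    print(check_spf("softmail.test", "203.0.113.9"))  # softfail
    print(authorized_networks("example.com"))
```

The caveat a receiver has to keep in mind is visible in the return values: "none" and "neutral" carry no information, and a "softfail" record (~all) asks you to accept the message anyway. SPF also only authenticates the envelope sender's domain, not that the message is wanted, so it reduces forgery of the From domain rather than spam as such.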

Monday, October 01, 2007

USC Student's Computer Program Enlisted in Security Efforts at LAX

The LA Times article, "USC Student's Computer Program Enlisted in Security Efforts at LAX," discusses how the thesis of Praveen Paruchuri is being used to "keep potential terrorists and criminals constantly uncertain about where, when and how often vehicles will be searched at airport entrances". See also the Slashdot discussion.