Friday, December 21, 2007

Colorado Decertifies E-voting Machines

Colorado's top election official, Secretary of State Mike Coffman, decertified election equipment used by 64 Colorado counties this week. In an article published on TheDenverChannel.com, Coffman cites security or accuracy problems in the decertified machines.

For more information and a link to Coffman's report detailing myriad problems with the machines, see Slashdot.

Thursday, December 20, 2007

3.2 Billion Dollars Lost to Phishing in 2007

A survey conducted by Gartner on Monday showed that phishing attacks escalated in 2007, with losses amounting to more than $3 billion. Debit cards emerged as the primary target of most fraudsters.

"Phishing attacks are becoming more surreptitious and are often designed to drop malware that steals user credentials and sensitive information from consumer desktops," said Avivah Litan, vice president and distinguished analyst at Gartner.

A summary of the survey findings can be found at Slashdot.

Tuesday, December 18, 2007

Encryption Passphrase Protected by the 5th Amendment

A post on Slashdot last weekend notes that Federal Judge Jerome Niedermeier ruled in a Vermont case that prosecutors cannot force a defendant to disclose the encryption passphrase for his laptop, since he is protected by the Fifth Amendment.

Niedermeier tossed out a grand jury's subpoena directing defendant Sebastien Boucher to provide "any passwords" used with his laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29th but not noticed until this week.

For details on what could become a landmark case, especially if appealed, see cnetNEWS.com.

Monday, December 17, 2007

'We're All at Risk' of Attack, Cyber Chief Says

ACM TechNews reported an article published last week about Homeland Security assistant secretary Greg Garcia speaking to the New York City Metro InfraGard Alliance about the significance of cybersecurity. InfraGard is an alliance between the FBI, local law enforcement, and the private sector.

Garcia pointed out that more than 85 percent of the nation's critical infrastructures are owned and operated by private industry. He said that partnership is especially significant given that hackers are becoming more sophisticated, and that malicious code and software can now be had very cheaply on the Internet.

"Unfortunately, none of this is going to dissipate if we don't have the same level of coordination and organization our adversaries have against us," Garcia said.

See the complete article at GOVERNMENT EXECUTIVE.com.

Thursday, December 13, 2007

Will Privacy Sell?

Ask.com is working on a service called "AskEraser" that will allow users to make their searches more private. Search engines like Ask.com, Google, Yahoo, etc. typically keep track of the search terms typed in by users, linking them to a computer's Internet address and/or to the user. If "AskEraser" is turned on, it discards all that information, the company says. "It works like a light switch," said Doug Leeds, senior vice president for product management at Ask.com.

For more details, see the article in the Technology section of the December 10th New York Times.

Wednesday, December 12, 2007

Ohio Plans To Encrypt After Data Breach

Slashdot reports that, in response to the theft last June of a backup tape from the car of a government intern, containing personal information on nearly 130,000 current and former Ohio residents, employees and businesses, the Ohio state government has agreed to buy 60,000 licenses of McAfee Inc.'s SafeBoot encryption software.

Details on the distribution of the encryption software and the financial impact of the loss of the data to the state are given in an article published yesterday in COMPUTERWORLD.

Tuesday, December 11, 2007

California Testers Find Flaws in Voting Machines

An article published on December 5th in Ars Technica describes the success of Red Team security testers in easily circumventing the physical security of the Polling Ballot Counter (PBC).

"In the physical security testing, the wire- and tamper-proof paper seals were easily removed without damage to the seals using simple household chemicals and tools and could be replaced without detection," the test report says. "Once the seals are bypassed, simple tools or easy modifications to simple tools could be used to access the computer and its components. The key lock for the Transfer Device was unlocked using a common office item without the special 'key' and the seal removed."

A summary of the report results can be found in Slashdot.

Monday, December 10, 2007

Most in US Have False Sense of Online Security

Slashdot posted an article about a study revealing that most Americans have a false sense of online security.

Verizon conducted the study, finding that while the majority of participants thought they were safe, more than half were actually vulnerable to a variety of online attacks.

See HELP NET SECURITY for details.

Thursday, December 06, 2007

The Next Generation of Security Threats

ACM TechNews references a CNET article on how hackers are now focusing on areas other than operating systems.

Robert Hensing, Microsoft security engineer, posed a question to hundreds of his colleagues, fellow developers, and invited hackers about whether a person's PC could become infected with a rootkit by merely opening a PowerPoint file.

Some developers raised their hands. In an adjacent room, the entire table of hackers that had been invited to speak at the conference raised their hands.

"That's the one thing I want you to take away from this," Hensing told the developers. "Applications are dangerous."

For more information on how applications have supplanted operating systems as targets, see the complete article at CNET News.com.

Wednesday, December 05, 2007

Facebook Beacon Privacy Issues Worse Than Previously Thought?

According to an article in PC World, Facebook's online ad system, called "Beacon," is even more intrusive with respect to privacy than was originally thought. Stefan Berteau, a Senior Research Engineer at Computer Associates' Threat Research Group, published findings showing that Beacon reports member activities on third-party partner sites even when Facebook users are not logged in or have declined to opt in to the Beacon program.

"It can happen completely without their knowledge," Berteau says in his report. "The bottom line is that Facebook is materially misrepresenting the privacy impact of their Beacon program, and presenting users with the appearance of control of their information when in fact they have almost none."

See full story at NEWSFACTOR NETWORK.

Tuesday, December 04, 2007

Firefox Security Head Says Microsoft Obscures OS Holes

A Slashdot article from yesterday mentions that when Microsoft Security Director Jeff Jones decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, publishing a study showing that Internet Explorer was more secure, he seems to have forgotten that Mozilla's Head Security Strategist, Window Snyder, is a former Microsoft employee. Moreover, she had been the security lead for the Windows XP and Server service packs.

Snyder rebuts Jones' study, saying that only a small subset of all vulnerabilities fixed internally are publicly acknowledged. Snyder writes: "...vulnerabilities that are found through the QA process and the vulnerabilities that are found by the security folks they engage as contractors to perform penetration testing are fixed in service packs and major updates. For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update."

The problem for Microsoft users with this policy is that they sometimes have to wait a year or more to get the benefit of these fixes. Mozilla fixes its bugs openly and ships fixes regularly. Says Snyder: "We're not building fixes for our PR team, we're building them for our users."

For a detailed description of the problem with Microsoft's metric, see Snyder's entry on Mozilla's Security Blog.

Monday, December 03, 2007

News Organizations Propose Tighter Search Engine Rules

According to an online article in the Washington Post, leading news organizations and publishers have launched a revision in the 13-year-old technology for how search engines index and display web sites.

At present, major search engines like Google and Yahoo voluntarily respect a given website's wishes as described in a file called "robots.txt." The crawler (a search engine's indexing software) looks for this particular file on a website before indexing it.

Although Google claimed that the "fair use" provision of copyright law applied, news publishers have complained and even sued Google for expanding its search engine services to include scanning printed books.

A newly proposed set of extensions for controlling access to websites, known as the Automated Content Access Protocol (ACAP), has, to some degree, grown out of such disputes. The Associated Press is one of many organizations that have joined ACAP, whose new rules allow a site to block indexing of specific directories, the entire site, or individual websites.
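As an added illustration of the robots.txt mechanism the two paragraphs above describe (this is example code written for this post, not anything from the Washington Post article, Google, or the ACAP project), the following Python uses the standard library's urllib.robotparser to read a constructed robots.txt file and decide which paths a crawler may fetch. The site layout, directory names and crawler names are all made up for the example.

```python
"""Added example: how a crawler interprets a site's robots.txt.

Uses Python's standard urllib.robotparser, so it runs offline on the
constructed robots.txt text below. All paths and agent names are invented.
"""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical news site. It blocks two
# directories for every crawler (with one carve-out), blocks the whole site
# for one named crawler, and leaves everything else open.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Allow: /drafts/public/
Disallow: /drafts/
Disallow: /admin/

User-agent: ArchiveBot
Disallow: /
"""


def build_parser(robots_txt: str) -> RobotFileParser:
    """Parse robots.txt text the way a crawler would after fetching
    http://<site>/robots.txt (here supplied inline instead of over HTTP)."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def may_fetch(robots_txt: str, user_agent: str, path: str) -> bool:
    """Return True if the named crawler is permitted to fetch `path`.

    Python's parser picks the first User-agent block that matches the
    crawler name (falling back to the '*' block) and applies that block's
    Allow/Disallow lines in order; the first line whose prefix matches the
    path wins, which is why the Allow carve-out above precedes its Disallow.
    """
    return build_parser(robots_txt).can_fetch(user_agent, path)


def crawl_plan(robots_txt: str, user_agent: str, paths):
    """Filter candidate paths down to those the crawler may index.

    Disallowed paths are simply skipped, never fetched: that is the whole
    extent of the 'protection' robots.txt offers, since it relies on the
    crawler choosing to honour it.
    """
    parser = build_parser(robots_txt)
    return [p for p in paths if parser.can_fetch(user_agent, p)]


if __name__ == "__main__":
    candidates = [
        "/news/story.html",
        "/drafts/tomorrow.html",
        "/drafts/public/preview.html",
        "/admin/login",
    ]
    for agent in ("Googlebot", "ArchiveBot"):
        print(agent, "->", crawl_plan(SAMPLE_ROBOTS_TXT, agent, candidates))
```

The design point worth noticing is the one the article makes about voluntary compliance: nothing in this code enforces anything. A well-behaved crawler consults the file and skips what it is asked to skip, so robots.txt is a politeness protocol, not an access control. Paths that must not be reached need authentication or server-side access restrictions, and listing them in robots.txt only documents where they are.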

"ACAP was born, in part at least, against a growing backdrop of mistrust," said Gavin O'Reilly, president of the World Association of Newspapers. AP's chief executive Tom Curley says that the news cooperative spends millions of dollars annually covering the world, where its employees often risk their lives, which makes technologies like ACAP important in protecting AP's original news reports from being distributed without permission.

For a link to the complete article and a summary of the story, see Slashdot.