
Clips May 1, 2002




ARTICLES

Cyber bills find support
Agencies lack infosec resources
Air Force software chief to retire 
Navy adopts Web app to schedule ships 
Rep. Davis proposes quicker review of security technology 
Despite lack of new funding, e-gov projects to move forward 
Edmonton connection to alleged $53M ripoff
XP Updates Start to P.O. Users
Heart Docs to Make Mouse Calls
Hotmail at Risk to Cookie Thieves
Crooks Cause Chilean Car Chaos
Google to power AOL searches
Bill would deregulate high-speed Net services
Raise your hand if you remember all your passwords
.US address raises red-white-blue flap
Millers Fight For Family Domain on Web
Surveillance cameras to predict behaviour
UK could lose out on faster broadband
EU works to decrease digital divide
MPEG working on new standard
PIN codes and line blocks to stop porn and call dumping
Safety concerns prompts Nokia modem recall 



********************
Federal Computer Week
Cyber bills find support

A Senate panel April 24 endorsed two pieces of security legislation: one bill that would boost cybersecurity research and development, and another that would create a volunteer corps of computer experts who would respond swiftly in the event of a computer emergency, such as a cyberattack. 

The panel praised the Cyber Security Research and Development Act, which would earmark $878 million to correct chronic underfunding in the field of computer security research. The bill passed the House in February.

Witnesses also endorsed the Science and Technology Emergency Mobilization Act introduced by Sen. Ron Wyden (D-Ore.) to create a National Emergency Technology Guard, or NET Guard, composed of experts and companies who agree to respond immediately with technological know-how and equipment to counter an attack. 

"The nation's best scientific minds, technology experts and technology companies will be invited to participate," Wyden said at the Commerce, Science and Transportation Committee's Science, Technology and Space Subcommittee hearing.

While endorsing the idea, Ronil Hira of the Institute of Electrical and Electronics Engineers Inc. cautioned that calling in a squad of willing scientists might not always be the right response to computer-related emergencies.

"It is important to recognize that communication and other technological systems can be extremely complicated," he said. Such detailed knowledge "may only be available in the company and its vendors that installed the system originally." Intervention by outsiders -- however brilliant -- might do more harm than good, he said.

Hira had no similar reservations about the Cyber Security Research and Development Act. He praised the legislation for promising financial support for research by industry as well as by universities and government entities.

More research funding is essential for improving cybersecurity, agreed Lance Hoffman, a computer science professor at George Washington University. Students and faculty have generally not pursued cybersecurity research because funding has been scarce, he said. 

The aim is to fund research as "a long-term strategy to counter cyberterrorism," said Rep. Sherwood Boehlert (R-N.Y.), chairman of the House Science Committee and primary author of the bill.

Wyden said he expects a committee vote on the two bills by mid-May.
 
********************
Federal Computer Week
Agencies lack infosec resources

Federal agencies have the tools necessary to find and fix information security weaknesses but are struggling to find the appropriate resources and personnel to follow through, the General Accounting Office said April 16.

GAO's further assessment of agencies' security capabilities came in a letter to the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee, in response to questions raised at a March 6 hearing held by Rep. Stephen Horn (R-Calif.), the subcommittee chairman. The hearing focused on the first reports issued under the Government Information Security Reform Act, which requires agencies to perform annual independent and self-assessments of their security practices.

"In past years, most reviews of information security controls were performed as part of agency financial statement audits and, thus, focused on financial systems," Robert Dacey, GAO's director for information security issues, wrote in the letter. "It is the extent of the weaknesses for [the] nonfinancial systems that are still not fully identified."

Agencies' inspectors general have GAO's Federal Information System Controls Audit Manual. However, performing these audits and assessments on all systems "will place a significant new burden on the existing audit capabilities of agency inspectors general and will require that they have appropriate resources to either perform or contract for the needed work," Dacey wrote.

Two significant barriers to agencies improving their security are obtaining appropriate security funding and finding personnel with the necessary technical expertise to select, implement and maintain security controls, Dacey wrote.

********************
Government Computer News
Air Force software chief to retire 
By Dawn S. Onley 


Robert Frye, executive director of the Standard Systems Group, plans to retire in September. 

He has spent more than three decades with the Air Force, in both active-duty and civil service positions. Since 1995, Frye has headed the 2,400-person Standard Systems Group at the Gunter Annex of Maxwell Air Force Base in Montgomery, Ala. 

As the service's chief software shop, SSG acquires, develops and maintains combat support information systems for the Air Force and the Defense Department. 

The group, under Frye, helped the Air Force build its Internet portal in less than 60 days. He was also instrumental in helping build a secret portal for the service in the days after the Sept. 11 attacks. That portal took 65 hours to come online. 

Frye joined the service in 1969. He worked in many systems design positions in active duty before joining the Air Force Reserve and taking a civilian post with the service. Before he took over the helm at SSG, Frye was director of the Communications-Computer Systems Directorate at Hanscom Air Force Base, Mass. 

Frye said he plans to stay in Montgomery and start a consulting business. 

Frank P. Weber, deputy director for logistics and business operations for the U.S. Transportation Command at Scott Air Force Base, Ill., will replace Frye at SSG.
********************
Government Computer News
Navy adopts Web app to schedule ships 
By Thomas R. Temin 
GCN Staff


WebSked sounds like a snazzy online scheduling or travel program. It is online, it is for scheduling, and it sports cool graphics. But WebSked, an application for scheduling Navy ships, is the newest module of the Global Command and Control System-Maritime. 

Don't go to the Web to take a look. Like all GCCS applications, it runs only on the Defense Department's Secret IP Router Network. 

According to Steven G. Bullard, a product development manager at the Space and Naval Warfare Systems Command, WebSked will be deployed by the Atlantic Fleet in June and by the Pacific Fleet later in the summer. 

Bullard said the advantage to a scheduling program on the Web is that it will let the Navy maintain two authoritative sources of data on ships, one on the East Coast and one on the West. Because every Navy organization must maintain a copy of ship scheduling data, the result is a constant synchronization headache. 

FGM Inc. of Dulles, Va., and SPAWAR's Systems Center in San Diego developed WebSked using Lotus Domino. SPAWAR used a commercial graphics artist to design the app's appearance. The Web program will replace a client-server version developed in Visual Basic. 

With a single click, a deployment plan exports into a Microsoft Excel spreadsheet, which users can e-mail anywhere on SIPRnet.
********************
Government Executive
Rep. Davis proposes quicker review of security technology 
By Liza Porteus, National Journal's Technology Daily 

Rep. Tom Davis, R-Va., plans to introduce legislation this week to help organize and speed the federal government's evaluation and implementation of various technologies for homeland security and anti-terrorism efforts.

Davis, who chairs the House Government Reform Technology and Procurement Policy Subcommittee, said he will introduce a bill Wednesday to establish a program at the Office of Federal Procurement Policy (OFPP) to help the government leverage security innovations. 

Private-sector leaders such as Siebel Systems CEO Thomas Siebel and government leaders have said there is not enough staff or an established process for reviewing the ideas flooding into the White House Office of Homeland Security and security agencies. Many tech firms have told Davis they are having trouble getting audiences to showcase their products, Davis said Tuesday during a press conference on the 2002 Networked Economy Summit. 

"The reality is clear: Because of a lack of staffing expertise, many of these proposals have been sitting unevaluated, perhaps denying the government the breakthrough technology it needs to better protect Americans and our nation," Davis said. 

The legislation would create an interagency team of experts to seek innovative anti-terrorism solutions, evaluate proposals and send them to the proper agencies for action. Such a team would consist of the OFPP administrator and representatives from the Office of Management and Budget, and the Defense, Energy, Commerce, Transportation and Treasury departments. A technical assistance team would assess the merits and feasibility of the proposals. 

The bill also would launch a program to provide monetary awards for industry excellence in terror-fighting solutions. The awards would be capped at $20,000 for individual awards and $500,000 for total awards, with at least one-quarter of the money going to small businesses.

The bill also would establish a pilot program to encourage acquisition professionals in agencies to creatively use existing means to acquire commercial, off-the-shelf technology solutions. 

Davis spokesman David Marin said OFPP and the Office of Homeland Security "like the concept" of the bill. The measure would go to Davis' subcommittee for consideration. 

On another front, Davis said a cyber-security measure he co-sponsored with Rep. James Moran, D-Va., could move through the House soon. The bill, H.R. 2435, would exempt businesses from certain provisions of the Freedom of Information Act, antitrust prosecution and lawsuits when they voluntarily disclose to the government the vulnerabilities in their technology networks.

The legislation has a Senate companion bill, S. 1456. Davis said he is sure his bill could win House approval but added, "I never know what will happen in the Senate." 

Marin later told reporters that the antitrust provisions could be removed to bypass the House Judiciary Committee, which has been focused on reform of the Immigration and Naturalization Service. If the bill bypasses Judiciary, the antitrust provisions could be revived in conference.

Separately, Davis and Moran plan to introduce legislation this week to combat the proliferation of fake state-issued drivers' licenses by calling for universal standards and biometric technologies. 
******************
Government Executive
Despite lack of new funding, e-gov projects to move forward 
By Joshua Dean 
jdean@xxxxxxxxxxx 


The Office of Management and Budget has provided almost $5 million in funding for only a few of 24 electronic government projects, but the remaining projects will still move ahead, the Bush administration's e-gov chief said Monday. 


OMB has marshaled a total of $6 billion to support its 24 e-gov projects, allowing each project to move forward this year, Mark Forman, OMB's associate director for information technology and e-government, said Monday at the launch of GovBenefits.gov, the first of OMB's 24 e-gov projects to debut.


The $6 billion figure is not new funding. Rather, it includes staffing, reprogrammed funding, IT support and related office support. Last week, OMB handed out most of the $5 million in its e-gov fund to five projects. Only three of the funded projects were included on the original list of 24 projects the administration said it would pursue when it launched a roadmap for its e-gov initiative in February.


"All 24 e-government initiatives are proceeding," a statement from OMB said. "That some initiatives did not receive initial support from the e-government fund does not place them in a different status. The realignment of the large amount of redundant spending on activities related to the 24 e-government initiatives has enabled these initiatives to continue moving forward. The projects that received initial support from the e-government fund were components of the initiatives that could not be addressed by redirecting redundant funding."


Forman said recent expenditures from the $5 million fund were focused solely on projects that integrated information across several agencies, such as GovBenefits, FirstGov.gov and the Small Business Administration's BusinessLaw.gov Web site. Also included in the recent round of funding was the General Services Administration's e-authentication initiative, which is working to create a federal public key infrastructure. 


A brief survey of the projects shows a variety of initiatives at different stages of development and funding: 


SBA received $740,000 from the e-gov fund for BusinessLaw.gov. The site helps small businesses determine whether they are in compliance with federal, state and local regulations. "Our success is measured in terms of our ability to answer five questions for the businesses," said Jim Van Wert, SBA's senior adviser for policy, planning and e-government. "These are: What laws pertain to where I live? Where do I find these laws and how do I understand them? Do I comply with these laws in my current state? If not, how do I learn to comply? And if complying requires some action such as a registration, license or permit, how do I do it online?" Van Wert said the project requires considerable teamwork across all levels of government. 


The Office of Personnel Management is moving ahead with its five e-gov projects, though officials aren't sure where the funding is going to come from yet. Some money may come from OMB, some from OPM funds and some from other agencies, said OPM Chief Information Officer Janet Barnes. The five projects are an electronic training portal, a one-stop federal recruitment site, an online security clearance process for federal workers, a human resources data standardization project and a payroll consolidation project. OPM has completed preliminary business cases for the first four projects and expects to complete the payroll project's business case by the end of the month. 


Interior's two projects are Web portals aimed at breaking down barriers between federal, state and local agencies, and both will draw funding from participating agencies. The first is the Recreation One-Stop, a $4.1 million, five-year project to turn the existing Recreation.gov site, which currently has information about outdoor recreation opportunities on federal lands, into a compendium of information on recreation sites on federal, state and local lands, and maybe even privately owned sites. 

Interior is also trying to develop working groups with state and local governments on its second e-gov project, the Geospatial One-Stop site. The $20 million, seven-year project will draw its funding from participating agencies and aims to create a portal for online mapping tools that people can use to analyze a host of issues, ranging from overpopulation to housing to water resources. Interior also wants to develop common standards for mapping data. 
******************
Government Executive
Information-sharing bill on fast track in House 

By Bara Vaida, National Journal's Technology Daily 


Rep. Jane Harman on Tuesday predicted that legislation to boost information sharing among federal agencies and state and local governments would be ready for House floor action within the next several weeks.

The bill, H.R. 4598, would direct federal intelligence agencies such as the FBI and CIA to share information about possible terrorist attacks with the nation's governors, mayors, law enforcement personnel and "first responders" to emergencies. It has the support of the White House Office of Homeland Security, Harman said, and is likely to be considered under "suspension of the rules," a procedure designed to expedite House action. 

"This bill will give real heft to [Homeland Security Director Tom] Ridge's color-coding system," Harman, D-Calif., said at a Brookings Institution media briefing on Brookings' new homeland security report. The color-coding system alerts state and local law enforcement to the level of a security threat. 

Harman also said that this Thursday, she and Rep. Mac Thornberry, R-Texas, as well as Sens. Joseph Lieberman, D-Conn., and Arlen Specter, R-Pa., will file revised legislation to establish a Cabinet-level homeland security department. The aim of the measure is to give Ridge the legal authority to testify to Congress on funding for homeland security efforts and to formally establish his authority over other agencies.

Harman noted that a consistent problem with tackling security is that Congress and the Bush administration have been considering security in a "piecemeal fashion," without a broad strategy for finding terrorists and thwarting their actions. She said that approach also makes Congress' job difficult because it cannot adequately consider where to allocate funds. Ridge's office has targeted July 1 as the day to release its national strategy on homeland security.
********************
CNEWS
Edmonton connection to alleged $53M ripoff
By RAQUEL EXNER -- Edmonton Sun

One of the people involved in an alleged $53-million Internet scam that apparently bilked people from around the world pleaded guilty in an American court yesterday. 

Cary Waage, 26, the son of the man cops claim is the Albertan mastermind behind the alleged investment scam, pleaded guilty in Sacramento, California, to mail fraud and conspiring to commit money laundering. 

The maximum sentence for the first count is five years in jail while the second charge carries a maximum penalty of 20 years. Other charges against Cary Waage were dropped. 

He will be sentenced July 8. Factors that will affect his sentence are the number of alleged victims, the amount of money involved and how sophisticated the alleged scam was. 

"Our investigation into the actions of Tri-West is progressing," said a pleased assistant U.S. attorney Chris Sonderby. 

"Mr. Waage's guilty plea is a positive step in our efforts to recover assets for the victims." 

FBI special agent Nick Rossi added they "were pleased with the guilty plea and we look forward to the successful conclusion of the investigation and prosecutions." 

In early September, Alyn Richard Waage, 55, of Nisku, was arrested by Costa Rican authorities on charges of mail and securities fraud in the United States. 

He still has to be extradited, along with American Web site designer James Michael Webb, 39. 

FBI documents claim Alyn Waage is the mastermind behind an alleged $53-million Internet scam that bilked 13,000 investors from 57 countries over the past two years. 

Tri-West Investment Club allegedly promised members a high return on their money, bonuses for finding new members and no risk on their original investment. 

Officials say the alleged setup is a Ponzi scheme where funds from recent investors are used to make payments to earlier investors, leading some investors into the false belief that the program is paying off. 

When investors heard about the guilty plea yesterday, their views were mixed. 

"I feel really good that he pleaded guilty," said Cheryl Eburne, 54, from her home in Coquitlam, B.C. "I feel justified that at least he may have to pay for what he did." 

Peter Knudson, of Spokane, Washington, said Tri-West "was a good deal, until the government got involved." 

However, Knudson said he would still like to recover his investments. 

Sonderby said some property and millions of dollars were seized in Costa Rica, so the victims should be compensated. Eburne lost $14,000, while Knudson lost $36,000. 

Documents filed in California court show Cary Waage assisted with day-to-day management, computer programming, data entry and money laundering. 

His living expenses were taken care of, he was paid $2,500 every two weeks and was promised a $1-million bonus at the conclusion of the alleged scheme, say the documents. 

Michelle Higgins, 42 - the alleged mastermind's wife - and family friend Evan Theodore Smith Pryor have also been charged in connection with the case. They are still at large.
******************
Wired News
XP Updates Start to P.O. Users

One of the purported user-friendly features of Microsoft's new operating system is turning out to be user-annoying. 

As many as three times a week, on average, XP users see a little window pop-up at the bottom of their computer screens announcing the availability of another new update for their system. This plethora of patches has left many users wondering whether their hard drives are big enough to handle "Trustworthy Computing." 

Users also complain that several of the patches made their systems unstable. And some were annoyed by the many-megabytes worth of available patches for what they feel are unimportant applications such as games and file-sharing applications, believing that Microsoft should instead focus on fixes for crucial security holes. 

Security experts say that the auto-update feature is good in theory, but doesn't work as well as it should. In some cases, the updates have even interfered with previously installed security patches, leaving supposedly protected machines open to malicious hackers. 

Experts also confirm that many serious holes in Microsoft programs remain unpatched and wonder when the much-touted Trustworthy Computing initiative will have measurable real-world results. 

Microsoft itself is having problems keeping up with its cavalcade of patches. Programmer Thor Larholm notes that patch MS02-018, which Microsoft deemed "critical" and released at the beginning of April, had not been applied to the company's own Hotmail and Hotmail Passport servers. 

A Microsoft spokesperson confirmed that the servers had not been patched. 

"MSN is working to implement this patch as quickly as possible," the spokeswoman said. "Given that MSN Hotmail serves over 110 million customers, it is an ongoing process and it does take some time to update each MSN Hotmail server." 

Larholm said the unpatched servers leave Hotmail accounts open to several serious hack attacks. The spokeswoman said that as far as Microsoft knows, no customer information has been compromised. 

Larholm has posted a list on his website of 14 other yet-unpatched vulnerabilities in Microsoft applications. He said in late March there were only two vulnerabilities on the list, but since then the number has grown steadily. 

In response to Larholm's list, a Microsoft spokesman said the company feels that "promoting alleged vulnerabilities may put computer users at risk -- or at the very least, could cause needless confusion and apprehension." 

Larholm was amused by that response. 

"The last time I read the exact phrase 'or at the very least, could cause needless confusion and apprehension' was three days ago in a Microsoft response to another security related article. It's their new shrink-wrap response." 

Larholm said that all the vulnerabilities listed on his page, discovered by various security experts, went through rigorous testing and acknowledgment by Microsoft before they were published by their disgruntled discoverers. 

"You can be sure that any vulnerability listed is already being actively used," Larholm said. "The list itself exists to put pressure on Microsoft, in the tiny hope that they may patch these holes. I also do my best to assure that each issue on the list is provided with temporary solutions that can be applied immediately. Microsoft seems to think that customers prefer to stay exploitable for months while waiting for a patch." 

*******************
Wired News
Heart Docs to Make Mouse Calls

A new monitor that will keep track of implantable cardiac devices means heart patients might be able to visit their doctors in a virtual way. 

The device, CareLink, can transfer information about the patient's implanted cardioverter-defibrillator (ICD) on a phone line so that a doctor can access the information anywhere an Internet connection is handy. 

Thousands of patients may benefit from using the monitor because existing ICDs don't require adjusting. 

"There are around 100,000 Medtronic ICDs out there and about twice as many in total (in the United States)," said Chuck Yerich, business director at Medtronic, the company that developed the monitor. 

ICDs monitor the heart's electrical system for dangerous acceleration patterns. They can deliver electrical impulses to stop fast heart rates, protecting patients from sudden cardiac arrest. 

Of course, some patients may continue to do it the old-fashioned way, by seeing their doctors in person. 

"Patients like to come and see their doctors," said Stephen Ehrlich, director of electrophysiology at Mission Internal Medical Group. 

Yerich, however, said the patients in the trial -- 59 in all -- were very happy with the monitor. 

"The patients are pretty excited about it," Yerich said. "The monitor gives people the freedom and the comfort to know they can travel but have this lifeline or connection to their physician. 

"They feel in control." 

The monitor, about the size of a telephone answering machine, uses battery power and is plugged into the phone jack. 

During a checkup, the patient holds a mouse-sized antenna over the ICD. At the click of a button, the monitor downloads information about how the device is operating, its battery level, and the patient's heart rhythms. 

"It's the same information that the doctor would get with a visit," Yerich said. 

Then a pre-programmed number is automatically dialed, and the information is sent to the server. 

"It takes between 20 seconds and five minutes to download the information, depending on how much information is there," Yerich said. 

Both patient and doctor can then access this information through a password-secured website. 

While the monitor will not eliminate the need for doctor visits, it will reduce them and give physicians access to important information that will help them decide when patients need to be seen. 

"We see patients based on their condition," said Dr. Gregory Feld, professor of medicine and director of the cardiac electrophysiology program at the University of California, San Diego's Department of Medicine. 

"If they are stable and if the batteries are reliable then, with this monitor, we wouldn't have to see them as frequently to check on their well-being."

James Thompson, a pacemaker owner, said he would be quite happy to use a monitor like this one when it becomes available. 

"I would probably use it," Thompson said. "It's fine if I don't see the doctor all the time." 

Thompson had no concerns about relying on technology to transfer the information. 

"If it is some yahoo of a cardiologist, I would probably place more trust in the machine," Thompson said. 

The CareLink monitor, which will be marketed on a subscription basis and will cost around $200 per patient, per year, will be ready for market in May. 

Currently it can only be used with Medtronic implants and only with certain ICDs but, Yerich said, over time it could be adapted for use with all Medtronic ICDs, pacemakers and heart failure devices. 
***************
Wired News
Hotmail at Risk to Cookie Thieves

MSN Hotmail users, guard your cookies. A simple technique for accessing Microsoft's free e-mail service without a password is in the wild and apparently being exploited. 

The trick involves capturing a copy of the victim's browser cookies file. Once the perpetrator gains two key Hotmail cookies, there's no way to lock him out because at Hotmail, cookies trump even passwords. 

"What's scary about this is that once they have your cookies, they have your account forever. Even if you change your password, they can still get in," said Eric Glover, a New Jersey-based programmer who has a doctorate in computer science from the University of Michigan. 

Glover said he unearthed the Hotmail cookie problem when a friend's former boss started accessing the friend's Hotmail account -- and continued to use the account even after the pal repeatedly changed her password. 

After studying Hotmail's sign-on process, Glover concluded that the snoopy manager likely had grabbed a copy of the Hotmail cookies from the friend's work computer or a back-up tape and had been using them to digitally unlock her Web mail account. 

Microsoft officials said Thursday that the Hotmail service offers users several tools to limit what the company terms "cookie-based replay attacks" but added that Microsoft is "always looking at ways to protect users further, as well as giving them more control over their online experience." 

Security experts, however, said today that the Hotmail vulnerability exposes the risks of relying on browser cookies as the digital keys to Internet sites. 

Cookies, the small data files placed on an Internet user's computer when visiting websites, are primarily used to identify visitors for the purpose of customizing content such as advertising. But many sites, including Hotmail, also rely on cookies for more serious authentication purposes. 

For such sites, the cookie is akin to an ATM banking card that doesn't also require the holder to provide a password. Lose the "card" and you may give up your security. 

"Cookies were never designed to be an authentication mechanism. But anyone trying to deploy a Web application today doesn't really have much choice," said Marc Slemko, a Seattle-based security expert who has previously discovered cookie-related security problems at Microsoft's Passport service. 

Without physical access to a PC, how big a hurdle is stealing Hotmail cookies? "Trivial," said Slemko, who pointed out years ago how cross-site scripting flaws can be exploited to perform attacks such as pilfering cookies. 

What's more, security bugs in Internet Explorer make robbing a remote user of his Hotmail cookies a snap, according to Thor Larholm, a Danish programmer and security specialist who has compiled a list of IE browser flaws, many of which allow cookie-snatching exploits. 

"I would say that a malicious programmer's day-to-day chances at successfully stealing the target's cookies lie between very easy and easy," said Larholm, noting that browser cookies are stored unencrypted and in a fixed location. 

According to Slemko, most sites that rely on cookies to authenticate users -- including online banks, brokerages, and e-commerce sites -- typically design the tokens to expire after users have been logged in and inactive for a few minutes. 

But in an apparent effort to boost convenience for its users, Hotmail allows users to make their authentication cookies practically permanent. 

At the Web-mail service, a half dozen cookies are written to the hard disk when the user clicks the "keep me signed in" option while logging in to the service. The option is designed to relieve Hotmail users of being nagged for a password each time they check their mail throughout the day. 

Two of the cookies, set by MSN.com and named "MSPAuth" and "MSPProf," are the digital keys that allow an attacker to access the interior pages of a Hotmail account without being prompted to sign in, and to read and send messages from the account and change the account holder's preferences. 

In tests by Wired News, the Hotmail cookies appeared to stay on the PC unless the user clicked the "Sign Out .NET" button or re-booted the computer. Merely closing the browser did not delete them. 

According to Slemko, the Hotmail cookie problem could stem from a bug in an optional feature offered by the service. Hotmail enables users to configure a "session expiration" option that promises to "automatically end" the user's session after a specified time interval. 

But even with the expiration option enabled at its most secure setting, testing by Wired News showed that a cookie could be exported to another computer and still used to authenticate a password-less Hotmail login 24 hours later. 

Aside from correcting the session expiration bug, Slemko said there's little Microsoft can do to guard Hotmail users against cookie attacks. 

"They are balancing convenience and security. If they added, for example, another layer of checks with the central Passport servers, the whole system would become even slower and more unreliable," Slemko said. 

Since Hotmail is designed to allow users to access their accounts from any computer anywhere, the service's authentication cookies do not appear to constrain access based on a user's Internet Protocol address, according to Glover. 

A Hotmail user's best defense against cookie robbers, Glover said, is to shun the "keep me signed in" option, and to follow Microsoft's advice and click the service's sign-out icon when finished with a Hotmail session. But Glover said such tactics will require a change of habits for Hotmail users. 

"I hypothesize that the majority of them sign on first thing in the morning and stay logged in to their Hotmail accounts all day. I don't think they realize this is setting them up to have their identities stolen," he said.
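The replay behaviour described above (a copied cookie that keeps working after a password change and past the "session expiration" setting) comes down to what the server checks when a cookie is presented. The following sketch is an added illustration, not code from the article and not Microsoft's or Passport's actual design; the cookie layout, key, account store and function names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # constructed value; a real service keeps this in a secret store

# Hypothetical server-side account store. "epoch" is bumped on every password
# change; "session_limit" is the user's chosen session expiration in seconds.
ACCOUNTS = {"alice": {"epoch": 1, "session_limit": 15 * 60}}


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()


def issue_cookie(user: str, now: int) -> str:
    """Issue a signed cookie carrying the user, issue time and credential epoch."""
    claims = {"u": user, "iat": now, "ep": ACCOUNTS[user]["epoch"]}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body).decode()


def _verified_claims(cookie: str):
    """Return the claims if the signature is valid, otherwise None."""
    try:
        encoded, sig = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:  # no separator, or malformed base64
        return None
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        return None
    return json.loads(body)


def validate_signature_only(cookie: str):
    """Replayable check: any cookie the server once issued is accepted forever.

    Expiry is left to the browser and nothing ties the cookie to the current
    password, so a copy taken from disk or a backup tape keeps working.
    """
    claims = _verified_claims(cookie)
    return claims["u"] if claims else None


def validate_hardened(cookie: str, now: int):
    """Server-enforced check. Returns (user, "ok") or (None, reason)."""
    claims = _verified_claims(cookie)
    if claims is None:
        return None, "bad signature"
    account = ACCOUNTS.get(claims["u"])
    if account is None:
        return None, "unknown user"
    # A password change bumps the epoch, so every older cookie stops working.
    if claims["ep"] != account["epoch"]:
        return None, "revoked"
    # The session limit is enforced here, not by the browser's cookie expiry.
    age = now - claims["iat"]
    if age < 0 or age > account["session_limit"]:
        return None, "expired"
    return claims["u"], "ok"


def change_password(user: str) -> None:
    """Record a password change; the new epoch invalidates outstanding cookies."""
    ACCOUNTS[user]["epoch"] += 1


if __name__ == "__main__":
    t0 = 1_000_000                      # constructed timestamp
    copied = issue_cookie("alice", t0)  # stands in for a cookie copied off a PC
    print("24h later, signature-only:", validate_signature_only(copied))
    print("24h later, hardened:      ", validate_hardened(copied, t0 + 24 * 3600))
    change_password("alice")
    print("after password change, signature-only:", validate_signature_only(copied))
    print("after password change, hardened:      ", validate_hardened(copied, t0 + 60))
```

The epoch comparison needs one account lookup per request, which is the kind of extra server-side check Slemko describes as trading speed for security.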
******************
Wired News
Crooks Cause Chilean Car Chaos

New Yorkers think they have traffic jams, but sorting them out is child's play compared to what Chilean commuters awoke to on Thursday -- a morning of mayhem and chaos. 

In Santiago de Chile, 800 of the city's 1,800 traffic lights went haywire after thieves stole 15 PCs and 2 servers from the Unidad Operativa de Control de Tránsito (UOCT), the office that manages the traffic flow of the city. 

Without the computer system, the traffic lights continued working but at their own pace, losing all synchronization between one crossroad and the others. Five million citizens were in fear of crossing the streets, whether on foot or by car. 

The thieves that broke into the offices of the UOCT, late at night last Wednesday, seem to have had a good knowledge of the place. They entered the building through the kitchen in the backyard, deactivated the alarm system and disconnected security cameras. 

But while stealing the goods, valued at US$90,000, they took their time. According to police reports, these peculiar robbers smoked some cigarettes, ate a snack, and drank a few cups of joe, taking it easy before leaving the scene of the crime. 

The motives behind the theft remain unknown. 

It was a thorough job: After they loaded the computers into a van, the alarm was also taken. The only equipment they left in the UOCT were the live cameras that show the way the traffic moves - or, rather, does not move. 

Although police are re-routing vehicles around the city, traffic is far from becoming organized. 

Long queues of cars were observed all over Santiago, especially in the wealthy neighborhoods of the southern and western parts of the city, where most of the derelict traffic lights are installed. 

Patricio Tambolini, subsecretary of transportation, told the local media that drivers should not expect a normal green light until Monday, when things may be straightened out. About half of the 800 derelict traffic lights were operational by Thursday evening, thanks to a backup version of the software that controls the lights, but no word on when the job will be completed. 

Luckily, this will occur during the weekend, so Santiago should not expect even more trouble as the traffic lights synchronization software is tested. 

"We thought we had deployed all normal security measures," Tambolini said. "You never know if you've covered all security holes until this kind of thing happens." He also pleaded to the almost 1 million befuddled drivers for some patience and understanding. 

In an effort to lower the number of circulating cars and calm down bewildered drivers, the authorities are urging citizens to take public transportation and the subway, even when buses now take three times as long to complete their journey. 

Local newspaper La Tercera reported that Javier Etcheberry, minister of transport and telecommunications, announced that even though installing a back-up traffic control system would be expensive, the government is giving the proposal some serious thought. 
*****************
USA Today
Google to power AOL searches

NEW YORK (Reuters) -- AOL Time Warner will use the popular search engine Google across its Internet properties, AOL said Wednesday.

The news comes a day after Overture Services said its U.S. search distribution relationship with AOL had ended. Shares of Overture tumbled to $26.50 on Instinet in pre-opening trade, from a Tuesday close of $34.19 on the Nasdaq.

Google, which responds to more than 150 million search queries a day, will now power the search capabilities of America Online, which has more than 34 million worldwide users, as well as AOL properties CompuServe, AOL.com and Netscape.

Founded in 1998, Google says it offers its users direct access to 2 billion Web pages, 700 million message board postings, and 330 million images.
******************
USA Today
Bill would deregulate high-speed Net services

WASHINGTON (Reuters) -- Senators seeking to encourage high-speed Internet access introduced a bill on Tuesday that would subject all services to the same regulatory constraints, regardless of how they are delivered.

The bill, drafted by Louisiana Democrat John Breaux and Oklahoma Republican Don Nickles, seeks to boost competition by easing regulations on digital subscriber line, or DSL, services, which provide speedy Internet connections over telephone lines.

Unlike other services that deliver high-speed, or "broadband," Internet connections over cable-TV lines, satellites, or wireless antennas, DSL and other telephone services are highly regulated at both the state and local level.

The Breaux-Nickles bill would direct the Federal Communications Commission to revise its regulations so that all services would face the same low regulatory hurdles.

The move would benefit large local-phone companies such as Verizon Communications and SBC Communications, which would be free to expand DSL service without making their new facilities available to competitors, as they must do with their existing networks.

Unlike a controversial bill that passed the House earlier this year, the Senate bill would not deregulate long-distance voice services, or allow local-phone companies to shut out rivals from their existing networks.

"I think this bill is a simple way that says, 'We should have parity when it comes to the regulation of broadband,'" Nickles said.

The bill would allow an ailing telecommunications industry to compete on a level playing field with the cable-modem operators who currently control 68% of the broadband market, Breaux said.

Local-phone giants, known as the "Baby Bells," and telecommunications equipment makers praised the bill, but independent providers said it would enable the Bells to shut them out of the market entirely because Internet and voice traffic often use the same network.

"This bill would reduce consumer choice and create a deregulated monopoly or duopoly over all local telecom services," said John D. Windhausen, president of the Association for Local Telecommunications Services, which represents independent local-phone networks.

Senate Commerce Committee Chairman Ernest Hollings will hold a hearing on the bill, Breaux said.
******************
USA Today
Raise your hand if you remember all your passwords
By Craig Wilson, USA TODAY

The fine folks who run the computer operations here at the newspaper sent out an e-mail the other day informing me that I had to change the password I use to get into my laptop every morning. Increased security concerns and all.

Why anyone would want to get into my computer is beyond me, but my mom warned me years ago that there are unstable people out there, and you can never be too careful. Evidently her message has reached our tech staff.

Not only did they tell me I had to change my password, they told me I couldn't change it to just anything I wanted, like something I might be able to remember. No, that would be too simple. My new password had to have at least eight characters and could not be a word found in the dictionary. We, who make our living with words, are not allowed to use one to begin our day.

Anyway, I am convinced this is yet another not-too-subtle plot to eliminate those of us old enough to remember the comforting hum of an IBM Selectric. I have confessed before that my memory isn't what it used to be, that I can hardly remember my own name, and now the modern world is demanding that I remember a plethora of passwords.

Like my friend Melinda, I can't even find the valuables I hid before I went on vacation last summer. Forget keeping them hidden from any would-be burglars -- they are now hidden from me, too. But I will stumble across them one of these days and be pleasantly surprised at how clever I was to put them where I did.

But this changing of my password, which can no longer be my dog's name -- what it's been for years -- is far more serious. Even on my darkest of mornings, I could remember MURPHY.

No longer.

There was a time not too long ago when the only number you needed to know was your phone number, and you didn't really need to know that because you rarely called yourself.

Now, millions of us can't get into our cars or homes without a number, a password, a code. One of my neighbors, who wisely shared her security code number with us, calls frequently to ask what it is so she can go in and shut off her system before the police come calling. We love her.

I stood at the ATM machine for five minutes the other day, waiting for my four-digit password to float from my brain down to my fingertips so they could dance across the little keypad and give me money for the weekend. It finally surfaced, but not before the people behind me were convinced I'd either had a stroke right there in the line, or I was using someone else's card, punching numbers at random in hopes of hitting the jackpot.

It gets worse. Not long ago, I was on assignment in Utah and was calling back to the office on the 800 number. It's a number I have dialed for more than a decade. Could I remember it once I got beyond the 800? No. My mind went blank. I blamed it on the thin mountain air.

And the password to get into my 401(k) account? I don't have a clue, but I do know I tucked it away somewhere in my desk at home. It's just a matter of finding it.

With any luck, that will be before I retire.
********************
USA Today
.US address raises red-white-blue flap

By Janet Kornblum, USA TODAY

We all know about dot-coms. But many had no idea that the United States has its very own Internet name: .US. It has been around for 17 years but was used mostly by government offices. That changed last week when the public got its first chance to grab a name -- the only one that officially gives a U.S. address on the Internet. More than 200,000 names were scooped up.

The government gave the contract to manage the .US name registration to a company, NeuStar, which set aside about 52,000 names for use by government entities -- many of them cities -- to keep entrepreneurs from claiming them as their own.

But not everyone is happy. Three public interest groups contend that publicity about the domain-name rollout was lacking and that the list still didn't protect some important sites.

Sen. Conrad Burns, R-Mont., and Rep. Edward Markey, D-Mass., said Tuesday that they want congressional hearings. The Center for Democracy and Technology, Common Cause and the Media Access Project charge that NeuStar failed to reserve important names for U.S. interests, such as Yellowstone.US. They also charge that NeuStar did a bad job of publicizing the availability of the names.

"This is a unique and singularly American space," says Alan Davidson of the Center for Democracy and Technology. "There has been basically no outreach."

NeuStar denies both charges, saying it worked with the Department of Commerce to come up with the 52,000 names and advertised the availability of the new names on the Web, the radio and in such newspapers as USA TODAY and The New York Times.

"This has been, by no means, a secret rushed process," says NeuStar's James Casey.
*********************
New York Times
Millers Fight For Family Domain on Web
By THE ASSOCIATED PRESS

SAN FRANCISCO (AP) -- ``It's Miller Time'' is a popular slogan used by Miller Brewing Co. to market its lager, but it was the Miller family of San Mateo County that had first dibs on the phrase as an Internet domain.

Repeated efforts by the Milwaukee brewer to force the family to give up millertime.com prompted Mark Miller and his family to file a complaint against Miller Brewing in U.S. district court.

The Millers want the court to block the National Arbitration Forum from forcing them to give up the domain name, which they've owned since 1995, according to register.com.

Miller Brewing has held a federal trademark on the phrase ``It's Miller Time'' since 2001 and ``Miller Time, Miller Beer'' since 1993, and has used variations of the saying to market its brews since 1972, giving the company a common law trademark, said spokesman Scott Bussen.

``We understand that the Miller family is trying to create a family Web site here, but we would hope that they would have understood as well that this is an integral part of our business and that we have invested a considerable number of years making that phrase mean something to people,'' Bussen said.

Calls and e-mails to Mark Miller and his attorney were not immediately returned Tuesday.

The Millers have used their Web site to post pictures of themselves and discuss their careers, achievements and hobbies. Mark Miller is executive director of the Miller Institute for Learning With Technology, a nonprofit consulting organization that works with schools.

In 1999, Congress passed the Anti-cybersquatting Consumer Protection Act, which established that the use of a registered trademark as a domain name may constitute trademark infringement.

In 2001, Miller Brewing wrote to Mark Miller, asking he cease using millertime.com under the act. When he refused, Miller Brewing filed a complaint with the National Arbitration Forum to resolve the debate.

On April 15, an arbitrator also agreed Mark Miller should give up the domain name, prompting him Monday to file the complaint in federal court.

Miller claims his family's site is making ``legitimate noncommercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.''

That means the site would be in accordance with dispute policy rules issued by the Internet Corporation for Assigned Names and Numbers. ICANN is recognized by the U.S. Department of Commerce as the governing body for the assignment of Internet addresses, the complaint says.

Millertime.com currently directs visitors to millerlite.com if they are looking for the brewing company, with no other mention of beer. Miller Brewing Co. owns the ``millertime'' domain name for several other popular suffixes, including .biz.
*******************
BBC
Surveillance cameras to predict behaviour

CCTV cameras that can predict behaviour could play a vital role in the fight against crime. 
The software, dubbed Cromatica, is being developed at London's Kingston University to improve security on public transport systems but it could be used on a wider scale. 

It works by detecting differences in the images shown on the screen. 

For example background changes indicate a crowd of people and possible congestion. If there is a lot of movement in the images it could indicate a fight. 

Preventing suicide 

"It could detect unattended bags, people who are loitering or even predict if someone is going to commit suicide by throwing themselves on the track," said its inventor Dr Sergio Velastin. 

The UK has the largest percentage of the 25 million CCTV cameras worldwide, with 2.5 million cameras watching citizens in town centres, car parks and train stations. 

The biggest advantage of Cromatica is that it allows the watchers to sift the evidence more efficiently. 

"The more cameras you have, the less you can see. One person could be looking after 25 cameras," said Dr Velastin. 

"An automatic inspection alerts them to what they want to pick up," he added. 

Regulation needed 


Critics argue that existing CCTV cameras are failing to stop crime and merely move it to areas that are not covered by cameras. 

Civil rights organisation Liberty is concerned that such systems will not be properly regulated. 

"It is not so much the technology but how it is used that concerns us, and how to keep the balance between protecting safety and protecting privacy," said a spokesperson for Liberty. 

"If software is going to be looking at behavioural patterns, who defines what behaviour merits further attention?" he asked. 

Dr Velastin insists that Cromatica is "not about Big Brother" but admits that it could become a political hot potato. 

"Decisions will have to be made at a political level as to what the right balance is but the police cannot stop you unless they have good reasons to do so," he said. 

Public polls largely support the use of CCTV cameras and it is therefore inevitable that surveillance will get more sophisticated, points out Dr Velastin. 

People power 

The cameras do not always have to be pointed at the citizen though. 

According to Dr Velastin, discussions are ongoing as to how cameras can be used by citizens, for example to watch the progress of their train when they are waiting at a station or to see who is on a tube late at night. 

"It is a very simple thing to do. Companies just haven't got their act together to do it," said Dr Velastin. 

Transport systems across Europe have expressed interest in the advance warning software and Cromatica has already been tested at London's Liverpool Street station.
****************
BBC
UK could lose out on faster broadband

This is the view of networking firm Cisco, which supplies European countries with Ethernet and fibre connections that are 20 times faster than the current speed of broadband access. 

While France has already obtained a grant from Europe to build Ethernet networks and the Irish Government is spending £185m on connecting its cities to super-fast broadband, the UK is still relying on ADSL and cable connections. 

Director of marketing for Cisco Nigel Moulton believes this is due in part to lack of organisation in the UK. 

"I'm not sure the UK Government has a co-ordinated approach to applying for EU funding," he said. 

Utility partners 

Such funding is vital in the current economic climate where venture capitalists are less likely to invest in the telecoms market and carriers are also more cautious. 

The fibre that needs to be laid to carry the networks will also depend on building relationships with utility companies as an alternative to using the telephone networks of incumbents such as BT. 

In Italy, internet service provider FastWeb is delivering high-speed access to apartment blocks in Milan. As well as offering customers 20 times the speed of current ADSL services, it also offers low cost internet telephony and video-on-demand for a monthly fee of around £13. 

Cheap taste of broadband

In the UK, recent price reductions have improved the take-up of ADSL services. 

But this has yet to have an impact on the latest statistics compiled by telecoms watchdog Oftel. 

Its figures show that nearly half of UK homes now have an internet connection but the majority are still relying on unmetered services with only 3% connected to broadband. 

In an attempt to make its impact on the market, cable operator Telewest is offering consumers a cheap taster of broadband. 

From 1 May anyone with dial-up access can sign up for a three month trial of its blueyonder broadband service for a cut-price £13.48. 

If users do not want the service after the trial they can claim back the £50 installation fee. Otherwise the service will cost £29.99 per month or £25 if taken with Telewest's TV or phone service.
****************
Nando Times
China to get tough with 'harmful' Internet content
Copyright © 2002
Agence France-Presse 
 

BEIJING (May 1, 2002 9:47 a.m. EDT) - Chinese officials have vowed to crack down on "harmful" content on the Internet, saying they want to protect youth from being corrupted, state media reported Wednesday.
The decision to "put Internet content in order" was announced at a teleconference Tuesday among senior officials across the country, the Legal Daily reported.

Those present at the conference included representatives from the State Secrets Bureau, the Ministry of Public Security and the Ministry of State Security, the paper said.

"All kinds of harmful information occasionally gets disseminated on the domestic Internet," said Luo Gan, a communist party official in charge of law and order. "There is a rising trend online for illegal activities."

He warned that if illegal use of the Internet is not stopped, young people could be harmed and social stability could be at risk.

"The emergence of these problems seriously endangers the physical and mental health of young people," he said.

The paper did not specify what kind of illegal online content would be targeted, although it did say the campaign would be waged in a spirit of patriotism and respect for the law.

Beijing is well aware of the subversive potential of the Internet, and moves quickly to quell online attempts to erode the communist party's monopoly of power.

Two members of the outlawed China Democracy Party were convicted of subversion and jailed in December for posting their political views on the Internet.

Online rating service Nielsen/NetRatings said late last month that 56.6 million Chinese are living in Internet-connected homes, making China second only to the United States in the number of home Internet users.
*****************
Euromedia.net
EU works to decrease digital divide
01/05/2002  Editor: Tamsin McMahon

The public and private sectors should work together to establish a regulatory framework for developing new technologies in order to stop a widening digital divide, concluded a ministerial meeting between the European Union, Latin America and the Caribbean. 

Technology should be seen as "a tool, not a reward of development," said the EU's Enterprise and Information Society Commissioner, Erkki Liikanen. 

The conference, in Seville, Spain, urged cooperation to foster information and communication technologies (ICT), including the emergence of new information resources, the acceleration of trade and improved public sector transparency. 

"Access to ICTs is crucial in keeping citizens informed on laws and rights and is thereby a step along the road to ensuring good governance and human rights," Liikanen said. 

At the conference, the European Commission launched @LIS (Alliance for the information society), which it said should help create open dialogue on e-strategies and support policy development.  
***************
Euromedia.net
MPEG working on new standard
24/04/2002

The Moving Pictures Expert Group (MPEG) said it is working toward another standard to build audio and video entertainment content. 

MPEG-21, although still a work in progress, proposes an overarching standard that would combine the delivery technology and digital-rights protection for MPEG-based audio and video on any platform, for any device. But as is the case with MPEG-4 there is already some underlying doubt about industry acceptance. 

"It's really our effort to help the multimedia industry deploy the audio-visual standards in a logical and interoperable fashion," said US MPEG Committee chairman Peter Schirling, senior consulting engineer at IBM. "We saw so much divergence in end-to-end deployments, so what we are really trying to do is to help with the life cycle." 

It is understood that MPEG-21 will provide several tools to manage how digital objects -- such as audio, video or multimedia files -- are encoded, secured, transmitted and viewed. The tools offer means to identify content, manage how it is searched, cached, archived and retrieved, and manage how to adjust the display to fit myriad end-user devices. 

MPEG-21 is designed to work with its predecessors, the group said. Elements of MPEG-21 archiving information can be included in an MPEG-2 stream, for example. 

While MPEG-21 is wide-ranging, the element that has received the most notice is the Intellectual Property Management and Protection tool, which can set how and where content can be viewed. MPEG-2 and MPEG-4 both contained some conditional-access elements, but MPEG-21 provides a more universal framework for digital content protection, the group said. 

First, MPEG-21 provides guides for protecting the content from being consumed at any point unless a user has the mechanism required to unlock it. Second, it offers a rights-expression language, so content providers can literally spell out how and where they want the content to be viewed. 

For streaming-media giant RealNetworks, MPEG-21 is an interesting standards development, but there are still plenty of questions, said general manager of media-commerce applications Ji Shen. 

"We want to see successful industry standards come out," Shen said. "However, the current path MPEG-21 goes down is leading to complex technology framework, and it is not royalty-free. Those combined, basically, in our opinion, do not facilitate a rapid adoption of Digital Rights Management technology." MPEG-21's elements are due to be completed in 2003 and 2004.
****************
Sydney Morning Herald
PIN codes and line blocks to stop porn and call dumping
May 1 2002

Downloading pornography from the internet will require a PIN and written approval from the householder under a government bid to crack down on premium rate phone services. 

Communications Minister Richard Alston said he was concerned about consumers being slapped with unexpectedly high phone bills because someone in the household - often a child - rang 190 and 0011 numbers. 

Internet surfers can also be caught when adult websites disconnect calls to a local service provider and reconnect customers to expensive 190 or 0011 numbers. 

So-called internet dumping has sparked more than a thousand complaints to the telecommunications ombudsman over the past year but in most cases, consumers have had to fork out the money. 

But under draft rules released for public comment today, the Australian Communications Authority would get new powers to protect consumers against high phone bills. 

Internet users would also have to register to use premium rate services and provide a PIN before they could download pornography, in line with similar restrictions on phone sex lines. 

Other options include: 

capping or waiving liability for bills in some cases; 

warning customers with high bills about premium rate services; 

limiting advertisements for adult websites; and 

barring or restricting access to 190 and 0011 numbers used for on-line adult services. 

Figures from the Telecommunications Industry Ombudsman (TIO) show 1014 complaints about internet dumping were received in 2001, peaking at 259 in the last three months of the year. 

But a TIO spokeswoman said investigations had not found any websites breaking the rules and failing to notify consumers of the higher charges. 

"However, it is obvious from the level of complaint that many people have not read or understood the significance of these notices," she said. 

"The TIO's advice to consumers is to block their phone lines' access to 190 (premium rate) numbers. 

"At the moment this is the only way of ensuring that you don't unwittingly enter a site delivered over a premium rate line, and of making sure that children or other members of the household don't run up a high phone bill." 

Public comments on the draft rules are invited by July 1 to the Department of Communications, Information Technology and the Arts. 
****************
New Zealand News
Safety concerns prompts Nokia modem recall 
May 1, 2002

A potentially serious safety hazard that can cause an electric shock has prompted Nokia to recall a batch of modems manufactured before June 2001. 

The recall, which affects Nokia M and MW 1122 series modems used with Telecom's Jetstream service, follows a safety warning in June last year which asked users to bring their modems to Next Electronics for testing and replacement if necessary. 

Nokia spokesman Anthony Wilson would not say how many modems were affected, but said even though testing showed less than one per cent of the batch had the potential to fail, Nokia had decided to recall and replace the entire batch. 

Customers have been sent letters asking them to check serial numbers and to ring 0800 665 426. In faulty units, if the modem's power cable is pulled out from the rear of the modem, one of the pins in the modem's power socket will remain in the modem's power plug. 

The letter states: "This can cause an electric shock giving rise to serious injury or even death if the power plug is handled while the cord is still connected to the wall socket and power is on." 
*******************




Lillie Coney
Public Policy Coordinator
U.S. Association for Computing Machinery
Suite 507
1100 Seventeenth Street, NW
Washington, D.C. 20036-4632
202-659-9711