
Clips July 30, 2003

ARTICLES

Legislatures Move Closer To Online Sales Tax Collection
FBI targets Net phoning 
Indonesia imposes copyright law
Internet song swappers say legal threats won't stop them 
Zimmermann: Public too slow to adopt encryption 
Kentucky shakes up systems after large-scale hacking 
Proposal would link agencies' funding to privacy protections 
Security officials discuss efforts to combat computer crime 
Exploit code posted for Windows hole

*******************************
Associated Press
Legislatures Move Closer To Online Sales Tax Collection
Wed Jul 30, 3:35 AM ET
Eric Chabrow, Information Week 

A system that will let states collect sales tax from online purchasers should become operational next year. More than enough state legislatures have passed laws this year to implement the Streamlined Sales Tax Project, said Dianne Hardt, project co-chair and Wisconsin's tax administrator, at a briefing Tuesday. 


Legislatures in 20 states, representing about a third of the population of the 41 states participating in the project, have enacted laws to conform with provisions of the tax-collection program. An agreement approved by the states' tax officials last year calls for execution of the sales-tax collection system once 10 states representing 20% of the population of sales-tax-collecting states approve the project. 


Though that threshold has been reached, Hardt said, it will take months to verify if each state's law conforms with project standards. She expects the program to become effective either April 1 or July 1. 


Many online businesses don't collect sales tax from buyers who live in states where the companies aren't based. Legally, buyers are required to pay a sales tax, known as a use tax, to the state in which they reside, but few do so unless sellers collect the levies. States lose an estimated $200 million a year in uncollected sales taxes from online purchases. The system devised by Streamlined Sales Tax Project establishes processes in which the taxes are collected and distributed to the states. 


Businesses have three choices of the technology they can use to collect and remit sales tax: contract with a project-certified service provider, purchase and deploy project-certified software, or have tax authorities certify a homegrown system. 


States participating in the project must agree to the same definitions for taxed items. For instance, the project defines fruit juice as a beverage containing at least 50% fruit juice. Wisconsin exempts fruit juices only if they contain 100% fruit juice. If the state wants to participate in the project, it would have to agree to exempt fruit juice as defined by the project. Having a single definition for an item makes it easier for businesses serving customers in multiple states to know what to tax. 


Though the project has defined for tax purposes most commodities and services, it's still working out definitions for digital property such as downloaded music. 


Hardt said businesses will benefit once the tax-collection mechanisms take effect because it will simplify the tax structure, provide greater accuracy for tax calculations, indemnify business from errors, and reduce the scope of potential audits. Because of these benefits, Hardt said, "the business community will put pressure on states that aren't participating to participate."
*******************************
CNET News.com
FBI targets Net phoning 
By Declan McCullagh 
July 29, 2003, 4:00 AM PT

Internet telephone calls are fast becoming a national security threat that must be countered with new police wiretap rules, according to an FBI proposal presented quietly to regulators this month.

Representatives of the FBI's Electronic Surveillance Technology Section in Chantilly, Va., have met at least twice in the past three weeks with senior officials of the Federal Communications Commission to lobby for proposed new Internet eavesdropping rules. The FBI-drafted plan seeks to force broadband providers to provide more efficient, standardized surveillance facilities and could substantially change the way that cable modem and DSL (digital subscriber line) companies operate. 

The new rules are necessary, because terrorists could otherwise frustrate legitimate wiretaps by placing phone calls over the Internet, warns a summary of a July 10 meeting with the FCC that the FBI prepared. "Broadband networks may ultimately replace narrowband networks," the summary says. "This trend offers increasing opportunities for terrorists, spies and criminals to evade lawful electronic surveillance." 

 

In the last year, Internet telephony (also called voice over Internet Protocol, or VOIP) has grown increasingly popular among consumers and businesses with high-speed connections. Flat-rate plans cost between $20 and $40 a month for unlimited local and long-distance calls. One of the smaller VOIP providers, Vonage, recently said it has about 34,000 customers and expects to have 1 million by late 2004. 

According to the proposal that the FCC is considering, any company offering cable modem or DSL service to residences or businesses would be required to comply with a thicket of federal regulations that would establish a central hub for police surveillance of their customers. The proposal has alarmed civil libertarians who fear that it might jeopardize privacy and warn that the existence of such hubs could facilitate broad surveillance of other Internet communications such as e-mail, Web browsing and instant messaging. 

Under existing federal wiretapping laws, the FBI already has the ability to seek a court order to conduct surveillance of any broadband user through its DCS1000 system, previously called Carnivore. But the bureau worries that unless Internet providers offer surveillance hubs based on common standards, lawbreakers can evade or, at the very least, complicate surveillance by using VOIP providers such as Vonage, Time Warner Cable, Net2Phone, 8X8, deltathree and DigitalVoice. 

Digital wiretapping
The origins of this debate date back nine years, to when the FBI persuaded Congress to enact a controversial law called the Communications Assistance for Law Enforcement Act, or CALEA. Louis Freeh, FBI director at the time, testified in 1994 that emerging technologies such as call forwarding, call waiting and cellular phones had frustrated surveillance efforts. 

Congress responded to the FBI's concern by requiring that telecommunications services rewire their networks to provide police with guaranteed access for wiretaps. Legislators also granted the FCC substantial leeway in defining what types of companies must comply. So far, the FCC has interpreted CALEA's wiretap-ready requirements to cover only traditional analog and wireless telephone service.

"I think the FCC has a lot of room here," said Stewart Baker, a partner at Steptoe & Johnson who represents Internet service providers. "CALEA was written knowing that there would be new technologies for telecommunications." Baker, the former general counsel of the National Security Agency, said it was not clear whether the FBI had yet been frustrated by problems when wiretapping VOIP calls. 

Derek Khlopin, regulatory counsel at the Telecommunications Industry Association, whose members include Cisco Systems, Ericsson, Lucent Technologies, Motorola and Nortel Networks, said what the FBI is "worried about is, when you have voice over DSL, if there's a way someone could say they're not subject to CALEA." 

In a letter to the FCC, the FBI wrote: "CALEA applies to telecommunications carriers providing DSL and other types of wire line broadband access." 

Some members of Khlopin's trade association, such as Cisco, already manufacture products that follow CALEA guidelines. Khlopin said his group did not have a position on the FBI's request, but suggested that "CALEA is not the only way that law enforcement can get the bad guys." 

The FBI's proposal has drawn criticism in regard to privacy issues. 

A representative of DSL provider Speakeasy said the company "does not support the extension of CALEA to ISPs, because the proposal appears to run counter to our commitment to protect our subscribers' privacy first and foremost. We certainly will be closely monitoring the progression of this particular proposal."

Barry Steinhardt, director of the American Civil Liberties Union (ACLU)'s technology and liberty program, said the FCC could not legally extend CALEA to cover the Internet without additional action by Congress. "CALEA does not apply to 'information services,' which was the then term of art for the Internet," Steinhardt said. "Voice over IP is just that, a voice service over the Net. CALEA should not, and so far has not, applied to VOIP." 

The FBI proposal is before the FCC, which has jurisdiction over DSL and cable modem providers and is expected to rule on the matter this fall. "It's pending before the commission, and we plan to address the question," an FCC spokesman said. 

How to follow the law
It's unclear what a broadband provider must do if the FCC extends CALEA's reach, and the regulations survive a possible court challenge from privacy groups such as the ACLU or network providers who do not wish to comply. 

Martin King, an attorney in the FBI's general counsel's office who attended the July 10 meeting, said the bureau would not elaborate on its request to the FCC. "On this particular matter, we are going to decline to comment," King said. 

Colleen Boothby, a former FCC official who is now a partner at Levine, Blaszak, Block & Boothby, said the implications of the FBI's proposal would vary based on how a broadband provider's system is configured. 

"It's going to depend on what facilities they have," Boothby said. "When designing systems and configuring software and hardware, they have to preserve the government's ability to eavesdrop. Does it mean physical electrical closets? Does it mean an extra server in a secure room? It means as many varied things as there are variations in network design." 

Lawrence Plumb, a spokesman for Verizon Communications, said: "How does a service provider architect its broadband network and equipment to be CALEA-compliant? The exact answer to 'how' isn't known." 

Companies would be reimbursed for their costs to comply with CALEA. When enacting the law, Congress earmarked $500 million to reimburse telephone and cellular providers for their expenses. 

Police encountered similar problems when wiretaps on customers using data services such as mMode from AT&T Wireless and PCS Vision from Sprint PCS could intercept only voice communications. Earlier this year, VeriSign, Cisco and other members of an industry consortium announced a set of products that would permit police to eavesdrop on wireless data transmissions. 

FBI meetings
The FBI appears to have first presented its proposal to the FCC last year. But in the July 10 and July 22 meetings, the bureau extended it to say that if broadband providers cannot isolate specific VOIP calls to and from individual users, they must give police access to the "full pipe"--which, by including the complete simultaneous communications of hundreds or thousands of customers, could raise substantial privacy concerns. 

A summary of the meeting prepared by the FBI said the FCC could "require carriers to make the full pipe available and leave law enforcement to perform the required minimization. This approach is already used when ISPs provide non-CALEA technical assistance for lawfully ordered electronic surveillance." 

The July 22 meeting at the FCC included John Pignataro, deputy superintendent of Maryland's state police force, two attorneys for the FBI's Electronic Surveillance Technology Section, and Leslie Szwajkowski, the head of that section's policy unit. They met with a senior advisor to FCC Commissioner Kevin Martin. During the July 10 meeting, FBI representatives met with 10 officials from the FCC's Wireline Competition Bureau, its Media Bureau and the Office of Strategic Planning and Policy Analysis. 

The meetings, according to summaries prepared by the FBI, stressed that "broadband telephony involves packet-mode communications, which are more difficult to intercept than circuit-mode communications. The need for CALEA-standardized broadband intercept capabilities is especially urgent in light of today's heightened threats to homeland security and the ongoing tendency of criminals to use the most clandestine modes of communication." 

In an interview, however, a Vonage representative said the VOIP provider had never received a request from a police agency to do a live voice interception, though the company has been served with subpoenas for stored customer information. "We have been subpoenaed, I believe, several times for call records and call data," Vonage's Brooke Schulz said. "We've responded to those subpoenas very, very quickly. Because of the way our service is set up, we have all this data on hand, and it's very easy to do." 

Schulz said if Vonage were to receive a proper request to perform a live voice interception, it would be trivial to comply with, because all the company's VOIP calls flow through central servers. "We are able to copy the data stream and send it in tandem to another location," Schulz said. "You can essentially send it to the law enforcement agency you need to send it to, as long as they have the proper equipment and the proper interconnect." 

Because Vonage's network already is accessible to police armed with a legal wiretap order, Schulz said she was mystified by the FBI's proposal to the FCC. "We really don't know where it's coming from," she said. 

Why the proposal?
The FBI declined to elaborate on the justification for its proposal. An FBI agent who attended the pair of meetings and spoke on condition of anonymity said that "if it's pending, we don't want to be talking about it." 

One explanation for the proposal is that not all VOIP networks flow through a service that can be readily wiretapped. For instance, Pulver.com's Free World Dialup connects about 38,000 subscribers in 150 countries who typically use Cisco ATA-186 and Cisco 7960 VOIP phones to talk to each other directly. 

The best place to intercept those types of VOIP calls would likely be at the user's broadband provider. 

A second explanation for the FBI's proposal is that, by requiring broadband providers to comply with CALEA, police would have an easier time wiretapping other types of Internet communications such as e-mail, Web browsing and instant-messaging services. 

David Sobel, general counsel of the Electronic Privacy Information Center, said: "It seems that current practices are providing the government with full access" to VOIP calls. 

Baker, the CALEA attorney at Steptoe and Johnson, said: "It would be very difficult to set up a network so that you could only intercept voice packets and not the others. The likely result here is that you'll have modifications that are useful for law enforcement not just for voice packets but for other packets as well." 

Yet another reason for the FBI's proposal, Baker said, is that the bureau is very interested in details about a VOIP phone call, not just the conversation itself. Those details, such as who was on the call, are called "punch list items" according to CALEA. "It's not about content but about getting call-identifying information or traffic analysis," Baker said. "Who was on the line, how long they stayed on, who did they put on hold--things like that. The FBI has always wanted to get that information served up very neatly, promptly and conveniently." 
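To make concrete what "isolating specific VOIP calls" from a "full pipe" involves, and why the call-identifying details Baker lists fall out of the signaling rather than the audio, here is an added example in Python. It is not code from the article, from Vonage or from any carrier named above. It assumes SIP signaling on UDP port 5060 with the RTP media ports negotiated through SDP, and the subscriber address, proxy, far-end peer and captured packets below are constructed. Media in the sample flows directly between the two phones, as with the Free World Dialup calls described above, so a tap at the provider's SIP server alone would see the signaling and miss the audio; the filter keeps the audio only because it learned the endpoints from the SDP exchange.

```python
"""Pull one subscriber's VoIP calls out of a 'full pipe' capture.

Added example, not code from the article or from any carrier it names. It
assumes SIP signaling over UDP/5060 (RFC 3261) with RTP ports negotiated in
SDP (RFC 4566); the addresses, packets and messages below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SIP_PORT = 5060


@dataclass
class Call:
    call_id: str
    caller: str
    callee: str
    start: float
    end: Optional[float] = None
    media: set = field(default_factory=set)  # (ip, port) RTP endpoints learned from SDP

    def duration(self):
        return None if self.end is None else round(self.end - self.start, 3)


def parse_sip(payload):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = payload.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def sdp_audio_endpoint(sdp):
    """(ip, port) that will carry RTP audio according to an SDP body, else None."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    audio = re.search(r"^m=audio (\d+) RTP/AVP", sdp, re.M)
    return (conn.group(1), int(audio.group(1))) if conn and audio else None


def minimize(packets, target_ip):
    """Return (kept packets, calls): only the target's SIP and RTP survive.

    packets are (ts, proto, src, sport, dst, dport, payload) tuples. Anything
    that is not signaling or media of a call the target is party to is dropped,
    which is the minimization a 'full pipe' hand-off leaves to the agency.
    """
    calls = {}
    kept = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts, proto, src, sport, dst, dport, payload = pkt
        if proto == "udp" and SIP_PORT in (sport, dport) and isinstance(payload, str):
            start_line, hdr, sdp = parse_sip(payload)
            call = calls.get(hdr.get("call-id"))
            if call is None:
                # Only an INVITE to or from the target opens a call we may keep
                if not (start_line.startswith("INVITE") and target_ip in (src, dst)):
                    continue
                call = Call(hdr["call-id"], hdr.get("from", ""), hdr.get("to", ""), ts)
                calls[call.call_id] = call
            endpoint = sdp_audio_endpoint(sdp)
            if endpoint:
                call.media.add(endpoint)  # each side announces where its RTP will go
            if start_line.startswith("BYE"):
                call.end = ts
            kept.append(pkt)
        elif proto == "udp" and any((src, sport) in c.media and (dst, dport) in c.media
                                    for c in calls.values()):
            kept.append(pkt)  # RTP between endpoints negotiated in a kept call
        # web, mail and other subscribers' calls never leave the pipe
    return kept, list(calls.values())


def call_records(calls):
    """Call-identifying details (the 'punch list' items) taken from signaling alone."""
    return [{"call_id": c.call_id, "from": c.caller, "to": c.callee,
             "seconds": c.duration(), "media": sorted(c.media)} for c in calls]


def sip(start_line, call_id, frm, to, sdp=None):
    """Build a minimal constructed SIP message carrying only the headers read above."""
    body = ""
    headers = [start_line, "Call-ID: " + call_id, "From: " + frm, "To: " + to]
    if sdp:
        body = "v=0\r\nc=IN IP4 %s\r\nm=audio %d RTP/AVP 0\r\n" % sdp
        headers.append("Content-Type: application/sdp")
    headers.append("Content-Length: %d" % len(body))
    return "\r\n".join(headers) + "\r\n\r\n" + body


TARGET, PROXY, PEER = "10.0.0.5", "198.51.100.10", "203.0.113.7"  # constructed addresses
CALL = "a84b4c76e66710@10.0.0.5"
ALICE, BOB = "<sip:alice@example.net>", "<sip:bob@example.net>"
SAMPLE_PACKETS = [  # constructed capture of a subscriber line; the media goes peer to peer
    (0.0, "udp", TARGET, 5060, PROXY, 5060,
     sip("INVITE sip:bob@example.net SIP/2.0", CALL, ALICE, BOB, (TARGET, 49170))),
    (0.2, "udp", PROXY, 5060, TARGET, 5060, sip("SIP/2.0 200 OK", CALL, ALICE, BOB, (PEER, 30000))),
    (0.5, "udp", TARGET, 49170, PEER, 30000, b"\x80\x00\x00\x01"),
    (0.6, "udp", PEER, 30000, TARGET, 49170, b"\x80\x00\x00\x01"),
    (1.0, "tcp", TARGET, 40001, "192.0.2.80", 80, "GET / HTTP/1.1"),
    (1.5, "tcp", "10.0.0.9", 40002, "192.0.2.25", 25, "EHLO mail"),
    (2.0, "udp", "10.0.0.9", 5060, PROXY, 5060,
     sip("INVITE sip:carol@example.net SIP/2.0", "zz9@10.0.0.9",
         "<sip:dave@example.net>", "<sip:carol@example.net>", ("10.0.0.9", 50000))),
    (60.0, "udp", TARGET, 5060, PROXY, 5060, sip("BYE sip:bob@example.net SIP/2.0", CALL, ALICE, BOB)),
    (60.1, "udp", PROXY, 5060, TARGET, 5060, sip("SIP/2.0 200 OK", CALL, ALICE, BOB)),
]

if __name__ == "__main__":
    kept, calls = minimize(SAMPLE_PACKETS, TARGET)
    print(len(kept), "of", len(SAMPLE_PACKETS), "packets kept")
    print(call_records(calls))
```

Run stand-alone it keeps six of the nine packets, the INVITE/200 OK/BYE exchange and the two RTP packets, and drops the target's web request and the other subscriber's mail and call. A real implementation also has to track re-INVITEs, SDP carried in ACKs and provisional responses, and calls that began before the tap did; what does not change is that every packet on the pipe has to be parsed before the filter can decide what to keep, which is Baker's point.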

Some Internet providers have welcomed the FBI as an ally on this issue, which has arisen as part of an FCC proceeding over broadband deregulation and how to classify Internet access. By lobbying the FCC, the bureau is essentially seeking to expand the scope of CALEA, which says telecommunications services must ensure that their equipment and facilities are capable of "expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization," to intercept all communications from a specific customer. 

FCC Chairman Michael Powell has indicated that he would like to move more Internet access services into the category of "information services," which have fewer regulations and likely would not be subject to CALEA. That alarms DSL providers such as EarthLink, which fear that deregulation means that former Baby Bells such as Verizon and BellSouth will raise their rates for access to the copper wire that runs to telephone subscribers' homes. 

"The FBI is really an ally of sorts," said David Baker, EarthLink's vice president for law and public policy. "They're saying to the FCC, look, you guys are thinking of classifying everything as an information service, but you have to be aware of the implications." 

EarthLink's Baker said "we're already seeing anticompetitive activities on the part of the phone companies even under the current rules. You do away with those rules, and you're ensuring that customers will have no choice but DSL provided by the phone company." Unless the FBI's proposal succeeds, he said, "everything that travels over a DSL connection, be it voice or e-mail, would be out of the reach of law enforcement. That would be a tremendous loophole and a breach of national security."
*******************************
Australian IT
Indonesia imposes copyright law
Correspondents in Jakarta
JULY 30, 2003  
 
A NEW law providing for fines and jail terms for copyright violators went into force in Indonesia but a minister admitted problems in cracking down on pirated goods.

The imposition of the law, which provides for jail terms of between one month and seven years and fines of up to five billion rupiah ($US584,000), was announced Tuesday by Justice Minister Yusril Ihza Mahendra. 
Despite the new law, it was difficult to crack down on piracy in Indonesia due to "the lack of public awareness" about the need to respect copyrights, Mr Mahendra said. 

Mr Mahendra, copyright officials and Jakarta police last week warned shopping mall owners they could face jail and fines for allowing the sale of pirated goods. 

Pirated music CDs, computer programs and DVDs are easily available on street stalls and shops across Indonesia. 

Shopkeepers sometimes collude with police by paying a "rent fee" to keep their businesses afloat. 

A street vendor quoted by the Jakarta Post said he would wait and see how serious the crackdown is. 

"If the law is enforced, I'll shut down my business for good. However, if the government is less than serious, then I can carry on with my business," he was quoted as saying. 

Several international donors, including the International Monetary Fund and the World Bank, have identified weak enforcement of copyright law as an impediment to foreign investment. 

Agence France-Presse 
*******************************
USA Today
Internet song swappers say legal threats won't stop them 
By Edward C. Baig USA TODAY

NEW YORK -- Online song swappers say the fear of getting hammered with a hefty lawsuit has had little effect on their habits, at least for now.
Just 17% of swappers ages 18 and over say they have cut back on file sharing because of the potential legal consequences, according to a survey released by Jupiter Research at the company's annual Plug.IN digital music conference Monday. And 43% see nothing wrong with online file trading; only 15% say it's wrong.

The survey was completed after the recording industry began issuing a flood of subpoenas in an attempt to discover the identities of illicit song traders. Measurements have since shown traffic slowing on some of the most popular file-swap services on the Net.

But conference participants expect it will take a number of tactics to make a difference. "There should be a combination of a stick and a carrot," says Tsvi Gal, chief information officer at Warner Music. "The likes of (Apple's) iTunes proved that there is a market for people who want to be honest."

Adds Jonathan Potter, executive director of the Digital Media Association, a trade group: "Cable service theft stopped when you saw your neighbor walking down the street with silver handcuffs and an orange jumpsuit. How many subpoenas will they have to (serve) to grandparents and parents until the parent says to the kid, 'What are you doing on my computer?' They'll shut it off fast."

Overall, Jupiter remains bullish on the state of online music in the long haul, though it has slashed its forecasts because of industry doldrums. The "digital channel is still in its infancy," Jupiter analyst Lee Black says. The online music market is expected to reach $3.3 billion in 2008, about a fourth of the total U.S. consumers will spend on music that year, and quadruple the amount consumers are currently spending online.

Other predictions:

CDs will not be replaced anytime soon. But offline sales will continue to sag as consumers increasingly move online to shop and retailers make room on store shelves for DVDs and video games at the expense of compact discs. 
File sharing will become marginalized as consumers are put off by poor quality, "spyware" and ads. 
Online sales will slowly shift from discs to digital downloads. That's because downloads are cheaper and more immediate, and buyers can pick individual tracks.
*******************************
Government Computer News
07/30/03 
Zimmermann: Public too slow to adopt encryption 
By William Jackson 

LAS VEGAS -- The reported use of encryption by terrorists has not shaken Philip Zimmermann's faith in having strong encryption in the hands of the public. 

Zimmermann, the creator of Pretty Good Privacy software for protecting e-mail, spoke today at the Black Hat Briefings about the struggle to commercialize the software and his three-year battle with the government over export restrictions. 

"That was the central argument in the debate," he said. "At no time did I deny that criminals would use PGP. But we came to the decision that society is better off with strong encryption than without it, even though criminals would use it." 

PGP is a public-key encryption scheme without a supporting infrastructure of certificates and trusted authorities. It is a standalone product that depends on trust between users. 

Zimmermann said he originally began PGP "as a human rights project. I got the idea in the 1980s when I was a peace activist." The idea was to provide a tool to protect the privacy of organizations and individuals around the world who were being investigated by their governments. 

But the U.S. government banned the export of most encryption without permission, and accused Zimmermann of violating export controls when PGP was distributed worldwide. 

"We beat them in the 1990s," he said. "They tried to stop us domestically and with export controls, and we won." 

But he said civil liberties have begun to erode in this country since Sept. 11 and offered a warning to government officials in his audience: "Don't throw out the baby with the bath water in our zeal to stop terrorists." 

Despite concerns about civil liberties, Zimmermann doubts that government will make efforts to limit the use of encryption in the name of security. 

"I don't think that is going to reach critical mass in Congress," he said. "Things have changed too much" since the 1990s. 

Zimmermann said he is disappointed at the slow speed with which the public has adopted cryptography. Most people are not using standalone products such as PGP and other commercial software based on the OpenPGP standard to encrypt e-mail, he said. And efforts to establish large public-key infrastructures have failed. PKI makes sense in hierarchical organizations such as the Defense Department, which is deploying it with its Common Access Card, but it is proving too inflexible to be widely adopted elsewhere, Zimmermann said. 

The exception, he said, is in schemes such as Secure Sockets Layer, which transparently encrypts communications between browsers and servers. Zimmermann said such user-friendly schemes are the future of cryptography.
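Zimmermann's "trust between users" is an actual algorithm, the web of trust, and the contrast with a hierarchical PKI is easiest to see in code. The following is an added example, not code from the article, from PGP or from GnuPG: it computes which keys a keyring owner should treat as valid from the signatures on the ring and the owner-trust the user has assigned, using the threshold defaults GnuPG documents (one fully trusted introducer, or three marginally trusted ones, within five certification hops). The keyring is constructed.

```python
"""Key validity under the PGP web of trust, which has no certificate authority.

Added example, not code from the article, from PGP or from GnuPG. Thresholds
default to the ones GnuPG documents (completes-needed 1, marginals-needed 3,
max-cert-depth 5); the keyring below is constructed.
"""
from collections import defaultdict

# Owner trust: how far the user trusts a key's owner to vouch for other keys
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def valid_keys(signatures, owner_trust, completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key this user's keyring should treat as valid.

    signatures: (signer, signed) pairs; owner_trust: trust level per key, with
    the user's own key ULTIMATE. A key is valid once it carries certifications
    from enough already-valid keys whose owners are trusted introducers, and
    sits within max_depth certification hops of the user's own key.
    """
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        signers_of[signed].add(signer)
    valid = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    changed = True
    while changed:  # validity propagates outward, so iterate to a fixed point
        changed = False
        for key, signers in signers_of.items():
            if key in valid:
                continue
            full = marginal = 0
            depth = None
            for s in signers:
                if s not in valid or valid[s] >= max_depth:
                    continue  # unknown, invalid or too-distant signers do not count
                trust = owner_trust.get(s, NONE)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
                else:
                    continue  # a valid key whose owner is not an introducer adds nothing
                depth = valid[s] + 1 if depth is None else min(depth, valid[s] + 1)
            if full >= completes_needed or marginal >= marginals_needed:
                valid[key] = depth
                changed = True
    return valid


# Constructed keyring: who signed whose key, and whom the user trusts as an introducer
SIGNATURES = [("me", "alice"), ("me", "bob"), ("me", "carol"), ("alice", "dave"),
              ("bob", "erin"), ("carol", "erin"), ("dave", "erin"),
              ("bob", "frank"), ("alice", "grace"), ("frank", "heidi")]
OWNER_TRUST = {"me": ULTIMATE, "alice": FULL, "bob": MARGINAL,
               "carol": MARGINAL, "dave": MARGINAL}

if __name__ == "__main__":
    for key, depth in sorted(valid_keys(SIGNATURES, OWNER_TRUST).items()):
        print(key, "valid at depth", depth)
```

Nothing here needs a certificate authority: "erin" becomes valid through three marginally trusted signers the user chose to trust, "frank" does not because one marginal signature is not enough, and changing max_depth or marginals_needed changes the answer. A hierarchical PKI answers the same question with a single fully trusted root and a chain of certifications beneath it; the web of trust lets every user pick their own introducers, which is what makes it work without the infrastructure the article says PKI needs.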
*******************************
Government Computer News
07/30/03 
Kentucky shakes up systems after large-scale hacking 
By Wilson P. Dizard III 

Kentucky officials have reassigned some network management duties after discovering a "monstrous" systems intrusion in which hackers, apparently from France, used Transportation Cabinet computers to store large quantities of pirated movies, music, games and books. 

The state has shifted responsibility for the cabinet's routers to the Governor's Office for Technology. Auditor of Public Accounts Ed Hackett referred information about the hacking incident, as well his office's discovery of employees' use of state computers to access porn sites, to state and federal prosecutors. 

State officials met today to cope with the aftermath of the hacking incident, which began in April 2003, according to a statement from Hackett. 

State CIO Aldona Valicenti said her office is working with state auditors and Transportation Cabinet officials to preserve evidence that may be needed by prosecutors. According to the auditor's staff, the hackers may have committed the crimes of theft of services and illegal access to a state computer. 

B.J. Bellamy, CIO of Hackett's office, said the hackers had started penetrating a proxy server in the Transportation Cabinet on April 2, according to a log they left behind in the system. The hacking incident continued until late last week, Bellamy said, when computer specialists in the auditor's office discovered that the server had been penetrated. When the auditors realized the scale of the intrusion, he said, they discontinued their security audit work and informed the cabinet and the Governor's Office for Technology of their findings and recommendations on how to cope with the intrusion. 

"Part of those recommendations was to cut off the communication flow to the exploited services," Bellamy said. "The hackers had set up a File Transfer Protocol server to upload and download large files and an Internet relay chat bot," he said. "It was monstrous," Bellamy said, comprising many gigabytes of information. "Most of it was computer games, movies and that type of thing." 

Bellamy said the auditor's team realized that the hackers did their work from France because they left behind a log of their own activity that recorded French addresses. "Also the configuration files and some of the software were actually in French," he said. "There was also a note from the original hacker saying 'I was the one who did this.'" 
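The auditors found the intrusion by noticing services that had no business on a Transportation Cabinet proxy. An added example of that check, not the auditors' or GOT's tooling: parse a netstat-style listing of listening sockets and diff it against what a host of that role should expose. The role baseline, the listing and the program names are constructed; the FTP and IRC ports get a note because an FTP drop and an IRC bot are what this intrusion left behind.

```python
"""Diff a host's listening sockets against what its role should expose.

Added example, not the Kentucky auditors' or GOT's tooling. The role baseline,
the netstat-style listing and the program names are constructed.
"""
import re

# Listeners a caching web proxy is expected to have (assumed baseline)
BASELINE = {"web-proxy": {("tcp", 3128), ("tcp", 22), ("udp", 123)}}

# Ports worth a note on any server: an FTP drop and an IRC bot are what this intrusion left behind
SUSPECT_PORTS = {21: "FTP service: warez drop?", 6667: "IRC: bot command channel?"}

# One `netstat -tulpn` style line: proto, queues, local addr:port, foreign, optional state, pid/program
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp|udp)\S*\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?:LISTEN\s+)?(?P<prog>\S+)\s*$"
)


def parse_listeners(netstat_output):
    """Return (proto, bind address, port, program) for each listening socket line."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m["proto"], m["addr"], int(m["port"]), m["prog"]))
    return found


def unexpected_listeners(role, listeners):
    """Listeners outside the role's baseline, suspect ports first, each with a note."""
    expected = BASELINE[role]
    findings = []
    for proto, addr, port, prog in listeners:
        if (proto, port) in expected:
            continue
        findings.append({"proto": proto, "port": port, "bind": addr, "program": prog,
                         "note": SUSPECT_PORTS.get(port, "not in baseline")})
    findings.sort(key=lambda f: (f["port"] not in SUSPECT_PORTS, f["port"]))
    return findings


# Constructed listing of a compromised proxy host (not real output from any Kentucky system)
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      812/squid
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4121/ftpd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      4130/bot
udp        0      0 0.0.0.0:123             0.0.0.0:*                           590/ntpd
"""

if __name__ == "__main__":
    for f in unexpected_listeners("web-proxy", parse_listeners(SAMPLE_NETSTAT)):
        print(f"{f['proto']}/{f['port']:<5} {f['program']:<12} {f['note']}")
```

Two findings come back for the sample: an FTP daemon on 21 and a bot on 6667. Run across a fleet against a per-role baseline, and paired with a disk-usage check for the "many gigabytes" Bellamy describes, this catches a warez drop long before an auditor happens upon it.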

Valicenti said, "I would say this is definitely the most visible hacking incident" Kentucky has ever experienced. She said the lack of passwords to protect routers in the cabinet was one of the factors that allowed the incident to happen. 

GOT computer specialists will take over some tasks formerly carried out by cabinet employees, such as running the cabinet's routers, Valicenti said. 

"Obviously we didn't do as good a job of password protection as we should have," Valicenti said. 

"As of last Monday, July 21, we have put a whole new security architecture in place," she said. "GOT is going to manage all the state firewalls. ... These firewalls will be run centrally where we can monitor intrusions." 
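The root cause the CIO names, routers with no passwords, is checkable from configuration text. Below is an added example, not Kentucky's configurations or GOT's tooling: an audit that reads an IOS-style configuration (the syntax is assumed; the article does not say what the routers were) and flags a missing privileged-mode secret, lines with no login check, and clear-text telnet management. The two configs are constructed, one in the unpassworded state described above and one hardened.

```python
"""Flag missing authentication in router configuration text.

Added example, not Kentucky's configurations or GOT's tooling. The checks
assume Cisco IOS-style syntax ('enable secret', 'line vty', 'login',
'transport input'); the article does not name the router platform. Both
configs below are constructed, hashes included.
"""
import re


def audit_ios_config(config_text):
    """Findings for unprotected privileged mode, lines without a login check, and telnet."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = []
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("global: no 'enable secret', privileged EXEC has no password")
    has_users = any(l.startswith("username ") for l in lines)
    i = 0
    while i < len(lines):
        m = re.match(r"^line ((?:con|aux|vty)(?: \d+)+)$", lines[i])
        if not m:
            i += 1
            continue
        name, block = m.group(1), []
        i += 1
        while i < len(lines) and lines[i].startswith(" "):  # indented lines belong to this block
            block.append(lines[i].strip())
            i += 1
        if "no login" in block or not any(b == "login" or b.startswith("login ") for b in block):
            findings.append(f"{name}: no login check, the line goes straight to a prompt")
        elif "login" in block and not any(b.startswith("password ") for b in block):
            findings.append(f"{name}: 'login' but no line password set")
        elif "login local" in block and not has_users:
            findings.append(f"{name}: 'login local' but no 'username' entries to check against")
        # Assumed: a vty without an explicit 'transport input ssh' still accepts telnet
        transport = " ".join(b for b in block if b.startswith("transport input"))
        if name.startswith("vty") and ("ssh" not in transport or "telnet" in transport or "all" in transport):
            findings.append(f"{name}: telnet not disabled, set 'transport input ssh'")
    return findings


# Constructed: an edge router in the state the CIO described, no passwords anywhere
WEAK_CONFIG = """\
hostname tc-edge-1
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line con 0
 no login
line vty 0 4
 no login
 transport input telnet
!
"""

# Constructed: the same router with local accounts, a hashed enable secret and SSH only
HARDENED_CONFIG = """\
hostname tc-edge-1
username netops secret 5 $1$abcd$placeholderhashvalue
enable secret 5 $1$efgh$placeholderhashvalue
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ios_config(cfg) or ["no findings"])
```

The weak config yields four findings (no enable secret, no login on the console and vty lines, telnet open) and the hardened one none. The same walk extends to aux lines, SNMP community strings and HTTP management, which are the other places unauthenticated device management tends to hide.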

Mark Pfeiffer, director of public affairs for the cabinet, said, "We will take steps to remedy" the hacking problem. "We do dispute one claim the auditor made, that public records pertaining to driver's licenses and vehicle licensing could potentially be jeopardized." He said those records are on a different network. 

Pfeiffer said the auditor's staff found that between 30 and 35 computers owned by the cabinet had been used to access porn sites, which is a violation of state policy. "We already have an investigation to look into [those] possible abuses," he said. The cabinet has about 6,000 employees, Pfeiffer said.
*******************************
Government Computer News
07/30/03 

Security group issues compromise plan for vulnerability reporting 

By William Jackson 
GCN Staff

LAS VEGAS -- The Organization for Internet Safety has released a guide for reporting and responding to software security vulnerabilities, hoping to bring some order to the continual struggle between code makers and code breakers. 

The voluntary guidelines, available on the OIS Website at www.oisafety.org, are an effort to balance the public's right to know about possible problems against the need for vendors to correct those problems before they are made public. They call for: 


cooperation between the discoverer of a flaw and the software vendor 
a waiting period, typically 30 days, to let a vendor correct a problem before it is publicly announced 
a 30-day grace period to let users fix their systems before technical details that could help attackers are released. 

"I don't think it's going to be anything earth-shattering in the short term," said Scott Blake, vice president of information security for BindView Corp. of Houston and chairman of the OIS communications committee. "We're hoping to change the environment a little bit, codifying what a lot of people are already doing." 

Blake was in Las Vegas to take part in a panel discussion of the new guidelines at the Black Hat Briefings security conference. Other participants were Scott Culp, senior security strategist for Microsoft Corp.; Andre Frech, X-Force research team lead at Internet Security Systems of Atlanta; Rajiv Sinha, manager of security compliance for Oracle Corp.; Vincent Weafer, senior director of Symantec Corp. of Cupertino, Calif.; and Chris Wysopal, director of R&D for @Stake Inc. of Cambridge, Mass. 

The issue of vulnerability reporting has been a contentious one in security circles. Hackers assert that the only way to ensure that software makers fix problems is to publicly expose them. 

"Historically, they had a case," Blake said. Many software makers fixed holes only because "they got tired of being dinged in the press and by their customers." Much of the progress made in software security has been a result of hacker-exposed vulnerabilities. "But the hackers have been slow to realize we've won. It's time to stop hitting them with the stick." 

Blake gave major software makers good grades for their cooperation in fixing security problems, although some vendors still resist publicly acknowledging and addressing flaws. Over the past several years a consensus has developed that makers should be given a chance to fix problems before they are exposed. 

A case in point is a buffer overrun in the remote procedure call interface to Windows operating systems, which was announced earlier this month, Blake said. The Polish hacking group that discovered the problem contacted Microsoft privately and allowed the company to develop a patch before making the flaw public. 

But that does not mean the security-hacking community is in complete agreement on the process of notification. The OIS guidelines call for a 30-day grace period beginning with the release of the remedy, during which technical details are released "only to people and organizations that play a critical role in advancing the security of users, critical infrastructures and the Internet." 

Many in the community objected to what they see as favoritism that could put some users at a disadvantage because there is no way to ensure the details will not leak. 

?There are some who argue that giving out any information constitutes a public release,? Blake said. ?We tried, for the most part unsuccessfully, to avoid that criticism? in the guidelines, which allow but do not require the limited release of technical details. ?A lot of our critics ignore that distinction.? 

Blake said it is ?probably a false idea? that information released to a select group can be kept secret, citing the handling of the recent vulnerability in Cisco?s Internetworking Operating System. Cisco announced the flaw and released the patch to Tier 1 backbone operators three days before it planned to announce the flaw publicly, to give them a chance to fix their systems. 

"It leaked so much after the Tier 1 release that they moved up the public release date by 24 hours," Blake said. "They discovered that 3,000 people can't keep a secret." 

A related issue that Blake feels is inadequately addressed in the guidelines is how to deal with problems in software incorporated in products from many vendors. 

"This is a major problem in handling vulnerability information, because it means a large prerelease community sharing complex and dangerous information," he said. "We have not come up with any brilliant solution to this, because I don't think there is a brilliant solution." 

One issue not addressed at all is the role of government in the vulnerability reporting and response process. Government advisers have called public release of vulnerabilities irresponsible. Some indicated that government should play a role as an arbiter and disseminator of information. 

"We specifically excluded government from the drafting process because we wanted to limit it to the finders and the vendors," Blake said. "We also felt that involving the U.S. government would limit the document's international appeal." 

Although "OIS takes no position on the government's role in the process," many companies participated in creating the guidelines in the hope of avoiding government regulation, Blake said. 

A possible role for government is arbitrating disputes between the finder of a flaw and the software vendor when they disagree about the process to follow. 

"Government parties have indicated a desire to have a role as coordinators or arbitrators," Blake said. "We would be happy to have anyone step into those roles, government included."
*******************************
Government Computer News
07/30/03 
To ease asset tracking, DOD will use standard ID tags 
By Dawn S. Onley 

Starting tomorrow, all Defense Department program managers must tag new equipment with a standard and universal identification code to track the items they buy. 

Michael Wynne, acting under secretary of Defense for acquisition, technology and logistics, announced the new policy yesterday making it mandatory for Defense officials to mark tangible items with the ID tags. 

The Unique ID program will help DOD improve asset visibility and lifecycle management, as well as produce clean audit reports and assure interoperability across systems, the policy said. The code plan was designed to achieve "a globally interoperable network-centric architecture for the integrated management of tangible items," Wynne said in the directive. 

In turn, the ability to track assets DOD-wide will help the department in its drive to create a business enterprise architecture, according to the policy. 

"The DOD vision for unique item identification is to create a policy that establishes a strategic imperative for uniquely identifying tangible items that relies to the maximum extent practical on commercial item markings and does not impose unique government data requirements," the policy said. "To that end, uniquely identified tangible items will facilitate item tracking in DOD business systems and provide reliable and accurate data for management, financial accountability and asset management purposes." 

The Wide Area Workflow electronic forms, created by the DOD, will be modified to capture the codes associated with each item, Wynne said. 

The policy also establishes a joint implementation requirements board for the coding initiative. The board will focus on developing crosscutting business rules and integrated processes related to the use of the ID tags. 

To read the policy online, go to www.acq.osd.mil/uid/
*******************************
Government Executive
July 29, 2003 
Proposal would link agencies' funding to privacy protections 
By William New, National Journal's Technology Daily 

Sen. Ron Wyden, D-Ore., Tuesday introduced a bill that would make federal law enforcement and intelligence agencies' funding contingent upon reporting to Congress how they use citizens' private information. The measure also would prevent the use of that information for hypothetical counter-terrorist searches of commercial databases.

"I believe so strongly that it is possible to fight terrorism ferociously without gutting our civil liberties," Wyden said at a press conference. 

Wyden said the congressional investigation of the Sept. 11, 2001, terrorist attacks makes clear that the focus of intelligence agencies should be on more efficient use of information than on conducting "virtual goose chases." Under his bill, searches would have to be based on suspicion, a point emphasized by the American Civil Liberties Union.

Wyden said the measure, which would require the reports within 60 days of the bill's enactment, also is necessary to prevent people from mistakenly being subjected to investigations based on erroneous information or outdated terrorist watch lists. Wyden intends to push the legislation in September, possibly as part of an appropriations measure, according to a Senate aide. 

Wyden said he hopes the bill will enjoy the same kind of bipartisan support as similar language blocking funding for the Defense Department's Terrorism Information Awareness data-mining project. That Senate-passed language is part of the fiscal 2004 Defense appropriations bill now the subject of talks with House lawmakers. 

Civil-liberties advocates hailed Wyden's new bill. "It would for the first time provide baseline information on the kinds of information the government is using, how it's being used and what procedures, if any, are in place to ensure that some measure of fair-information practices apply," said David Sobel of the Electronic Privacy Information Center (EPIC).

Sobel said government use of private-sector databases has increased 9,600 percent in the past 10 years. "Increasingly in recent years, government is not always collecting and maintaining the information it relies upon," he said. 

"We all need to understand the scope of the problem before prescribing solutions," Sobel said. Since 2001, EPIC has been involved in a lawsuit with the Justice and Treasury departments over a Freedom of Information Act request it filed to learn more about government use of private data. The case is ongoing but has revealed information such as a $67 million government contract with the data-collection agency ChoicePoint, he said. 

Jerry Berman of the Center for Democracy and Technology said, "Serious privacy concerns arise when law enforcement and intelligence agencies rely on information that was originally collected for commercial purposes but no one even knows what data the government is buying from the commercial warehouses, the marketers and credit agencies."

Lisa Dean, Washington policy liaison for the Electronic Frontier Foundation (EFF), said the main provision EFF is concerned about "calls for accountability standards."

People for the American Way President Ralph Neas said, "The greatest victory for terrorists would be for us to undermine the Constitution and the Bill of Rights." The Free Congress Foundation also supports the bill.
*******************************
Government Executive
July 28, 2003 
Security officials discuss efforts to combat computer crime 
By Chloe Albanesius, National Journal's Technology Daily 

Research and development into cybersecurity is essential to combat computer crime, a security researcher said on Monday. 

"Computer crime is rising in scope," said Andrew Macpherson, the technical program coordinator for Dartmouth College's Institute for Security Technology Studies. "I don't think we have any way of quantifying computer crime [at this point]." 


To fend off cyberattacks, Macpherson and his technical analysis group at the institute have three projects in the works: intelligence reports on cybersecurity and the cyber capabilities of threat groups; an investigative contact list for cyberattacks; and a national R&D agenda for investigative tools and technologies related to such attacks.

"We're seeing a major shift in business' ability or desire to report computer crimes," Macpherson said. 


"There's not really any law on the books that tells companies to turn over [information about cyberattacks], except in California," said Trent Teyema, a supervisory special agent with the FBI's squad for criminal computer intrusions. 


"I like to call it the pain threshold," said Anthony Reyes of the New York City Police Department's unit on computer investigations and technology. "It depends on how much pain the companies can absorb" before they notify customers.


But failing to address vulnerabilities can open networks to terrorism, Macpherson said. "Terrorists are well aware of our prosecutorial thresholds," he said. "They do minor frauds but [do] many of them. Law enforcement has built its capability up in the past few years." 


"[Training] is definitely a catch-up game," Reyes said. "Fortunately with the advent of some of the electronic-crime task forces ... there is a lot of networking that is going on. I can personally call someone in every state and find someone who has a basic understanding of cyberattacks."

Macpherson said his organization's plans for a contact list will help with that effort. "We thought it would be based on personal contacts, but indeed those officers have rotated so quickly in the past nine months, it's now more profitable to have a more organizational picture." 


Still, "knowledge of tools is definitely not ubiquitous across law enforcement communities," Macpherson said. "This is another reason you want a [R&D] agenda out there. It provides scientists with detailed information and priorities when developing technologies for law enforcement."

The panelists do not believe federal legislation would solve the problem of cyber weaknesses. "The position recently [is] to avoid legislation and work with industry to self-regulate," Teyema said. "The states are being more aggressive and more restrictive than the feds." 


"Everyone's doing their own thing," Reyes said of the states. 


Teyema added that the most basic thing anyone can do if touched by cyber crime is to notify authorities. "Regardless of the intrusion, file a report," he said. "If you don't file a report, we don't know about it."
*******************************
Computerworld
Exploit code posted for Windows hole
At least three different versions of exploit code were posted on the Internet 
By Tom Krazit, IDG News Service
JULY 29, 2003

Several independent coding groups have posted code on the Internet that can allow hackers to exploit a previously disclosed vulnerability in Microsoft Corp.'s Windows operating system. 

The Windows flaw, which Microsoft rated "critical" when it was disclosed earlier this month, allows an attacker to take control of a Windows system through a buffer overrun in the RPC interface that handles Distributed Component Object Model (DCOM) requests. Microsoft released a patch for Windows NT, Windows 2000, Windows XP and Windows Server 2003 in security bulletin MS03-026. 

At least three different versions of exploit code have been posted on the Internet over the past few days, said Gunter Ollmann, manager of X-Force security assessment services for Europe, the Middle East and Africa at Internet Security Systems Inc. (ISS), which is based in Atlanta. Some of the code is "quite elegant" and can be run by just about anyone with a compiler and some programming savvy, he said. 

Versions of the code have been posted for both Linux and Windows, he said. 

The greatest threat to networks comes from individuals who use the code to create mass-mailer worms, the likes of which have created havoc on the Internet several times in recent years, Ollmann said. ISS hadn't detected any worms as of yesterday, but it had detected several attacks by hackers running the exploit code on their own machines, and the company expects a worm to appear shortly. 

Security administrators who are following the recommended guidelines for defending their networks against attacks should have nothing to worry about, said Marty Lindner, team leader for incident handling at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. 

Patches for the holes exploited by some of the worms that did the most damage to corporate networks, including the Nimda worm and the SQL Slammer worm, were available before those worms hit, Lindner said. But the worms still had a big impact because many administrators didn't follow best practices, such as applying security patches as soon as they are released and blocking unneeded ports at the firewall, among other things, he said. 
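The "block ports at the firewall" advice, made concrete. This is an added example, not code from the article, CERT, ISS or Microsoft. It reads constructed firewall log lines (the log format, addresses and internal ranges are invented for illustration), flags accepted inbound connections from outside the organization to the RPC/DCOM ports the MS03-026 bulletin asks perimeter firewalls to block, and, because a worm was expected, also flags internal hosts fanning out to TCP 135 on many external addresses. It goes slightly beyond the article by including UDP 1434, the SQL Server resolution port that SQL Slammer abused.

```python
"""Perimeter triage for the RPC/DCOM exposure behind MS03-026 (added example)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Ports to block at the perimeter, keyed by (protocol, port). The RPC/DCOM and
# SMB/NetBIOS entries are the ones the MS03-026 bulletin advises blocking;
# UDP 1434 (SQL Server resolution, abused by SQL Slammer) shows the same
# check covers other worm vectors.
BLOCK_AT_PERIMETER = {
    ("tcp", 135): "RPC endpoint mapper (DCOM, MS03-026)",
    ("tcp", 139): "NetBIOS session (SMB, can carry RPC)",
    ("tcp", 445): "SMB direct (can carry RPC)",
    ("tcp", 593): "RPC over HTTP",
    ("udp", 135): "RPC endpoint mapper (UDP)",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("udp", 445): "SMB direct (UDP)",
    ("udp", 1434): "SQL Server resolution service (SQL Slammer)",
}

# Address space treated as "inside" for this example (an assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Invented firewall log format: "<ts> ACCEPT|DROP proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class Event(NamedTuple):
    ts: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; malformed lines are skipped rather than raising."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["action"], m["proto"], m["src"], m["dst"], int(m["dport"]))


def perimeter_gaps(lines: List[str]) -> List[Event]:
    """Accepted inbound connections from outside to a block-listed port."""
    gaps = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.action != "ACCEPT":
            continue
        if is_internal(ev.src) or not is_internal(ev.dst):
            continue  # internal-to-internal or outbound traffic is not a perimeter gap
        if (ev.proto, ev.dport) in BLOCK_AT_PERIMETER:
            gaps.append(ev)
    return gaps


def exposed_hosts(lines: List[str]) -> Dict[str, Set[int]]:
    """Internal hosts reachable from outside on block-listed ports, with the ports."""
    exposure: Dict[str, Set[int]] = defaultdict(set)
    for ev in perimeter_gaps(lines):
        exposure[ev.dst].add(ev.dport)
    return dict(exposure)


def scanning_hosts(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Internal hosts that tried TCP 135 on >= threshold distinct external hosts
    (accepted or dropped): the fan-out pattern of a worm probing for targets."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.proto != "tcp" or ev.dport != 135:
            continue
        if is_internal(ev.src) and not is_internal(ev.dst):
            targets[ev.src].add(ev.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


# Constructed sample log: one exposed host hit on 135, one on 1434, then the
# exposed host starts probing outside addresses on 135.
SAMPLE_LOG = [
    "2003-07-29T10:15:02 ACCEPT proto=tcp src=203.0.113.7:4432 dst=10.1.2.3:135",
    "2003-07-29T10:15:03 DROP proto=tcp src=203.0.113.7:4433 dst=10.1.2.4:135",
    "2003-07-29T10:16:10 ACCEPT proto=tcp src=10.1.2.9:1055 dst=10.1.2.3:135",
    "2003-07-29T10:17:44 ACCEPT proto=udp src=198.51.100.20:1434 dst=10.1.5.8:1434",
    "2003-07-29T10:18:01 ACCEPT proto=tcp src=198.51.100.21:3388 dst=10.1.2.3:80",
    "2003-07-29T10:18:30 DROP proto=tcp src=10.1.2.3:1100 dst=203.0.113.50:135",
    "2003-07-29T10:18:30 DROP proto=tcp src=10.1.2.3:1101 dst=203.0.113.51:135",
    "2003-07-29T10:18:31 DROP proto=tcp src=10.1.2.3:1102 dst=203.0.113.52:135",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for host, ports in sorted(exposed_hosts(SAMPLE_LOG).items()):
        print(f"{host} reachable from outside on {sorted(ports)}")
    for host, n in scanning_hosts(SAMPLE_LOG).items():
        print(f"{host} probed {n} external hosts on tcp/135: possible worm activity")
```

The perimeter check says nothing about patch state: a host that never shows up here still needs MS03-026 applied, since the article's own warning is about e-mail attachments and unfirewalled VPN clients bringing the exploit inside the perimeter.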

Microsoft strongly urges all customers to download the patch, which will protect them against attacks launched against the DCOM vulnerability using the published exploit codes, said Stephen Toulouse, security program manager with Microsoft's Security Response Center. 

If a worm is released, corporations will be mostly threatened by code that is executed via e-mail attachments, or telecommuters who use virtual private network connections without firewalls to protect their home PCs, said Scott Blake, vice president of information security and international technical services at Bindview Corp. in Houston. 

Blake also is the chairman of the communications committee at the Organization for Internet Security (OIS). The OIS is a group of vendors, including Microsoft and Oracle Corp., that works to establish vulnerability reporting guidelines to minimize the posting of exploit code before software vendors have a chance to develop a patch, he said. 

In this case, the group that discovered the vulnerability, The Last Stage of Delirium Research Group, followed the OIS guidelines for reporting the vulnerability by holding onto its exploit code, Blake said. But since this vulnerability was particularly "juicy," several groups of coders rushed to discover their own exploit code, he added. 

"The OIS is under no illusion that we can stop people from finding the holes," said Blake. 

While there is nothing Microsoft can do to stop organizations from posting exploit code either, Toulouse noted that using that code to damage a company's network is a criminal act. "We continue to believe that the publication of exploit code is just not good for customers," he said. 

Versions of the code have been posted to Metasploit.com, Xfocus.org, and the Full Disclosure mailing list, Ollmann said.
*******************************