
Clips December 9, 2003




ARTICLES

Spam Bill Passes House
Voting-Machine Makers To Fight Security Criticism
U.S. Edges Out Finland in Info Technology Rankings
Experts Worried After Worm Hits Windows-Based ATMs [Diebold]
Gov't Computer Security Lagging - Report

*******************************
Washington Post
Spam Bill Passes House
Tuesday, December 9, 2003; Page E02

The House gave final approval to a bill designed to crack down on billions of unsolicited "spam" e-mails, sending it to President Bush to sign it into law. The legislation, approved by the Senate two weeks ago, is the first federal move to fight spam. The bill sets fines and prison terms for sending unwanted e-mail that peddles pornography, virility pills or cheap loans. It would authorize the Federal Trade Commission to set up a "do-not-spam" registry similar to the "do-not-call" list the agency launched this year to enable consumers to block unwanted telephone sales pitches.
*******************************
Washington Post
Voting-Machine Makers To Fight Security Criticism
By Jonathan Krim
Tuesday, December 9, 2003; Page A02

Electronic-voting-machine companies announced yesterday that they are banding together to counter mounting concerns about whether their machines are secure enough to withstand tampering by hackers.

Although less than 20 percent of the nation's counties use electronic voting machines, their use is growing in the wake of the problems with punch-card ballots in Florida that threw the 2000 presidential election into turmoil. Last year Congress passed the Help America Vote Act, which provides funds for states and localities to modernize their election systems.

But several academic and cyber-security experts argue that the new machines, which let voters make their choices on video screens, have disturbing security flaws.

In July, researchers at Johns Hopkins University and Rice University identified potential security holes that would allow vote tampering in systems made by industry leader Diebold Election Systems Inc.

That report led Maryland state officials to delay purchasing $55 million in systems from Diebold, although Gov. Robert L. Ehrlich Jr. (R) ultimately decided to move ahead.

Critics argue that at minimum, the machines should be equipped to provide companion paper records of the votes as a check against simple malfunctions, someone commandeering the operating systems and voting multiple times, or causing others' votes to be lost.

Last month California said it would require a paper verification system.

The leading voting-machine companies, which argue that their systems are safe, have yet to put forward any proposals on addressing the concerns. But under the umbrella leadership of the Information Technology Association of America, the industry hopes to foster conversation that includes security experts, academics, local elections officials, and the National Institute of Standards and Technology, the federal agency overseeing technical standards.

"This is an inflection point in the history of voting in this country," said Harris N. Miller, president of the IT association and a former Democratic Party chairman in Fairfax County. "There's a certain amount of controversy . . . the companies have decided they want to deal with that controversy positively."

Bill Stotesbery, vice president of Hart InterCivic Inc., which has 25,000 machines in use in Virginia and several other states, said the electronic voting systems are not connected to the Internet, which would be a prime avenue for hackers.

He said his company and others have the capability to provide printed verification of an individual's vote, which would at least allow the voter to determine whether the machine properly recorded his or her choices.

But he said that many local jurisdictions have not yet demanded such a capability, nor have they prescribed technical standards. Paper printers could add $500 to the cost of each machine.

But the Johns Hopkins study, and others, said the systems could be compromised by preprogrammed "smart cards" that each voter uses to activate the machines, or other tampering.

Security experts also worry about mischievous insiders at the voting-machine companies. That fear was fanned when Walden W. O'Dell, chief executive of Diebold Inc., told Republicans in an Aug. 14 fundraising letter that he is "committed to helping Ohio deliver its electoral votes to the president."

The company also has angered critics by suing two Swarthmore College students who posted on the Internet internal Diebold memos indicating the company's awareness of security flaws.

A Diebold spokesman said the firm has dropped the legal action.
*******************************
Associated Press
U.S. Edges Out Finland in Info Technology Rankings
Mon Dec 8, 7:02 PM ET

GENEVA (Reuters) - The United States edged out Finland to become the top-ranked country for the way it uses information technology like the Internet to speed economic development, according to a report released on Tuesday.


The business group World Economic Forum said the United States led the 2003-2004 ranking of so-called 'networked readiness' from among 102 nations due to its advanced use of information technology in business and government.


"The country also remains the most innovative in the world, which has allowed it to maintain its leadership in the rankings over the last three years," the report said.


Singapore moved up the ranking to second from third last year, reflecting the success of its public-private partnerships to promote use of information and communication technologies.


Finland slipped to third place but continued to outperform other developed nations along with Nordic neighbors Sweden, ranked number four, Denmark at number five and Norway at number eight.


Another conclusion reached by the report's authors was that developing nations are narrowing the so-called digital divide between rich and poor countries.


Closing the divide is a goal of many developing nations who hope that economic growth can be fostered through the use of information technology, much the way IT spurred growth in industrialized nations like the United States.


Chad, Ethiopia and Haiti were at the bottom of the ranking.
*******************************
Reuters
Experts Worried After Worm Hits Windows-Based ATMs
Mon Dec 8, 7:55 PM ET
By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - Automatic teller machines at two banks running Microsoft's popular Windows software were infected by a computer virus in August, the maker of the machines said on Monday.

The ATM infections, first reported by SecurityFocus.com, are believed to be the first case of a computer virus wiggling directly onto cash machines.

Computer security experts predicted more problems to come as Windows migrates to critical systems consumers rely on.

An unknown number of ATMs running Windows XP Embedded were shut down during the spread of the so-called "Nachi" worm, said officials at Diebold Inc., which made the ATMs and refused to name the customers affected.

The Nachi worm, also called "Welchia," was written to clean up after the MSBlast, or Blaster, worm. Instead it crippled or congested networks around the world, including the check-in system at Air Canada. Both worms spread through a hole in Windows XP, 2000, NT and Server 2003.

In January, the SQL Slammer worm led to technical problems that temporarily kept Bank of America Corp.'s customers from their cash, but did not directly cause the ATM outage.

"It's a harbinger of things to come," said Bruce Schneier, chief technical officer of network monitoring firm Counterpane Internet Security.

"Specific purpose machines, like microwave ovens and until now ATM machines, never got viruses," said Schneier, author of "Beyond Fear." "Now that they are using a general purpose operating system, Diebold should expect a lot more of this in the future."

'HORRENDOUS SECURITY MISTAKE'

John Pescatore, an analyst at Gartner, agreed.

"It's a horrendous security mistake," he said, of specific-purpose machines like ATMs running Windows, written for general purpose computers and for which Microsoft Corp. releases security fixes on a regular basis. "I'm a lot more worried about my money than I was before this."

Diebold switched from using IBM's OS/2 on its ATMs because banks were requesting Windows, said Steve Grzymkowski, senior product marketing manager at Diebold.

"They have been asking us to ship ATMs with Windows because of the graphics capabilities. They want a common look between the ATMs and Web banking sites," he said. "Another advantage is they are familiar with Windows."

To help prevent future problems Diebold is shipping ATMs with firewall software designed to block out viruses and other attacks, he said.

"As far as it happening again, I wouldn't want to speculate on that," Grzymkowski said.

Schneier and Pescatore said they were worried about the security of other Windows-based Diebold appliances -- voting machines, which run Windows CE.

But a Diebold spokeswoman said the company's voting machines are not used on a network, so "that is currently not an issue."
*******************************
Internet Reports
UK Police Switchboard Swamped by iPod E-Mail Scam
Mon Dec 8, 1:27 PM ET

LONDON (Reuters) - Cambridgeshire police said on Monday a wave of phone calls from irate consumers swamped the police switchboard late last week and through the weekend after the department got hit by an e-mail hoax.


According to a statement posted on the Cambridgeshire Police Web site, a spam e-mail message surfaced last week alerting people that their credit card had been charged 399 pounds ($693) for a new Apple iPod portable music player.


To settle the matter, the e-mail advised, the recipient should ring a designated phone number -- the Cambridgeshire police switchboard, the police said in the statement.


"This appears to be a deliberate attempt to affect the service provided by the force," said Deputy Chief Constable Alan Given in the statement.


The message purported to come from a company called "UK Cards," police said.


The UK's new anti-spam legislation kicks in Thursday, slapping a 5,000 pound fine on anyone who sends unsolicited e-mail marketing messages to home-based Internet users.


The law has come under attack from anti-spam crusaders who argue the penalty is not severe enough to act as a deterrent.
*******************************
Washington Post
Gov't Computer Security Lagging - Report
By Brian Krebs
Tuesday, December 9, 2003; 10:00 AM

Most U.S. government agencies have not taken enough action to secure their computer networks this year despite a rapid proliferation of destructive Internet attacks, according to a report released today by a congressional oversight committee.

The Department of Homeland Security, which is in charge of a government program to strengthen Internet security, led the list of seven federal agencies that earned an "F" grade for their own network security efforts in 2003.

Also earning an "F" was the Justice Department, the agency charged with investigating and prosecuting many cases involving hacking and other forms of cybercrime.

The grades were determined by the House Government Reform subcommittee on technology, which has doled out many failing marks for federal agency cybersecurity since 1999 when former Chairman Stephen Horn (R-Calif.) raised concerns about computer security in light of the anticipated Year 2000 bug.

The dismal assessment of government computer security in 2003 comes at a time when Internet attacks are at an all-time high. Attacks increased by 40 percent in the first three quarters of this year, according to the CERT Coordination Center, a government-funded cybersecurity monitoring agency at Carnegie Mellon University in Pittsburgh.

Thirteen agencies improved their scores slightly this year, nudging the overall government grade up to a "D" from the "F" it received last year. NASA fared worse this year, dropping from a "D" to a "D-minus."

The computer security grades were based on data that federal agencies submitted to the White House Office of Management and Budget as required under a law passed in 1999 and renewed in 2002.

Agency scores were based on numerous criteria including system software security and employee training. Agencies also were graded based on how well they met established security procedures such as limiting access to privileged data and eliminating easily guessed passwords.

Despite the poor scores, several agencies made real progress in the past year, according to the report. For the first time ever, two federal agencies -- the Nuclear Regulatory Commission and the National Science Foundation (NSF) -- earned "A" grades. Last year's highest grade was a "B-minus," awarded to the Social Security Administration.

The NSF improved the most over the past year, up from a D-minus in last year's report.

Here is a partial list of other agency grades:

A or A-minus: Nuclear Regulatory Commission, National Science Foundation.

B or B-plus: Department of Labor and the Social Security Administration.

C-minus, C or C-plus: Agency for International Development, Environmental Protection Agency, Small Business Administration, departments of Commerce, Education and Veterans Affairs.

D-minus, D or D-plus: General Services Administration, NASA and the Office of Personnel Management, as well as the departments of Defense, Treasury and Transportation.

F: Departments of Agriculture, Energy, Homeland Security, Health and Human Services, Housing and Urban Development, Interior and Justice.
*******************************