October 2000 ISSN 1361-3723
“Hackers cost the US Government $25 billion in 1999” see page 3
Editor: Chloë Palmer
American Editor: CHARLES CRESSON WOOD, Baseline Software, Sausalito, California, USA
Australasian Editor: BILL J. CAELLI, Queensland University of Technology, Australia
European Editor: KEN WONG, Insight Consulting, London, UK
Editorial Advisors: Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P.Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Silvano Ongetta, Italy; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand.
Correspondents: Frank Rees, Melbourne, Australia; John Sterlicchi, California, USA; Paul Gannon, Brussels, Belgium.
Editorial Office: Elsevier Advanced Technology, PO Box 150 Kidlington, Oxford OX5 1AS, UK. Tel: +44-(0)1865-843645 Fax: +44-(0)1865-843971 E-mail: [email protected]
Subscription Price for one year: (12 issues) US$617/1215NLG/£375 including first class airmail delivery subject to our prevailing exchange rate. Price valid to end of 2000.
Subscription Enquiries: Orders and Payments:
For customers residing in the Americas (North, South and Central America): Elsevier Science Customer Support Department, PO Box 945, New York NY 10010 USA. Tel: (+1) 212-633-3730 [Toll free number for North American customers: 1-888-4ES-INFO (437-4636)] Fax: (+1) 212-633-3680 E-mail: [email protected]
For customers in the rest of the World: Elsevier Science Customer Support Department, PO Box 211, 1000 AE Amsterdam, The Netherlands. Tel: (+31) 20-3853757 Fax: (+31) 20-4853432 E-mail: [email protected]
To order from our website: http://www.elsevier.nl/locate/compfraud
Publishers of: Network Security; Computers & Security; Computer Fraud & Security; Computer Law & Security Report; Information Security Technical Report
Big Brother watches Office

Chat rooms are buzzing with the news that MS Office documents can be tracked and even accessed using ‘web bugs’. A web bug is an image one pixel wide and one pixel high that is invisible to the average browser. The image is stored on a third-party server and each time the image is viewed, it can be tracked using the log file on that server. Such web bugs are used by banner advertisements in order to track the habits of an individual surfer over multiple sites; essentially the web bug phones home from each site it visits. This method of tracking works by using a cookie file.

The difference between web tracking and document tracking is that the web variety only captures an IP address and possibly a username. The MS Office security hole may reveal far more. It is not yet clear whether this discovery constitutes a security threat or merely a privacy invasion.

The Privacy Foundation, a privacy group, has released a ‘privacy advisory’ regarding web bugs and MS Office. Affected software includes Word, Excel and PowerPoint 2000, although any web-enabled application — by definition — is susceptible, not just those from Microsoft. Microsoft claims that the report is overstated and that Internet Explorer allows you to control the use of cookies so that a website can only put a cookie on your machine if you let it. Microsoft’s website now contains a FAQ on the issue and they have also brought out a patch for Internet Explorer that brokers the use of cookies.

The information from web bugs could have legitimate uses. For example, publishers could bug copyrighted text to track pirates, or public relations firms could bug their output to check if anyone has read it. It could also be used to detect and track leaks of confidential documents from a company. The real worry is the potential for illegal use of the information. Fears have been raised regarding the potential for hacker reconnaissance. A new wave of viruses in the form of macros attached to Word documents could potentially be engineered to send sensitive data to a hacker every time an infected document is opened.

Further information regarding the Privacy Foundation is available on www.privacyfoundation.org/advisories/advwordbugs.html. Information regarding Microsoft’s advice for dealing with the problem can be found at www.microsoft.com/technet/security/cookie.asp.
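A check for the one-pixel remote images described in the article above, as an added example that is not part of the original newsletter: it scans HTML (for instance a document saved as a web page) and reports images no larger than 1x1 pixel that are fetched from a remote host. The sample markup, host names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a document saved as a web page. Hosts are placeholders.
SAMPLE_HTML = """
<html><body><p>Quarterly report</p>
<img src="images/chart.png" width="1" height="1">
<img src="http://cdn.example.com/logo.gif" width="120" height="40">
<img src="http://tracker.example.net/b.gif?doc=4711" width="1" height="1">
<img src="//tracker.example.net/c.gif" style="width:1px; height:1px" />
</body></html>
"""

def dimension(attrs, name):
    """Pixel size from the width/height attribute or inline style, else None."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", attrs.get(name, ""))
    if not m:
        m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)\s*px" % name, attrs.get("style", ""))
    return int(m.group(1)) if m else None

class WebBugFinder(HTMLParser):
    """Collects (host, src) for remote images no larger than 1x1 pixel."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host is None:
            return  # relative path: served with the document, no third-party log entry
        w, h = dimension(a, "width"), dimension(a, "height")
        if w is not None and h is not None and w <= 1 and h <= 1:
            self.findings.append((host, src))

def find_web_bugs(html):
    """Return the list of (host, src) pairs for suspected web bugs in the markup."""
    finder = WebBugFinder()
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for host, src in find_web_bugs(SAMPLE_HTML):
        print(f"possible web bug: {src} (contacts {host})")
```

The local 1x1 image is skipped because it never contacts another server, and the normally sized remote logo is skipped because it is visible; only the two tiny remote images are reported.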
Contents

Marketing News
  Big Brother watches office  1
  The enemy within  2
  UK companies ignore online enquiries  2
  Pay-per-surf to be discontinued  2
  Internet bank eludes fraudsters  2
  Dutch tighten surveillance  3
  Chinese call for standards  3
  In cyberspace no one can hear you leave  3
  Putting security on the books  3

Hacking News
  Banks hacked on television  4
  Hackers to be hired by Feds  4
  Law firm suffers cloning  4

Virus News
  Worm targets children  4
  Who is watching your back in cyberspace  5
  Philippine legal loophole frees Love Bug creator  5
  Trojan targets Palm OS  5

Product News
  Hard-drive hygiene is key for corporate security  5
  Sonopress release hacker proof Safedisc  5

Company News
  IBM and Baltimore team up  5
  Sophos squashes seaside bugs  6
  TRUSTe breaches own privacy policy  6

Reports
  US privacy organizations sink teeth into Carnivore  6
  Mastercard delves into digital ID  7
  Democrats and Republicans on security and privacy: virtually no difference  8
  Online credit card fraud outpaces physical world  9
  Internet patents  10

Web Review
  A Storm you Really Need to Weather  11

Features
  Metatags — The Latest Developments  12
  An Unappreciated Reason Why Information Security Policies Fail  13
  Training for Cyber-War  14
  FBI’s Communications Surveillance Capabilities Widen  16

ShockwaveWriter
  If It’s Too Good To Be True, It Usually Is!  18

Events  20