FTC investigates wireless privacy


However, whether spurious or not, the denial-of-service hype is certainly not as bad as last year’s effort with Y2K… The advisory is available at www.npic.gov/warnings/advisories/2000/00-063.htm.

Indian teens to police Net

India’s National Cyber Cop Committee has chosen to be advised by 19 hackers aged between 14 and 19. President of the National Association of Software and Service Companies, Dewang Mehta, told a New Delhi news conference, “If you want to catch a hacker, you need the brains of a hacker.” He boasted that the teenagers had told him they could crack the Indian defence ministry website in a matter of five minutes. “They will tell us where our soft spots are — where Government and industry websites are most vulnerable, thus helping us strengthen our E-security,” said Mehta. Although too young to have a thorough grounding in engineering, the teenagers are said to be technically adept, bright and creative individuals. None of them has a criminal record. The youths will advise the panel, which will in turn teach police and the authorities how to differentiate between various forms of cyber-attacks. The committee will also devise ways of protecting government websites from hackers. Mehta said, “Hacking, spreading viruses are much bigger criminal offenses in cyber-terrorism than pornography.” The youths were recruited after several of them came forward to report security holes in Government systems. They will not be paid for their services, but will be recommended for security jobs when they have finished their education. The youngest, 14, is still at school.

STANDARDS NEWS

Security on scale of 1 to 10

A new security group, the Center for Internet Security (CIS), is starting out by developing a benchmarking system to rate systems security on a scale of one to ten. A rating of ten means your servers are impermeable while a rating of one means they are an open invitation to the unscrupulous. Alan Paller from CIS — as well as director of research at SANS — explained, “Our members are just saying that they would like to see global benchmarks.” The ratings are due out in March 2001 and will cover Windows 2000, Linux and Solaris. But there has been early criticism from some pundits. Weld Pond from @stake warns, “It finds only well known problems in the most mainstream of software”. He explains that the idea is analogous to that used for assessing the security of safes — a number representing the number of hours it would take an expert cracker to break in — but is unsuitable for the complexities of computer security. However, Weld Pond believes that the consciousness raising resulting from the standard can only be a good thing. Paller commented that the government and banks are keen to adopt such a benchmarking system and so, “The centre’s work is a guide that people will use.” Applications for the CIS ratings include governments prescribing standards to financial institutions, or insurance firms’ assessments when providing insurance against cybercrime. The CIS was formed on 1 November and its membership, 71 institutions, is very impressive. It includes the Department of Defense, National Institute of Standards and Technology, AT&T, Visa and Intel. System vendors have not been invited to become involved because of fears that they might “hijack the process,” according to Paller. Visit the CIS website at www.cisecurity.org.

Wireless devices are under the spotlight as the Federal Trade Commission (FTC) is now trying to determine the personal privacy implications of the technology. The FTC held a workshop in December with the aim of learning about the privacy, security and consumer protection issues raised by M-commerce. A major bone of contention is the ability of wireless devices to gather location-specific information in great detail. “There are huge, looming privacy issues in the wireless space because of the collection and aggregation of new information,” said Alan Davidson of privacy group, the Center for Democracy and Technology.

There is wrangling over whether disclosure of location information should be ‘opt-in’ (you must specify that you want the information to be given out) or ‘opt-out’ (data will be given out unless you say otherwise). A spokesman from privacy group, the Electronic Privacy Information Center, said, “We seem to be moving toward an agreement...that the standard should be ‘opt-in’.” This seems to be in the public interest. The FTC agrees that there should be some standard, but made it clear that they “are very big fans of self-regulation...it makes our lives easier,” said Joel Winston from the FTC’s consumer protection arm. Sobel argued that in the past regulation has not “worked all that well”, and that there should be imposed standards. On the other hand, marketers raised the point that if users choose to utilize a personalized, targeted service they should be able to do that. They warned that without appropriate information, there is a risk of spamming. The newly formed Wireless Location Industry Association said, “A consumer simply isn’t going to use a system or a service that they can’t trust.” They argue that this gives businesses the incentive to protect privacy. Consumers do tend to use services without weighing up the privacy implications. Interestingly, federal law now requires 95% of handsets to be capable of broadcasting location by December 2005. This rule is to enable ‘911’ callers to be easily found by the emergency services.