Computers & Security (2005) 24, 263–270
www.elsevier.com/locate/cose
Security views

Malware update

Numerous MSN Messenger-based worms continue to surface. Several are mutants of the Bropia worm, whereas others are variants of the Kelvir and Sumom worms. The Kelvir and Sumom variants install a backdoor Trojan program, Backdoor.Rbot. The number of worms that spread through instant messaging (IM) continues to grow rapidly. Ten IM worms surfaced during the first month and a half of this year; this number is substantially higher than during the same period in 2004.

Fontal-A SIS, a Trojan horse that spreads via file sharing or Internet relay chat (IRC), recently emerged. It runs on Nokia Series 60 smart phones, attempting to install a corrupted file that causes infected phones to stop working the next time they are rebooted. It additionally corrupts the application manager, preventing the Trojan from being uninstalled. Phones infected by this Trojan need to be reformatted, which results in the loss of all data stored on them. The Mabir Trojan horse, which targets a wider variety of Series 60 smart phones than Nokias, also surfaced. This piece of malware replicates via MMS messages.

As happened several years ago, the number of new worms and viruses and the amount of damage that they do appear to be substantially declining. Why? Some think that the most successful worms and viruses have been written by only a few very prolific authors, several of whom have recently been arrested. Not only have the activities of the arrested authors been suppressed, but the arrests may also have scared other authors and potential authors away from writing and releasing self-replicating programs. Others claim that massive deployment of anti-virus measures such as virus walls and host-based anti-virus software has finally caught up with today's worms and viruses. Alternatively, perhaps the day of the conventional worm and virus, as represented by Netsky, Sobig, MyDoom and Beagle, is ending; IM worms and viruses may be the heirs apparent. Whatever the reason, it is once again time to catch a proverbial breath during the current lull in worm and virus activity. At the same time, however, it is important to realize that during this lull malware authors are devising new types of malicious code that are once again likely to catch the information security community by surprise.

0167-4048/$ - see front matter doi:10.1016/j.cose.2005.04.005
Update on the war against cybercrime

Csaba Richter, a Hungarian, faces industrial espionage charges for allegedly intruding into intranets owned by Sony Ericsson AB and Ericsson AB. Richter has stated that he hoped that Ericsson would be so impressed with his technical skills that they would offer him employment. He has already admitted to stealing documents from Ericsson.

After a long investigation, Scottish law enforcement has arrested 28 people on the grounds that they participated in identity theft schemes. The accused allegedly rummaged through trash, engaged in shoulder surfing to obtain personal information, and launched phishing schemes. Individuals lost almost two million GBP as a result of the identity theft activity.

Guillaume Tena, a French security researcher, has received a suspended fine of 5,000 euros because he posted proof-of-concept code for exploiting security flaws in an anti-virus product. He must pay the fine if he is found guilty of another offense within five years. The vendor of the anti-virus product, Tegam International, has also initiated a nine million euro civil suit against Tena.

UK police arrested an ISP employee on the grounds that he pilfered credit card information. The employee, who worked for Zen Internet, is accused of using the information he obtained to set up Internet gaming accounts that he subsequently sold.

Three men have admitted in a legal hearing that they were members of organized groups that have been selling illegal copies of video games. The arrests were the culmination of an international anti-piracy effort called "Operation Higher Education."

A student at the University of Arizona pleaded guilty to a felony charge for possessing illegal copies of intellectual property. Parvin Dhaliwal had stored digital copies of recent movies and music that may have been worth up to USD 50 million. He was sentenced to three months in prison, three years of probation, 200 hours of community service, and a fine of USD 5400. He must also enroll in a university course that covers copyright issues.

Brazilian law enforcement authorities have arrested suspected phishing ring leader Valdir Paulo de Almeida. A phishing ring allegedly run by him pilfered USD 37 million from bank accounts, primarily by using a Trojan horse program planted in victims' computers that sent emails containing personal information to the phishing ring. The compromised systems may have sent as many as three million emails daily.

David Jeansonne of Louisiana, who several months ago pleaded guilty to endangering public safety and damaging computing systems, has received a sentence of six months of imprisonment and was ordered to pay Microsoft USD 27,100. He sent out a Trojan horse that made WebTV customers' computing systems dial the 911 emergency number, causing false-alarm emergency services responses. Jeansonne must additionally serve a half-year of home detention in connection with a two-year supervised release plan.
A former IT manager who, after he was fired, broke into one of his former employer's computer systems, read email messages, erased data, and downloaded a proprietary database was recently sentenced to five months of imprisonment. Last year Mark Erfurt pleaded guilty to charges of unauthorized access to a Manufacturing Electronic Sales computer system and obstruction of justice for deleting backup tapes. He must also serve five months of home detention and three years of supervised release, and he must pay restitution of USD 45,000.

Daniel Baas, a former system manager for a company that performed data analyses for Acxiom Corp., received a sentence of 45 months of imprisonment for gaining unauthorized access to Acxiom's computer systems and for stealing Acxiom password files. He accessed files on a number of Acxiom systems, downloading them to disks at his house. There is no evidence, however, that he ever misused or shared the stolen information.

Law enforcement authorities in Estonia have arrested an as yet unnamed 24-year-old man on the grounds that he allegedly pilfered money from bank accounts. The suspect allegedly sent email that, once opened, installed malware on victims' systems. The email appeared to contain information concerning job opportunities, but the malware stole personal information such as account names and credit card numbers for use in identity theft attempts. Interestingly, this malicious code evaded detection by anti-virus software and deleted all traces of itself once it had gleaned the information that it was programmed to find.

Thanks to Microsoft, Jeffrey Lee Parson, the man who wrote a mutant of the MSBlaster worm, received a lighter sentence than he might have. Microsoft requested that he serve 225 hours of community service instead of having to pay a fine of USD 500,000 to Microsoft. Microsoft's request was granted. Parson's community service must not in any way involve using the Internet or computing systems. Additionally, he must still serve an 18-month prison sentence.

Two people have been charged with launching a denial-of-service attack against a business competitor. Jason Arabo of Michigan, one of the accused, allegedly hired an unnamed 17-year-old, the other defendant, to disrupt the Jerseyjoe.com Web site. The 17-year-old allegedly set up a botnet to do the damage, which unexpectedly spread out of control, eventually disrupting approximately 100 different Web sites. The financial toll was estimated at up to USD 2.5 million. Arabo faces as many as five years in jail and a fine of up to twice the amount of financial loss that the attack caused.
Sumitomo bank announced that perpetrators unsuccessfully attempted to steal GBP 220 million from some of its systems in London. The perpetrators used keystroke logging in an effort to transfer money to multiple accounts around the globe and then withdraw it. Yeron Bolondi was arrested by Israeli law enforcement authorities after he allegedly attempted to transfer nearly GBP 14 million into his own business account. He reportedly will face charges of money laundering and deception. Sumitomo bank later declared that it did not lose any money, but it would not offer more details until the current investigation is complete. The UK's National High Tech Crime Unit published an alert that cautioned large banks to be wary of the keystroke logging threat.

US-based games developer Valve suffered a compromise of the source code to the newest version of its game, Half-Life. A virus or worm installed a keystroke recorder program on the computer of the founder of this company.

The cybercrime-related story that most caught my attention this time was the one in which Microsoft recommended some degree of leniency in Jeffrey Lee Parson's sentence. What were Microsoft's motives for doing this? Perhaps Microsoft figured that Parson would never be able to pay a fine of USD 500,000. Or was Microsoft simply "trying to look like the good guy?" Whatever the motive, sentences for cybercriminals tend to be rather light in proportion to the severity of the crime; making things easier for criminals is thus not exactly doing the fight against cybercrime any good.

The story of the arrest of the 24-year-old Estonian man draws attention to the techniques that today's breed of cybercriminals are increasingly using. Tricking naïve users into opening attachments is nothing new, nor are malicious programs that anti-virus software cannot recognize anything out of the ordinary. What is instead noteworthy about this case is that the malware erased itself after it obtained what it was programmed to collect, something that would severely impede forensics efforts on systems in which this kind of software resided. I would, unfortunately, count on cybercriminals not only developing and using more software of this nature, but also on using an increasingly diverse set of methods for infecting systems with it.
Cybercrime legislation update

US legislators recently introduced the Anti-Phishing Act of 2005. This act would prohibit phishing and would prescribe a maximum prison term of five years and a maximum fine of USD 250,000 for individuals who create bogus Web sites with the intention of pilfering money, credit card numbers, and other personal and financial data. The current bill is comparable to one that did not pass last year, but it has some additional provisions. For one thing, it specifies the same penalties for pharming as for phishing. In pharming, perpetrators redirect users' browsers to bogus bank or e-business sites. Satire Web sites are exempt from the provisions of the Anti-Phishing Act.

US legislators have also proposed legislation that would restrict data brokers such as ChoicePoint concerning the types of personal data that they are allowed to gather and sell. These legislators have drafted the Information Privacy and Security Act, which would require the US Federal Trade Commission to define rules for data broker operations, including rules concerning securing personal data, provisions for people to determine whether their personal information is in the possession of data brokers, and methods for people to correct errors in their personal data. Reactions from representatives of several data brokers were mixed. On the one hand, they stated that they were in favor of data privacy legislation as well as national legislation mandating that corporations notify individuals whose personal data have fallen into unauthorized hands. Representatives also stated that they favored increased penalties for identity theft perpetrators. Additionally, they stated that they support an FTC proposal that would extend the data safeguard requirements of the Gramm-Leach-Bliley Act that pertain to financial institutions to also apply to data brokers. They asserted, however, that the methods they use are already regulated by the US Fair Credit Reporting Act, which enables people to examine their credit records and to ask credit agencies to make corrections.

Member of Parliament Derek Wyatt, who serves as Chairman of the All Party Parliamentary Internet Group (APIG), is trying to get the UK Computer Misuse Act updated to increase penalties for those who gain unauthorized access to systems and data and to make launching denial-of-service (DoS) attacks a crime. The mandatory jail sentence for unauthorized access to systems when no data modification or further malfeasance occurs would be boosted from six months to two years. The sentence for unauthorized access in which damage occurs would be increased to a maximum of five years of imprisonment.
States within the US are also considering new cybercrime-related legislation. Some of it, such as bills introduced in New Jersey and North Dakota, would put these states on par with California, which requires that residents of the state whose personal information has been compromised or may possibly have been compromised be promptly notified. In Missouri a bill that would regulate the unauthorized acquisition of electronic data has been introduced.

Additional much-needed legislation, however overdue, is on its way. The US legislation that would prescribe constraints on data brokers is particularly critical given recent events. The massive compromises of personal information at ChoicePoint (see story below) are undoubtedly only the tip of the iceberg; many other such widespread compromises are bound to surface soon. There is now serious doubt whether data brokers are committed to handling personal and financial information responsibly. One thing is for sure: without proper legislation, data brokers and other companies that gather and store data about people will continue to act as they have in the past. Getting effective anti-phishing legislation is also necessary; without it, those who perpetrate phishing schemes will be tried on the basis of statutes that do not specifically apply to phishing per se, making convictions more difficult to obtain. Additionally, it is good to see that efforts in the UK to expand the definition of computer misuse and to get more realistic punishment for it are underway. DoS attacks should not be taken lightly, after all; they are often more financially costly than breaches of confidentiality and integrity.
More personal and financial information compromises occur in commercial sector

The US General Services Administration (GSA) and the US Department of Defense will follow up on Bank of America's (BoA's) recent loss of backup tapes containing personal information belonging to over one million government employees by cooperating in a risk assessment effort that will evaluate BoA's security procedures. BoA asserts that it has improved its SmartPay backup procedures, but will not reveal how, on the grounds that disclosing such information might furnish would-be attackers with information that could aid an attack. The GSA will also evaluate the information security policies of four additional SmartPay contractors. A spokesperson for the GSA stated that it is trying to make certain that all information security policies are consistent with present industry standards.

Two San Jose Medical Group computing systems holding personal data of 185,000 current and prior patients were taken from a locked area of a computer room within the group's administrative offices. Names, addresses, confidential medical information, and SSNs were among the types of information on these systems. As in the case of the SAIC computer thefts several months ago, there is no evidence that the information has been misused or disclosed. Patients were cautioned to alert credit bureaus that their personal information may have fallen into unauthorized hands and also to carefully examine their credit reports to determine whether accounts or credit cards bearing their names were being used without authorization.

Elsevier announced a personal information theft within its LexisNexis Seisint division, which compiles and sells personal and financial data concerning US consumers to third parties such as collections companies and federal agencies. Over 300,000 individuals within the US were potentially affected; they were notified about the security compromise via letters. Stolen passwords were used to gain access to names, addresses, and SSNs; company databases were accessed without authorization nearly 60 times. Elsevier is cooperating with law enforcement to determine whether the pilfered information has been used fraudulently and is offering free credit reports and free one-year access to a credit monitoring service to all potentially affected individuals.

T-Mobile, a major mobile phone carrier, had a security breach that resulted in the publication of the personal information of celebrity Paris Hilton. Phone numbers of numerous Hollywood stars were also compromised.

Two security exposures in accounting firm PayMaxx's Web-based W-2 service exposed payroll records of 12 companies. Company employment data as well as W-2 forms for the last five years for more than 25,000 individuals were compromised. After six attempts to access these data were noticed, PayMaxx shut off access to the site. PayMaxx has announced that it will notify each company whose data were compromised.

How much more of this kind of thing can the public take? The number of incidents in which personal and financial data have been stolen and the number of individuals who are actually or potentially affected are becoming staggering. One might ask why the same kinds of incidents are not occurring in Europe. The reason is simple: as I have said in this issue's editorial, those who possess information about people are in many European countries held accountable for the care of this information. Without accountability, incidents of this nature will continue to proliferate.
ChoicePoint is under fire

ChoicePoint is facing a myriad of woes after this giant data brokerage announced that perpetrators who used stolen identities to create bogus businesses deceived some of its employees into divulging the personal and sensitive data of possibly up to 150,000 US residents. ChoicePoint is the defendant in a class-action lawsuit filed in a US District Court in California on behalf of individuals who purchased ChoicePoint stock between April 22, 2004 and March 3, 2005. This suit alleges that ChoicePoint management was cognizant that it was selling data to illegal companies, that its security controls were deficient, that security incidents such as this had happened twice before, and that the company had left more than 500,000 individuals vulnerable to potential identity theft. ChoicePoint also faces lawsuits over alleged violations of the US Fair Credit Reporting Act and California state law. Another lawsuit filed against ChoicePoint in Los Angeles Superior Court resulted from a woman's receiving one of ChoicePoint's letters informing her that the company had accidentally sold her personal information to identity thieves. This lawsuit will in all likelihood develop into a class-action suit against ChoicePoint. To make matters worse, ChoicePoint is also being investigated by the US Federal Trade Commission for possible failure to comply with federal information security laws and by the US Securities and Exchange Commission for possible insider stock trading violations by ChoicePoint's Chief Executive Officer and Chief Operating Officer. Finally, US legislators called for an investigation by the US Department of Homeland Security and the US General Accounting Office to determine how both terrorists and identity thieves could misuse information from commercial databases such as ChoicePoint's. The recent compromise of people's data was not the first such incident, either. In 2002, for instance, two men from Nigeria using bogus identities gained access to ChoicePoint's database and purchased USD one million in goods.

ChoicePoint is in a well-deserved world of trouble, just as Enron, WorldCom, and Arthur Andersen were several years ago after the facts concerning the way they conducted business surfaced. First, it is difficult to conceive how a company can (outside of motives of greed) justify collecting all kinds of data about individuals, especially when there is absolutely no consent on the part of the individuals whose data are collected. Perhaps more troubling, however, is the fact that the US government has up to now taken such a passive stance regarding the activities of data brokerages such as ChoicePoint, let alone companies in other parts of the commercial sector that wantonly collect, process and store personal data. One solution, to require adequate protection of such data, stands above all others. Additionally, establishing federal regulations that limit the types and amount of data about individuals that organizations can collect would also help considerably.
Personal information compromises at universities increase

A rash of compromises of personal information has been occurring at US colleges and universities. The theft of a portable computer at the University of California-Berkeley resulted in the personal information of over 98,000 individuals potentially being compromised. Affected individuals include those who attended this university's graduate programs between 1976 and 2004. Approximately 30 percent of the files on the stolen computer included birthdates, addresses, names and SSNs. The university is sending notification letters to affected individuals to comply with state law and has also created a Web site for people who are worried that their personal data may have fallen into the wrong hands.

A Boston College computing system that was used for fund-raising was also recently compromised. Although this college's management asserts that personal data were not stolen, the 120,000 alumni whose personal information may have been compromised will nevertheless be notified. Boston College plans to discontinue using SSNs as identifiers.

Recently, during a routine network security inspection, University of Nevada-Las Vegas (UNLV) IT technical staff found that an individual had gained unauthorized access to the Student and Exchange Visitor Information System (SEVIS). The SEVIS server held records for up to 5000 former and current international students. The US Citizenship and Immigration Services uses SEVIS to keep current information on international students who are not US residents, exchange students, and their dependents in connection with a US Department of Homeland Security program that tracks data on foreign student enrollment, visa status, number of courses taken, changes in address and name, and off-campus work. UNLV management has notified all students whose information was in the database of the security breach and has provided information concerning how to avoid identity theft.

California State University-Chico has notified nearly 60,000 individuals that the confidentiality of their personal information, including the names and SSNs of current, prior and potential students and current and prior staff and faculty, was recently compromised. University officials announced that SSNs will no longer be used to identify individuals.

What has happened at these colleges and universities is simply dreadful. Due to lax security controls at these institutions, hundreds of thousands of individuals are now vulnerable to identity theft. Information security at such institutions tends to be weak, largely due to fear that tightening the security of systems and networks will somehow interfere with the openness of the learning environment. Enough of all this idealism: it is well past time that these institutions get more serious about security. The security risks that colleges and universities fail to control affect not only students, faculty, and staff, but also huge numbers of alumni and donors.
Government initiatives address security

To assist federal agencies in conforming to the requirements of the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) released the final version of its security guidelines for protecting federal computers and the information they hold. These guidelines require government agencies to implement key security measures, policies, and procedures. The security controls recommended in these guidelines encompass 17 key issues, including user identification, user authentication, and security risk assessment. A primary goal of the guidelines is to assure the confidentiality, integrity, and availability of federal information systems that are not associated with national security interests.

Singapore initiated its Infocomm Security Masterplan to provide momentum for developing the manpower needed to manage the growing number of cyberthreats and to create an early warning system for cyberattacks. The country has granted SGD 38 million to establish the level of security necessary to prevent the country's computing capabilities from being disrupted in the event of attacks against them. This three-year program will involve cooperation between the National Infocomm Security Committee and the Infocomm Development Authority of Singapore (IDA). The program focuses upon entities such as the government, private companies, and the public; it will include enhanced training and certification to augment the skills of IT security professionals and to raise the general awareness of IT security among Singapore citizens. An information security monitoring center will continuously track security-related threats including viruses, worms, phishing scams, and unauthorized access attempts.

The US FDIC Board of Directors voted unanimously to direct US banks to alert customers of potential identity theft threats when the banks become aware of unauthorized access to sensitive customer information in which the information was misused or when there is a reasonable likelihood that misuse occurred. The Office of the Comptroller of the Currency and the Office of Thrift Supervision approved the vote, but the Federal Reserve Board must also approve it before the directive can go into effect. Customer alerts will have to describe the nature of the unauthorized access and the actions taken to protect customers, provide contact phone numbers, caution customers to be on the alert, and explain how to put fraud alerts in credit reports.

The government initiatives described in this news item seem like a big step in the right direction. I am especially impressed with Singapore's initiative, which prescribes a large number of measures to strategically improve security in that country. The FDIC's move to order banks to alert customers when customer information is compromised is another much-needed and long-overdue measure. At the same time, however, I seriously wonder whether enough is being done to really brace countries for the increasing number and intensity of cyberattacks that have been occurring and that will occur in the future.
Fingerprint sharing alliance created

Eighteen telecommunications equipment providers and network operators, including Deutsche Telekom AG, Earthlink, MCI, BT Group PLC, Cisco Systems, and NTT Communications, have established a Fingerprint Sharing Alliance through which they are developing an automated process for identifying and sharing attack profiles ("fingerprints") across service-provider networks. The primary goal is to deal more efficiently with network attacks such as worm, virus and denial-of-service attacks. Using technology and software created by Arbor Networks, the alliance members collect information from devices on their networks to establish statistical norms that are used to identify significant deviations. If a deviation points to an attack, the Arbor technology produces the fingerprint, which is automatically distributed to every alliance member. Each service provider's administrator can control the sharing and receipt of fingerprints.

Sharing fingerprints in the manner described in this news item is a brilliant idea. Each of the organizations that are part of this alliance has data concerning attacks and suspicious network events that is potentially very helpful to the others. An early warning, for example, helps some of these organizations to close their gateways or filter out certain kinds of traffic to stop specific types of new attacks. The fact that common technology is used and that fingerprint sharing is automatic will greatly facilitate the sharing process, too. Alliances between commercial entities are often short-lived, however. Will this alliance be successful and will it last? As with everything else, only time will tell.
AOL's terms of service for AIM are controversial

America Online (AOL) has recently made what superficially appears to be a small change to its terms of service for AOL Instant Messaging (AIM). This change may, however, be adverse to organizations that use this service. Many organizations use AIM@Work, which is based on AIM. AIM@Work features identity services that allow corporate email addresses to be used as AOL screen names, as well as services such as voice and Web-based conferencing. AOL's new terms of service give AOL the right to "reproduce, display, perform, distribute, adapt and promote" all content in connection with AIM that is transmitted across the network by users. Users also waive their right to any privacy, and any content posted by individuals allows AOL and other related companies to reproduce, display, perform, distribute, modify, and promote the content using any medium. Although AOL's terms of service state that users are the owners of any content that goes over AIM, these terms also describe instances in which AOL could be the owner of products derived from user-created content. These terms may or may not apply to organizations that pay for AIM@Work services. These changes in AOL's terms of service apply to individuals who have downloaded AIM software on or after February 5, 2005.

There are at least two ways of viewing the recent change in AOL's terms of service for AIM. One view is that AOL has not really done anything very much out of the ordinary in changing its terms of service. After all, when an Internet user posts information on a public discussion Web site, the information becomes available to many others who can copy and use it in many ways. Additionally, stating that users have no right to privacy is a very common practice that helps users more carefully gauge what they do when they use a network and/or system. On the other hand, this change is to the best of my knowledge unprecedented among ISPs. AOL appears almost predatory in declaring its right to essentially do what it wants with AIM content. AOL could help in determining which view is correct by offering an explanation to its users. In the meantime, I think that I will continue to avoid using AIM altogether.
Microsoft releases the first Windows Server 2003 service pack

Microsoft recently released Service Pack 1 (SP1) for Windows Server 2003, almost two years after this operating system was released. SP1 features include a built-in firewall, Network Access Quarantine Control components to isolate out-of-date virtual private network connections, and a Security Configuration Wizard that harvests data related to the functions of servers and blocks unnecessary network services and ports. Although SP1 contains hotfixes that have already been released, Microsoft has advised those who have kept their systems up to date with patches to install SP1 anyway because it deals with the root causes of particular types of attacks that were not addressed by the previous patches. Microsoft has also attempted to address the concern of application compatibility by testing more than 125 applications with SP1; this software giant has announced that it will soon post the test findings on its Web site. Windows Server 2003 SP1 was originally slated to be released in the second half of 2004, but work on SP2 for Windows XP delayed its release.

The fact that an SP for Windows Server 2003 did not appear for two years after the release of this operating system stands in stark contrast to the situation that occurred with Windows 2000: Microsoft actually announced an SP for that operating system even before it was released. Is security in Windows operating systems thus getting better? I would offer a guarded "yes." Microsoft developed Windows Server 2003 in accordance with its Trusted Computing Initiative, an ambitious effort to incorporate security engineering methods into this operating system while it was being developed.
Although there have been more than a few security-related vulnerabilities in this product, the number of vulnerabilities after two years is, to the best that I can determine, less than in previous Microsoft operating systems such as Windows 2000 and Windows XP.
Google is testing new phishing protection

Google is testing new phishing protection for Gmail, its free Web-based email service, that alerts users to potential email phishing attacks. If a user opens a suspicious message, Gmail displays a dialog box that says: "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information." Additionally, Gmail removes live hyperlinks from suspect HTML-based emails so that users cannot click through to potentially harmful Web sites; users who want to see where a link actually points can still view the message's original source, a feature Gmail provides. Gmail also offers its users a conspicuous "Report Spam" button. Any message that is reported as spam is moved to a separate folder, and Google's anti-spam routines are notified as well. Google deserves a proverbial round of applause. When the "Googlability" security issue discussed in my editorial in the previous issue of Computers and Security surfaced, Google took steps to reduce the dangers that its search engine posed. Now Google is providing some level of protection against phishing for its email users. Google is not only setting an example for other ISPs and email providers; this company is also in many ways setting a trend that other Internet-dependent organizations are likely to follow.
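The link-stripping behaviour described above can be illustrated with a small parser. The following is an added example written for this column; it is not Google's code and does not describe how Gmail actually decides that a message is suspect. It implements one common heuristic (visible link text that names a different host than the href it is attached to) and neutralises every anchor in a constructed sample message so that nothing remains clickable while the real destination stays visible to the reader. The sample message, the `defang` function and the `LinkDefanger` class are all constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a bare domain or URL, e.g. "www.example-bank.com".
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def _host(url):
    """Lower-cased host of a URL; a scheme is assumed if the text has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkDefanger(HTMLParser):
    """Rewrites an HTML mail body so that no <a href> survives.

    Each anchor becomes its visible text followed by the real destination in
    brackets, so the reader still sees where the link pointed but cannot click
    it. Anchors whose visible text names a different host than the href are
    recorded in `suspicious`, a classic phishing tell.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.suspicious = []
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # visible text collected inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif self._href is None:
            self.out.append(self.get_starttag_text())
        # formatting tags nested inside an anchor are dropped

    def handle_startendtag(self, tag, attrs):
        if self._href is None:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            if URL_LIKE.match(text) and _host(text) != _host(self._href):
                self.suspicious.append((text, self._href))
            self.out.append(f"{text} [link removed: {self._href}]")
            self._href = None
        elif self._href is None:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        else:
            self.out.append(data)


def defang(html):
    """Return (rewritten_html, suspicious_links) for one HTML mail body."""
    parser = LinkDefanger()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.suspicious


# Constructed sample message (not a real phishing email): the visible text
# names the bank's host while the href points at an unrelated IP address.
SAMPLE = (
    "<html><body><p>Dear customer,</p>"
    "<p>Please verify your account at "
    '<a href="http://203.0.113.7/login">www.example-bank.com</a> within 24 hours.</p>'
    '<p>Questions? <a href="http://www.example-bank.com/help">Click here</a>.</p>'
    "</body></html>"
)

if __name__ == "__main__":
    rewritten, flagged = defang(SAMPLE)
    print(rewritten)
    for shown, real in flagged:
        print(f"visible text {shown!r} actually points at {real!r}")
```

The rewritten body keeps the destination in plain text, which is the same trade-off the column describes: the user loses one click of convenience but can still inspect where a link would have taken them.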
Government workers issued access cards

Government employees in the Washington, DC, area are being given Radio-Frequency Identification (RFID) Department of Homeland Security (DHS) Access Cards (DACs) designed to provide secure physical access to restricted areas, secure logins to government computing systems, and much more. In addition to combining biometric data with radio tags for authenticating all types of access (physical, wired, and wireless), DACs incorporate high-resolution images of the persons to whom they are issued as well as hard-to-duplicate holographic images. The key identifier stored on the DAC is a record of each individual's biometric signature that can be read by devices connected to DHS computing systems. Rather than simply entering a user name and password, DHS workers log in to their systems by inserting their DACs into a special keyboard and then placing a finger on the keyboard's fingerprint reader. The keyboard authenticates them by comparing the live fingerprint to the fingerprint record stored on the card. Approximately 40,000 of the new cards are being issued to DHS employees and contractors this year, but the DHS is merely one of numerous US agencies responding to a Presidential directive (Homeland Security Presidential Directive 12) that requires new ID cards intended to thwart terrorists and suited to rapid electronic authentication. Use of fingerprint records renders the DAC more secure than previous ID card technologies because authentication covers both the card and the person to whom it has been issued, not possession of the card alone. Wireless communications add to ease of use. The DAC's RFID chip, as well as its Bluetooth-enabled holder, could, however, expose it to interception by hostile parties. The DHS will also use Faraday-cage shielding and metal billfolds, which have been proposed as controls for the RFID chips in electronic passports, to protect the confidentiality of DAC data between transactions. The threat of passive eavesdropping grows with every RFID transmission, so transmissions between the DAC and reader devices are encrypted to prevent anyone intercepting the wireless communications from reading the transmitted data. The RFID DACs that are being used are, more than anything else, an intriguing experiment, and one with excellent justification. Virtually every information security professional understands the immense dangers of relying on passwords for authentication. The RFID DACs promise to be a considerably more secure authentication method than conventional password-based authentication. I am not sure whether RFID DACs are the ultimate security solution, but they are potentially so much better than passwords that the benefits of using them are very likely to outweigh the costs that are involved.

Eugene Schultz
Editor-in-Chief
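Appended worked example for the access-card item above (added here; it is not part of Schultz's column and is not the DAC's actual protocol, which the column does not describe). It shows why a passive eavesdropper matters for a contactless credential and what a nonce-based challenge-response with a card-held key buys: a recorded frame from a card that simply emits a static identifier is itself a credential, whereas a recorded challenge-response exchange is useless to replay and never carries the key. The card identifier and key are constructed sample values, and the reader holding a copy of each card's symmetric key is an assumption made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (assumption for this illustration): one card identifier
# and a per-card symmetric key provisioned into both card and reader at issuance.
CARD_ID = b"DAC-0000042"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class Eavesdropper:
    """Passive listener on the air interface: records every frame, can replay later."""

    def __init__(self):
        self.captured = []

    def observe(self, frame):
        self.captured.append(frame)
        return frame


# --- Weak design: the card emits a static identifier and the reader trusts it ---

class StaticIdReader:
    def __init__(self, issued_ids):
        self.issued_ids = set(issued_ids)

    def accept(self, frame):
        return frame in self.issued_ids


def static_id_demo():
    """Returns (legit_ok, replay_ok). Both are True: the captured frame is the credential."""
    air = Eavesdropper()
    reader = StaticIdReader([CARD_ID])
    legit_ok = reader.accept(air.observe(CARD_ID))   # card broadcasts its identifier
    replay_ok = reader.accept(air.captured[0])       # attacker replays the recording
    return legit_ok, replay_ok


# --- Better design: fresh nonce from the reader, MAC computed with a card-held key ---

def _mac(key, card_id, nonce):
    return hmac.new(key, b"DAC-AUTH|" + card_id + b"|" + nonce, hashlib.sha256).digest()


class Card:
    def __init__(self, card_id, key):
        self.card_id, self.key = card_id, key

    def respond(self, nonce):
        # The key never leaves the card; only a MAC over the reader's nonce goes over the air.
        return self.card_id, _mac(self.key, self.card_id, nonce)


class ChallengeReader:
    def __init__(self, keys):
        self.keys = dict(keys)        # card_id -> key (assumed reader-side key store)
        self.outstanding = set()      # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, nonce, card_id, tag):
        if nonce not in self.outstanding:   # stale, replayed or fabricated challenge
            return False
        self.outstanding.discard(nonce)     # each challenge is usable exactly once
        key = self.keys.get(card_id)
        if key is None:
            return False
        return hmac.compare_digest(_mac(key, card_id, nonce), tag)


def _flatten(frames):
    for frame in frames:
        if isinstance(frame, tuple):
            yield from frame
        else:
            yield frame


def challenge_response_demo():
    """Returns (legit_ok, replay_ok, key_leaked): expected (True, False, False)."""
    air = Eavesdropper()
    card = Card(CARD_ID, CARD_KEY)
    reader = ChallengeReader({CARD_ID: CARD_KEY})

    nonce = air.observe(reader.challenge())
    card_id, tag = air.observe(card.respond(nonce))
    legit_ok = reader.accept(nonce, card_id, tag)

    # Attacker replays the recorded exchange, both as-is and against a fresh challenge.
    fresh = air.observe(reader.challenge())
    old_nonce, (old_id, old_tag) = air.captured[0], air.captured[1]
    replay_ok = reader.accept(old_nonce, old_id, old_tag) or reader.accept(fresh, old_id, old_tag)

    # Nothing that crossed the air interface contains the card's key.
    key_leaked = any(CARD_KEY in frame for frame in _flatten(air.captured))
    return legit_ok, replay_ok, key_leaked


if __name__ == "__main__":
    print("static identifier (legit, replay):", static_id_demo())
    print("challenge-response (legit, replay, key leaked):", challenge_response_demo())
```

The example deliberately leaves the card identifier in clear in both designs; a listener can still learn which card is present, which is the tracking concern that shielded holders address between transactions, while the challenge-response stops the recording from being turned into an entry credential.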