
Computers & Security (2004) 23, 3-11

www.elsevier.com/locate/cose

Security views

0167-4048/$ - see front matter doi:10.1016/j.cose.2004.01.004

New US bill to tighten security of electronic voting systems

A new US bill, the Voter Confidence and Increased Accessibility Act of 2003, proposes substantial changes in electronic voting. It would require that electronic voting machines supply paper receipts to allow voters to verify that they have voted, allowing manual audits if needed. Additionally, it would allow voters to correct any errors made by electronic voting systems and would ban the use of wireless devices in transferring votes from polls to election centers. The use of undisclosed programs in electronic voting systems would also be forbidden; all software and hardware would have to be certified by accredited laboratories. Finally, under the provisions of this proposed law the source code of any program in such systems would have to be available for public inspection.

Having witnessed and learned of so many security-related incidents over the years, I worry about security in computing systems in general. Given the number of vulnerabilities that have been identified in critical systems such as the ones that control and tally voting, I am even more concerned about the potential consequences of security breaches in these systems. A few states and organizations within the US have analyzed and tried to remedy security-related concerns in these systems, but others have simply ordered and deployed voting systems without analyzing security (or the lack thereof) in them. Until very recently the US government has for the most part taken a laissez-faire stance toward the voting systems used by states and local governments. No solution geared towards addressing security and other concerns on a national level had emerged until the Voter Confidence and Increased Accessibility Act of 2003 was drafted. This bill promises to put into place the comprehensive measures needed to provide far better assurance of the security and reliability of these systems.

US federal-industry security alliance

Federal and industry officials are cooperating on US Department of Homeland Security (DHS) initiatives with a plan recently introduced at a National Cyber Security Summit held in California. The plan creates five joint federal/industry task forces under the auspices of the National Cyber Security Division within the Information Analysis and Infrastructure Protection (IAIP) Directorate of the DHS to secure the US against cyberattacks. These five task forces will focus on: (1) security awareness for home users and small businesses, (2) developing early warning capabilities, (3) complying with best practices and standards through corporate governance, (4) developing technology, tools, and practices that facilitate complying with best practices and standards, and (5) infusing security throughout the entire software development life cycle. The task forces have been given a March 1, 2004 deadline to develop specific measures to be implemented under DHS supervision.

As I am sure you are aware by now, I am skeptical of the chances that any cybersecurity effort undertaken by DHS, including the new federal/industry task force initiative, will be successful. As Marcus Ranum has so eloquently said in his recent book, The Myth of Homeland Security, DHS was created for all the wrong reasons, it cannot possibly achieve what its charter says it should, and it is employing a flawed approach in its cybersecurity efforts. At the same time, however, some of the foci of this new initiative, particularly developing early warning capabilities and concentrating on security during the software development life cycle, make a good deal of sense to me. Can DHS this time turn the corner, so to speak, or will it smother yet another of its efforts with more bureaucratic bungling? Only time will tell.

Cybersecurity bill opposed by business

Chairman of the US House of Representatives Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee, Representative Adam Putnam, proposed a bill called the ‘‘Corporate Information Security Accountability Act of 2003’’ to reduce the risk of cyberattacks that could result in blackouts or the unauthorized release of private financial information. Momentum for this legislation grew after worms that shut down computer systems around the world spread across the Internet last summer. Two worm infections happened while a power blackout crippled the Northeast US in August. The blackout was unrelated to the worm outbreak, but its results drew further attention to the possibility of terrorist attacks over the Internet. Experts, many of whom have testified in hearings before Putnam’s subcommittee, have said the systems at which this bill was aimed are extremely vulnerable to attack. Earlier, Richard Clarke, the former chairman of the President’s Critical Infrastructure Protection Board, had called for Congressional action on a specific standard that the US Securities and Exchange Commission (SEC) could use to measure and enforce corporate cybersecurity efforts. Modeled on the SEC’s response to the Y2K changeover in computer systems, which required companies to fix those problems and report regularly on their progress, the bill would have required all publicly traded companies, including utilities, banks, and other business sectors, to conduct computer security assessments and report the results to the SEC. The companies would have been required to file annual plans for closing security gaps and continuing operations in case of computer breaches. To determine the appropriate security for various IT systems, companies would also have been required to inventory their critical IT assets, provide an annual risk assessment, spell out their risk mitigation strategy and incident response and business continuity plans, delineate company policies and procedures for reducing security risks to an acceptable level, and test security controls and techniques to ensure their effectiveness. Business groups argued that they did not want another version of Y2K compliance rules, saying that the SEC is not equipped to write rules governing computer security. Technology groups stated the rules would be outdated even before taking effect. The bill was shelved after companies that opposed this approach offered to work on another plan that would tighten security but involve less government oversight.

The proverbial butting of heads between government and industry never seems to cease, as shown by the ongoing debate over possible US government regulation of cybersecurity within the commercial sector. Both sides are acting predictably (and also, from the perspective of their own interests, very rationally). The US government worries about the cybersecurity problems within critical sectors of industry that comprise a weak link in the national infrastructure. Industry, on the other hand, wants to avoid the cost, amount of paperwork, and interference that it fears government regulation would cause. Frankly, I doubt whether the US government is currently sufficiently prepared to regulate industry when it comes to information security because (with a few exceptions in several agencies) the government does not seem to be able to secure its own systems all that well. If and when government agencies consistently receive ‘‘A’’ and ‘‘B’’ marks on security audits, it will be time for the government’s position on cybersecurity regulation of industry to be taken more seriously. In other words, the US government needs to stop saying ‘‘do as I say, not as I do.’’

Survey reveals huge differences in approaches to security across Europe

In a survey of European firms, McAfee found major differences in how firms on the continent deal with malware, hacker attacks, and spam. It found that French and German firms are most prepared to deal with these problems, but the UK leads the way among nations that see good security as a way of enabling business processes. McAfee warned that many European firms are doing little more than reacting to virus and worm outbreaks instead of adopting measures that prevent future incidents. Forty-eight percent of the European firms questioned see security as little more than fixing the security breaches that viruses, worms and malicious hackers attempt to exploit. Many firms were doing little to tackle the newest type of multivector attacks known as ‘‘blended threats;’’ 30% of European firms have no technology in place to address these threats. In the UK and the Netherlands, more than 40% of firms are doing nothing about blended threats. According to McAfee, French, German and Swedish firms were best prepared. These different figures are at least partially related to language differences: many viruses and worms are written to attack only English-language computing systems. The steady growth in the number of viruses and worms in the wild and the havoc they cause have forced some organizations to adopt inadequate practices for dealing with security problems. Many of the technology managers who responded to the survey do little more than react to each virus and worm outbreak or attack. According to McAfee, firms need to break this pattern and instead determine how to protect what is important to their business and devote the time and effort to realistically project just how dangerous future novel attacks are going to be.

I suspect that although the McAfee survey focused on Europeans, very similar results would be obtained if this survey were administered anywhere else in the world. With the main exception of the financial sector in numerous countries around the world, the state of the art of the practice of information security is simply not as advanced as it needs to be to deal with today’s security threats. Organizations tend to ignore security-related risk because it does not seem applicable to them or because they have other, higher budget priorities. Sadly, many organizations appear to find doing little proactively but investing considerable time and resources in reacting to security-related incidents to be more palatable (albeit almost certainly not more cost-effective).

Member of Senator Hatch’s staff put on leave during hacking investigation

US Senate Judiciary Committee chairman Orrin Hatch of Utah has placed one of his staff members on paid administrative leave as a result of an investigation involving the possible theft of memos from the systems of two Democratic senators. According to Hatch’s statement, the investigation began late last year, after Hatch consulted with the Senate sergeant-at-arms in addition to Senators Patrick Leahy of Vermont and Edward Kennedy of Massachusetts. That action followed assertions from Kennedy and Senator Dick Durbin of Illinois that memos were pilfered from their servers and then were subsequently leaked to the media. The memos allegedly describe the Democratic strategy to thwart the confirmation of several of President Bush’s judicial nominees. A week later all potential data regarding the alleged break-in had been preserved and two federal prosecutors had interrogated approximately 50 people regarding the incident. An outside company is conducting forensic examinations to determine if there was any unauthorized access to 14 documents. Hatch wrote that he hopes the forensic examination will determine who had access to the files of both Democratic and Republican members of the Senate Judiciary Committee. Interviews conducted by federal prosecutors revealed that committee files were compromised by a member of the Judiciary Committee majority staff. In addition, a former majority committee staff member may also have been involved.

Interestingly, this is the third time in a year that a controversial information security-related news item concerning Senator Hatch has surfaced. At one point Mr. Hatch proposed confiscating computers used in downloading copyrighted music, something that generated a great deal of outrage among the US public. Shortly afterwards, Mr. Hatch’s Web site contained a link to a pornographic site, something that was removed shortly after the news media discovered it. Now one of Mr. Hatch’s staff is suspected of breaking into computers used by leading Senators of the opposition party. The truth concerning what has happened will hopefully surface and the staff member(s) under investigation either will be absolved of wrongdoing or, if guilty, will have to face the consequences of the law. But the thought that staff members of a government might stoop so low as to access computers without authorization is appalling, something that Mr. Hatch and other committee chairpersons need to address as a very high priority issue. Could this be the next Watergate-type scandal? It will be interesting to see how this ugly incident unfolds.

Cybercrime arrests and convictions on the rise

Numerous arrests and convictions for violation of computer security-related laws have occurred recently. Here are some of the more notable cases:

• Joseph McElroy, an 18-year old UK university student, pled guilty to charges of illegally accessing computer systems at Fermi National Accelerator Laboratory near Chicago, Illinois. He said he broke into the compromised computers to download movies and music. His sentence may include a restitution payment of up to £21,000.
• Helen Carr has pled guilty to federal conspiracy charges for running a phishing operation in which she sent bogus email requesting verification of account and other information to obtain bank account and credit card numbers to misuse later. The Ohio resident, who may get as many as five years of prison, was arrested after she sent one of her emails to an FBI agent.
• A teenager from Brisbane, Australia is the first person to face charges under the Australian Criminal Code Act 1995. He is under arrest on the grounds that he gained unauthorized access to an Australian ISP’s and also a UK university’s computer systems. Information supplied by the ISP led to the charges filed against him.
• Edward Krastov was arrested in California for stealing computers from the office of a Wells Fargo Bank employee, an act to which he has confessed. The computers stored customer account data and other types of personal information, but according to the bank the pilfered information has not been misused.
• Kenneth Patterson admittedly broke into American Eagle Outfitters computers to glean and then make public login names, passwords, and details concerning how to break into the computers, and also launched denial-of-service attacks against the computers. An ex-employee of this company, he was sentenced to one and a half years of jail time and was also ordered to pay restitution of $64,000.
• Frans Davaere of Belgium was convicted of charges that he hacked five Web sites. He had to pay a fine of €15,000 and restitution of €35,000; he also received a one year suspended jail sentence.
• A resident of Pennsylvania pled guilty to enticing children to visit pornographic Web sites by setting up sites with similar but slightly misspelled Internet domain names as those of widely known children’s sites. He also confessed to possessing child pornography. He is expected to serve between 30 and 37 months in prison under the terms of a plea bargain negotiated with prosecutors.
• Michael Luebbe of Ohio received a five-year prison sentence after he admitted to using computers to download photos and videos that showed adults sexually abusing young children.
• Five men were arrested for using the Internet to try to lure children into having sex with them. They were caught when they approached undercover law enforcement agents who posed as children. Some of the suspects allegedly sent pornography to the agents.
• Fourteen people in Phoenix were arrested in connection with Operation Predator, a crackdown program designed to protect children from sexual predators on the Internet and to stop child pornography.
• A 27-year-old Boy Scout leader from Indiana was charged with attempting to engage in unlawful sexual conduct with a 14-year-old boy whom he met in a chat room. The man allegedly drove to Ohio to engage in sexual acts with the boy.
• Spanish police have arrested a Spaniard who is the suspected author of the Raleka worm, which exploited a bug in the Remote Procedure Call (RPC) service in Windows 2000 and XP. This worm infected at least 120,000 computers last year. This is the first arrest of its kind in Spain.
• Daniel Baas of Milford, Ohio admitted in federal district court that he accessed computers owned by Acxiom Corporation without authorization and then pilfered customer data. He faces a possible prison term and a restitution payment.
• Six UK men who pled guilty to bilking UK banks (including the Halifax and Co-operative Bank) out of £350,000 via the Internet received jail sentences totaling 15 and a half years. The six men created false identities and then used them in opening bank accounts, negotiating overdraft payments, and applying for credit cards. The UK’s National Hi-Tech Crime Unit (NHTCU) performed the investigation and made the arrests.

Arrests and convictions in the cybercrime arena occurred at an unprecedented rate over the last few months. Could this be evidence of a new trend, one in which both law enforcement agencies and the court system pursue cybercriminals more competently and vigorously than ever before? Possibly. But remember, also, that recent cybercrime-related legislation in several countries has expanded the range of acts defined as illegal and increased penalties for violation of cybercrime statutes. Perhaps legislative advances are also part of the reason for the increase in arrests and convictions. Whatever the reason(s), the growing number of arrests and convictions should send a message to the black hat community as well as sexual predators that computer crime results in punishment, a message that has been barely (if at all) heard up to now.

Operation Cyber Sweep targets on-line fraud

Officials of the Internet Fraud Complaint Center, a joint project involving the FBI, the US Department of Justice, and the National White Collar Crime Center, said that 125 people have been arrested or convicted and that 70 indictments have been served in a coordinated nationwide enforcement operation designed to crack down on on-line fraud. The operation, known as Operation Cyber Sweep, was coordinated with numerous federal, state, local, and foreign law enforcement agencies. The investigation targeted a variety of on-line economic crimes that involved schemes including fraud, software piracy and the fencing of stolen goods. As part of the effort, ClearCommerce Corporation, a founding member of the Merchant Risk Council, a group of merchants fighting on-line fraud, provided information to the FBI about online criminals that took advantage of some of its members’ customers as well as their methods of perpetrating on-line fraud. Since Operation Cyber Sweep began, investigators have uncovered more than 125,000 victims who have incurred losses of more than $100 million.

On-line fraud very frequently preys upon the gullibility of users who comply with instructions in messages they receive without realizing that it is extremely unlikely that credit card companies and banks would ever use the Internet to contact customers about problems with their accounts. It would be nice to think that at some point home users and others will become less naïve and will accordingly not comply with the instructions in such messages, but I will not hold my breath. Users are the hardest of all groups to reach when it comes to information security awareness. Massive law enforcement efforts such as Operation Cyber Sweep are the best hope of bringing on-line fraud perpetrators to justice. Additionally, this news item further attests to the fact that genuine progress in the war against cybercrime is occurring.

Legitimate music swapping tried at universities

The fight between the Recording Industry Association of America (RIAA) and individuals who download and play copyrighted music on the Internet recently took an interesting twist. Two universities, Penn State University and the Massachusetts Institute of Technology (MIT), initiated special programs to allow their students to download music legally. Penn State has partnered with Napster on-line music to allow students to listen to songs with the consent of the recording industry; Penn State will pay fees of approximately $10 per student per semester for the use of this music. This university will then recoup these fees out of student technology fees that students already must pay. Students who download songs to MP3 players or CDs must pay an additional fee of $1 for each song, however. MIT attempted to use its cable TV system to allow students to play songs, but discontinued doing so after unexpected copyright concerns surfaced. MIT is working with the recording industry to find a way to reinstate its ‘‘music through cable TV’’ service to students.

Although the problem of copyrighted music being downloaded illegally is by no means limited to university campuses, a significant portion of the problem exists within this arena. Several universities have simply blocked peer-to-peer file sharing altogether, something that solves the legal problems associated with downloading music without authorization, but that also is unpopular among students. What Penn State has done and what MIT is trying to do seem like a better all-around solution to the problem; the recording industry will collect revenue that it otherwise would have lost, universities will not have to worry about lawsuits over copyright infringement, and students will be able to listen to all the on-line music they want via the Internet. Other universities (and possibly also ISPs) would do well to consider Penn State’s solution as a model for dealing with on-line music copyright issues.

Security issues keep Microsoft in the spotlight

According to securityfocus.com, a number of Diebold cash machines running on Windows XP fell victim to the MSBlaster and Welchia worms. According to Diebold the cash machines had to be shut down for an extended period of time. Believed to be the first case in which worms have infected cash machines, this incident led information security experts to predict more troubles of this variety as more critical systems are implemented on Windows operating systems. Concern over the MSBlaster worm and other security issues has reportedly caused a sharp drop in Microsoft’s unearned revenue (money taken in for software deals that span future quarters) in the most recent quarter. Although some drop in unearned revenue was expected, the decline, more than $700 million, was more severe than expected. While the security issue and its likely impact on this quarter’s bookings is important, the bigger issue is whether Microsoft will be able to get the companies that signed up for long-term deals to renew their contracts. Whether or not such deals are signed is heavily tied to overall corporate spending, and Microsoft could be hurt if an expected increase in software expenditures fails to materialize. Analysts say that the company is starting to see profits from its consumer businesses, something that has helped to offset what appears to be the negative effect of the security issues associated with this software giant’s products.

In a new cooperative effort with law enforcement to find the identity of authors of worms, viruses and other malicious code, Microsoft has created an anti-malware reward program that offers $5 million in rewards, a kind of ‘‘bounty hunter’’ program. The initiative’s first two bounties ($250,000 each) are for information leading to the arrest and conviction of the people responsible for writing and releasing the MSBlaster and Sobig worms. The Welchia variant of MSBlaster, intended to protect machines against the original worm, was so prolific that it shut down entire networks. The Sobig.F worm spread through email, turning infected systems into mail engines that sent out floods of messages. Two suspects have been arrested so far for modifying and releasing minor variations of the MSBlaster worm, but law enforcement has not yet named any suspects in connection with the Sobig worm. Microsoft said the rewards are open to residents of any country, subject to the laws within individual countries. According to the rules of Microsoft’s reward program, anyone with pertinent information concerning worm authorship needs to report it to law enforcement.

Forgive me for repeating myself, but the ultimate leverage in the struggle to get software vendors to develop more secure, less vulnerability-ridden software is in the hands of consumers, who have the choice of buying or not buying a vendor’s software, based on their security standards and requirements. If a vendor continually produces vulnerability-plagued software and if consumers buy less of this software, the vendor will eventually get the point. This appears to be happening, at least to some degree, with Microsoft. If the drop in Microsoft’s unearned revenue is in fact closely connected with consumer worry over security in Microsoft’s products, Microsoft will eventually catch on and do something about it. Meanwhile, Microsoft’s latest tactic, curiously, is to create a ‘‘bounty hunter’’ program that is ostensibly geared towards punishing those who generate a great deal of media attention by writing the malware that capitalizes upon vulnerabilities in Microsoft’s (but apparently not other vendors’) products. I wish this program much success, but the number of individuals capable of writing malware who believe that law enforcement will never find them is enormous. And, perhaps more importantly, the program will not and cannot address what is really wrong in the first place: inadequate security engineering of the code that this software giant produces.

Success stories in dealing with spam and malware According to a spokesperson for the M.D. Anderson Cancer Center at the University of Texas, the hospital and research institution’s 13,000 employees would have received up to 25,000 spam messages per day had it not been for a spam-prevention service implemented earlier this year. In June 2003 alone, the service detected and blocked enough spam to account for more than half of all the messages received. The spam threatened not only network performance, but also worker productivity. With estimates that it costs the medical center about $1 for each unwanted mail message that gets through to computer users and since the Houston medical center receives about 620,000 spam messages during an average month, successfully blocking them theoretically frees up $620,000 for other activities. The University’s experience provided a business case for buying security products, such as network- and server-level anti-virus and anti-spam software from Trend Micro and a Webbased vulnerability-detection tool called WebInspect from SPIDynamics. The Trend Micro anti-virus package, which cost $150,000 plus $20,000 in annual maintenance fees, is stopping thousands of worms and viruses each month from reaching the medical center’s computers. Trend Micro’s anti-spam product, which segregates suspected junk mail from legitimate mail, cost about $100,000 plus $20,000 in annual maintenance fees. And, according to the University, the $100,000 SPIDynamics product, which detects Web page vulnerabilities before they affect servers and desktops, paid for itself in three months. According to one estimate, spam cost US businesses $10 billion in 2003dthe result of lower productivity, loss of legitimate messages and the need for increased bandwidth and storage, considering that it costs US companies $874 per employee per year in lost productivity, based on hourly pay of $30 and a work year of 2080 h. 
Worms and viruses were also a problem for the University, which was being hit by at least one serious worm and/or virus attack every month. Based on what it cost to clean up the Nimda worm outbreak in September 2001, worm and virus cleanup costs were estimated to be about $1 million per outbreak. The newly implemented security technologies now provide the ability to detect weaknesses before an attacker

Security views does, prevent denial-of-service attacks, and prevent server compromises that can cost hundreds of thousands of dollars to repair. The technologies have also freed the IT staff from having to manually identify system weaknesses to let them focus on more productive efforts. To prevent the rapid spread of spam and worm and virus-laden mail messages, TeliaSonera, a telecommunications group in the Nordic and Baltic regions, is blocking Internet traffic to and from computing systems that send junk email or spam. The company will block all Trojan-infected PCs without warning. TeliaSonera is the first ISP in Europe to adopt such far-reaching measures. This ISP emphasized that it is not blocking computers permanently and that it will offer assistance to solve the problem and then remove any blocks afterwards. Whether TeliaSonera’s efforts will be successful against worms and viruses that massively infect Internet-connected systems remains to be seen, given that it is not practical to block huge numbers of these systems. Since March, TeliaSonera has used the Mail Abuse Prevention System (MAPS) to block email from known senders of electronic junk mail. In addition, TeliaSonera plans to introduce general protection against worms and viruses in both incoming and outgoing mail, as well as protection against spam in email addressed to receivers outside its network. At the request of the Federal Trade Commission, a US District Court has issued a temporary restraining order against Anish Dhingra and Jeffrey Davis, two officers of D Squared Solutionsda San Diego, California, company that sent a torrent of Windows Messenger Service pop-up spam. The FTC describes the operation as ‘‘self-serving,’’ because the ads often promoted software to block pop-up spam. D Squared discovered how to send ads through the Messenger Service in a variety of Windows systems as long as users were logged on to the Internet, even if their browsers were not in use. 
The firm allegedly sent torrents of spam notices as often as every 10 min to some users. Some of the repeated, unwanted pop-up spam notices were attempts to induce the consumers to pay the defendants to stop the bombardment. Through its Web sites, such as Blockmessenger.com, Defeatmessenger.com, or Fightpopups.com, D Squared sold its pop-up blocking software for $25-$30. So far, most ISPs have blocked only Internet traffic to certain PC-specific ports, such as the ports used in gaining remote access to Windows shares. A UK-based ISP named NTL started blocking incoming traffic bound for port 135, which is utilized by the Windows Remote Procedure Call (RPC) service, a vulnerability that was exploited by the recent MSBlaster and Welchia worms. AOL has adopted a considerably different strategy in that it is actually disabling users' Microsoft Windows Messenger service to stop spammer pop-up boxes and also to protect users against a security flaw in the service that is still being exploited by MSBlaster and Welchia. This ISP uses a script to turn off the Windows Messenger Service and then block the associated ports when a user logs on to its network. If users want to enable this service, they can either do it themselves or go to an AOL site that uses another program to do it for them. AOL also has a special site where users can click on a single button to have this service turned off. So far, at least 15 million AOL users' Windows systems have reportedly had the feature turned off. Finally, AOL UK has been bombarded with spam originating from countries other than the UK. Realizing that its legal options within the UK itself are limited, AOL UK is preparing to initiate legal action against an individual in another country who has been unusually persistent in flooding its UK customers with spam.

I love information security success stories and find the ones in this long news item intriguing for several reasons. Lew Wagner of the University of Texas has served as an exemplary role model for information security professionals by showing in precise financial terms how return on investment (ROI) measures can be used to justify security solutions (in this case, anti-spam and anti-malware solutions) that were deployed where he works. Although some may quibble with the exact dollar values he derived, these values are at least reasonable and believable (and almost certainly more credible with Mr. Wagner's management than the all-too-common hand-waving justifications that all of us have used at times).

Additionally, it is encouraging to find that ISPs are starting to adopt proactive security measures, measures that will protect their customers as well as others from large numbers of Internet-based attacks. Windows RPC traffic over the Internet is inherently unsafe, so NTL's decision to block the main port associated with this service makes a great deal of sense. If other ISPs follow suit, worms that exploit vulnerabilities in this service will be far less successful than were the MSBlaster and Welchia worms. The Microsoft Windows Messenger Service (not to be confused with IM, instant messaging) is not only inherently unsafe but also annoying, as evidenced by all the pop-up spam that is sent via this service. AOL's decision to turn this service off in its customers' machines is truly a brave one (civil libertarians have already cried foul), but it is by no means a necessary service. Additionally, at least this ISP provides instructions for how to turn this service back on if users choose to do so. Finally, AOL UK's decision to carry out legal action against someone outside of the UK is another bold and far-reaching decision. The outcome of this case is likely to set a precedent for other international cases involving the transmission of spam.
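The two kinds of inbound port-135 abuse this item describes, worm-style RPC sweeps over TCP and Messenger-service pop-up spam over UDP, look alike at the edge (one outside host touching many customer hosts) but differ by protocol. As an added illustration, not code from the column or from any ISP, the following script runs that distinction over constructed firewall log lines. The log format, the customer address range (203.0.113.0/24), the sweep threshold and the Messenger UDP port list (135, 137, 138) are assumptions for the example.

```python
"""
Added example (not from the column): spotting inbound port-135 sweeps in
constructed firewall log lines and labelling them by protocol.

Constructed log format: timestamp, source IP, destination IP, protocol, dport.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: one outside host sweeping 135/tcp across customer
# addresses (MSBlaster/Welchia pattern), another sending UDP datagrams to
# the Messenger service ports (pop-up spam), plus ordinary traffic.
SAMPLE_LOG = """\
2003-11-02T10:00:01 198.51.100.7 203.0.113.10 tcp 135
2003-11-02T10:00:01 198.51.100.7 203.0.113.11 tcp 135
2003-11-02T10:00:02 198.51.100.7 203.0.113.12 tcp 135
2003-11-02T10:00:02 198.51.100.7 203.0.113.13 tcp 135
2003-11-02T10:00:03 198.51.100.7 203.0.113.14 tcp 135
2003-11-02T10:00:05 192.0.2.33 203.0.113.10 udp 135
2003-11-02T10:00:05 192.0.2.33 203.0.113.20 udp 137
2003-11-02T10:00:06 192.0.2.33 203.0.113.30 udp 135
2003-11-02T10:00:06 192.0.2.33 203.0.113.40 udp 138
2003-11-02T10:00:07 203.0.113.50 203.0.113.51 tcp 135
2003-11-02T10:00:08 198.51.100.9 203.0.113.10 tcp 80
"""

CUSTOMER_NET = ip_network("203.0.113.0/24")   # constructed "inside" range
RPC_TCP_PORTS = {135}                          # Windows RPC endpoint mapper
MESSENGER_UDP_PORTS = {135, 137, 138}          # assumed Messenger-service pop-up ports

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (tcp|udp) (\d+)$")


def parse_line(line):
    """Parse one constructed log line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "dport": int(dport)}


def is_inbound_rpc_like(ev):
    """True for flows an edge 'block inbound RPC/Messenger' rule would drop:
    external source, customer destination, RPC or Messenger port."""
    if ev["src"] in CUSTOMER_NET or ev["dst"] not in CUSTOMER_NET:
        return False
    if ev["proto"] == "tcp":
        return ev["dport"] in RPC_TCP_PORTS
    return ev["dport"] in MESSENGER_UDP_PORTS


def find_sweeps(log_text, min_targets=3):
    """Group in-scope flows by source; label sources that reached at least
    min_targets distinct customer hosts, TCP sweeps separately from UDP spam."""
    targets = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_inbound_rpc_like(ev):
            targets[ev["src"]][ev["proto"]].add(ev["dst"])
    findings = {}
    for src, by_proto in targets.items():
        if len(by_proto["tcp"]) >= min_targets:
            findings[str(src)] = "rpc-exploit-sweep"
        elif len(by_proto["udp"]) >= min_targets:
            findings[str(src)] = "messenger-popup-spam"
    return findings


if __name__ == "__main__":
    for src, label in sorted(find_sweeps(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```

Traffic between two customer hosts (203.0.113.50 to .51 above) is deliberately out of scope: an edge block like NTL's only sees the Internet-facing side, which is exactly why the author argues it stops worms arriving from outside but is not a substitute for patching.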

Cisco, anti-virus software companies team to protect networks

Developed jointly by Cisco Systems and anti-virus software companies Network Associates, Symantec, and Trend Micro, a new Cisco Network Admission Control program addresses security risks from employees who log onto corporate networks via broadband connections from their home PCs or via wireless connections from handheld devices. The Cisco program helps prevent malware infections by enabling routers to enforce access privileges when a remote computer attempts to connect to a network. Noncompliant devices are denied access, quarantined, or allowed only limited access to network computing resources. The program also enables routers to evaluate whether a particular computer's anti-virus definitions are sufficiently updated and whether its operating system is adequately patched before allowing it to connect to a network. Many organizations had stopped viruses and worms at their network perimeter using firewall and intrusion-detection system software; however, some of those companies were infected anyway when mobile workers and telecommuters used unprotected home Internet connections or logged onto corporate networks using dial-up or virtual private network (VPN) connections. At the heart of the system is a software client called the Cisco Trust Agent, which is installed on laptops, home desktops, servers, or mobile devices that will be connecting to a computing network. This agent collects information from other security software clients, including anti-virus clients, and relays that information to Cisco devices on the network. Network Associates, Symantec, and Trend Micro have licensed the Trust Agent software from Cisco and will be integrating it with their software clients. Network Associates is integrating the Trust Agent with McAfee Security technology as part of the McAfee Trusted Connection Strategy program. Cisco is also integrating the Trust Agent with the Cisco Security Agent, a software client for servers and desktop systems that provides firewall, intrusion-detection, and content-based security. This integration enables Cisco networks to enforce access policies based on whether or not a machine's operating system is adequately patched.

The approach described in this news item requires machines that connect to the network to have an acceptable level of security before they can gain normal levels of access. As hard-nosed as this approach may seem, I am confident it is the way of the future. At some point organizations, even organizations that are not terribly keen about information security, are going to have to ensure that systems that constitute weak links in security are not given the chance to infect and/or attack other systems within their own network (as well as within others). The alternative is to continue to tolerate high numbers of intrusions and worm/virus infections, both of which are causing escalating costs in today's computing environments. Numerous organizations are actually already using a variation of this approach, at least to a limited extent, in that they perform vulnerability scanning and then block network access of systems that have an unacceptable number of vulnerabilities. The approach described in this news item goes further in that it is much more seamless. But is it really affordable? That remains to be seen.
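The item describes the decision the network makes once an agent has relayed an endpoint's state: deny, quarantine, limit, or admit. The following is an added example of such a posture policy, written for this column and not Cisco's Trust Agent or any vendor's NAC code. The posture fields, thresholds, sample hosts and the fixed report date are assumptions for the example; the one design point worth noting is that a host with no agent data is denied rather than assumed healthy.

```python
"""
Added example, not Cisco's Trust Agent or any vendor's NAC code: a posture
policy of the kind the news item describes. Each constructed posture report
(the data an endpoint agent would relay) is mapped to one of the outcomes the
item lists: normal access, limited access, quarantine, or denial.
Field names, thresholds and the sample hosts are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ALLOW, LIMITED, QUARANTINE, DENY = "allow", "limited", "quarantine", "deny"

# Constructed "today" so the example is deterministic offline.
REPORT_DATE = date(2004, 1, 15)


@dataclass
class Posture:
    host: str
    agent_present: bool                 # False = no agent-style client answered
    av_running: bool = False
    av_definitions_date: Optional[date] = None
    missing_critical_patches: int = 0


@dataclass
class Policy:
    max_definition_age_days: int = 7        # older definitions count as stale
    quarantine_at_missing_patches: int = 3  # this many missing criticals -> quarantine


def evaluate(p: Posture, policy: Policy = Policy()) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Fails closed: a host that sends no posture
    data is denied rather than assumed healthy."""
    if not p.agent_present:
        return DENY, ["no posture agent; endpoint state cannot be verified"]

    reasons: List[str] = []
    if not p.av_running:
        reasons.append("anti-virus not running")
    if p.av_definitions_date is None:
        reasons.append("anti-virus definition date unknown")
    else:
        age = (REPORT_DATE - p.av_definitions_date).days
        if age > policy.max_definition_age_days:
            reasons.append(f"anti-virus definitions {age} days old")
    if p.missing_critical_patches > 0:
        reasons.append(f"{p.missing_critical_patches} critical patch(es) missing")

    if not reasons:
        return ALLOW, reasons
    # Unprotected or badly unpatched hosts go to a remediation network;
    # hosts that are merely somewhat out of date keep limited access
    # (enough to reach update servers and fix themselves).
    badly_unpatched = p.missing_critical_patches >= policy.quarantine_at_missing_patches
    if not p.av_running or badly_unpatched:
        return QUARANTINE, reasons
    return LIMITED, reasons


# Constructed sample endpoints covering each outcome.
SAMPLE_HOSTS = [
    Posture("laptop-01", True, av_running=True, av_definitions_date=date(2004, 1, 14)),
    Posture("home-pc-07", True, av_running=True, av_definitions_date=date(2003, 12, 20),
            missing_critical_patches=1),
    Posture("kiosk-03", True, av_running=False, av_definitions_date=date(2004, 1, 10)),
    Posture("pda-12", False),
]


def decide_all(hosts=SAMPLE_HOSTS, policy: Policy = Policy()):
    """Map host name -> decision for a batch of posture reports."""
    return {h.host: evaluate(h, policy)[0] for h in hosts}


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        decision, why = evaluate(h)
        print(f"{h.host:12} {decision:10} {'; '.join(why)}")
```

The vulnerability-scan variant the author mentions fits the same shape: replace the agent-reported fields with a scanner's finding count and keep the same three-way split between admit, limit and quarantine.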

NEC preinstalls security software

NEC is supplying preinstalled support software that performs a variety of security-related functions. One is to monitor the security level of the Windows Internet Explorer (IE) Web browser and to warn users when the security settings have been changed from the recommended "medium" level. This is to guard against lowering of settings without the user's knowledge, as can happen as a result of a virus or worm infection. This software also alerts users that operating system patches need to be installed. If users so allow, patch installation is automatic. The functions are enabled on new PCs and also on those sold since October 2002 on which NEC's dedicated support software is running. The software polls an NEC support server for messages and updates from the company to the user and then uses this polling mechanism to enable the new functions. In response, Microsoft said it was considering using automatic patching of systems, similar to the action NEC has decided to take. One of the actions included on a security CD-ROM Microsoft began distributing free to Japanese users in September is activating the Windows Update function, which installs critical hotfixes.

I am nervous about the notion of automatic patching, especially in Windows systems, because patches that are currently available are too often flawed. Subsequent versions may have to be created to fix the flaws. As evidenced many times in the past, installing current versions could seriously damage systems. A process in which patches are first tested in a non-production environment before they are installed in a production environment needs to be in place, something that suppliers of automated patching capabilities cannot provide. But most users will just "blindly" accept patches, regardless of whether they work, and the prognosis will be even worse if and when companies such as Microsoft implement mandatory automatic patching, that is, automatic patching that cannot be turned on or off by users and system administrators. Perhaps more frightening is the notion of putting any vendor that makes bug-riddled software in charge of automatic, non-optional patch installation: a worst possible scenario. In this case I (and, I suspect, many others) would refuse to use that vendor's products any more. On the other hand, the current situation concerning patch installation is not working. Recent outbreaks of worms and viruses confirm that many users (and even entire organizations) simply do not download patches for their operating systems. So the automatic patching issue boils down to a "lose-lose" situation, one that will continue to exist until vendors finally start producing software that does not have so many vulnerabilities.
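The IE monitoring function the item describes is a configuration-drift check: compare the Internet zone's current security level with the recommended "medium" and warn when it has been lowered. As an added example, not NEC's support software, the script below does that over a constructed Windows registry export (.reg text) instead of the live registry, so it runs on any platform. The zone key path and the CurrentLevel encodings (0x10000 Low through 0x12000 High, 0x11000 Medium) are the standard IE values as I know them; the sample export and the baseline level are assumptions for the example.

```python
"""
Added example, not NEC's support software: a drift check of the kind the
news item describes, run over a constructed Windows registry export (.reg
text) rather than the live registry, so it runs anywhere. The Internet zone
key path and the CurrentLevel encodings are the standard IE values as I
know them; the sample export and the baseline are assumptions for the example.
"""
import re
from typing import Dict

# IE stores each security zone's slider position as a DWORD; lower = weaker.
ZONE_LEVELS = {
    0x10000: "Low",
    0x10500: "Medium-low",
    0x11000: "Medium",
    0x11500: "Medium-high",
    0x12000: "High",
}
INTERNET_ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings\Zones\3")
RECOMMENDED_LEVEL = 0x11000   # the "medium" setting the item refers to

# Constructed export of a machine whose Internet zone has been dropped to Low.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00010000
"RecommendedLevel"=dword:00011000
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: key path -> {value name: int (dword) or str}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue          # header line, blank line, or unsupported syntax
        name, value = m.groups()
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            keys[current][name] = value[1:-1]
        else:
            keys[current][name] = value
    return keys


def check_internet_zone(keys, expected: int = RECOMMENDED_LEVEL) -> Dict[str, str]:
    """Compare the Internet zone's CurrentLevel with the expected level.
    'weakened' is the case a monitor like the one described should warn about."""
    expected_name = ZONE_LEVELS.get(expected, hex(expected))
    zone = keys.get(INTERNET_ZONE_KEY)
    if zone is None or "CurrentLevel" not in zone:
        return {"drift": "missing", "current": "unknown", "expected": expected_name}
    current = zone["CurrentLevel"]
    if current == expected:
        drift = "none"
    elif current < expected:
        drift = "weakened"
    else:
        drift = "strengthened"
    return {"drift": drift,
            "current": ZONE_LEVELS.get(current, hex(current)),
            "expected": expected_name}


if __name__ == "__main__":
    # On a real machine the export would come from `reg export` of the zone key.
    print(check_internet_zone(parse_reg_export(SAMPLE_EXPORT)))
```

A "missing" result is reported separately from "none" on purpose: a monitor that cannot read the setting should say so rather than stay silent, which is the same fail-closed reasoning the author applies to patching and to network admission.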

New UK anti-spam law goes into effect

A new spam law in the UK that limits what on-line marketers can send over the Internet recently went into effect. These marketers can send commercially oriented bulk messages only to those who have given their prior consent to receive them, with the exception of existing customers of a specific commercial organization. Critics are skeptical that this approach to spam restriction will do any good.

Regulating spam is not an easy issue because it requires considering both the wishes of the Internet user community and commercial interests, the latter of which have much to gain but little to lose if users are flooded with spam. Critics of this new anti-spam law are most likely correct in pointing out that the exclusion provision in this law will provide a big loophole for the commercial sector. Companies are very likely to liberalize what they mean by "customer," and I can imagine all kinds of ploys (such as luring users to Web sites and getting them to sign up for a free service) that will be used to expand "customer lists." Still, history tells us that very little legislation is perfect right from its onset. You have to start somewhere, and this new UK anti-spam law is at least a start.

Concerns over spyware grow

Proposed legislation that would forbid corporate spyware as well as spyware bundled with freeware that presents advertisement messages has been drafted in the US Congress. This legislation was prompted by growing public concern over the presence of spyware in computing systems. Opposition to the proposed legislation has already surfaced. The Center for Democracy and Technology claims that this proposed legislation misses the real point, privacy, and recommends instead a wide-ranging privacy protection bill that would require any program that collects information about individuals or systems to inform users when it is about to gather such information and also to provide a way for users to stop or delete the program. The Consortium of Anti-Spyware Technology Vendors, which includes the developers of well-known anti-spyware programs such as Pest Patrol and Ad-Aware, maintains that terms such as "spyware" and "adware" instead need to be more precisely defined and that best practices for companies that use spyware need to be created and put into place.

Several issues ago I wrote an editorial on spyware, so I will make this commentary brief. In essence I said that it is deplorable that spyware is allowed on users' systems and that something needs to be done. Companies are crossing ethical and other boundaries while the public sits by passively. Again, although the legislation that has been drafted is not perfect, it, too, will serve as a good start in drawing some reasonable lines concerning what organizations can do to users' computers without their consent and will punish those who cross those lines.

Eugene Schultz
Editor-in-chief