Cis.aueb.gr

NSA to Defend Against Hackers
Baltimore Sun (09/20/07) P. 1A; S. Gorman
The National Security Agency is planning a new "Cyber Initiative," an effort to enlist federalagencies to monitor Internet-based control systems for electricity grids, subways, nuclear po-wer plants, and other infrastructure to prevent unauthorized intrusions. Initially, as many as2,000 workers from DHS, NSA, and other agencies could be assigned to the project. Theplan is a major shift in NSA practices, according to former and current intelligence officials.
The new domestic role for the NSA, which traditionally focused on the government's classi-fied networks, would require a revision of the agency's charter. NSA officials would not dis-cuss any specific programs, but did say that cybersecurity is a critical objective for the agen-cy. Cybersecurity has long been an unwanted responsibility, with various federal agenciesmanaging small portions of it, but the NSA, for the most part, was not involved. The Dept. ofHomeland Security's first chief of cybersecurity, A. Yoran, says that although the govern-ment has made progress, in general federal efforts are "somewhat spotty." One of the biggestproblems is that the DHS is responsible for the problem, but does not have the authority orexpertise to get other agencies and the private sector to adhere to regulations. Current andformer intelligence officials, including several NSA veterans, warn that the new NSA net-work monitoring program could create new privacy concerns. "If you're going to do cyberse-curity, you have to spy on Americans to secure Americans," says a former government offici-al familiar with NSA operations. "It would be a very major step." Is the US at Risk From Cyberwarfare?
IDG News Service (09/20/07), R. McMillan
Commerce could take a serious hit from cyberattacks, given the degree to which elections,banking, and point-of-sale systems have migrated online. "As we become more networkedand more wired, our vulnerabilities increase," notes Center for Intelligence Research andAnalysis director J. Mulvenon, who cites the May shutdown of Estonian Internet servers andthe subsequent crippling of Estonia's banking system as a case in point. The Homeland Secu-rity Department's G. Garcia says preparing for cyberattacks involves many of the same pro-cedures as gearing up for other online threats. "For our purposes, we really need to focus onreducing our vulnerabilities so those attacks don't happen in the first place," he explains. Oneof the sticking points in plans for the US to wage cyberwarfare against other countries is thatsuch attacks could have a cascading effect that damages civilian systems and services thatmay not be intended targets. There is also the additional threat of rogue elements who maylaunch cyberattacks without the approval of their government. Cyberwarfare planners will fornow continue to proceed with caution out of concern for unintended consequences, accordingto Mulvenon.
International Blue Ribbon Task Force to Address Critical Challenge of the Information
Age, UCSD News (09/19/07), W. Froelich
A new international Blue Ribbon Task Force on Sustainable Digital Preservation and Access,funded by the National Science Foundation and the A. Mellon Foundation, will work to pre-serve society's most important digital data. The task force will be assisted by the Library ofCongress, the National Archives and Records Administration, the Council of Library and In-formation Resources, and the Joint Information Systems Committee of the United Kingdom.
"It is impossible to imagine success in the Information Age without the availability of ourmost valuable digital information when we want it now and in the future," says Fran Berman,director of the San Diego Supercomputer Center and UC San Diego and co-chair of the TaskForce. "It's critical for our society to have a long-term strategic plan for sustaining digital da-ta and we are excited about the potential for the task force to help form that plan." Bermanand co-chair Brain Lavoie, a research scientist and economist with the Online Computer Lib-rary Center, will assemble an international group of leaders to develop recommendations forthe economic sustainability of digital information. Over the next two years the task force willlisten to a broad set of international experts from the academic, public, and private sectors.
After two years, the task force will develop a comprehensive analysis of current issues andactionable recommendations to create sustainable strategies for data preservation. "In additi-on to developing sound technical processes for preserving digital information, we must alsoensure that our preservation strategies are economically sustainable," Lavoie says. "The workof the panel will be an important step toward achieving that goal." Does Antivirus Have a Future?
London Guardian (09/20/07), W. Grossman
The continued effectiveness of antivirus software is in doubt as sneakier, more commercial,and more sophisticated malicious software emerges and is used to launch new kinds of at-tacks. Antivirus vendors hear such skepticism regularly, and Sophos technology consultantG. Cluley says that regardless of malware's refinement or methodology, its arrival at a com-puter remains consistent and conventional, in that it is transmitted as a piece of executablecode that can be spotted by security software before it can cause harm. Cluley adds that anti-virus software's current capabilities may be underestimated by certain parts of the softwarecommunity, and notes that AV software is in a state of continuous evolution and has becomeless dependent on virus signatures. Yet a Panda Security poll of 1.5 million consumer PCsfound that 37% had fully updated security, and nearly 25% of them were still compromisedby malware. AV software is making a transition from blocking bad software to passing onlybenevolent software, while drive-by attacks--malware that is automatically downloaded whenone visits a contaminated Web site--are becoming increasingly common. Malware authors'motivation is also changing, from a desire to hack for the challenge of it or for braggingrights to a desire to turn a profit. University of Auckland researcher P. Gutmann estimatesthat a talented virus programmer can earn up to $200,000 a year. New viruses are also beingdesigned for stealthiness so that they can linger on a user's system without being spotted, in-creasing the amount of time they have to wreak havoc. Experts expect security software's de-ployment and strategy will be rethought, and Columbia University computer science profes-sor S. Stolfo predicts that "eventually, systems implanted in machines will learn your ownpersonal behavior and protect by detecting abnormalities." Collecting of Details on Travelers Documented
Washington Post (09/22/07) P. A1; E. Nakashima,
The Automated Targeting System has been used to screen travelers since the mid 1990s, butthe amount of information gathered and how it is used has changed drastically since 2002, according to former Dept. of Homeland Security officials. The system is used to collect elect-ronic records on the travel habits of millions of Americans who fly, drive, or take cruises, in-cluding information on who they travel with, the personal items they carry, and even thebooks they bring, according to documents obtained by civil liberty advocates and statementsfrom government officials. The personal travel records are preserved for up to 15 years. Agroup of civil rights activists requested copies of their own travel records, which included adescription of a book on marijuana that one of them carried, and the phone number of one ofthe activist's sisters in Japan. Dept. of Homeland Security officials, including DHS secretaryM. Chertoff, insist that the collection of such information is vital to making connections bet-ween possible terrorist suspects, and that the department only gathers information related topossible criminal activities. "I flatly reject the premise that the department is interested inwhat travelers are reading," says DHS spokesman R. Knocke. "We are completely uninterest-ed in the latest T. Clancy novel that the traveler may be reading." Knocke says that if the tra-veler's behavior or belongings lead an inspection officer to believe there may be a possibleviolation of the law, it is the officer's duty to further scrutinize the traveler and to record theincident.
Summit to Address Online Threats to Security
The Tartan (09/24/07), E. Kang
Carnegie Mellon University's CyLab will host the second annual Anti-Phishing WorkingGroup e-crime Researchers' Summit on Oct. 4-5. The summit will feature top e-crime re-search experts, including Cigital CTO G. McGraw, who will deliver a keynote address on se-curity threats in online multi-player games. "With hundreds of thousands of interacting us-ers," McGraw says, "today's online games are a bellwether of modern software yet to come.
The kinds of attack and defense technique I [will] describe are tomorrow's security techniqu-es." The summit will focus on security threats created by massive multiplayer online role-playing games (MMORPG) and phishing, but will also discuss the precautions needed to pre-vent e-crime and how to determine the risk of a particular threat. McGraw says that MMOR-PG threaten not only the security of individual players but the welfare of the entire onlinegaming community. Panelists from the Harvard Center for Research on Computation and So-ciety, Indiana University, and People for the American Way will address the issue of phish-ing, focusing on how phishing could potentially affect the 2008 elections and how to preventphishing using both new and old techniques.
Online Game Helps People Recognize Internet Scams
Carnegie Mellon News (09/24/07), B. Spice; A. Watzman
Carnegie Mellon University computer scientists have developed Anti-Phishing Phil, an onli-ne fishing game that teaches people how to recognize and avoid email "phishing" attemptsand other Internet scams. During testing at the Carnegie Mellon Usable Privacy and Security(CUPS) Laboratory, people who spent 15 minutes playing the game were better able to spotfraudulent Web sites than people who spent 15 minutes reading anti-phishing tutorials andeducational material. The lab is now testing the game on the general public through its Website. Participants are asked to take a short quiz, play the game, and then take another quiz.
"We believe education is essential if people are to avoid being ripped off by these phishingattacks and similar online scams," says CUPS Lab director and associate research professorin the School of Computer Science's Institute for Software Research L. Cranor. "Unlike viru-ses or spyware, phishing attacks don't exploit weaknesses in a computer's hardware or soft-ware, but take advantage of the way people use their computers and their often limited know- ledge of the way computers work." The game managed to improve users' accuracy in spottingdangerous Web sites from 69-87%. "We designed the game to teach people how to use Webaddresses, or URLs, to identify phishing Web sites," says PhD student and lead developer ofAnti-Phishing Phil S. Sheng.
Apple: 'Unlocking' Software Damages iPhone
USA Today (09/25/07) P. 4B; J. Graham
Apple recently issued a formal statement that said using any software to unlock an iPhonecauses "irreparable damage" to the system. Apple also cautioned that such software will cau-se havoc with the iPhone when it is combined with a new software update that allows iPhoneusers to access a new feature to buy music downloads through a wireless Internet connection.
Previously, Apple has released software updates that prevent others from hacking into itsproducts, but Apple's Phil Schiller says that is not the case with the iPhone. "We tested thephones and discovered that some of these unlocking programs permanently damage softwa-re," Schiller says. Some Web sites offer unlocked iPhones for sale, while other sites sellsoftware to allow iPhone owners to unlock the phone themselves. Digital Media analyst P.
Leigh says Apple's warning will make consumers think twice before attempting to unlocktheir phone, but hackers will continue to break the code and find ways around the new soft-ware update. "Consumers will scream and yell about this, but in the end, they don't havemuch of a choice," Schiller says. "The iPhone is a mass-market product, and Apple doesn'twant people to circumvent it." Not Much Anonymity for Unprotected File-Sharers
University of California, Riverside (09/25/07)
University of California, Riverside researchers, in a paper titled "P2P: Is Big Brother Watch-ing You?," show that about 15% of users on file-sharing networks are on the networks to lo-ok for illegal file-sharing for the recording industry or the government. "We found that a nai-ve user has no chance of staying anonymous," says UCR graduate student A. Banerjee.
"100% of the time, unprotected file-sharing was tracked by people there to look for copyrightinfringement." However, the research did show that "blocklist" software such as PeerGuardi-an, Bluetrack, and Trusty Files is fairly effective at creating anonymity, reducing the risk ofbeing observed to about 1%. "Of course no one is suggesting that illegal downloading is agood idea," says UCR computer science professor M. Faloutsos. "But the P2P technology ishere to stay and these industries would be better off trying to find ways to provide affordableand convenient alternatives that would allow computer users to download their products le-gally." UCR's paper was named "best paper" at the International Federation for InformationProcessing Networking 2007 conference.
Using Spam Blockers to Target HIV, Too
BusinessWeek (10/01/07)No. 4052, P. 68; S. Baker; J. Greene
A team led by Microsoft Research's D. Heckerman set out to build a tool that could block un-wanted spam email through the thorough mapping out of thousands of possible spam indica-tors, and spammers responded to their efforts by modifying these identifiers to get around theblockers, for instance by substituting a "1" for the "i" in "Viagra." This virus-like mutation ofspam inspired Heckerman, who is also a physician, to apply the principles behind the spam-blocking technology to the development of software that can detect the AIDS-causing HIVvirus. The application of the spam blocker to AIDS research is not so surprising, as many of Microsoft's researchers stretch into other disciplines regularly. Heckerman analyzes bothspam and HIV through the study of statistical relationships in their features, which mutateconstantly. The Microsoft scientist draws parallels between spamming methodologies and theinfection of cells by HIV, which is done when the virus injects its own genetic material intothe cell and then replicates itself by the thousands, spawning mutants that are sometimesdrug-resistant. Cells infected by HIV frequently carry mutated "signposts" that cannot be de-ciphered by immune systems, leading to cases in which drugs that are effective against oneform of the virus are ineffective against another form. The hope of Heckerman and his col-leagues is that their work could not only be fed into the generation of successful vaccines, butalso lead to an effective tool for damming the deluge of junk email.
US Video Shows Simulated Hacker Attack
Associated Press (09/27/07), T. Bridis; E. Sullivan
A video made by the Idaho National Laboratory for the Homeland Security Department de-picts an electrical turbine catching fire to illustrate what could happen if hackers launched anattack on the US electrical grid. The videotaped simulation, known as the "Aurora GeneratorTest," was produced by researchers probing a hazardous vulnerability in US utility compani-es' computers; the programming flaw has since been repaired. According to experts, the elec-trical equipment that runs the country's water, power, and chemical plants is "very old tech-nology." Moreover, security issues were not taken into consideration when such systems we-re originally designed. Years ago, top telecommunications advisers to President Bush assert-ed that an organization could electronically carry out an attack on the electric power gridfrom a remote location and with a great deal of anonymity. The Idaho National Laboratoryconfirmed such a possibility, dubbing it "the invisible threat." However, other industry ex-perts note that criminals would require specialized information--such as how to deactivatewarning systems--to conduct such an attack. Regardless, the Homeland Security Departmentand electrical companies have been collaborating to improve security measures, and to date"we've taken a lot of risk off the table," says R. Jamison of the Homeland Security Depart-ment. In addition, the Federal Energy Regulatory Commission put forward a series of stan-dards in July 2007 that, if implemented, would safeguard the nation's electric power supplysystem from cyberattacks by mandating the creation of plans and controls.
MIT Launches Kerberos Consortium
MIT News (09/27/07), P. Richards
MIT on Thursday announced the launch of the Kerberos Consortium, a joint effort on thepart of industry and academia to create a universal authentication program based on Kerberosto protect computer networks. "By establishing the Kerberos Consortium, MIT seeks to per-mit Kerberos to continue to grow and develop as a stable and universal 'single sign-on' mec-hanism for the users of modern computer networks," says Kerberos Consortium executivedirector S. Buckley. Kerberos Consortium chief technologist S. Hartman says the objective isto make Kerberos more useful and available. "We foresee a day when Kerberos-based aut-hentication and authorization will be as ubiquitous as TCP/IP-based networking itself," Hart-man says. One of the consortium's primary objectives is to provide the solutions it promotesas open source reference implementations that can be used by consortium members in theirproducts and organizations without licensing fees. "We see a number of our customers askingfor open source, stable, and interoperable single-sign on technology, based on the Kerberosprotocol," says Sun Microsystems director K. Jenks. "The MIT Kerberos Consortium is an outstanding way to address our customers' requirements, and a continuation of the work wehave been doing within the Kerberos community over the last several years." Online Biometrics Flaw Gives Hackers a 'Fake Finger'
New Scientist (09/24/07), A. Ananthaswamy
Researchers in Germany have discovered that the "fuzzy vault" cryptographic scheme requi-res too much computing power and can be broken in a day using a desktop computer. Thebiometrics strategy was seen as a way for people to use their fingerprints to log into onlinebank, email, and other accounts. A more advanced level of cryptography, the "fuzzy vault"made the transmission of an encrypted fingerprint possible because the print scanned by auser's PC would not have to look exactly like the match stored by a Web site. The system isdesigned to store a user's fingerprint on a secure database as a list of coordinates for specificfeatures, create a list of number pairs comprised of the real coordinates and their encryptedpartners, and generate thousands of fake versions to disguise them. Researchers had believedthat a hacker would not be able to pick out the real coordinates among the numerous fakepairs. However, an analysis by P. Mihailescu at the University of Gottingen that involved a-bout 500 fake versions suggests otherwise. A hacker could use the coordinates to create a fa-ke finger and impersonate someone "for a lifetime," says Mihailescu.

Source: http://www.cis.aueb.gr/Besides%20Security/securitynews/NEWS-92_01_10_07.pdf