This is an archived project. See http://blogs.23.nu/disLEXia/stories/492/ for details and further pointers.

disLEXia

reporting of cybercrime -

Monday, 25. November 2002

Cabinet Office beats off 1,000 cyber attacks in October

The Cabinet Office has suffered almost 6,000 cyber attacks this year with more than 1,000 incidents occurring in October alone. Cabinet Office minister Douglas Alexander revealed the scale of the attacks in a parliamentary written answer. With the government stepping up preparations for a war with Iraq, Brian White, MP for Milton Keynes and a former IT professional, asked a series of parliamentary questions to ascertain government departments' response to the threat of cyber terrorism.

While the Cabinet Office fought off 5,857 cyber attacks this year, the Foreign Office told White it had not been subject to a single attack. "I was surprised that they were not on a par with some other departments," said White. "There is a possibility that they are not necessarily the most open department."

IT security consultants Mi2G said: "It is highly unlikely that attacks were not even attempted on the Foreign Office. At the very least the Foreign Office's Internet facing computers would have been probed or scanned for potential attack as this is a commonplace occurrence."

Peter Sommer, senior research fellow at the Computer Security Research Centre at the London School of Economics, said: "Most attacks people talk about are from the Internet and much will depend on the extent departments are connected. If you put up Web sites, people will throw probes at them but there is a difference between leaning against a front door and stamping all over the inside of a computer."

A Foreign Office spokesman insisted that the department was not trying to hide the number of attacks it had faced. "The reason why we have no record of digital attacks is probably because the term digital attacks can be defined in many ways. It is not secrecy," he said. The Foreign Office is now upgrading its systems and intends to carry out a full penetration test in 2003.
White said that overall he was "reassured" that government departments are reviewing the security of their communication and information systems, but believes more can be done. "Policies on security need to be constantly reviewed and monitored. Re-looking at security can't be done too often. What each department could do is collate statistics about attacks and publish them on a quarterly or bi-annual basis." CW360.com Nov 25 2002 8:34AM ET [moreover Computersecurity]
16:07 | #



Thursday, 14. November 2002

FBI asks companies to fight cybercrime

FBI Director Robert Mueller called for more help from companies to battle cybercrime [FCW: Security]
12:56 | #



Consumers are supposed to protect themselves

The FTC is once again cheering its measures against spammers. Yet the situation is, as the FTC itself notes, disastrous: mail addresses used in chat receive spam within minutes. [intern.de]
09:55 | #



Wednesday, 13. November 2002

Calif. law says firms must disclose only online intrusions

[Politech]
07:36 | #



CA Law Demands Public Disclosure Of Break-Ins

BusinessWeek has an article about a new California law passed that requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good. [Slashdot]
00:00 | #



Thursday, 01. August 2002

The left hand of the government asketh ...

Despite the reports being a day apart, the following two stories appeared next to each other in last evening's Edupage from EDUCAUSE. EDUCAUSE made no comment on the juxtaposition. However, I suspect that pretty much anyone can see the cause for concern here. Poorly thought out "quick fix" legislative solutions, such as the DMCA, can definitely be much more trouble than they are worth.

------- Forwarded message follows -------
>Date sent:      	Wed, 31 Jul 2002 17:43:42 -0600
>From:           	EDUCAUSE@EDUCAUSE.EDU
>Subject:        	Edupage, July 31, 2002

[...] TOP STORIES FOR WEDNESDAY, JULY 31, 2002
Clarke Urges Hackers to Find and Report Bugs
H-P Uses DMCA Against Bug Finders

[...] CLARKE URGES HACKERS TO FIND AND REPORT BUGS Richard Clarke, the cybersecurity advisor to President Bush, told attendees of the Black Hat conference in Las Vegas that they should find and report software bugs that compromise computer security. [...] Associated Press, 31 July 2002 http://www.nandotimes.com/technology/story/484376p-3867743c.html

H-P USES DMCA AGAINST BUG FINDERS In an apparent first, Hewlett-Packard has invoked the controversial Digital Millennium Copyright Act (DMCA) to stop researchers from releasing information about software bugs. [...] But H-P sent a letter to SnoSoft, a group of researchers, saying that the group faces fines of $500,000 and jail time for releasing information about a bug in an H-P Unix application. SnoSoft said that they notified H-P of the flaw early enough that a patch should have been available before public disclosure of the bug. [...] CNET, 30 July 2002 http://news.com.com/2100-1023-947325.html

[...] EDUPAGE INFORMATION

To subscribe, unsubscribe, or change your settings, visit http://www.educause.edu/pub/edupage/edupage.html [Rob Slade via risks-digest Volume 22, Issue 20]
16:34 | #



Sunday, 19. May 2002

FBI does not care about standards, nor getting that information

A few days ago I noticed that one of my children got spam in his mailbox. Browsing through it, it looked very nasty, advertising child pornography. As this is a crime both in my country and in Maryland, USA, I decided to report it.

Finding www.fbi.gov was easy. Finding an e-mail address was difficult. In fact, I failed finding an e-mail address. What was available was one of those Webforms that never really is appropriate for the task in hand. As the Webform was the only alternative, I tried to register my complaints, hoping that someone would contact me via e-mail so all details could be reported.

Within hours there was an attempt, I say attempt because my mailserver is configured to reject connections from abusive and rfc-ignorant sites. A common technique that spammers hide behind is sending e-mail from a domain that does not exist. Those mails can never be replied to, nor complained about.

Guess what? The connection attempt was from

I see two problems with the FBI's attitude. The serious one is that they will miss some tips and e-mails with data (not everyone has an Explorer browser available). The other problem is that their IT-responsibility seems to be totally clueless.

What's most important? To get those tips, or to make sure that everyone uses Microsoft Explorer whenever they contact the FBI? I have my opinion, but unfortunately I cannot vote in the US.

I also sent a copy of the same mail to the Swedish police, where I could find e-mail addresses, but they seem to have ignored the report. [peter h via risks-digest Volume 22, Issue 08]
09:22 | #
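The post above mentions a mail server that rejects connections from "rfc-ignorant" sites and spam sent from domains that do not exist. The following is an added example, not code from the RISKS post or from the disLEXia site, showing the envelope-sender domain check behind that kind of policy (the behaviour Postfix calls reject_unknown_sender_domain): before accepting MAIL FROM, the receiving MTA checks that the sender's domain has an MX record or, failing that, an A record, and otherwise refuses the message. The resolver is a stub over constructed zone data so the example runs offline; the domain names and the reply texts are assumptions, not taken from the post.

```python
"""Envelope-sender domain check (added example, not from the original page).

Models the MAIL FROM stage of an SMTP receiver: parse the reverse-path,
accept the null sender unconditionally, and reject senders whose domain
has neither an MX nor an A record. DNS is replaced by a stub resolver over
constructed zone data (FAKE_ZONE) so the example runs offline.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data for the stub resolver: domain -> record types present.
# These names are placeholders, not addresses from the post.
FAKE_ZONE: Dict[str, List[str]] = {
    "example.org": ["MX", "A"],
    "a-only.example": ["A"],
    "mx-only.example": ["MX"],
}

Lookup = Callable[[str, str], bool]


def stub_lookup(domain: str, rrtype: str) -> bool:
    """Stand-in for a DNS query: True if the constructed zone has a record of rrtype."""
    return rrtype in FAKE_ZONE.get(domain.lower(), [])


# Local-part characters allowed by RFC 5321 dot-atom; DNS label rules per RFC 1035.
_LOCALPART = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_mail_from(cmd: str) -> Optional[str]:
    """Extract the reverse-path from 'MAIL FROM:<...>'; '' for the null sender, None on bad syntax."""
    m = re.match(r"^MAIL FROM:\s*<([^>]*)>", cmd, re.IGNORECASE)
    return m.group(1) if m else None


def domain_exists(domain: str, lookup: Lookup = stub_lookup) -> bool:
    """RFC 5321 5.1: route by MX; a domain with only an A record is an implicit MX."""
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False
    return lookup(domain, "MX") or lookup(domain, "A")


def check_mail_from(cmd: str, lookup: Lookup = stub_lookup) -> Tuple[int, str]:
    """Return the SMTP reply (code, text) the receiver would send for this MAIL FROM command."""
    addr = parse_mail_from(cmd)
    if addr is None:
        return 501, "Syntax error in parameters or arguments"
    if addr == "":
        # Null reverse-path carries bounces and must be accepted (RFC 5321 4.5.5).
        return 250, "OK"
    if "@" not in addr:
        return 501, "Bad sender address syntax"
    local, _, domain = addr.rpartition("@")
    if not _LOCALPART.match(local):
        return 501, "Bad sender address syntax"
    if not domain_exists(domain, lookup):
        # 4xx rather than 5xx: a transient DNS failure should make the sender
        # retry, not lose the message permanently.
        return 450, f"<{addr}>: Sender address rejected: Domain not found"
    return 250, "OK"


if __name__ == "__main__":
    for line in ("MAIL FROM:<alice@example.org>", "MAIL FROM:<>",
                 "MAIL FROM:<spam@no-such-domain.invalid>", "MAIL FROM:<nodomain>"):
        code, text = check_mail_from(line)
        print(f"{line!r:45} -> {code} {text}")
```

The design choice worth noting is the 450 reply: a production MTA uses a temporary failure for an unresolvable sender domain precisely so that a DNS outage on the receiving side does not silently bounce legitimate mail, which is also why an unreachable resolver, unlike the stub here, should be treated as "unknown", not "absent".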



Thursday, 27. September 2001

FC: "Good Samaritan" hacker pleads guilty to breaking and entering

[Follow-up on RISKS-21.62 items. PGN]

'Good Sam' Hacker 'Fesses Up, By Declan McCullagh, 27 Sep 2001 declan@wired.com

It seemed like such a straightforward example of prosecutorial misconduct: An Oklahoma man was being investigated by the Justice Department for helping a newspaper fix a Web site security hole.

The outcry among the geek community last month began with an uncritical story on LinuxFreak.org entitled "Cyber Citizen Lands Felony Charges?" Sites such as Slashdot soon picked up the sad tale of 24-year-old Brian K. West as evidence of out-of-control, tech-clueless government lawyers, and urged everyone to e-mail the U.S. Attorney in charge of the prosecution.

Making the story even more appealing to the open-source community was the Microsoft angle: West was said to have reported to the Poteau (Oklahoma) Daily News and Sun a security flaw in Microsoft NT 4.0 IIS and Microsoft FrontPage. But a guilty plea that West signed tells a far different story -- and shows how easily a well-meaning community of programmers and system administrators can be led astray.

http://www.wired.com/news/politics/0,1283,47146,00.html

[Politech archive on U.S. v. Brian K. West: http://www.politechbot.com/cgi-bin/politech.cgi?name=sperling]

[PGN-excerpted from the Sperling release: While probing the site, defendant made copies of six proprietary Practical Extraction Report Language (PERL) scripts that were part of the source code running the PDNS Web page. Defendant also obtained password files from PDNS and used those passwords to access other parts of the PDNS Web page. Defendant electronically shared the scripts and the password files for the PDNS Web site with another individual. Defendant's access to the Web page involved interstate communications. ...] [Declan McCullagh via risks-digest Volume 21, Issue 67]
00:00 | #



Thursday, 17. May 2001

Our software is *never* wrong

The other day I got an e-mail from my on-line credit-card company telling me that my e-mail preferences had been updated. Trouble is, I hadn't logged in to my account for weeks, and I could not remember ever setting any e-mail preferences. So my risk radar said, "Hack!" and I called the company.

The rep assured me that my account had not been broken into. How did they know, I asked. "I've got your account right here and I can tell that no one has tried to break in." Yes, but *how* can you tell that? Well, because if someone had tried to break in it would have said so, and it didn't, so no one has.

I explained to the rep about the e-mail that I got which could only be explained by either someone breaking in or a bug in their software. And if there was a bug in their e-mail software there might also be a bug in their hack-detection software. It should come as no surprise that this made little impression on the rep. [Erann Gat via risks-digest Volume 21, Issue 41]
00:00 | #



Friday, 12. January 2001

Two billion dollar theft (Re: CIOs: "What, Me Worry?" RISKS-21.19)

I can give a first hand account of a $2 billion theft of proprietary information to illustrate how these exaggerated figures get manufactured. Back in 1989 I worked at a Toronto software development company that did lots of work with the Unix operating system, and licensed the Unix source code from AT&T for about $60,000 a year.

Night after night someone was logging in to the computers from a dialup line to download chunks of the Unix source code. Somebody at the company noticed this, called in the police, who traced the connection to an ex-employee, raided his house and seized his home computer. Apparently the ex-employee, a software development manager, who had recently left the company, missed having access to the Unix source code and wanted to grab a copy of it for personal study. Satisfied that the source code had been recovered, and that this wasn't a case of espionage or sabotage, the company would have been happy to let the matter drop.

But the cops insisted on laying charges and it appears that they leaked the story to the media. All three Toronto newspapers (Toronto Sun, Toronto Star, and the Globe & Mail) reported that the police had foiled a $2 billion theft!

Why wasn't this reported as a $60,000 theft of a commercial source code license? Or at the very most a $500 theft of an educational license, since the ex-employee's intended use was only to study it?

Well it seems that the police had called up AT&T and asked them "How much is Unix worth?" The answer was $2 billion. AT&T gave Unix an asset value of $2 billion on their books. The police equated a little mischief to the cost of acquiring total ownership of AT&T's Unix System Laboratories and all its intellectual property!

In this case, the large corporation gave an accurate estimate to a bogus question. It was law enforcement (and sloppy fact checking by the media) that twisted the story.

But you know, even the $2 billion asset value seems suspect to me now because AT&T sold Unix to Novell in 1993 for just $270 million (see http://www.att.com/press/0693/930614.ulb.html). Novell in turn sold it to SCO in 1995 for a paltry $54 million (6M SCO shares at about $9 each is $54M, see http://www.novell.com/company/ir/96annual/mandis.html). But if AT&T overestimated by tenfold, the police still exaggerated by 4 million fold. [S Harris via risks-digest Volume 21, Issue 21]
00:00 | #



Friday, 29. December 2000

Re: Seattle Hospital Hacked (RISKS-21.14)

The first response to intrusion news stories by most organizations is almost formulaic: deny the attack, make (often false) allegations that this could never happen HERE, attack the credibility of the source of the news, and lastly take a stand against such heinous activity. The response by the UWMC to the intrusion into their network generally follows the formula.

They started back-pedaling the next day: "We have received the first tangible evidence from news-gathering organizations that someone did, in fact, gain criminal access to a limited number of administrative databases that contain some confidential information on at least 5,000 cardiology and rehabilitation medicine patients treated at our hospital," said Tom Martin, director and chief information officer for University of Washington Medical Centers Information Systems. From MSNBC: "Hospital Confirms Hacking Incident" 2000-12-8

For more complete coverage, I recommend going to where the story broke: www.SecurityFocus.com and search on "University of Washington Medical Center"

The original UWMC announcement, however, is still true. Read it carefully, they worded it so that they never actually denied the attack.

Dan Theunissen, dan.theunissen.no.spam@ieee.org ["Daniel Theunissen" via risks-digest Volume 21, Issue 18]
00:00 | #



Friday, 22. December 2000

Re: Seattle Hospital Hacked (Wallack, RISKS-21.16)

*The Washington Post*, and a local TV station, obtained the "proof" from me, after the medical center sought to dismiss the incident as a rumor. Though I should hardly have to say it, I confirmed every aspect of this story before breaking it. (Even we "Internet reporters" do that sort of thing.) The hacker took command of large portions of the medical center's internal network.

The University of Washington Medical Center later reluctantly acknowledged the accuracy of my report.

http://www.washingtonpost.com/wp-dyn/articles/A46320-2000Dec8.html
http://www.nytimes.com/2000/12/08/technology/08HACK.html
http://www.msnbc.com/news/499856.asp
http://dailynews.yahoo.com/h/ap/20001208/us/med_center_hacker_3.html
http://www.komotv.com/news/qtmovie.asp?ID=8157

Kevin L. Poulsen, Editorial Director, SecurityFocus.com, Washington D.C. (202)232-5200 ["Kevin L. Poulsen" via risks-digest Volume 21, Issue 16]
00:00 | #



Wednesday, 20. December 2000

Re: Seattle Hospital Hacked (RISKS-21.14,15)

I just spoke to Walter Neary at the University of Washington. He confirmed a 9 Dec 2000 report in *The Washington Post* that hackers gained access to confidential medical files. He said it was a good summary of the incident. (Other newspapers and television stations also reported on the incident as well.)

But the statement you distributed was issued two days earlier. At that time, Neary said the college didn't know whether to believe the hackers' claims that they had accessed confidential data. He said the Washington Post and other reporters later obtained proof -- the records themselves -- that show that the hackers did indeed break into the computer.

But he still disputes an Internet report, referenced in the statement, which claims that hackers "took control" of the university's computers.

Todd R. Wallack, Business Reporter, San Francisco Chronicle (415) 764-2815 [Todd Wallack via risks-digest Volume 21, Issue 16]
00:00 | #



Wednesday, 13. December 2000

Re: Seattle Hospital Hacked (RISKS-21.14)

Here's the response from the University of Washington, Health Sciences and Medical Affairs, News and Community Relations, 7 Dec 2000

The following statement is for attribution to Tom Martin, director and chief information officer for University of Washington Medical Centers Information Systems:

An Internet-based news service yesterday netcast a rumor that 'a hacker took command of large portions of the University of Washington Medical Center's internal network earlier this year.' Unfortunately, this rumor was reported as fact. However, it is completely inaccurate.

Last summer, we halted an unknown hacker who had gained criminal entry into portions of our academic computer system. This is the only incident we are aware of that bears any resemblance whatsoever to the report in yesterday's SecurityFocus News. While we have no evidence that confidential data were obtained as part of that incident, we do know for certain that no one has ever gained unauthorized entry into our separate and highly confidential patient-care computer systems.

The UW and most other universities make limited use of firewall technology and are under constant assault by recreational hackers. Recognizing this, we take extraordinary measures to protect our clinical-based systems that go well beyond the high security employed, for example, by most community hospitals. These measures include the latest hardware and software, encryption technologies, and strong host-based security.

As the incident we detected last summer illustrates, we are constantly vigilant for hacker attacks on all of our computer systems. We believe that rumors such as the one given credence in yesterday's netcast only encourage recreational hackers to pursue their criminal activity.

For more information, contact L.G. Blanchard or Walter Neary, 1-206-543-3620 ["Lynda Ellis (LabMed)" via risks-digest Volume 21, Issue 15]
00:00 | #



Thursday, 07. December 2000

Seattle Hospital Hacked

http://www.securityfocus.com/news/122

Seattle Hospital Hacked

Dutch hacker downloads thousands of patient records. By Kevin Poulsen December 6, 2000 3:54 PM PT

A sophisticated hacker took command of large portions of the University of Washington Medical Center's internal network earlier this year, and downloaded computerized admissions records for four thousand heart patients, SecurityFocus.com has learned.

The intrusions began in June, and continued until at least mid-July, before network administrators at the Seattle teaching hospital detected the hacker and cut him off. The medical center was purportedly unaware that patient records were downloaded, and elected not to notify law enforcement agencies of the intrusions.

"It's a story of great incompetence," said the hacker, a 25-year-old Dutch man who calls himself "Kane." "All the data taken from these computers was taken over the Internet. All the machines were exposed without any firewalls of any kind."

SecurityFocus.com reviewed portions of the databases the hacker downloaded. One of the files catalogs the name, address, birth date, social security number, height and weight of over four thousand cardiology patients, along with each medical procedure they underwent. Another file provides similar information on seven hundred physical rehabilitation patients. A third file chronicles every admission, discharge and transfer within the hospital during a five-month period.

"I can say we're investigating an incident," said hospital spokesperson Walter Neary. "We are taking it very seriously."

In a telephone interview, Kane said he did not tamper with any hospital data, and described his forays into the hospital's network as a renegade public service aimed at exposing the poor security surrounding medical information. A self-described computer security consultant by trade, the hacker's illicit investigation was inspired by a conversation with a colleague, in which they wondered aloud about how well highly sensitive computers were protected. "The conversation came around to medical data, which is sensitive indeed, and I thought I'd have a look around," said Kane. <...>

Lauren Gelman, Director of Public Policy, Electronic Frontier Foundation 1-202/487-0420 [Lauren Gelman via risks-digest Volume 21, Issue 14]
00:00 | #



Tuesday, 23. April 1991

Re: Dutch hackers and KSC

I have received NO incident reports indicating that any KSC systems were hacked, or involved in any hacking incidents relating to the Dutch hacker case.

Ron Tencati, Security Manager, NASA Science Internet (NSI) Coordinator, NSI-CERT, STX/Code 930.4/Goddard Space Flight Center/Greenbelt, MD [TENCATI@NSSDCB.GSFC.NASA.GOV (NSI Security Manager (301)286-5223) via risks-digest Volume 11, Issue 54]
23:32 | #



disLEXia, a research project by Maximillian Dornseif


This is the category "reporting of cybercrime" of the disLEXia project. It is also available in machine-readable format, e.g. for use with news aggregators.