Computers & Security (November 2006), 69 pages, English

Computers & Security

Editor-in-Chief: Dr Eugene Schultz, CISSP, Chief Technology Officer, High Tower Software, 26970 Aliso Viejo Pathway, Aliso Viejo, CA 92656, USA.

Editor: Nova Dudley-Gough, Elsevier, E.A.T, 18.139, Radarweg 29, 1043 NX Amsterdam, Netherlands.

Academic Editor: Prof. Eugene Spafford, Professor and Director, Purdue University CERIAS, Department of Computer Science, 1398 Computer Science Building, Purdue University, West Lafayette, IN 47907-1398, USA.

IFIP TC-11 Editor: Prof. Dr Dimitris Gritzalis, Dept. of Informatics, Athens University of Economics and Business, 76 Patission Street, Athens GR-104 34, Greece.

Editorial Board: Charles Cresson Wood, Independent Information Security Consultant and Author; August Bequai, Attorney At Law, McLean, Va.; Dr Richard Ford, Associate Professor, Florida Institute of Technology (rford@fit.edu); Sarah Gordon, Senior Research Fellow, Symantec Security Response; Professor William J (Bill) Caelli, Head, School of Software Engineering and Data Communications, Queensland University of Technology; Leon A M Strous, Senior IT-Auditor at the Payment Systems Policy Department, De Nederlandsche Bank; Stephen Hinde, Group Information Protection Manager, BUPANet; Prof. Zhenfu Cao, Department of Computer Science and Engineering, Shanghai Jiao Tong University.

Publisher: David Clark. Marketing: Ursula Culligan. Editorial Administrator: Vicky Barker.

Published 8 issues per year.

Orders, claims, and journal enquiries: please contact the Customer Service Department at the Regional Sales office nearest you. Orlando: Elsevier, Customer Service Department, 6277 Sea Harbor Drive, Orlando, FL 32887-4800, USA; phone: (877) 8397126 or (800) 6542452 [toll free numbers for US customers]; (+1) (407) 3454020 or (+1) (407) 3454000 [customers outside US]; fax: (+1) (407) 3631354 or (+1) (407) 3639661. Amsterdam: Elsevier, Customer Service Department, PO Box 211, 1000 AE Amsterdam, The Netherlands; phone: (+31) (20) 4853757; fax: (+31) (20) 4853432. Tokyo: Elsevier, Customer Service Department, 4F Higashi-Azabu, 1-Chome Bldg, 1-9-15 Higashi-Azabu, Minato-ku, Tokyo 106-0044, Japan; phone: (+81) (3) 5561 5037; fax: (+81) (3) 5561 5047; e-mail: jp.info@elsevier.com. Singapore: Elsevier, Customer Service Department, 3 Killiney Road, #08-01 Winsland House I, Singapore 239519; phone: (+65) 63490222; fax: (+65) 67331510.

© 2006 Elsevier Ltd. www.elsevier.com/locate/cose

Number 8, November 2006

Contents

From the Editor-in-Chief: Predicting the future of InfoSec, E. E. Schultz, 553
Security views, 555
Tightening the net: A review of current and next generation spam filtering tools, J. Carpinter and R. Hunt, 566
Expected benefits of information security investments, J. J. C. H. Ryan and D. J. Ryan, 579
A virtual disk environment for providing file system recovery, J. Liang and X. Guan, 589
Wavelet based Denial-of-Service detection, G. Carl, R. R. Brooks and S. Rai, 600

computers & security 25 (2006) 553–554

From the Editor-in-Chief

Predicting the future of InfoSec

I recently participated in a project conducted by the SANS Institute in which a group of infosec professionals was asked to predict infosec trends of the future. Interestingly and not surprisingly, the prediction that laptop encryption will become mandatory within US government agencies and other organizations that store personal and financial data on computing systems and will be built into new computers ranked first (i.e., the most likely to occur). Another less highly ranked prediction was that a new worm or virus will infect thousands of computers sometime in the future: humorous evidence that the "P.T. Barnum effect" is still very much alive and well.

Although numerous predictions about the kinds of information security-related events that will occur in the future continually surface, what about the future of information security itself? Donn Parker, a true infosec pioneer, once characterized the practice of information security as "a folk art" in contrast to other better-established, more systematic professional disciplines. Will infosec ever break out of whatever shackles have held it back for so long? The answer is almost certainly so; in fact, this has already been happening over the last few years. Organizations' infosec-related spending has, according to available statistics, generally continued to grow year-by-year, something that has not been true of the IT arena as a whole. Senior management is slowly but surely increasingly appreciating the value of infosec in protecting organizations' information assets. I will go on record as predicting that this trend will continue, a sign of growing acceptance and success.

Other factors not directly related to the practice of infosec per se are, however, also likely to propel infosec increasingly towards success. In particular, the continued growth of crime, not just computer-related crime per se, is likely to contribute to infosec's growth because so much evidence concerning acts of crime resides in computers. A tax evader's computer is, for example, likely to contain incriminating information that law enforcement agencies would dearly love to have. Computer forensics specialists are best prepared to discover and preserve such information. Computer forensics is thus likely to grow by leaps and bounds in the future, thereby bolstering the credibility and leverage of the practice of information security as a whole.

Additionally, unauthorized keystroke sniffers currently abound, enabling perpetrators to steal passwords, Social Security numbers, credit card numbers, personal identification numbers, and more. The unfortunate aftermath has been a rapid proliferation of identity thefts. In the future, however, I predict that keystroke sniffers will be used for even more sordid purposes. Perpetrators will increasingly use them in extortion attempts. Individuals involved in extramarital affairs will, for example, become potential victims in extortion plots because perpetrators will capture the keystrokes they enter when they correspond with their extramarital partners and then attempt to get those whose keystrokes were recorded to pay to avoid having the contents of their messages exposed. Encrypting email traffic will in such cases do no good in protecting them from extortionists even though encrypting email is, all things considered, an excellent security practice.

Regulatory and compliance considerations have already bolstered information security considerably, but I expect these considerations to become considerably more numerous and intense in the future. The reason is that more regulatory/compliance legislation that requires particular infosec practices within organizations is likely to be passed in an attempt to stem the tide of software, movie and music piracy, data security breaches leading to identity theft, and the like. This will prove even more helpful to the growth of information security in the future.

Finally, the practice of infosec has if anything increasingly been centered on security risk management. Risk management in general has grown substantially in the business world over the last five to ten years, and infosec professionals have been able to fill in pieces of risk management dilemmas that other professionals have not been able to do. Given the extreme importance of risks related to information resources, infosec professionals are likely to hold an exceptionally attractive set of cards. Once again, the future of the practice of infosec appears to be very promising.

In short, infosec has increasingly proven its value to senior management and stakeholders, and additional factors and considerations are only likely to boost the practice of infosec. There is thus genuine cause for growing optimism concerning the future of infosec.

Footnote: The opinions in this editorial are entirely those of the author, not of High Tower Software. They do not in any way represent High Tower Software's position on the issues that are addressed.

Dr. E. Eugene Schultz, CISSP, CISM

© 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2006.10.010

computers & security 25 (2006) 555–565

Security views

1. Malware update

A virus-worm hybrid, Worm.Mocbot.a, has spread prolifically in Shanghai. Exploiting a vulnerability in Windows XP to infect systems, this malware uses a chat network to gain control of victim systems and then gleans passwords and financial data. Infected systems often become so unstable that they may not even be able to connect to the Internet. Shanghai's anti-virus support center has responded to more than 800 calls for help. A warning message reading "Generic Host Process for Win32 Services" with many words printed in Chinese characters indicates that Worm.Mocbot.a has infected a computer.

For a brief period Samsung Electronics' US Web site contained a Trojan horse program that recorded keystrokes and stopped anti-virus software on systems on which it was installed. This program was not automatically injected into Web site visitors' computing systems; user interaction was instead required. Samsung removed this program from its Web site as soon as it was informed of the problem.

Another zero-day vulnerability that could be exploited to allow remote code execution in Microsoft Word 2000 has been found. This vulnerability can be exploited when users running vulnerable versions of Word 2000 open Word documents containing exploit code. Several instances of such code are already in the wild. Trojan.Mdropper.Q, for example, installs two pieces of malicious code on computing systems that it infects, both of which are related to Backdoor.Femo, a backdoor Trojan program capable of process injection in victim systems.

A new AOL Instant Messenger (AIM) worm, Win32.Pipeline, is spreading and appears to be trying to build a botnet. It infects computing systems whenever users are fooled into downloading an executable file that appears to be a JPEG image. Once Win32.Pipeline is installed and running, it establishes connections with numerous remote computers to download malicious code into the infected system.

As far as malware goes, once again very little has changed since the last issue of Computers and Security. Malware writers continue to write programs that are difficult to detect so that these programs can accomplish the authors' goals before the programs are discovered and eradicated. Malware writers are going for money, not fame, a trend that is likely to last through the foreseeable future. As such, many deadly Trojan and other programs undoubtedly once again remain undetected.

2. Update in the war against Cybercrime

A lawsuit filed in the state of Washington against Movieland.com parent company Digital Enterprises alleges that breaches of the state's Computer Spyware and Consumer Protection Acts have occurred. People are enticed to order a free, three-day trial of the company's software that enables them to download movie clips. After the end of the trial period, pop-up messages that appear every hour or sometimes even more often demand payment. The pop-ups remain on the screen for 40 seconds and cannot be closed during that time. The pop-ups are created by clandestine software installed on users' computers without their consent.

Romanian law enforcement has arrested 23 people who are accused of being part of an Internet fraud ring. These individuals allegedly created fraudulent Web sites that captured users' email addresses and then asked them to update their personal information. The information was allegedly subsequently used in offering fictitious items over the Internet. The accused individuals allegedly defrauded individuals out of more than USD 120,000. Anyone who is convicted could receive a sentence of up to 15 years of imprisonment.

A US federal grand jury has indicted Jovany Desir, a Floridian, on five counts of wire fraud. He allegedly set up Web sites appearing to be American Red Cross, PayPal, eBay, and several banks' sites designed to trick individuals who donated money for Hurricane Katrina victim relief into revealing their financial information. If convicted, Desir could get a prison sentence of up to 50 years and a USD 1 million fine.

Internet-related crime in Japan has, according to statistics from Japan's National Police Agency, recently grown substantially. Figures indicate that 1802 reported cases of Internet crime occurred during the first half of 2006, a 12% increase compared to the same period in 2005. Internet-related fraud constituted the largest proportion of reported Internet crime with 40% of the reported cases. Unauthorized network access, including phishing ploys and illegal access to bank accounts, constituted 265 of the reported cases, a 34% jump compared to the 2005 statistics.

David Lennon pleaded guilty to violating Section 3 of the UK's Computer Misuse Act (CMA) for launching a denial-of-service (DoS) attack in which approximately five million messages were sent to his former employer's mail server two-and-a-half years ago. The barrage of messages crashed the server. He was sentenced to two months of curfew, the terms of which require him to be home by 12:30 a.m. and remain there for a set period of time. In 2005 charges against Lennon were dismissed; a judge ruled that he had not violated the CMA, but the Crown Prosecution Service appealed the ruling. Lennon's case has led to efforts to update the CMA to cover a broader range of computer-related crimes.

The US Securities and Exchange Commission (SEC) is suing a Connecticut married couple, Jeffrey Stone and Janette Diller Stone, for using spam to pump up the price of stock they had bought. The couple allegedly subsequently dumped the stock once its value momentarily rose. They allegedly made USD 1 million off of the scheme.

The government of the Peoples Republic of China (PRC) has fined Hesheng Zhihui Enterprise Management Consulting for spamming. This company was fined 5000 yuan for sending massive amounts of email containing unsolicited advertisements to Internet users and additionally was told to immediately stop sending spam. A PRC anti-spam regulation went into effect earlier this year; it required organizations sending commercial email to offer a way for recipients to agree to or decline receiving subsequent messages. The fine imposed on the consulting firm that sent spam was the first ever in the PRC. Additionally, authorities in the PRC are targeting Web sites that breach this country's new copyright laws that went into effect last July 1. More than 100 Web sites, including some that make movies and music available for free, have been closed.

AT&T is suing 25 data brokers on the grounds that they used pretexting, the practice of setting up bogus on-line accounts to gain access to information, to obtain approximately 2500 AT&T customers' call records. AT&T says that affected customers have been informed.

Christopher Maxwell of California has been sentenced to more than three years of imprisonment with three years of supervised release afterwards. He created a botnet that infected millions of computers worldwide in an attempt to reap profits from installing spyware on compromised machines. Earlier this year Maxwell pleaded guilty to one count of plotting to deliberately harm a protected computing system and one of causing damage to a computer that impeded medical treatment. According to the FBI, Maxwell and two as yet unidentified accomplices made more than USD 100,000 from their illegal activities. The bots disrupted computers at numerous organizations, including the US Department of Defense (DoD), a California school district, and a Seattle hospital. Maxwell has also been ordered to pay more than USD 250,000 in restitution to the DoD and Seattle's Northwest Hospital and Medical Center.

Jason Arabo of Michigan has received a prison sentence of 30 months and must pay more than USD 500,000 in restitution for plotting to attack business competitors' Web sites. Arabo sold classic sports team jerseys on-line; by his own admission he hired Jasmine Singh to perpetrate denial-of-service (DoS) attacks against Web sites operated by others who offered similar merchandise. Singh was recently sentenced to serve five years of prison time and to pay USD 35,000 in restitution.

Danny Ferrer of Florida must serve six years in prison and pay restitution of more than USD 4.1 million for trafficking in pirated software. Ferrer, who pleaded guilty to conspiracy and criminal copyright violation several months ago, operated a Web site in which copies of popular programs were available at low prices. Affected companies may have been cheated out of up to USD 20 million in lost sales. Ferrer has consented to appear in public service announcements regarding software infringement. He must also forfeit motor vehicles, boats, and airplanes bought with sales from his Web site and must complete 50 hours of community service.

Nicholas Lee Jacobsen of California has been sentenced to one year of home confinement and must also pay USD 10,000 for gaining unauthorized access to a T-mobile computer and then accessing records containing the names and Social Security numbers (SSNs) of about 400 T-mobile customers. The break-in occurred two years ago.

Jon Paul Oson of California has pleaded not guilty to charges that he harmed protected computing systems. Oson was formerly employed at San Diego's Council of Community Health Clinics, but reportedly resigned after getting a sub-par evaluation. Afterwards he allegedly gained unauthorized access to computers at two Southern California health clinics and deleted patient and billing information. A number of patients did not receive needed services because of the attacks. Oson is being held in lieu of USD 75,000 bail. If found guilty of the charges against him, he could get up to 20 years of jail time and fines of up to USD 500,000.

Sulagna Ray, an employee of Jaishree Infotech in eastern India, has been arrested on fraud charges. She allegedly used credit card information she collected while she sold dish TVs to customers in the US to buy Internet goods valued at Rs. 1.8 lakh. The motive was reportedly to "have fun."

The Virginia Court of Appeals has upheld Jeremy Jaynes' conviction for sending spam to AOL customers. Two years ago Jaynes was convicted of breaking Virginia's anti-spam law; he was subsequently sentenced to nine years of prison time. Jaynes' lawyers argued that the Virginia court did not have jurisdiction in this case because the spam was sent from a computer in North Carolina instead of in Virginia, where AOL servers reside. The defense lawyers also contended that Virginia's anti-spam law violates the right of free speech. Jaynes remained free on bond pending the appeal, but Virginia's Attorney General asked that the judge revoke the bond and force Jaynes to go to jail. Jaynes' lawyers have stated that they will file a further appeal.

Eric McCarty of California has pleaded guilty to the charge of accessing a protected computer without authorization. He admits he accessed the University of Southern California's (USC) admission application system last year and pilfered seven students' personal data after USC rejected his bid for admission. He will be sentenced in December. Having pled guilty to a felony count, he is likely to receive six months of home detention and then three years of supervised release. Additionally, he will probably be ordered to pay restitution of about USD 37,000. McCarty told the press that he found a security hole when he was applying to USC on-line.

Nathan Peterson of California has received a sentence of 87 months imprisonment and a fine of USD 5.4 million for software piracy. The length of his prison sentence constitutes a new record for software piracy in the US. Late last year Peterson pleaded guilty to charges of criminal copyright infringement. He sold pirated copies of software using a Web site and by sending email messages; he reportedly earned USD 5.4 million (the amount of his fine) by doing so. The FBI closed down Peterson's operation early last year.

A Queensland, Australia company has suffered a tarnished reputation due to a spam attack in which its name was spoofed by individuals who do not even live in Australia. The National Online Talent Management (NOTM) agency's customers and others who were not familiar with this company have sent large numbers of hostile email messages to the NOTM agency complaining about the spam. The bogus email had contained large amounts of text from a bona fide NOTM message. NOTM is trying to figure out a way to restore its public image.

Two California companies and three individuals have consented to pay a USD 2 million fine to settle the Federal Trade Commission's (FTC's) charges of false and deceptive practices. Enternet Media, Conspy, Baback Hakimi, Lida Rohbani, and Nima Hakimi conducted a ploy in which they advertised virus and spam eradication, but in reality infected computing systems of users who responded to their offer with malicious code. Users saw a pop-up that advised them of problems with their browsers and offered to fix them for free. Turning down the offer resulted in the pop-up ad being displayed. People who downloaded the so-called fix caused difficult-to-remove spyware and tracking software to be installed on their machines. The accused also deployed other tactics such as offering free music files, mobile phone ring tones and wallpaper to trick people into downloading the malware onto their computers. The conditions of the settlement permanently prohibited the accused from interfering with users' computers. As many as 18 million computers around the world may have been infected with the malicious code.

Fernando Ferrer, Jr. and Isis Machado, both of Florida, were indicted on charges of conspiracy to engage in computer fraud, conspiracy to perpetrate identity theft and conspiracy to illegally disclose individually identifiable health information. They also face fraud-related charges in connection with misusing computers and violating the Health Insurance Portability and Accountability Act (HIPAA). Ferrer and Machado allegedly conspired to pilfer personal medical data pertaining to more than 1100 Cleveland Clinic Florida patients and to exploit it to make more than USD 2.8 million from bogus Medicare claims. The Cleveland Clinic has informed patients whose information was pilfered of the data security breach. If convicted of the charges against them, Machado and Ferrer could each get a maximum of 10 years of imprisonment and a fine of USD 250,000.

Farid Essebar and Achraf Bahloul, both from Morocco, have been sentenced to prison for their activities related to the Zotob worm. This worm was released in August last year; it infected numerous computers, including computers belonging to the Associated Press, ABC, CNN, the New York Times, and the US Immigration and Customs Enforcement Bureau. Essebar and Bahloul received a two-year and one-year sentence, respectively. Defense attorneys for both men said that they plan to file an appeal.

Microsoft has won a civil suit against Paul Fox, a UK spammer. A court has ordered him to pay GBP 45,000 to Microsoft for violating the terms and conditions of using Microsoft's Hotmail service; among other things, these terms and conditions forbid sending spam to Hotmail users. Microsoft filed the civil suit because UK law enforcement did not pursue prosecution on the basis that UK anti-spam legislation is narrow in scope.

KSTM LLC, a company specializing in sending bulk email, has been ordered to pay Earthlink USD 11 million for spamming Earthlink customers in violation of the US CAN-SPAM Act. The judgment, rendered by a federal court in Atlanta, also forbids KSTM LLC from inserting bogus information in the "from" fields in email messages, obfuscating the identity of the sender, selling email addresses, and interacting with or obtaining Earthlink accounts.

A US federal judge has ordered UK-based Spamhaus, a "spam busting" company, to pay USD 11.7 million in damages to e360 Insight LLC. Spamhaus has identified e360 Insight LLC as a spam source, resulting in Spamhaus' decision to block all emails sent by this company. The judge ordered Spamhaus to quit blocking email from this company and to post an apology on its Web site. Spamhaus plans to defy the judge's order, saying that e360 Insight LLC is a bona fide spammer under UK spam laws and that US legal jurisdiction does not apply to UK organizations.

Xinet, the Peoples Republic of China's (PRC's) second largest domain name service (DNS) provider, experienced a DoS attack that took down 180,000 Web sites over eight hours. Among the many sites that were taken down was the Shanghai Daily site, which contained information about the attack.

Traci Southerland of Ohio has received a prison sentence of 13 years for stealing personal data from the Hamilton County, Ohio Clerk of Courts' Web site and then using the data to perpetrate credit card and check fraud amounting to USD 500,000. The Web site has been changed such that it blocks access to documents that contain personally identifiable information.

Six individuals have been arrested on fraud charges for their alleged participation in a phishing ploy in which credit card and bank account numbers were stolen from AOL users. The individuals allegedly gleaned thousands of AOL account addresses and then mailed ecards that downloaded programs that kept users from logging on to AOL without first entering credit card and/or bank account information. The perpetrators allegedly bought computers, gift cards, and gaming systems using the pilfered financial information. Three individuals have already pleaded guilty and face sentencing; they are likely to have to serve somewhere between two and nine-and-a-half years of prison time. Three others have still not been arraigned.

Microsoft is suing a yet unidentified programmer who created and released a program that defeats digital rights management (DRM) copy protection in Windows media files. Microsoft has released several patches to counter the program, but the individual has in each case released an updated version of the program that circumvents the patches. Microsoft wants unspecified damages and a permanent injunction against developing software that defeats DRM copy protection. The suit claims that the programmer obtained Microsoft source code without authorization, an allegation denied by the accused.

Yvon Hennings, a contractor at the Stevens Hospital emergency room in Edmonds, Washington, pilfered patients' credit card numbers and then handed them over to her brother, who used them to buy a large amount of goods on the Internet. Hennings has pleaded guilty to conspiracy to perpetrate access device and wire fraud; she will be sentenced soon. Her brother will go on trial early next year.

The number of computer crime-related news items in each Security Views column is steadily growing issue-by-issue. My count indicates that there are 28 such items in the current issue, a new record. The trend towards a growing number of arrests, trials and convictions for computer crime-related activities continues, too. Law enforcement and the legal system have targeted both individuals and crime rings, and where law enforcement is unable or unwilling to arrest criminals, organizations such as Microsoft and Earthlink are increasingly filling in the gap by filing lawsuits. Not too many years ago computer criminals could operate with much greater boldness; there was little to fear when they engaged in their sordid deeds. They must now be more clever and clandestine to avoid being prosecuted or sued, and the probability that they will have to face the consequences of their actions seems to be continually increasing.

3. More compromises of personal and financial information occur

Compromises of personal and financial information continue to occur at alarming rates. Computer theft and loss of computers continue to be one of the major reasons for such compromises, as shown by the following news items:

- Another US Department of Transportation (DOT) laptop system was stolen during an agency-sponsored conference last spring. The computer, which was assigned to the special agent in charge of the Miami, Florida office, held cleartext case file information. DOT's Inspector General has not resolved the issue concerning whether or not the laptop stored personally identifiable information.
- Another Department of Veterans Affairs (VA) laptop computer, one that contains personal information pertaining to nearly 20,000 US veterans, was lost but then later found. A reward of up to USD 50,000 had been offered for information leading to its recovery. Unisys, a company contracted to monitor insurance claim processing data for VA, had the computer. Khalil Abdullah-Raheem, a temporary Unisys employee, was arrested in connection with the theft. He was released after he posted a USD 50,000 bond. The FBI is determining whether or not the data stored on the laptop were compromised.
- Williams Sonoma has notified approximately 1200 current and prior employees that their personal information was stored on a computer that was taken from the apartment of a Deloitte & Touche employee. None of this information was encrypted. Deloitte & Touche was performing an annual audit of Williams Sonoma's financial statements. Local law enforcement is performing an investigation of the incident.
- Chevron Corp. conceded that a laptop stolen from an independent contractor holds personally identifiable information pertaining to an undetermined number of current and prior Chevron employees. Chevron has started to inform individuals whose data were on the stolen laptop and has offered them free credit monitoring and identity restoration services. Chevron also sent an email to all its employees to inform them of the data security breach and to boost awareness of the need for data security.
- Ten laptop computers that hold personally identifiable information of Medicare and Medicaid patients who have received treatment at Hospital Corporation of America (HCA)-managed hospitals in eight states were stolen from HCA offices. HCA is conducting an internal review and the FBI has been called in to investigate.
- A laptop computer that contained personally identifiable information, including names, SSNs and medical insurance information pertaining to more than 28,000 Home Care patients of Beaumont Hospitals, was stolen from the car of a nurse in Detroit. So far no evidence of misuse of the information exists. The laptop's stored information was both encrypted and password-protected, but the nurse's access code and password also fell into the wrong hands when the computer was taken. The login connection for the stolen computer was deleted. The laptop was found and returned three weeks after the theft.
- A laptop system with personally identifiable information pertaining to over 600 American Family Life Assurance Co. (Aflac) policyholders was pilfered from an Aflac agent's car. Aflac informed people who were potentially affected by the data security breach in a letter. The stolen laptop had tracking technology installed. Aflac has set up a call line for potentially affected customers. Local law enforcement has been called in.
- The Federal Motor Carrier Safety Administration, a division of the DOT, has announced that a laptop stolen from a government car may contain personally identifiable data pertaining to nearly 200 people who have commercial driver's licenses. The incident occurred last August in Baltimore, Maryland. This data security breach potentially affects 40 motor carrier companies. Law enforcement has been notified.
- Two laptop systems stolen from the Washington, DC offices of professional services contractor DTI last August contained the SSNs of 43 Department of Education employees who were evaluating grant applications for the teacher incentive fund. The data were not encrypted. Almost all of the potentially affected people have been notified, as were law enforcement and the Department of Education. Security cameras recorded the actions of a suspect in the theft. A reward for the return of the stolen computer has been offered.
- A laptop computer pilfered from the house of a contractor for the city of Chicago stored personally identifiable information, including names and SSNs, of thousands of city employees. Nationwide Retirement Solutions (NRS) is informing people whose information was on the stolen computer and will offer them one year of free credit monitoring and USD 25,000 of free identity theft insurance. NRS has used encryption on all laptop systems since the incident occurred.
- A computer taken from a medical lab's sample collection center in New Jersey contains personally identifiable information of patients. LabCorp mailed letters to inform people whose information was on the computer, which was stolen early last spring. The information includes names and SSNs, but not the results of lab tests.
- Wells Fargo has informed certain of its employees that their personal information, including names, SSNs, and medical insurance and prescription drug information, may have fallen into the wrong hands because a laptop system and a hard drive were stolen from an audit company employee's car. The audit company was appraising Wells Fargo's health plan information in accordance with Internal Revenue Service (IRS) requirements. Wells Fargo terminated the services of the audit company afterwards.
- Two laptop systems that contained data pertaining to over 13,000 prior and current students were pilfered from an office at the University of Minnesota. The data include names, dates of birth, aptitude test scores, academic probation information, the SSNs of some of the students, and more. Affected individuals were notified of the data security breach. A university spokesperson said that storing the data on a hard drive, as was the case in the stolen laptop, is not a standard operating procedure.
- A laptop system stolen from an Ottawa branch of the Bank of Montreal contains personally identifiable information pertaining to approximately 900 bank customers. A bank spokesperson announced that no evidence that the information has been misused exists. BMO Bank of Montreal has recommended that potentially affected customers closely monitor their accounts for potentially suspicious activity.
- A laptop system stolen from the car of a Florida National Guard soldier stored personally identifiable information pertaining to up to 100 Florida National Guard soldiers. The incident led to a Florida National Guard security review.
- A laptop system pilfered from an employee of auditor Morris, Davis & Chan held cleartext, personally identifiable pension plan information that included names and SSNs of employees from Howard, Rice, Nemerovski, Canady, Falk & Rabkin, a San Francisco law firm. The incident potentially affected approximately 500 people, all of whom were notified about the incident.
- Two computing systems stolen from the Radiation Therapy Department at DePaul Medical Center in Norfolk, Virginia stored information pertaining to approximately 100 patients. The hospital is informing everyone who has been potentially affected.
- The US Department of Commerce (DoC) has conceded that 1137 of its laptop computers have been lost or pilfered since 2001 and that 249 of them hold personally identifiable information. Some of the computers were password-protected; some others had data encryption. DoC Secretary Carlos Gutierrez said that approximately 6200 households could be affected by the thefts.
- A laptop taken from the hotel room of a General Electric (GE) employee contains the names and SSNs of approximately 50,000 current and prior GE employees. A GE spokesperson said that this company is offering all potentially affected people one year of free credit monitoring.
- A Nagasaki University official has stated that six laptop computers holding personal information pertaining to approximately 9000 patients were stolen from the Nagasaki University Hospital of Medicine and Dentistry. Names, birth dates and medical diagnoses were among the types of information that may have fallen into the wrong hands. Eight USB memory sticks and two hard drives were also taken. Law enforcement has been notified of the thefts.
- Computers taken from the Kenya Revenue Authority (KRA) held income tax return information. Other Kenyan offices have also recently experienced similar thefts. The thieves have reportedly been targeting recent models of computers, and are not interested in any data on them.
- The Leeds School of Business at the University of Colorado is notifying over 1300 current and former students that their names, SSNs and grades are stored on two computing systems that have disappeared. One of the computers has since showed up. The university has set up a hotline to answer questions from individuals who are potentially affected.
- A laptop system stolen from the car of a financial services company employee in Edmonton, Alberta contains personal information of 8000 area medical doctors. The company, MD Management Ltd., has informed the doctors of what happened. Alberta's Office of the Information and Privacy Commissioner said that MD Management Ltd. did not adequately safeguard the information from theft.
- A computer taken from a North Carolina Department of Motor Vehicles (DMV) office holds personal information pertaining to approximately 16,000 driver's license holders in the state. The information includes names, addresses and SSNs of individuals who were recently issued driver's licenses. No indication that the information has been misused exists; the DMV has informed everyone who has been potentially affected.

Other compromises were the result of unauthorized remote access to systems, as described below.

- A security incident in one of the University of South Carolina's servers may have exposed personal information pertaining to 6000 current and prior students. All potentially affected individuals have been informed of the incident, which took nearly one year to identify. There is no evidence of identity theft attempts resulting from the incident. Law enforcement has not been contacted concerning the incident.
- AT&T has admitted that personal and financial information pertaining to approximately 19,000 customers who used the company's on-line shopping site to subscribe to DSL services has been compromised. The perpetrators used the information they stole to initiate phishing attacks in which email messages directed recipients to visit a certain Web site to update their credit card information. AT&T informed credit card companies of the security breach immediately after learning of it and has also informed potentially affected customers. AT&T is also cooperating with law enforcement.
- Players of Second Life, members of a virtual community, have been requested to change their passwords after a perpetrator gained unauthorized access to a database that stored personal information pertaining to all 650,000 members of this community. The compromised information