abstracts of recent articles and literature


0167-4048/00$20.00 © 2000 Elsevier Science Ltd. All rights reserved

Abstracts of Recent Articles and Literature

Chloë Palmer

Mobile phone targeted by virus writers. The Kaspersky Lab has discovered a new harmful program capable of wreaking havoc to mobile phones. Over the last few months some virus writers have turned their attention to mobile phones and a virus writer with the pseudonym HSE has created a program that enables SMS messages to be sent in any volume to chosen numbers at any time. This program has been named ‘SMS-Flooder’ suggesting that the virus writer wants to bring the fear of ‘hell or high water’ to mobile phone users. The program written in MS Visual Basic 5.0 utilizes the public ‘canals’ in mobile phone networks in order to transmit the malicious SMS messages: www.free-sms.com, sms-link.btn.de, www.nm-info.de, www.pcteam.de, www.mobidig.net, www.lycos.de. Kaspersky Lab specialists classify this program as a malicious code, but confirm that the program itself is not dangerous because it does not perform any destructive action and is not capable of replication. To date, the program has only been discovered in Germany, seemingly because the gateways listed above only allow SMS messages on the German mobile phone network. However, certain features of the program suggest that this is just the beginning of the creation of Trojan horses capable of attacking mobile phones. Network Security, September 2000.

Security weak for E-commerce servers. An independent study has slated the safety of SSL servers used in E-commerce. Eric Murray, an independent security consultant, generated a random sample of Secure Servers running on the Internet and on each, ran a program that connects to an SSL server, obtains its certificate and determines its security settings. Of the 8081 servers sampled, 31.53% were found to have a weakness, 9.84% to have medium security and 58.63% to have strong security.

According to the report, the weaknesses were that the servers only supported weak (40-bit) ciphersuites (27.7% of weak servers), small (512 bits or less) RSA server keys (80.85%), use of the flawed SSLv2 protocol (1.18%), expired server certificates (9.97%), self-signed server certificates (2.79%) or a combination of one or more of these weaknesses. These weaknesses make the transactions that are protected by these servers easy to attack with modern key-cracking and hacking techniques. The author of the survey feels this problem lies in the fact that many sites don’t bother to update or patch software, even when readily available, until they are forced to do so because someone has broken in. Until then, they are still open to well-known vulnerabilities. This tendency to not update until forced to means that security software like SSL servers will simply not get updated. Transactions with weak sites can be at risk until the operators of the server make updating a high priority. One way to do so is to check the strength of the server and complain to the administrators if it is using weak SSL to protect sensitive information like credit card details or bank account details. Network Security, September 2000.

FBI wants global Internet security organization. It has been reported that the FBI wishes to establish a global Internet and E-commerce security agency and the Bureau plans to make Internet safety concerns a main issue of this year’s World E-Commerce Forum to be held in London, UK in October. The FBI plans to ask if current informal cooperation between security agencies around the world should become more formalized. It will also discuss how to guarantee e-commerce security and how to combat Internet fraud and viruses with international laws. Network Security, September 2000.

Computers & Security, 19 (2000) 540-546

Computers & Security, Vol. 19, No. 6

Banking on network security basics. Following Barclays’ recent security problems, a consumer group has stated that high street banks need to get back to IT basics in order to deliver secure online banking services. In the UK, the Consumers’ Association has called for banks to pay more attention to basic software testing and observe data protection legislation, rather than set up new bodies to tackle Internet security. According to Alan Stevens, head of digital services at the Consumers’ Association, “There are some very good regulations and laws in place that apply to UK Internet banks. It is not a case of putting new regulations in place. Companies have to make sure that their own back-office systems are secure and that they use normal rules of IT development.” Barclays is still testing its upgraded online banking service and has not given a date for when it will be re-installed. The bank blamed the security glitch on a software code error in the upgraded site. Network Security, September 2000.

RIP Bill passes Lords. The Regulation of Investigatory Powers Bill (RIP) has passed the UK’s House of Lords with minor changes. Critics of the controversial Bill warn that if it passes it will mean the UK is the only European country where the Government has the power to seize encryption keys from businesses. Additions have been made to the Bill allowing businesses to sue the security services if their confidentiality was breached as a result of the interception of E-mail. Police will be required to inform a judge within seven days of serving an order on a company. Other changes to the Bill will see a Technical Advisory Board oversee the installation of intercept capabilities at ISPs. Previously, there have been disagreements over whether the Bill should be rejected as a matter of principle or amended to improve its worst sections. Most changes were demanded by an alliance of Conservative and Liberal peers. Jack Straw is keen to push this Bill through as quickly as possible and it is expected to pass as law in October. Internet Magazine, September 2000, p. 15.

US to ban employer snooping. Proposed legislation in the US demands that employees be notified if bosses are using a range of commonplace monitoring tactics. This includes the scanning or reading of E-mail, monitoring of computer keystrokes and Web use, or eavesdropping on their telephone conversations. An American Management Association survey found that 73% of major US firms record and monitor their employees’ phone calls, Internet connections and computer files. One quarter of the companies surveyed said that they fired employees for misuse of telecoms equipment. In perhaps the most famous recent case, The New York Times fired 22 employees for passing around potentially offensive E-mails. Xerox also fired 40 members of staff for spending work time surfing pornographic and shopping websites. Under the plan, companies that want to monitor E-mail, telephone and Web use would have to inform employees annually or whenever monitoring policies change. Internet Magazine, September 2000, p. 15.

Online shopping hindered by security fears. A new study carried out by the National Consumer Council (NCC) in the UK has revealed that a lack of confidence in online security is hindering the expansion of Internet shopping. It has been reported that the Council found that currently only 3% of the British public shop online. The report found that customers are concerned with revealing credit card details online, the lack of opportunity to check goods before paying and the risk of fraudulent suppliers. The report also revealed that Internet users are more worried about shopping online than people who do not use the Internet. While 35% of adults think the Internet is the most risky place to shop, among Internet users that figure rises to 50%. Network Security, September 2000.

Open all hours, Bill Thompson. In the UK, if BT gets its act together, thousands of people who access the Internet from home PCs will be installing ADSL connections later this year. Once they get the technical problems sorted and hand over their bank details, these people will start to enjoy fast downloads, easy access to their favourite MP3s and even full-screen motion video. Unfortunately, they’ll also be the target of hackers, snoopers and anyone else who sees the Computer Misuse Act as an invitation rather than a deterrent. ‘Always-on’ is going to translate into ‘always open to abuse’ unless people start taking proper precautions. By the end of this year, large numbers of home PCs will be sitting at the end of always-on links and in the night, while their owners are sleeping, they’ll be penetrated, reformatted and hacked. These people’s bank accounts will be raided, their credit cards will be abused and their personal E-mail forged or widely published. Private letters will find their way onto hacker sites and confidential corporate information will appear on the Web. It is possible to make a Windows PC secure, but it’s complicated and restrictive. If we want a solution, we’re going to have to ask the operating system suppliers and the telcos to start taking security seriously. Internet Magazine, September 2000, p. 41.

Online Graffiti, Richard Baguley. It is becoming an increasingly popular pastime for hackers to deface websites, replacing the original content with a message of their own. The attack usually takes the form of replacing the home page. Although this is a nuisance, attacks can be more serious and may include deleting the entire website. PentaGuard has been responsible for a number of attacks on military and government websites. Their spokesperson said that often the servers are not badly configured; problems are caused by the plethora of bugs in NT. Others blame the site administrators running bug-ridden software. Systems running DNS with BIND software are particularly vulnerable to being overtaken; however, overloading the buffer is another popular method of obtaining control of a system. The best way in which to stay safe is to keep your operating system as secure as possible and to ensure that you have backups and an up-to-date copy of your website in case of defacement or deletion. Internet Magazine, September 2000, pp. 73-76.

Privacy 2000 — In web we trust, Danial Tynan. The Web provides a constant opportunity for monitoring of your surfing activities by third parties. There is a temptation to part with personal information in exchange for free goods and services such as E-mail accounts, Web hosting services, Internet access and DSL connections. To protect yourself from cyber-spying you may choose to give false information or use an IP address cloaking service. However, as soon as you use your credit card, you lose anonymity. Thus, the biggest threat to privacy is actually legitimate business. One example is RealMedia who have been sued for allegedly recording the tracks customers request and thus building up a database of their musical tastes. DoubleClick have caused controversy by recording data each time you see one of their banner ads. The software saves a cookie to the hard drive which then sends URLs to the advertiser each time you see a banner belonging to them. Amazon.com has also been accused of recording too much data using its ZBubbles shopping software and is currently involved in litigation with consumers. ZBubbles’ menu bar sits on top of your browser as you surf, suggesting similar sites to visit. It records the addresses of each page you view. This is significant when using a search engine where your search criteria appear in the URL. Other information can be collected and fed back in the same way. It is difficult for the community to be self-regulating because when one company starts selling consumer profiles, others must follow or risk losing their competitive edge. Legislation is also difficult as there is the danger of using the legal sledgehammer to crack a nut. If consumers vote with their feet on this issue, it is hoped that in time merchants will have to respond. PC World, June 2000, pp. 103-116.

Liberty safe, E-commerce in peril. The UK government has been forced to change its mind about part of June’s Regulation of Investigatory Powers Bill. The old clauses regarding the burden of proof for decryption meant that the individual had to prove that they did not know, or could not remember, their decryption password. This has been altered so that the prosecution has to prove beyond reasonable doubt that individuals actually knew their password when notice of decryption was served. The rest of the Bill is largely unchanged and many critics say that it will still seriously damage E-business by damaging confidence. Business and Technology, July 2000, p. 14.

E-Sleuths make net safe for E-commerce, David Essex. RIPTech Inc. has come up with a low maintenance security system for small to medium-size companies. Many existing systems are complex and require many man-hours in order to monitor them. RIPTech experts take the role of monitoring the data generated by security services such as firewalls, border routers or virtual private networks. The data is then analysed in real time, passing through four main eSentry modules. Meanwhile an event tracking module flags potential trouble spots. The system facilitates a management overview of a company’s security posture as a whole. Computerworld, June 12, p. 80.

Missing disks highlight need for security, Jaikumar Vijayan. The US Department of Energy and the FBI have launched a joint investigation into the loss of two computer drives from the Los Alamos National Laboratory. The information is reported to contain classified information on how to disarm Russian and US nuclear devices. The loss of the disks has been blamed on failure to have procedures in place to enforce security policies. It has been suggested that tagging technologies should be used to recover equipment, should things go wrong again. Security analysts pointed out that unauthorized visitors are sometimes not barred from sensitive areas because enforcing an access policy might hurt their feelings, and that security ultimately comes down to trust and human nature. Computerworld, June 19, p. 8.

BSA takes a new tack in fight against piracy, Todd R. Weiss. Business Software Alliance (BSA) recently announced software piracy settlements with 20 different US companies totalling $2.4 billion in one week. A spokesman said that so many were announced at the same time to highlight the costs and prevalence of software piracy. The group estimates that such piracy costs vendors about $3.2 billion in lost revenue in the workplace alone. The BSA combats piracy through a toll-free hotline 888-NO-PIRACY which is used to generate tip-offs. They are also conducting market surveys into how many PCs and software applications businesses have in comparison to how many have been sold to them. Computerworld, July 3, p. 24.

EcomCard after teens with new E-card, Daniel McHardie. Canadian company EcomCard Inc. is targeting the teenage E-commerce market by introducing E-cards for shopping online. They want to eliminate the limiting factor of parents’ reluctance to allow teenagers to use a credit card by releasing a pre-paid card. Consumers would pick up an EcomCard at a participating shop or bank and have it programmed with the maximum amount that they wish to spend. The card could then be used in a similar way to credit cards, by entering a sixteen digit code to purchase online goods and services. The difference between the EcomCard and credit cards is the anonymity and disposability of E-cards. The scheme is in response to market research which says that of 85% of teenagers who use the Internet only 10% have purchased online. Interestingly 84% of teens also believe that using a credit card online is not secure. The teen market is largely untapped and the EcomCard could be very lucrative, however many alternative payment methods such as virtual cash have already failed. Even if the initiative is successful, some doubt whether the teenage market have enough money to generate much revenue in the E-commerce market. The Toronto Globe and Mail, August 7, pp. B1-B2.

Patent, Sabra Chartstrand. A new damage limitation security device has been recently patented in Kowaskai, Japan. Inventor Mikio Haseby has developed a system where you can send an E-mail to a lost laptop which will lock the device or delete the data it holds. It works by the owner of a wireless-enabled device choosing a password and a security response should anything happen to the machine. If the laptop is then stolen or mislaid, the owner can send it an E-mail with the password in the subject line. The next time the machine is activated, the predetermined security measure is activated. NY Times, August 7.

Alleged CNN hacker faces more charges, Ingrid Peritz. The 16-year-old hacker accused of crippling CNN’s website has been accused of a further 64 charges. These include 54 counts of unauthorized access to a computer service and 12 counts of mischief in connection with other websites. Alleged high-profile victims include Yahoo, Amazon, Dell.com and eBay as well as some top American Universities. The youth, who calls himself Mafiaboy, is to appear in Youth Court on 28th September. Despite the additional charges he still faces a maximum sentence of two years of youth detention. The Toronto Globe and Mail, August 4, p. A4.

E-terrorists target WAP. Hackers and E-Terrorists are currently exploring possible security holes in WAP phones and calculating their susceptibility to viruses. One known flaw is that when an E-mail is sent from a WAP phone to a land-based account the data is unencrypted at the point where it reaches the Internet, thus leaving the data vulnerable to attack. It has not yet been demonstrated that viruses can spread from one mobile phone to another, however any new technology that becomes part of the public network attracts a great deal of attention from hackers. Business and Technology, June, p. 15.

Following US lead, MITI to lift ban on encryption-software exports. Japanese companies are to be allowed to export encryption software, it has been ruled by the Ministry of International Trade and Industry (MITI). The prohibition was enforced because of the fear that the programs might be used for military purposes. The MITI had required companies wishing to export encryption software to state the purpose for which it was to be used, but this has proved impossible for companies using it on the Internet. However, the US recently lifted their prohibition, and it has been suggested that the Japanese are doing the same in order to ensure that they do not fall behind their foreign competitors. Under law, the approval of MITI is still required for the export of certain products which could be of military use. Nikkei Weekly, July 17, p. 6.

‘Carnivore’ muzzled? Julie Hyman. The FBI’s E-mail probing software, Carnivore, has caused controversy because it can be used to scan private E-mail. Although the FBI say that it can only read the sender and recipient’s addresses, it has raised concerns over personal privacy despite the fact that agents need a court order in each instance before they can use the software. In response to the program, ChainMail has released a public service E-mail encryption program available for free. Although encryption is likely to become more widespread, it is necessary for both sender and recipient to have the appropriate software, to encrypt and decrypt, in order for it to work. Washington Times, August 8, pp. B7, B9.

Countering counterfeiting. A year on from the US government’s Intellectual Property Rights Initiative to combat counterfeiting and piracy, some progress seems to have been made. Tougher sentencing has been enforced, based on the value of the loss of legitimate goods, rather than on the value of the counterfeits which is often much lower. Intellectual Property (IP) has been named as a priority in white-collar crime according to the FBI’s Washington fraud unit. As a result, indictments and convictions for IP crime have increased. The FBI and US Customs have also launched initiatives to ensure that the government is not working at cross purposes internally, and also to liaise with enforcement agencies from other countries on international cases. Security Management, July, p. 16.

Ouch! Outlook’s virus vaccine hurts, Mitt Jones. Microsoft have released a fix in response to the ‘love bug’ attack in May. The defence is two pronged. The ‘I Love You’ virus and last year’s Melissa virus worked by getting into your system via executable code attached to an E-mail. They then propagated themselves by sending themselves to users listed in the address books of infected PCs. These factors are combated by firstly denying executable E-mail attachments (.exe, .com and script files such as .vbs and .js files) and also notifying you every time any other application attempts to access your address book or to send E-mail from Outlook. The drawbacks are obvious: you cannot share data if it happens to be in any way executable. Also, the update blocks various file types such as self-extracting zip files and MS Access Projects. If that were not enough, the update prevents parts of other applications from working. Examples of this include MS Office’s mail-merge and Palm synchronisation software. Microsoft are expected to add further administrative tools to allow the new security measures to be customised. PC World, August, p. 43.

E-signature law opens new doors for security firms, Karen Alexander. A new law has been passed in the US to make digital signatures as legally binding as pen on paper ones. Firms who make computer security equipment anticipate increased interest in products which enable E-signatures to be made and those which reduce the risk of theft. Despite the fact that some transactions using online signatures have been made, it is now felt that the legislation will add credence to the practice. This may mean that big-money transactions will be carried out online and businesses such as the financial service industries may accept the use of E-signatures. Digital signatures have the advantage of allowing business to be done in real time. Although the new law validates the use of digital signatures, it does not go far into defining them or the technologies that should be used to support their security. In general terms, a digital signature is a secret code assigned to an individual which they assign to a transaction or document to denote that they intended to sign it. This digital signature can be verified in one of three ways: something you know (like a password or personal information), something you have (like a smart card containing personal data) or by who you are (through digital scanning of fingerprints or retina). Most security programs involve at least two of these technologies for digital signature verification. It is anticipated that consumers will be slow to latch onto the new system as they are likely to place a sentimental value on the old-fashioned signature. The real application at the moment is likely to be for business to business transactions. L.A. Times, July 1, pp. C1, C3.

‘Piecemeal security policy’ won’t work, Andy McHue. Research group IDC has found that although 75% of companies implement security measures, the approach taken to security does not make it central to corporate culture. The survey, Security Services: Protecting the E-business infrastructure, revealed that many companies are looking at the issues too simplistically. Although more than two thirds of those surveyed had firewalls and almost all had virus protection software, few had considered a more sophisticated public key infrastructure. A spokesperson for IDC stated that the culture in security management needs to change from one of barricading access to resources, to an attitude of facilitation of controlled access. Computing, July 27, p. 4.

Safeco introducing coverage against Internet attacks, Ruth Levine. Safeco Corp. has created insurance to cover all manner of online threats. More comprehensive than its rivals, Safeco is aiming at all businesses that are vulnerable to viruses and service interruptions. Premiums start at $5000 per year with the typical cover being around $50 000 and covering up to $10 million in liability. Policies cover lost earnings, data retrieval costs and PR expenses. Third party cover is also available for intellectual property and interruption of service claims. Insurance against the Internet may be a relatively new concept, but it is likely to become a critical element for businesses that have any online dealings. Puget Sound Business Journal, June 29.

When checking network security, can you hire hacker think tank? Paul Korzeniowski. The relationship between network security managers and hackers may soon become a partnership. Some companies are now putting hackers on the payroll in order to spot security bugs that have been missed by the programmer. In May 1999, a hacker from a group called L0pht discovered a security breach in Microsoft’s Internet Information Server 4.0. L0pht has since cast off its hacking reputation and become a firm of security specialists. A spokesperson from L0pht criticised the way in which companies publicize security flaws: by issuing a press release and asking customers to download a new module. He asserted that if the flawed code were publicized, customers would understand the problem and hackers might actually be able to help plug the hole. Hackers, by their very nature, have the appropriate analytical skills to spot flaws, but opponents to the idea say that hackers cannot be trusted. Indeed, publicizing flaws has been described as analogous to leaving a loaded gun unattended. Even so, businesses are on the threshold of making new decisions about where hackers fit in to computer security. Investors Business Daily, July 11.

Hijackers make off with e-Identities. The domain name Web.net, a hosting site for 700 Canadian charities, has been stolen. Hackers forged or ‘spoofed’ an E-mail account and made changes to the database of the legal owners, Network Solutions, altering the ownership of the Web.net domain. The hijackers also re-routed traffic elsewhere and then changed the owner’s name again. The motivation for attacking a non-profit making organization is unclear, as extortion under these circumstances is more complex than with a profit-making company. The hackers may have intended to sell the domain name or have just stolen it for entertainment. This is not an isolated incident; bali.com has also been targeted by the same group. The practice of scooping up valuable domain names, and then moving them around until the paper trail is lost is known as ‘domain name laundering’ and has the potential to allow a hijacker to amass substantial assets. Toronto Globe and News, June 2.

The Pentagon worries that spies can see its computer screens, Michael J. McCarthy. The US military and intelligence agencies have launched a classified programme called Tempest to guard against the risks of “compromising emanations” from computers. The problem is that every video-display terminal emits radio-frequency waves. These waves can be captured remotely by an antenna focussed on the machine. When correctly set up this surveillance equipment can amplify these emissions and then translate them in order to display whatever is on the targeted display screen. The danger is that security can be compromised out of thin air from a distance of up to about 100 yards. The US government has been fighting back by researching methods of damage limitation; protective materials and anti-surveillance monitoring tools. One difficulty is that federal law does not take account of computer surveillance through the air and so the practice may not be illegal. The courts have not yet had the opportunity to test the question although there has been an FBI sting which resulted in the arrest of a man for attempting to export such monitoring equipment. Some experts claim that concerns are exaggerated as there is a vast array of other equipment emitting many radio-frequency waves, which would make it difficult to pick up the relatively weak emissions from a single computer. Emissions surveillance is also a costly method of information gathering and the old-fashioned corporate methods of, for example, bribing a disgruntled employee, are much simpler and more cost effective. Wall Street Journal, August 7, pp. A1, A6.
