Category: News

Richard Lugar, R-Ind., said at a hearing Thursday that the Council of Europe’s cybercrime treaty should be ratified quickly because it “will help the United States continue to play a leadership role in international law enforcement and will advance the security of Americans at home and abroad.” Lugar is the chairman of the Senate Foreign Relations Committee.

The treaty would require participating nations to update their laws to reflect computer crimes such as unauthorized intrusions into networks, the release of worms and viruses, and copyright infringement. The measure, which has been ratified by Albania, Croatia, Estonia, Hungary, Lithuania and Romania, also includes arrangements for mutual assistance and extradition among participating nations.

If ratified by the Senate, the treaty would “enhance the United States’ ability to receive, as well as render, international cooperation in preventing, investigating and prosecuting computer-related crime,” Samuel Witten, a legal adviser at the U.S. State Department, said when he testified Thursday.

“Such international cooperation is vitally important to our efforts to defend against cyberattacks and generally improve global cybersecurity.” An addition to the treaty would require nations to imprison anyone guilty of “insulting publicly, through a computer system” certain groups of people based on characteristics such as race or ethnic origin, a requirement that could make it a crime to e-mail jokes about Polish people or question whether the Holocaust occurred.

The Department of Justice has said that it would be unconstitutional for the United States to sign that addition because of the First Amendment’s guarantee of freedom of expression. Because of that objection, the Senate is not considering the addition, but other nations ratifying the treaty are expected to adopt both documents. Still, some civil liberties groups have criticized the portion of the treaty that is moving through the Senate.

The Electronic Privacy Information Center on Thursday sent a letter to the Foreign Relations Committee saying it should not be ratified because it would “would create invasive investigative techniques while failing to provide meaningful privacy and civil liberties safeguards.”

More info: http://news.com.com/Senate+debates+cybercrime+treaty/2100-1028_3-5238865.html

“There is an incredibly shrinking pool of IT security professionals in government,” said Jack Johnson, chief security officer at the Homeland Security Department. Johnson is working on developing the Homeland Security Information Network, which he said would be at Defense Department “secret level” by year’s end. He also said Homeland Security is looking to redesign personnel security to prevent internal cyber attacks.

“The sharing amongst bad guys is growing,” he said at a SecureE-Biz.net conference. “The sharing amongst the good guys on procurement, technology and approach needs to grow at an equal or greater rate.

The president last year signed a law authorizing a significant increase in cyber-security R&D funding, but it was not requested in the fiscal 2005 White House budget proposal.

Thomas O’Keefe, deputy director of the Federal Aviation Administration office of information systems security, said more research and development, and more collaboration among researchers and industry, is needed on cybersecurity. The air-traffic network is completely separate from the Internet, as well as other aspects of the FAA network, making it impossible for viruses to spread from those sources, he said.

More info: http://www.govexec.com/dailyfed/0604/061004tdpm2.htm

During a panel discussion about the possibility of government creating cybersecurity regulations, Press and Rich Mogull, a research director for Gartner Research, advocated government taking a more active role.

While others on the panel suggested the U.S. government could affect cybersecurity by using its huge purchasing power to influence companies, Press questioned why software vendors aren’t sued for selling products with security flaws. Without laws allowing software vendors to be sued, “you are rewarding people for selling broken products,” he added. Instead of software vendors being held responsible for cybersecurity problems, the buyers pay the bill, Press said. Instead of government regulations, software buyers should demand better products, he said. In all but the desktop market, where Microsoft dominates, competition over the past couple of years has helped improve software security, Pescatore added.

Fred Barnes, executive editor of the conservative Weekly Standard and cohost of Fox News’ Beltway Boys, asked the panel why more cybersecurity legislation hasn’t been considered in the U.S. Congress.

“There’s a fear of stifling innovation,” said Roger Cressey, president of Good Harbor Consulting LLC and former counterterrorism expert at the White House.

Fred Barnes, executive editor of the conservative Weekly Standard and cohost of Fox News’ Beltway Boys noted that some government and private cybersecurity experts have been warning of the possibility of a “digital Pearl Harbor,” a massive attack on U.S. IT assets, for several years. The threat cannot be overstated, answered Bob Dix, staff director for the technology and information policy subcommittee of the House Government Reform Committee. However, Dix said Monday he hopes the subcommittee’s efforts to raise awareness about cybersecurity will get company chief executives to take the issue seriously.

But Press suggested that the software industry should be proactive and work with Congress now to pass legislation the industry can live with.

More info: http://www.nwfusion.com/news/2004/0607cybertooi.html

Software companies must add additional controls to the development process for software produced outside the U.S., said Steve Solomon, chief executive officer of the Dallas, Texas-based Citadel.

“Software development organizations should be required to have all overseas-developed software examined for malicious capabilities embedded in the code,” Solomon told the House Government Reform Committee’s Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Much of the hearing, which lasted more than two hours, was devoted to government agencies detailing their cybersecurity efforts, but Solomon’s comments drew disagreement from Microsoft Corp. and Juniper Networks Inc. representatives.

Subcommittee chairman Adam Putnam, a Florida Republican, focused some of his questions on the patching process after software vulnerabilties are discovered. Asked by Putnam if the patching process and the alert process that accompanies it is working well, Scott Culp, senior security strategist for Microsoft, said he believes software vendors are working hard to notify government and private customers. “I remain concerned that we are collectively not moving fast enough to protect the American people and the U.S. economy from the very real threats that exist today …

Solomon also suggested that companies that rely on patch management services have “false security” because they are missing larger problems, such as the lack of broad security policies and recovery after attacks.

Incentives such as tax breaks, cybersecurity insurance and lawsuit reform could help software companies make more secure products, Rosenthal added.

Meanwhile, the U.S. Department of Homeland Security (DHS) is working with private companies to pump up the programs offered by US-CERT, the government’s computer emergency readiness team, said Amit Yoran, director of the National Cyber Security Division at DHS. US-CERT launched a national cyber alert system in January, and around mid-year it plans to roll out a partner program to encourage private companies and universities to work with government agencies. Goals of the partner program include the better sharing of information on cyber threats, improving cyber response and increasing discussion about cybersecurity, Yoran said.

More info: http://www.infoworld.com/article/04/06/02/HNoffshorecheck_1.html

Representatives at the Cupertino, Calif.-based company were quick to point out that the threat was merely a so-called proof-of-concept virus–a worm developed by someone to show that vulnerabilities are present in a particular type of system–and not a virus already spreading in the wild.

However, Oliver Friedrichs, senior manager of Symantec’s Security Response Team, said W64.Rugrat.3344 can attack 64-bit Microsoft Windows files successfully. He said the virus does not infect 32-bit files and will not run on 32-bit Windows systems. Since 64-bit systems have yet to proliferate widely, Symantec maintains that the virus does not yet represent a serious threat. “We always see early adopters trying to find a way to attack new technology right away, as we did with 32-bit, so it’s not surprising to see this,” Friedrichs said. “But we do expect to see more of these, as 64-bit technology becomes more prominent.”

The 64-bit market is expected to grow rapidly. By the end of next year, most Intel chips, will be 64-bit capable, and virtually all of rival Advanced Micro Devices’ processors will be 64-bit chips. Software titan Microsoft is also pushing the high-end market forward. Earlier this month, Chairman Bill Gates asked hardware makers to start writing 64-bit drivers for their software.

Among the advantages of 64-bit software is the ability to gracefully accommodate more physical memory than the 4GB limit in 32-bit systems.

Symantec said it was not expecting widespread copycats of W64.Rugrat.3344, since the affected assembly code requires fairly advanced technical knowledge. Symantec said W64.Rugrat.3344 was created in IA64 (Intel Architecture) assembly code and infects IA64 executable files, excluding .dll files. The security specialists reported that W64.Rugrat.3344 also infects files that are in the same folder as the virus, as well as all files within related subfolders.

Symantec is currently updating its Norton AntiVirus product line to protect against W64.Rugrat.3344 and expects to have versions of the software armed to defeat the virus ready by the end of the day Thursday. The company earmarked the 64-bit virus as a Level 1, or the least dangerous sort of threat ranked on its five-tiered ratings system, but warned users to update their virus protection systems as quickly as possible.

The company earmarked the 64-bit virus as a Level 1, or the least dangerous sort of threat ranked on its five-tiered ratings system, but warned users to update their virus protection systems as quickly as possible.

More info: http://zdnet.com.com/2100-1105_2-5221949.html?tag=adnews

Microsoft said on Tuesday that it had agreed to combine its Caller ID efforts with the SPF, a specification crafted by Pobox.com Chief Technology Officer Meng Wong.

A recent crop focuses on the idea that ISPs could publish the range of Internet Protocol addresses associated with their e-mail domains. If there’s no match, the recipient’s ISP can safely assume that the message is spam–or at least fraudulently addressed. The combined SPF and Caller ID, which has yet to be named, will use XML (Extensible Markup Language) to let Net service providers post IP addresses in the Domain Name System, the giant database that translates alphanumeric domain names like “news.com” into numerical IP addresses for Web servers.

“The convergence of the two proposals is a very positive milestone in the war on spam and brings together the best of both SPF and Caller ID,” said Microsoft spokesman Sean Sundwall. AOL, which in December began testing SPF, hailed Microsoft’s collaboration with Wong. “We welcome Microsoft to the position we have long held concerning the attributes of SPF,” AOL spokesman Nicholas Graham said. “And on the need for a joint standard that is about more than one technical standard, one technology or one company. We were the first ISP to agree to test and implement SPF, back in December, and we think this convergence is the right approach at the right time.”

Other systems for authenticating mail are also in progress. Sendmail and Yahoo have gotten behind DomainKeys, which authenticates e-mail through digital signatures and is not mutually exclusive with DNS-based systems.

More info: http://zdnet.com.com/2100-1104_2-5220253.html