Tuesday, October 03, 2006
How to defeat the new No. 1 security threat: cross-site scripting
Martin Heller
September 29, 2006 (Computerworld) Cross-site scripting, often abbreviated XSS, is a class of Web security issues. A recent research report stated that XSS is now the top security risk.
In a typical XSS scenario, a Web page might use JavaScript to dynamically generate some document content based on a field in a Uniform Resource Identifier (URI). In the normal course of events, the site itself would generate legitimate information for that field.
If, however, the script that generated the new content did not filter the URI, it would be possible for an attacker to feed the page a custom-designed URI that ran a script. The script could do almost anything, and the user would never know that he wasn't seeing legitimate content unless the hijacker was blatant.
This is potentially very bad, since it is one way to enable phishing. For example, suppose a Web page with a cross-site scripting vulnerability belonged to a bank. An attacker aware of the vulnerability could forge e-mails purporting to be from the bank, with URIs that indeed led to the bank's site, but contained some malicious script that wouldn't be obvious to a casual observer. Once a user clicked on the link in the e-mail and logged into the bank site, their login credentials (in the form of cookies) for the current session would be transmitted to the attacker, who would be able to take over the user's account as long as the session was active.
This is considerably worse than an attack that takes users to a forged Web page, because it can, in principle, bypass most forms of authentication protection. After all, it's using the bank's own authentication system, and then hijacking the results. David Flanagan, author of JavaScript: The Definitive Guide, says cross-site scripting "enables a pernicious vulnerability whose roots go deep into the architecture of the Web."
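The scenario described above, reduced to the two lines of code that matter, as an added example that is not part of Heller's article: a page builds a greeting from a field in the URI, once without any output encoding (the vulnerable form) and once with it. The field name, the URIs and the inputs are all constructed for this illustration; the check at the end is the kind of assertion a defender would put in a regression test for the fix.

```javascript
// Added example (not from the Computerworld article): a DOM-free model of a
// page that builds content from a URI query field. The vulnerable renderer
// and the hardened one sit side by side so the difference is visible.
// Field name, URIs and inputs are all constructed for this example.

// Read a query parameter from a URI (the "field" the article refers to).
function queryParam(uri, key) {
  return new URL(uri).searchParams.get(key);
}

// HTML-escape untrusted text before interpolating it into markup, so the
// browser shows it as text instead of interpreting it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Vulnerable: the URI field is copied straight into the page, so any markup
// in the field becomes part of the document the browser renders.
function renderUnsafe(uri) {
  const name = queryParam(uri, 'name') ?? 'guest';
  return `<p>Welcome, ${name}</p>`;
}

// Hardened: the same field is encoded on output. The page content is the
// same for legitimate input; only hostile input is neutralised.
function renderSafe(uri) {
  const name = queryParam(uri, 'name') ?? 'guest';
  return `<p>Welcome, ${escapeHtml(name)}</p>`;
}

// Regression check: does a rendered fragment contain a script tag the page
// never intended to emit? (Deliberately simple; for illustration only.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample URIs: a legitimate one, and one whose field carries markup.
const LEGIT = 'https://bank.example/welcome?name=Alice';
const CRAFTED = 'https://bank.example/welcome?name=' +
  encodeURIComponent('<script>/* untrusted */</script>');
```

With `LEGIT` both renderers produce `<p>Welcome, Alice</p>`; with `CRAFTED` only the unsafe renderer emits a live `<script>` element. The fix is output encoding at the point where untrusted data meets markup, which is exactly what the CERT summary quoted below asks for ("generated pages are properly encoded").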
Some history
Cross-site scripting first received wide notice in February 2000, when CERT® Advisory CA-2000-02, "Malicious HTML Tags Embedded in Client Web Requests," was published. The original summary was:
"A Web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a Web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user."
The systems affected were listed as "Web browsers" and "Web servers that dynamically generate pages based on unvalidated input."
One XSS example given in the original CERT advisory is this link:
Click here
Looking back at this example from the perspective of six years of dealing with XSS and malicious spammers, it seems a bit naïve. After all, only a user who didn't bother to look at the link destination could be tricked into clicking on such a link. The presence of the tag "
GE: Laptop with data on 50,000 staffers stolen
Reuters
September 26, 2006 (Reuters) General Electric Co. said today that a company laptop containing the names and Social Security numbers of 50,000 current and former employees was stolen in early September.
The laptop, which had been issued to a GE official who was authorized to have the data, was stolen from a locked hotel room, GE said.
The Fairfield, Conn.-based company began mailing letters this week to the people whose names and Social Security numbers were on the laptop to notify them of the breach and offer a year's free access to a credit-monitoring service, GE spokesman Russell Wilkerson said.
Wilkerson declined to give further details such as where and when the theft took place or whether the company official is still with GE.
Nonetheless, he said, evidence suggested the thief was after the computer, not the data on it. Wilkerson also said there is no sign that the information had been used improperly.
The loss of the data, including employees' names and Social Security numbers, raises the specter that the information could be used in identity theft schemes, in which criminals apply for credit cards and other services under stolen names.
The U.S. Department of Veterans Affairs came under fire in the spring after a laptop containing data on 26 million military veterans and service members was stolen from a staffer's home.
In the past year, major U.S. companies that have reported the loss of computer equipment containing data on employees and customers have included aircraft maker The Boeing Co., financial services company Ameriprise Financial Inc. and a U.S. mortgage firm owned by Dutch bank ABN AMRO Holding NV.
Labels: General Electric Co.
List of Data Breach Notices Lengthening
Jaikumar Vijayan
September 04, 2006 (Computerworld) The steady stream of data compromises continued unabated last week, with several more companies disclosing security breaches.
One of the biggest snafus involved AT&T Inc., which said that malicious hackers had made off with credit card information and other personal data belonging to about 19,000 customers of the company's online store for Digital Subscriber Line equipment.
In a statement, AT&T said "unauthorized persons" had illegally hacked into one of its computer systems and accessed the customer data. The intrusion, which took place on the weekend of Aug. 26 and 27, was discovered "within hours," and the online DSL store was immediately shut down, according to AT&T.
If there's a continuing lesson to be learned from such incidents, it's that companies need to pay more attention to data security, not just network security, said Ron Ben-Natan, chief technology officer at Guardium Inc., a security tools vendor in Waltham, Mass.
"The bottom line is that the data is leaking and is not being contained in the way it should be," he said. Companies must pay more attention to measures such as activity monitoring and auditing, encryption, data classification and policy enforcement, he added.
Corporate users also need to adopt more "systemic security management" approaches, said Doug Graham, a partner at BusinessEdge Solutions Inc., an IT consulting firm in East Brunswick, N.J. "People want things to be secure, but too often they tend to see security as a problem for the security guys," he said. Instead, the goal should be to make security an integral part of all business processes, Graham said.
Among the companies reporting breaches last week was Philadelphia-based Sovereign Bancorp Inc., which said that three laptop PCs containing confidential information about bank customers had been stolen in two separate incidents in early August. Sovereign spokesman Carl Brown declined to disclose how many people were affected by the thefts, saying only that the number amounts to about 1% of the bank's customer base.
None of the data on the stolen laptops was encrypted, although the systems were password-protected, Brown said. That met corporate security policies, he added.
Mobile network operator Verizon Wireless disclosed that on Aug. 21, an employee accidentally sent an e-mail with an attachment containing the names, cell phone numbers, e-mail addresses and phone models of nearly 5,000 customers to about 1,800 other subscribers. The attachment was supposed to have been an electronic order form.
In an e-mailed comment, a spokesman for Verizon Wireless said the affected customers were informed of the breach but also were advised that the compromised data was unlikely to be of much use to identity thieves.
On Aug. 22, a laptop belonging to the Federal Motor Carrier Safety Administration was stolen. The FMCSA, which is part of the U.S. Department of Transportation, said last week that the laptop is believed to have contained the names, dates of birth, Social Security numbers and other personal data of about 193 people who hold commercial driver's licenses across 14 states.
An FMCSA spokesman said the agency isn't 100% sure that the laptop contained the personal information and only made that assumption based on the system's last interactions with its network.
Labels: AT and T
Building Up Database Defenses
Robert L. Scheier
August 28, 2006 (Computerworld) Chief Security Officer Barak Engel doesn't store many customer credit card numbers at San Francisco-based Loyalty Lab Inc., which runs customer loyalty programs for retailers. But he protects those numbers fiercely.
A vulnerability scanning and remediation service from Qualys Inc. scans Loyalty Lab's network perimeter for weaknesses, while two-factor authentication from RSA Security Inc. verifies its users' identities. Tripwire Enterprise from Tripwire Inc. audits changes to the company's environment for signs of misuse, Nessus software from Tenable Network Security scans for vulnerabilities on servers, and SecureDB from nCipher PLC encrypts the data itself.
That's a lot of defense for less than a few hundred megabytes of credit card numbers. But customers, regulators and investors are requiring that companies do whatever it takes to protect "data at rest," whether that data is in a structured database, on a backup tape, on a storage-area network or in a spreadsheet on a notebook computer.
For Engel, one of the key drivers is the Payment Card Industry (PCI) data security standard. It specifies 12 requirements for all companies that accept credit cards, including encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, and activity monitoring and logging. To meet such requirements, organizations must determine what sensitive data they own, where it is stored, how it is used and the likely attacks it faces. They must then defend it using tools such as access control and authentication systems, vulnerability scanners, data access monitors and encryption.
Know the Threat
Threats may come from disgruntled employees using legitimate access rights to prowl for data, forgetful users whose data-rich notebooks are stolen, and dishonest employees who sell information to the highest bidder. Even if you trust (or are) the database administrator, many regulations require a "separation of duties" that limits which information a database administrator can view.
Data at rest is information that is stored, even temporarily, as opposed to data in transit over a network. It most often refers to structured data, such as the rows and columns of a relational database, but it can also include unstructured data created by other applications, such as word processing, spreadsheet and e-mail programs.
Without an upfront information assessment, organizations often encrypt too little or too much data or fail to build defenses against the most likely threats, says Gartner Inc. analyst Rich Mogull. Some vulnerability scanning and database access tools can help customers find databases they didn't know they had, as well as track where sensitive data is kept and how it's being used. These tools make it easier to identify which information to protect and where encryption and decryption will be required.
Encrypting more data than necessary can cripple database or application performance, says Trent Henry, a senior analyst at Burton Group, a research firm in Midvale, Utah. It can also lead to disaster if you can't find the proper decryption keys when you need the data. An information inventory also helps ensure that you are encrypting data at the most likely point of attack.
Defensive Tools
Many customers use a combination of four protective technologies, chosen to meet their specific needs and budgets. Access control and authentication products verify the identity of users and control which databases, applications and information they can access. Many of these functions are contained within commercial databases, says Mogull, and thus don't require third-party tools. Vulnerability scanners check databases (and sometimes servers) for well-known vulnerabilities, such as default or weak passwords or unnecessary services or processes that are running. They then produce audits or reports listing the results.
Database access monitoring tools track who accessed what data in which databases, when they accessed it and whether and how they changed it. The tools then alert security managers to suspicious behavior, such as a middle-of-the-night query for all customers' credit card numbers. Key features to look for, as with access control and authentication products, include the ability to create and enforce very granular identity and role-based access controls, as well as the ability to produce easy-to-understand audit reports. Some tools also generate reports geared to the requirements of specific regulations that focus on certain types of users, such as database administrators.
Ease of use and automation are key to customers such as David Furnas, CIO at Gila Regional Medical Center in Silver City, N.M. He says he's looking for data access monitoring software that will cut in half the 20 hours he spends each month trying to "filter out all the authorized, appropriate access" and correlate data from multiple monitoring tools in search of possible attacks.
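The alerting behaviour described above, as an added example that is not part of Scheier's article or any vendor's product: a small detector that reads database audit records and flags the pattern the article names, a middle-of-the-night query pulling every customer's card number, while letting routine traffic through. The record format (JSON lines with `ts`, `user`, `db`, `sql`, `rows`), the list of sensitive columns, the business-hours window and the row threshold are all assumptions, and the sample records are constructed.

```javascript
// Added example (not from the article, not a vendor's code): a minimal
// database access monitor. Audit records are assumed to be JSON lines with
// ts (ISO 8601, UTC), user, db, sql and rows (rows returned). The sensitive
// column list, business-hours window and row threshold are assumptions.

const SENSITIVE_COLUMNS = ['card_number', 'ssn'];
const BUSINESS_HOURS = { start: 7, end: 19 }; // UTC hours, assumption

// Parse one audit line; malformed or incomplete lines are skipped (null).
function parseAuditLine(line) {
  try {
    const r = JSON.parse(line);
    if (!r.ts || !r.user || !r.sql) return null;
    return { ...r, hour: new Date(r.ts).getUTCHours(), rows: Number(r.rows ?? 0) };
  } catch {
    return null;
  }
}

// Does the statement touch a column we classify as sensitive, or select
// everything (which would include such columns)?
function touchesSensitiveColumn(sql) {
  const s = sql.toLowerCase();
  return SENSITIVE_COLUMNS.some(c => s.includes(c)) || /select\s+\*/.test(s);
}

// A SELECT with no WHERE clause is the "all customers" shape.
function isUnfilteredSelect(sql) {
  const s = sql.trim().toLowerCase();
  return s.startsWith('select') && !/\bwhere\b/.test(s);
}

function outsideBusinessHours(hour) {
  return hour < BUSINESS_HOURS.start || hour >= BUSINESS_HOURS.end;
}

// Score each record and return the ones worth an alert, with reasons attached
// so the analyst can see why. A sensitive column must be involved and at least
// two further signals must line up; one signal on its own is routine traffic.
function findSuspicious(lines, minRows = 1000) {
  const alerts = [];
  for (const line of lines) {
    const r = parseAuditLine(line);
    if (!r) continue;
    const reasons = [];
    if (touchesSensitiveColumn(r.sql)) reasons.push('sensitive column');
    if (isUnfilteredSelect(r.sql)) reasons.push('unfiltered select');
    if (outsideBusinessHours(r.hour)) reasons.push('outside business hours');
    if (r.rows >= minRows) reasons.push(`bulk result (${r.rows} rows)`);
    if (reasons.includes('sensitive column') && reasons.length >= 3) {
      alerts.push({ ts: r.ts, user: r.user, db: r.db, reasons });
    }
  }
  return alerts;
}

// Constructed sample audit records (not real data).
const SAMPLE_AUDIT = [
  '{"ts":"2006-08-21T14:02:11Z","user":"app_svc","db":"crm","sql":"SELECT name FROM customers WHERE id = 42","rows":1}',
  '{"ts":"2006-08-22T03:17:45Z","user":"dba_jsmith","db":"crm","sql":"SELECT card_number FROM customers","rows":48211}',
  '{"ts":"2006-08-22T10:30:00Z","user":"report_svc","db":"crm","sql":"SELECT COUNT(*) FROM orders","rows":1}',
  'not json at all',
];
```

Run over `SAMPLE_AUDIT`, only the 03:17 bulk read of `card_number` by the DBA account is reported; the per-customer lookup and the daytime count query are routine and stay quiet, which is the "filter out all the authorized, appropriate access" problem Furnas describes. The reasons list is what makes the alert actionable rather than a bare score.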
The final category of tools encrypts data so it can't be used even if it is stolen. Encryption can be done fairly easily with a number of off-the-shelf products, but the real challenge is properly managing the keys needed to decrypt data when needed.
"When you start to talk about issues such as dual controls, split controls, rules about how do I rotate a key, how do I recover keys -- all of those are the areas that require significant thought," says Engel. That's why he, like many other customers, buys separate encryption and/or key management products even though many databases now ship with native encryption capabilities.
Harvey Ewing, senior director of IT security at Carrollton, Texas-based Accor North America, which owns and operates about 1,200 hotel properties in the U.S., Canada and Mexico, chose RSA Key Management from RSA Security. He says it provides a single key management system across the company's various applications.
Application programming interfaces from RSA allow Accor developers to easily adapt applications to access decryption keys as they need them, says Ewing. Without such keys, legacy systems wouldn't be able to perform any functions requiring that data, or would be unable to display that data correctly.
Another shortcoming of native database encryption is that it can't hide sensitive data from database administrators, says Burton Group's Henry. That's changing, he says, with products such as Oracle Corp.'s Oracle Database Vault, an option for Oracle databases that allows customers to "substantially limit what the DBA can do."
No Silver Bullet
Customers, analysts and vendors agree that a mix of technologies is required to meet the needs of each unique environment. In addition to encryption, Ewing uses SecureSphere application layer firewalls from Imperva Inc. to protect his Web and database servers, as well as vulnerability and penetration testing tools.
Customers rely largely on access control and database access monitoring tools to comply with the Sarbanes-Oxley Act, says Prat Moghe, founder and CEO of Tizor Systems Inc. in Maynard, Mass., but they are using encryption more often to comply with PCI.
Even with products that allow users to encrypt only specific database columns (such as those holding credit card numbers), administrators may still need to restructure some databases to make encryption feasible. If a customer's Social Security number is used as the "index" field that helps locate all other information about that customer, encrypting Social Security numbers could require decryption of that column for every query and thus cripple database performance. Another approach, says Jeff Montgomery, director of product marketing at Cambridge, England-based nCipher, is to encrypt all but the last four digits of the sensitive number.
Rather than modifying applications so they can decrypt data, says Mogull, companies can also merely encrypt the file or hard drive where the data is stored (to deflect attacks on the database) and use data access monitoring tools to watch for suspicious activity from within the applications.
Making the wrong choice about where, for example, to use encryption can waste a lot of money, risk a lot of data and make a lot of users unhappy. That's why it's so crucial to first understand the threats facing your data and only then begin building your defense.
Microsoft files lawsuit against DRM hackers
Jeremy Kirk
September 27, 2006 (IDG News Service) Microsoft Corp. is suing a group of hackers who apparently gained access to the company's proprietary source code, creating a program that wipes media files clean of file-sharing restrictions.
The suit, which Microsoft filed last Friday in a district court in Seattle, gives only a nickname for the ringleader, "viodentia," who is one of 10 "John Does" whom Microsoft believes are responsible for breaking its Windows Media Digital Rights Management (DRM) software.
Last month, a program called FairUse4WM surfaced that removed the DRM (digital rights management) technology from Windows Media 10 and 11 files. Many major download services, such as Napster LLC, use Windows DRM, and its removal would allow the files to be copied or played without restriction or uploaded to file-sharing networks.
Microsoft is suing for copyright infringement, since FairUse4WM uses code from the company's Windows Media software development kit Version 9.5, a tool set used by software developers to build applications.
Microsoft said the hackers have caused it more than $75,000 in losses. It is seeking a permanent injunction against the defendants and compensation.
In a separate document filed with the court, Microsoft said the defendants have gone to substantial lengths to hide their identities. It asked for extra time to issue subpoenas to e-mail service providers, to track down some e-mail addresses linked to the individuals, to help it to identify them.
The hackers have proved enduring foes for Microsoft. Soon after FairUse4WM was released, Microsoft issued an update to its DRM software, making the hacking program ineffective. The hackers responded less than a day later by updating FairUse4WM again.
Their efforts are unlikely to affect the growth of legitimate download services, however, since content providers are aware that no DRM is unbreakable, analysts said.
"I think in the long term it's not going to deal Microsoft any crushing blow, but it's certainly an irritant for them," said Jonathan Arber, research analyst for Ovum PLC in London.
Technology companies will have to make it too hard for hackers to break the DRM, a leap that could be difficult considering any update to the DRM technology would still have to be compatible with hardware in the market, said Paul Jackson, principal analyst at Forrester Research Inc.
Additionally, frequent software updates tend to alienate users, he said. "It’s a question of highly determined hackers desperate to prove their moxie, versus a corporation that can't release updates every 10 minutes because that annoys people," Jackson said.
Labels: Microsoft Corp.
Six charged in case of AOL identity theft ring
Robert McMillan
September 27, 2006 (IDG News Service) Six men have been charged with orchestrating a phishing scheme that targeted AOL users, the Department of Justice said Wednesday.
The men are accused of harvesting thousands of AOL e-mail addresses and then infecting victims' PCs with malicious software that would prevent them from logging onto AOL without entering their credit card numbers, bank account numbers and other personal information.
Under the scam, victims received fake e-mail greeting cards that would silently infect their computers with the log-on software, according to a grand jury indictment. Victims were also spammed with phony e-mail messages that claimed to have come from AOL's billing department.
"Due to a central server meltdown, your credit card information was lost," one such e-mail read, according to the indictment. "In order to enjoy your AOL experience and keep your account active, you must enter your credit card information within 24 hours."
Some of the fake greeting cards claimed to come from Web sites such as Hallmark.com or BlueMountain.com, the indictment states.
AOL users appear to have been the primary targets of the fraud, but others may also have been targeted, according to Tom Carson, a spokesman for the United States Attorney's office for the District of Connecticut. "The investigation is ongoing," he said. "I think we can say the bulk of those targeted were AOL users, but we can't say with 100% certainty that they were the only victims," he said.
The accused are believed to have defrauded thousands of people, U.S. Attorney Kevin O'Connor said in a statement. "These are insidious crimes that wreak havoc on the lives of victims, and we will seek strict terms of imprisonment."
The alleged scam was conducted over a two-year period, beginning in 2004, the U.S. attorney said.
Proceeds from the crime were used to purchase gaming consoles, laptop computers and gift cards, the indictment states.
The men were actually indicted on fraud charges last week by a federal grand jury in New Haven, Conn., but the charges were not made public until Wednesday, when three of the men pleaded guilty.
The three who have pleaded guilty face between two years and nine and a half years in prison, Carson said. They are Charlie Blount Jr., 22, of Branford, Conn., Richard D'Andrea, 22, of West Haven, Conn., and Thomas Taylor Jr., 20, also of West Haven. They are scheduled to be sentenced in mid-December.
The three men awaiting arraignment are Michael Dolan, 22, of North Miami Beach, Fla., Keith Riedel, 20, of Winter Haven, Fla., and Daniel Mascia, 22, of West Haven.
Dolan had previously been sentenced to two years of probation after pleading guilty to accessing a protected computer without authorization.
Labels: AOL
H-P drama to take congressional stage
CEO, other current and former executives to face grilling
By Rex Crum, MarketWatch
Last Update: 4:45 PM ET Sep 27, 2006
SAN FRANCISCO (MarketWatch) -- The unfolding drama surrounding Hewlett-Packard Co.'s boardroom-spying and surveillance scandal was set to move to a bigger stage Thursday, as present and former company officials head up to Capitol Hill for a day of congressional grilling.
Representatives are expected to press H-P (HPQ) to account for controversial, and possibly illegal, tactics used in the company's efforts to find the source of media leaks. Private investigators posed as employees; Social Security numbers were used to track individuals' personal phone records, and fake e-mails were sent to reporters to ferret out sources. Perhaps most significantly, people working on H-P's behalf lied about their identities to obtain personal information about employees, board members, journalists and their family members -- a practice known as pretexting.
The company's approach has exposed it to charges that the investigative steps were more like outtakes to a bad detective film, rather than the behavior of a business known for its "H-P way," a reputation built on integrity, corporate civility and honesty.
H-P Chief Executive Mark Hurd, company general counsel Ann Baskins, outside attorney Larry Sonsini and former Chairwoman Patricia Dunn are slated to tell their versions of the pretexting matter in front of the House Committee on Energy and Commerce's subcommittee on oversight and investigations. Former H-P senior counsel Kevin Hunsaker, former global security manager Anthony Gentilucci and private investigator Ronald DeLia will also appear under subpoena.
On Wednesday the committee issued subpoenas to more H-P subcontractors.
The hearing will mark the most-public airing yet of the details surrounding what started as a company investigation into boardroom leaks, but in less than a month has turned into a roiling scandal for one of the biggest companies in technology.
Along with upheaval on the H-P board, the matter has brought the word "pretexting" into the vernacular and put investor focus on corporate governance, along with growing profits and revenue.
"If anything, this has been a textbook case of how not to operate as a board," said Michael Perlis, a securities litigation partner with New York law firm Stroock & Stroock & Lavan LLP, and a former assistant director of enforcement at the Securities and Exchange Commission. "Now every couple of days there's a new story about what happened. It's like death by a thousand cuts."
H-P has found itself dealing with a new embarrassment nearly every day since the spying scandal became public on Sept. 6. Dunn, the former chairwoman, instigated an investigation into leaks of information that appeared to come from H-P board meetings. Private investigators hired by H-P found that board member George Keyworth was the source of the leaks.
At a May 2006 meeting, Keyworth was asked to resign, but refused. Another board member, Thomas Perkins, quit in protest of the methods used to link Keyworth to the leaks. It later emerged that investigators used pretexting and other methods to get information on other board members, H-P employees and journalists.
Keyworth resigned from the board on Sept. 12. Dunn stepped aside the same day, with Hurd becoming chairman; she quit the board on Sept. 22.
Grandstanding and posturing
Securities and litigation lawyers following the H-P scandal say that a certain amount of grandstanding should be expected during the congressional hearings Thursday.
Subcommittee members are expected to try and show they can ensure individuals' privacy through legislation, and H-P will try to assert that the pretexting, which included giving Social Security numbers and other personal information to private investigators, was a one-time occurrence in an investigation whose purpose, according to Hurd, "was absolutely proper and appropriate."
"H-P happens to be at the forefront of this issue," said Joseph Sanscrainte, a telecom and privacy attorney with Bryan Cave LLP, in New York. "We might see some new bills proposed as a result of this, while H-P will probably focus upon things it didn't do, like wiretapping."
While H-P's board has come under fire for what might end up being declared illegal activities -- California Attorney General Bill Lockyer is looking into criminal charges against current and former company officials -- H-P shareholders have, up until recently, stuck with the company. The stock closed at $35.39 on Wednesday, and is down just 51 cents since the pretexting matter was made public.
However, on Tuesday, a group of large pension funds that own H-P shares began raising the issue of more investor involvement in the company's board.
The New York State Common Retirement Fund, the Connecticut Retirement Plans and Trust Funds, the North Carolina Retirement Systems and the American Federation of State, County and Municipal Employees Pension Funds together filed a proposal seeking access to H-P's proxy to allow shareholder groups more say in who gets on the board.
The four funds want H-P to change its bylaws to allow groups that hold 3% or more of the company's stock for at least one year to be able to post nominations for H-P board members. The four funds own a combined 30 million H-P shares worth about $676 million.