[ISN] Hanford workers warned about security breach
http://seattlepi.nwsource.com/local/273650_hanfsecurity13.html

By SHANNON DININNY
THE ASSOCIATED PRESS
June 13, 2006

The U.S. Energy Department has warned about 4,000 current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.

The discovery marks the second time in less than a week that the Energy Department has warned employees and its contractors' employees that their personal information may have been compromised.

Police in Yakima discovered the list while investigating an unrelated criminal matter, the Energy Department said, adding that the list included the names of people who worked for a former Hanford contractor, Westinghouse Hanford, who were transferring to Fluor Hanford or companies under contract to Fluor Hanford in 1996. The Energy Department awarded Fluor Hanford the contract to clean up the highly contaminated nuclear site in December 1996.

The list also included workers' Social Security numbers and birthdates, as well as work titles, assignments and telephone numbers.

The department began notifying workers about the discovery Sunday. Employees at seven companies were warned to monitor their financial accounts and billing statements for any suspicious activity. There was no indication that Hanford's computer network was compromised.

The Energy Department and Fluor Hanford were working with law enforcement officials to determine how the list was obtained and why it was in the home, the Energy Department said in a statement Monday.

"We, along with Fluor, are taking this very seriously," said Karen Lutz, an Energy Department spokeswoman at the south-central Washington site. "Obviously, there's a concern to get the word out, because so many workers transfer to other contractors and other federal sites."
Also on Monday, Energy Department officials began contacting 1,502 individuals by phone to inform them that their Social Security numbers and other information might have been compromised when a hacker gained entry to a department computer system eight months ago.

The workers, mostly contract employees, worked for the National Nuclear Security Administration, a semiautonomous agency within the department that deals with the government's nuclear weapons programs. The computer theft occurred last September, but Energy Secretary Samuel Bodman and his deputy, Clay Sell, were not informed of it until last week. It was first publicly disclosed at a congressional hearing on Friday.

Following the Hanford report Monday, Sen. Maria Cantwell, D-Wash., demanded corrective actions to ensure that federal employees' personal information remains secure.

"Today's news that the personal information of 4,000 Hanford workers has been floating around in the open shows that we still have a long way to go when it comes to keeping sensitive information out of the wrong hands," Cantwell said.

Workers from the following companies were urged to check their financial statements: Fluor Daniel Hanford, Lockheed Martin Hanford, Rust Federal Services of Hanford, BW Hanford, Numatec Hanford, DynCorp Tri-Cities Services and Duke Engineering and Services Hanford.

_
Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches.
www.blackhat.com
[ISN] Elections hacks don't guard us against hackers
http://www.miami.com/mld/miamiherald/14803773.htm

By FRED GRIMM
fgrimm at MiamiHerald.com
Jun. 13, 2006

For a county supervisor of elections needing someone to test the vulnerabilities of his voting system, Dan Wallach's the man.

Wallach, who runs the computer security lab at Rice University, is a nationally regarded expert on computer network security and voting system vulnerabilities. He's associate director of ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). Besides, his parents live in Lauderdale-by-the-Sea.

He is a perfect choice. But not in Florida.

Wallach and his associates at ACCURATE may represent academia's leading experts on voting system security, but under the new rules promulgated by the Florida Secretary of State, they don't qualify. Any security test, the secretary of state's office insists, must be performed by someone certified by the American Software Testing Qualifications Board, the American Society for Quality or the EC (E-Commerce) Council.

Not only is Wallach not certified by the three organizations, "I've never heard of them," he says.

TRAINING COURSE

Actually, the first two organizations are concerned with the overall quality of manufactured software, not security. The EC Council website offers a five-day training course into something called "ethical hacking." Five days of training, under the new rules, would trump the most sophisticated résumés in computer science.

Computer professor David Dill, of Stanford University, who served on California's Ad Hoc Task Force on Touch Screen Voting, and whose degree -- not the five-day kind -- comes from MIT, added his apprehensions to the comments on the proposed rules the Florida Secretary of State's office collected Monday. He said they "would exclude the most competent evaluators, such as those who have found most of the reported security holes in existing voting systems.

"I have checked with several computer security experts, who not only do not have these qualifications, but, like me, have never heard of them. A little research on the Web reveals these certifications to be of dubious relevance to voting system evaluation," Dill wrote.

Other rules would require that the voting-machine vendors and the secretary's office get advance notice of any security test. And a supervisor of elections contemplating a security test must first take special pains to protect the machine manufacturer's secret operating code.

CERTIFIED HACKERS

Wallach and Dill seemed puzzled. Wallach noted that a voting machine ought to be secure no matter who tries to hack the system. The notion that a would-be hacker must first be properly certified and possess special qualifications (like a five-day online course), and that the vendors need advance notice, becomes utterly irrelevant in cyberspace.

"If someone is malicious and his goal is to throw the election, they're not going to ask permission," Wallach said.

Of course, the new rules aren't really about protecting the integrity of elections. Only one Florida supervisor of elections allowed outside experts to test his voting system security. And when Ion Sancho's hackers discovered they could alter the outcome of an election and wipe out all trace of the tampering last year, it was a huge embarrassment to the Secretary of State's office. Instead of trying to fix the flaws, state officials and Diebold -- a maker of voting machines -- went after Sancho, disparaging his findings and suggesting that he ought to be tossed from office.

Then California -- not Florida -- directed a panel of computer science experts to look into the Leon County findings. The panel found the same flaws and more. Florida election bureaucrats were humiliated.

"The new rules are designed to make sure that they're never embarrassed again," Sancho said Monday.

Florida's first priority is to protect the vendors. We'll let California worry about the damn voters.
[ISN] KDDI suffers massive data breach
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001150

Martyn Williams
June 13, 2006
IDG News Service

Personal data on almost 4 million customers of Japanese telecom carrier KDDI Corp. has been breached, the company said Tuesday.

The data includes the name, address and telephone number of 3,996,789 people who had applied for accounts with KDDI's Dion Internet provider service up to Dec. 18, 2003, KDDI said. Additionally, the gender, birthday and e-mail addresses of some of those people were also leaked.

KDDI is Japan's second largest telecommunications carrier. It operates fixed line, dial-up Internet, broadband and cellular services through a number of different companies.

The carrier became aware of the leak on May 31 this year when it received a phone call from someone claiming to possess a CD-ROM of the data, said Yoko Watanabe, a spokeswoman for the Tokyo-based carrier. The original source of the data has yet to be determined and Watanabe declined to comment on other aspects of the case, which is being investigated by the police, she said.

The leak is just the latest of several to hit the headlines in Japan this year. Personal information has been leaked by companies a number of times onto the Internet through viruses that infect PCs running file sharing programs.

While the source of the data lost by KDDI is not yet clear, the episode is likely to increase fears of identity theft and other fraud in Japan. In recent years the number of frauds committed against consumers using such information has been on the rise. Armed with the name and address or telephone number of a consumer, fraudsters can send out bills or make calls demanding payment for services that were never delivered. The slick frauds often dupe consumers into sending money before they realize they have been tricked.
[ISN] ...and now a word from one of our long time sponsors
http://attrition.org/news/content/06-06-13.001.html

Cliff Notes: If you drink Coca-Cola products, email the 'coke reward' code to [EMAIL PROTECTED] to support a bunch of wack job heathens.

How many times have you thought, "If everyone sent me one penny, I'd be rich!"? In the case of attrition staff, maybe you thought, "If everyone sent me one beer, I'd need a new liver in three months!"

Attrition has been going strong for almost eight years now. In that time we haven't plagued the site with ad banners, pop-ups, or even the cute little Google AdWords. We've accepted PayPal donations for several years and raked in a whopping 250 bucks (which we are honestly very thankful for). Our Amazon wishlists are never used, half the mail we get is mindless drivel complaining about insipid crap that is usually answered by actually reading the web pages. The box has been fully replaced two times due to hardware problems, payments are routinely made to our landlord for the bandwidth abuse and to keep him too drunk to find our power plug. In short, this isn't a site based around profit or self reward. We're more like those monks that inflict self pain thinking it brings them closer to a higher power. Misguided, pain-ridden, stupid monks.

Since we've long been fans of the sci-fi idea of 'micro payments', and no system is in place for such a beast to really work, we've come up with one. Now you too can actually support the site without sending us money or hate mail.

Chances are, you are a cracked-out coke fiend like most of us. I prefer the hard-core street drug they call Coke Zero these days, moving on from the weak suburban Diet Coke or that old-folks home Caffeine Free Diet Coke that Munge sips on between shots of Everclear. If you support Coca-Cola like a true patriot, and not those Pepsi jerks like a terrorist would, then you are in the perfect position to contribute.

Coca-Cola is running a promotion where you receive a code for each purchase you make. With those codes, you register on one of their web sites and type in the codes to earn points. Enough points and you can earn various prizes, most of which are not worth the time to read about on the web site. If you click around enough, you get to the distant 10,000+ Points reward list, and things become brighter. In this pipe dream category is a pretty swell Sony LCD HDTV that would be a nice reward for the pain and suffering we're put through.

So, next time you are getting your fix, take a few seconds to type in the coke code and mail it to us. Only takes a minute of your time and you can spend the rest of the day bragging about how you supported a non-profit site on the intarweb. The codes can be found inside the bottle caps of 2 liter, 1 liter or 20oz bottles, or in the tear off flap of 12-pack cases. They can be found in just about every variety of Coca-Cola products and look something like BNMW7 Y49XR 4X7VJ.

This is it, net denizens. Some 100,000,000 of you out there, and all it takes is 2,000 of you to mail in the code from a single 12-pack to reach our goal. You would be showing a small token of appreciation for eight years of hard work and it doesn't even require a visit to the post office.

If you send in 100 points worth of codes (ten cases, or 33 bottles), we'll hook you up with private access to the old image gallery we used to make available (shut down long ago due to bandwidth abuse), which is up to 5,263 unique images of all varieties, and zero advertisements.

That's it, simple and possibly rewarding.

[EMAIL PROTECTED]

Cut this out and post it at your work lounge!

.--------------------------------.
|                                |
|  E-mail Coca-Cola Reward Code  |
|       to the heathens at       |
|        [EMAIL PROTECTED]       |
|                                |
`--------------------------------'
[ISN] ADSM endorses XBRL technology
http://www.itp.net/business/news/details.php?id=21007

By David Ingham
13 June 2006

Abu Dhabi Securities Market (ADSM) has recently taken further steps to boost market transparency and improve its information technology systems. ADSM has declared its aim to become ISO 17799 compliant and has thrown its weight behind the XBRL information reporting standard.

Extensible business reporting language (XBRL) enables computer-readable tags to be applied to individual items of financial data in business reports. This helps to turn them from blocks of text into information that can be understood and processed by computer software.

"XBRL complements ADSM's programme to adopt international best practice standards of regulation and governance throughout the UAE markets," said Rashed Al Baloushi, acting director general of ADSM. "It will give investors better access to a company's financial information, allowing them to make more informed decisions. Furthermore, analysts will be able to compare detailed data more efficiently and with increased accuracy. Under the current system, it can be difficult to benchmark data efficiently."

ADSM said it will encourage all listed companies to adopt the technology, which it says can reduce data processing costs in addition to improving transparency. It has already held one educational seminar, which was attended by listed UAE companies and representatives from other markets in the region.

Separately, ADSM has said that it plans to become the first UAE bourse to achieve ISO 17799 certification. ISO 17799 is an international code of practice designed to help companies improve their information security management. It covers ten aspects of e-security, including policies, procedures, access control and business continuity. Company and Cybertrust have been appointed to help ADSM benchmark its systems against the ISO 17799 requirements.

"Since ADSM was established, we have been constantly reviewing and updating our security systems in line with our growth," said Khalfan Al Mazrouei, IT manager of ADSM. "But, in order to bring our systems up to international standards, we need ISO 17799 certification."
[ISN] PCs to developing world 'fuel malware'
http://www.theregister.co.uk/2006/06/13/pc_donation_peril/

By John Leyden
13th June 2006

Programs to send PCs to third world countries might inadvertently fuel the development of malware-for-hire scams, an anti-virus guru warns.

Eugene Kaspersky, head of anti-virus research at Kaspersky Labs, cautions that developing nations have become leading centres for virus development. Sending cheap PCs to countries with active virus writing cliques might therefore have unintended negative consequences, he suggests.

"A particular cause for concern is programs which advocate 'cheap computers for poor third world countries'," Kaspersky writes. "These further encourage criminal activity on the internet. Statistics on the number of malicious programs originating from specific countries confirm this: the world leader in virus writing is China, followed by Latin America, with Russia and Eastern European countries not far behind."

But what about all the positive uses in education, for example, possible through the use of second-hand PCs in developing nations? We reckon these more than outweigh the possible misuse of some computers at the fringes of such programs.

We wanted to quiz Kaspersky more closely on his comments but he wasn't available to speak to us at the time of going to press. A spokesman for Kaspersky Labs agreed that PC donation programs have benefits but maintained that in countries with fewer legitimate openings for work the possibility of unintended side effects can't be overlooked. He said that Eugene Kaspersky's comments should be viewed in the context of a wider discussion of criminal virus writing, contained in an essay on the anti-virus industry here.
[ISN] Black Hat Speakers + 2005 Content on-line
Forwarded from: Jeff Moss [EMAIL PROTECTED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello ISN readers,

I have a brief announcement I would like to make. The speaker selection for Black Hat USA 2006 is now complete. We have a fantastic line-up of Briefings presentations and our largest selection of Training this year.

Briefings: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-schedule.html
Training: http://www.blackhat.com/html/bh-usa-06/train-bh-usa-06-index.html

For the first time in four years, we have been able to expand our speaking line-up. This is because Caesars Palace has expanded their conference space, and Black Hat will be getting the entire fourth floor to ourselves! This means that for the first time in four years, we were able to expand the number of presentation tracks and panels, as well as offer more opportunities for networking in our Human Network area.

Some notes from the schedule:

* A Root-kit focused track draws attention to the amount of work, and the speed of advancement, going into this field.

* Ajax to Fuzzers -- web app sec is taken to a new level. The largest number of talks dealing with web application security ever delivered at a Black Hat. As the web moves to a more interactive web 2.0 model of participation it is only natural for there to be more risks involved.

* A Windows Vista Security track which has been garnering a lot of press lately... this will be an unprecedented first comprehensive look at Vista security issues.

* Jim Christie is bringing his Meet the Fed panel over from DEF CON, and the Hacker Court is back along with panels on Disclosure, a Public Forum on Corporate Spyware Threats hosted by The Center for Democracy and Technology Anti-Spyware Coalition, and a new challenge will be presented by the Jericho Forum.

Remember, prices increase July 1st for both the Briefings and Trainings. Register now to get the best rates!

http://www.blackhat.com/html/bh-registration/bh-registration.html#us

Other News:

Black Hat is pleased to release the presentations from last year's Black Hat 2005 Briefings in both audio and video format. Also a first, they will be available for download in both H.264 .mp4 format (iPod compatible) as well as .mp3 audio. Currently you have to subscribe to the Black Hat .rss feed to get them, but in the coming weeks we will make them available through the past conventions archive page.

http://www.blackhat.com/BlackHatRSS.xml

Black Hat would like to welcome the ISSA as a worldwide supporting association.

http://www.issa.org/

Thank you,
Jeff Moss

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBRI9L4kqsDNqTZ/G1AQKjlQgAnLKMSLL6Uc4BznLQ+sGkCf+v4kBXmSR2
ogJYZ8eciZxwJMrAFGhXGhJOHGQJxp2U/HEnISNhg+3W6TGhyl9rVO62z+2aBSfw
bvb+RSWWgMitiQqZcsRO8LkPorJlnpHSLzNxpH1GaVLFyJ17YwSCm1a/n2QPv+Pq
4nlC3KLKwgmFXY6uAkg95InvOeLly5uIelAGEllzIZ676A4fp5VMBeXtT/PDJwbs
49nZE8IPmxFPL1d9V47eWmjNpqMZBtNHuTaEhBhpWc1YbY0oE7Txv0EFWY2HGBLZ
S4XnlJCO9rbD1y0fbd1qof3BKVGW/nXaBG9SBOnctbFSDeyEVUTD3w==
=++JQ
-----END PGP SIGNATURE-----