'Witty' Worm Wrecks Computers
The worm targets Windows computers that run specific security firewalls.
By Brian Krebs
washingtonpost.com Staff Writer
Sunday, March 21, 2004; 2:17 PM
A quickly spreading Internet worm destroyed or damaged tens of thousands of personal computers worldwide Saturday morning by exploiting a security flaw in a firewall program designed to protect PCs from online threats, computer experts said.
The "Witty" worm writes random data onto the hard drives of computers equipped with the Black Ice and Real Secure Internet firewall products, causing the drives to fail and making it impossible to restart the PCs. Unlike many recent worms that arrive as e-mail attachments, it spreads automatically to vulnerable computers without any action on the part of the user.
At least 50,000 computers have been infected so far, according to Reston, Va.-based computer security firm iDefense and the Bethesda, Md.-based SANS Institute.
Should the U.S. Follow Europe to Opt-In Commercial E-Mail?
Here in the United States, supporters of the recently passed
Can-Spam Act like to blame the continuing slurry of unsolicited
e-mail on offshore spammers, sleazy operators who send their
unwelcome messages from countries that are not subject to U.S.
laws. In Europe, however, where the Organization for Economic
Development is currently hosting a conference about how best to
fight spam, they are blaming us, and a legislative process that
they believe has sold out to the demands of business. There are,
unfortunately, good reasons for that blame.
One is that, according to at least one reputable anti-spam
technology company, 80 percent of Europe’s spam comes from North
America. Another is that anti-spam laws in the United States are
considerably weaker than those in the European Union. The biggest
legal difference is that in Europe all commercial e-mail must be
opt-in. Nothing can be sent unless the recipient has given consent
to the sender. In the United States, the Direct Marketing
Association lobbied for, and won, legislation that permits the
sending of opt-out commercial e-mail. To the Federal Trade
Commission at least, industry’s push for an opt-out mechanism
has been persuasive. Yet it is well known that opting-out often
opens a Pandora’s box of spam.
How to Secure Web Services
The next new (vulnerable) thing
BY SIMSON GARFINKEL
SECURING WEB SERVICES is easy: All you have to do is secure your Web server, secure every message flowing in and out of your server, secure every application that has anything to do with SOAP and XML, and secure the business operations and practices driving the whole thing. OK, OK. So securing Web services isn't that easy—in fact, it's downright difficult. So, in the traditional fashion of software development—where the market demands features now and security later—many businesses are tempted to deploy Web services that aren't tremendously secure (and many probably do).
In one sense, it could be argued that that isn't so terrible. Most of the potential security problems with Web services won't immediately be found by people with automated scanning tools if they're not yet trained to find the problems. But Web services security holes can be easily exploited by knowledgeable insiders—people interested in hacking for revenge or monetary gain. The insider threat is always at least as serious as the anonymous hacker threat. So ultimately, it pays to properly secure these services.
Thinking Inside the Box
Buying one security product containing an arsenal of
capabilities is convenient, cheap and potentially dangerous
BY JOHN EDWARDS, CIO Magazine
SECURITY | Like the mosquitoes that relentlessly swarm across the
49th state every summer, plagues of viruses and hack attacks
continuously assault the University of Alaska-Anchorage's network.
The school's CIO, Richard Whitney, hates hackers as much as he
hates insects that bite. That's why, like a growing number of CIOs,
he's decided to take an aggressive, "Swiss Army knife"
approach to network defense by installing an integrated security
gateway (ISG). "We like the idea of [having] intrusion
detection, firewalling and inbound virus detection in one
box," he says. "Most CIOs are in a position today where
they're being forced [by cost and convenience issues] to consider
this [approach] really seriously."
To help enterprises that are battling network threats on multiple
fronts (worms to spam to application vulnerabilities) several
hardware vendors are now offering ISGs that combine an arsenal of
security capabilities—such as intrusion detection and
prevention, virus scanning, spam blocking and Web content
filtering—in a single box. Many integrated products also
incorporate a firewall and VPN support.
Germans bust hackers forum
Geeknews.net
German police have carried out their biggest ever crackdown on internet piracy in a probe against 126 members of an online hackers' forum. The Germans are thought to be part of a wider network of 476 people in 33 countries who were members of an internet forum called Liquid FXP. They hacked into internet service providers to gain access to film, music, computer software and games, then offered pirated versions for downloading.
According to Germany's federal criminal office, police carried out 132 search warrants against suspects on allegations of computer sabotage and hacking.
Investigators followed this up with a further 337 warrants enabling them to search through the computer data of companies and institutions linked to the hacked servers.
The probe was sparked by an investigation into one member of the forum on suspicion of credit card fraud.
Police said members of the forum discovered 11,820 servers worldwide with security gaps.
They would hack into the system and install their own server, which would then enable them to download what they wanted.
Anti-piracy vigilantes track file sharers
By Kevin Poulsen, SecurityFocus
Mar 18 2004 4:55PM
A pair of coders nurturing a deep antipathy for software pirates set off a controversy Thursday when they went public with a months-old experiment to trick file sharers into running a Trojan horse program that chastises users and reports back to a central server.
As of Thursday, the crime-busting duo's server had logged over 12,000 victims of "Walk the Plank," and a sequel they call "Dust Bunny," since the cyber sting secretly launched in January. The programs have circulated disguised as activation key generators and cracks for Unreal Tournament 2004, Pinnacle Studio 9, Norton Antivirus, TurboTax, and as a copy of the leaked Microsoft source code -- all titles chosen for their popularity on peer-to-peer networks. When executed, a large message appears scolding, "Bad Pirate!"
"So, you think you can steal from software companies do you?," the text continues. "That's called theft, don't worry your secret is safe with me. Go thou and sin no more."
Security groups call for crisis coordination center
By Florence Olsen fcw.com
March 18, 2004
Two national task forces organized by the National Cyber Security
Partnership called for a public awareness campaign, an early warning
contact network and a national crisis coordination center to improve
the nation's responses to cyber vulnerabilities, threats and
incidents.
Created last December at the National Cyber Security Summit, the task
forces released their recommendations today for improving the nation's
cybersecurity defenses. The National Cyber Security Partnership was
formed to bring together private organizations and government
agencies.
Flaw stymies Norton Internet Security
By Robert Lemos
Staff Writer, CNET News.com
A software component of Norton Internet Security could allow
hackers to use the application as a backdoor into a person's
computer system, security researchers warned Friday.
The flaw occurs in an ActiveX
component used by security firm Symantec's flagship desktop
security program, Norton Internet Security, according to an
advisory published by research
firm NGSSoftware. The security hole could be used to run an
attack program that would then take control of the computer that
the software was trying to protect.
"The attack can be
achieved either by encouraging the victim to visit a malicious Web
page or placing a script within...an HTML e-mail," the
advisory stated.
Symantec's Antispam software has
a similar issue caused by a different ActiveX component.
ActiveX is a Microsoft technology for creating scripts, small
programs that can add functionality to a computer or a Web site.
SSL vulnerability could bring down Cisco LAN/WAN gear
By Phil Hochmuth
Network World Fusion, 03/17/04
Cisco warns that an implementation of Secure Sockets Layer on some of its switches, routers and firewalls could leave these devices vulnerable to a denial-of-service attack.
A warning posted on Cisco’s Web site Wednesday says that some hardware and software products with HTTPS servers running OpenSSL (used for management and configuration) could be brought down by an attack designed to crash the HTTPS server on the affected device. Cisco posted a software fix for the problem.
Affected products include Cisco IOS 12.1(11)E, and 12.2SY “crypto” release versions and sub-releases. Products running this IOS image could include Cisco Catalyst 6500 switches and the firewall module for the Catalyst 6500, Cisco 7100 and 7200 series routers, PIX firewalls, Content Service Switches and the MDS 9000 series storage switches and Global Site Selector 4480. Software affected by the vulnerability includes the CiscoWorks Common Services 2.2, and Management Foundation 2.1 platforms and Cisco Access Registrar, a RADIUS remote access server.
New Breed of Attack Targets Microsoft Outlook XP Users
Microsoft upgrades Outlook XP's vulnerability to
"critical" after researcher finds additional flaws;
company urges patch be applied quickly
by Mathew Schwartz, Enterprise Systems
Microsoft released an “important” Outlook
vulnerability notice, then reissued it with a “critical”
rating when security researchers found further flaws.
Affected software includes Microsoft Office XP Service Pack 2 and
Microsoft Outlook 2002 Service Pack 2. A successful attack could
result in a remote code execution.
ASN Security Issues Run Deep, Forrester Warns
Security flaws reveal weaknesses in Microsoft's Abstract Syntax
Notation One, a cryptographic and authentication mechanism in use
by every Windows operating system. The problem is with the
compiler, not the applications themselves. It's time for
developers to patch and recompile quickly.
by Mathew Schwartz, Enterprise Systems
3/17/2004
Memo to developers: have you recompiled any
custom-built applications that use the ASN.1 library? Recent
security flaws have highlighted ASN.1 weaknesses, with security
experts saying the clock is ticking before automated attacks, able
to gain root access to any Windows machine employing an ASN.1
library, start appearing.
In fact, the recent vulnerabilities, trumpeted by the Microsoft
announcement, have led to a wake-up call for developers using
ASN.1. “Anyone who uses the ASN.1 standard is auditing his code
now—thus, users must expect more ASN.1-related patches
shortly,” says Forrester Research. By the same token, experts
recommend any developers that haven’t audited their ASN.1-using
code do so immediately.
Vulnerabilities