 Be on the wave or under it
  
                The News – 03/19/02 
                   
Recommended Reading

I realize this is the only newsletter you’ll ever need, but if you want more in-depth detail, check out: Stan Hustad’s The Coaching Connection

Cleaning Out the Old Links, part 2

I’ve got such a collection of interesting and important material that hasn’t found its way into SNS yet that I have to clean house. I cleaned out a bunch in the last SNS. Here’s some more of the best of what I’ve got.

                  Facial Recognition and Other Threats to Privacy: 
                    Virage Inc. has developed software that 
                    can automate video security, eliminating the need to pay low 
                    wages to bored personnel just to stare at monitors all day. 
                    You can program the system to recognize suspicious faces, 
                    locations, words or phrases. Great. Now surveillance can be 
                    in the hands of machines. Doesn’t that make you feel better? 
                    To top it off, Visionics,
                    a maker of face recognition software, is enthusiastic about
                    the possibility of creating a “national shield” (Mom & apple
                    pie alert!) linking every camera in the country.
 Thankfully, not everyone thinks this is a great idea. “We're 
                    collecting data on everyone on the assumption that anyone 
                    may be the next terrorist,” said Deirdre Mulligan, director 
                    of the Law and Technology Clinic at UC Berkeley. “This subverts 
                    our traditional notion of the ability of the government to 
                    survey its citizens” only if there is probable cause to suspect 
                    criminal conduct. Security expert Bruce Schneier agrees: “You 
                    end up with a society in which the database is more important 
                    than reality.”
 LA Times
 
 
UK ISP Closes After DoS Attack: For 
                    those who are still wondering if the danger posed by Internet 
                    miscreants is mostly hype, check out this story. UK Internet 
                    Service Provider (ISP) Cloud-Nine was forced to close after 
                    being hit with a massive denial of service (DoS) attack.
 ISP Review (UK)
 
 
Walk-up Printing for PDAs: Startup
                    Flexiworld wants to make it easy for you to walk up to any
                    printer and print emails or other documents wirelessly. I
                    don’t even want to think about the security implications of
                    this idea.
 The Portland Business Journal
 
 
The eBay Scam: Miscreants have been 
                    attempting to steal unwary users’ credit card numbers through 
                    a fake email that purports to be a purchase confirmation from 
                    eBay. My Dad received the email in mid-January, along with 
                    thousands of others. Recipients received the following email:
 
 Your order has been completed and will be mailed within 24-48 hours.
 Your credit card has been charged $460.50 for the following purchase...
 - Microsoft X Box ( $399.00 )
 - NFL Fever ( $50.00 )
 Plus shipping and handling.
 If you feel that your credit card has been billed wrongly, please visit http://ebayservices-cancelorder.cjb.net and fill out all the needed information to cancel the following order.
 Again that site is <a href="http://ebayservices-cancelorder.cjb.net">eBay Services:  Cancel Order</a>,
 Thank you,
 eBay Services.
 
  
                 
                  CJB.net is a URL redirection service that
                    sent users to a page hosted at AOL. The page asked the user
                    to enter a credit card number and other personal information
                    so that eBay could cancel the order. Obviously, eBay was not
                    involved in this scam, but, oddly, Harry Caray’s Chicago-area
                    restaurants were, albeit unknowingly. For some reason, after
                    users submitted the information, they were sent to a page
                    on the Harry Caray’s restaurants site that simply said, “Your
                    order has been canceled.”
 Newsbytes
                
                  “Unbreakable” Oracle 9i Broken: It 
                    had to happen. The good marketing people at Oracle thought 
                    an ad campaign calling Oracle 9i unbreakable was a good idea. 
                    If they’d asked the Oracle techies, they probably would have 
                    been told that nothing’s unbreakable, given enough time and 
                    motivation. Sure enough, the software has been cracked, easily, 
                    using the ever-popular buffer overflow exploit. Make sure
                    your marketing department has a better clue than Oracle’s!
 SecurityFocus
 
 
More from the FBI Survey: A recent SNS quoted
                    results from a recent survey by the Computer Security Institute
                    (CSI), in conjunction with the FBI Computer Intrusion Squad.
                    In addition to finding that 81 percent of corporate respondents
                    said the most likely source of attack was from inside the
                    company, the survey also revealed:

 - 85 percent of respondents (large corporations and government agencies) detected security breaches within the last twelve months
 - 35 percent of respondents quantified their financial losses at $377,828,700
 - 91 percent of respondents detected employee abuse of Internet privileges
 - 94 percent detected computer viruses within their network
 - 78 percent of respondents stated they had detected Denial Of Service Attacks
 - 58 percent reported their network had been attacked 10 or more times

 CSI
                
                   
Domain Sellers Busted:
                      Alert SNS Reader Roger Hamm sent along this article about
                      domain scammers who were selling bogus .usa domain names.
                      The UK company, dotusa.com, traded on Americans’ patriotic
                      sentiment to sell more than $1 million in names at $59 apiece
                      before being busted by the FTC. Buyers of the .usa domains
                      found they couldn’t be used on the Internet. Oops.
 Yahoo


Genomics Predictions: The Centre
                    for Research on Innovation and the Institute for Alternative
                    Futures recently released predictions from the ESRC Genomics
                    Scenario Project. One of the most intriguing: “By 2005 biomarkers
                    indicate the likely presence of several cancers, classify
                    their defining molecular characteristics, and indicate which
                    therapies should be beneficial to the particular type of tumour.”
 Institute for Alternative Futures
 
 
                  Verticalnet Gets Serious: Last month, 
                    Kevin McKay, former SAP CEO, was appointed Verticalnet's new 
                    president and CEO. McKay appears to be a heavyweight, having 
                    held key positions at SAP, Sony Electronics and PricewaterhouseCoopers. 
                    Erstwhile B2B exchange Verticalnet appears to be trying to 
                    remake itself as a vendor of Collaborative Supply Chain solutions. 
                    Such solutions provide supply chain visibility, comprehension, 
                    and rapid response that leads to lower costs and inventory, 
                    higher revenue, and growth opportunities. Modernizing the 
                    supply chain by improving communication and planning processes 
                    will be corporations’ big To Do for this decade. Strategic 
                    Sourcing, Collaborative Planning, and Multi-tier Order Management 
                    look to shave dollars off supply chain costs. It remains to 
                    be seen, however, how successful Verticalnet will be in a 
                    marketplace dominated by i2 and, to a lesser extent, Manugistics. 
                    Philadelphia 
                    Business Journal
 
 
Automated Security Testers: I’ve 
                    recommended the Microsoft Personal 
                    Security Advisor, and the enterprise tools offered by 
                    its creator, Twin Cities-based Shavlik 
                    Technologies, in the past. They’re great tools, and a 
                    must for any Microsoft-based user. A new player in the area 
                    of security vulnerability assessment and automated fixes is 
                    BigFix.com, which offers customers a free online service that 
                    finds security holes, software bugs, outdated drivers, and 
                    viruses on a PC, then automatically retrieves and installs 
                    the patch or update. It’s unclear if BigFix makes use of the 
                    Microsoft database of security vulnerabilities that the Shavlik 
                    tools access. To use BigFix, the user must subscribe to Fixlet 
                    sites maintained by experts around the world, who provide 
                    Fixlets in their area of expertise. I’m a little wary of allowing 
                    “experts” to determine how to fix my software, however. And 
                    while automatic updating might be OK for desktop computers, 
                    I don’t think it would fly for production servers. A free
                    consumer version of the software is available at Download.com.
 BigFix
 
                  Wireless Email Easily Hacked: If
                    you use a BlackBerry™ or SMS (Short Message
                    Service) or any other kind of messaging on your wireless phone,
                    be aware that your messages can be intercepted. While you 
                    may not be sending information on your company’s latest secret 
                    project from your portable device, if you route all your messages 
                    to your BlackBerry, you could be receiving sensitive information. 
                    The latest demonstration of the insecure nature of wireless 
                    communications is courtesy of @Stake Inc., a security consulting 
                    company in Cambridge, Mass. mentioned in a previous SNS. @Stake 
                    was able to intercept BlackBerry Internet Edition traffic 
                    using a scanner with a digital output, an antenna and freely 
                    downloadable software. Since the email is sent over the wireless 
                    network in the clear, much like the email you send over the 
                    Internet every day, once the message is intercepted, it’s
                    easily readable.
 eWeek
 
  
                Briefly Noted 
                  Shameless Self-Promotion Dept.: Take 
                    our survey on corporate policies on home use of network resources.
 StratVantage has launched a new service, CTOMentor™, designed 
                    to allow Chief Technology Officers and other technical leaders 
                    to get rid of the Guilt Stack, that pile of magazines you’ll 
                    get around to reading someday.
 
 CTOMentor is a subscription advisory service tailored to customers’ 
                    industry and personal information needs. Four times a year 
                    CTOMentor provides a four-hour briefing for subscribers and 
                    their staffs on the most important emerging technology trends 
                    that could affect their businesses. As part of the service, 
                    subscribers also get a weekly email newsletter, Just the 
                    Right Stuff™, containing links to the Top 10 Must Read 
                    articles needed to stay current. These and other CTOMentor 
                    services will let you Burn Your Inbox™.
 
 As part of its launch, CTOMentor is offering a two-part white 
                    paper on peer-to-peer technology: Peer-to-Peer Computing 
                    and Business Networks: More Than Meets the Ear. Part 1, 
                    What is P2P?, is available for free on the CTOMentor 
                    Web site. 
                    Part 2, How Are Businesses Using P2P?, is available for $50.
 CTOMentor
 
 
 This issue can be found at: http://www.stratvantage.com/news/031902.htm
 
 Copyright © 2000-2008, StratVantage Consulting, LLC. All rights 
                reserved.
 Please send all comments to
  .
 Can’t Get Enough of ME?

 In the unlikely event
          that you want more of my opinions, I’ve started a Weblog. It’s the fashionable
          thing for pundits to do, and I’m doing it too. A Weblog is a datestamped
          collection of somewhat random thoughts and ideas assembled on a Web
          page. If you’d like to subject the world to your thoughts, as I do,
          you can create your own Weblog. You need to have a Web site that allows
          you FTP access, and the free software from www.blogger.com.
          This allows you to right click on a Web page and append your pithy thoughts
          to your Weblog. I’ve dubbed my Weblog
          entries “Stratlets”, and they are available at www.stratvantage.com/stratlets/.
          Let me know what you think.
 Also check out the TrendSpot for ranking of
          the latest emerging trends.
 
 In Memoriam
 Gerald M. Ellsworth
 March 14, 1928 - July 5, 2003

 In Memoriam
 Jane C. Ellsworth
 July 20, 1928 - July 20, 2003