
Market Research Group


[NYT] Hoopz Script GUI Hack (SILENT AIM, REACH,...


From ACM's TechNews, June 14, 2004
"Pay or Go Away: What Would Spammers Do?"
EurekAlert (06/08/04)

Researchers at the University of Michigan believe that charging spammers for every message they send would solve the spam problem within two to three years. Marshall Van Alstyne, an assistant professor in the School of Information, computer science doctoral students Thede Loder and Rick Wash, and Mark Benerofe, a technology industry and media executive in Atlanta, Ga., were in Washington, D.C., this week to present a proposal to the FTC's Bureau of Economics. The Attention Bond Mechanism (ABM) would have recipients and senders negotiate the terms of communication without any assistance from a third party. "The sender who believes his or her message is not spam is willing to put up that money--to risk it--to prove that if the recipient reads the email, they will agree that it is not spam," says Van Alstyne. The researchers say the technology needed to make the ABM system a reality is already available, adding that changes in infrastructure will be needed as well as proper wiring. The anti-spam technology would boost the "quality of information exchange and reduce the email volume that clogs networks and increases costs for consumers and business," adds Wash.

From ACM's TechNews, June 11, 2004
"Invasion of the Spambots"
Salon.com (06/08/04); Williams, Sam

Spambots are mutating into numerous varieties that relentlessly penetrate new areas, such as instant messaging, blogs, chat rooms, and cell phones, and these mutations are being driven by two antithetical online publishing trends: Growing homogeneity in the use of Google and other basic software tools, and increasingly specialized content. These new, indirect techniques are designed for the purpose of enhancing visibility rather than solicitation or receipt confirmation, in the hopes that popular search engines such as Google will highly rank links to marketers' sites in search results. Innovative spambots lend themselves particularly well to adult entertainment companies such as Edge Productions, whose VP Domenic Merenda has split the programs into three varieties--address-harvesting bots, URL-proliferator bots, and lead-generation bots, the most advanced and expensive option. The lead-generation bots analyze R- and X-rated chat-room logs, where they scan transcripts to determine the names and addresses of the most active participants, who are then targeted by adult-oriented ads produced by third-party vendors. However, this strategy can backfire due to large numbers of bots disguised as people who turn out to be the most active forum participants. Carnegie Mellon University researchers have developed automated CAPTCHA programs to discourage spammers' use of lead-generation bots in chat rooms, although the safeguard is not foolproof. CAPTCHAs are set up so that users must identify a randomly generated word to prove they are human, the catch being that the word is distorted and often displayed against a patterned background that even the most advanced optical character recognition systems cannot decipher.

From EduPage, June 9, 2004
Used Computers Full Of Sensitive Information
BBC, 9 June 2004

A British security firm researching the fates of lost or stolen laptops has found significant risk of security lapses in such situations. Pointsec Mobile Technologies purchased 100 laptops and hard drives from auctions and Web sites such as eBay. Despite having supposedly been erased, 70 percent of the hard drives the researchers inspected were easily readable. One of the hard drives obtained by the company for five euros on eBay included personal customer information, including pension plans, dates of birth, and home addresses, from one of Europe's largest financial services groups. In addition, Pointsec was able to access information on one in three laptops, simply by using commonly available password-cracking software. According to the company, most airports and police stations routinely sell unclaimed computers--with all of the information still on them--after three months.

From ACM's TechNews, June 9, 2004
"Worst-Case Worm Could Rack Up $50B in U.S. Damages"
TechWeb (06/04/04); Keizer, Gregg

International Computer Science Institute security researchers Nicholas Weaver and Vern Paxson say that a worm attack could cost the United States as much as $50 billion in direct damages by attacking widely used services and carrying a highly destructive payload. The worst-case scenario combines state-funded attackers exploiting an unpublished Windows vulnerability with a fast-spreading worm. The $50 billion figure includes lost productivity, repair expenses, deleted data, and damaged equipment. The researchers say that worms would be the choice method for the attack because of their speed. The study says state-sponsored hackers would have both the time and resources needed to find an unpublished vulnerability and rigorously test their worm. While past worms have been limited to mostly Windows XP or Windows NT systems, a more effective worm would attack a wide range of Windows environments. The researchers also tested popular motherboard and system configurations, and found that a particularly well-designed worm could force users to replace the motherboard in a third of the tested systems, while the other two-thirds would need to have their BIOS restored. However, although the corrupted PC BIOS could be restored, it would require highly skilled workers. The most likely candidates for the exploit include the SMB/CIFS file-sharing service included on all Windows systems since Windows 98. Possible countermoves for government and businesses include deploying mass-mailed worm defenses, restricting file-sharing on users' desktops, and using SMB/CIFS-compatible servers. Still, Weaver and Paxson warn that "Current defenses are not capable of dealing with threats of this magnitude."

"Recognition Keys Access"
Technology Research News (06/09/04); Patch, Kimberly







From New York Times, June 23, 2004
4 Rivals Almost United on Ways to Fight Spam
By Saul Hansell, Published: June 23, 2004

Four large Internet service providers agreed yesterday to a partial truce in their battle with one another over potential technology to stop junk e-mail in hopes that they can devote their united energy to fighting spam.

From ACM's TechNews, May 28, 2004
"Will Code Check Tools Yield Worm-Proof Software?"
CNet (05/26/04); Lemos, Robert

A report from the Business Roundtable blames buggy and vulnerable software code for most of the major cyberattacks and network breaches that have harried American consumers and businesses in recent years, and says these exploitable code errors stem from software development processes that lack effective testing, review, and safety measures. Though software is tested for flaws, usually the purpose of testing is to see if the software operates properly rather than if it fails when intentionally improper operations are performed. Static source code checkers originally developed by academic researchers to glean data about software flaws are being marketed by several companies as tools for spot-checking security. One such product was so well received by Microsoft that the computer giant bought Intrinsa, the company that sold it; the technology is now a key component of Microsoft's Trustworthy Computing Initiative, and Microsoft security program manager Michael Howard reports that Intrinsa's tools are used to regularly enforce discipline for developers. Fortify Software founder Mike Armistead notes that a commonly held attitude among software developers is that some errors will always be missed, and therefore it is acceptable to ship products and let others alert the developers of any flaws. But security researchers do not always disclose the flaws they detect, and many security experts think that developers could be held accountable for the glitches they fail to find, particularly if checking technology is available--factors that are raising the stock of automatic code error detection tools. Some people believe static source code checkers are not yet ready for commercialization: Immunity founder Dave Aitel perceives a need for such tools, but argues that current products generate too many false positives to be effective.

From EduPage, May 28, 2004
Buffalo Spammer Gets Jail Time
Wall Street Journal, 27 May 2004

A judge in New York this week sentenced Howard Carmack, the so-called Buffalo Spammer, to the maximum three-and-a-half to seven years in prison under the state's new identity theft statute. Carmack was charged with setting up hundreds of e-mail accounts under false or stolen identities and sending 850 million spam e-mails through those accounts. Internet service provider EarthLink previously won a $16.4 million civil judgment against Carmack, though the company has yet to collect any money from Carmack. At his sentencing, Carmack said his prosecution was politically motivated and that he didn't see any victims of his actions. In response, Judge Michael D'Amico said, "I'm having a heck of a time figuring out why you think everybody is unfair to you," telling Carmack he caused a lot of harm to many people.

From ACM's TechNews, May 26, 2004
"Viruses Nip Russia After the Cold War"
IDG News Service (05/25/04); Blau, John

The end of the Cold War and the collapse of the Soviet Union have opened Russia's borders to the Internet, which in turn has given rise to massive computer virus infections. Security experts expect things to get worse now that network intrusions and the authoring of viruses are no longer the sole province of politically- or respectability-motivated hobbyists, but a tool for organized crime. One hacker-turned security expert observes that there is money to be made from hacking and virus-writing, while Mi2g Chairman DK Matai points out that "The Mafia, which has been using the Internet as a communication vehicle for some time, is using it increasingly as a resource for carrying out mass identity theft and financial fraud." Russia's economy is an ideal climate for hacking, as highly skilled but cash-strapped Russian tech professionals direct their talent toward scanning corporate networks for security holes, crafting malware for stealing financial data, setting up illegal spam farms by hijacking infected computers, or ransoming companies' livelihood by threatening to launch distributed denial-of-service attacks against their networks or publicize sensitive information online. Another factor is relatively lenient attitudes toward cybercrime in a nation where violent crime is rampant, according to Sergey Bratus of Dartmouth College's Institute for Security Technologies Studies. Also complicating enforcement is the increasingly global nature of cybercrime, which makes its perpetrators difficult to trace, and differing views on cybercrime's definition. Gus Hosein of the London School of Economics and Political Science predicts that "policies will be developed to enhance the investigation of viruses in order to trace virus makers and other perpetrators of cybercrimes, only to see those same powers used for different purposes, such as pursuing copyright crime and 'indecent' communications."

"RPI Study Eyes Sick Computers"
Associated Press (05/25/04); Hill, Michael

