echo: 10th_amd
to: all
from: Roy J. Tellason
date: 2003-08-15 20:01:38
subject: from Risks Digest 22.85

* Forwarded (from: netmail) by Roy J. Tellason using timEd 1.10.y2k.



Date: Thu, 14 Aug 2003 08:46:52 -0700
From: "NewsScan" 
Subject: FBI enters investigation of Blaster

The FBI is investigating the origin of the malicious computer program
Blaster (also known as MSBlaster and LoveSan), which has already wormed its
way into more than 250,000 Internet-connected computers running Windows
software. Blaster has been infecting computers in organizations of every
kind (e.g., CBS, the Senate, and the Federal Reserve Bank of Atlanta) -- in
spite of the fact that computer experts say it's not well-written software.
Dan Ingevaldson of Internet Security Systems Inc. warns: "A better
version of this worm wouldn't crash any machines; it would work correctly
every time, move faster, and delete or steal its victims' files." 
[*The Washington Post*, 14 Aug 2003; NewsScan Daily, 14 Aug 2003]
  http://www.washingtonpost.com/wp-dyn/articles/A56071-2003Aug13.html

--

Date: Tue, 12 Aug 2003 12:23:22 -0400
From: "Fuzzy Gorilla" 
Subject: Re: Software patching gets automated (RISKS-22.84)

In http://catless.ncl.ac.uk/Risks/22.84.html#subj11.1 Peter Neumann
speculates: "And when it is *fully* automated, think of how wonderful
it will be to have new Trojan horses and security flaws installed
instantaneously, without having to require human intervention.".

Even without Trojan horses and security flaws, it introduces yet another
point of failure into the system, as evidenced by the "Blaster"
worm. According to a New Scientist article "Computer worm attacks
software patch server"
http://www.newscientist.com/news/news.jsp?id=ns99994046 :

  After infecting a vulnerable computer, the worm is programmed to send a
  volley of bogus traffic to Microsoft's software update service,
  windowsupdate.com on 16 August. If enough machines are infected this will
  overwhelm the site, preventing system administrators from using it to
  download the software patches needed to prevent other machines being
  infected.  "It's an extremely devious trick by Blaster's author," says
  Graham Cluley, of UK anti-virus company Sophos. "Blaster attempts to knock
  Microsoft's windowsupdate.com Web site off the Internet."



Date: Thu, 14 Aug 2003 09:33:03 -0400
From: Dave Brunberg 
Subject: Denver school information system on the Internet

I found this link to an article about Denver's "Internet Student
Information System," which offers parents (or anyone with a
userid/password combo) to view their children's (targets'?) whereabouts,
grades, disciplinary records, and demographic info online.

http://www.denverpost.com/Stories/0,1413,36~53~1569401,00.html

  Teachers enter class attendance data into the system at the beginning of
  each class, and "Almost on an hourly basis, a parent can find out if their
  child is in a particular class. Most schools will stick to updating
  attendance two or three times a day."  "While the systems differ, they
  share a concern for security with school-issued user IDs and passwords. "
  "If [parents] want to participate, they must take a photo ID to the school
  and then they are given a user ID and personal password. They have access
  only to their children's information."

Sounds really secure, no?  No word on the form of userid or password, or
how to change the password, etc., standard RISKs apply.  Near the end of
the article, security and privacy issues are given a brief note:

  "Like Castagna at Lakewood High, Bailey said no concerns have been raised
  about privacy, and nobody's information has been hacked.  David Craven,
  Cherry Creek's director of instructional technology, said the systems use
  the same safeguards as online banking.  "People have an expectation to get
  general information on the Web.  It's just part of their lives."

  "The value is contingent on how secure the database is," said Stephen
  Keating, director of the Privacy Foundation at the University of
  Denver. "If the school district thinks they've got it protected so that
  only the parents or the student can get access to that student's
  information, then it sounds viable."  But, he cautioned, "just because you
  think it's secure doesn't mean it is."

  Mark Silverstein, legal director of the American Civil Liberties Union in
  Denver, said, "If the information is only available to the parents of a
  student, I don't see what the concern is about privacy."

I'll take a brief quote from that to look at again: "If the school
district thinks they've got it protected so that only the parents or the
student can get access to that student's information, then it sounds
viable."  Um, shouldn't the district KNOW they've got it protected? 
Shouldn't they be actively trying to crack the system?  Maybe they can ask
some of their brighter 10th graders to try--that would probably open up
some interesting discussion when the results became known.  Anyone want to
take a bet on how many Mountain Dews it takes to crack this one?

David W. Brunberg, Engineering Supervisor, The F.B. Leopold Company, Inc., 
227 South Division Street, Zelienople PA 16063  (724) 452-6300

--

Date: Wed, 13 Aug 2003 20:28:37 -0400
From: "Carl G. Alphonce" 
Subject: Biloxi schools have cameras in classrooms, pictures on Internet

According to a CNN article
  http://www.cnn.com/2003/EDUCATION/08/12/classroom.cameras.ap/index.html
the Biloxi, Mississippi school district has put cameras in all of its
classrooms.  The project was funded by casino revenues.  Pictures taken by
the cameras are viewable on the Internet.  If the article is correct, and
the images really are accessible from anywhere on the Net, the risk of
others viewing the pictures is real.

The article does not give much motivation for installing the cameras.  It
states, "[Deputy superintendent] Voles said the camera installation is
a precaution, and that students and teachers have said they feel
safer."  The potential for abuse and the potential chilling effect on
the classroom is left as an exercise for the reader.  I wonder, might the
introduction of these cameras perhaps backfire, attracting those who seek
publicity, since they are guaranteed a record of their activities?

Carl Alphonce, Dept of Computer Science and Engineering
University at Buffalo, Buffalo, NY 14260-2000         



--- 
* Origin: TANSTAAFL BBS 717-838-8539 (1:270/615)
SEEN-BY: 633/267 270
@PATH: 270/615 150/220 379/1 106/1 2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
