*NEW BILL PUTS SQUEEZE ON AGENCY CIOs
By SWD Staff
Sen. John Edwards (D-N.C.) thinks it's time that failing government
agencies were forced to clean up their acts. The presidential hopeful has
introduced a bill that would require the CIOs at federal agencies to find
vulnerabilities in their systems and fix them within a specific timeframe.

Under the proposed National Cyber Security Leadership Act, the National
Institute for Standards and Technology (NIST) must come up with mandatory
security guidelines within six months of the bill's passage. Exemptions
could be made on a case-by-case basis. CIOs also must create performance
goals that are reviewed quarterly. Which agency will enforce the bill's
requirements remains unclear.

Edwards says the bill is a response to a series of dismal annual reviews from
the General Accounting Office (GAO) and Office of Management and Budget
(OMB), which have found government agencies lax on information security.
The bill now goes to the Senate Governmental Affairs Committee for review.


*RIAA GAINS GROUND AGAINST MUSIC SWAPPERS
By SWD Staff
Verizon Communications says it will appeal a federal court order to
identify a subscriber suspected of massive music file swapping.

The order is a landmark victory for the Recording Industry Association of
America (RIAA), which is cracking down on copyright abuses of digital
music. Previous legal action taken by the RIAA concentrated largely on
copyrighted material available for download from personal Web sites. This
case appears to be the first time the entertainment industry has focused
its attention on someone distributing material from a personal computer
using the popular P2P file-sharing software KaZaA.

Verizon, the suspect's ISP, says the decision could have a chilling effect
on private communications, including e-mail and file exchanges, if
allegations of copyright infringement force ISPs to breach privacy
agreements with their subscribers.


*CONCERNS RAISED AS VIRUS WRITERS PUBLISH E-ZINE
By Keith Regan 
A group of hackers described as "prolific" virus writers by one analyst
has published its first e-zine, raising concerns that the portal will fuel
a new wave of malicious code and virus variants.

According to security intelligence firm iDEFENSE, hackers who call
themselves GEDZAC, or Zoneavirus, recently published the 'zine, titled
Mitosis, which contains source code for a dozen viruses and tips, such as
how to avoid detection by antivirus software.

Ken Dunham, a senior intelligence analyst at iDEFENSE, says the fact that
the group is organized enough to publish the 'zine is significant.

"Most malicious coding groups fall apart or fail to progress to that
level," Dunham says.

Dunham says the code will "invariably be used by a script-kiddie or
individual learning how to create malicious code," likely resulting in
faster development of new variants and "powerful blended threats."

The new 'zine joins a growing list of publications, such as 2600 and
Phrack, written for and by the hacker community.

"The point to recognize is that the hacker community is more organized
than most people realize," says Jon Ramsey, head of development at
SecureWorks, a network intrusion detection and monitoring firm.

Others see value for security professionals in the 'zines. "It's a classic
tradeoff," says Ed Skoudis, VP of security strategy at consulting firm
Predictive Systems. "They spread ideas among the bad guys and the
not-so-elite bad guys, but they also let us good guys know what they're up
to. All in all, it's kind of valuable."

=====================================================