Great Firewall of China to come down

CHINESE authorities are considering dismantling the legendary Great Firewall of China, at least while the Olympics are running.

Wang Hui, head of media relations for the organising committee said that plans to tear down the Great Firewall of China were being debated and a decision was expected soon.

He hinted that this was one of the ways that the Olympics may promote progress in China and would be in place when 20,000 foreign journalists planning to cover the Games show up.

It could be a bit embarrassing for China if BBC hacks cannot access their website to file stories because that news site is banned.

We have not heard if anyone can read the INQ outside Hong Kong after a dark satanic rumour said that we were on the Chinese list of banned sites.

China is debating whether to relax control of the Internet during the Olympics, allowing access to banned websites such as the BBC, a spokeswoman for the organising committee said Tuesday.

Plans to tear down the so-called Great Firewall of China were being debated and a decision was expected soon, said Wang Hui, head of media relations for the organising committee.

"We are studying this now based on suggestions of some journalists and a study of the experiences of other countries, so during the Olympics there may be some changes," she said. "This is one of the ways the Olympics may promote progress in China."

China tightly polices cyberspace and Chinese web surfers see a stripped-down version of the Internet minus some news sites such as the BBC and those belonging to human rights groups or any other sites judged subversive by the country's communist rulers.

Wang said that changes were expected to be in place in time for the Olympics for the 20,000 foreign journalists planning to cover the Games.

"I believe you will be able to (access banned sites such as the BBC) but I can't give you a promise yet. The relevant government departments are still working on it," she said.

It was unclear whether Chinese citizens would benefit from the plan to reduce Internet oversight but wider reporting freedoms introduced for foreign journalists here last year have not been extended to domestic reporters.

From January 1, 2007, travel and interview restrictions were lifted on foreign journalists working in China in line with the country's undertaking to provide free access to the country for the media before and during the Games.


Vulnerability count falls in 2007

Internet Security Systems released a part of its X-Force 2007 Trend Statistics Report on Tuesday, showing an overall decrease in the number of vulnerabilities reported in 2007.

The report, which the security services division of IBM plans to release piecemeal, found that researchers reported 5.4 percent fewer vulnerabilities in 2007 compared to 2006. The drop marks the first decrease in reported flaws since 2000, according to a post on ISS's X-Force blog. The X-Force found that high-severity vulnerabilities increased by 28 percent year over year.

"The drop could represent an anomaly, a statistical correction or a new trend in the amount of disclosures," Kris Lamb, a security researcher at ISS's X-Force Labs, stated in the blog post. "Researchers could simply be focusing on the sometimes more difficult, high-priority finds."

The report is the second study of vulnerability trends that concluded that the total number of flaws has fallen. In October, Microsoft also noted a drop in the number of vulnerabilities reported in the first half of 2007 as well as an overall increase in the number of high-severity flaws found by researchers.

While flaw data from the National Vulnerability Database continues to note a rise in the number of vulnerabilities found in 2007, some flaws found in previous years are occasionally counted in the current year's tally, Jeff Jones, security strategy director for Microsoft, said in an interview last year. In addition, some vulnerabilities with a single Common Vulnerabilities and Exposures (CVE) identifier are counted more than once by the National Vulnerability Database, according to Jones.

The ISS report also found that the majority of critical vulnerabilities (20 of 28 flaws) found in 2007 in Internet Explorer were memory corruption issues, similar to 2006.


Europe still top source of spam

European spam networks have pumped out more unsolicited e-mail than those in the U.S. for the third month in a row, according to security vendor Symantec.

Symantec called this a "significant shift" in spam trends as, historically, compromised U.S. computers have been used to send spam, and many spammers have been U.S.-based.

Fredrik Sjostedt, one of Symantec's European product marketing managers, told ZDNet UK on Tuesday that Symantec suspects gangs are taking advantage of the increasing European broadband market.

"The penetration of broadband is tremendous in Europe," Sjostedt said. "We've now clearly overtaken the U.S. in sending spam."

Symantec also believes many spammers are now based in Europe. "Historically the majority of spammers were U.S.-based, but now we're seeing a lot of Eastern European and Russian spam gangs active. Spammers tend to use closer turf as a jump off point," Sjostedt said.

More broadband means compromised computers can send spam faster, while gangs are increasingly becoming organized, said the Symantec manager.

"We've moved away from traditional, individual spammers, to loosely tied groups of spam senders, malware coders, and people selling access to botnets," Sjostedt said.

The largest botnet sending spam originated with the Storm worm, Sjostedt said. Storm is a network of compromised computers with sophisticated attack and defense mechanisms, including "fast-flux" command and control servers, which frequently change location.

"Storm is the most prevalent distribution method" for spam, Sjostedt said. While most spam relays are in Europe, botnets are global phenomena, he pointed out.


Religious minorities face Real ID crackdown

No television, no wedding or family photographs, and definitely no image of herself on her driver's license: That was the devout Christian life that Nebraska resident Frances Quaring was trying to lead.

Which is why, after the state of Nebraska rejected her request for a license-without-a-photograph in the mid-1980s, Quaring sued the state in a landmark case that ended up at the U.S. Supreme Court. She won, with the justices agreeing that preserving her freedom of religion outweighed the state's interest in requiring an ID photograph.

More than two decades after the Quaring case, approximately a dozen states now offer religious exceptions when issuing driver's licenses. But because of a federal law called the Real ID Act that takes effect on May 11, residents of those states who have pictureless licenses could expect problems flying on commercial airliners and entering federal buildings, including some Social Security and Veterans Affairs offices.

The new rules could affect thousands of Americans in states including Nebraska, Pennsylvania, Oregon, Minnesota, Kansas, Arkansas, and Indiana. Religious groups including some Amish, Old Order Mennonites, Muslims, members of Native American faiths, and fundamentalist Christians object to identification cards bearing their photographs--or, in some cases, even showing their unshrouded faces in public.

The American Civil Liberties Union, which has criticized Real ID on numerous grounds, says it has received complaints about the law's rigidity toward religious groups and is "exploring all options," including a legal challenge to the law.

"We are deeply concerned that Real ID and the associated regulations intrude on the religious liberty of many Americans who for reasons of faith wear head coverings or object entirely to having their photo taken," said Daniel Mach, director of litigation for the ACLU Program on Freedom of Religion and Belief. "The faithful shouldn't have to choose between a driver's license and their religious beliefs."

Under Real ID, there's no obvious wiggle room for Americans who object to facial photograph requirements on religious grounds. The lengthy new regulations released by the U.S. Department of Homeland Security last month set minimum standards for state-issued driver's licenses and IDs, among which is a "full facial digital photograph" that adheres to specific federal requirements.

This could pose real problems for some residents of states with a history of allowing the devout to obtain valid driver's licenses without photographs in an attempt to accommodate religious beliefs. Still more states have enacted laws known as "religious freedom restoration acts," which more broadly allow for accommodation of religious beliefs in the face of government regulations.

"My understanding is that the Real ID legislation takes that option away from states," said Steve Nolt, a history professor at Goshen College who has studied Amish interaction with government regulations in recent decades.

For some Christians, Quaring included, one source of religious objections to Real ID comes from the Christian Bible's Second Commandment, which in one translation says: "You shall not make for yourself an idol in the form of anything in heaven above or on the earth beneath or in the waters below."

Homeland Security justifies its mandates by saying a facial photograph "serves important security purposes." Its stated goal through Real ID--approved unanimously by the Senate and overwhelmingly by the House of Representatives as part of a "Global War on Terror" bill--is to improve driver's license security and thereby handicap terrorists, identity thieves, and illegal immigrants.

"Given these security concerns and the clear statutory mandate, DHS believes that a driver's license or identification card issued without a photograph could not be issued as a Real ID-compliant driver's license or identification card," the agency says.

Translated, that means in just over three months, federal agencies may no longer accept those "noncompliant driver's licenses" for Americans who are boarding a commercial airplane or entering a federal building. In addition, Homeland Security can add other requirements--one Homeland Security official recently suggested Real ID could be required to buy certain cold medicines--without consulting Congress first.

The lack of flexibility is troubling to Herman Bontrager, the secretary-treasurer of the National Committee for Amish Religious Freedom. His all-volunteer group has met at least twice with Homeland Security officials to try to seek a compromise, and it's also talking with some members of Congress, as the Amish don't generally file lawsuits. They've had "congenial" conversations that discussed alternative possibilities for verifying identity--the Amish are amenable to fingerprints instead of photographs, he said--but no actual progress has been made so far.

The photo ID requirement has already raised practical concerns in recent years, particularly because of the newly instated passport requirement for crossing into Mexico and Canada, where the Amish often travel to visit family or seek medical treatment, Bontrager said. Because the Amish don't fly on airplanes, most do not have passports, he said, adding that he worried the Real ID requirements could make it less convenient for them to access federal buildings. Without a photo-equipped license, they won't be able to visit some Social Security offices, for instance.

"I think the Amish appreciate the conversations and the access to Homeland Security people, but we're now getting down to the implementation phase," said Bontrager, a Lancaster County, Penn., resident who runs an insurance company inspired by Biblical principles. "Each step in the rulemaking progress, we provide comment, and so on and never get any response. We have not yet seen any evidence that they're willing to make accommodations or provide options."

Real ID could be the latest skirmish in years of legal battles between states and the federal government over religious freedom laws. Until 1990, U.S. law said that the government has to show a "compelling interest" in order to succeed in limiting a person's free exercise of religion, as evidenced in the Quaring case. But then came a U.S. Supreme Court case called Employment Division v. Smith, which concluded that if a rule is neutral and isn't designed to target a particular religion, then it may pass constitutional muster.

In a response to critics of that decision, Congress enacted a law called the Religious Freedom Restoration Act, which attempted to shift more of the burden back to the government in winning such cases. It said: "Government shall not substantially burden a person's exercise of religion" except in limited circumstances. That law, however, was partially gutted by the Supreme Court, which ruled Congress had overstepped its boundaries by applying that rule to the states, prompting many states to enact their own versions of the law.

What's relevant to the new Real ID rules, however, is that the Religious Freedom Restoration Act does still appear to apply to federal laws and rules, said the ACLU's Mach. If the ACLU does challenge Real ID, it plans to make its case using that law.

Whether such a challenge would be successful is another question.

Because Homeland Security appears to have a fairly narrow requirement--that is, that a driver's license applicant's face be uncovered--the government would likely be able to argue that it's pursuing its security-related goals in the narrowest possible way, said Seval Yildirim, director of the Center for International and Comparative Law at Whittier Law School in California.

"In other words, this is not an outright prohibition on all religious clothing or covering, but only those that prevent the state from identifying the individual," said Yildirim, who is defending a Muslim police officer in Philadelphia who was prohibited from wearing her head scarf while in uniform and on the job.

A few years ago, the ACLU of Florida lost a case in which the state revoked a devout Muslim woman's license because, after a later review, the state decided she may not wear a veil that covered most of her face. The ACLU argued that such a practice violated Florida's version of the Religious Freedom Restoration Act, but state courts ruled that the government's security concerns outweighed Freeman's religious freedom. Critics said the decision reflected a post-9/11 mentality that's less permissive of religious liberties.

Even though only some Muslims could be affected by the Real ID rules, it's a "significant minority," said Ibrahim Ramey, director of the human and civil rights division of the Muslim American Society Freedom Foundation. Ramey estimated that about 80 percent of Muslim women wear headscarves and about 10 percent also don a niqab, or face veil.

Organizations like his would "certainly be willing" to sign onto legal action with other civil liberties groups against the rules, Ramey said. (The Muslim American Society also has broader concerns about Real ID's implications for undocumented immigrants.)

"I would argue again that the benefit of religious accommodation far outweighs what some people might perceive as the drawback or the problematic nature of doing it," Ramey said in a telephone interview. "I don't think it's something...that will involve anything close to a large plurality of Muslim women, but for any woman that chooses to wear the covering, it ought to be something that's respected and accommodated by the larger society, particularly if there's no evidence of criminal intent."


Skype squishes cross-zone scripting bug

Skype has fixed a cross-zone scripting weakness in its voice over IP client software which spawned a couple of security bugs over recent weeks.

Problems have arisen for Windows users because Skype uses Internet Explorer web controls to render internal and external HTML pages.

Skype is running these web controls in Local Zone and, worse, accessing HTML pages in an unlocked Local Zone mode, an approach that opens the door to so-called cross-zone scripting exploits.

For example, the use of vulnerable controls made it possible to inject a malicious script into the "Add video to chat" dialogue on video-sharing sites such as Skype partner DailyMotion. Skype was initially obliged to block the feature after the vulnerability was discovered last month.

A similar vulnerability in the SkypeFind feature, which lets users recommend businesses to others running the VoIP client, also stemmed from the same underlying cross-zone scripting weakness. Skype patched the feature when the SkypeFind problem came up last week, but the underlying issue remained.

Tuesday brought the arrival of a more complete fix that addresses the underlying architectural weakness involved in both the SkypeFind and DailyMotion security flaps.

Skype said it fixed the core vulnerability by setting IE control security context to Internet Zone (instead of local zone, as previously implemented). Windows users need to update to Skype for Windows version 3.6.*.248 or later, as explained in an advisory here.

More background on cross-zone scripting vulnerabilities can be found in postings by security researcher Aviv Raff, who's kept a close watching brief on the issue over recent weeks.


Federal agencies miss deadline on secure configs

The initiative, known as the Federal Desktop Core Configuration (FDCC), mandates that all U.S. federal agencies lock down their general-use desktop computers using a set of more secure settings. Created by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS) and the Department of Defense (DOD), the five standard configurations apply to Microsoft's Windows XP, Windows Vista, the firewall software included with the two operating systems, and Internet Explorer 7.

While the U.S. Office of Management and Budget set February 1 as the deadline for complying with the FDCC, few of the agencies represented at a recent meeting of 1,700 federal information-technology workers expected to make the deadline.

"One agency (representative) stood up and said we are there today -- the other agencies shared their challenges in complying," said Stephen Quinn, a computer scientist with the National Institute of Standards and Technology (NIST).

The Federal Desktop Core Configuration initiative builds upon a project begun by the U.S. Air Force in 2004, when the military service branch required that all Windows computers conform to one of three different configurations. While improving desktop security was the primary motivation for the program, the Air Force ended up cutting 30 percent from its information-technology management budget after completing the initiative.

In March 2007, the Office of Management and Budget mandated that a similar program be adopted government wide and set February 1 as the deadline for compliance.

"It is critical for all Federal agencies to put in place the proper governance structure with appropriate policies to ensure a very small number of secure configurations are allowed to be used," Clay Johnson, deputy director for management at the OMB, wrote in a March 27 memorandum (pdf), adding that among the benefits "information is more secure, overall network performance is improved, and overall operating costs are lower."

The Federal Desktop Core Configuration consists of more than 700 settings designed to minimize the number of potential entry points -- also known as the "attack surface area" -- of the operating system. A specific Windows XP or Windows Vista computer will generally have to abide by three of the configurations: one locking down the operating system, another hardening the firewall and a third securing Internet Explorer 7. The FDCC restricts software such as instant messaging and file-sharing clients, and requires that wireless hardware be turned off by default.

However, at the FDCC Implementers Workshop held in late January, the vast majority of agencies had not reached 100 percent compliance, according to attendees interviewed by SecurityFocus. Most agencies have complied with 95 percent to 98 percent of the required settings in the configuration, Shelly Bird, architect in Microsoft's Consulting Services for the U.S. Public Sector, said in an e-mail interview.

"Customers that have decentralized purchasing, little to no central control of their systems, and have their typical users used to running with Local Administrator instead of the recommended User rights, are the ones who have the most work to do,"
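The article describes compliance as a percentage of required settings met (95 to 98 percent at most agencies) and singles out users running as Local Administrator as the biggest gap. The following script, an added example that is not part of the article and not NIST, OMB or Microsoft tooling, shows how such a figure is produced: a baseline of expected values is compared against a settings dump from one desktop, and every setting that deviates or is simply absent is reported. The ten baseline entries, their names, and the `name=value` dump format are all constructed stand-ins; the real FDCC is distributed as SCAP checklists and Group Policy objects with far more entries.

```python
"""Baseline compliance check in the style of an FDCC-type desktop lockdown.

Added example, not the article's code and not official FDCC tooling. The
baseline entries, setting names and the dump format are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Setting:
    name: str        # constructed identifier, not a real FDCC setting name
    expected: str    # value the baseline requires
    component: str   # which of the three configurations it belongs to: "os", "firewall", "ie7"


# Constructed baseline: ten illustrative settings, not FDCC's real 700+.
BASELINE = (
    Setting("os.autorun_disabled", "1", "os"),
    Setting("os.guest_account_enabled", "0", "os"),
    Setting("os.wireless_adapter_enabled", "0", "os"),
    Setting("os.interactive_user_is_local_admin", "0", "os"),
    Setting("os.instant_messaging_allowed", "0", "os"),
    Setting("firewall.domain_profile_enabled", "1", "firewall"),
    Setting("firewall.public_profile_enabled", "1", "firewall"),
    Setting("firewall.inbound_default_action", "block", "firewall"),
    Setting("ie7.internet_zone_activex_unsigned", "disable", "ie7"),
    Setting("ie7.protected_mode", "1", "ie7"),
)


def parse_settings_dump(text):
    """Parse a one-'name=value'-per-line dump (constructed format) into a dict.

    Blank lines and '#' comments are ignored; a malformed line raises so a
    truncated export is not silently scored as 'missing everything'."""
    observed = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected name=value, got {raw!r}")
        name, value = line.split("=", 1)
        observed[name.strip()] = value.strip()
    return observed


def check_compliance(baseline, observed):
    """Compare observed settings with the baseline.

    A setting that is absent from the dump counts as non-compliant: an unset
    value is not a locked-down one. Returns failing settings (with expected
    and observed values), missing settings, per-component pass counts, and
    the overall compliance percentage."""
    failing, missing = [], []
    per_component = {}
    for s in baseline:
        comp = per_component.setdefault(s.component, {"passed": 0, "total": 0})
        comp["total"] += 1
        if s.name not in observed:
            missing.append(s.name)
        elif observed[s.name] != s.expected:
            failing.append((s.name, s.expected, observed[s.name]))
        else:
            comp["passed"] += 1
    passed = sum(c["passed"] for c in per_component.values())
    percent = round(100.0 * passed / len(baseline), 1) if baseline else 0.0
    return {"failing": failing, "missing": missing,
            "per_component": per_component, "percent": percent}


# Constructed dump from a hypothetical desktop: the interactive user is a
# local administrator, and the IE7 protected-mode entry was never exported.
SAMPLE_DUMP = """
# exported by a hypothetical inventory agent (constructed)
os.autorun_disabled=1
os.guest_account_enabled=0
os.wireless_adapter_enabled=0
os.interactive_user_is_local_admin=1
os.instant_messaging_allowed=0
firewall.domain_profile_enabled=1
firewall.public_profile_enabled=1
firewall.inbound_default_action=block
ie7.internet_zone_activex_unsigned=disable
"""


def sample_report():
    """Score the constructed dump against the constructed baseline."""
    return check_compliance(BASELINE, parse_settings_dump(SAMPLE_DUMP))


if __name__ == "__main__":
    rep = sample_report()
    print(f"compliance: {rep['percent']}%")
    for name, want, got in rep["failing"]:
        print(f"  FAIL    {name}: expected {want}, observed {got}")
    for name in rep["missing"]:
        print(f"  MISSING {name}")
```

Treating a missing setting as a failure rather than skipping it is the choice that matters for the headline number: an agent that cannot read a value should lower the score, not inflate it.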


FBI wants palm prints, eye scans, tattoo mapping

The FBI is gearing up to create a massive computer database of people's physical characteristics, all part of an effort the bureau says to better identify criminals and terrorists.

But it's an issue that raises major privacy concerns -- what one civil liberties expert says should concern all Americans.

The bureau is expected to announce in coming days the awarding of a $1 billion, 10-year contract to help create the database that will compile an array of biometric information -- from palm prints to eye scans.

Kimberly Del Greco, the FBI's Biometric Services section chief, said adding to the database is "important to protect the borders to keep the terrorists out, protect our citizens, our neighbors, our children so they can have good jobs, and have a safe country to live in."

But it's unnerving to privacy experts.

"It's the beginning of the surveillance society where you can be tracked anywhere, any time and all your movements, and eventually all your activities will be tracked and noted and correlated," said Barry Steinhardt, director of the American Civil Liberties Union's Technology and Liberty Project.

The FBI already has 55 million sets of fingerprints on file. In coming years, the bureau wants to compare palm prints, scars and tattoos, iris eye patterns, and facial shapes. The idea is to combine various pieces of biometric information to positively identify a potential suspect.

A lot will depend on how quickly technology is perfected, according to Thomas Bush, the FBI official in charge of the Clarksburg, West Virginia, facility where the FBI houses its current fingerprint database.

"Fingerprints will still be the big player," Bush, assistant director of the FBI's Criminal Justice Information Services Division, told CNN.

But he added, "Whatever the biometric that comes down the road, we need to be able to plug that in and play."

First up, he said, are palm prints. The FBI has already begun collecting images and hopes to soon use these as an additional means of making identifications. Countries that are already using such images find 20 percent of their positive matches come from latent palm prints left at crime scenes, the FBI's Bush said.

The FBI has also started collecting mug shots and pictures of scars and tattoos. These images are being stored for now as the technology is fine-tuned. All of the FBI's biometric data is stored on computers 30-feet underground in the Clarksburg facility.

In addition, the FBI could soon start comparing people's eyes -- specifically the iris, or the colored part of an eye -- as part of its new biometrics program called Next Generation Identification.

Nearby, at West Virginia University's Center for Identification Technology Research, researchers are already testing some of these technologies that will ultimately be used by the FBI.

"The best increase in accuracy will come from fusing different biometrics together," said Bojan Cukic, the co-director of the center.

But while law enforcement officials are excited about the possibilities of these new technologies, privacy advocates are upset the FBI will be collecting so much personal information.

"People who don't think mistakes are going to be made I don't think fly enough," said Steinhardt.

He said thousands of mistakes have been made with the use of the so-called no-fly lists at airports -- and that giving law enforcement widespread data collection techniques should cause major privacy alarms.

"There are real consequences to people,"

You don't have to be a criminal or a terrorist to be checked against the database. More than 55 percent of the checks the FBI runs involve criminal background checks for people applying for sensitive jobs in government or jobs working with vulnerable people such as children and the elderly, according to the FBI.

The FBI says it hasn't been saving the fingerprints for those checks, but that may change. The FBI plans a so-called "rap-back" service in which an employer could ask the FBI to keep the prints for an employee on file and let the employer know if the person ever has a brush with the law. The FBI says it will first have to clear hurdles with state privacy laws, and people would have to sign waivers allowing their information to be kept.

Critics say people are being forced to give up too much personal information. But Lawrence Hornak, the co-director of the research center at West Virginia University, said it could actually enhance people's privacy.

"It allows you to project your identity as being you," said Hornak. "And it allows people to avoid identity theft, things of that nature."

There remains the question of how reliable these new biometric technologies will be. A 2006 German study looking at facial recognition in a crowded train station found successful matches could be made 60 percent of the time during the day. But when lighting conditions worsened at night, the results shrank to a success rate of 10 to 20 percent.

As work on these technologies continues, researchers are quick to admit what's proven to be the most accurate so far. "Iris technology is perceived today, together with fingerprints, to be the most accurate," said Cukic.

But in the future all kinds of methods may be employed. Some researchers are looking at the way people walk as a possible additional means of identification.

The FBI says it will protect all this personal data and only collect information on criminals and those seeking sensitive jobs.

The ACLU's Steinhardt doesn't believe it will stop there.

"This had started out being a program to track or identify criminals," he said. "Now we're talking about large swaths of the population -- workers, volunteers in youth programs. Eventually, it's going to be everybody."


Veracode hunts for backdoors in outsourced code

On-demand application security testing firm Veracode has added detection for backdoors and malicious code to its services. The addition aims to tap into concerns about the integrity of code developed by outsourced contractors.

Veracode’s SecurityReview provides application code review as an online subscription-based service. Clients submit compiled binaries, which Veracode analyses with its own models to look for security problems. Unlike conventional code review schemes, the service works without looking at the source code of applications.

The firm, which began trading last year after being spun out by Symantec from its @stake acquisition, is targeting independent software developers and financial sector firms with a service designed to improve the security quality of applications without the need to hand over precious bodily fluids intellectual property in the form of source code. The service is applicable whether a firm is developing applications internally, purchasing software or integrating code from partners.

As the complexity of modern software applications increases, with programs assembled from reusable binary components (libraries), security problems are increasingly likely to slip through quality assurance procedures (assuming any are in place). Veracode's pitch is that its service allows clients to screen for problems at a fraction of the price of manual code review. Veracode’s SecurityReview identifies software flaws introduced through either coding errors or malicious intent using binary code and dynamic web analysis techniques. It competes with firms such as Fortify Software.

The addition of backdoor detection capability is designed to boost the appeal of the service, which remains primarily about identifying regular security bugs. The term "backdoor" covers a lot of potential "hidden threats". According to Veracode, backdoors fall into four categories, as follows:

* Special Credential Backdoors – Involve the hard coding of logic and special credentials into program code. The functions are commonly inserted by developers for either customer support or for debugging. If discovered, attackers can use the short-cuts as a backdoor.
* Hidden Functionality Backdoors – Routines that allow authentication procedures to be bypassed, sometimes the result of leftover debug code.
* Rootkits – Functions that hide the presence of what may turn out to be a backdoor.
* Unintended Network Activity – A common characteristic of backdoors where applications may be found to listen on undocumented ports, make outbound connections to establish a command and control channel, or leak sensitive information over the network via SMTP, HTTP, UDP, ICMP, or other protocols. Occasionally this may be an intended support feature, but it can carry security and privacy risks and therefore ought to be detected.
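Three of the four categories above leave traces that a reviewer without source code can still look for: a special credential has to be stored somewhere in the binary, leftover debug switches usually have names, and an undocumented listener or outbound endpoint usually carries a literal host or port. The script below is an added example, not Veracode's code and not how SecurityReview works; it does the cheapest possible first pass, string extraction followed by pattern matching, and checks any network literal against an allowlist of what the product's documentation says it talks to. The sample binary, the `example.invalid` hostname, the port and the regular expressions are all constructed; rootkit behaviour is omitted because it is not visible to a string scan.

```python
"""Heuristic triage of a compiled binary for three of the backdoor
categories listed above. Added example, not Veracode's tooling; the
sample bytes and patterns are constructed."""
import re

# Constructed patterns, one per category. They are deliberately narrow:
# a credential prompt such as "Enter password: " has no value after the
# separator and therefore does not match CREDENTIAL_RE.
CREDENTIAL_RE = re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret|api[_-]?key)\s*[=:]\s*\S+")
HIDDEN_FUNC_RE = re.compile(r"(?i)\b(?:skip[-_]?auth|bypass[-_]?auth|no[-_]?auth|debug[-_]?backdoor)\b")
URL_RE = re.compile(r"https?://([^/\s:]+)")
PORT_RE = re.compile(r":(\d{1,5})(?![\d.])")   # host:port, but not the dots of an IP


def extract_strings(blob, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def scan_binary(blob, declared_hosts=frozenset(), declared_ports=frozenset()):
    """Classify suspicious strings in blob.

    declared_hosts / declared_ports are the endpoints the product documents;
    any other URL host or host:port literal is reported as unintended network
    activity for a human to confirm. Returns {category: [evidence strings]}."""
    findings = {"special_credential": [], "hidden_functionality": [], "unintended_network": []}
    for s in extract_strings(blob):
        if CREDENTIAL_RE.search(s):
            findings["special_credential"].append(s)
        if HIDDEN_FUNC_RE.search(s):
            findings["hidden_functionality"].append(s)
        undeclared_host = any(h.lower() not in declared_hosts for h in URL_RE.findall(s))
        undeclared_port = any(0 < int(p) <= 65535 and int(p) not in declared_ports
                              for p in PORT_RE.findall(s))
        if undeclared_host or undeclared_port:
            findings["unintended_network"].append(s)
    return findings


# Constructed stand-in for a compiled binary: a fake header, two benign
# strings, one documented endpoint, and one planted string per category.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Usage: app [options]\x00"
    + b"Enter password: \x00"
    + b"https://updates.example.invalid:443/check\x00"   # documented endpoint
    + b"admin_override_password=Sup3r\x00"               # special credential
    + b"--debug-skip-auth\x00"                           # hidden functionality
    + b"bind 0.0.0.0:31337\x00"                          # undocumented listener
    + b"\x00" * 16
)
DECLARED_HOSTS = frozenset({"updates.example.invalid"})
DECLARED_PORTS = frozenset({443})


def sample_findings():
    """Run the scan over the constructed binary with its documented endpoints."""
    return scan_binary(SAMPLE_BINARY, DECLARED_HOSTS, DECLARED_PORTS)


if __name__ == "__main__":
    for category, evidence in sample_findings().items():
        print(category)
        for s in evidence:
            print("   ", s)
```

The allowlist is what keeps the network check useful: the documented update endpoint on port 443 produces no finding, so the one listener the documentation never mentioned is the only network item a reviewer has to look at. Everything this flags still needs a human to decide whether it is an intended support feature, which is the same caveat the article attaches to the category.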

Automatic detection of software vulnerabilities or malicious code is something of a Holy Grail for the security industry. Simply submitting Windows Vista, for example, to analysis by Veracode’s SecurityReview is not going to unearth every potential security problem. Chris Wysopal, CTO of Veracode and former high profile member of hacker collective L0pht Heavy Industries, told El Reg: "This is no silver bullet. We are not suggesting firms throw away threat modeling, dynamic testing or other elements of their security development lifecycle.

"Our service provides visibility into code, allowing organisations who haven't looked for problems before to add security to their development lifecycle."

Conventional code review processes commonly involve inspecting source code. PGP, for example, bases its promises that its encryption software is free of backdoors on the availability of its source code.

Veracode argues testing application binaries is effective as a security validation technique because binary (compiled code) represents the actual attack surface for the hacker. However, it also states that backdoors inserted in open source software might be detected in a matter of weeks whereas backdoors in commercial "closed source" applications might remain undetected for years, a factor that suggests the publication of source code improves security.

However, source code-only analysis runs into problems in the world of proprietary software, because even if you have access to the secret sauce you might not have access to the code of third-party libraries. Veracode claims a lack of access to source code doesn't hamper its efforts.

"Our service provides the same accuracy rates as source code tools. Even source code going through translation,"


Spammers unleash January email flood

Spam figures for January have bucked the seasonal trend, according to Symantec.

The security firm's State of Spam report found that January spam levels were almost identical to December's, accounting for 78.5 per cent of all email traffic during the month.

"While logic would dictate that spam levels would subside after the holidays, they have continued to soar," said the report.

Symantec estimated that 28 per cent of the spam emails collected were for consumer products such as electronic devices and clothing. An additional 23 per cent were for internet services and software.

Financial scams accounted for 10 per cent of spam, while fraud/phishing emails accounted for six per cent.

Europe continued to expand its lead over the US as the source of spam emails during January.

"The percentage of spam that claimed to originate from Europe is now significantly greater than from North America," said the report.

"Approximately 44 per cent of all spam email now claims to originate from Europe compared to 35.1 per cent from North America."

Symantec warned that the current wave of attacks is targeting seasonal events such as Valentine's Day and the US tax deadline.


'Crash tested' e-voting machines spread doubt on Super Tuesday

In the Democratic and Republican primaries being held today, voters from 24 states will cast ballots for presidential candidates, making it the biggest "Super Tuesday" in US history.

But this election day comes with a much more dubious distinction: mistrust of the electronic equipment that will be used to tally many of the votes is higher than ever, computer and political experts say. Doubts about e-voting are no longer the esoteric stuff of geeks and conspiracy theorists. For perhaps the first time, they have become a mainstream obsession.

"In 2002 and 2003, I had trouble getting any credibility in the press or getting politicians to listen to me," says David Dill, a Stanford University computer science professor and a critic of electronic voting machines. "Now, the tide has definitely turned, and the momentum is against e-voting. By and large, there is a perception that it is problematic."

According to a report issued by two voting advocacy groups, six of the 24 states holding primaries today are at a high risk of miscounting votes because of machines that malfunction or are tampered with. Five other states are rated at medium risk, according to Common Cause and Verified Voting Foundation.

The states rated to carry the most risk - which include New York, New Jersey and Arkansas - are those that use electronic voting machines that don't produce a paper record that can be used in an audit or recount. Those found to be a medium risk use machines that provide a so-called voter-verified paper record but don't require audits that check for the accuracy of e-voting gear.

The widespread doubts about e-voting follow last year's release of reports prepared by elections officials in California and Ohio that found critical vulnerabilities in all the machines currently in use. Among the findings:

* An un-patched Windows 2000 server used by systems made by Premier Election Systems (formerly Diebold) left them open to a host of documented vulnerabilities that could allow it to be controlled by an attacker.
* An undisclosed account in the software made by Hart InterCivic could allow an attacker to gain unauthorized access to officials' election management database.
* Physical locks in Sequoia's Edge system could be bypassed by unfastening screws.

Even before the reports were issued, voters had grown wary of e-voting after some highly improbable election results were recorded in a 2006 race in Florida's Sarasota County. Machines supplied by a company called Election Systems & Software (ES&S) showed that Republican Vern Buchanan edged out Democrat Christine Jennings by just 369 votes in the race for the state's 13th Congressional district. More than 18,000 of the ballots cast recorded no vote in the race, an "undervote" rate that was about nine times higher than other races. (Jennings has contested the results in court.)

Each report or event "has planted a question mark, or raised a little red flag in people's minds about whether we can trust the machines, and whether they will live up to the promises made about them," says David Wagner, a computer science professor at the University of California at Berkeley who participated in a top-to-bottom study of voting machines commissioned by California Secretary of State Debra Bowen. "Four years ago, this only got attention from really obscure corners."

Elections officials in California, Ohio, Florida and Colorado have all either scrapped touch-screen voting or placed tough new limits on its use. While critics of e-voting have generally applauded the moves, not everyone is happy.

"The efforts, especially in California and Colorado and Ohio, have been to cast doubts and aspersions on the electronic voting equipment by the very tests that were conducted," says Stephen Weir, the County Clerk of California's Contra Costa County and the head of the California Association of Clerks and Election Officials. "We feel that was grossly unfair and really designed with a conclusion in mind, and that was to decertify the voting systems."

In Weir's mind, California's study was akin to the crash tests car makers perform on new models before they are delivered to consumers. Laboratory scientists strap a dummy into a vehicle that's had its brakes disconnected and is sent hurtling into a brick wall.

"Yeah, the dummy is going to go through the windshield every time," he says. Just like the crash tests, he argues, the e-voting studies didn't take into account the real-world protections that are provided by things like security workers at polling places. "None of us had a chance to say: 'By the way, here's what it looks like when you have brakes, seat belts, et cetera,'" he complains.

It's a critique that's shared by some political science experts, including Henry Brady, another professor at UC Berkeley. While he remains concerned about electronic voting's susceptibility to equipment failure or tampering, he says those risks are being exaggerated to the exclusion of others.

One such risk few people pay attention to is the use of optical scanning machines that require ballots to be transported to a central office before being processed. That leaves them vulnerable to all kinds of tampering.

"We're so focused on the security issue that we've sometimes gotten rid of e-voting machines with paper trails... and replaced them with optical scan systems with a central count," he says.

Another overlooked problem, he says, is the confusing layout elections officials sometimes choose for paper or touch-screen ballots. Sarasota County's high undervote rate in the 2006 election was most likely the result of a ballot form that included two races on the same page, a mistake that could equally have been made using paper ballots.

Brady's suspicion may be correct. But because the ES&S machines used by Sarasota County didn't provide paper receipts showing how, or if, each person voted, it's hard to know for sure. And it's criticisms like these that are perhaps the most common refrain among e-voting opponents.

Son of Hanging Chad

When computers are the sole means used to register a vote, there's nothing tactile or otherwise to review later if anomalies are found. That's a deficiency that's largely not found with older methods of voting. Even during the hanging chad debacle of 2000, there were punch cards that could be inspected.

"These machines are an unnecessary risk," says Brian Chess, chief scientist at Fortify Software, a security company that supplied software that was used by officials in California, Ohio and Florida to analyze the source code of touch-screen machines. "They weren't developed with state-of-the-art security in mind or robustness in mind." (Fortify has offered to make its software available free of charge to voting officials throughout the country so they can independently analyze their systems.)

He says the experience companies like Diebold have gained in building highly secure automatic teller machines is of little value when designing e-voting machines. That's because the requirements for the two machines are vastly different. ATMs collect copious amounts of information about who is using the machine, exactly what was transacted and when. Touch-screen machines, by contrast, require that ballots be cast in secret.

In many respects, the move to e-voting is the result of the contested presidential election of 2000, which was settled only after a 5-4 vote along party lines by justices of the US Supreme Court. The controversy brought attention to the aging fleet of analog voting systems and affirmed voters' resolve for equipment that would be more dependable.

But for a growing number of people, the resulting reliance on computers represents a step backward, not only because they are perceived as more vulnerable to malfunctions and tampering but also because there's no easy way to know if the results they report are accurate.

"With e-voting, there's a greater danger that we could have a problem on a much wider scale," says Avi Rubin, a professor at Johns Hopkins University and a longtime critic of touch-screen voting machines. "If we have an e-voting system and you get a result that appears perfectly believable and is wrong, you would have no way of knowing that. We don't know, and that right there is cause for concern."


Antivirus firms, testers form standards group

Nearly two dozen companies announced on Monday the creation of an organization to set best practices and standards for the evaluation of antivirus software.

As previously reported by SecurityFocus, more than 40 researchers met in Bilbao, Spain, last month to finalize the details of the group, dubbed the Anti-Malware Testing Standard Organization (AMTSO). The members of the group -- which include antivirus firms, testing labs, and security companies -- create guidelines for the testing of software and act as a forum to analyze current anti-malware tests.

"As anti-malware solutions become more complex, many existing tests are unable to evaluate product effectiveness properly, resulting in product reviews that are sometimes incomplete, inaccurate and misleading," the group stated on its Web site. "AMTSO is focused on addressing the global need for improvement in the objectivity, quality and relevance of testing methodologies."

The founding of a group focused on testing standards comes 18 months after antivirus companies criticized independent product tester Consumer Reports for grading their products' performance against test data that included 5,500 newly created virus variants. The antivirus companies questioned the reasoning that led to a testing lab writing viruses, while other security researchers argued that it's reasonable to measure the performance of antivirus software against previously unknown threats.

The founding members of the group are ALWIL Software, AV-Comparatives, AV-Test.org, AVG Technologies, Avira GmbH, Bit9, BitDefender, Dr. Web, Ltd., ESET, F-Secure, G DATA Software, Hispasec Sistemas, IBM, Kaspersky Lab, McAfee, Microsoft, Norman ASA, Panda Security, PC Tools, Sana Security, Secure Computing, Sophos, Symantec (the owner of SecurityFocus), Trend Micro, and Virusbuster.

"Traditional tests are becoming increasingly irrelevant as they fail to take into account the new technologies built into security solutions," Stuart Taylor, research manager for Sophos, said in a statement. "One of AMTSO's objectives is to help drive better real-world tests for everyone, which will benefit all computer users looking for the highest level of protection."

The group is open to members from testing labs, antivirus companies, academia, and media reviewers.


The legislation behind a national ID

Real ID became law not through the usual legislative process, but instead as part of a mammoth Iraq spending and Asian tsunami bill, the "Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005."
The following is the full, unedited text of the bill:

TITLE II--IMPROVED SECURITY FOR DRIVERS' LICENSES AND PERSONAL IDENTIFICATION CARDS

SEC. 201. DEFINITIONS

In this title, the following definitions apply:

(1) DRIVER'S LICENSE--The term "driver's license" means a motor vehicle operator's license, as defined in section 30301 of title 49, United States Code.

(2) IDENTIFICATION CARD--The term "identification card" means a personal identification card, as defined in section 1028(d) of title 18, United States Code, issued by a State.

(3) OFFICIAL PURPOSE--The term "official purpose" includes but is not limited to accessing Federal facilities, boarding federally regulated commercial aircraft, entering nuclear power plants, and any other purposes that the Secretary shall determine.

(4) SECRETARY--The term "Secretary" means the Secretary of Homeland Security.

(5) STATE--The term "State" means a State of the United States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, the Trust Territory of the Pacific Islands, and any other territory or possession of the United States.

SEC. 202. MINIMUM DOCUMENT REQUIREMENTS AND ISSUANCE STANDARDS FOR FEDERAL RECOGNITION

(a) Minimum Standards for Federal Use

(1) IN GENERAL--Beginning 3 years after the date of the enactment of this division, a Federal agency may not accept, for any official purpose, a driver's license or identification card issued by a State to any person unless the State is meeting the requirements of this section.

(2) STATE CERTIFICATIONS--The Secretary shall determine whether a State is meeting the requirements of this section based on certifications made by the State to the Secretary. Such certifications shall be made at such times and in such manner as the Secretary, in consultation with the Secretary of Transportation, may prescribe by regulation.

(b) Minimum Document Requirements--To meet the requirements of this section, a State shall include, at a minimum, the following information and features on each driver's license and identification card issued to a person by the State:

(1) The person's full legal name.

(2) The person's date of birth.

(3) The person's gender.

(4) The person's driver's license or identification card number.

(5) A digital photograph of the person.

(6) The person's address of principle residence.

(7) The person's signature.

(8) Physical security features designed to prevent tampering, counterfeiting, or duplication of the document for fraudulent purposes.

(9) A common machine-readable technology, with defined minimum data elements.

(c) Minimum Issuance Standards.

(1) IN GENERAL--To meet the requirements of this section, a State shall require, at a minimum, presentation and verification of the following information before issuing a driver's license or identification card to a person:

(A) A photo identity document, except that a non-photo identity document is acceptable if it includes both the person's full legal name and date of birth.

(B) Documentation showing the person's date of birth.

(C) Proof of the person's social security account number or verification that the person is not eligible for a social security account number.

(D) Documentation showing the person's name and address of principal residence.

(2) SPECIAL REQUIREMENTS

(A) IN GENERAL--To meet the requirements of this section, a State shall comply with the minimum standards of this paragraph.

(B) EVIDENCE OF LAWFUL STATUS--A State shall require, before issuing a driver's license or identification card to a person, valid documentary evidence that the person--

(i) is a citizen or national of the United States;

(ii) is an alien lawfully admitted for permanent or temporary residence in the United States;

(iii) has conditional permanent resident status in the United States;

(iv) has an approved application for asylum in the United States or has entered into the United States in refugee status;

(v) has a valid, unexpired nonimmigrant visa or nonimmigrant visa status for entry into the United States;

(vi) has a pending application for asylum in the United States;

(vii) has a pending or approved application for temporary protected status in the United States;

(viii) has approved deferred action status; or

(ix) has a pending application for adjustment of status to that of an alien lawfully admitted for permanent residence in the United States or conditional permanent resident status in the United States.

(C) TEMPORARY DRIVERS' LICENSES AND IDENTIFICATION CARDS

(i) IN GENERAL--If a person presents evidence under any of clauses (v) through (ix) of subparagraph (B), the State may only issue a temporary driver's license or temporary identification card to the person.

(ii) EXPIRATION DATE--A temporary driver's license or temporary identification card issued pursuant to this subparagraph shall be valid only during the period of time of the applicant's authorized stay in the United States or, if there is no definite end to the period of authorized stay, a period of one year.

(iii) DISPLAY OF EXPIRATION DATE--A temporary driver's license or temporary identification card issued pursuant to this subparagraph shall clearly indicate that it is temporary and shall state the date on which it expires.

(iv) RENEWAL--A temporary driver's license or temporary identification card issued pursuant to this subparagraph may be renewed only upon presentation of valid documentary evidence that the status by which the applicant qualified for the temporary driver's license or temporary identification card has been extended by the Secretary of Homeland Security.

(3) VERIFICATION OF DOCUMENTS--To meet the requirements of this section, a State shall implement the following procedures:

(A) Before issuing a driver's license or identification card to a person, the State shall verify, with the issuing agency, the issuance, validity, and completeness of each document required to be presented by the person under paragraph (1) or (2).

(B) The State shall not accept any foreign document, other than an official passport, to satisfy a requirement of paragraph (1) or (2).

(C) Not later than September 11, 2005, the State shall enter into a memorandum of understanding with the Secretary of Homeland Security to routinely utilize the automated system known as Systematic Alien Verification for Entitlements, as provided for by section 404 of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (110 Stat. 3009-664), to verify the legal presence status of a person, other than a United States citizen, applying for a driver's license or identification card.

(d) Other Requirements--To meet the requirements of this section, a State shall adopt the following practices in the issuance of drivers' licenses and identification cards:

(1) Employ technology to capture digital images of identity source documents so that the images can be retained in electronic storage in a transferable format.

(2) Retain paper copies of source documents for a minimum of 7 years or images of source documents presented for a minimum of 10 years.

(3) Subject each person applying for a driver's license or identification card to mandatory facial image capture.

(4) Establish an effective procedure to confirm or verify a renewing applicant's information.

(5) Confirm with the Social Security Administration a social security account number presented by a person using the full social security account number. In the event that a social security account number is already registered to or associated with another person to which any State has issued a driver's license or identification card, the State shall resolve the discrepancy and take appropriate action.

(6) Refuse to issue a driver's license or identification card to a person holding a driver's license issued by another State without confirmation that the person is terminating or has terminated the driver's license.

(7) Ensure the physical security of locations where drivers' licenses and identification cards are produced and the security of document materials and papers from which drivers' licenses and identification cards are produced.

(8) Subject all persons authorized to manufacture or produce drivers' licenses and identification cards to appropriate security clearance requirements.

(9) Establish fraudulent document recognition training programs for appropriate employees engaged in the issuance of drivers' licenses and identification cards.

(10) Limit the period of validity of all driver's licenses and identification cards that are not temporary to a period that does not exceed 8 years.

(11) In any case in which the State issues a driver's license or identification card that does not satisfy the requirements of this section, ensure that such license or identification card:

(A) clearly states on its face that it may not be accepted by any Federal agency for federal identification or any other official purpose; and

(B) uses a unique design or color indicator to alert Federal agency and other law enforcement personnel that it may not be accepted for any such purpose.

(12) Provide electronic access to all other States to information contained in the motor vehicle database of the State.

(13) Maintain a State motor vehicle database that contains, at a minimum:

(A) all data fields printed on drivers' licenses and identification cards issued by the State; and

(B) motor vehicle drivers' histories, including motor vehicle violations, suspensions, and points on licenses.


Trial for T5 mandatory biometrics kicks off at Heathrow

Quietly on Friday, Heathrow Airport recruited quantities of involuntary lab rats to test the fingerprint-based security/traffic control system planned for Terminal 5. The luckless pioneers were selected at Terminal 1, where biometrics are now being deducted from any domestic passengers wishing to visit the international lounge.

Unconvincingly, BAA claims that the security system is being used to identify passengers in order to stop them swapping tickets once they're in the departure lounge. Terminal 5, due to open later this year, will mix domestic and international passengers in a single lounge, and although Terminal 1 has two lounges, domestic passengers are allowed to use the international one. So they need separating too - how they've managed previously, we've really no idea.

The system being used was described by The Register a little over a year ago. When fully operational it will take biometrics from all passengers as they pass into the departure lounge, and match them up as they board the aircraft. The biometrics being taken are fingerprints and a digital photograph - not, as incorrectly reported elsewhere, iris scans.

According to BAA the biometrics data will not be passed on to other authorities and will be destroyed at the end of each day. This goes some way to making the system relatively harmless (although 'destroyed on boarding' would be better), so long as we believe them, and for as long as it takes before the government starts saying 'retention of records' and 'access for the security services.'

But let's just rewind to that bit about stopping passengers swapping tickets, and try to figure out how biometric ID could help. The basic pre-biometric system used at Heathrow and most other UK international airports is approximately as follows. Passengers check in, showing their tickets and passports. They pass through the security barriers, and on their way the bar code on their ticket is scanned. In the vicinity of the security barriers their passport may be checked, but recent Register observations indicate that this isn't always the case.

It's therefore perfectly possible that both passport checks, at check-in and boarding, are carried out by the airline's staff, and if online check-in is used, then the only check of the physical passport may be at the gate. It's also perfectly feasible that the passport is never checked for forgery, never has its barcode scanned, nor (for the new ones) has its chip read at any point in the process. Which may strike you as something other than progress towards the government's goal of counting everybody in and out, but no matter.

Whether or not you'd count the personal details filled in during online check-in as an ID check is perhaps debatable, but there is at least one ID check in the process, at the point of departure. So yes, you could get into the departure lounge on a domestic ticket and then switch to an international one, but you'd still need a passport (real or fake) to match the name on the ticket, and someone pretending to be you would have had to get them past security. Granted, future security systems may turn out to be tougher for international passengers and therefore there might be an advantage in ducking through the domestic departures gate, but the process of evasion seems sufficiently logistically challenging for one to doubt that an actual vulnerability exists, at least for passengers starting their journey at Heathrow.

BAA however explains that the actual vulnerability is solely a borders and immigration matter, and goes like this. An international passenger arrives at Heathrow as a transit passenger, then switches tickets to a domestic flight, thus evading UK immigration at Heathrow and arriving elsewhere in the UK as a domestic passenger. Which strikes us as one hell of a vulnerability in the routing of transit passengers (sheesh, don't they have security at Heathrow?), but one that could possibly be fixed by some means other than fingerprinting absolutely everybody who uses the place. Or the country, which is the longer-term goal.

Nor are other 'benefits' of the system particularly obvious. It allows you to know who has passed into the lounge, but you know that already from the barcode scan. It tells you when they've got onto the aircraft and who didn't make it, but you know that from the passenger list. And as you're not sharing the data with anybody else and torching it at the end of the day, there's no benefit there either. There might be a benefit if you were proposing to dispense with the ID check at the gate, because that might be faster - but what new vulnerabilities might you introduce there?


Chips pass two billion milestone

The first chip to pack more than two billion transistors has been launched by silicon giant Intel.

The quad-core chip, known as Tukwila, is designed for high-end servers rather than personal computers.

It operates at speeds of up to 2GHz, the equivalent of a standard PC chip.

It marks the latest milestone in chip technology; Intel released the first processor to contain more than one billion transistors in 2006.

"It's not revolutionary, it's another evolutionary step," said Malcolm Penn, an analyst at Future Horizons, of Tukwila.

Memory machine

The chip industry is driven by Moore's Law, originally articulated by Intel co-founder Gordon Moore in 1965.

The industry axiom states that the number of transistors it is possible to squeeze in to a chip for a fixed cost doubles every two years.

In 2004, the equivalent processor to Tukwila contained 592 million of the tiny switches.

Although the new chip packs more than 2 billion transistors it operates at a relatively modest speed of 2GHz, the equivalent of many PC chips.

Last year IBM released what was described as the "world's fastest commercial chip", which operates at 4.7GHz.

The dual-core Power6 processor contains just 790 million transistors.

A large number of the transistors on the new Intel chip are used for memory.

"[It] contains lots of onboard memory and registers which are just a very efficient computer architecture to process data faster," said Mr Penn.

Cache memory holds data to be processed by the chip. The closer it is to the processor, the quicker the data can be crunched.

"It's like the difference between getting food from the fridge, rather than from the corner shop," said Mr Penn.

"The very early microprocessors had no cache memory onboard - it was all off chip - and now they have as much as they can fit on within the chip size limitation," said Mr Penn. "That's an ongoing trend."

Tiny technology

The chip also bucks the trend seen in many modern processors of aiming for lower power consumption.

"That's very much a reflection of the market place demands," said Justin Rattner, chief technology officer of the firm.

He said that firms that used the chips demanded more performance and were willing to trade power to get it.

"These chips go into a quite a unique market place," he said.

The firm will also show off a chip designed for ultra-mobile devices, known as Silverthorne.

The processor is based on the firm's latest transistor technology, which contains features just 45 nanometres (billionths of a metre) wide.

Tukwila is based on 65 nanometre technology.

"[Using 65nm technology] reflects the design time involved in that processor," Mr Rattner told BBC News.

Both chips will be shown off at the International Solid State Circuits Conference (ISSCC) in San Francisco.


Silkroad Online Server Information




Famous brand names. Where do they come from?

Adobe - came from the name of the river Adobe Creek that ran behind the house of founder John Warnock.

Apache - It got its name because its founders got started by applying patches to code written for NCSA's httpd daemon. The result was 'A PAtCHy' server -- thus the name Apache.

Apple Computers - favorite fruit of founder Steve Jobs. He was three months late in filing a name for the business, and he threatened to call his company Apple Computers if the other colleagues didn't suggest a better name by 5 o'clock.

CISCO - it's not an acronym but short for San Francisco.

Google - the name started as a jokey boast about the amount of information the search engine would be able to search. It was originally named 'Googol', a word for the number represented by 1 followed by 100 zeros. After founders, Stanford grad students Sergey Brin and Larry Page, presented their project to an angel investor, they received a cheque made out to 'Google'.

Hotmail - Founder Jack Smith got the idea of accessing e-mail via the web from a computer anywhere in the world. When Sabeer Bhatia came up with the business plan for the mail service, he tried all kinds of names ending in 'mail' and finally settled for Hotmail as it included the letters "html" - the programming language used to write web pages. It was initially referred to as HoTMaiL with selective upper casing.

HP - Bill Hewlett and Dave Packard tossed a coin to decide whether the company they founded would be called Hewlett-Packard or Packard-Hewlett.

Intel - Bob Noyce and Gordon Moore wanted to name their new company 'Moore Noyce' but that was already trademarked by a hotel chain, so they had to settle for an acronym of INTegrated ELectronics.

Lotus (Notes) - Mitch Kapor got the name for his company from 'The Lotus Position' or 'Padmasana'. Kapor used to be a teacher of Transcendental Meditation (by Maharishi Mahesh Yogi).

Microsoft - coined by Bill Gates to represent the company that was devoted to MICROcomputer SOFTware. Originally christened Micro-Soft, the '-' was removed later on.

Motorola - Founder Paul Galvin came up with this name when his company started manufacturing radios for cars. The popular radio company at the time was called Victrola.

ORACLE - Larry Ellison and Bob Oats were working on a consulting project for the CIA (Central Intelligence Agency). The code name for the project was Oracle (acronym for: One Real Asshole Called Larry Ellison).

Red Hat - Company founder Marc Ewing was given the Cornell lacrosse team cap (with red and white stripes) while at college by his grandfather. He lost it and had to search for it desperately. The manual of the beta version of Red Hat Linux had an appeal to readers to return his Red Hat if found by anyone!

SAP - "Systems, Applications, Products in Data Processing", formed by 4 ex-IBM employees who used to work in 'Systems/Applications/Projects'

SUN - founded by 4 Stanford University buddies, SUN is the acronym for Stanford University Network.

Xerox - The inventor, Chester Carlson, named his product trying to say 'dry' (as it was dry copying, markedly different from the then prevailing wet copying). The Greek root 'xer' means dry.

Yahoo! - the word was invented by Jonathan Swift and used in his book 'Gulliver's Travels'. It represents a person who is repulsive in appearance and action and is barely human. Yahoo! founders Jerry Yang and David Filo selected the name because they considered themselves yahoos.

Posted in | 0 comments

Universities fend off phishing attacks

In an ongoing attack, students and faculty at nearly a dozen universities and colleges have been targeted by phishing e-mails since the middle of January. The e-mail messages masquerade as missives from each school's help desk, asking that the student confirm their username and password as well as requesting more personal information, including date of birth and country of origin.

The attacks, which appear to have started as early as January 20 and are ongoing, have targeted a few thousand e-mail addresses at each school, according to reports posted to two security mailing lists used by school information-technology professionals.

"The attacks are fairly widespread (with)in U.S. .edu," Douglas Pearson, technical director of the Research and Education Network (REN) Information Sharing and Analysis Center (ISAC), stated in an e-mail interview. "We've seen large, small, public, and private institutions attacked."

Schools targeted include Columbia University, Duke University, Princeton University, Purdue University, and the University of Notre Dame. The e-mail accounts of students and faculty that fall prey to the fraud are used, in most cases, to send out further spam as part of a lottery scam, Pearson and IT administrators stated. The attack may have already hit European schools earlier in the month, one university IT administrator stated on a security mailing list.

The lottery scam, known also as a Nigerian Advance Fee scam, offers extremely large sums of money to the victim, if the victim first sends a smaller amount to the fraudster. In reality, the group running the scam will continue to ask for money from the victim, delaying the final payoff. The con is also known as a 419 scam, after the Nigerian legal code that it violates.

Some victims of the scam continue to send increasing sums of money, in hopes of getting back the funds that they have already sent. In 2004, a financial analyst stole more than AU$1 million from his clients, paying increasing amounts of money to the fraudsters in hopes of correcting his original mistake. The scams have also reportedly been used to fund terrorist groups.

In the latest phishing scam, the e-mail message, of which there are a few variations, carries the subject line "VERIFY YOUR (address) EMAIL ACCOUNT NOW" and tells recipients that the school is deleting unused e-mail accounts. The e-mail addresses include those of students and faculty as well as "functional" addresses that don't correspond to a particular person, according to a Princeton University official. The phishing scam requests that the recipient reply to the e-mail with their username, password, date of birth and country of origin. The message's Reply-To address is forged to make it appear to come from the specific school's help desk or information services department.
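As an added illustration, not from the article, the following Python checks a raw message for the traits just described: a help-desk display name on a Reply-To mailbox outside the institution, the account-verification subject line, and a body that asks for credentials and identity details by reply. The institution domain and both sample messages are constructed.

```python
# Added example, not from the article: flags the help-desk credential phish
# described above. The domain and both sample messages are constructed.
import email
import re
from email import policy
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"\bverify\b.*\bemail account\b", re.I)
FIELDS_RE = re.compile(r"\b(username|password|date of birth|country of origin)\b", re.I)

def split_addr(header):
    # Returns (lowercased display name, lowercased address domain).
    name, addr = parseaddr(str(header or ""))
    return name.lower(), addr.rpartition("@")[2].lower()

def helpdesk_phish_indicators(raw, own_domain):
    """List scam indicators in one raw message; own_domain is the school's domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    reply_name, reply_dom = split_addr(msg["Reply-To"])
    # Replies go to Reply-To: a help-desk name on an outside mailbox is the forgery.
    if reply_dom and reply_dom != own_domain:
        hits.append("reply-to mailbox is outside " + own_domain)
        if "help desk" in reply_name:
            hits.append("help-desk display name on external reply-to")
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        hits.append("account-verification subject line")
    body = msg.get_body(preferencelist=("plain",))
    asked = {m.lower() for m in FIELDS_RE.findall(body.get_content() if body else "")}
    if {"username", "password"} <= asked:
        hits.append("asks for username and password by reply")
    if asked - {"username", "password"}:
        hits.append("asks for identity details: " + ", ".join(sorted(asked - {"username", "password"})))
    return hits

PHISH = """\
From: "Help Desk" <helpdesk@example.edu>
Reply-To: "Example University Help Desk" <edu.helpdesk@webmail-free.example>
Subject: VERIFY YOUR example.edu EMAIL ACCOUNT NOW
Content-Type: text/plain

Unused accounts are being deleted. Reply with your username, password,
date of birth and country of origin to keep your account active.
"""

LEGIT = """\
From: "Help Desk" <helpdesk@example.edu>
Content-Type: text/plain

Mail is unavailable 02:00-04:00. We will never ask for your password by e-mail.
"""
```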

At Princeton University, fewer than a dozen people fell prey to the original e-mail scam, sending along their usernames and passwords to the fraudsters, a representative of the university told SecurityFocus. The Office of Information Technology blocked compromised accounts from sending spam and contacted the affected students.

"From our end, we were pretty fast about getting the problem fixed and preventing other things from happening," said Emily Aronson, a spokeswoman for Princeton University.

Suggesting that the phishing scam was not just about sending out spam, the university blocked a request to the school's human resources database to change the name of one victim. The request was issued from a computer belonging to a domain registered to Nigeria, a Princeton IT administrator stated.

A warning posted to the Educause security mailing list by a member of the University of Cincinnati's information services stated that a large proportion of their students fell for the attack.

Phishing attacks targeted at a specific subset of people, while fairly common in the corporate world and against banking customers, have not often been used against students. Princeton and other schools sent out warnings to their students and faculty about the attacks and stressed that users should never give out sensitive information or passwords to other people.

"The best defense against this kind of attack is a continuing awareness program," stated one IT administrator on the UniSOG mailing list. "Having said that, we all know that users are a notorious weak link, and this kind of attack will continue to be successful."

The academic network response group, REN-ISAC, called for schools to use its notification system to send information about the incidents to other institutions.

"REN-ISAC members have shared, in our private trust community, a number of other practical responses," Pearson said. "We don't encourage public discussion of specific responses because that's a useful feedback loop for the miscreants. We do suggest that university security teams join REN-ISAC in order to participate in the sensitive information sharing."

UPDATE: The article was updated with additional information on the attack, including that faculty, as well as students, have been targeted.


SkypeFinds another security snafu

Skype has patched a flaw involving its SkypeFind feature. But the security researcher who discovered the flaw said the VoIP platform remains exposed to cross-zone scripting vulnerabilities, like the latest SkypeFind bug and an earlier flaw involving movie files.

SkypeFind lets users recommend businesses, or post reviews, to others running the voice-over-IP client. Problems have arisen because Skype has neglected to sanitise a field designed to pass across reviewers' names (even though it does clean up data provided in the business item entry and text submitted in a review).

As a result of this partial oversight, hackers could replace a reviewer's name with a malicious script, allowing them to inject malware onto machines running the popular application.
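An added example, not Skype's code, that models the review dialog as HTML assembled from reviewer-supplied fields: the vulnerable version encodes the business entry and review text but not the reviewer's full name, the fixed version encodes every field, and a probe routine reports which fields reach the markup unencoded. Field names, the template and the sample values are assumptions.

```python
# Added example, not Skype's code: models the SkypeFind review dialog as HTML
# built from reviewer-supplied fields. Field names and values are assumptions.
import html

FIELDS = ("full_name", "business", "text")
TEMPLATE = "<div class=\"review\"><b>%s</b> reviewed %s<p>%s</p></div>"
PROBE = "<\"probe\">"   # constructed marker containing both < and "

def render_review_vulnerable(full_name, business, text):
    """Mirrors the partial oversight described above: the business entry and
    review text are encoded, but the reviewer's full name is inserted raw."""
    return TEMPLATE % (full_name, html.escape(business), html.escape(text))

def render_review_fixed(full_name, business, text):
    """Every reviewer-controlled field is HTML-encoded before it reaches the
    dialog, so markup in a name is displayed as text instead of executing."""
    return TEMPLATE % (html.escape(full_name), html.escape(business), html.escape(text))

def unescaped_fields(render):
    """Probe each field of a render function in turn and return the names of
    those that echo the marker back unencoded: the injection points."""
    leaks = []
    for field in FIELDS:
        args = {f: "safe" for f in FIELDS}
        args[field] = PROBE
        if PROBE in render(**args):
            leaks.append(field)
    return leaks

if __name__ == "__main__":
    print("vulnerable leaks:", unescaped_fields(render_review_vulnerable))
    print("fixed leaks:", unescaped_fields(render_review_fixed))
```

The probe loop is the check worth keeping: running it against every field of a dialog, not just the one already reported, is how a reviewer answers the worry that other fields may still carry script.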

"An attacker can inject a malicious script in his Skype's Full Name, and whenever a victim will view a business which was reviewed by the attacker, in the SkypeFind dialog, the malicious script will be executed in an unlocked Local Zone," warns security researcher Aviv Raff, who was also instrumental in revealing previous cross-zone scripting vulnerabilities in Skype.

"Fortunately for the attacker, it is also possible to open the dialog in a specific business details page from the browser, using the skype: URI handler (e.g. skype:?skypefind ). This means that it is possible for the attacker to create a worm," he added.

In a security notice, Skype said it had fixed the SkypeFind feature. It doesn't go into details beyond saying users don't need to update client software. Skype suggested the whole thing was a storm in a teacup because the flaw was hard to exploit. "There is one important precondition for the exploit to work. [The] victim must receive Skype contact request authorisation from the attacker's Skype account," it said.

Raff took issue with this assessment, pointing out that hacking techniques to automate users' contact requests would have reduced the difficulty of mounting attacks.

"The victim enters a malicious website [that] automatically calls the attacker via Skype," Raff said, describing one technique. "This can be done by using the Skype: URI handler. The attacker's bot intercept[s] the call and cancels it. Now that the bot has the victim's username, it uses the User.IsAuthorize API call to allow the victim to view the attacker's full name.

"After a few seconds, the malicious website opens the malicious SkypeFind dialog, and the victim gets owned," Raff said.

Raff has posted a Flash-based video demo (created by another security researcher, Guy Mizrahi) of the SkypeFind attack on his blog. Skype's fix falls short in providing adequate safeguards against exploitation, Raff concludes.

"I've contacted Skype security team, and they have provided a quick fix for the full name issue," Raff writes. "Unfortunately, this is not enough. I'm worried that there are probably other ways to inject a script to this dialog."

"I strongly advised Skype to disable this feature until they provide a patch for the cross-zone scripting vulnerability."
