


by CSO Contributor

Sasser Worm Expected to Hit Hard Today; Ford Overruled Safety Advice, Report Says; The Debate over Electronic Voting; The Debate over Data Aggregation

May 03, 2004

Sasser Worm Expected to Hit Hard Today

A new series of worms released onto the Internet exploits a critical security vulnerability in Microsoft’s Windows XP and Windows 2000 operating systems and does not need users to open e-mail attachments in order to propagate, experts said Saturday. According to an IDG News Service story today, the worm’s impact is expected to peak Monday as millions of workers bring their laptops back to their offices after using them over the weekend to access the Internet from relatively unsecured home locations. Computers infected with the worm boot up normally but then hang or shut down when users attempt to do any work. The new worm exploits the LSASS (Local Security Authority Subsystem Service) remotely exploitable buffer overrun vulnerability first reported by Microsoft on 13 April in Microsoft Security Bulletin MS04-011. Microsoft has rated the vulnerability as critical, and security experts urged all users of vulnerable systems to apply patches immediately. The worm does not damage files and is relatively easy to remove, although concerns have been raised that information stored on an infected computer could be compromised, the story says.

Ford Overruled Safety Advice, Report Says

According to an AP story in The Boston Globe today, Ford Motor Co. overruled its own safety engineers’ recommendations to recall up to 4.1 million pickups and sport utility vehicles after they had found substandard door latches, court documents indicated. After the recommendations, Ford ordered immediate design changes for future vehicles. But the automaker decided against a recall, which could have cost up to $527 million. At least 16 product-liability lawsuits filed against the automaker contend latch failures led to fatal accidents involving doors that flew open. Many have been settled, but others are pending.

The Debate over Electronic Voting

The New York Times features a profile of Aviel D. Rubin, a professor at Johns Hopkins University, who has become the face of a growing revolt against high-technology voting systems. Rubin took center stage in the national voting scene last July, the Times reports, when he published the first in-depth security analysis of Diebold’s touch-screen voting software. That shot across the bow was met with outrage from the industry and from election officials who had spent tens of millions of dollars on Diebold machines, and Rubin was denounced as irresponsible and uninformed. In response, he signed up to become an election judge in the March presidential primary, and sat all day at a precinct in a church at Lutherville, Md., helping voters use the same Diebold touch-screen machines that he had criticized so roundly. He posted a report of the experience on the Internet, in which he wrote, “I started realizing that some of the attacks described in our initial paper were actually quite unrealistic, at least in a precinct with judges who worked as hard as ours did and who were as vigilant. At the same time, I found that I had underestimated some of the threats before.”


The Debate over Data Aggregation

Wired today reports on the role of database aggregators in security, both homeland and corporate. Database aggregators have quietly become powerful arbiters, whirring in the background when people seek jobs, get on airplanes, apply for insurance, commit a crime or fall victim to one, the story says. For example, ChoicePoint, a leading electronic data warehouse regularly mined by companies and the government, has on its computers 19 billion public records. That has made privacy activists suspicious. They worry that data aggregators don’t do enough to safeguard information that, although technically public, has never before been so efficiently and completely gathered in one place. ChoicePoint’s chief executive, Derek V. Smith, is leading the data-aggregation-as-security side of the debate, and this spring is releasing two books about fighting risks in the information age and talking up a controversial plan for a high-tech ID card.