Security Web Digest: Most Commonly Exploited Vulnerabilities ... and More

Copy protection vendor to sue Princeton student
P2P industry association proposes music encryption scheme
Homeland Security may require public companies to disclose security efforts
Sony flash memory unit gets fingerprint reader


A security organization, in conjunction with the Department of Homeland Security and security agencies from both the Canadian and British governments, on Wednesday published its fourth annual list of the most commonly exploited Internet vulnerabilities. The SysAdmin Audit Security Network (SANS) Institute, which first rolled out a list four years ago with the FBI's National Infrastructure Protection Center (NIPC), unveiled a pair of Top 10 lists, one noting vulnerabilities within Windows software, the other tagging the top flaws in Linux and Unix programs. The two lists are meant to steer system administrators toward the most widely exploited vulnerabilities, and include details on how they can mitigate the risks associated with the vulnerable software.

Intellectual Property

SunnComm Technologies, a developer of CD antipiracy technology, said Thursday that it will likely sue a Princeton student who earlier this week showed how to evade the company's copy protection by pushing a computer's Shift key. Princeton Ph.D. student John "Alex" Halderman published a paper on his Web site on Monday that gave detailed instructions on how to disarm the SunnComm technology, which aims to block unauthorized CD copying and MP3 ripping. The technology is included on an album by Anthony Hamilton that was recently distributed by BMG Music.

An industry group that represents Kazaa has proposed a strategy that, if employed, could turn some peer-to-peer file-sharing services into a source of revenue for the recording industry. The Distributed Computing Industry Association (DCIA), which represents Kazaa's parent companies Sharman Networks and Altnet, has suggested that music files traded through peer-to-peer networks could be encrypted so that only users who pay an access fee would be able to access the files. The DCIA has argued that the scheme could generate around US$900 million per year for the music industry, but the organization acknowledges that this would only be the case if competing file-sharing networks agree to cooperate.

Homeland Security

Publicly traded companies could be required to disclose their efforts to secure information on their computer systems, U.S. Homeland Security Secretary Tom Ridge said on Thursday. "I think we need to talk about some kind of public disclosure, what are you doing about your security, physical and cybersecurity. Tell your shareholders, tell your employees, tell your communities within which you operate," Ridge told the Business Software Alliance, a software-industry trade group. Ridge said he had met with William Donaldson, chairman of the Securities and Exchange Commission, to discuss whether companies should be required to disclose cybersecurity efforts in their SEC filings.


Sony Corp. has developed a version of its Micro Vault USB flash memory storage unit with an integrated fingerprint reader. The Micro Vault with Fingerprint Access has 128MB of memory and will go on sale in the U.S. and Europe in November, said Shinji Obana, a spokesman for Sony in Tokyo. Sony is providing a series of applications that can be used with machines running the Windows operating system to prevent all but registered users from unlocking screen savers, or to provide user-level access to certain files and directories either on the Micro Vault or on the PC's hard disk drive.