Security Web Digest: Outsourcing A Risk? US Networks Safer Than Before, Sabotage To Combat Piracy ..

Security officer roles changing... Senior Homeland Security Advisor wants to rely on older, mature technologies... Cuckoo eggs hatch into malicious programs that suck up bandwidth... and more from around the web


The duties of those filling corporate security officer positions -- whether the title is chief security officer (CSO), chief information security officer (CISO) or something else -- are as diverse as the IT industry itself, according to a panel of security executives. Gathering at the fifth annual International Techno-Security Conference, the panel painted a picture of a set of corporate positions that are still in their embryonic stages despite their high profile. Jeff Reich is director of information security at Interland, a hosting company, as well as the former architect of security programs at Dell and online payment vendor CheckFree. His role has differed at each company, he said. "When I was at Dell, we really focused on protecting intellectual property," said Reich. "When I was at CheckFree Corp., our main focus was on privacy and protecting the integrity of the transactions. And now at Interland, my focus is to provide all of those things to our customers."

The audience also peppered the panel with questions about the wisdom of outsourcing software development to cheap labor overseas, where there is little or no way to ascertain the security risk that workers may pose. Of particular concern to some attendees is the work that is being sent to China. While not yet a major provider of outsourcing services, China has a significant economic espionage program that targets U.S. technology, the users noted. Also of concern are countries in Southeast Asia, particularly Malaysia and Indonesia, where terrorist networks are known to exist. A recent study by Gartner predicts that by 2004, more than 80% of U.S. companies will consider outsourcing critical IT services, including software development, to countries such as India, Pakistan, Russia and China.


After successfully creating a new domestic security framework since the attacks of Sept. 11, 2001, the federal government must tackle the bigger job of building on that framework and putting new security systems and procedures into place, according to a senior White House advisor on science and technology policy. In doing so, however, the government should emphasize the use of existing technologies rather than plowing money into research and development of new technology to solve the domestic security problem, according to John Marburger, Science Advisor to President Bush and director of the U.S. Office of Science and Technology Policy. Of the $3.2 billion slated by the Bush administration for domestic security research and development in fiscal 2004, only around a third is slated for the new Department of Homeland Security, Marburger said. Ongoing research in other branches of the government will absorb much of the rest. Of the approximately $1 billion for DHS research, around two-thirds will go into researching bioterrorism countermeasures and the rest will be spent in areas where "the technology is more mature," he said.

Steven Cooper, CIO of homeland security, said multilayered security efforts have made the probability of a digital surprise attack relatively low. It's highly unlikely that the United States will experience a crippling "digital Pearl Harbor," he said. Cooper contends that the nation is safer than it was a year ago, noting that no terrorist incident has occurred in the United States since Sept. 11, 2001, and that a number of al-Qaida operatives and other terrorists have been arrested.


Some of the world's biggest record companies, facing rampant online piracy, are quietly financing the development and testing of software programs that would sabotage the computers and Internet connections of people who download pirated music, according to industry executives. From attacking personal Internet connections so as to slow or halt downloads of pirated music to overwhelming the distribution networks with potentially malicious programs that masquerade as music files, the covert campaign is being developed and tested by a cadre of small technology companies.

In 2000, another anti-piracy effort was hatched using "Cuckoo Eggs." These "eggs" are songs that look exactly like a real artist's song, and the first few seconds of the MP3 audio file are the song it purports to be. But after about 30 seconds, the copyrighted work is replaced by a cacophonous sound -- a cartoon voice telling you that you screwed up, followed by an incessant, annoying, cuckoo clock sound for the remainder of the song. The scheme involves building these eggs, and setting them free on music sharing services. The files are the same size and bear the same name as copyrighted work that's already being shared illegally on these systems. It's virtually impossible to tell them from the real thing unless you listen to the MP3 song for a minute or two.