Archive for category Cyber Security
Will AOL sell ICQ to Russian or Chinese firms?
Posted by Administrator in Cyber Security on April 8th, 2010
I don’t really see the valuation of ICQ – a news article I read today says it is about 300 million dollars. My bigger concern with this issue is privacy and security, though. I think there are many people who use ICQ because there is a certain level of privacy expected. I wonder if this would be an issue if the companies that bid on it were able to take it over. I have concerns that a Russian or Chinese company may not keep the information transmitted as private as we would expect from an American company. I also wonder if there would be major security issues here as well. I am sure that there is a lot of American business that gets done through ICQ – and it would be pretty lame if another country were to have free access to tap in to all of that information.
AOL – don’t sell ICQ!
(Reuters) – Russia’s ProfMedia and DST as well as China’s Tencent have submitted binding offers to buy AOL’s instant-messaging service ICQ, business daily Vedomosti reported on Tuesday.
Research before buying web software – script security is important
Posted by Administrator in Cyber Security, Internet Business, Software and Web Apps on February 9th, 2010
We spend a good deal of time researching software before we buy it, and even then we are at times disappointed with purchases we had hoped would make web sites function better. Whether it’s server-side software for web site add-ons or complete web site scripts, take the time to research the piece of software and the company behind it before you try it.
Over the years we have considered hundreds of scripts and programs. A few of those have proven to be excellent choices, but many are half-baked, don’t do everything you want them to, or, even worse, leave huge security vulnerabilities for you, and perhaps for the other web sites hosted on your web server. Our most recent consideration is one of those: if the price and feature combination seems too good to be true, maybe it is.
We have been looking for new chat programs to launch as server add-ons for various client web sites, and integration with a forum or membership system is a key piece of functionality that has been requested. After an hour of research we determined that there were four programs that seemed to be a good fit for our client, so we decided to dig deeper and see if we could narrow it down.
It would have been easy to just choose the most expensive and well-known solutions, but we try to find options that will save our clients money, and oftentimes not every site needs all the full-blown features that the most expensive and well-known companies make available. Looking for more affordable options, we came across a piece of chat software that seemed to have a ton of features and a very fair price. Wondering whether it was perfect for our client or too good to be true, we decided to do further research and see what other people were saying at other web sites.
Searching for the program and company name in Google brought up tons of results, and most of them were from other places that were offering the program, places like HotScripts and the tons of clones out there; none of these were very helpful as far as finding critiques of the company. After digging a few hundred search results into Google, we started finding security vulnerabilities posted at about a dozen sites. That’s red flag number one – but these could all have been fixed in a current release – so we had to spend more time to find out.
More research revealed some posts on a forum where a particular user was complaining that it did not work in his current server / software environment and that he had received no support whatsoever from the program’s author. Red flag number two, but I looked further, and it appears that the post in question was on a forum for a similar, or competing, product, so not as trustworthy a review as we would like.
I will be contacting the author of this script to see if they are aware of and have fixed the security issues that have been posted online. I will also be asking for a demo of the product to make sure that it works with the membership system that our client is using. Sure, it says that it works with that particular program, but which version? Do ALL features work? Better to find out before purchasing if possible.
Before purchasing scripts, or even using free scripts found online, it’s best to look around the web and see if you can find any security or support issues with the company. Some web sites to definitely check include:
http://www.us-cert.gov
http://insecure.org/
http://secunia.com/
http://www.securityfocus.com/
http://www.f-secure.com/vulnerabilities/SA32603#
http://www.securitytracker.com/search/search.html
This method of research has saved tons of trouble in previous new business development. Working with clients on a new business plan, they were setting everything up based upon a company’s affordable piece of social networking software. It looked good, the demo was decent, the pre-sales support was fast. They put their entire business plan around the use of this product. I can’t remember what it was that led us to a bad forum thread about it, but that thread led us to links that turned up many more horror stories about the company, and then we realized that particular script would not work, and that the too-good-to-be-true price and feature combination was indeed too good to be true.
Lesson learned: even when a demo works and pre-sales support is fast, it does not mean that everything will work as you planned, that you will get the support you expected, or that the program will work as advertised.
Keeping a WP site takes some time, but it’s worth it
Posted by Administrator in Cyber Security on November 17th, 2009
There are plenty of how-to instructions out there about how to keep your WordPress site secure and keep it from being hacked. For the average user it’s even easier today, as many WP installations have the ability to upgrade with the click of a button from inside the administration dashboard. Sometimes I wait to upgrade when a new version comes out, thinking that a newer version will be available a week or so later; sometimes that bites you in the butt.
The auto-upgrade doesn’t work with all web servers or WP installs. I have several WP sites that I administer in which I have to manually upload all the new files and such. Not a big deal for one site, but having to do that for twenty web sites becomes a bit of time-consuming work, especially if there are plugin upgrades needed. Some of the web servers I maintain have Fantastico installers that are supposed to make upgrading very easy, with one click to do it. Unfortunately Fantastico is slow to get the updates out, or the many web hosts I work with are slow to add the Fantastico updates, so at times we wait for weeks to have the latest WP update available with that method. If it’s a major security bug update, then we end up doing all those manually – many more hours spent with repetitive FTP.
This is mainly a rant, and certainly any of the WP gurus out there will just say that I should upgrade my servers to root-access dedicated or VPS – sure, that’d be great, but not in the budget any time soon. Keeping your site secure is important. I suppose my suggestion to people would be to find a host where the one-click upgrade is available, and make backups of your database.
I would love to have one solid, stable version of WP that never needed to be updated, with new features rolled out as optional plugins. There are some new features that may make a manual upgrade worth the time and hassle, but the majority of the new features I can live without; I just want a basic, secure blogging platform.
Facebook and MySpace are not necessarily private space
Posted by Administrator in Cyber Security on February 20th, 2008
More people need to be talking about these issues. We’ve brought them up, and often try to educate people we meet every day.
I always ask people about their kids’ online and video game usage, and ask if they are aware of these issues, and more. It amazes me how many people are just not aware of these issues.
MySpace isn’t private space
Teens’ personal thoughts exposed to all eyes
By VIVI HOANG • Staff Writer • February 17, 2008
Franklin mom May-Ling Weitzman faked a Facebook page, creating an online alter ego with a different age, name and graduation date. Then she searched for her teen daughter’s page.
Her daughter wasn’t fooled by the subterfuge and spotted Weitzman, 48, from a mile off with great amusement. But mom made her point: Web privacy is, essentially, a myth.
Kids these days can, with a touch of a finger, instantly post their thoughts online for all to see. But mix that with youthful impetuousness and the belief that only their friends can see their musings, and it’s a recipe for trouble and very real consequences, from embarrassment to more serious fallout such as failed friendship and missed job opportunities.
Parents can head off that problem by, like Weitzman, seeing what their kids are doing online — stressing that these virtual spaces are extensions of themselves, and to behave accordingly.
“I try to always tell my kids that being online, just because you’re sitting in your living room, it’s not private,” she said. “It’s as if you were in the middle of a big city, in the middle of a large square.”
Then there’s the problem of other people’s kids. Coping with a snide comment, rumor-laden blog post or less-than-tasteful photos presents a parental challenge unheard of even 10 years ago.
Solving the problem may be as simple as sitting your teen down for a frank talk.
“They’re young and not realizing any repercussions in the future,” said Melissa Wert, technology integration specialist at Harpeth Hall. “These kids don’t even understand the power they have in their hands to destroy somebody or do harmless, fun, entertaining things.”
What kids are doing online
For the wired generation, pursuing real-world relationships into the cyber-realm by blogging, leaving comments and posting photos and videos comes as natural as breathing.
According to a December report from the Pew Internet & American Life Project, 64 percent of kids ages 12 to 17 who are online are crafting things to go on it.
But teens often treat their personal spaces online as if they’re playgrounds only their friends can enter. Up go their thoughts, their gripes, their photos from that last wild party.
A few years ago when Tammy Nash, a counselor at Martin Luther King Jr. Magnet High School, heard that a student had posted a suicide note online, she checked out the youth’s site. Nash was able to help the teen but remembers being taken aback by some of the sexually provocative passages the student had published in such a public space.
“It’s like a diary,” Nash said. “Some of them are just getting into the shock-jock thing.”
Harpeth Hall sophomore Chelsea Stessel has seen spats flare up over something as innocuous as a boy leaving a flattering comment on a girl’s photo.
Stessel, 16, has staked out cyber real estate since she was in grade school, starting with the kid-centric Neopets and moving on to Xanga, MySpace and finally, Facebook. She’s so aware of the Internet’s influence she’s even joined her school’s chapter of Teenangels, a division of WiredSafety.org that educates parents and youth about online safety and privacy.
“I make sure I don’t post anything anyone would see and get offended by,” she said. “If I have a problem with someone, I deal with it in person or a call.”
Follow the Golden Rule
If everyone played by the rules, or at least the Golden Rule, this would be less of a problem.
Anya Weitzman, 18-year-old daughter of May-Ling Weitzman and a University School of Nashville senior, knows this is wishful thinking: A friend of hers in college skipped a big football game that everyone on her floor went to watch so she could study for an exam.
Schoolmates heckled the friend viciously online for the affront.
“You say a word, and it’s ephemeral, it’s gone,” Anya said, pointing out that conversely, what’s done online can become virtually permanent, easily saved and duplicated.
As far back as 2002, there was the Star Wars Kid, a hapless Quebec teen whose awkward light-saber slashings got leaked to the Internet and viewed by millions. It spawned several mocking remixes, including Matrix and Lord of the Rings versions. So extensive was the humiliation, the 10th grader dropped out of school and finished the semester at a children’s psychiatric ward.
Glencliff High teacher Philip Davis has had numerous conversations with students about how they carry themselves online. He uses analogies like, “Your room is not made of glass — why would you post things online for everyone to see?”
Sites such as Facebook and MySpace allow users to choose how private their profiles are, but teens sometimes aren’t aware or haven’t taken the time to do it, so their profiles remain public by default.
Chris Johnson, 17, a Glencliff senior, had his MySpace page set up by a friend, and didn’t realize he could configure the page to limit who could view it. But he’s savvy enough to censor what goes up on his profile. A photo he might consider harmless fun with his friends might produce far less humorous interpretations from others.
His page is a reflection of who he is, and Johnson wants it to be a positive one.
“These days, parents know how to get on,” he said. “And you don’t want younger kids to see. You want to set an example for them. They follow what you do.”
Many eyes are watching
But in the foggy bliss of youth, sometimes repercussions seem nebulous and far-off.
“They think people aren’t going to see that,” said Michael LoJacono, 17, a USN senior. “There are teachers who have Facebooks. There are a lot of chances for things to happen.”
And people are paying attention.
When Mike Saint, 58, asked while in the car with his 15-year-old daughter Molly, a Harpeth Hall sophomore, whether he should get a Facebook account, she nearly drove off the road.
“She was incredulous,” said Saint, who runs a management consultant firm. “But after a while, she thought it was kind of cool. She helped me set it up.”
He uses his access to Facebook for work but he also finds it is an easy, quick way of keeping up-to-date on what his daughter has going on.
“I used to say there’s nothing meaner in the world than a seventh-grade girl to another seventh-grade girl, whether it’s in person, over the phone, instant messaging or on Facebook,” Saint said. “You hope your children socialize with children whose parents are teaching them right from wrong and good from bad in dealing with other people.”
Molly, also a Teenangel, advises parents to work on an open relationship with children. “Know what your kids are doing. Most kids will let their parents see their Facebook.”
Not just friends and parents are paying attention, but teachers, college admissions counselors and employers. At the Career and Employment Center at Middle Tennessee State University, students are told employers can, and do, access social networking sites to check on prospective employees.
“We have a PowerPoint presentation that actually . . . has four pictures that were gotten off Facebook or MySpace and show students being students — just not very professional,” said center director Bill Fletcher. “What if an employer saw this? Would they want to hire you?”
Parents have options
If you discover inappropriate content related to your child online, you’ve got a few options.
First, if it was your own kid that posted it, use the circumstances as a teaching moment, said Anastasia Goodstein, author of Totally Wired: What Teens and Tweens Are Really Doing Online.
There are paid services like Reputation Defender that search out what information about your family can be found online and then endeavor to remove what’s inaccurate or slanderous.
“But if it is something that goes viral — say, it’s a topless photo of their daughter that was taken without the daughter realizing it was going to be spread around — you can’t do anything,” said Goodstein. “You have to soldier through it.”
Vivi Hoang can be reached at 259-8067 or vhoang@tennessean.com.
Five Most Overlooked Open Source Vulnerabilities Found By Audits
Posted by Administrator in Cyber Security on February 1st, 2008
Found via Yahoo News / TechWeb
Five Most Overlooked Open Source Vulnerabilities Found By Audits
By Charles Babcock
InformationWeek Tue Jan 22, 5:45 PM ET
After reviewing 300 million lines of code in 2007, Palamida, a vulnerability audit and software risk management company, says it’s identified the five vulnerabilities most frequently overlooked by users in their open source code.
The five are listed in alphabetical order. Palamida did not attempt to assign a frequency ranking to the five, CEO Mark Tolliver said. Also, the Palamida list reflects known vulnerabilities that have been aired and fixed by their parent projects but are still encountered in the user base, such as businesses and government agencies. The projects named are not frequent offenders when it comes to security vulnerabilities, but their code is so widely used that unpatched vulnerabilities show up in Palamida’s enterprise and nonprofit agency software scans. In all cases, a patch is available to fix the vulnerability.
Open source code is “not any more vulnerable than commercial software” and in some cases, less so, said Tolliver. Open source projects tend to acknowledge their vulnerabilities and fix them promptly, he added.
The company conducts audits on enterprise software, spotting uses of open source and identifying origins of code. It both sells products to conduct audits and offers audit services and risk management consulting.
Palamida’s list of five frequently overlooked vulnerabilities is as follows:
Geronimo 2.0, the application server from the Apache Software Foundation, contains a vulnerability in its login module that allows remote attackers to bypass authentication requirements, deploy a substitute malware code module, and gain administrative access to the application server. The access is gained by “sending a blank user name and password with the command line deployer in [Geronimo's] deployment module,” the Palamida report said. A blank user name and password should trigger a “FailedLoginException” response in Geronimo 2.0 but doesn’t.
A patch for the vulnerability exists at https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch.
Geronimo competes with Red Hat’s JBoss and other open source application servers.
The JBoss Application Server has a “directory traversal vulnerability in its DeploymentFileRepository class in releases 3.2.4 through 4.0.5. It allows remote authenticated users to read or modify arbitrary files and possibly execute arbitrary code,” the Dec. 7 report concluded.
A patch is available at http://jira.jboss.com/jira/browse/ASPATCH-126.
The third frequently encountered vulnerability on the list is the LibTiff open source library for reading and writing Tagged Image File Format, or TIFF, files. The LibTiff library before release 3.8.2 contains command-line tools for manipulating TIFF images on Linux and Unix systems and is found in several Linux distributions.
Using the LibTiff library in a version before 3.8.2 allows “context-dependent attackers to pass numeric range checks and possibly execute code via large offset values in a TIFF directory,” the Palamida report states. The large values may lead to an integer overflow or other unanticipated result and constitute an “unchecked arithmetic operation,” the report said.
A patch is available at http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz.
The fourth vulnerability on the list is found in Net-SNMP, or the programs that deploy the SNMP protocol. It’s found in version 1.0, version 2c and version 3.0. When certain versions of Net-SNMP are running in master agentx mode, the software allows “remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a freeing of an incorrect variable,” the report said.
A patch is available at http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.
The fifth overlooked vulnerability is found in Zlib, a software library used for data compression. Zlib 1.2 and later versions allow a remote attacker to cause a denial-of-service attack. The attack designs a compressed stream with an incomplete code description of a length greater than 1, causing a buffer overflow.
The patch consists of upgrading zlib to version 1.2.3 at www.zlib.net/zlib-1.2.3.tar.gz.
The fact that the vulnerabilities exist doesn’t mean that anyone should stop using open source code. But users should adopt vulnerability patches or update to the latest, stable version of the code, said Theresa Bui, VP of marketing at Palamida. A complete description of the five vulnerabilities, along with their Common Vulnerability and Exposure number, can be found at Palamida’s Dec. 7 Web site listing. The CVE is a project of the Mitre Corp. that gives vulnerabilities a shared definition and reference number across security vendors.
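The Geronimo item above boils down to one design rule for any login module: every path through it must either positively verify the credentials or raise, so a blank user name and password can never come back as "no error". The following is an added illustration of that rule in Python and is hypothetical; it is not Geronimo's, JBoss's or this blog's code, and the user store, password digest and role set are constructed for the demo.

```python
"""Fail-closed credential handling (added, hypothetical illustration)."""
import hashlib
import hmac


class FailedLoginException(Exception):
    """Raised whenever a login cannot be positively verified."""


def _digest(password: str) -> str:
    # Plain SHA-256 keeps the example short; a real store would use a slow,
    # salted password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed user store: username -> (password digest, roles).
USERS = {"admin": (_digest("correct horse battery staple"), frozenset({"admin"}))}


def _verify(username, password):
    """Shared lookup: raises unless username and password match the store."""
    digest, roles = USERS.get(username, (None, frozenset()))
    if digest is None or not hmac.compare_digest(digest, _digest(password)):
        raise FailedLoginException("bad credentials")
    return {"name": username, "roles": roles}


def login_lenient(username, password):
    """Vulnerable shape (hypothetical): verification is guarded by 'if both
    fields are present', so blank credentials skip it and the function
    returns normally, with no principal and no exception."""
    if username and password:
        return _verify(username, password)
    return None


def login_strict(username, password):
    """Fail-closed shape: blank or whitespace-only fields are rejected
    before any lookup, so every path either verifies or raises."""
    if not username or not username.strip() or not password:
        raise FailedLoginException("username and password are required")
    return _verify(username, password)


def is_authenticated(login, username, password):
    """A caller that treats 'no exception' as success, which is the contract
    a login module must honour for the check above to be meaningful."""
    try:
        login(username, password)
        return True
    except FailedLoginException:
        return False


if __name__ == "__main__":
    print("lenient, blank credentials:", is_authenticated(login_lenient, "", ""))
    print("strict, blank credentials:", is_authenticated(login_strict, "", ""))
```

The point of `is_authenticated` is that callers commonly key on "did the module throw", so a module that merely returns early on blank input has silently granted access; the strict variant makes the rejection explicit before any lookup runs.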
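Both the checklist of vulnerability sites in the "Research before buying web software" post and the Palamida list above reduce to the same check: is the version you are buying or running older than the release that carried the fix? The script below is an added example, not Palamida's tooling or this blog's code. The advisory ranges reuse the versions quoted in the article (LibTiff before 3.8.2, zlib 1.2 up to the 1.2.3 fix, JBoss AS 3.2.4 through 4.0.5), the summaries are paraphrased, and the component manifest is constructed.

```python
"""Offline check of component versions against known-fixed-version advisories.

Added example; not the blog's or Palamida's code. Version ranges are taken
from the article quoted above; summaries are paraphrased; the manifest is
constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'3.8.2' -> (3, 8, 2); '4.0.5.GA' -> (4, 0, 5). Numeric tuples compare
    correctly ('3.10' > '3.8'), where plain string comparison would not."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Advisory:
    component: str
    affected_from: str                      # inclusive lower bound; "0" = all earlier releases
    affected_below: Optional[str] = None    # exclusive upper bound, i.e. the release with the fix
    affected_through: Optional[str] = None  # inclusive upper bound when only "last bad" is known
    summary: str = ""

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.affected_from):
            return False
        if self.affected_below is not None:
            return v < parse_version(self.affected_below)
        if self.affected_through is not None:
            return v <= parse_version(self.affected_through)
        return True  # open-ended range: no fixed release known


# Ranges as quoted in the article above.
ADVISORIES = [
    Advisory("libtiff", "0", affected_below="3.8.2",
             summary="unchecked arithmetic on large TIFF directory offsets"),
    Advisory("zlib", "1.2", affected_below="1.2.3",
             summary="buffer overflow on an incomplete code description"),
    Advisory("jboss-as", "3.2.4", affected_through="4.0.5",
             summary="directory traversal in DeploymentFileRepository"),
]


def audit(manifest, advisories=ADVISORIES):
    """Return (component, version, advisory) for every manifest entry that
    falls inside an advisory's affected range."""
    return [(name, ver, adv)
            for name, ver in manifest
            for adv in advisories
            if adv.component == name and adv.affects(ver)]


# Constructed inventory, e.g. the libraries a purchased script bundles.
SAMPLE_MANIFEST = [
    ("libtiff", "3.7.2"), ("libtiff", "3.8.2"),
    ("zlib", "1.2.1"), ("zlib", "1.2.3"),
    ("jboss-as", "4.0.5.GA"), ("jboss-as", "4.2.0"),
]

if __name__ == "__main__":
    for name, ver, adv in audit(SAMPLE_MANIFEST):
        print(f"{name} {ver}: {adv.summary}")
```

Two details matter in practice: advisories phrase ranges either as "before X" (the fix release, exclusive) or as "A through B" (last bad release, inclusive), so the record keeps both forms rather than guessing a fix version the source never stated; and versions must be compared numerically, since a string comparison would rank 3.10 below 3.8. The ranges themselves would come from the advisory sites listed in the earlier post.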
CIA Says Hackers Have Cut Power Grid
Posted by Administrator in Cyber Security on January 27th, 2008
Hopefully if they are reporting this it means that we have fixed all the potential problems in this area. Just another reminder that as our society becomes more and more dependent upon technology, we also become more vulnerable to problems – be it intentional maliciousness or just breaking down.
Story found via PCWorld:
CIA Says Hackers Have Cut Power Grid
Several cities outside the U.S. have sustained attacks on utility systems and extortion demands.
Robert McMillan, IDG News Service
Saturday, January 19, 2008 6:00 AM PST
Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. Central Intelligence Agency analyst said this week.
Speaking at a conference of security professionals on Wednesday, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.
Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands,” he said in a statement posted to the Web on Friday by the conference’s organizers, the SANS Institute. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
“According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure,” SANS said in the statement.
One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. “It appeared that there were a lot of people who didn’t know this already,” said the attendee, who asked not to be identified because he is not authorized to speak with the press.
He confirmed SANS’ report of the talk. “There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack,” he said.
Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable.
The U.S. is taking steps to lock down the computers that manage its power systems, however.
On Thursday, the Federal Energy Regulatory Commission (FERC) approved new mandatory standards designed to improve cybersecurity.
CIA representatives could not be reached immediately for comment.
