Network Security
FW: SECURITY WIRE DIGEST, VOL. 3, NO. 94, DECEMBER 13, 2001
- From: Howell, Paul
- Date: Thu Dec 20 07:34:35 2001
-----Original Message-----
From: Security_Wire_Digest@bdcimail.com
To: grue@umich.edu
Sent: 12/20/01 2:00 AM
Subject: SECURITY WIRE DIGEST, VOL. 3, NO. 94, DECEMBER 13, 2001
SECURITY WIRE DIGEST, VOL. 3, NO. 94, DECEMBER 13, 2001
Security Wire Digest is an e-mail newsletter brought to you on Mondays and Thursdays by Information Security magazine. SWD is written, edited and produced by:
Shawna McAlearney, editor, mailto:smcalearney@infosecuritymag.com
Andy Briney, mailto:abriney@infosecuritymag.com
Anne Saita, mailto:annes@sbcglobal.net
Christine St. Pierre, mailto:cpierre@infosecuritymag.com
Lawrence M. Walsh, mailto:lwalsh@infosecuritymag.com
TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE
=====================================================
SECURITY WIRE DIGEST IS SPONSORED BY: VeriSign - The Internet Trust Company
Which security solution is right for your Web site? Before you decide, request your FREE guide, "Securing Your Web Site For Business," to learn the facts. In the guide, find solutions for:
* Encrypting online transactions
* Securing corporate intranets
* Authenticating your Web site. Get your FREE guide today at:
http://www.verisign.com/cgi-bin/go.cgi?a=n042465660057000
=====================================================
CONTENTS
**EDITOR'S NOTE**
1. INFOSEC NEWS
*WEP Patch Now Available
*Microsoft Disclosure RFCs Face Uphill Battle
*Judges May Get Discretionary Power in Sentencing Cybercriminals
2. INDUSTRY BRIEFS
*Schmidt Jumps From Industry to Federal Protection
*U.S. Court Hacker Pleads Guilty
*Cable Companies Clamp Down on Home Use & VPNs
*VeriSign Acquires Managed Security Assets of Telenisus
3. HAPPENINGS
=====================================================
**EDITOR'S NOTE**
Security Wire Digest will be on hiatus for the holidays. Publication will resume January 7, 2002.
=====================================================
1. INFOSEC NEWS
*WEP PATCH NOW AVAILABLE
By Shawna McAlearney
Users of the inherently insecure Wired Equivalent Privacy (WEP) protocol caught a break last Friday when a partnership between RSA Security and Hifn produced a patch for the beleaguered protocol. Designed to encrypt communications transferred over standard 802.11 wireless networks, WEP uses encryption keys that are too similar to each other, making it relatively easy for someone to compromise the codes.
"Right now wireless security is an insecure mess," says Counterpane CTO Bruce Schneier. "It's robustly insecure--and no single patch will make it secure--but every little bit helps, and RSA's patch certainly does that."
"Fast Packet Keying," a new technology based on the RC4 algorithm, is designed to secure the WEP encryption standard by generating a unique key for each data packet sent over the wireless LAN. It's designed to avoid the similarities in the packet keys by providing a rapid way to derive unrelated RC4 keys from a shared secret.
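As an added illustration, not code from the article, RSA or Hifn: the Python below contrasts WEP's per-packet key layout, where a 24-bit IV is prepended to an unchanged shared secret, with a per-packet key derived through a keyed hash so that consecutive packet keys share almost nothing. The HMAC-based derivation and the sample secret are my own assumptions standing in for the design idea described above; they are not the Fast Packet Keying mixing function itself.

```python
import hmac
import hashlib

# Constructed sample secret (not from the newsletter): a 104-bit WEP key,
# the 13-byte shared secret used by "128-bit" WEP products.
SHARED_SECRET = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6")
IV_BYTES = 3                              # WEP's per-packet IV is 24 bits
KEY_LEN = IV_BYTES + len(SHARED_SECRET)   # 16-byte RC4 key in both schemes


def wep_packet_key(iv: int, secret: bytes = SHARED_SECRET) -> bytes:
    """WEP's per-packet RC4 key: the IV is simply prepended to the
    unchanged shared secret, so every packet key ends in the same 13 bytes."""
    return iv.to_bytes(IV_BYTES, "little") + secret


def derived_packet_key(iv: int, secret: bytes = SHARED_SECRET) -> bytes:
    """Assumed stand-in for a per-packet key-derivation step: a keyed hash of
    the IV under the shared secret, truncated to the RC4 key length. This
    illustrates deriving unrelated keys; it is NOT RSA/Hifn's actual
    Fast Packet Keying mixing function."""
    mac = hmac.new(secret, iv.to_bytes(IV_BYTES, "little"), hashlib.sha256)
    return mac.digest()[:KEY_LEN]


def shared_byte_positions(a: bytes, b: bytes) -> int:
    """Number of positions at which two equal-length keys hold the same byte."""
    assert len(a) == len(b)
    return sum(x == y for x, y in zip(a, b))


def average_overlap(derive, n_packets: int) -> float:
    """Average number of identical byte positions between the keys of
    consecutive packets (IV i and IV i+1) under a given derivation."""
    keys = [derive(iv) for iv in range(n_packets)]
    pairs = zip(keys, keys[1:])
    return sum(shared_byte_positions(a, b) for a, b in pairs) / (n_packets - 1)


def compare_schemes(n_packets: int = 2000) -> dict:
    """Summarize how related consecutive packet keys are under each scheme."""
    return {
        "key_len": KEY_LEN,
        "wep_avg_shared_bytes": average_overlap(wep_packet_key, n_packets),
        "derived_avg_shared_bytes": average_overlap(derived_packet_key, n_packets),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

Under the WEP layout, consecutive packet keys agree in 15 of 16 bytes (14 at an IV byte carry), while the hashed derivation leaves an average overlap near 16/256, i.e. about 0.06 bytes.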
The Institute of Electrical and Electronics Engineers (IEEE) 802.11 committee has approved the Fast Packet Keying technology. It will be distributed by vendors as a software or firmware patch, and device makers are upgrading their software.
According to RSA, the Fast Packet Keying solution is customized to the hardware environment of wireless LAN products and is designed to offer the highest levels of data protection without replacing wireless LAN hardware, while preserving interoperability.
"With the incorporation of Fast Packet Keying, organizations can safely turn to wireless networks for operational flexibility and efficiency without sacrificing the integrity of their systems," Hifn's chief scientist Doug Whiting said in a statement. "The wireless market now has a strong security solution that is designed to create a secure, interoperable pipeline between the wired network and wireless clients."
http://www.rsasecurity.com/news/pr/011217-2.html
http://www.rsasecurity.com/rsalabs/index.html
*MICROSOFT DISCLOSURE RFCS FACE UPHILL BATTLE
By Shawna McAlearney
Lack of critical industry support could spell trouble for Microsoft's bid to make its proposed vulnerability disclosure model into an IETF standard.
"Should the concerned folk ever complete an Internet draft, it is quite
contentious whether any significant community of the IETF would support
it," says Randy Bush, an area director of the operations and management
and routing areas at the Internet Engineering Task Force (IETF).
The IETF is the protocol engineering and development arm of the Internet. Composed of working groups that address specific industry problems, it determines which issues are salient. Before a working group is created, an RFC would be publicly released by the IETF. Though authors Steve Christie of Mitre and Chris Wysopal of @stake haven't yet presented a paper for RFC consideration, and it appears unlikely that the IETF will support the creation of this RFC, some details of the two proposed drafts are available.
Identifying requirements for researchers, vendors and intermediaries, one draft outlines time frames for vendor response, public disclosure and the release of exploit code. It places partial responsibility on the discoverer of the vulnerability to conduct sufficient research to ensure that the problem is genuine and previously unknown, exercise due diligence to contact the vendor, ask a trusted third party for assistance if the vendor doesn't respond promptly, provide the vendor with all known details of the vulnerability--including any programs, scripts, or pseudo-code--and work with the vendor to explain the vulnerability, conduct further analysis if necessary, and test any patches or workarounds that the vendor provides.
Vendor responsibilities include acknowledging a vulnerability report within five business days, attempting to reproduce the problem, notifying the discoverer and any intermediaries once the problem is replicated, responding if the vendor doesn't believe there are security implications, and announcing when a patch and/or workaround will be available.
The draft also suggests that the vendor be given a "last chance" warning of at least five days before an advisory is released. If the vendor is unresponsive, the discoverer and vulnerability coordinator should agree on an alert release date and may publicize that a vulnerability has been discovered--excluding details. Time extensions are permitted as long as the vendor continues to make a good faith effort to fix the vulnerability. Extra time is allowed when the issue is related to a design flaw or affects multiple product lines or vendors.
One provision particularly caught the eye of NTBugtraq editor Russ Cooper. It says that once a patch is released, the parties involved may provide a grace period of at least one week, but no more than 30 days, before providing specific details that could be utilized to exploit the issue.
"The draft I saw said vulnerabilities must be disclosed," says Cooper, who is also surgeon general at TruSecure. (TruSecure publishes Security Wire Digest.) "Why must they be? What if both parties decide not to disclose it?"
According to the draft, the vendor must identify the ways in which the
workarounds may affect functionality and shouldn't assume that the scope
of the problem is limited to what the discoverer has found.
Onus is also on the vendor to examine its product to ensure that it is
free of similar vulnerabilities, examine other products to ensure that
they don't have the same vulnerability and provide a Web page that lists
all security advisories.
The authors of the draft say those involved in vulnerability disclosure
need to provide researchers with sufficient details to support analysis,
in order to help devise longer-term solutions.
The security community has warred for years over the merits of full versus responsible vulnerability disclosure. The debate regained momentum in October when Microsoft's Scott Culp released an editorial calling for an end to "information anarchy," his term for full disclosure. That paper and a meeting of industry luminaries hosted by Microsoft in November spawned a "forum" in which members "shall follow a code of conduct regarding the responsible handling of security vulnerabilities."
"Full Disclosure is a necessary evil"
http://www.securityfocus.com/news/238
"It's Time to End Information Anarchy"
http://www.microsoft.com/technet/columns/security/noarch.asp
*JUDGES MAY GET DISCRETIONARY POWER IN SENTENCING CYBERCRIMINALS
By SWD Staff
After making certain computer crimes akin to terrorist acts, Congress will now weigh a bill giving federal judges more latitude in sentencing cybercriminals. The "Cyber-Security Enhancement Act of 2001" amends U.S. Sentencing Commission guidelines for computer crimes to take into account circumstances surrounding cyberattacks.
H.R. 3482 would allow judges to consider several factors when sentencing those convicted of computer crimes, including: the potential and actual loss of an attack; level of sophistication involved; personal or commercial financial gains; malicious intent; and extent that individuals' privacy rights were violated.
Judges also could impose stiffer sentences as a deterrent for non-terrorist computer crimes. Another consideration would be whether a government computer used for national security or judicial administration was used in the commission of a cybercrime. The bill also leaves plenty of wiggle room by authorizing "any other factor the Commission considers appropriate" as fair game for sentencing.
Introduced by Reps. Lamar Smith, R-Texas, and Sherwood Boehlert, R-N.Y., the Cyber-Security Enhancement Act also exempts ISPs from liability if they cooperate with law enforcement investigations. In addition, the proposed law would dissolve the Office of Science and Technology at the National Institute of Justice and transfer its resources to a newly created, similar program at the U.S. Justice Department.
The new, competitive program would promote research, development and testing of law enforcement technologies used by federal, state, and local police and prosecutors. Numerous technologies fall under this program, including tools and techniques that facilitate investigative and forensic work, computer forensics, and the investigation of computer crimes.
=====================================================
**TALK BACK**
Reader responses to reader questions.
"What's your biggest infosecurity-related concern for 2002? Have your priorities changed from 2001 to 2002? Why or why not?"
Send your response to mailto:abriney@infosecuritymag.com with the subject line "Talk Back." Responses will be printed in the February 2002 issue of the magazine and online.
Talk Back Archives
http://www.infosecuritymag.com/talkback_archives.shtml
=====================================================
2. INDUSTRY BRIEFS
*SCHMIDT JUMPS FROM INDUSTRY TO FEDERAL PROTECTION
Drafting much-needed intellectual capital for federal cybersecurity, President George W. Bush is expected to appoint Microsoft's CTO Howard Schmidt vice chairman of the newly constituted federal Critical Infrastructure Protection Board. According to Computerworld, Schmidt will work with national cybersecurity czar and board chairman Richard Clarke in overseeing the protection of critical infrastructure information systems. No dates have been announced for Schmidt's appointment or his subsequent resignation from Microsoft.
*U.S. COURT HACKER PLEADS GUILTY
A cracker who accessed the Public Access to Court Electronic Records (PACER) system on several hundred occasions and downloaded millions of pages of data to his personal computer pled guilty Tuesday to one felony count of fraud in connection with computers. Nicholas Mamich, 44, gained unauthorized access to 65 PACER computer servers belonging to several U.S. district courts. The Administrative Office of the United States Courts estimated that it cost at least $40,000 to discover and repair the damage caused by the defendant's hacks. Mamich could be sentenced to up to five years imprisonment, a $250,000 fine, or both. Mamich has also agreed to pay full restitution for the damage prior to sentencing. Sentencing is scheduled for March 12, 2002.
*CABLE COMPANIES CLAMP DOWN ON HOME USE & VPNs
Cable companies are starting to force teleworkers to sign up for higher-priced business class Internet service by prohibiting VPNs on residential broadband connections or refusing to provide user support for residential VPN users. Both Comcast and Cox Communications have policies that prevent residential customers from using a VPN, thus forcing them to pay for a more expensive business line if their home office requires one. Cable giants AT&T Broadband, AOL Time Warner and Cablevision are more generous, but they won't provide help desk support for home users with a corporate VPN. Cable companies say the push for business class relates to bandwidth usage. Critics say the telecommunications giants just want more money, given that businesses are charged more but receive essentially the same service. The crackdown comes at a time when more corporations are installing VPNs to protect remote users' private information transmitted via the public Internet.
*VERISIGN ACQUIRES MANAGED SECURITY ASSETS OF TELENISUS
VeriSign, a provider of digital trust services, last Friday announced it purchased the managed security division of Telenisus for $5.8 million. VeriSign says it intends to use the assets to enhance the offerings of its Consulting Services Group, whose services include network architecture and design, implementation, monitoring and security management solutions for enterprises facing the complex technical requirements of large-scale networks and Internet infrastructures. Telenisus has been foundering in the managed security services space; the company blames diminishing sales for its four rounds of layoffs this year.
http://corporate.verisign.com/news/2001/pr_20011214.html
=====================================================
3. HAPPENINGS
EDITOR'S NOTE: Check event listings for postponements and cancellations.
JANUARY
Enterprise Security Management
W-F, Jan. 2-4, Dallas, Texas
http://www.vigilar.com
Secure Communications & VPNs
W-F, Jan. 2-4, Boston, Mass.
http://www.globalknowledge.com/imsec
Network Attacks & Countermeasures
M-W, Jan. 7-9, Albany, N.Y.
http://www.nsec.net/training
SANS South Beach
M-S, Jan. 7-12, Miami, Fla.
http://www.sans.org
CyberCrime on Wall Street
Th & F, Jan. 10-11, New York, N.Y.
http://www.iirusa.com/cybercrimeonwall$t
SANS Down Under
Th-T, Jan. 10-15, Melbourne, Australia
http://www.sans.org
Basic Computer Forensics
M-W, Jan. 14-16, Jacksonville, Fla.
http://www.lc-tech.com
WEST 2002
T-Th, Jan. 15-17, San Diego, Calif.
http://www.west2002.org
Deploying Internet & Intranet Firewalls: Hands On
T-F, Jan 15-18, New York, N.Y.
http://www.learningtree.com/us/ilt/courses/488.htm
Designing Security Architectures
Th & F, Jan. 17-18, San Jose, Calif.
http://www.globalknowledge.com/imsec
SANS Peachtree 2002
Su-Th, Jan. 19-24, Atlanta, Ga.
http://www.sans.org
Advanced Computer Forensics
M-W, Jan. 21-23, Jacksonville, Fla.
http://www.lc-tech.com
Hacking Immersion: Attack & Defense
M-F, Jan. 21-25, Atlanta, Ga.
http://www.vigilar.com
Internet Worms & Viruses
T, Jan. 22, Buffalo, N.Y.
http://www.nsec.net/training
HIPAA Security & Privacy Briefing
T & W, Jan. 22-23, New Orleans, La.
http://www.misti.com
Internet & Intranet Security: A Comprehensive Introduction
T-F, Jan. 22-25, Rockville, Md.
http://www.learningtree.com/us/ilt/courses/468.htm
Ultimate Hacking
T-F, Jan. 22-25, New York, N.Y.
http://www.globalknowledge.com/imsec
Information Assurance Technical Framework Forum
Th, Jan. 24, Laurel, Md.
http://www.iatf.net
2002 HIMSS Annual Conference & Exhibition
Su-Th, Jan. 27-31, Atlanta, Ga.
http://www.himss.org
Introduction to Internet Security
M & T, Jan. 28-29, Dallas, Texas
http://www.misti.com
COMNET Conference & Expo
M-Th, Jan. 28-31, Washington, D.C.
http://www.comnetexpo.com
eXtreme Hacking-Defending Your Site
M-F, Jan. 28-Feb. 1, Chicago, Ill.
http://www.ey.com/security
Windows 2000 Security: Hands On
M-F, Jan. 28-Feb. 1, Chicago, Ill.
http://www.learningtree.com/us/ilt/courses/562.htm
SANS Aloha IV
M-S, Jan. 28-Feb. 2, Honolulu, Hawaii
http://www.sans.org
Creating a Computer Security Incident Response Team (CSIRT)
T, Jan. 29, Pittsburgh, Pa.
http://www.cert.org/training
Concepts & Trends in Information Security
W, Jan. 30, Washington, D.C.
http://www.cert.org/training
Real Time Threat Management
W, Jan. 30, New York, N.Y.
http://www.esecurityinc.com
2nd Annual Privacy & Data Security Summit
W-F, Jan. 30-Feb. 1, Washington, D.C.
http://www.privacyassociation.org/html/conferences.html
CyberSabotage!
W-F, Jan. 30-Feb. 1, Miami, Fla.
http://www.marcusevansconferences.com
Network Firewall Security
W-F, Jan. 30-Feb. 1, Orlando, Fla.*
http://www.misti.com
Advanced Network Attacks & Countermeasures
Th & F, Jan. 31-Feb. 1, Buffalo, N.Y.
http://www.nsec.net/training
If you know of an information security conference that should be included in the list of Happenings, please e-mail mailto:cpierre@infosecuritymag.com.
=====================================================
Security Wire Digest and Information Security magazine are published by TruSecure, the world's leader in Internet security services.
Copyright (c) 2001. All rights reserved. Redistribution of this newsletter is permitted provided all content (including this notice) is reproduced verbatim with proper attribution to Security Wire Digest and Information Security magazine. http://www.infosecuritymag.com
=====================================================
To SUBSCRIBE to Security Wire Digest, go to:
http://infosecuritymag.bellevue.com
To UNSUBSCRIBE from SecurityWire Digest, go to:
http://infosecuritymag.bellevue.com/USL.asp?EM=grue@umich.edu
To CHANGE your e-mail address, go to:
http://infosecuritymag.bellevue.com/CEL.asp?EM=grue@umich.edu
To subscribe or renew your existing subscription to Information Security
magazine, print edition, please go to:
http://www.submag.com/sub/is