Network Security
FW: Security In The News - March 28, 2003
- From: Howell, Paul
- Date: Sat Mar 29 10:06:25 2003
Security In The News - LAST UPDATED: 3/28/03
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
- Agencies are making progress in security, OMB says - Government Computer News, 3/27/03
- Wartime Internet Security Is 'Business as Usual' - Washington Post, 3/27/03
- Creation of cybersecurity post in administration appears imminent - Government Executive, 3/27/03
- Regional info-sharing network takes hold in Oregon - Computerworld, 3/27/03
- Task force to aid homeland planning - Federal Computer Week, 3/28/03
- FBI chief details progress on upgrading computer systems - Government Executive, 3/27/03
- DOE releases software quality improvement strategy - Government Computer News, 3/27/03
- Attackers Target Web Applications - OSAC Cybernews, 3/28/03
- EU to unify e-crime rules - vnunet.com, 3/28/03
- Also - Internet Magazine, 3/28/03
- Firewalls set to become illegal in many American states - The Inquirer, 3/28/03
- Also - The Register, 3/28/03
- UK.gov seeks input on anti-spam law - Security Focus, 3/27/03
- Microsoft antitrust case still has bounce - C-Net News, 3/27/03
- Email worm beginning to spread - Sydney Morning Herald, 3/28/03
- Newly Found Rolark Trojan Exploits a Vulnerability in Microsoft IIS - Help Net Security, 3/28/03
- Safety measures will be added to software improvement model - Government Computer News, 3/27/03
- New wireless security means costly upgrade - vnunet.com, 3/27/03
- Report: Encryption Apps Show Promise - Internet News, 3/27/03
- New task force will examine critical uses of supercomputing - Government Computer News, 3/27/03
- Software bug may cause Patriot missile errors - IT World, 3/28/03
- Don't dismiss possibility of malicious code on Linux - Enterprise Linux, 3/27/03
- Also - PCAdvisor, 3/28/03
Cyberterrorism-Infrastructure Protection
- Title: Agencies are making progress in security, OMB says
- Source: Government Computer News
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- On March 27, 2003, the Office of Management and Budget (OMB) gave a
preview of its second annual report to Congress on the state of IT security
at federal agencies. According to Kamela White, a senior policy analyst at
OMB's Information Policy and Technology Branch, progress was made across the
board, but some security measures remain inadequate. The full report on the
security and certification of critical IT systems, which is mandated under
the Government Information Security Reform Act, is scheduled for release in
a few weeks. A significant number of IT projects are at risk if security
problems are not addressed.
- http://www.gcn.com/vol1_no1/daily-updates/21510-1.html
- Title: Wartime Internet Security Is 'Business as Usual'
- Source: Washington Post
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- Despite a war-related spike in website defacements and cyber attacks
against public systems, security firms are not taking any additional
security measures to protect systems. As Vincent Weafer, the chief virus
researcher for Symantec Security Response, explains, security awareness is
already high due to the fact that most U.S. corporations already face a
significant number of "major attacks" and malware on an ongoing basis.
Despite warnings from the Homeland Security Department, there has not been a
large increase in cyber attacks against government systems since the onset
of hostilities in Iraq, although the number of scans and probes may have
risen. Authorities worry about the prospect of cyberterrorism or information
warfare, but experts disagree about the nature of the threat.
- http://www.washingtonpost.com/wp-dyn/articles/A37785-2003Mar27.html
- Title: Creation of cybersecurity post in administration appears imminent
- Source: Government Executive
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- Speaking at a conference hosted by the Information Technology
Association of America (ITAA) on March 27, 2003, Sallie McDonald, a senior
Homeland Security Department (HSD) official, said that the Bush
administration is close to announcing the creation of a new senior position
responsible for cybersecurity. It remains unclear whether the new post will
cover cybersecurity throughout the government, or only at HSD. Howard
Schmidt and Paul Kurtz are named as possible candidates for senior
cybersecurity roles following a re-organization of national efforts.
- http://www.govexec.com/dailyfed/0303/032703td2.htm
- Title: Regional info-sharing network takes hold in Oregon
- Source: Computerworld
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- Oregon's Regional Alliance for Information and Network Security (RAINS),
comprised of over 60 technology firms and government agencies, officially
launched its RAINS-Net secure information-sharing network on March 14, 2003.
The new network, which will be used to distribute emergency alerts, secure
e-mail messages, maps, audio and video files and other information to local
public and private entities responsible for homeland security and terrorism
response, is still in its experimental stages, but there are plans to expand
the project if it proves successful.
- http://www.computerworld.com/securitytopics/security/story/0,10801,79777,00.html
- Title: Task force to aid homeland planning
- Source: Federal Computer Week
- Date Written: March 28, 2003
- Date Collected: March 28, 2003
- On March 27, 2003, the Council on Foreign Relations announced the
creation of a new task force aimed at helping federal and local emergency
first responders attain homeland security funding and coordinate their
response efforts. Warren Rudman, former U.S. senator and head of a
high-profile terrorism commission, was chosen to lead the new task force.
Former cybersecurity and infrastructure protection official Richard Clarke
will serve as a senior adviser to the task force.
- http://www.fcw.com/fcw/articles/2003/0324/web-taskforce-03-28-03.asp
- Title: FBI chief details progress on upgrading computer systems
- Source: Government Executive
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- In testimony to a House Appropriations subcommittee on March 27, 2003,
FBI Director Robert Mueller said that significant progress has been made in
upgrading FBI computer systems. According to director Mueller, the FBI is
poised to launch a wide-area network that will link together the agency's
21,025 desktop computers in 622 locations, as well as a "corporate-data
warehousing capability" to allow investigators to access information from
multiple databases. The FBI is requesting $234.4 million to fight cybercrime
and defend against cyber attacks. The agency's cyber division will focus
primarily on "identifying and stopping individuals or groups conducting
computer intrusions and spreading malicious code on the Internet; catching
intellectual property thieves and Internet frauds; and halting online
predators who exploit children."
- http://www.govexec.com/dailyfed/0303/032703td1.htm
- Title: DOE releases software quality improvement strategy
- Source: Government Computer News
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- The U.S. Energy Department has released an implementation plan to
improve the quality of safety software at defense nuclear facilities,
finding and fixing weaknesses in the system, analysis, and design software
used in safety related functions, as well as in the practices of those who
use the software. The plan was created after the Defense Nuclear Facilities
Board criticized Energy's original Quality Assurance Improvement Plan in
September 2002 for not producing substantial results. The board highlighted
significant problems on March 25, 2003 at the BWXT Pantex nuclear weapon
assembly plant, and is concerned that quality assurance plans "may be
jeopardized by observed inadequacies in software engineering practices." The
board has asked the National Nuclear Security Administration to report a
quality assurance plan in April 2003.
- http://www.gcn.com/vol1_no1/daily-updates/21513-1.html
Cybercrime-Hacking
- Title: Attackers Target Web Applications
- Source: OSAC Cybernews
- Date Written: March 28, 2003
- Date Collected: March 28, 2003
- Mike Harris, manager of Ernst & Young's advanced security center in
Dublin, spoke at a hacking seminar on March 27, 2003, stating that as
organizations increase their security with improved firewalls and patch
management, attackers have shifted their focus to web applications. Harris
cited a lack of web application security information among developers as a
cause of programming errors that make such applications vulnerable. Security
also has a low priority among many developers. One of the most common
attacks is SQL injection. SQL allows a web application to interact with a
database. It is possible to send an SQL statement via a web interface to
gain access to the data - an attack on an e-commerce site allowed access to
clients' credit card records. Attackers also exploit weaknesses in session
IDs and comments developers leave in production code that they can use to
figure out names and passwords.
- http://www.ds-osac.org/view.cfm?key=7E44574B4251&type=2B170C1E0A3A0F162820
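An added example, not part of the digest or the seminar it reports on, showing the flaw Harris describes as a vulnerable query beside its parameterized form; the orders table, its rows and the query shape are constructed assumptions:

```python
"""Added illustration of SQL injection in a web-facing lookup (not from the
news digest). An in-memory SQLite database stands in for the e-commerce
back end; all rows are constructed sample data."""
import sqlite3


def make_db():
    # Constructed sample table: one row per customer with a card fragment.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, customer):
    # The web input is spliced into the SQL text, so it is parsed as SQL,
    # not as data: a quote in the input changes the WHERE clause.
    sql = "SELECT customer, card_last4 FROM orders WHERE customer = '%s'" % customer
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    # Placeholder binding: the driver passes the input as one literal
    # value, whatever characters it contains, so the query shape is fixed.
    return conn.execute(
        "SELECT customer, card_last4 FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed hostile input: closes the quoted literal and appends an
    # always-true condition, which the vulnerable query then honours.
    crafted = "x' OR '1'='1"
    return {
        "normal_vuln": lookup_vulnerable(conn, normal),
        "crafted_vuln": lookup_vulnerable(conn, crafted),   # every customer's row
        "normal_safe": lookup_safe(conn, normal),
        "crafted_safe": lookup_safe(conn, crafted),         # no such customer: []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable function leaks every customer's record for the crafted input; the parameterized one returns nothing, because the input never becomes part of the SQL grammar.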
Politics-Legislation
- Title: EU to unify e-crime rules
- Source: vnunet.com
- Date Written: March 28, 2003
- Date Collected: March 28, 2003
- The Council of the European Union (EU) has agreed on a framework
decision on attacks against information systems that seeks to harmonize
anti-hacking laws across Europe. The framework, which must be adopted by the
EU states by December 31, 2003, "will require member states to make
unauthorised access to computer systems a criminal offence," and will define
common penalties for hacking and distributing malware. At present, some
cybercrime investigations are hampered by inconsistent laws that leave some
countries as hacker havens.
- http://www.vnunet.com/News/1139796
- Also - http://www.internet-magazine.com/news/view.asp?id=3292
- Title: Firewalls set to become illegal in many American states
- Source: The Inquirer
- Date Written: March 28, 2003
- Date Collected: March 28, 2003
- Citing security researcher Edward Felten, the article reports that
legislation put forward in Texas, Massachusetts, South Carolina, Florida,
Georgia, Alaska, Tennessee and Colorado could outlaw the use of firewalls,
routers, network address translators and many other common technologies
because they conceal "the existence or place of origin or destination" of
communications. The story has not been officially confirmed, and it is
likely that the language of the bills will be changed once the potential
consequences become apparent.
- http://www.theinquirer.net/?article=8595
- Also - http://www.theregister.co.uk/content/6/30003.html
- Title: UK.gov seeks input on anti-spam law
- Source: Security Focus
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- In light of the growing problem of spam - unsolicited commercial e-mails
- the British government began consultation on new anti-spam legislation on
March 27, 2003. The anti-spam law will seek to write measures from the
European Union's Electronic Communication Data Protection Directive into
British law. The effort, which is being led by the UK's Department of Trade
and Industry (DTI), will be based on the opt-in principle, meaning that all
e-mail and SMS spam will have to be approved by the recipient. A number of
U.S. states are also working on tougher anti-spam laws, including harsher
fines, but all these efforts may be futile because most spammers are based
outside U.S. or UK jurisdiction, or senders are untraceable.
- http://www.securityfocus.com/news/3481
- Title: Microsoft antitrust case still has bounce
- Source: C-Net News
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- The anti-trust case against software giant Microsoft will go before a
federal appeals court, probably in the summer of 2003. In November 2002,
U.S. District Judge Colleen Kollar-Kotelly endorsed a settlement agreement
reached between Microsoft, the U.S. Justice Department and a group of
states, but the states of Massachusetts and West Virginia appealed the
decision. On March 27, 2003, a Microsoft spokesperson called the appeal "a
procedural matter." It is generally assumed that the decision will be
upheld.
- http://news.com.com/2100-1016-994364.html
Malware
- Title: Email worm beginning to spread
- Source: Sydney Morning Herald
- Date Written: March 28, 2003
- Date Collected: March 28, 2003
- Based on information from anti-virus company F-Secure, it appears that
three variants of the Lovgate e-mail worm are currently circulating on the
Internet. In particular, the latest variant, Lovgate.F, discovered on March
25, 2003, "is showing an increased number of infections," according to
F-Secure. Lovgate.F is an e-mail and network worm with backdoor
capabilities, and uses a longer list of passwords than previous variants to
gain remote access to systems. The top three countries where Lovgate.F is
active are Singapore, the Netherlands and China, according to security firm
MessageLabs.
- http://www.smh.com.au/articles/2003/03/28/1048653836233.html
- Title: Newly Found Rolark Trojan Exploits a Vulnerability in Microsoft IIS
- Source: Help Net Security
- Date Written: March 28, 2003
- Date Collected: March 28, 2003
- Security firm Panda Software has discovered a Trojan called Rolark,
which exploits the vulnerability discovered in Microsoft's Internet
Information Server 5.0 on March 17, 2003. The flaw is a buffer overflow in
the WebDAV component, which could allow an attacker to get complete control
of a server. Rolark does not need to install itself or any files on the
attacked server to operate. The Trojan can be used to make a server a
platform for other attacks. The article provides links to Microsoft's patch,
and Panda's technical report.
- http://net-security.org/virus_news.php?id=209
Technology
- Title: Safety measures will be added to software improvement model
- Source: Government Computer News
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- Officials from the Defense Department, Federal Aviation Administration,
Army, Navy, NASA, and Energy Department are working on the Integrity
Assurance (IA) program area. IA is meant to build safety and security
practices into software improvement models, and will be incorporated into
the FAA's Capability Maturity Model 2.0 and the Software Engineering
Institute's Capability Maturity Model Integration 1.1. Joe Jarzombek, deputy
director for software intensive systems at the Defense Systems Directorate,
says agencies won't need to incorporate the new security measures in their
CMMI strategies, "unless you're not already doing everything you need to be
doing."
- http://www.gcn.com/vol1_no1/daily-updates/21507-1.html
- Title: New wireless security means costly upgrade
- Source: vnunet.com
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- The upcoming 802.11i standard for wireless products will not be
backwards compatible with previous versions of 802.1x, making upgrade costs
high for firms to take advantage of the improved encryption. The encryption
requires powerful hardware that current 802.11b cards lack, though
manufacturers can build it into future 802.11a, b, and g hardware. Mark
Stevens, vice president for network security at WatchGuard, says the current
Wireless Encryption Protocol (WEP) and Wi-Fi Protected Access (WPA)
standards are too weak, and the delays and compatibility concerns could
further slow down security developments. 11.6 million wireless access points
were sold to businesses worldwide in 2002, with an additional 6.8 million
for home use.
- http://www.vnunet.com/News/1139776
- Title: Report: Encryption Apps Show Promise
- Source: Internet News
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- Technical Insights, a unit of IT research firm Frost & Sullivan,
forecasts new investment in encryption applications by research firms,
venture capitalists, and corporations - specifically, for public key
infrastructure (PKI), virtual private networks (VPN), and e-mail encryption.
Vendors will need to keep costs down and convince buyers of the financial
returns on security investments. Vendors should also work for
interoperability with other business applications. Intrusion detection
systems, tools that protect specific applications on corporate networks, and
vulnerability-assessment software and services should also see greater
demand.
- http://boston.internet.com/news/article.php/2171111
- Title: New task force will examine critical uses of supercomputing
- Source: Government Computer News
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- The U.S. government will establish a task force for high-end computing -
also known as supercomputing - to be guided by the National Science and
Technology Council. The effort comes after the Office of Management and
Budget's Analytical Perspectives on the fiscal 2004 budget declared high-end
computing capabilities "increasingly critical" for research, national
security, and defense. During 2003, the task force will 1) develop an
inter-agency road map for supercomputing technologies, 2) survey federal
supercomputing capacity and develop a plan to improve accessibility, and 3)
issue recommendations for procuring supercomputing systems.
- http://www.gcn.com/vol1_no1/daily-updates/21506-1.html
Vulnerabilities
- Title: Software bug may cause Patriot missile errors
- Source: IT World
- Date Written: March 28, 2003
- Date Collected: March 28, 2003
- According to U.S. military officials, investigations into two
friendly-fire incidents involving the Patriot Missile defense system during
the war in Iraq are ongoing, but the possibility of a software glitch is not
being excluded at this point. On March 23, 2003, a Patriot Missile battery
on the Kuwait border accidentally shot down a British Royal Air Force (RAF)
Tornado GR-4 aircraft returning from a mission over Iraq, killing both
pilots. The next day, a U.S. F-16 fighter jet was targeted by a Patriot
battery. Conflicting reports leave doubts as to whether Patriot Missile
batteries can function fully automatically, or whether they require some
input from human operators.
- http://www.itworld.com/Sec/2052/030328patriotbug
- Title: Don't dismiss possibility of malicious code on Linux
- Source: Enterprise Linux
- Date Written: March 27, 2003
- Date Collected: March 28, 2003
- Keith Peer, CEO of Central Command Inc., warns businesses that use Linux
in server or desktop environments not to be lulled into a false sense of
security by their choice of operating system. Though fewer viruses have been
written for Linux than for Windows, as more enterprises adopt Linux, hackers
will begin focusing on that platform. Laura Koetzle of Forrester Research
explains that many hackers recognize the role Linux plays in keeping
sensitive business data. As Linux moves to more desktops, the ability of the
average user to protect a machine will decline. "Virus writers prey on
people's inability to self-secure. The average user doesn't know enough to
be secure. That's what virus writers exploit," says Peer.
- http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci890925,00.html
- Also - http://www.pcadvisor.co.uk/index.cfm?go=news.view&news=3192
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
To unsubscribe from the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/cgi-bin/remove.cgi
The Institute for Security Technology Studies (ISTS) accepts no responsibility
for any error or omissions in this e-mail. The information presented is a
compilation of material from various sources and has not been verified by
staff of the ISTS. Therefore, the ISTS cannot be made responsible for the
factual accuracy of the material presented. The ISTS is not liable for any
loss or damage arising from or in connection with the information contained
in this report. It is the responsibility of the user to evaluate the content
and usefulness of this information. References in this e-mail to any
specific commercial products, processes, or services by trade name,
trademark, manufacturer, or otherwise, does not constitute or imply
endorsement, recommendation, or favoring by the ISTS. ISTS is a research,
not operational, organization, and makes its Security in the News e-mail
available as a public service on a best-effort basis. Security in the News
will be sent out on most business days, but not all.
Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu