Merit Network Email List Archives: Network Security

FW: Security In The News - March 2, 2004

  • From: Howell, Paul
  • Date: Wed Mar 03 08:32:43 2004

-----Original Message-----
From: dailyreport@ists.dartmouth.edu [mailto:dailyreport@ists.dartmouth.edu]
Sent: Tuesday, March 02, 2004 5:22 PM
To: subscriber (2554)
Subject: Security In The News - March 2, 2004

Security In The News
LAST UPDATED: 3/2/04
This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html

Homeland Security & Infrastructure Protection

Information security weaknesses could impact food production, GAO says
Government Executive, 3/1/04
Also - Government Computer News, 3/1/04

Incident management system to galvanize response
Government Computer News, 3/1/04
Also - Federal Computer Week, 3/1/04


Politics-Legislation

S.F.: If You're Asked, Don't Tell
Wired News, 3/1/04

Malware

Automated kits fuel virus epidemic
vnunet.com, 3/1/04

Viruses and DDoS attacks flood UK firms
ZDNet UK, 3/2/04
Also - PC Pro, 3/2/04
Also - vnunet.com, 3/2/04

Technology

Microsoft enlists developers in security push
ZDNet, 2/29/04

Big companies turn to packaged Sarb-Ox apps
Computerworld, 3/2/04

Microsoft to make its software 'behave'
Network World Fusion, 3/1/04

XrML keeps content under control
Network World Fusion, 3/1/04

$200 billion: one estimate of what DOD must spend to go net-centric
Government Computer News, 3/2/04

Vulnerabilities & Exploits

Windows leak dangers 'exaggerated'
The Register, 3/1/04

Best Practices & Risk Management

Security experts hit back at presidential advisor
ZDNet UK, 3/2/04



Homeland Security & Infrastructure Protection


Title: Information security weaknesses could impact food production, GAO says
Source: Government Executive
Date Written: March 1, 2004
Date Collected: March 2, 2004
The General Accounting Office (GAO) reports that the Department of Agriculture has not developed an information security policy for its networks, possibly endangering the United States food supply should those networks be disrupted. The GAO finds that Agriculture has not protected its network boundaries, nor does it monitor or control access to those networks. Sensitive mission-critical data can be viewed or changed by an attacker without detection. GAO also found a lack of management involvement in security, making it difficult for security personnel to effectively enforce security programs.
http://www.govexec.com/dailyfed/0304/030104tdpm2.htm
Also - http://www.gcn.com/vol1_no1/daily-updates/25107-1.html


Title: Incident management system to galvanize response
Source: Government Computer News
Date Written: March 1, 2004
Date Collected: March 2, 2004
Speaking at the National Association of Counties conference in Washington, Homeland Security Secretary Tom Ridge unveiled the National Incident Management System (NIMS), a standard template for responding to emergencies at the national, state, and local levels. NIMS incorporates best practices developed by first responders all over the country, and includes command, communications and information, preparedness, and a joint information and integration center. Secretary Ridge argued that NIMS will help to integrate the nation's response and to leverage future technologies.
http://www.gcn.com/vol1_no1/daily-updates/25105-1.html
Also - http://www.fcw.com/geb/articles/2004/0301/web-nims-03-01-04.asp


Politics-Legislation


Title: S.F.: If You're Asked, Don't Tell
Source: Wired News
Date Written: March 1, 2004
Date Collected: March 2, 2004
Voters in San Francisco will have an opportunity to vote on a new legal measure when they vote in the March 2, 2004 Democratic primaries: Proposition E, intended to protect the privacy of citizens targeted by the federal government under the Patriot Act. Section 215 of the Patriot Act, a law rushed through Congress shortly after the September 11 terrorist attacks, allows federal investigators to seize library, financial, health, education, and other personal records from local governments, and issue gag orders to keep city workers from making such seizures public knowledge. Proposition E would allow San Francisco's Board of Supervisors to review Patriot Act subpoenas for any signs of federal abuse. Three states and 256 municipalities have passed measures condemning the Patriot Act.
http://www.wired.com/news/politics/0,1283,62451,00.html

Malware


Title: Automated kits fuel virus epidemic
Source: vnunet.com
Date Written: March 1, 2004
Date Collected: March 2, 2004
As Netsky.D and several Bagle variants storm the Internet, virus experts are blaming the rise in viruses on the widespread use of automated virus creation kits. Inexperienced users can tweak the code of successful viruses to create new malware. These viruses manage to spread because the average user keeps making the same mistakes, such as opening e-mail attachments from unknown sources. Virus writers are also exploiting a number of open vectors; for example, virus scanners cannot inspect the contents of password-protected .zip files, so the malicious payload passes through the gateway unexamined. Researchers are uncertain whether the number of virus authors is growing, but they do know the authors are learning effective tactics, such as giving malware files familiar icons.
http://www.vnunet.com/News/1153171
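The password-protected .zip evasion above is not a dead end for a gateway: the ZIP central directory states in the clear whether each entry is encrypted (general purpose bit flag, bit 0), and the entry names are visible even when the contents are not. The following is an added example, not code from the ISTS newsletter or from any scanner vendor; the quarantine policy, the executable-suffix list and the two sample archives are constructed for illustration, and the "password-protected" sample is produced by flipping the flag bit because the standard library cannot write encrypted entries.

```python
"""Gateway-side check for password-protected ZIP attachments (added example).

A scanner cannot decrypt the entries, but it does not need to: the central
directory says which entries are encrypted and what they are called, which
is enough to quarantine the attachment instead of passing it through."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
END_OF_CENTRAL_DIR_SIG = b"PK\x05\x06"
# Assumed gateway policy: suffixes Windows executes on double-click.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def iter_central_directory(data: bytes):
    """Yield (name, flags, method) for every central directory entry.

    The directory is located through the end-of-central-directory record,
    which is how unzip tools find it, so a crafted local header cannot hide
    an entry from this walk."""
    eocd = data.rfind(END_OF_CENTRAL_DIR_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive")
    # EOCD layout: sig, disk, cd_disk, entries_this_disk, entries_total,
    #              cd_size, cd_offset, comment_len
    _, _, _, _, total, _, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack("<HH", data[pos + 8:pos + 12])
        name_len, extra_len, comment_len = struct.unpack(
            "<HHH", data[pos + 28:pos + 34])
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        yield name, flags, method
        pos += 46 + name_len + extra_len + comment_len


def assess_zip(data: bytes) -> dict:
    """Classify an attachment without decrypting anything."""
    encrypted, executables = [], []
    for name, flags, _method in iter_central_directory(data):
        if flags & 0x0001:                      # bit 0: entry is encrypted
            encrypted.append(name)
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            executables.append(name)
    return {
        "encrypted_entries": encrypted,
        "executable_entries": executables,
        # Assumed policy: what cannot be inspected is quarantined, not delivered.
        "action": "quarantine" if encrypted or executables else "deliver",
    }


def build_zip(entries: dict, mark_encrypted: bool = False) -> bytes:
    """Construct a sample archive in memory.  With mark_encrypted=True the
    encryption flag is set in every local and central header so the file
    looks password-protected to a parser (the data itself stays plain)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, flag_offset in ((LOCAL_HEADER_SIG, 6), (CENTRAL_DIR_SIG, 8)):
            pos = data.find(sig)
            while pos >= 0:
                data[pos + flag_offset] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed samples: a benign attachment, and a "password-protected"
# archive carrying a double-extension executable of the kind described.
CLEAN_ZIP = build_zip({"report.txt": b"quarterly figures"})
SUSPECT_ZIP = build_zip({"invoice.doc.exe": b"MZ\x90\x00 not really a PE"},
                        mark_encrypted=True)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("suspect", SUSPECT_ZIP)):
        print(label, assess_zip(blob))
```

The check deliberately reads the central directory rather than trusting local headers, since the two can disagree in a crafted archive; a production gateway would additionally cap nesting depth and total decompressed size before handing anything to a content scanner.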


Title: Viruses and DDoS attacks flood UK firms
Source: ZDNet UK
Date Written: March 2, 2004
Date Collected: March 2, 2004
The United Kingdom's Department of Trade and Industry (DTI) has released preliminary results of its biennial Information Security Breaches Survey, finding that half of British businesses suffered a virus or distributed denial of service (DDoS) attack in 2003, a 25% increase over 2002. 93% of smaller companies and 99% of larger companies have virus protection. The Blaster worm accounted for a third of infections at smaller companies, and a half at larger companies, leading to network disruptions lasting from half a day to a month. The survey, conducted by a consortium led by PricewaterhouseCoopers, gathered data from roughly 1,000 telephone interviews. The full results will be published at the InfoSecurity Europe Conference on April 27, 2004.
http://news.zdnet.co.uk/0,39020330,39147959,00.htm
Also - http://www.pcpro.co.uk/news/news_story.php?id=54403
Also - http://www.vnunet.com/News/1153185

Technology


Title: Microsoft enlists developers in security push
Source: ZDNet
Date Written: February 29, 2004
Date Collected: March 2, 2004
Microsoft will release updated versions of its development tools with new security features when it releases Windows XP Service Pack 2. The new versions of Visual Studio .NET and the .NET Framework will check existing applications for compatibility with Service Pack 2 and guide developers in using the new security features. Free web-based training and documentation will also be available on Microsoft's developer website. Microsoft chairman Bill Gates outlined the security changes included in Service Pack 2 at the RSA Conference in San Francisco, describing changes to Internet Explorer and Outlook, an enhanced firewall, and protections against buffer overruns.
http://zdnet.com.com/2100-1104_2-5167106.html


Title: Big companies turn to packaged Sarb-Ox apps
Source: Computerworld
Date Written: March 2, 2004
Date Collected: March 2, 2004
Large companies subject to the Sarbanes-Oxley Act, a law that imposes controls on how financial data is handled and reported, are deciding to purchase off-the-shelf software to comply with the regulations rather than develop applications in house. Regis Corporation, which runs 9,700 hair salons in North America and Europe, spent $100,000 on Movaris's Certainty compliance tool, finding it riskier and costlier to develop the software itself. Juniper Networks also purchased the Movaris tool. Companies find that developing the software is not only costly, but that keeping it current with new regulations is a continuing responsibility. Other companies, such as Regal Entertainment Group, are building compliance solutions from a combination of off-the-shelf packages. Many corporate users find that they do not understand Sarbanes-Oxley well enough to formulate a compliance strategy, further driving the demand for pre-packaged solutions.
http://www.computerworld.com/governmenttopics/government/legislation/story/0,10801,90595,00.html?from=homeheads


Title: Microsoft to make its software 'behave'
Source: Network World Fusion
Date Written: March 1, 2004
Date Collected: March 2, 2004
Microsoft's adoption of "active protection," or behavior blocking, technology marks a shift in software strategy for the company. At the RSA Conference in San Francisco, Microsoft chief software architect Bill Gates outlined the behavior blocking technology expected to be included in Windows software by the end of 2004. Such technology looks for unusual behavior within a computer, identifying intrusions and virus activity by what a program does rather than by matching a signature of what it contains. John Pescatore of Gartner Research notes the strategy is a departure for Microsoft, which has usually focused on making its products user friendly. Microsoft is also teaming up with RSA Security to provide stronger authentication to Windows with the SecurID handheld token.
http://www.nwfusion.com/news/2004/0301microsoftrsa.html
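To make the behavior-blocking idea concrete, here is an added example of a small monitor that scores what each process does and blocks on the combination typical of the mass-mailers in the news that week. It is not Microsoft's "active protection" or any vendor's engine; the event stream, the rule weights, the SMTP burst threshold and the mail-client allowlist are all constructed or assumed for illustration.

```python
"""Toy behavior-blocking monitor (added example, not a vendor implementation).

Each process accumulates a score from the behaviors it exhibits.  A single
behavior is tolerated (installers legitimately set Run keys); the combination
of self-replication, persistence and an outbound SMTP burst is blocked."""
import ntpath

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allowlist
SMTP_BURST = 5     # assumed: this many outbound port-25 connections is a burst
BLOCK_AT = 3       # assumed: cumulative score at which the process is blocked
RUN_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
)


def _hit(proc: dict, reason: str, weight: int) -> None:
    """Score a rule once per process, the first time it fires."""
    if reason not in proc["reasons"]:
        proc["reasons"].append(reason)
        proc["score"] += weight


def evaluate(events):
    """events: iterable of (pid, image_path, action, target).

    Rules:
      self-copy           (+2) process writes a file with its own name elsewhere
      run-key persistence (+1) process sets a value under a Run key
      smtp burst          (+2) non-mail process opens SMTP_BURST port-25 connections
    Returns {pid: {"block": bool, "score": int, "reasons": [...]}}."""
    procs = {}
    for pid, image, action, target in events:
        proc = procs.setdefault(pid, {"image": image, "smtp": 0,
                                      "score": 0, "reasons": []})
        exe = ntpath.basename(image).lower()
        if action == "file_write":
            same_name = ntpath.basename(target).lower() == exe
            elsewhere = ntpath.dirname(target).lower() != ntpath.dirname(image).lower()
            if same_name and elsewhere:
                _hit(proc, "self-copy", 2)
        elif action == "reg_set" and target.lower().startswith(RUN_KEYS):
            _hit(proc, "run-key persistence", 1)
        elif action == "connect" and target.endswith(":25") and exe not in MAIL_CLIENTS:
            proc["smtp"] += 1
            if proc["smtp"] >= SMTP_BURST:
                _hit(proc, "smtp burst", 2)
    return {pid: {"block": p["score"] >= BLOCK_AT,
                  "score": p["score"], "reasons": p["reasons"]}
            for pid, p in procs.items()}


# Constructed event stream (Sysmon-style fields, not real telemetry):
# a worm-like process, a legitimate installer, and a real mail client.
WORM = "C:\\Documents and Settings\\alice\\Local Settings\\Temp\\readme.pif"
INSTALLER = "C:\\Downloads\\setup.exe"
OUTLOOK = "C:\\Program Files\\Microsoft Office\\outlook.exe"
SAMPLE_EVENTS = [
    (4412, WORM, "file_write", "C:\\WINDOWS\\System32\\readme.pif"),
    (4412, WORM, "reg_set",
     "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Service"),
    (3120, INSTALLER, "reg_set",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
] + [
    (4412, WORM, "connect", f"mx{i}.example.net:25") for i in range(6)
] + [
    (2040, OUTLOOK, "connect", "smtp.example.net:25") for _ in range(6)
]

if __name__ == "__main__":
    for pid, verdict in evaluate(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

The allowlist is what keeps this from blocking every mail client on the box; in practice the image name alone is weak evidence of identity, and a deployed engine would tie the allowlist to a signed binary rather than a file name.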


Title: XrML keeps content under control
Source: Network World Fusion
Date Written: March 1, 2004
Date Collected: March 2, 2004
Many companies need rights management tools to control the flow of information, either for regulatory compliance or to protect sensitive business data. XrML (Extensible Rights Markup Language) expresses the conditions of use for electronic content so that applications can enforce those conditions. XrML is under consideration by OASIS (Organization for the Advancement of Structured Information Standards) and by ISO (International Organization for Standardization) as the MPEG-21 Rights Expression Language. XrML software lets an author add usage policies, distribution restraints, and even time-based permissions for certain operations. When a user tries to read the document, the application follows the license's instructions to contact a license server and validate the user's authorization. Enforcement therefore rests on the reading application honoring the license; the rights language only describes the policy. Using a standard rights language will let different applications and platforms work with the same content.
http://www.nwfusion.com/news/tech/2004/0301techupdate.html


Title: $200 billion: one estimate of what DOD must spend to go net-centric
Source: Government Computer News
Date Written: March 2, 2004
Date Collected: March 2, 2004
Roger Roberts, senior vice president of Boeing, estimates that it will cost $200 billion--$10 billion per satellite and $100 billion for next-generation equipment--to create net-centricity, integrating land, sea, air, and space into a single battlespace. Net-centricity promises to transform battle operations; the soldier in the field will have more information than a general or admiral, creating new rules of engagement and new tactics. Mr. Roberts forecasts that in a few years the Defense Department will have to consider how to replace legacy systems and manage satellite links as new technology, such as the Global Information Grid, comes online.
http://www.gcn.com/vol1_no1/daily-updates/25112-1.html

Vulnerabilities & Exploits


Title: Windows leak dangers 'exaggerated'
Source: The Register
Date Written: March 1, 2004
Date Collected: March 2, 2004
The leak of Microsoft source code sparked concern of an increase in exploits as black hat hackers examine it for vulnerabilities. However, the cryptographers' panel at the RSA Conference doubted the apparent danger, calling it a "minor data point in the open source debate." Paul Kocher of Cryptography Research expressed irritation that black hats could examine the code while legitimate researchers were legally constrained from doing so. Bruce Schneier, chief technology officer at Counterpane Internet Security, argued that any vulnerabilities in the leaked source would not matter to elite attackers, noting that any reasonable intelligence agency would already have access to the source code.
http://www.theregister.co.uk/content/6/35933.html

Best Practices & Risk Management


Title: Security experts hit back at presidential advisor
Source: ZDNet UK
Date Written: March 2, 2004
Date Collected: March 2, 2004
Computer industry officials are responding to the remarks of John Gordon, advisor to President Bush on Homeland Security, who criticized the security practices used while writing code. During his keynote speech at the RSA Conference, Mr. Gordon argued that if developers learned to write more secure code, and reduced software vulnerabilities and errors by a factor of ten, the industry could eliminate 90% of threats. Many officials at cybersecurity companies, however, say vulnerabilities come from people rather than software. Jay Heiser of TruSecure questions how better code would combat spam, phishing, child pornography, and viruses. Richard Starnes of Cable & Wireless argues that users must be better trained in security issues. Despite such criticisms, industry also found much to agree with in Mr. Gordon's speech, such as the call for better usability in security products.
http://news.zdnet.co.uk/business/0,39020645,39147967,00.htm


To change your delivery preferences please go to:
http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to:
http://news.ists.dartmouth.edu/substop.html

The Institute for Security Technology Studies (ISTS) accepts no responsibility for any error or omissions in this e-mail. The information presented is a compilation of material from various sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be made responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in this e-mail to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News e-mail available as a public service on a best-effort basis. Security in the News will be sent out on most business days, but not all.

Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu


