April 2004 – Page 2 – CyberSecurity Institute

Security Updates on Tap for Server 2003

Posted on April 9, 2004December 30, 2021 by admini

One of the biggest modifications expected for the server operating system is a system known as ACI (Advanced Client Inspection), which checks the health of PCs attempting to connect to a network.

The system is similar to Cisco Systems Inc.’s Network Admission Control project but is done strictly through Windows.

When a client machine tries to log on to a network, Windows Server 2003 checks the security posture of the PC and compares it against a predetermined corporate policy.

Microsoft plans to ship a set of security policy templates for ACI, but customers can design their own as well.

The system also will allow administrators to set group policies for departments that have differing security requirements.

“The notion of one size fitting all in terms of security just isn’t the case,” said Mike Nash, vice president of the Security and Technology Business Unit at Microsoft, in an interview during the Microsoft Security Summit here last week.

While Microsoft plans to release a service pack for Windows Server 2003 in the second half of this year, it’s unclear whether ACI will be included in that or delivered in some other form, Nash said.

This technology, along with some behavior-blocking and intrusion prevention features, is part of a second set of security tools that the company has planned for Windows XP but that likely won’t be ready in time for SP2 (Server Pack 2), which is in beta.

Nash said SP2 will include a tool that gives customers the ability to specify which wireless LANs users are allowed to connect to, thereby eliminating the risk that can arise from connecting to unknown and potentially hostile networks.

http://www.eweek.com/article2/0,4149,1565334,00.asp?kc=EWRSS03119TX1K0000594

RogueWatch does the watching for you

Posted on April 8, 2004December 30, 2021 by admini

Programs such as Netstumbler and WaveRunner survey the airwaves to feel out rogue access points.

Testing with them, however, requires a human (most likely you) to seek out problems in the wireless coverage area by walking around the trouble spots looking for an anomaly.

AirDefense, a wireless LAN security company, has one product designed just for the busy IT professional who has better things to do than walk around testing for rogue access points.

RogueWatch centrally monitors a wireless LAN for rogue access points, using distributed sensors and a server appliance tailored to monitoring this activity.

http://techrepublic.com.com/5100-6263_11-5176405-1-1.html

Major security breaches usually due to human error

Posted on April 7, 2004December 30, 2021 by admini

Major security breaches, defined by a survey “as one that caused real harm, resulted in confidential information taken or interrupted business,” are slowly increasing and are most often attributed to human error (47%), rather than technical problems.

IT directors welcome Big Four’s corporate security initiative

Posted on April 7, 2004December 30, 2021 by admini

The consortium, which includes the Big Four accounting firms and insurance giant AIG international, aims to agree a cyber-risk model that can be used by companies in all industries.

Auditors and insurers could also use the “risk preparedness index” to help decide whether a company has adequate IT security arrangements.

Although details of the framework have yet to be finalised, security experts believe it will focus on an organisation’s IT security safeguards, such as its firewalls and anti-virus software, and compare this against the security threats it faces.

“IT infrastructure risk management is of critical importance to the industry and Barclays broadly welcomes the principles behind this initiative,” said Barclays group chief technology officer Kevin Lloyd. “We will continue to monitor the development of this framework with interest and potentially inclusion in the shaping of the framework.”

Nick Leake, director of operations and infrastructure at ITV, said, “I think the real value of this approach is in sorting out the companies with dreadful levels of non compliance/operation from those with high levels – it won’t be much use in distinguishing the better of two already very compliant operations. And as with all these things, it will have to be kept up to date.”

Industry experts said that an accepted model for measuring security risk would be a breakthrough if widely adopted and would also help IT departments justify security spending.

“The new security standard looks promising, although a lot of the devil will be in the detail,” said Graham Titterington, principal analyst at Ovum. “It will make it easier for people to justify spending on IT security because of the backers of the standard are blue chip companies, which gives it credibility with the board.”

Neil Barrett, technical director of security consultancy information risk management, said the proposed security standard would allow IT directors to measure their organisation’s security arrangements against a benchmark.

http://www.computerweekly.com/articles/article.asp?liArticleID=129789&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

Delivering the 12kb Bomb

Posted on April 6, 2004December 30, 2021 by admini

A young virus writer, sitting in his underwear in his parent’s dark basement, takes a hex editor and modifies a few bytes of the latest Netsky.M (16.5kb), Beagle.J (12kb) or Mydoom.G (20kb) mutation, spawns a new virus variant, and then releases it into the wild.

The resulting few thousand compromised machines, a conservative estimate perhaps, will sit naked as drones or “bots” on the Internet, waiting patiently for their summons and commands.

A mere 12 kilobytes of action-packed code is impressive.

For a 12 kilobyte Beagle, you get total system compromise, plus a highly effective spam engine.

The latest code that brings a Microsoft computer to its knees is small enough that it could be silk-screened onto an extra-large t-shirt: a walking time bomb, if you will.

With today’s monolithic software programs and operating systems, often barely fitting compressed on a CD-ROM, it’s easy to see how small bits of malicious code can slip under the radar.

I still remember the days, many computer-years ago now, when BackOrifice and SubSeven Trojans first came out.

At just over 100kb, they were impressive in their day.

Back then most people were running Windows 98, and a small 100kb email attachment could easily slip into the operating system and wreak havoc without ever being noticed.

Today these are 100kb Trojans are monolithic in comparison to our modern email-based worm-virus-backdoor-spam-engines that tend to be under 20kb; these old relics are still a useful footnote, however, for watching the long-term evolution of malicious code.

Speaking of monolithic: Windows XP Home Edition requires approximately 1,572,864 kilobytes (1.5Gbytes) for a typical install, according to Microsoft.

Of course, it’s better/faster/easier-to-use than previous versions, as the advertisements say, and if you believe the literature too it’s also less buggy and significantly more secure.

The public relations spin machine for such a large company is fascinating to me Windows has become bloated into millions and millions of lines code, yet it only takes a mere 12 kilobytes to provide full system compromise and an annoying spam engine.

The divide between David and Goliath has never been greater.

Consider an analogy on the size of modern malicious code: if Windows XP were the size of the Empire State Building, then the little barking Beagle virus – the size of a small dog – can come in through the front door, lift its leg, deliver its payload, and somehow cause the entire building to come crumbling down.

The latest craze in the virus-worm-spam war has seen computer worms crawling inside of other computer worms – like watching maggots crawl on top of each other as they make their way through a tender piece of meat.

Some of the latest worms found in the wild have multi-vector propagation algorithms and also make use of previous viral infections by Beagle and Mydoom.

I do not know to what extent Microsoft’s code is scrutinized through an exhaustive security audit, but two years after Bill Gates’ long-heralded announcement the holes in the cheese are larger than they’ve ever been.

For now we’re stuck with millions and millions of lines code compiled into a giant operating system that can be wiped out of existence remotely with nothing but a small 12 kilobyte piece of code, launched by someone in his underwear on the other side of the world.

http://www.theregister.co.uk/content/55/36345.html

Bridging the gap between security and developers

Posted on April 6, 2004December 30, 2021 by admini

Peter Wood, partner and chief of operations at First Base Technologies, said that because developers are not security professionals, their application development stresses functionality, not security, and there is a lack of awareness of security issues.

Application vulnerabilities occur, said Wood, because common coding techniques do not necessarily include security; input is assumed to be valid, but untested; and inappropriate file calls can reveal source code and system files.

To bring security to the development environment, said Wood, it is necessary to create and enforce secure coding practices, self-assess code during development, implement security checks into the quality assurance cycle and consider security during change control.

The challenge of achieving this in global organisations was addressed by Andy MacGovern, global security awareness manager at Reuters.

He said that security is often seen as a “hold up” in the product development lifecycle, where products have to be delivered faster in a climate of increased customer expectations, more complex products, reduced budgets, fewer resources and a tougher legislative environment.

Similarly, you should identify and adopt an appropriate security framework and develop policies appropriate to the organisation, said MacGovern.

Reuters has developed an extended practice that takes into account limited security resources, and aims to have two “streams”: replication of security consulting resources, and the development of so-called “security evangelists” – people who understand the need for security.

In his presentation, Stuart King, security consultant at Reed Elsevier, highlighted the most common vulnerabilities in corporate IT infrastructure: buffer overflow, web servers, database servers, cookie poisoning, parameter tampering, SQL injection and cross-site scripting.

http://www.microscope.co.uk/articles/article.asp?liArticleID=129648&liArticleTypeID=20&liCategoryID=2&liChannelID=22&liFlavourID=2&sSearch=&nPage=1