
Data protect and survive

Abstracts of Recent Articles and Literature

hackers made use of an outdated administrator’s account and a dial-up server to access other servers that had weak or no passwords. Had the account been disabled, it is unlikely that the attack would have succeeded. The attack is being investigated, but apparently the hacker installed vulnerability detection software to probe for further security holes. LQ~lilork :%~ra, 28 October, 1998, p. 4.

Microsoft backs feds’ encryption standard, Laura DiDio. Microsoft has announced that Windows NT will support the US government-mandated cryptographic standards FIPS 140-1 and Fortezza by the end of the year. NIST released FIPS 140-1 in June 1997, and the US government mandated that after that time all agencies and companies doing business with them should acquire only encryption products that supported FIPS 140-1 and Fortezza-compliant standards. According to Karan Khanna, Microsoft’s Windows NT security product manager, the company will bundle support for FIPS 140-1 and the Fortezza specification (part of the NSA’s Multilevel Information Systems Security Initiative) at no cost in Windows NT. However, as fifteen months have already passed since compliance with FIPS 140-1 was mandated, Microsoft has lost out on contracts to its rivals because NT, Internet Explorer and Internet Information Server have not supported FIPS 140-1. An added incentive for Microsoft to become compliant is that ANSI is considering basing new cryptographic standards for financial institutions on FIPS 140-1. Computerworld, September 7, 1998, p. 17.

Firewalls stand the heat, Gary Anthes. Computerworld and Federal Computer Week carried out an attack test against the products of four leading firewall vendors. The products tested were the Axent Raptor Firewall 5.0, SCC’s Firewall for NT Version 3.1, NetGuard’s Guardian and Compaq’s AltaVista Firewall ’98. Attacks were carried out by three teams, from Deloitte & Touche, Ernst & Young and Security Design International. Although the products performed much as advertised, protecting internal systems from penetration, all the attack teams gleaned useful information about the systems behind the firewalls, and there were problems with the performance of the firewalls as a result of inherent flaws, flaws in the operating system or suboptimum configuration by the user. One of the firewalls, although not penetrated, was knocked out by a denial-of-service attack using the freeware attack tool Targa, and a second machine only withstood Targa because it had the very latest NT security patches applied. “If you’re going to use technology that forces all network traffic through a choke point - and for good reason - you’d better make sure it stays up in the face of adversity,” commented Bob Stratton, Security Design International’s vice president of technology. The teams also learnt more about the systems behind the firewalls than should be allowed in the interest of security. One team was able to learn the identities of the LAN server and the services running off it, the address of the internal network, and the status of various NT ports. “You gather bits and pieces of information that by themselves seem innocuous, and all of a sudden you can build a picture of what this thing looks like. The more information you have, the higher the likelihood that eventually you’ll be successful,” commented Fred Rica, a partner with Deloitte & Touche. A firewall may even confer a false sense of security by causing users to overlook flaws in the underlying operating system, particularly Windows NT, said Stratton. The denial-of-service attack succeeded because of a flaw in NT that could have been fixed if the user had applied the latest patches. “Just because you have a corporate policy for NT on the desktop doesn’t mean you should have it on your firewall,” said Stratton. Computerworld, September 7, 1998, pp. 62-64.

Computers & Security, Vol. 17, No. 8

Data protect and survive, Nick Farrell. UK companies risk prosecution if they do not review their intranet and IT security in the face of the new Data Protection Act that comes into force next year. Under the new act, the UK government’s security standard BS7799 is a minimum standard, which requires the establishment of a security policy, the appointment of a security manager and the detailing of approaches to every type of security breach, prior to the installation of security software. Despite this, a Department of Trade and Industry survey conducted in 1997 indicated that only 15% of companies were using BS7799 and 75% of companies had never heard of it. One significant change in the legislation from the 1984 Act is the ban on the export of data to countries that do not have data protection rules, and this could include E-mail routed through these countries, even by accident. Neil Barrett, security expert at Bull Information Systems, commented, “Companies are going to have to make sure that every item of data on their intranet does not end up on a foreign server. Or they need to take steps to protect the data being used in that country in a way that would breach the act.” This could cause problems for users of US-based ISPs which process all their E-mail through a central US sorting office before returning it to the UK. Barrett commented that IT managers are “woefully ignorant” of the amount of work the new law will generate. Computing, September 10, 1998, p. 22.

Rich pickings for hackers, Lisa Kelly. Information security consultancy Diligence has stated that around 90% of Web sites can be penetrated and shut down within ten minutes. This vulnerability puts corporate reputations and assets at stake. Harry Kam, Diligence’s director of communications, stated that, “It is usually only a matter of hours before the hacker can gain access to the entire IT system.” According to Rob Hailstone, research director at Bloor Research, organizations should report hacking attacks in order to act as a deterrent to other hackers, yet more often than not attacks are not publicized as companies regard them as embarrassing. One unnamed research company had its system violated via the Web with the result that every PC on the network had its hard disk wiped. Computing, October 8, 1998, p. 4.

Symantec buys anti-virus line, Andy Santoni. Symantec has purchased Intel’s anti-virus business and has licensed Intel system-management technology. Symantec will use the technology to assist in building its Digital Immune System (DIS) in conjunction with IBM. DIS combines Symantec’s products with neural network technology from IBM, designed to create an automated environment that keeps systems running. Norton AntiVirus engine technology will be integrated into a product that Intel already has under development, which will in turn be integrated with Intel LANDesk Management Suite and launched as a new Norton AntiVirus product. The product will include management functionality such as distribution, configuration, lockdown, remote operations, and event management and logging. Intel will honor all existing support and maintenance agreements for the current versions of LANDesk Virus Protect, and with Symantec will continue to sell Version 5.0 until the new product is available. InfoWorld, October 5, 1998, p. 41.

Network security under attack? Buy insurance, Bob Wallace. Insurance companies are starting to team up with IT vendors to offer coverage for network security problems, provided that organizations take adequate security measures to make themselves insurable. “It is definitely a new area for insurance companies, one that helps them diversify and offer new products and services to corporations,” commented John Santucci, director of IT insurance practice at KPMG Peat Marwick LLP. “It’s important for them to partner with technology companies to understand the risks and the lay of the land for the industry they’re entering.” Cigna has teamed up with NetSolve and Cisco Systems to offer insurance which covers companies for computer crime that involves theft of money, securities and property, damage by hackers to a company’s data or software, and business losses stemming from attacks on a company’s computer system. It does not, however, cover bugs in software or damage done by viruses. In another move, Sedgewick has teamed with IBM and offers security insurance and coverage for hacker damage to Web sites. Computerworld, October 5, 1998, p. 4.

Low flying hackers pose growing threat. System administrators are slowly becoming aware of a type of hacking that has been taking place which is slipping under the radar of traditional firewalls. Low-bandwidth hacking involves a number of hackers working together from varying locations, intermittently sending sets of IP packets against a network to test for vulnerabilities. As these packets come from different hosts at varying intervals, they are not detected by the majority of intrusion-detection applications currently on the market. Although low-bandwidth hacking may have been going on for some time, it only came out into the light recently when it was documented by the Shadow project of the US Department of the Navy’s Surface Warfare Center. “We’re still not sure. Our logs seemed to indicate that someone had been poking at

717
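The low-bandwidth probing described in the last abstract defeats an intrusion-detection rule that counts events per source over a short window, because each participating host touches only a few ports, hours apart. The following is an added example, written for this page and not taken from the article or from the Shadow project, showing why such a rule stays silent and how aggregating denied connection attempts per target across all sources over a long window exposes the same activity. The log format, the field names, the thresholds and the log lines themselves are constructed for the example (addresses are from the reserved documentation ranges); it assumes a firewall log with one denied or allowed connection per line.

```python
"""Detect distributed, slow port probing that per-source rate rules miss."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): three cooperating sources probe
# one target at hours-long intervals; two lines are ordinary allowed traffic.
SAMPLE_LOG = """\
2024-05-01T00:03:11 src=198.51.100.7 dst=192.0.2.10 dport=21 action=deny
2024-05-01T01:47:02 src=203.0.113.44 dst=192.0.2.10 dport=23 action=deny
2024-05-01T03:12:58 src=198.51.100.91 dst=192.0.2.10 dport=25 action=deny
2024-05-01T05:30:40 src=203.0.113.12 dst=192.0.2.10 dport=80 action=allow
2024-05-01T08:05:19 src=198.51.100.7 dst=192.0.2.10 dport=110 action=deny
2024-05-01T10:59:33 src=203.0.113.44 dst=192.0.2.10 dport=135 action=deny
2024-05-01T12:00:00 src=192.0.2.55 dst=192.0.2.10 dport=443 action=allow
2024-05-01T13:21:07 src=198.51.100.91 dst=192.0.2.10 dport=139 action=deny
2024-05-01T16:44:50 src=203.0.113.12 dst=192.0.2.10 dport=443 action=allow
2024-05-01T19:02:14 src=198.51.100.7 dst=192.0.2.10 dport=1433 action=deny
2024-05-01T22:38:41 src=203.0.113.44 dst=192.0.2.10 dport=3389 action=deny
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into event dicts (constructed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts_str),
            "src": kv["src"],
            "dst": kv["dst"],
            "dport": int(kv["dport"]),
            "action": kv["action"],
        })
    return events


def _windowed(evs, start, window_s):
    """Yield events from a time-sorted list that fall within window_s of start."""
    for e in evs:
        if (e["ts"] - start["ts"]).total_seconds() > window_s:
            break
        yield e


def detect_per_source_burst(events, window_s=60, min_ports=5):
    """Classic rule: one source hitting many distinct ports within a short window.

    Returns {src: [ports]} for sources that exceed the threshold.
    """
    flagged = {}
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ports = {e["dport"] for e in _windowed(evs[i:], start, window_s)}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


def detect_distributed_slow_scan(events, window_s=24 * 3600, min_ports=8, min_sources=2):
    """Aggregate denied attempts per TARGET across all sources over a long window.

    Flags a target when many distinct ports were probed by several distinct
    sources, regardless of how slowly each individual source worked.
    Returns {dst: {"ports": [...], "sources": [...]}}.
    """
    flagged = {}
    by_dst = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            by_dst[e["dst"]].append(e)
    for dst, evs in by_dst.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = list(_windowed(evs[i:], start, window_s))
            ports = {e["dport"] for e in in_window}
            sources = {e["src"] for e in in_window}
            if len(ports) >= min_ports and len(sources) >= min_sources:
                flagged[dst] = {"ports": sorted(ports), "sources": sorted(sources)}
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source burst rule:", detect_per_source_burst(evs))      # {}
    print("per-target aggregate: ", detect_distributed_slow_scan(evs))  # flags 192.0.2.10
```

The per-source rule returns nothing on this log: no single address touches five ports inside a minute. The per-target aggregate reports eight distinct denied ports on 192.0.2.10 from three sources within a day, which is the pattern the abstract says slips past products that only look at each source in isolation. In production the window and thresholds would be tuned against the site's baseline of stray denied traffic, and the allowed-connection lines are deliberately excluded so that normal service use does not inflate the count.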