Microsoft backs feds' encryption standard

Abstracts of Recent Articles and Literature

hackers made use of an outdated administrator's account and a dial-up server to access other servers that had weak or no passwords. Had the account been disabled then it is unlikely that the attack would have succeeded. The attack is being investigated, but apparently the hacker installed vulnerability detection software to probe for further security holes. LQ~lilork :%~ra, 28 October, 1998, p. 4.

Microsoft backs feds' encryption standard, Laura DiDio. Microsoft has announced that Windows NT will support US government-mandated cryptographic standards, FIPS 140-1 and Fortezza, by the end of the year. NIST released FIPS 140-1 in June 1997, and the US government had mandated that after that time, all agencies and companies doing business with them should acquire only encryption products that supported FIPS 140-1 and FIPS-compliant standards. According to Karan Khanna, Microsoft's Windows NT security product manager, the company will bundle support for FIPS 140-1 and the Fortezza specification (part of the NSA's Multilevel Information Systems Security Initiative) at no cost in Windows NT. However, as fifteen months have already passed since compliance with FIPS 140-1 was mandated, Microsoft has lost out on contracts to its rivals because NT, Internet Explorer and Internet Information Server have not supported FIPS 140-1. An added incentive for Microsoft to become compliant is that ANSI is considering basing new cryptographic standards for financial institutions on FIPS 140-1. Computerworld, September 7, 1998, p. 17.

Firewalls stand the heat, Gary Anthes. Computerworld and Federal Computer Week carried out an attack test against the products of four leading firewall vendors. The products tested were the Axent Raptor Firewall 5.0, SCC's Firewall for NT Version 3.1, NetGuard's Guardian and Compaq's AltaVista Firewall '98. Attacks were carried out by three teams, from Deloitte & Touche, Ernst & Young and Security Design International. Although the products performed much as advertised, protecting internal systems from penetration, all the attack teams gleaned useful information about the systems behind the firewalls, and there were problems with the performance of the firewalls as a result of inherent flaws, flaws in the operating system or suboptimal configuration by the user. One of the firewalls, although not penetrated, was knocked out by a denial-of-service attack using the freeware attack tool Targa, and a second machine only withstood Targa as it had the very latest NT security patches applied. "If you're going to use technology that forces all network traffic through a choke point - and for good reason - you'd better make sure it stays up in the face of adversity," commented Bob Stratton, Security Design International's vice president of technology. The teams also learnt more about the systems behind the firewalls than should be allowed in the interest of security. One team was able to learn the identities of the LAN server and services running off it, the address of the internal network, and the status of various NT ports. "You gather bits and pieces of information that by themselves seem innocuous, and all of a sudden you can build a picture of what this thing looks like. The more information you have, the higher the likelihood that eventually you'll be successful," commented Fred Rica, a partner with Deloitte & Touche. A firewall may even confer a false sense of security by causing users to overlook flaws in the underlying operating system, particularly Windows NT, said Stratton. The denial-of-service attack succeeded because of a flaw in NT that could have been fixed if the user had applied the latest patches. "Just because you have a corporate policy for NT on the desktop doesn't mean you should have it on your firewall," said Stratton. Computerworld, September 7, 1998, pp. 62-64.

Data protect and survive, Nick Farrell. UK companies risk prosecution if they do not review their intranet and IT security in the face of the new Data Protection Act that comes into force next year. Under the new act, the UK government's security standard BS7799 is a minimum standard, which requires the establishment of a security policy, the appointment of a security manager and the detailing of approaches to every type of security breach, prior to the installation of security software. Despite this, a Department of Trade and Industry survey conducted in 1997 indicated that only 15% of companies were using BS7799 and 75% of companies had never heard of it. One significant change in the legislation from the 1984 Act is the ban on the export of data to countries that do not