MS to force IT-security censorship
MS to force IT-security censorship. The Register Nov 2 2001 12:34AM ET [Computer security news]
software development, security, opinion
Archive for the ‘security’ Category.
Microsoft released a new version of HFNetChk today.
A couple of errors were fixed with the utility itself, and the readme.txt file was updated to include instructions on using HFNetChk if you cannot or do not want to update to at least MS Internet Explorer 5.0 (these instructions might have been there before, but I don’t recall seeing them).
If you are not familiar with HFNetChk, it is an excellent tool for determining whether your WinNT or Win2k systems (workstations and servers) have the recommended hotfixes installed. You run it from a Command Prompt and HFNetChk downloads the current patch list from Microsoft then checks to see if the system is up-to-date. (The patch list, in XML format, is saved to the default directory, so you can also test systems that aren’t on the network.) Not only is the operating system itself checked, but HFNetChk also knows how to check Exchange, SQL and IIS. You can check systems across the network and can specify multiple systems to be checked with one command. The output can be redirected to file for detailed review and historic documentation purposes.
Using HFNetChk alone won’t completely secure your system, but it does make the process of checking for missing patches more manageable.
See http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31154 and the links therein for more info.
— Mark Medici mark@dbma.com
Brad Templeton:
Sample of Larry Ellison’s new National ID Card
“If you’re innocent, you have nothing to hide.”
WLAN VPN Support for Handhelds Ships. allNetDevices Oct 17 2001 3:58AM ET [Computer security news]
Major vendors tighten WLAN security
Oct 17, 2001 CNET
As part of the 802.1x standard, which has been approved but not implemented within 802.11b, the Windows XP client natively supports Extensible Authentication Protocol (EAP), which provides dynamic, session-specific wireless encryption keys, central user administration via specialized third-party Remote Authentication Dial-In User Service (RADIUS) servers, and mutual authentication between client and Access Point (AP) and AP to RADIUS server.
Windows XP is also compatible with EAP-Transport Level Security (EAP-TLS), which uses digital certificates for authentication. Windows XP’s integration of these features will significantly ease deployment of EAP solutions because separate client utilities will no longer be necessary. These capabilities will reduce the risk involved in using 802.11b within a corporate network.
Safeweb is a Fed Front. An enterprising Cryptome reader has discovered that the vaunted web privacy provider (already known to have CIA funding) Safeweb utilizes a Department of Defense server(s?) (anongo.com) as a proxy for user requests. [kuro5hin.org]
New York Times:
Attacks Expose Telephone’s Soft Underbelly
[via Slashdot]
Robert Fleck, Cigital: Wireless insecurity + ARP Poisoning (pdf) (FAQ)
Observations:
Related article:
DowJones: Security Experts Are on Alert Over Wireless-Hacking Technique. Quicken.com Oct 15 2001 6:32AM ET
“Mr. Fleck of Cigital combined those wireless vulnerabilities with an attack that has been identified and addressed in most wired networks. Known as ARP poisoning, from the acronym for address resolution protocol, the attack manipulates software in the circuit boards that connect computers to corporate networks. That software contains addresses of other connected machines; a skilled hacker can fool the software to make it seem like his machine has an authorized address to receive data packets on the network. An attacker who understood both techniques, Mr. Fleck said, could use a laptop with a wireless connection to enter a company’s wireless network, and then effectively tell machines on the wired portion of the network to pass all data packets through his laptop.
“The most obvious solution to the problem is to segregate the gateway device that acts as the front door for machines making wireless connections to a network. That can be done using routing devices or filtering programs known as firewalls.”
[via Moreover Computer security news]
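An added example, not taken from the article or from Mr. Fleck's paper: a Python check a defender could run over observed ARP replies to spot the address takeover described above, where one machine starts answering for addresses that belong to others. The sample replies, the addresses and the `flap_window` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (timestamp in seconds, sender IP, sender MAC) from ARP
# replies seen on the wired segment. All addresses are made up for illustration.
SAMPLE_ARP_REPLIES = [
    (100, "10.0.0.1", "00:11:22:33:44:01"),   # gateway
    (101, "10.0.0.20", "00:11:22:33:44:20"),  # file server
    (102, "10.0.0.35", "00:aa:bb:cc:dd:35"),  # wireless laptop
    (160, "10.0.0.1", "00:aa:bb:cc:dd:35"),   # laptop MAC now claims gateway IP
    (161, "10.0.0.20", "00:aa:bb:cc:dd:35"),  # ... and the file server IP
    (220, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers again
]


def find_arp_anomalies(replies, flap_window=120):
    """Flag IP->MAC rebinding and a single MAC answering for several IPs.

    flap_window (assumed value) is the number of seconds within which a
    change of MAC for the same IP is treated as suspicious rather than as
    ordinary hardware replacement or DHCP reassignment.
    """
    last_seen = {}                 # ip -> (mac, timestamp of last reply)
    ips_by_mac = defaultdict(set)  # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        if ip in last_seen:
            old_mac, old_ts = last_seen[ip]
            if old_mac != mac and ts - old_ts <= flap_window:
                alerts.append(("rebind", ts, ip, old_mac, mac))
        last_seen[ip] = (mac, ts)
        ips_by_mac[mac].add(ip)
        # Alert once, when a second IP appears. Multi-homed hosts and
        # proxy-ARP routers do this legitimately and need an allowlist.
        if len(ips_by_mac[mac]) == 2:
            alerts.append(("multi-ip", ts, mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

Fed from a monitor placed on the wired side of the wireless gateway, the same check shows whether the segregation the article recommends is actually keeping spoofed replies out of the wired segment.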
USA ACT (PDF):
SEC. 217. INTERCEPTION OF COMPUTER TRESPASSER COMMUNICATIONS.
Chapter 119 of title 18, United States Code, is amended
(1) in section 2510
(A) in paragraph (17), by striking “and” at the end;
(B) in paragraph (18), by striking the period and inserting a semicolon; and
(C) by inserting after paragraph (18) the following:
“(19) ‘protected computer’ has the meaning set forth in section 1030; and
“(20) ‘computer trespasser’
“(A) means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer; and
“(B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.”; and
(2) in section 2511(2), by inserting at the end the following:
“(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept the wire or electronic communications of a computer trespasser, if
“(i) the owner or operator of the protected computer authorizes the interception of the computer trespasser’s communications on the protected computer;
“(ii) the person acting under color of law is lawfully engaged in an investigation;
“(iii) the person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser’s communications will be relevant to the investigation; and
“(iv) such interception does not acquire communications other than those transmitted to or from the computer trespasser.”.
TechRepublic:
Groups vie for superiority in security standards competition
Oct 8, 2001
Judith N. Mottl