Re: [ISN] FBI to release computer-security updates

From: InfoSec News (isnat_private)
Date: Wed Oct 02 2002 - 01:32:05 PDT

  • Next message: InfoSec News: "[ISN] DOD keeps wireless on hold"

    Forwarded from: security curmudgeon <jerichoat_private>
    > By Robert Lemos 
    > Staff Writer, CNET
    > September 30, 2002, 5:50 PM PT
    > The FBI and a prestigious computer-security research group are set
    > to announce new initiatives to keep companies up to date on the most
    > threatening software vulnerabilities, CNET has learned.
    > The SANS-FBI efforts will try to improve how companies deal with the
    > multitude of security flaws software companies announce every week.  
    > The focus of the initiatives is on identifying security holes and
    > delivering tools so companies can plug them, a practical approach
    Identifying security holes? SANS has released how many advisories
    identifying bugs and vulnerabilities to date?
    Release tools? Anything like the PR disaster the FBI ran into when
    they released a binary to fix a security hole, but didn't provide
    source code?
    > While Paller wouldn't provide specifics, has learned that
    > in addition to releasing its latest annual list of the Top 20
    > vulnerabilities for Windows and Unix systems, the two groups will,
    > within the next four months, release an expanded list of the most
    > common and dangerous software flaws.
    All of which is readily available to those looking for such
    > The organizations may also release a critical vulnerability analysis
    > (CVA) report on a weekly basis, which would describe newly
    > discovered flaws and how companies have dealt with them. The plans
    > for the weekly report are currently in flux, however, and Paller
    > would not comment on its status.
    Exactly what SecurityFocus and half a dozen other security newsletters
    already do...
    > Although he wouldn't name specific companies, Paller said five
    > security firms will participate by building new features into their
    > systems to scan corporate networks for vulnerabilities on the Top 20
    > list. has learned that Internet Security Systems,
    > Foundstone, Qualys, and TippingPoint are four of the five.
    This is misleading at best. So these security companies will build NEW
    features into their products that detect the Top 20 vulnerabilities..
    Does that mean the ISS scanner and others don't currently check for
    the Top 20? I imagine they do. And how exactly do these scanners plan
    to identify and warn for SANS Top 20 vulnerabilities like G3.1 and
    > Gerhard Eschelbeck, vice president of engineering for security
    > service provider Qualys, said the company would offer a free scan
    > for the SANS-FBI Top 20 vulnerabilities to any network owner. While
    > he didn't comment on whether Qualys would support the expanded list
    > of flaws the organizations plan to release later, Eschelbeck did
    > stress that it wouldn't be hard to do so.
    > "The beauty of the service-based model that we have is that we can
    > distribute signatures with a click of a mouse," Eschelbeck said.
    Ahh yes, just like the anti-virus world and virus signatures! This has
    worked well to combat the 80 gajillian dollars of damage (or however
    much damage was claimed) for the past year or two of worms.
    > To show how effective such tools can be, the SANS Institute and the
    > FBI will point to system administrators at NASA, who used a
    > vulnerability-focused approach to eliminate security problems with
    > their network. Details from that study haven't yet been released.
    > "NASA is the poster child for this," said Paller.
    Oh shit, we're doomed. Anyone care to do a quick search for how many
    NASA servers have been defaced? How many more have been compromised
    and not reported in a public fashion? Has the NASA reputation of being
    a hacker playground really gone away in the last five years?
    > Lists of confusion
    > Not everyone is enamored of the new initiatives, however.
    Go figure!
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 03:52:39 PDT