Forwarded from: security curmudgeon <jerichoat_private> > http://news.com.com/2100-1001-960215.html > > By Robert Lemos > Staff Writer, CNET News.com > September 30, 2002, 5:50 PM PT > > The FBI and a prestigious computer-security research group are set > to announce new initiatives to keep companies up to date on the most > threatening software vulnerabilities, CNET News.com has learned. > The SANS-FBI efforts will try to improve how companies deal with the > multitude of security flaws software companies announce every week. > The focus of the initiatives is on identifying security holes and > delivering tools so companies can plug them, a practical approach Identifying security holes? SANS has released how many advisories identifying bugs and vulnerabilities to date? Release tools? Anything like the PR disaster the FBI ran into when they released a binary to fix a security hole, but didn't provide source code? > While Paller wouldn't provide specifics, News.com has learned that > in addition to releasing its latest annual list of the Top 20 > vulnerabilities for Windows and Unix systems, the two groups will, > within the next four months, release an expanded list of the most > common and dangerous software flaws. All of which is readily available to those looking for such information.. > The organizations may also release a critical vulnerability analysis > (CVA) report on a weekly basis, which would describe newly > discovered flaws and how companies have dealt with them. The plans > for the weekly report are currently in flux, however, and Paller > would not comment on its status. Exactly what SecurityFocus and half a dozen other security newsletters already do... > Although he wouldn't name specific companies, Paller said five > security firms will participate by building new features into their > systems to scan corporate networks for vulnerabilities on the Top 20 > list. News.com has learned that Internet Security Systems, > Foundstone, Qualys, and TippingPoint are four of the five. This is misleading at best. So these security companies will build NEW features into their products that detect the Top 20 vulnerabilities.. Does that mean the ISS scanner and others don't currently check for the Top 20? I imagine they do. And how exactly do these scanners plan to identify and warn for SANS Top 20 vulnerabilities like G3.1 and G6.1? > Gerhard Eschelbeck, vice president of engineering for security > service provider Qualys, said the company would offer a free scan > for the SANS-FBI Top 20 vulnerabilities to any network owner. While > he didn't comment on whether Qualys would support the expanded list > of flaws the organizations plan to release later, Eschelbeck did > stress that it wouldn't be hard to do so. > > "The beauty of the service-based model that we have is that we can > distribute signatures with a click of a mouse," Eschelbeck said. Ahh yes, just like the anti-virus world and virus signatures! This has worked well to combat the 80 gajillian dollars of damage (or however much damage was claimed) for the past year or two of worms. > To show how effective such tools can be, the SANS Institute and the > FBI will point to system administrators at NASA, who used a > vulnerability-focused approach to eliminate security problems with > their network. Details from that study haven't yet been released. > > "NASA is the poster child for this," said Paller. Oh shit, we're doomed. Anyone care to do a quick search for how many NASA servers have been defaced? How many more have been compromised and not reported in a public fashion? Has the NASA reputation of being a hacker playground really gone away in the last five years? > Lists of confusion > > Not everyone is enamored of the new initiatives, however. Go figure! - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 03:52:39 PDT