-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Thursday, April 17, 2003 7:49 AM
To: Information Technology
Subject: [Information_technology] Daily News 04/17/03

April 16, Microsoft
Microsoft Security Bulletin MS03-013: Buffer Overrun in Windows Kernel Message Handling Could Lead to Elevated Privileges.
The Windows kernel is the core of the operating system. It provides system-level services such as device and memory management, allocates processor time to processes and manages error handling. There is a flaw in the way the kernel passes error messages to a debugger. A vulnerability results because an attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system, including deleting data, adding accounts with administrative access, or reconfiguring the system. For an attack to be successful, an attacker would need to be able to log on interactively to the system, either at the console or through a terminal session. Also, a successful attack would require the introduction of code in order to exploit this vulnerability. Because best practices recommend restricting the ability to log on interactively on servers, this issue most directly affects client systems and terminal servers. Microsoft has assigned a risk rating of "Important" to this vulnerability. A patch is available at the Microsoft website.
Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-013.asp

April 15, CNET News.com
Alliance takes security call to boardroom.
TechNet, a lobbying group of more than 150 information technology companies, said Tuesday that it would work with the Internet Security Alliance and the four large accounting firms to create guidelines and best practices that they say executives need in order to secure their companies. The accounting firms are KPMG, PricewaterhouseCoopers, Deloitte & Touche and Ernst & Young. The starting point will be a top-10 list of security steps for executives that the Internet Security Alliance has already created. "We wanted to aim at the top because we believe that at the top, with boardroom involvement and (policy) trickling down, we can get the best results," said John Shaughnessy of the Internet Security Alliance. President George W. Bush in February 2003 said the United States government would not regulate technology companies, but rather would promote cooperation between the industry and the government to secure infrastructure. The groups plan to release the guidelines and then to set a date by which their members should comply with the security steps.
Source: http://news.com.com/2100-1009-996997.html

April 15, AtNewYork.com
"Internet Insecurity Index" unveiled at conference.
Online encryption firm RSA Monday launched its "Internet Insecurity Index" -- a simple one-to-ten scale that measures how secure electronic data is each year. Given the number of attacks, Jim Bidzos of RSA currently ranks 2003 at about a 6 and a half. Bidzos pointed to more than 62,000 hacking incidents last year as a rallying cry for better safeguards. In addition to commonplace server strikes, Bidzos said ATM and wireless networks are the new target of hackers. "Part of the price is not having security designed in the first place," Bidzos said. "We found 30 percent of ISPs have no info security plans in place with 33 percent deciding that online security is not a priority." The threat index also identifies last year's $59 billion in data theft as a major impact on how safe the Internet is. The one bright area, according to RSA's index report, was the U.S. government. Bidzos said the creation of the Department of Homeland Security and a national strategy to secure cyberspace marked a turning point in how the government is dealing with online threats. California's move to require companies to publicly disclose security breaches may also have a major impact on how well companies secure their networks and data.
Source: http://www.atnewyork.com/news/article.php/2191131

April 15, Reuters
More talk, little action in war on cyber terrorism.
At a time when war in Iraq has heightened fears of terrorism, the technology industry is not moving quickly enough to guard against intrusions from hackers, identity thieves and more concerted attacks by rogue governments, computer experts said Tuesday at the RSA conference in San Francisco. Howard Schmidt, the White House cyber security adviser who is working with the technology industry to improve security, said that work to date had been strong on new ideas to improve security, but slow to execute. Despite repeated warnings of rogue nations preparing for cyber-attacks that could cripple vital computer-run U.S. infrastructure, no such attacks are known to have occurred to date. If computer systems have so far been spared a massive terrorist attack, smaller security breaches from hackers and pranksters with no political agenda occur on a daily basis. The Computer Emergency Response Team (CERT) tracked some 52,658 online security "incidents" in 2001, more than double the 21,756 reported in 2000, and way up from 9,859 in 1999. Members of the high-tech advocacy group TechNet said that while the threat of a politically motivated cyber terrorist attack may have been overstated, random pranksters had the ability to do much damage.
Source: http://www.reuters.com/newsArticle.jhtml?type=technologyNews

April 14, eWEEK
Feds mull IT disclosure.
Momentum is building in Washington to require all public companies to annually report the performance of their IT security initiatives, not just the financial services and health care industries that face scrutiny now. The Bush administration considered requiring companies to report on network security during the crafting of the National Strategy to Secure Cyberspace. But the idea was unpopular in many enterprises and did not make the final plan, released in February. Last week, former presidential adviser for cyberspace Richard Clarke, who spearheaded the strategy, urged Congress to act quickly to legislate such obligations. Enterprises object to the suggestion of broad reporting requirements, but some see a certified audit process reflected in annual Securities and Exchange Commission filings as beneficial. Possible requirements include disclosing measures taken to secure systems, identifying IT security auditors and detailing breaches.
Source: http://www.eweek.com/article2/0,3959,1022906,00.asp

Virus: #1 Virus in USA: WORM_LOVGATE.F
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]

Top 10 Target Ports: 137 (netbios-ns), 80 (www), 1434 (ms-sql-m), 113 (ident), 25 (smtp), 445 (microsoft-ds), 139 (netbios-ssn), 3136 (---), 7088 (---), 4662 (eDonkey2000)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

_______________________________________________
Information_technology mailing list
Information_technology@listserv
This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 10:41:31 PDT