Hewlett Packard — rage after Tru64 disclosure


printlayout.qxd 8/13/02 10:26 AM Page 3

news

the deployment of such technologies. This is just another effort to tackle the issue of Internet piracy; pressure is mounting as different groups with different interests battle to control the Internet. Organizations such as the Motion Picture Association of America feel the need to deploy technology to actively stop piracy. The Motion Picture Association of America is in discussions with computer executives from companies such as IBM, HP and Microsoft to gain their support in implementing technological measures to control file sharing.

Coincidentally, in this time of controversy regarding piracy, the website of the Recording Industry Association of America Inc. (RIAA) experienced a denial-of-service attack that knocked the website down for intervals over a period of three days towards the end of July. The denial-of-service attack began a day after Berman introduced the new bill in Congress. An RIAA spokesperson has commented that the RIAA is not aware of any connection between the DoS attack and the newly proposed bill.

government news

US Homeland Security Bill

The US Homeland Security Bill is being accelerated at a frenzied rate to defend the US against terrorism. With the anniversary of 11 September beckoning, it is important to show that benchmarks have been implemented to defend the US. So great are the panic and the president's urging to pass the US Homeland Security Bill that Robert Byrd, the Appropriations Committee Chairman, said, “I urge everyone involved in this thing to slow down.”

When President Bush originally announced plans to obtain congressional approval for a new Department of Homeland Security, he declared it “the most extensive” reorganization of the federal bureaucracy since the late 1940s. These changes will have a huge influence on US cybersecurity efforts. The president has proposed integrating 22 agencies and offices into the Department of Homeland Security (DHS). Some of the many existing agencies involved in computer and network security are slated to move to the new DHS, while others will remain in their current positions. Those slated to move across include the National Infrastructure Protection Center (NIPC), the Federal Computer Incident Response Center (FEDCIRC), the Critical Infrastructure Assurance Office (CIAO), the National Communications System (NCS) National Coordinating Center and the Department of Treasury.

There is also widespread debate regarding whether the National Institute of Standards and Technology (NIST) will be swallowed up by the new Department of Homeland Security. As this organization is involved in the development of security standards, critics feel that it should not be part of the law enforcement umbrella, because it requires neutrality and detachment to fulfil its role of creating unbiased standards.

Another recent proposal, as part of the new bill, is to grant private companies exemption from the Freedom of Information Act (FOIA) if they share information regarding security breaches and vulnerabilities with the US Government.

vulnerability news

Hewlett Packard — rage after Tru64 disclosure

Hewlett Packard has reacted adversely to a security researcher posting details on BugTraq about a vulnerability in Tru64 UNIX systems. HP threatened to use the Digital Millennium Copyright Act in response to the vulnerability posting, which was released prematurely without a suggested workaround or fix available. After SnoSoft talked to CNET, detailing how they had received a threatening letter from an HP vice president, HP backed down and withdrew the threats. HP declared that the letter to SnoSoft was not “consistent or indicative of HP’s policy”. The vulnerability was a buffer overflow associated with the su utility on Tru64 systems. SnoSoft contacted HP about the vulnerability in advance of the premature announcement. HP has now released a fix.

In Brief

A Trojan Horse has poisoned OpenSSH, which is available as a free download on popular sites. OpenSSH versions 3.2.2p1/3.4p1/3.4 have been infected on the OpenBSD ftp server and could have been spread via the mirroring process to other ftp servers. The code was inserted between 30-31 July and OpenSSH replaced the infected files on 1 Aug.

Sensitive computer data from Japan’s Defence agency may have been leaked, the Japanese Government told Reuters. “We have received a report from Fujitsu that data relating to the computer network they created for the army and air force may have been leaked to outside parties,” said Chief Cabinet Secretary Yasuo Fukuda. A group attempted to blackmail Fujitsu, promising to return copies of network diagrams and other information in return for a ransom sum. It is not clear whether the information has been leaked or not. Fujitsu has reportedly commented that intruders could not penetrate the network as it isn’t connected to the Internet.

An elite US university, Yale, has been hacked by a rival university, Princeton. The associate Dean of Admissions, Stephen Le Menager, is under investigation because computers in Princeton were used to hack into the Yale University admissions website.