- Email: [email protected]
Outsiders break into Fortune 1000 companies
Network Security
May 7998
The product makes it possible to provide Web-based access to individualized database information once authenticated with SecurlD tokens - a good solution for delivering customized information to business partners or customers over the Internet. It also provides a new capability to segment Web page access based on group membership to protect information on a Web server easily, and then grant access to different pieces of information for different groups of users based solely on SecurlD authentication. The secure logon functionality in the ACE/Agent for Windows NT, allows customers to safely secure shared desktops or enforce a security policy where all access to corporate resources must be secured. The product assumes control of the logon sequence from Windows NT to allow SecurlD authentication of an end user attempting to direct access to an NT workstation. This authentication during the local logon process ensures only authorized users have access to a given server or workstation within a company’s Windows NT environment. The product allows administrators to replace the weak password protection on Windows NT systems with strong, two-factor SecurlD protection. For further information, contact Amanda Sills, Security Dynamics Inc. on: +44 1 I8 936 2600; http://www.securitydynamics. corn.
Cryptographic solution fo&c6mtierce security Zergo is making claims that it is set to challenge the domination of
0 1998 Elsevier Science
Ltd
US companies in the rapidly expanding market for secure Internet-based electronic commerce and enterprise security systems. The company intends to make its challenge with the ‘Zergo Secure Suite’. Developed in Europe and Australia, and based on PKI, these products use strong encryption to enable safe electronic business activity. The Zergo Secure Suite, claims offers a the company, comprehensive, standardscompliant, cryptographic solution, from the desktop to the mainframe, addressing both business enterprise and businessto-business E-commerce needs. The product suite uses strong encryption and digital signature technology together with highspeed processors and a range of security modules, with fully integrated PKI. For further information, contact Duncan Reid, Zergo Ltd on: +44 1442 243 600; E-mail: marketing @zergo.com.
Outsiders break into Fortune 1000 companies Barbara Gengler WarRoom Research LLC found that the vast majority of Fortune have 1000 companies experienced a successful breakin by an outsider in the past year. More than half of those companies have experienced system penetrations which exceed 30 in the past 12 months. This compares with 16% who reported between 15 and 30
outside intrusions in WarRoom’s survey published in 1996. In defiance of recent security product and technology developments, computer networks are more vulnerable to outside attacks, not less. Yet according to the new WarRoom study, only about 12% of the companies that detect system break-ins actually report the crime. “The conventional wisdom that says the internal threat is turning out to be conventional naivety”, said Mark Gembicki, executive vice president of WarRoom Research. “The audit trails for internal intrusions are much better and the perpetrators are easier to find, so the numbers are skewed that way. But a lot of external intrusions are never found and those that are, usually go unreported.” IT managers say they are worried about hackers and computer criminals, but they sometimes feel at a loss to stop them. In a study to be published in April, WarRoom Research found that nearly 60% said that they lost $200 000 or more as a result of each intrusion. Several corporations said that they lost $10 million or more in a single break-in. In the company’s survey from 1996, 22% reported the actual cost to its organization of each successful intrusion by an insider was between $50 001 and $200 000. Of the respondents, 19% said that the cost of intrusion by an outsider ranged from $200 001 to $500 000. Fifteen percent reported the cost to be in the $500 000 to $1 million range. When asked if the organization has been the target of information espionage, the new
5
Network Security
study reported 69% said “yes” as opposed to 53% who said “yes” in the 1996 survey. Of the “yes” respondents in the above question, 86% said “no” they did not report these incidents to law enforcement, This compares with 83% who did not report similar break-ins in 1996. During the life of this project, WarRoom Research conducted interviews and surveys from 320 Fortune 1000 organizations. The full report will be released in three phases the first of which was in April 1998. In a separate study published in March by the Computer Security Institute and the FBI, 520 US companies reported a total loss of $136 million from computer crime and security breaches in 1997. This was an increase of 36% from the year before.
Ascend router security concerns Thomas Ziuo A warning that hackers could penetrate equipment from Ascend Communications’ sent the company into a flurry of activity. The flaws in Ascend’s MAX and Pipeline products were discovered by consultancy Secure Networks Inc. (SNI) of Calgary, Alberta, Canada which issued a security advisory warning that the widely used Ascend equipment was vulnerable to attacks from hackers. According to SNI one problem discovered would enable a hacker to send a ‘denial-ofservice’ code to Ascend Pipeline or MAX equipment and cause
6
May 7998
the remote access and routing hardware to fail. A hacker could easily send a specialized packet, which basically would cause Ascend’s equipment to lock up and crash. The second vulnerability concern was a hole in Ascend’s implementation of a Simple Network Management Protocol allowing a would-be hacker the opportunity to gain access to the configuration information such as passwords and remote dial-in numbers. The more significant problem of the two would allow a hacker the capability to download and view the full router configuration and use it as a type of ‘sniffer’, achieving access to the privileged information. A detailed security advisory from SNI is available at: http://www.secnet.com/sniadvisories/sni-26,ascendrouter. advisory.html “It’s one of the worst router vulnerabilities I’ve ever seen”, said Alfred Huger, a project manager at SNI. Ascend equipment using variants of version 5.0 of the company’s operating system are those at risk. In response Ascend Communications it said believed that ‘all routers are inherently vulnerable when default configurations are left in place and when enhanced security features are not implemented”. Ascend added that these security concerns could be dealt with by using a common sense network management approach such as changing the basic password configuration and by implementing a static filter on their products. The fix provided by
Ascend prevents the hacked packet from resetting the MAX or Pipeline. The fix is a local packet filter that needs to be implemented for every active interface that is not otherwise protected against UDP port 9 access externally. All of the connection profiles should have this filter implemented. Ascend has also made detailed instructions available via their Web site at http://www.ascend. com/securityreport. Ascend also offers numerous specialized filter configurations, as well as its Secure Access Firewall. The company also plans to update the filter fix with a software fix that will be available shortly, with the same level of security as the packet filter and will restore normal functionality to the Java-Based Ascend Configurator, MAXDial, and MAXLink Pro. Despite the concerns of the discovered vulnerabilities, Huger said that the problem for most users was easy to find and could be fixed relatively quickly. ‘It’s pretty painless stuff”, he said.
Key Escrow flawed Wayne Madsen According to a recently released US Department of Commerce memorandum from William A. Reinsch, the Undersecretary of Commerce for Export Administration, key escrow products have such a significant flaw police forces in the United States and abroad are reluctant to use escrowed encryption products. The
0 1998 Elsevier Science Ltd
May 7998
The product makes it possible to provide Web-based access to individualized database information once authenticated with SecurlD tokens - a good solution for delivering customized information to business partners or customers over the Internet. It also provides a new capability to segment Web page access based on group membership to protect information on a Web server easily, and then grant access to different pieces of information for different groups of users based solely on SecurlD authentication. The secure logon functionality in the ACE/Agent for Windows NT, allows customers to safely secure shared desktops or enforce a security policy where all access to corporate resources must be secured. The product assumes control of the logon sequence from Windows NT to allow SecurlD authentication of an end user attempting to direct access to an NT workstation. This authentication during the local logon process ensures only authorized users have access to a given server or workstation within a company’s Windows NT environment. The product allows administrators to replace the weak password protection on Windows NT systems with strong, two-factor SecurlD protection. For further information, contact Amanda Sills, Security Dynamics Inc. on: +44 1 I8 936 2600; http://www.securitydynamics. corn.
Cryptographic solution fo&c6mtierce security Zergo is making claims that it is set to challenge the domination of
0 1998 Elsevier Science
Ltd
US companies in the rapidly expanding market for secure Internet-based electronic commerce and enterprise security systems. The company intends to make its challenge with the ‘Zergo Secure Suite’. Developed in Europe and Australia, and based on PKI, these products use strong encryption to enable safe electronic business activity. The Zergo Secure Suite, claims offers a the company, comprehensive, standardscompliant, cryptographic solution, from the desktop to the mainframe, addressing both business enterprise and businessto-business E-commerce needs. The product suite uses strong encryption and digital signature technology together with highspeed processors and a range of security modules, with fully integrated PKI. For further information, contact Duncan Reid, Zergo Ltd on: +44 1442 243 600; E-mail: marketing @zergo.com.
Outsiders break into Fortune 1000 companies Barbara Gengler WarRoom Research LLC found that the vast majority of Fortune have 1000 companies experienced a successful breakin by an outsider in the past year. More than half of those companies have experienced system penetrations which exceed 30 in the past 12 months. This compares with 16% who reported between 15 and 30
outside intrusions in WarRoom’s survey published in 1996. In defiance of recent security product and technology developments, computer networks are more vulnerable to outside attacks, not less. Yet according to the new WarRoom study, only about 12% of the companies that detect system break-ins actually report the crime. “The conventional wisdom that says the internal threat is turning out to be conventional naivety”, said Mark Gembicki, executive vice president of WarRoom Research. “The audit trails for internal intrusions are much better and the perpetrators are easier to find, so the numbers are skewed that way. But a lot of external intrusions are never found and those that are, usually go unreported.” IT managers say they are worried about hackers and computer criminals, but they sometimes feel at a loss to stop them. In a study to be published in April, WarRoom Research found that nearly 60% said that they lost $200 000 or more as a result of each intrusion. Several corporations said that they lost $10 million or more in a single break-in. In the company’s survey from 1996, 22% reported the actual cost to its organization of each successful intrusion by an insider was between $50 001 and $200 000. Of the respondents, 19% said that the cost of intrusion by an outsider ranged from $200 001 to $500 000. Fifteen percent reported the cost to be in the $500 000 to $1 million range. When asked if the organization has been the target of information espionage, the new
5
Network Security
study reported 69% said “yes” as opposed to 53% who said “yes” in the 1996 survey. Of the “yes” respondents in the above question, 86% said “no” they did not report these incidents to law enforcement, This compares with 83% who did not report similar break-ins in 1996. During the life of this project, WarRoom Research conducted interviews and surveys from 320 Fortune 1000 organizations. The full report will be released in three phases the first of which was in April 1998. In a separate study published in March by the Computer Security Institute and the FBI, 520 US companies reported a total loss of $136 million from computer crime and security breaches in 1997. This was an increase of 36% from the year before.
Ascend router security concerns Thomas Ziuo A warning that hackers could penetrate equipment from Ascend Communications’ sent the company into a flurry of activity. The flaws in Ascend’s MAX and Pipeline products were discovered by consultancy Secure Networks Inc. (SNI) of Calgary, Alberta, Canada which issued a security advisory warning that the widely used Ascend equipment was vulnerable to attacks from hackers. According to SNI one problem discovered would enable a hacker to send a ‘denial-ofservice’ code to Ascend Pipeline or MAX equipment and cause
6
May 7998
the remote access and routing hardware to fail. A hacker could easily send a specialized packet, which basically would cause Ascend’s equipment to lock up and crash. The second vulnerability concern was a hole in Ascend’s implementation of a Simple Network Management Protocol allowing a would-be hacker the opportunity to gain access to the configuration information such as passwords and remote dial-in numbers. The more significant problem of the two would allow a hacker the capability to download and view the full router configuration and use it as a type of ‘sniffer’, achieving access to the privileged information. A detailed security advisory from SNI is available at: http://www.secnet.com/sniadvisories/sni-26,ascendrouter. advisory.html “It’s one of the worst router vulnerabilities I’ve ever seen”, said Alfred Huger, a project manager at SNI. Ascend equipment using variants of version 5.0 of the company’s operating system are those at risk. In response Ascend Communications it said believed that ‘all routers are inherently vulnerable when default configurations are left in place and when enhanced security features are not implemented”. Ascend added that these security concerns could be dealt with by using a common sense network management approach such as changing the basic password configuration and by implementing a static filter on their products. The fix provided by
Ascend prevents the hacked packet from resetting the MAX or Pipeline. The fix is a local packet filter that needs to be implemented for every active interface that is not otherwise protected against UDP port 9 access externally. All of the connection profiles should have this filter implemented. Ascend has also made detailed instructions available via their Web site at http://www.ascend. com/securityreport. Ascend also offers numerous specialized filter configurations, as well as its Secure Access Firewall. The company also plans to update the filter fix with a software fix that will be available shortly, with the same level of security as the packet filter and will restore normal functionality to the Java-Based Ascend Configurator, MAXDial, and MAXLink Pro. Despite the concerns of the discovered vulnerabilities, Huger said that the problem for most users was easy to find and could be fixed relatively quickly. ‘It’s pretty painless stuff”, he said.
Key Escrow flawed Wayne Madsen According to a recently released US Department of Commerce memorandum from William A. Reinsch, the Undersecretary of Commerce for Export Administration, key escrow products have such a significant flaw police forces in the United States and abroad are reluctant to use escrowed encryption products. The
0 1998 Elsevier Science Ltd