- Email: [email protected]
RSA challenge
A/etwork Security
February 7998
Windows NT and other key corporate computing systems. The system immediately alerts IT managers of an intrusion and then it will automatically begin implementing a series of preconfigured actions to stop further interference. The product monitors the alarms and the audit trails of distributed systems for ‘footprints’ that signal suspicious or unauthorized activity. For further information, contact Susan Riley, Axent Technologies Ltd on: +44 1372 729655; fax: +44 1372 729650; E-mail: sriley@ axent. co. uk.
Netect’s detection tool Barbara Gengler
latest security the on vulnerabilities, Netect helps ensure that customers are protected on an on-going basis against new security threats.” Netective identifies and resolves security vulnerabilities at both the operating system level and the network level to protect against both internal and external cyber threats. It also monitors key system files for unauthorized changes and by referencing a one million word dictionary, it vulnerable user identifies passwords through a variety of cracking techniques. Once the network vulnerabilities are identified the product automatically provides users with a corrective solution from its extensive library. The database includes an up-todate operating system and networking vulnerabilities, detailed corrective solutions, security recommendations as well as patches.
A start-up company called Netect has a new intrusion detection tool that simulates attacks on the network. It then automatically generates a vulnerability report that can be used by IT managers as well as security experts. Netective is based on a security database architecture and uses push technology to automatically deliver updates to users to protect them from the latest hacking techniques.
An IDC 1997 Computer Crime & Security survey found that organizations experiencing data and network sabotage from external or internal hacking could lose up to a million dollars on a per incident basis. ‘As the availability of hacker tools continues to increase, the volume of corporate data residing on networks has become more vulnerable than ever before”, said Marc Camm, CEO at Netect.
“The company’s entry into the emerging security assessment companies market helps maintain a secure network computing environment”, said Ted Julian, research manager for Internet Security at International Data Corporation (IDC). “By delivering automated updates
“Organizations, whether they employ a security expert or not, need a comprehensive solution to protect against the constant onslaught of internal and external cyber threats.”
0 1998 Elsevier Science Ltd
Using the Internet as a distribution vehicle, Netective. employs push
technology to seamlessly and its update automatically database. The new tool also creates HTML-based reports that can receive live updates of from vulnerabilities data Netective. According to beta users, Netective goes beyond the capabilities provided by shareware tools such as Security Administrator Tool for Analyzing Networks (SATAN) or Tripwire. ‘Netective gives you a picture of what a hacker sees on your network”, said David Chaloner, product manager for Netect tool. ‘It maps ports at the server level to let you know what ports are available to the outside world. Then it attempts to break into each port, looking for security holes,” he said. In addition, the tool attacks operating systems at the root level looking across file configurations to see how directories are set up. Other security reporting and management capabilities are provided in Netective Site, which lets administrators centrally manage an entire site of servers protected by Netective.
RSA challenge Ed Wehde Starting 13 January 1998, security software company RSA Data Security is kicking off a second series of contests to discredit the US Government’s crypt0 policy by exposing the vulnerability of its own software. The company is offering up to $10 000 in prize money. The new contests, dubbed DES Challenge II, come in the wake of last year’s DES Challenge which was intended to show that 56-bit security offers
5
Network Security
little protection against determined hacker.
February 7998
a
The Commerce Department claims that 56-bit encryption offered by the Government’s Data Encryption Standard (DES) is adequate for protecting data. Anything stronger requires built in ‘key recovery’, a system that allows access to the encrypted data by third parties. including law enforcement. The key that was used for the encryption of the original DES Challenge was recovered in six months, thereby demonstrating the point that the system is inadequate, according to RSA. The goal of the next contests is to see how fast it can be done. “Our original DES Challenge showed DES was crackable using an exhaustive search attack,” said Jim Bidzos, president of RSA. “Now the goal is to see how quickly an exhaustive search attack can be accomplished to help judge the true vulnerability of DES.” For the latest contest, RSA will pose a new challenge to the encryption community twice a year, on 13 January and 13 July, at 9 am Pacific Time, on the company’s Web page. The challenge will consist of the cipher text that was produced by DES-encrypting an unknown plaintext message. The key used for the encryption will be generated at random and destroyed within the generating software. The key will not be revealed to anyone, including the contest administrators, according to RSA. The goal of the challenge is to recover the secret key faster than was accomplished in the previous challenge in the series. Prizes will be awarded for the first correct entry. If the time required
6
to solve the challenge is less than or equal to 25% of the previous best time, $10 000 will be awarded. A time of 2550% of the previous time will earn $5000, and a time of 50-75% will earn $1000. No cash will be awarded if the time is greater than 75% of the previous winning time. RSA’s Web site can be accessed at http://www.rsa.com.
He Cisco secure Ed Wehde Cisco Systems and Hewlett Packard have joined forces to combine a firewall, a secure Web server and a network load balancer to form a solution which is designed to increase online business security. Secure Web Transaction Solution (SWTS), as the companies are calling it, combines the Cisco PIX Firewall with the HP VirtualVault Web server to foil Internet-based attacks on private networks and increase security for online commerce. However, at least one consultant thinks the new solution is nothing significant. In the coordinated configuration, a firewall screens out traffic not sanctioned by the company’s security policy. The PIX Firewall then directs all active content Web traffic to the Cisco LocalDirector, an application which monitors and sends the traffic to the most available HP VirtualVault server. This solution, according to the companies, allows customers to conduct critical business processes, such as E-commerce, financial services and supply chain management, securely over the Internet while impeding intruders from gaining access restricted data.
The SWTS solution can be managed from a central HP OpenView console. That console monitors the status of each component and alerts administrators of important events, such as normal, error and critical events, which can then be acted upon automatically or manually. The console can be viewed from a Web browser so that managers can always be aware of what is occurring in their systems. Cisco claims that this bundled solution will increase security for E-commerce users. ‘If there is breach in Ea security commerce, it brings the whole house of cards down,” said Bill Laller, global license manager for Cisco. The development of this solution is positive, but hardly earthshattering, according to Winn Schwartau, chief operating officer of The Security Experts Inc. ‘You want companies working together. But this is just another deal,” he said. ‘It’s a huge fallacy that E-commerce is unsafe. It’s already safe. This is just another twist, another bell.” He said that consumers need to ask themselves whether it would be easier for someone to usurp their credit card number over the Internet or by any number of workers at a local diner. Schwartau said that fear, uncertainty and doubt prevent consumers from engaging in E-commerce and security vendors use that to sell their products. Solutions such as this one are not what it will take to get the masses do business over the Internet. He said that will happen when systems are more common and easier to use.
0 1998 Elsevier Science Ltd
February 7998
Windows NT and other key corporate computing systems. The system immediately alerts IT managers of an intrusion and then it will automatically begin implementing a series of preconfigured actions to stop further interference. The product monitors the alarms and the audit trails of distributed systems for ‘footprints’ that signal suspicious or unauthorized activity. For further information, contact Susan Riley, Axent Technologies Ltd on: +44 1372 729655; fax: +44 1372 729650; E-mail: sriley@ axent. co. uk.
Netect’s detection tool Barbara Gengler
latest security the on vulnerabilities, Netect helps ensure that customers are protected on an on-going basis against new security threats.” Netective identifies and resolves security vulnerabilities at both the operating system level and the network level to protect against both internal and external cyber threats. It also monitors key system files for unauthorized changes and by referencing a one million word dictionary, it vulnerable user identifies passwords through a variety of cracking techniques. Once the network vulnerabilities are identified the product automatically provides users with a corrective solution from its extensive library. The database includes an up-todate operating system and networking vulnerabilities, detailed corrective solutions, security recommendations as well as patches.
A start-up company called Netect has a new intrusion detection tool that simulates attacks on the network. It then automatically generates a vulnerability report that can be used by IT managers as well as security experts. Netective is based on a security database architecture and uses push technology to automatically deliver updates to users to protect them from the latest hacking techniques.
An IDC 1997 Computer Crime & Security survey found that organizations experiencing data and network sabotage from external or internal hacking could lose up to a million dollars on a per incident basis. ‘As the availability of hacker tools continues to increase, the volume of corporate data residing on networks has become more vulnerable than ever before”, said Marc Camm, CEO at Netect.
“The company’s entry into the emerging security assessment companies market helps maintain a secure network computing environment”, said Ted Julian, research manager for Internet Security at International Data Corporation (IDC). “By delivering automated updates
“Organizations, whether they employ a security expert or not, need a comprehensive solution to protect against the constant onslaught of internal and external cyber threats.”
0 1998 Elsevier Science Ltd
Using the Internet as a distribution vehicle, Netective. employs push
technology to seamlessly and its update automatically database. The new tool also creates HTML-based reports that can receive live updates of from vulnerabilities data Netective. According to beta users, Netective goes beyond the capabilities provided by shareware tools such as Security Administrator Tool for Analyzing Networks (SATAN) or Tripwire. ‘Netective gives you a picture of what a hacker sees on your network”, said David Chaloner, product manager for Netect tool. ‘It maps ports at the server level to let you know what ports are available to the outside world. Then it attempts to break into each port, looking for security holes,” he said. In addition, the tool attacks operating systems at the root level looking across file configurations to see how directories are set up. Other security reporting and management capabilities are provided in Netective Site, which lets administrators centrally manage an entire site of servers protected by Netective.
RSA challenge Ed Wehde Starting 13 January 1998, security software company RSA Data Security is kicking off a second series of contests to discredit the US Government’s crypt0 policy by exposing the vulnerability of its own software. The company is offering up to $10 000 in prize money. The new contests, dubbed DES Challenge II, come in the wake of last year’s DES Challenge which was intended to show that 56-bit security offers
5
Network Security
little protection against determined hacker.
February 7998
a
The Commerce Department claims that 56-bit encryption offered by the Government’s Data Encryption Standard (DES) is adequate for protecting data. Anything stronger requires built in ‘key recovery’, a system that allows access to the encrypted data by third parties. including law enforcement. The key that was used for the encryption of the original DES Challenge was recovered in six months, thereby demonstrating the point that the system is inadequate, according to RSA. The goal of the next contests is to see how fast it can be done. “Our original DES Challenge showed DES was crackable using an exhaustive search attack,” said Jim Bidzos, president of RSA. “Now the goal is to see how quickly an exhaustive search attack can be accomplished to help judge the true vulnerability of DES.” For the latest contest, RSA will pose a new challenge to the encryption community twice a year, on 13 January and 13 July, at 9 am Pacific Time, on the company’s Web page. The challenge will consist of the cipher text that was produced by DES-encrypting an unknown plaintext message. The key used for the encryption will be generated at random and destroyed within the generating software. The key will not be revealed to anyone, including the contest administrators, according to RSA. The goal of the challenge is to recover the secret key faster than was accomplished in the previous challenge in the series. Prizes will be awarded for the first correct entry. If the time required
6
to solve the challenge is less than or equal to 25% of the previous best time, $10 000 will be awarded. A time of 2550% of the previous time will earn $5000, and a time of 50-75% will earn $1000. No cash will be awarded if the time is greater than 75% of the previous winning time. RSA’s Web site can be accessed at http://www.rsa.com.
He Cisco secure Ed Wehde Cisco Systems and Hewlett Packard have joined forces to combine a firewall, a secure Web server and a network load balancer to form a solution which is designed to increase online business security. Secure Web Transaction Solution (SWTS), as the companies are calling it, combines the Cisco PIX Firewall with the HP VirtualVault Web server to foil Internet-based attacks on private networks and increase security for online commerce. However, at least one consultant thinks the new solution is nothing significant. In the coordinated configuration, a firewall screens out traffic not sanctioned by the company’s security policy. The PIX Firewall then directs all active content Web traffic to the Cisco LocalDirector, an application which monitors and sends the traffic to the most available HP VirtualVault server. This solution, according to the companies, allows customers to conduct critical business processes, such as E-commerce, financial services and supply chain management, securely over the Internet while impeding intruders from gaining access restricted data.
The SWTS solution can be managed from a central HP OpenView console. That console monitors the status of each component and alerts administrators of important events, such as normal, error and critical events, which can then be acted upon automatically or manually. The console can be viewed from a Web browser so that managers can always be aware of what is occurring in their systems. Cisco claims that this bundled solution will increase security for E-commerce users. ‘If there is breach in Ea security commerce, it brings the whole house of cards down,” said Bill Laller, global license manager for Cisco. The development of this solution is positive, but hardly earthshattering, according to Winn Schwartau, chief operating officer of The Security Experts Inc. ‘You want companies working together. But this is just another deal,” he said. ‘It’s a huge fallacy that E-commerce is unsafe. It’s already safe. This is just another twist, another bell.” He said that consumers need to ask themselves whether it would be easier for someone to usurp their credit card number over the Internet or by any number of workers at a local diner. Schwartau said that fear, uncertainty and doubt prevent consumers from engaging in E-commerce and security vendors use that to sell their products. Solutions such as this one are not what it will take to get the masses do business over the Internet. He said that will happen when systems are more common and easier to use.
0 1998 Elsevier Science Ltd