[I thought I'd forward this along just the once... --Perry]

Security Wire Digest is a weekly e-mail newsletter
brought to you by Information Security magazine, an
ICSA.net publication.

TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF
THIS MESSAGE.

=====================================================

CONTENTS

1. INFOSEC WEEK IN REVIEW
*Administration Seeks Legislative Okay for Cyberspace
Scrutiny
*Programmer Cracks French Banking Smart Card System

2. INDUSTRY UPDATES
*RSA Patent Expiration Looming

3. IN BRIEF
*Check Point Beefs Up SVN
*HP Releases B-to-B Extranet Tools
*Tripwire Launches TEC Agents/Console
*Cylink Unveils VPN, PKI Solutions
*Intel Rolls Out Crypto Boards
*Netegrity to Provide Solutions for Internet Start-Ups
*Axent and Cobalt Team Up to Provide Linux Firewall/VPN
Appliance
*e-Security's OeSP Integrates With 29 Security Products

4. HAPPENINGS

=====================================================
THIS ISSUE OF SECURITY WIRE DIGEST IS SPONSORED BY...

Hurwitz Group Inc. - Strategists for e-business

With change comes challenge. In the e-business world the
benefits of easy, instant access and full-time
availability are the very same elements that make
e-business risky business. Protecting your enterprise is
one of your greatest challenges. The Hurwitz Group
report, "Enterprise Security Methodology and Architecture
for e-Business," gives CIOs, IT managers and enterprise
architects a road map for planning the optimal security
infrastructure of the e-business.

Download it FREE at http://www.hurwitz.com/infosec
=====================================================

1. INFOSEC WEEK IN REVIEW

*ADMINISTRATION SEEKS LEGISLATIVE OKAY FOR CYBERSPACE
SCRUTINY
The U.S. Attorney General, Commerce Secretary and a
deputy Secretary of Defense are calling on Congress to
pass the Cyberspace Electronic Security Act (CESA) to
gain an advantage against criminals using advanced
encryption. CESA is a response to the administration's
recent relaxing of controls on the export of products
that allow strong encryption.

In a letter addressed to House Majority Leader Dick
Armey (R-Texas), Attorney General Janet Reno asserted
that CESA was "critical" to the administration's new
security policies. Since criminals now presumably have
freer access to encryption techniques that could allow
them to shield communications from the scrutiny of law
enforcement agencies, the administration feels that those
agencies should have more powers to fight criminals.

The original version of CESA would have allowed law
enforcement officials to obtain search warrants to
secretly enter a suspect's home and either install
software or obtain encryption information that would
allow decryption of encrypted communications, without
notifying the suspect for 30 days. This would be similar
to the existing ability of law enforcement to obtain
warrants that permit wiretapping telephones without the
suspect's knowledge. However, objections from civil
liberties advocates and Representative Armey caused the
administration to withdraw these provisions from CESA.

In a letter to Congress urging support for CESA, Reno,
Commerce Secretary William Daley and deputy Defense
Secretary John Hamre reiterated the need to "search for
keys" to decrypt communications by criminal and terrorist
suspects. Nevertheless, they expressed the belief that no
new extraordinary powers are required and that "general
authorities" are sufficient to meet the threat.

Civil liberties groups continue to be wary, however.
"Secret searches are fundamentally contrary to the letter
and spirit of the Constitution," says Jim Dempsey, senior
staff counsel for the Washington, D.C.-based Center for
Democracy and Technology. "Cyberspace and encryption
technology doesn't change that." Modifications to the
bill are expected to continue before it comes to a vote
later this year.


*PROGRAMMER CRACKS FRENCH BANKING SMART CARD SYSTEM
A French programmer is being tried for counterfeiting
and fraudulent entry into an automated banking system
after demonstrating his ability to obtain goods without
payment using a homemade smart card. He could face a
two-year suspended jail sentence and a fine of 50,000
francs.

Serge Humpich set himself the task of cracking the smart
card system used throughout France for purchases and cash
advances. He realized that the smart card readers often
query the smart card to determine if the manually entered
PIN is correct, without performing any checks with the
credit card network. The PIN is encoded on the smart card
using what is described as 640-bit RSA encryption.
Humpich was able to perform the factoring using a
quadratic sieve, after discovering that the public key
had special properties he could exploit. He then
purchased hardware -- including smart card readers -- to
create and test his own smart cards.

At this point, Humpich notified the Cartes Bancaires
consortium of his discovery and offered to tell them how
to close the security hole for some 10 million francs.
Cartes Bancaires entered into negotiations with Humpich,
finally demanding a demonstration. Humpich complied by
using his smart cards to purchase Metro tokens, retaining
the receipts to prove that Cartes Bancaires had no record
of his purchase. Cartes Bancaires then had him arrested
for fraud and counterfeiting.

There are, of course, several sides to the matter.
Humpich claims he was selling security consultation
services; Cartes Bancaires says he was blackmailing them.
Cartes Bancaires says that he obtained the tokens
illegally; Humpich insists he only made the purchase at
Cartes Bancaires' behest.

What's clear is that the simple use of 640-bit RSA
encryption is not sufficient to secure a smart card
system. Bruce Schneier, founder and CTO of Counterpane
Internet Security, points out that key length has no
correlation with the strength of the encryption. "Even
with strong encryption, there are often other ways around
the system security," notes Schneier. This lesson is
especially important as government and business
organizations -- such as American Express -- make plans
to roll out smart cards in the United States.

=====================================================

2. INDUSTRY UPDATES

*RSA PATENT EXPIRATION LOOMING
With RSA Security's encryption patent set to expire
Sept. 21, 2000, there's speculation as to what effect it
will have on the industry. Possible outcomes include a
challenge to RSA's market penetration and lower prices
for software incorporating its encryption technology.

Twenty years ago, with U.S. government funding, RSA
pioneered the public-key technology that is the
foundation for the Secure Sockets Layer (SSL) protocol
used today to secure Web transactions. The company's
BSAFE cryptography tool kit has been reported to be
licensed to 90 percent of all products sold with
encryption.

"Our competitors have been making a big deal about the
patent expiring, but I don't see it having any real
impact on our business," John D. Worrell, RSA Security
SecurID director of product marketing, told Information
Security magazine at the recent RSA Conference 2000.

Despite the company's optimism, there are competitors
lining up to step in once the technology enters the public
domain. For example, Certicom, whose elliptic curve
cryptography (ECC) is used in small wireless devices,
plans to introduce a competitive product this year,
according to Certicom CEO Rick Dalmazzi.
http://www.rsasecurity.com
http://www.certicom.com

=====================================================

3. IN BRIEF

*CHECK POINT BEEFS UP SVN
Firewall and VPN mainstay Check Point Software
Technologies has released a 2000 edition of its Secure
Virtual Networking (SVN) solution. The updated version
natively supports multiple client-side authentication
options including RADIUS, TACACS+ and SecurID tokens, as
well as biometrics and proximity tokens through its
Secure Authentication API (SAA). Check Point 2000 also
introduces a High Availability module for redundancy and
automatic failover of VPN-1 connections, and new
administrative functionality through a Visual Policy
Editor, which creates a visual representation of the
enterprise VPN architecture, allowing admins to visualize
and manage VPN security policies across extended WANs.
http://www.checkpoint.com

*HP RELEASES B-TO-B EXTRANET TOOLS
Hewlett-Packard (HP) has unveiled several new tools
aimed at helping companies strengthen their b-to-b
extranets. Each of the new offerings will be added to
HP's Praesidium portfolio of Internet security products.
The new Domain Guard Enterprise 1.0 ($2,995 per 100
users) allows IT managers to centrally control access to
WinNT 4.0, HP-UX and Sun Solaris-based Web servers.
Domain Guard also provides Web single sign-on functions
and user self-registration, and capabilities to delegate
user and policy administration. HP also released its new
Web Enforcer software ($2,995 per server; $695 for annual
security update), which fixes known NT vulnerabilities
and provides security updates.
http://www.hp.com/security

*TRIPWIRE LAUNCHES TEC AGENTS/CONSOLE
Tripwire has rolled out a central management module
called Tripwire Enterprise Control (TEC) Manager. The
module is the central feature of version 2.2.1 of its
file integrity assessment software, released in January.
TEC deploys agents across eight host platforms (NT and
seven UNIX flavors), monitoring system files, directories
and registries for modifications, additions or deletions.
Changes are reported to the TEC console, which runs on NT
and can manage up to 250 agents from a central location.
Pricing was not announced.
http://www.tripwire.com

*CYLINK UNVEILS VPN, PKI SOLUTIONS
Cylink announced its NetHawk IPSec-based VPN, a hardware
complement to its existing Private Wire software
solution. The NetHawk supports Triple-DES encryption and
is offered in four models, from 10 Mbps Ethernet
(supporting 5,000 simultaneous connections) to 100 Mbps
Fast Ethernet (20,000 connections). The VPN is centrally
managed through the company's existing PrivaCy Manager
interface. Cylink also unveiled its NetAuthority PKI
solution. Both products will ship in March.
http://www.cylink.com

*INTEL ROLLS OUT CRYPTO BOARDS
Continuing its foray into the infosec space, Intel
announced its PRO/100 S line of network security-enabled
adapter cards for the desktop and server. The Layer 2
devices are designed to encrypt IP traffic and offload
cryptographic functions from server and PC processors.
The announcement follows Intel's recent acquisition of
crypto accelerator company IPivot. The PRO/100 S
Management Adapter for the desktop retails at $112 per
board, while the Server adapter runs at $139.
http://www.intel.com

*NETEGRITY TO PROVIDE SOLUTIONS FOR INTERNET START-UPS
Netegrity introduced Startup.Com, a new program that
delivers e-business solutions and services designed for
consumer dot-com companies. The program provides
start-ups with a bundle of secure user access and
personalization software along with educational and
consulting services, enabling them to launch and manage
their e-commerce sites. Startup.Com includes a
subscription-based license of SiteMinder, Netegrity's
flagship product, which provides centralized control of
users accessing corporate intranet and extranet sites. It
also includes 12x5 technical support, three days of
product training and onsite installation and
configuration consulting. Pricing was not announced.
http://www.netegrity.com

*AXENT AND COBALT TEAM UP TO PROVIDE LINUX FIREWALL/VPN
APPLIANCE
E-security provider Axent Technologies announced an
agreement with Cobalt Networks under which the companies
will jointly develop a Linux firewall and VPN appliance.
Targeted for small- to medium-sized businesses, branch
offices and service providers, the product will be based
on Axent's Raptor and PowerVPN software and Cobalt's RaQ
3 server appliance. It will also include a Raptor
management console that manages geographically dispersed
appliances on the WAN via the Web. This feature allows
larger companies to manage branch offices' firewalls from
a central location. The firewall, which will be available
in Q3 2000, will be priced at approximately $5,000.
http://www.axent.com
http://www.cobalt.com

*E-SECURITY'S OESP INTEGRATES WITH 29 SECURITY PRODUCTS
e-Security announced that its Open e-Security Platform
(OeSP) software now integrates with 29 multivendor
security products and devices, allowing companies to
conduct real-time surveillance of their enterprise
environment from a single console. The integration will
include products and services such as firewalls,
intrusion detection, operating systems, antivirus, Web
servers, databases, policy monitoring, vulnerability
assessment and authentication. Companies involved in the
OeSP integration include: Axent Technologies, Cisco
Systems, Hewlett-Packard, IBM, Internet Security Systems
(ISS), Microsoft, Network Flight Recorder, Symantec and
Trend Micro.
http://www.esecurityinc.com


=====================================================
*ADVERTISEMENT*

MIS Training Institute presents:

InfoSec World 2000
M-W, April 3-5, 2000, Orlando, Fla.
(April 1, 2, 6, 2000: Optional Workshops)

This annual event is where serious infosecurity
professionals go for serious learning. Focusing
exclusively on information security, InfoSec World 2000
features hands-on experts and is attended by
decision-making infosecurity professionals from
high-profile companies and government. InfoSec World Expo
is one of the largest vendor exhibits in the industry.
Get conference details at:
http://www.misti.com/conference_show.asp?id=ISW00
=====================================================

4. HAPPENINGS

FEBRUARY
Implementing Web Security
Tu-F, Feb. 1-4, Reston, Va.
http://www.learningtree.com

Network and Distributed System Security (NDSS)
Symposium
W-F, Feb. 2-4, San Diego, Calif.
http://www.isoc.org/ndss2000

Information Assurance Technical Framework--Defend the
Network
Th-F, Feb. 3-4, Linthicum, Md.
http://www.iatf.net

Certificate Authorities and Public Key Infrastructures
M-W, Feb. 7-9, Orlando, Fla.
http://www.misti.com

How to Become an Effective Information Security
Professional
Tu-W, Feb. 8-9, Gaithersburg, Md.
http://www.gocsi.com

A Practical Guide to Encryption and Certificate
Authorities
Th-F, Feb. 10-11, Gaithersburg, Md.
http://www.gocsi.com

=====================================================
Security Wire Digest and Information Security magazine
are published by ICSA.net, the world's leader in Internet
security services.

Copyright (c) 2000. All rights reserved. Redistribution
of this newsletter is permitted provided all content is
reproduced verbatim.
=====================================================

To SUBSCRIBE to Security Wire Digest, go to:
http://www.infosecuritymag.com/newsletter

To UNSUBSCRIBE from Security Wire Digest, go to:
http://custserv.emailch.com/removeme/unsub.cfm?j=12068&[EMAIL PROTECTED]

To CHANGE your e-mail address, go to:
http://polaris.emailch.com/infosecurity/questionnaire.cfm?[EMAIL PROTECTED]

... email integration by EmailChannel, Inc.
For more information, send email to [EMAIL PROTECTED]
or please visit http://www.emailch.com