From: Mark Neely <[EMAIL PROTECTED]>

- - - - - - - - - - - - - - - - - - - -

Net-Alert
3 August, 1999

If you have any questions, comments or other feedback concerning Net-Alert articles, contact the Editor at <mailto:[EMAIL PROTECTED]>

Previous editions of Net-Alert are available at http://www.onelist.com/arcindex.cgi?listname=net-alert

Subscription and unsubscription details are available at the end of this newsletter.

____________________

Contents:

## Fidnet controversy
## Cisco caught out
## Natural language support for Windows 98 users
## More Y2K worries
## New Microsoft Office security flaw
## Encrypted email services gain momentum
## Pitfalls with anti-spam service

____________________

Fidnet controversy

Leaked Clinton Administration plans for a network monitoring system, known as Fidnet (Federal Intrusion Detection Network), have received considerable media attention in the last week or so.

The proposed system, to be operated by the FBI, would be tasked with monitoring government networks used by banking, telecommunications, transportation and other industries, with a view to examining "patterns of patterns" of activities in order to guard against terrorist and criminal activities.

Civil libertarians were quick to point out the risks involved with such monitoring, in particular, that the surveillance was being undertaken for non-specific purposes and might indirectly affect private (that is, non-government) networks.

Interestingly, the plan was given the "thumbs down" by Congress over the weekend. The House Appropriations Committee, in approving a $36 billion budget for the Dept. of Justice, Commerce, and State, specifically prohibited the use of any portion of the budget on Fidnet.

A copy of the plans has been made available on the Center for Democracy and Technology Web site.
URLs:
Center for Democracy and Technology
http://www.cdt.org/
Fidnet Plan
http://www.cdt.org/policy/terrorism/fidnet/

____________________

Cisco caught out

Cisco Systems, a leading supplier of networking equipment to the Internet industry, has allegedly published marketing materials that tout the ability of certain Cisco network products, designed for use in conjunction with the provision of cable Internet access, to restrict or slow down access to nominated Web sites, while speeding access to other Web sites.

With such equipment, cable Internet access providers could discourage their users from visiting certain sites (such as those operated by competitors).

____________________

Natural language support assistance

Microsoft Corp. has released a new "Automated Personal Support Assistant" that uses natural language technology to interpret questions submitted in ordinary English, such as "Where are dial up networking scripts stored?".

The site is still undergoing testing, so it hasn't been given a "dedicated" URL. For the time being, it only supports questions about Windows 98, and the database of solutions is still growing, but it is good to see that large companies are starting to understand the benefits of using natural language query technology in customer support offerings.

URL:
Microsoft Automated Personal Support Assistant
http://206.132.93.108/

____________________

More Y2K worries

Just as businesses around the globe are starting to express confidence in their preparedness for the Y2K "millennium bug" problem, a new security risk has been highlighted: contract programmers hired to update the hundreds of millions of lines of code used in legacy computer systems may themselves install malicious code in a deliberate attempt to sabotage computer systems, keep themselves in a job post-2000 or to provide themselves with access to sensitive systems after the end of their contract.
URL:
Nando Media article
http://www.techserver.com/noframes/story/0,2294,75408-119156-844998-0,00.html

____________________

New Microsoft Office security flaw

Millions of PC users could be exposed to malicious pranksters and computer criminals, thanks to a newly discovered security flaw in the Microsoft Office suite of software.

Juan Carlos Cuartango, a programmer who has previously discovered and publicised flaws in Microsoft's software, announced last week a flaw involving the way in which the Internet Explorer and Netscape Navigator Web browsers interact with Word, Excel, Powerpoint and other Office documents.

In essence, the browsers are configured to "trust" these programs, with the result that they may be used in a trojan horse-style way to deliver malicious code to a computer in a manner that would by-pass most anti-virus protection mechanisms.

According to a recent Microsoft Security Bulletin:

On July 27, 1999, Microsoft became aware of a security issue involving the ODBC database driver that is installed as a part of Excel 97. It is possible that a malicious coder could create an Excel 97 spreadsheet that exploits a vulnerability in this database driver to delete files and perform other malicious acts. A user could encounter this problem by opening a spreadsheet attached to an email message or linked from a Web site.

Office 97 applications, including Excel, warn users before running macros, and allow them to decide whether or not to disable the macros. However, this vulnerability is not associated with macros, and as a result, the user would not receive any warning upon opening the spreadsheet.

Microsoft is expected to release a patch that fixes this flaw shortly.
URLs:
Microsoft Security Bulletin
http://officeupdate.microsoft.com/Articles/mdac_typ.htm
Nando Times article
http://www.nando.net/noframes/business/story/0,2469,76412-120687-854308-0,00.html

____________________

Encrypted email services gain momentum

1on1 Lite is a free email service that allows users to send email messages and attachments using "military level" (2048 bit) encryption, based on RSA Public Key encryption.

The service operates in the same manner as several other free, Web-based email security services, but it has a number of novel twists:

- It uses an email client interface, which means that you don't have to connect to a specific Web site to send email.
- It can track when email messages are sent and read, allowing users to certify that messages were sent or read.
- Messages can be flagged to automatically "self-destruct" (that is, be deleted) once they have been read, or if they are not read within a specified period of time.
- Messages can be flagged to be "shredded" (that is, all evidence of the email is removed from your computer) after they are sent.
- Messages can be "anonymised" (i.e. sender and recipient details are removed).

1on1 Lite will automatically encrypt messages and attachments; however, it requires that both sender and receiver have the relevant interface software installed on their computers.

According to a recent Press Release:

1on1 is [f]ree, transmits virtually instantaneously and is so secure it would take one and a half Million Trillion years to decrypt a single key.

URL:
1on1 Lite
http://www.1on1mail.com

____________________

Pitfalls with anti-spam service

I am as anti-spam as they come. So when I first heard about a new service offered free to Internet users by BrightLight (a company that works with ISPs to reduce spam messages being sent to their members), I was quite interested.

The product is BrightMail. Bright Light produces what is in essence an industrial-strength spam filter.
It has a team of employees that work around the clock, analysing spam messages, and publishes a large database of spam messages, updated hourly. ISPs can pay to have access to this database, and use it to filter incoming email and block spam. It is quite an effective service.

Now users can elect to have their email boxes "filtered" by BrightMail, even if their ISP is not a subscriber to the BrightLight service.

The service works this way:

Step 1. You register with BrightMail. They ask you for your email account username & password (i.e. for your mailbox details with your existing ISP).

Step 2. Brightmail creates a mailbox on its Mail Server for you.

Step 3. You reconfigure your email program to retrieve your incoming email from BrightMail's Mail Server.

Step 4. When you check for new messages, BrightMail's Mail Server communicates with your ISP's Mail Server, retrieves any incoming messages, filters them and discards offending messages. The filtered messages are then sent to your email program.

The service claims a success rate of better than 90% in cleaning spam messages, which certainly makes it worth investigating.

Only there's one problem. To use the service, you are obliged to hand over the username and password for your Internet account.

There are obvious security risks involved in disclosing your password. Many ISPs specifically ban such a disclosure in their Terms of Service.

While I have no reason to doubt the bona fides of BrightLight (they are a well known and respected company), it does constitute a security risk. No doubt the database of users' passwords that they will amass will be an attractive target for computer criminals.

To sum up: a very useful service, but there is a risk.

URL:
BrightMail
http://www.brightmail.com/

____________________

Send a copy of Net-Alert to a friend.

Forwarding this newsletter to friends and colleagues is encouraged, providing the message is forwarded in its entirety, including the copyright notice.
____________________

If you received this copy of Net-Alert from a friend, you can subscribe by visiting the following URL:

http://www.onelist.com/subscribe/net-alert

or by sending a blank email to [EMAIL PROTECTED]

To UNSUBSCRIBE, send a blank email to [EMAIL PROTECTED]

____________________

Net-Alert is copyright (c) Mark Neely 1999. Forwarding this message to friends and colleagues is encouraged, providing the message is forwarded in its entirety, including this copyright notice.

- - - - - - - - - - - - - - - - - - - -
