[ISN] Symantec PR bunnies score Slammer own goal
http://www.theregister.co.uk/content/56/29340.html

By John Leyden
Posted: 14/02/2003 at 20:40 GMT

Symantec says it discovered the prolific Slammer worm hours before it began rapidly propagating.

The claim, contained in a press release extolling the company's DeepSight Threat Management System, suggests that Symantec notified its own customers of a serious threat hours before the wider Internet community knew anything was amiss.

Wired takes Symantec to task for this apparent lapse in ethics.

Symantec spokesman Yunsun Wee told Wired that it issued an alert about Slammer to its early warning list subscribers at approximately 9pm PST on Friday, January 24. News of the worm began to filter onto security mailing lists at 10pm PST, the magazine reports.

Well-established practices among AV vendors call for virus samples to be rapidly exchanged between rival vendors, so that users can be protected as soon as possible.

But did Symantec really sit on the problem? The company's claims are inconsistent: a Silicon Defence analysis shows that Slammer infected more than 90 per cent of vulnerable hosts within 10 minutes. This analysis is supported by first-person accounts of telecom security experts contacted by us, as well as security consultant Robert Graham's excellent review of the spread of the worm.

So we think this is more a case of Symantec shooting itself in the foot with inflated marketing claims for its early warning service rather than anything more sinister. If it knew about Slammer before everyone else (which is questionable) then we doubt it knew it was anything like as vicious as it turned out to be. At least we hope so, but without being able to discuss the sequence of events or Symantec's wider alerting policy with anyone from the company it's hard to know for sure.

Despite numerous calls to Symantec today the best its UK staffers could do was to point us towards its press release. Pathetic.

Promises that its US team would be in touch came to nothing, but once they get in touch we'll be sure to update this story with what the company has to say.

- ISN is currently hosted by Attrition.org To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.
Re: [ISN] Mitnick Banned From Security Group
Forwarded from: Tom Perrine [EMAIL PROTECTED]

On Fri, 14 Feb 2003 01:30:21 -0600 (CST), InfoSec News [EMAIL PROTECTED] said:

IN> Forwarded from: Robert G. Ferrell [EMAIL PROTECTED]
IN> At 03:33 AM 2/13/03 -0600, InfoSec News wrote:

It didn't last long. Mitnick's password was quickly revoked, and a few days later he received a letter in certified mail from the ISSA's headquarters informing him that news of his acceptance was greatly exaggerated. "The ISSA has determined that your past behavior does not comply with the ISSA Code of Ethics, therefore we cannot accept your application at this time," reads the unsigned letter.

OK, at what point does a person who has been convicted, and served their time, get rehabilitated? Even a convicted felon gets their civil rights back at some point, right?

IN> This is just a shot in the dark, but I'll betcha if we exposed all the
IN> ISSA's members to the same level of scrutiny that Kevin's past has
IN> received, there'd be a lot more of these letters sent out.

I'm not an ISSA member, but I would welcome this kind of scrutiny for their members, and the members of some other organizations. The stuff I've seen proposed by people with ISSA, and CISSP after their name has sometimes been, interesting. The legitimacy that these organizations and certifications are intended to confer on their members/recipients deserves more scrutiny.

-- 
Tom E. Perrine [EMAIL PROTECTED] | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ |
[ISN] Rick no longer providing columns for Securityfocus
Forwarded from: Richard Forno [EMAIL PROTECTED]

14 February 2003

Hello, all --

Effective immediately, I will no longer be providing a monthly column for Securityfocus.Com, which was acquired in 2002 by Symantec.

The issue came down to questioning of the byzantine Industrial Age process through which Symantec - a billion dollar company allegedly in-tune with the Information Age - pays its recurring, monthly columnists. Although grumbling about the situation to my editor over the holidays (and hearing some of his complaints about the Symantec merger as well) I decided that enough was enough. The other day, I composed a polite, formal letter to Symantec's executive management regarding this situation.

Yesterday, as a professional (and personal) courtesy, I sent a draft copy of my complaint to my editor since he's been a fair person to work with. I asked for his comments or thoughts on it before I sent it via postal mail to the company.

Today, via phone, my editor informs me that my column is being cancelled as a result of my attitude these past few months (regarding the archaic payment process) and also for the quality of my work -- which really surprised me, particularly since we've had a very candid working relationship these past two years and aside from typical editorial comments, he seldom complained about my work. One would think if the editorial problem was *that* serious, given how we've worked together these past few years, if such a problem existed, he would have brought it to my attention sooner. I suspect this is simply a more convenient way of justifying the termination of my contract -- or else why bring it up now - retroactively - without any warning or opportunity for improvement?

Was it inappropriate wanting to contact executive management about this problem? Perhaps. However, since my editor never provided me a middle-management person to discuss this situation with when asked, I felt justified in seeking answers from elsewhere in the company.

Suffice it to say, the letter never got sent, because (for me, at least) there's no reason to send it now. Thus, I am moving on with no regrets and wish my (formerly) fellow Securityfocus columnists well as they continue working in the shadow of the Symantec behemoth. I also hope that Symantec learns to embrace the Information Age in practice as well as in buzzwords. Billion-dollar-business or not, there's always room for common sense.

Cheers,
Rick
infowarrior.org

For those interested, a copy of my draft letter to Symantec can be found at: http://www.infowarrior.org/symantec/symantec-lackingcommonsense.html
[ISN] Cyber-Security Strategy Depends on Power of Suggestion
http://www.washingtonpost.com/wp-dyn/articles/A10274-2003Feb14.html

By Jonathan Krim
Washington Post Staff Writer
February 15, 2003

The Bush administration yesterday announced its strategy for protecting computer systems from attacks by hackers or terrorists, but it backed away from proposals by several security experts for government requirements and funding.

Instead, the plan suggests how individuals, businesses and governments can meet the growing threat of cyber-attacks on computer networks.

"Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our nation's critical infrastructures, economy or national security," said the plan, released by the Department of Homeland Security.

The plan encourages companies to regularly review their technology security plans, and individuals who use the Internet to add firewalls and anti-virus software to their systems. It calls for a single federal center to help detect, monitor and analyze attacks, and for expanded cyber-security research and improved government-industry cooperation.

The report is markedly different from early drafts that included proposals championed by Richard A. Clarke, who recently resigned as President Bush's adviser on cyberspace security. Among them were suspending wireless Internet service until security holes were addressed, requiring Internet service providers to include firewall software and recommending that government agencies use their power as major purchasers of computer programs to push software makers to improve the security of their products.

"Leaving it to the vendors is basically the path we've been following . . . and the whole reason we have the problems that we have," said Eugene H. Spafford, a security expert and professor at Purdue University who frequently consults with the government.

Clarke could not be reached for comment.

Peter G. Neumann, chief computer scientist with SRI International, a nonprofit research group in Silicon Valley, said the recommendations were like saying, "If you put duct tape around your computer, you'll be secure."

Technology and telecommunications companies lobbied hard against regulation, arguing that the private sector is better qualified to develop the most effective security. The report was scheduled for release last September but the government said more input from industry was needed.

"It's a wonderful statement of the problem," said Allan Paller, director of the SANS Institute, a computer security think-tank and education center. "But it's missing some of the best ideas that people had."

Paller said that through the various drafts the report went from "companies should do something," to "companies should consider," and in some cases to no recommendations at all.

Democrats, too, were disappointed.

"When it comes to cyber-security, we're running at a punch-card pace when we need Pentium speed," said Sen. Charles E. Schumer (D-N.Y.), who is the Senate Democrats' point man on homeland security. "The administration has been working on this proposal for months and should have come out with a specific plan of action, not a vague set of broad principles that has no money backing it up."

Of particular concern to computer specialists is pushing the technology industry to develop more secure products.

"You need much stronger stuff, and you can't get it," Neumann said. "There's no accountability."

Among the ideas that were discussed were financial incentives for improving security and legal liability for failing to meet basic security standards.

Technology companies supported the report yesterday.

"The national strategy challenges our traditional focus on technology as the 'silver bullet,' and highlights more fundamental behavioral matters -- like IT training and certification -- that can make America's computer networks safer," said Michael Wendy, policy counsel for CompTIA, a technology trade association.

Sources familiar with discussions between the industry and the administration said some tech companies would have supported a more concrete plan. But White House advisers held fast to their philosophical reluctance to regulate free markets or to impose industry standards that might favor one sector over another, the sources said.

Mark D. Rasch, chief security counsel for Solutionary Inc., a computer services firm, said the report was an important first step. But critical industries such as banking and utilities should be subject to mandatory security audits, he said.