low flying hackers pose growing threat


Computers & Security, Vol. 17, No. 8

have data protection rules, and this could include E-mail routed through these countries, even by accident. Neil Barrett, security expert at Bull Information Systems, commented, “Companies are going to have to make sure that every item of data on their intranet does not end up on a foreign server. Or they need to take steps to protect the data being used in that country in a way that would breach the act.” This could cause problems for users of US-based ISPs which process all their E-mail through a central US sorting office before returning it to the UK. Barrett commented that IT managers are “woefully ignorant” of the amount of work the new law will generate. Computing, September 10, 1998, p. 22.

Rich pickings for hackers, Lisa Kelly. Information security consultancy Diligence has stated that around 90% of Web sites can be penetrated and shut down within ten minutes. This vulnerability puts corporate reputations and assets at stake. Harry Kam, Diligence’s director of communications, stated that, “It is usually only a matter of hours before the hacker can gain access to the entire IT system.” According to Rob Hailstone, research director at Bloor Research, organizations should report hacking attacks in order to act as a deterrent to other hackers, yet more often than not attacks are not publicized as companies regard them as embarrassing. One unnamed research company had its system violated via the Web with the result that every PC on the network had its hard disk wiped. Computing, October 8, 1998, p. 4.

Symantec buys anti-virus line, Andy Santoni. Symantec has purchased Intel’s anti-virus business and has licensed Intel system-management technology. Symantec will use the technology to assist in building its Digital Immune System (DIS) in conjunction with IBM. DIS combines Symantec’s products with neural network technology from IBM, aimed at creating an automated environment to keep systems running. Norton AntiVirus engine technology will be integrated into a product that Intel already has under development, which will in turn be integrated with Intel LANDesk Management Suite and launched as a new Norton AntiVirus product. The product will include management functionality such as distribution, configuration, lockdown, remote operations, and event management and logging. Intel will honor all existing support and maintenance agreements for the current versions of LANDesk Virus Protect, and with Symantec will continue to sell Version 5.0 until the new product is available. InfoWorld, October 5, 1998, p. 41.

Network security under attack? Buy insurance, Bob Wallace. Insurance companies are starting to team up with IT vendors to offer coverage for network security problems, provided that organizations take adequate security measures to make themselves insurable. “It is definitely a new area for insurance companies, one that helps them diversify and offer new products and services to corporations”, commented John Santucci, director of IT insurance practice at KPMG Peat Marwick LLP. “It’s important for them to partner with technology companies to understand the risks and the lay of the land for the industry they’re entering.” Cigna has teamed up with NetSolve and Cisco Systems to offer insurance which covers companies for computer crime that involves theft of money, securities and property, damage by hackers to a company’s data or software, and business losses stemming from attacks on a company’s computer system, although it does not cover bugs in software or damage done by viruses. In another move, Sedgewick has teamed with IBM and offers security insurance and coverage for hacker damages to Web sites. Computerworld, October 5, 1998, p. 4.

Abstracts of Recent Articles and Literature

Low flying hackers pose growing threat. System administrators are slowly becoming aware of a type of hacking that slips under the radar of traditional firewalls. Low-bandwidth hacking involves a number of hackers working together from varying locations, intermittently sending sets of IP packets against a network to test for vulnerabilities. As these packets come from different hosts at varying intervals, they are not detected by the majority of intrusion-detection applications currently on the market. Although low-bandwidth hacking may have been going on for some time, it only came to light recently when it was documented by the Shadow project of the US Department of the Navy’s Surface Warfare Center. “We’re still not sure. Our logs seemed to indicate that someone had been poking at us over a couple of weeks. I don’t think they got in, but if they had found any [vulnerabilities], I don’t think we would have known about it,” commented the administrator for a Midwestern US bank. Vendors are already seeking to address the problem; however, if intrusion detection is adjusted to catch the packets used in such an attack, then normal IP traffic will set off false alarms. In order to detect low-bandwidth attacks, intrusion-detection software has to have pattern recognition or neural network technologies. Amongst the vendors working on new detection software are Network Associates with its Active Firewall technology, and Internet Security Systems with RealSecure 3.0. In addition there is also freeware in development from the Navy’s Shadow project, although this will probably trade off performance for security. Until such products are available, network administrators should ensure that internal IP addresses are hidden by firewalls, otherwise they may well invite low-bandwidth attacks. KM&k, October 20, 1998, p. 26.
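The detection gap described in this abstract can be shown on log data. The following is an added example, not code from the article, the Shadow project or any vendor named above: it runs a conventional per-source rate rule and a long-window, per-target correlation over constructed firewall-deny records. The addresses, thresholds and function names are assumptions, and the per-target rule is a simple heuristic standing in for the pattern-recognition approaches the abstract mentions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(1998, 10, 1)

def constructed_events():
    """Constructed firewall-deny records: (time, src, dst, dst_port)."""
    ev = []
    # Six hosts take turns probing one server, one port every 23 hours.
    ports = [21, 23, 25, 53, 79, 80, 110, 111, 139, 143, 512, 513]
    for i, port in enumerate(ports):
        ev.append((T0 + timedelta(hours=23 * i + 3),
                   f"203.0.113.{10 + i % 6}", "192.0.2.10", port))
    # One noisy scanner: 20 ports in 20 seconds.
    for p in range(20):
        ev.append((T0 + timedelta(days=2, seconds=p),
                   "198.51.100.99", "192.0.2.20", 1000 + p))
    # Benign noise: a misconfigured client retrying two closed ports.
    for d in range(6):
        ev.append((T0 + timedelta(days=d), "198.51.100.7",
                   "192.0.2.10", 8080 if d % 2 == 0 else 8443))
    return sorted(ev)

def per_source_threshold(events, window=timedelta(seconds=60), min_probes=10):
    """Conventional rule: one source touching many ports inside a short window."""
    recent, flagged = defaultdict(list), set()
    for t, src, dst, port in events:
        recent[src] = [(ts, k) for ts, k in recent[src] if t - ts <= window]
        recent[src].append((t, (dst, port)))
        if len({k for _, k in recent[src]}) >= min_probes:
            flagged.add(src)
    return flagged

def per_target_correlation(events, window=timedelta(days=14),
                           min_ports=8, min_sources=3):
    """Long-window view keyed on the target: many distinct ports probed by
    several sources, whatever the rate of any single source."""
    end = events[-1][0]
    srcs, ports = defaultdict(set), defaultdict(set)
    for t, src, dst, port in events:
        if end - t <= window:
            srcs[dst].add(src)
            ports[dst].add(port)
    return {d: (len(srcs[d]), len(ports[d])) for d in ports
            if len(ports[d]) >= min_ports and len(srcs[d]) >= min_sources}

if __name__ == "__main__":
    ev = constructed_events()
    print("per-source rule:", per_source_threshold(ev))
    print("per-target rule:", per_target_correlation(ev))
```

Loosening the per-source rule to a 14-day window and two probes does catch the six slow hosts, but it also flags the benign client, which is the false-alarm trade-off the abstract describes.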

Hacks gain in malice, frequency, Sharon Gaudin. The US Naval Surface Warfare Center and the US Army Research Laboratory are studying the latest intrusion trends in hits against government sites, and are seeing a move from benevolent and juvenile hacking to malicious intrusions-for-hire. They also indicate that the corporate arena is seeing the same change in attack types. “A year ago, almost 100% of the hackers just wanted to break in and touch a machine to say they’d been there. Over the last six months, we’ve found that hackers are making money off their fun. They break into a system, cop some information and sell it. Today it’s about organized crime and espionage,” said Stephen Northcutt, head of intrusion detection at the Naval Surface Warfare Center. There have been considerable improvements in the power and availability of hacker tools. These are developed by experienced hackers and then posted on Web sites for everyone to use. Low-bandwidth attacks and the use of probe attack tools are amongst the newest techniques which are extremely difficult to detect. In TCP/IP, flags, such as ‘s’ for start and ‘f’ for finish, need to appear in specific places in the packet. Hackers put flags in incorrect spots and can tell by the response a system makes to the bad flags what kind of system it is. Identifying a system makes it much easier to crack. The US DoD was hit by 350 000 attacks last year according to the General Accounting Office. “These attacks are often successful, and the number doubles each year as Internet use increases and hackers become more sophisticated,” Northcutt said. Computerworld, October 12, 1998, pp. 37-38.
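A sensor can flag the inconsistent flag combinations this abstract refers to before the host ever answers them. The following is an added example, not code from the article or the organizations it names: it reads the flag byte of a raw TCP header and names combinations that a normal connection does not produce. The abstract's ‘s’ and ‘f’ are the SYN and FIN bits; the header builder, function names and the particular rule set are assumptions, and the sample headers are constructed.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header (no options, checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)

def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits, stored in byte 13 of the TCP header."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return header[13] & 0x3F

def flag_anomaly(flags: int):
    """Name the inconsistency in a flag combination, or None if it is plausible."""
    if flags & SYN and flags & FIN:
        return "SYN and FIN together"      # cannot open and close at once
    if flags & SYN and flags & RST:
        return "SYN and RST together"      # cannot open and abort at once
    if not flags & (SYN | ACK | RST):
        # Every segment after the opening SYN carries ACK (a reset may omit it),
        # so a packet with none of the three belongs to no normal exchange.
        return "neither SYN, ACK nor RST set"
    return None

def review(headers):
    """Return (index, reason) for each header whose flags look crafted."""
    findings = []
    for i, h in enumerate(headers):
        reason = flag_anomaly(tcp_flags(h))
        if reason:
            findings.append((i, reason))
    return findings

if __name__ == "__main__":
    sample = [build_header(f) for f in
              (SYN, SYN | ACK, ACK | PSH, FIN | ACK, SYN | FIN, 0, FIN | PSH | URG)]
    for idx, why in review(sample):
        print(f"packet {idx}: {why}")
```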

Fraud artists surf new turf - cyberspace, Valerie Lawton. Canadian authorities say that they are collecting a small but growing list of complaints about fraud carried out over the Internet. The fraud usually entails payment for services or products over the Net: the payment is taken but the products never arrive. According to a report by the OECD, E-commerce is expected to grow dramatically over the next seven years, jumping to a worldwide value of some $1 trillion. Much attention has been devoted to easing consumer fears about using credit cards in cyberspace, but fraud on the Internet is likely to be high-tech versions of very old cons. Staff Sergeant Fred Pratt, a top Royal Canadian Mounted Police fraud officer, expressed concern as to how well prepared the police were to tackle the problem. “We can’t really address what we have; how are we going to address anything that’s new and expanding out there unless we shut down entirely certain other areas of the programme?” In the US, Internet Fraud Watch collected over 1100 complaints last year, three times the level of the year before. People have complained of losses ranging from $10 to $10 000, arising from such scams as Web auctions, goods that are never delivered, charges for Internet services that are supposedly free, empty promises of large profits from business opportunities or work-at-home plans, and bogus charitable organizations. The US Federal Trade Commission is addressing the problem with aggressive law enforcement, including 40 federal actions against cyber-fraud since 1994. “Our goal is to nip Internet fraud in the bud,” says Paul Luehr, head of the FTC’s Internet coordinating committee. Toronto Star, October 7, 1998.

Quick cracking of secret code. A custom built computer costing less than $250 000 needed only 56 hours to crack DES in a contest sponsored by RSA Data Security. The computer, designed and built by Paul Kocher of Cryptography Research in San
