Hacking rises despite increased security spending
Spending more for computer security alone won't protect your network from hackers and cybersaboteurs, according to a recent survey published in Information Security magazine. While the money US companies are spending for security products and services is up 188 per cent over the last two years, so are cyberattacks: eight out of 10 companies have been hit this year in the US, the survey said.
The number of companies spending more than $US1 million a year on computer security has nearly doubled in 2000, compared with 1999, yet internal and external security breaches continue to rise, because of employee carelessness and increased hacker activity.
The consulting industry spent the most on security, topping the chart with $2 million in the average budget, followed by banking and finance firms, which averaged $950,000. Post-secondary education institutions spent the least for security, with an average security budget of $100,000.
The study, titled "The 2000 Information Security Industry Survey", surveyed 1897 high-tech and infosecurity professionals. It was co-sponsored by ICSA.net and Global Integrity and appeared in the September 2000 issue of Information Security, ICSA.net's independent magazine.
According to the survey, companies need to devote more attention to cybersabotage, as well as hacking. Nearly twice as many companies experienced insider attacks, such as theft, sabotage or intentional destruction of computer property, as compared to 1999. Meanwhile, 41 per cent more companies had to deal with employees who intentionally disclosed or destroyed proprietary corporate information.
The installation and use of unauthorised software accounted for 76 per cent of the breaches experienced in the past year, followed by virus infection (70 per cent), use of company computers for illegal or illicit purposes (63 per cent), abuse of computer access controls (58 per cent), installation and use of unauthorised hardware (54 per cent), use of company computing resources for personal profit (50 per cent), physical theft or sabotage (42 per cent), electronic theft or sabotage (24 per cent) and fraud (13 per cent).
Outsider breaches experienced in the past 12 months included viruses, trojans and worms, which affected 80 per cent of survey respondents, followed by denial of service attacks (37 per cent), active program scripting or code "exploits" (37 per cent), insecure password attacks (25 per cent), buffer overflows (24 per cent) and attacks on Web server bugs (24 per cent).
Companies engaging in business-to-business or business-to-consumer electronic commerce were easier targets, the survey said. In fact, companies involved in e-commerce were twice as likely to have their Web servers attacked by hackers as those not involved in e-commerce. And e-commerce sites experienced more attacks in 15 out of 16 categories than sites not involved in e-commerce, said Andy Briney, editor-in-chief of Information Security.
Information Security's study also indicated that the best defence against security attacks is a layered defence, which uses overlapping computer technologies to detect and react to security breaches. Companies that deploy multiple computer-security measures detect a far greater number of attacks than those using fewer controls, which helps the companies fight cybercrime more effectively, according to Briney.
The lesson in all this is that companies need to spend more time thinking about security, not just throwing more money at it, Briney said.
Complete results of the survey are available at http://www.infosecuritymag.com/.
CA backup software ships with Red Hat Linux
Red Hat and Computer Associates International have announced that a trial version of CA's backup software will be included with each copy of Red Hat Linux 7.
ARCserveIT 6.61 for Linux provides backup and restore functionality to a number of devices and tape libraries. It has a Web-based interface that allows network administrators of heterogeneous networks to back up Windows NT, Windows 2000, NetWare, Unix or Linux servers from a single management interface. ARCserveIT already runs on Red Hat, SuSE, Caldera and TurboLinux versions of the operating system.
Computer Associates got into Linux development at the beginning of this year. The company's CA Unicenter-TNG runs on Red Hat and SuSE Linux. CA's virus protection package, InoculateIT, also runs on Linux networks.
The company also has a range of services to help companies to install and deploy Linux in their enterprises. The trial copy of ARCserveIT for Red Hat Linux can be upgraded to a full Advanced Edition when needed. ARCserveIT for Linux is available immediately.
First Linux development standards spec released
The first version of a new Linux Development Platform Specification has been released, clearing the way for the adoption of standards that will make participating Linux platforms work together seamlessly.
The announcement was made by the nonprofit Free Standards Group at the Third Annual Linux Showcase & Conference in Atlanta.
The new LDPS standards will be adhered to by some of the largest Linux distribution companies, including Caldera Systems, Corel, Red Hat, SuSE Linux, TurboLinux and VA Linux Systems, the group said.
"This is a big thing," said Scott McNeil, an open-source strategist at VA Linux Systems. "Pre-dating Linux, Unix was always trying to be unified, with no success." Now, with the adoption of Linux specifications, the future of Linux standardisation looks brighter, he said. "To come out with the first version of a new standard is big stuff."
The new specifications will mean that Linux developers will be able to work with standardised tools, kernels and libraries that will allow their work to function properly across other Linux distributions, McNeil said.
By using the LDPS, developers will be able to create and distribute software more quickly across the spectrum of Linux distributions, including Caldera OpenLinux 2.4, Conectiva Linux 5.1, Corel Linux OS Second Edition, Debian GNU/Linux 2.2, Linux-Mandrake 7.0, Red Hat Linux 6.2, SuSE Linux 6.4 and TurboLinux 6.0, according to the Free Standards Group.
Dan Quinlan, president of the Free Standards Group, said in a statement that "LDPS is but the first of many planned specifications that are aimed to help both open-source developers and companies port applications to Linux. Having a single development reference to work from will greatly simplify the process of building Linux-based applications."
Cellphones get in the picture
It's always the way: you see a great photo opportunity but you never have a camera to hand. The latest innovation from two of Japan and South Korea's main cellular handset makers is about to change all of that however - the companies are building digital camera functions into mobile phones.
First to do it was Samsung which announced a picture-taking model in June.
Equipped with a 380mm colour TFT (thin film transistor) LCD (liquid crystal display), the telephone incorporates a digital camera with 350,000-pixel resolution. That's good enough for VGA (640 x 480 pixel) resolution images, but is not a match for today's latest digital still cameras that boast 3 million or even 4 million pixels. Samsung hopes the resolution is enough to amuse young people - the prime audience for the cell phone.
Samsung said the phone can store 20 standard resolution pictures, or 26 if a higher compression level is used, and has a macro text mode which allows for clear images of written text to be taken. Images can be transferred to a personal computer via a supplied cable. The phone, which has been available in South Korea since June, has a battery life of 200 hours for the camera, 30 minutes longer than the maximum talk time.
In Japan, where cell phones are every bit as popular as in South Korea, and where getting the latest model is almost a national pastime among teenagers, local vendors have yet to integrate a camera into a cell phone. However, Kyocera has done the next best thing and announced miniature cameras that can plug into handsets.
The company recently announced a new add-on for users of its cellular telephones. To go on sale from November 8, the Treva is a low-quality digital still camera add-on that can be plugged into telephones offered by DDI's PHS (personal handyphone system) service.
Sweeper gives skin flick
Content Technologies has launched PORNsweeper, image analysis software which allows organisations to prevent images they deem unacceptable, including pornography, being e-mailed into or out of their networks.
PORNsweeper is an add-on module for Content Technologies' MAILsweeper for SMTP. It works by scanning the contents of image files attached to e-mails or embedded within e-mail attachments.
Nude or pornographic images contain more skin pixels than other images where skin is present. PORNsweeper analyses the skin pixels to determine various statistics about the image. It searches the file for the colour of human pigmentation in the pixels and analyses whether the image is a portrait photograph or an unacceptable image through "face detection" technology. Its sensitivity can be adapted so that users in sectors which have a high propensity to distribute human images [eg marketing departments] can still use it to detect unacceptable images.
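As an added illustration (not Content Technologies' code, and not a description of how PORNsweeper is actually implemented), the Python below computes the simplest form of the skin-pixel statistic described above and shows why the sensitivity setting matters: the same portrait, 20 per cent skin-coloured, is blocked by a strict threshold and allowed by a lenient one, while a flesh-heavy image is blocked at both settings. The RGB skin-tone rule, the pixel values, the constructed images and the threshold figures are all assumptions made for the example; face detection is not modelled.

```python
"""Skin-pixel ratio filter: a toy version of the statistic PORNsweeper is
described as computing.  Added example, not Content Technologies' code.
Assumptions: the RGB skin-tone rule in is_skin() is a common textbook
heuristic, the images are constructed in-memory pixel lists, and the
"sensitivity" is a single ratio threshold.  No face detection is modelled."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Pixel = Tuple[int, int, int]

SKIN = (220, 170, 140)      # constructed skin-tone sample
SKY = (30, 60, 120)         # constructed non-skin background
GRASS = (40, 120, 50)       # constructed non-skin background


def is_skin(rgb: Pixel) -> bool:
    """Classify one pixel as skin-coloured.

    Simple RGB rule (assumed for this example): reddish, not too dark,
    with enough spread between channels to exclude greys."""
    r, g, b = rgb
    return (r > 95 and g > 40 and b > 20
            and max(rgb) - min(rgb) > 15
            and abs(r - g) > 15
            and r > g and r > b)


def skin_ratio(pixels: Sequence[Pixel]) -> float:
    """Fraction of pixels in the image that pass the skin-colour rule."""
    if not pixels:
        return 0.0
    return sum(1 for p in pixels if is_skin(p)) / len(pixels)


@dataclass
class SkinFilter:
    """Flag an image when its skin ratio exceeds the configured threshold.

    A low threshold is a strict filter (catches more, but also blocks
    ordinary portraits); a high threshold is lenient."""
    threshold: float

    def classify(self, pixels: Sequence[Pixel]) -> str:
        return "block" if skin_ratio(pixels) > self.threshold else "allow"


def make_image(n_pixels: int, skin_fraction: float, background: Pixel) -> List[Pixel]:
    """Construct a flat test image: the first skin_fraction of the pixels
    are skin-toned, the rest are the given background colour."""
    n_skin = round(n_pixels * skin_fraction)
    return [SKIN] * n_skin + [background] * (n_pixels - n_skin)


# Constructed sample images (100 pixels each, so the ratios are exact).
PORTRAIT = make_image(100, 0.20, SKY)      # head-and-shoulders shot: some skin
FLESH_HEAVY = make_image(100, 0.80, SKY)   # mostly skin-coloured
LANDSCAPE = make_image(100, 0.00, GRASS)   # no skin at all

STRICT = SkinFilter(threshold=0.15)   # assumed setting for a general user population
LENIENT = SkinFilter(threshold=0.50)  # assumed setting for a marketing department


def demo() -> dict:
    """Run both sensitivity settings over the samples and return the verdicts
    as {image_name: (strict_verdict, lenient_verdict)}."""
    return {
        name: (STRICT.classify(img), LENIENT.classify(img))
        for name, img in [("portrait", PORTRAIT),
                          ("flesh_heavy", FLESH_HEAVY),
                          ("landscape", LANDSCAPE)]
    }


if __name__ == "__main__":
    for name, (strict, lenient) in demo().items():
        print(f"{name:12s} strict={strict:5s} lenient={lenient}")
```

The portrait case is the false positive the sensitivity control exists to manage: lowering the threshold catches more unacceptable images but also blocks ordinary photographs of people, which is why a department that routinely handles such images would run a higher threshold.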
CERT stepping up disclosure of security holes
Carnegie Mellon University's CERT Coordination Center security advisory service has instituted a new policy under which it plans to publicly disclose all software flaws and vulnerabilities 45 days after they're first reported to the organisation - regardless of whether the problems have been fixed by the vendors whose products are affected by the security holes.
The policy builds on CERT's usual practice of issuing periodic security advisories to its clients. Until now, such advisories have been restricted to vulnerabilities that the centre considers to be particularly serious and in need of immediate attention by users. But as part of the new policy, CERT now will start issuing what are expected to be far more frequent "vulnerability reports" on all security problems that are reported to the centre and are verifiably true.
CERT, which has posted the details of the new policy on its Web site, said it will continue to pass on all relevant information about a specific security problem to the appropriate software vendor before making any public disclosures.
But after 45 days, the information will be released to the public along with any available fixes and workarounds that users can implement. Information about vulnerabilities that are considered particularly serious, or that would be easy for malicious attackers to exploit, will be released even earlier if the situation warrants an accelerated disclosure, said CERT member Shawn Hernan.
The idea is to provide software users with responsible, qualified disclosures while still giving vendors a reasonable amount of time to plug security holes, Hernan said. "The policy is really an attempt to balance the needs of the vendors with those of the general public," he added.
Meanwhile, the more selective security advisories that CERT currently issues will continue to be restricted to the most serious security problems and should be released at about the same pace as they are now, according to Hernan. CERT issued 17 advisories last year and has released about the same number so far this year. "When someone receives a CERT advisory, we want them to take it very seriously," he said.
CERT's plan to start making more frequent disclosures of software vulnerabilities comes at a time when some security experts are questioning the wisdom of releasing such information before vendors have a chance to fix the holes.
During a keynote speech at July's Black Hat Briefings security conference in Las Vegas, for example, security researcher Marcus Ranum charged that the full-disclosure approach isn't improving computer security. Instead, Ranum said, it's only encouraging more attacks - a contention that was challenged by other conference attendees.
CERT will try to publish reports about as many vulnerabilities as necessary under its new policy, Hernan said.
But in an attempt to minimise the possibility of attacks resulting from the disclosures, he added, the organisation doesn't plan to publicly disclose any information that could be used by malicious hackers to exploit security holes.
CERT's change in policy is a step in the right direction, said Ryan Russell, an MIS manager at SecurityFocus.com, a rival online bulletin board and security portal. Last year, the SecurityFocus site posted a total of 575 vulnerability reports.
"I'm firmly in the full-disclosure camp," Russell said. Giving users as much detailed information about vulnerabilities as quickly as possible helps companies take appropriate action to mitigate risks and protect themselves from attacks, he added.
McAfee: updates create solid contender
Utility suites are among the most popular additions to Windows because they provide essential tools for dealing with PC disasters, such as lost data, hacker attacks, and viruses that can corrupt your files. Norton SystemWorks has been the long-time leader in the utility suite category, but a new version of McAfee Office offers a vastly improved set of utilities over versions past.
Office 3.11 contains a core set of essential utilities, including McAfee VirusScan Version 5.0, McAfee Utilities Version 3.0, and McAfee UnInstaller Version 6.0. McAfee Utilities is almost a suite in itself: Among other functions, it's designed to organise your hard drive, run maintenance checks, make backups of essential system files, repair damaged files on your hard disk and recover deleted files. UnInstaller detects unneeded files that would be left on your hard drive by Windows' uninstall function.
In addition, the company has bolstered the suite with three new utilities that were formerly sold separately: Internet Guard Dog Pro Version 3.0 blocks cookies and protects your personal information (such as credit card numbers and financial data), McAfee Firewall Version 2.0 lets you set rules to protect your PC from hackers and other Internet hazards, and the updated PGP (Pretty Good Privacy) Security 6.5.8 handles encryption. (The original release of McAfee Office version 3.0 included version 6.5.3 of PGP.)
Calling all researchers
The US Social Science Research Council is offering short-term fellowships for innovative research in the fields of information technology, international cooperation and global security. Open to Ph.D students and faculty from any academic discipline and of any nationality, the in-residence fellowships must be taken during the northern hemisphere's summer of 2001.
They are designed for researchers who currently work on cooperation and security issues and who want to explore the role and impact of IT in this area, or for researchers who work in IT and want to explore its relationship to cooperation and security.
International cooperation and global security involve a wide range of issues including new forms of global regulation and surveillance; transboundary advocacy and global civil society; economic and political "crisis" and transformation; unequal access to goods and services; transnational identity politics; conflict and transboundary intervention; military and warfare practices; and power and authority in the global realm.
IT issues could involve the Internet and related technologies such as those associated with telecommunications, data processing, encryption, and systems of code; robotics, automation, and simulation; and concerns bearing directly on connectivity and content such as structures of information flow and processes of disinformation and dissemination.
Applications must be received by January 22, 2001. For more information, visit http://www.ssrc.org or e-mail Itcoop@ssrc.org