[iwar] [fc:IT.Scorecard:.Hackers.Still.Ahead.of.Security.Gurus.-.[With.comments]]

From: Fred Cohen (fc@all.net)
Date: 2002-05-22 07:29:11


Return-Path: <sentto-279987-4703-1022077643-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Wed, 22 May 2002 07:30:08 -0700 (PDT)
Received: (qmail 28715 invoked by uid 510); 22 May 2002 14:27:18 -0000
Received: from n21.grp.scd.yahoo.com (66.218.66.77) by all.net with SMTP; 22 May 2002 14:27:18 -0000
X-eGroups-Return: sentto-279987-4703-1022077643-fc=all.net@returns.groups.yahoo.com
Received: from [66.218.66.95] by n21.grp.scd.yahoo.com with NNFMP; 22 May 2002 14:27:23 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_3_2); 22 May 2002 14:27:22 -0000
Received: (qmail 46581 invoked from network); 22 May 2002 14:27:22 -0000
Received: from unknown (66.218.66.216) by m7.grp.scd.yahoo.com with QMQP; 22 May 2002 14:27:22 -0000
Received: from unknown (HELO red.all.net) (12.232.72.152) by mta1.grp.scd.yahoo.com with SMTP; 22 May 2002 14:27:22 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g4METBu07124 for iwar@onelist.com; Wed, 22 May 2002 07:29:11 -0700
Message-Id: <200205221429.g4METBu07124@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Wed, 22 May 2002 07:29:11 -0700 (PDT)
Subject: [iwar] [fc:IT.Scorecard:.Hackers.Still.Ahead.of.Security.Gurus.-.[With.comments]]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

[FC - This is, in my view, a very irresponsible story. - Comments
in brackets.]

IT Scorecard: Hackers Still Ahead of Security Gurus

James Hollander, www.NewsFactor.com, 5/21/02
<a href="http://story.news.yahoo.com/news?tmpl=story&cid=75&ncid=75&e=1&u=/nf/20020521/tc_nf/17850">http://story.news.yahoo.com/news?tmpl=story&cid=75&ncid=75&e=1&u=/nf/20020521/tc_nf/17850>

The hack occurred sometime between April 2001 and February 2002, Federal
Bureau of Investigation special agent Dawn Clenney told NewsFactor. She
was referring to one of the most significant computer network hacks to
make the news recently.

[FC - What is significant about another credit card break-in?]

Last week, 13,000 consumers were notified by Ford Motor Credit that
their personal information -- including Social Security (news - web
sites) number, address, account number and payment history -- had been
accessed by hackers who broke into a database belonging to the Experian
credit reporting agency.

[FC - This happens every few years - at one place or another.]

The bottom line is that hackers are still at least one step ahead of
even the best-funded and most sophisticated IT departments in the world,
such as those of Ford and Experian. The message to consumers: Be afraid.
Be very afraid. Hackers, at least for the moment, are way ahead of
corporate IT departments, and are even outpacing the top cybercrime
fighters in federal law enforcement.

[FC - This is rediculous.  In what sense does Ford or Experian have the
best-funded and most sophisticated IT departments in the world? They are
standard commercial companies - optimized for profits, not for security.]

Risking Privacy

"A lot of people depending on the Internet for commerce are putting
their privacy at risk," Electronic Privacy Information Center (EPIC)
director Marc Rotenberg told NewsFactor.  Indeed, it seems they are
risking more than just their privacy -- consumers are putting their most
critical data within reach of elusive cyber thieves. 

One salient point not lost on many in the IT industry is that in her
statement, Agent Clenney revealed much more than a simple timeline for
an unsolved crime.  She revealed that the FBI (news - web sites)'s
investigation is stuck in first gear. 

It does not take a sleuth to realize that if the FBI's cybercrime
experts cannot determine the date of the network breach more precisely
than a 10-month window, resolution of the case is nowhere in sight. 

[FC - How rediculous.  Do we really believe that the FBI can't tie it
down to within 10 months? IT should be relatively easy to do - if only
because of the rate of change of the records...]

Meanwhile, there is a tempest of activity at the network security
software level, with some of the IT industry's top dogs vying to prevent
hackers from accessing sensitive data servers.  Two companies offering
different approaches are McAfee and IBM (NYSE: IBM - news). 

[FC - Here comes the marketing pitch - who pays this writer?]

Server Array

McAfee has unveiled a grid-like array of computer servers that,
together, aim to restrict access to the central hub where sensitive
consumer data is stored. Each of the computers on the protective grid
must identify itself to the next one by authenticating its identity.
Thus, it is hoped, an unauthorized intruder will be identified and
stopped before reaching the central hub.

"Grid Security Services are a response to the rapidly evolving need to
continuously protect users on the Internet by leveraging the massively
distributed capability afforded by it," said McAfee president and CEO
Srivats Sampath.

True, but will this novel grid approach really work? So far, industry
experts have told NewsFactor that they are "reserving judgment." In
other words, the concept sounds plausible, but only time will tell.

IBM's New Approach

To deal with the ongoing problem of unauthorized intruders, IBM also has
announced a new approach to network security. Big Blue's newest
operating system for its eServer mainframe will have built-in digital
authentication capabilities to counter security threats.

The system relies on a concept known as "digital certificates," which
requires users to identify themselves by presenting such a certificate
to the server before they are granted access to sensitive information.

In technical terms, digital certificates are password-protected files
that are attached to electronic messages and that specify key components
of a user's identity. Signed and encrypted messages are routed to the
certificate issuer during Internet transactions, where they are verified
before the transaction can continue.

While digital certificates have been used for years, their integration
into the operating system itself is a new step taken by IBM to secure
its servers.

Consumers Brace

As we have seen, the trend to beat hackers, as demonstrated by solutions
from companies like IBM and McAfee, relies on the principle of
identifying the source of a request for database information.

But until methods of intrusion are identified by network security
experts in corporate IT departments -- or by the FBI -- we cannot be
sure that proper identification is the right solution for the problem.

So, for now, the hackers remain ahead of their network security
opponents, while consumers brace for more mishaps.

[FC - This sort of thing is rank amaturism - not even a close
approximation of real journalism.  Someone should do a story about how
much Mac-a-fee and IBM must have paid for this sort of newsish PR.]

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Save 30% on Web addresses! Get with the times, get a web site. Share information, pictures, your hobby, or start a business. Great names are still available- get yours before someone else does!
http://us.click.yahoo.com/XmK3jA/nFGEAA/sXBHAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 



This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT