[iwar] [fc:U.S..Cyber.Security.Weakening]

From: Fred Cohen (fc@all.net)
Date: 2002-01-08 13:16:03


Return-Path: <sentto-279987-4251-1010524530-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Tue, 08 Jan 2002 13:18:08 -0800 (PST)
Received: (qmail 17189 invoked by uid 510); 8 Jan 2002 21:15:51 -0000
Received: from n24.groups.yahoo.com (216.115.96.74) by all.net with SMTP; 8 Jan 2002 21:15:51 -0000
X-eGroups-Return: sentto-279987-4251-1010524530-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.162] by n24.groups.yahoo.com with NNFMP; 08 Jan 2002 21:15:30 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_1_3); 8 Jan 2002 21:15:30 -0000
Received: (qmail 73584 invoked from network); 8 Jan 2002 21:15:29 -0000
Received: from unknown (216.115.97.167) by m8.grp.snv.yahoo.com with QMQP; 8 Jan 2002 21:15:29 -0000
Received: from unknown (HELO red.all.net) (12.232.125.69) by mta1.grp.snv.yahoo.com with SMTP; 8 Jan 2002 21:15:29 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g08LG4N11122 for iwar@onelist.com; Tue, 8 Jan 2002 13:16:04 -0800
Message-Id: <200201082116.g08LG4N11122@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Tue, 8 Jan 2002 13:16:03 -0800 (PST)
Subject: [iwar] [fc:U.S..Cyber.Security.Weakening]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

U.S. Cyber Security Weakening  
Reuters, 1/8/2002 http://www.wired.com/news/print/0,1294,49570,00.html

U.S. computer systems are increasingly vulnerable to cyber attacks,
partly because companies are not implementing security measures already
available, according to a new report released Tuesday. 
"From an operational standpoint, cyber security today is far worse that
what known best practices can provide," said the Computer Science and
Telecommunications Board, part of the National Research Council. 
"Even without any new security technologies, much better security would
be possible today if technology producers, operators of critical
systems, and users took appropriate steps," it said in a report released
four months after the events of Sept. 11. 
Experts estimate U.S. corporations spent about $12.3 billion to clean up
damage from computer viruses in 2001. Some predict viruses and worms
could cause even more damage in 2002. 
The report said a successful cyber attack on the U.S. air traffic
control system in coordination with airline hijackings like those seen
on Sept. 11 could result in a "much more catastrophic disaster
scenario." 
To avert such risks, the panel urged organizations to conduct more
random tests of system security measures, implement better
authentication systems and provide more training and monitoring to make
information systems more secure. All these measures were possible
without further research, it said. 
Investments in new technologies and better operating procedures could
improve security even further, it noted. 
Herbert Lin, senior scientist at the board, said information
technologies were developing at a very rapid rate, but security measures
had not kept pace. 
In fact, he said, recommendations for improving security made by the
panel a decade ago were still relevant and timely. 
"The fact that the recommendations we made 10 years ago are still
relevant points out that there is a real big problem, structurally and
organizationally, in paying attention to security," Lin said. 
"We've been very frustrated in our ability to get people to pay
attention, and we're not the only ones," he added. 
Increased security concerns after the Sept. 11 attacks on New York and
Washington could provide fresh impetus for upgrading computer security,
Lin said. 
But he warned against merely putting more federal funds into research,
noting that it was essential to implement technologies and best
practices already available. 
"The problem isn't research at this point. We could be so much safer if
everyone just did what is possible now," Lin said. 
For instance, the report notes that passwords are the most common method
used today to authenticate computer users, despite the fact that they
are known to be insecure. 
A hardware token, or smart card, used together with a personal
identification number or biometrics, would provide much better security
for the computer system, the report said. 
The report urged vendors of computer systems to provide well-engineered
systems for user authentication based on such hardware tokens, taking
care to make sure they were more secure and convenient for users. 
In addition, it said vendors should develop simple and clear blueprints
for secure operation and ship systems with security features turned on
so that a conscious effort was needed to disable them. 
One big problem was the lack of incentives for companies to respond
adequately to the security challenge, the report said. 
It said one possible remedy would be to make software companies, system
vendors and system operators liable for system breaches and to mandate
reporting of security breaches that could threaten critical social
functions. 
Copyright © 2001 Reuters Limited.

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Tiny Wireless Camera under $80!
Order Now! FREE VCR Commander!
Click Here - Only 1 Day Left!
http://us.click.yahoo.com/WoOlbB/7.PDAA/ySSFAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 



This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:02 PST