
Computer Security Weekly, December 27, 1999


Another fight looming on the cracker/security front. (These happen with depressing regularity.) l0pht is a rather informal group that produces security testing utilities. These tools are rather rough and ready, and, as with most software of this type, can be used either to try to tighten up your own security or to try to penetrate someone else's. Recently, some of the minor names in the security field have been publishing opinion pieces condemning l0pht. Now some of the larger antivirus vendors have started identifying l0pht's tools as trojans when scanning for viruses ...

Encryption is at the heart of almost all security. Commercial encryption has tended to rely on a "Certification Authority" for key management, which is vital to encryption. Now the largest certificate authority, VeriSign, has purchased the second largest, Thawte. The newly expanded VeriSign will control very close to 100% of all certificate authority business. There is concern that having such a concentration in the market could lead to overpricing and, more importantly, possible weakness in encryption schemes.

http://www.csl.sri.com/neumann/insideris... http://www.verisign.com http://www.thawte.com


IMail is one of the POP3 agents for Windows NT. Since it is for NT, it is set up for use by multiple users, with password protection. However, the passwords are stored in the Registry, and are thus available to all users. They are stored in encrypted form, but the encryption is quite weak, and the crack has been posted to the net. The security can be enhanced by setting access controls on each key containing a password.

http://www.w00w00.org/advisories.html http://www.w00w00.org/imail_map.txt


Mailing lists are one of the oldest and most useful applications on the Internet. It used to be that you had to have access to mailing list and mail agent software in order to create one, but these days there are both paid and free outfits that will provide mailing list functions. A number of people are willing to pay for mailing list operations, because moderators have greater control over the use of the mailing list, and particularly the privacy of those on the list.

That assumption may now be in doubt. Esosoft, one of the paid mailing list providers, has now sold its entire operation, including all lists, to Topica, one of the free list operators. Topica does not have the same usage guidelines as Esosoft, and, in fact, states that it reserves the right to use the address lists on its system for any purpose, including marketing. The moderators of the various lists on Esosoft were not informed of the pending sale until after it was complete, and all list information had been transferred to Topica. One moderator contacted Topica, requested that the list be eliminated, and was assured that it would be. He subsequently found that the list was still intact, and operating, on Topica.

The copyright of the article Computer Security Weekly, December 27, 1999 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, December 27, 1999 in print or online must be granted by the author in writing.
