Computer Security Weekly, February 21, 2000


A couple more comments on the distributed denial of service (DDoS) attacks. Despite stenuous efforts by, and numerous press conferences from, the FBI, the major leads still seems to be coming from the net community. The "evidence" that Germany was involved is limited to the fact that "Mixter," a German national, wrote TFN (Tribe Flood Network) and TFN2K. The Canadian connection seems very thin indeed, and involves the discovery by a Canadian ISP that someone using the handle "mafiaboy" might have been involved in a minor copycat attack.

The US government is following a rather disturbing trend: security by press conference. Yes, there have been announcements of various budget initiatives for security, but few facts have been available. One of the announcements promoted a two billion dollar budget, but one of the items was that $240 million would be devoted to wiretap technology. Wiretaps have nothing to do with this. Clinton's press conference meeting on security had as a major recommendation the sharing of security tips. (Does this mean I get a cut of that $2 billion?)

An odd, and not very informative report, seems to indicate that US banks had some warning of the pending attacks, but the security agreements that they have prevented them from sharing this information. Clever, guys.

MSNBC story

Finally, Yahoo, in it's haste to patch the security hole, introduced a bug that created problems with its email system.

cnet story

More than a year after Melissa, some places still haven't put protection in place. The Snohomish County government email system got flooded and had to be shut down last week.
Sherlock, the new search engine in MacOS 9, has Internet search capabilities built into it as well. It also has options for plug-in modules, presumably to add new search engines. Unfortunately, under certain conditions, Sherlock will transmit the user's email address via the Internet, without the user's knowledge. Sherlock plug-ins can be written to send the address to a specific server.
A Bugtraq reader recently noted that, given all the problems with various versions of Internet Explorer, Microsoft has made the product nearly impossible to secure. There is no single service pack available, as there is for the operating systems that IE is supposedly a part of, and no accurate list of hotfixes to apply. Indeed, some of Microsoft's bulletins given incorrect information about which patches need to be applied to fix specific problems.
The copyright of the article Computer Security Weekly, February 21, 2000 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, February 21, 2000 in print or online must be granted by the author in writing.

Go To Page: 1 2

Articles in this Topic    Discussions in this Topic