In-Depth

News in Brief

Kerberos hole; broadband account attacks grow; new Homeland Security staff; master's degree in security informatics

• By Mathew Schwartz
• 04/02/2003

Kerberos Vulnerability

MIT released a patch for Kerberos. A newly discovered vulnerability allows an attacker with control of a cross-realm key to impersonate a principal in any of the connected realms. Kerberos version 4, and versions of Kerberos 5 built on version 4, are affected. Exploiting the vulnerability, an attacker could also compromise the key distribution center at the root level.

Details: http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.tar.gz

CERT: Broadband Targeted for Net Attacks

Having fun yet? The year is young, but the CERT Coordination Center at Carnegie Mellon says we’re already teetering on the brink, with increased attacks in recent weeks against computers running Windows 2000 and XP. In particular, intruders are targeting non-existent or weak administrator passwords on server message block (SMB) file shares used on systems running those two operating systems. As a result, thousands of systems have been compromised.

In particular, worms such as W32/Deloder and W32/Slackor, and IRC bots GT-bot and sdbot, are the common tools of attack. Those thousands of servers create an ideal launching point for massive, distributed denial of service attacks.

Another problem, says CERT: “intruders specifically targeting Internet address ranges known to contain a high density of weakly protected systems … The intruders’ efforts commonly focus on addresses known to be used by home broadband connections.”

Home users in particular should read CERT’s "Home Network Security" guide (http://www.cert.org/tech_tips/home_networks.html), which advises users to:

1. Disable or secure file shares
2. Use strong passwords
3. Run and maintain an anti-virus product
4. Not run programs of unknown origin
5. Deploy a firewall
6. Use ingress/egress filtering

After that, navigate over to CERT and the Secret Service’s 2002-2004 Survey of Network Security and Insider Threats (https://www.survey.cert.org/InsiderThreat/), an anonymous survey that wants to know all about companies’ “malicious insiders.” It should take 10 minutes to complete. Any insider intrusions—including former employees breaking in—between September 1, 2000 and August 31, 2002 qualify.

Homeland Security Staffs Up

The Bush administration is tapping two intelligence veterans to fill top posts in the new Department of Homeland Security. The new assistant secretary of infrastructure protection will be Robert Liscouski, director of information assurance for Coca-Cola and also on the CIA’s Intelligence Science Board. The new assistant secretary for information analysis will be a former chief of CIA counterintelligence, Paul Redmond.

To date, no one has been named to head the DHS’s Information Analysis and Infrastructure Protection (IAIP) directorate. News reports suggest that the job of undersecretary for information analysis and infrastructure protection will go to New York City’s counter-terrorism director Frank Libutti.

Master's Degree in Security Informatics from Johns Hopkins

Johns Hopkins University is offering a new master's degree program in information security that blends computer technology courses with an analysis of ethical, legal, and public policy aspects of privacy and information protection. The university's Information Security Institute will offer the program; this fall’s inaugural class will have 20 students. The program will take about a year and a half to finish.

"We've already received inquires from about 75 students, and we plan to continue to spread the word at computer science and technology centers throughout the country," says Gerald Masson, director of the two-year-old institute, which is based in the university's Whiting School of Engineering but is linked to other university divisions, such as the School of Arts and Sciences. “These connections to a broad range of experts throughout the university will help distinguish us from other programs offering information security degrees.”

Details: http://www.jhuisi.jhu.edu/education/index.html