MESSAGE
| DATE | 2003-07-30 |
| FROM | From: "Inker, Evan"
|
| SUBJECT | Subject: [hangout] Judge orders Interior to shut off Internet connections
|
Mike,
Looks like someone took your earlier advise....
Judge orders Interior to shut off Internet connections
07/28/03
By Wilson P. Dizard III,
GCN Staff
Judge Royce C. Lamberth of the U.S. District Court for the District of
Columbia late this afternoon issued a preliminary injunction requiring the
Interior Department to disconnect its IT systems from the Internet, with
some exceptions.
The preliminary injunction followed a hearing this morning in which the
plaintiffs in the Cobell v. Norton litigation, who represent American Indian
trust beneficiaries, sought the injunction. The goal of the injunction is to
protect American Indian trust accounts from intrusion via the Internet.
Lamberth wrote in today's order that Interior will not have to disconnect
any system "essential for protection against fires or other threats to life
or property." He required the department to identify and certify such
systems within 10 days and provide specific justifications for keeping them
online.
The order to remove Interior systems from the Internet was the second the
judge handed down in two years. He issued a similar order on Dec. 5, 2001,
to address similar security concerns with the trust accounts.
The judge also exempted systems that do not provide access to American
Indian trust data or are secure from unauthorized entry. Lamberth allowed
the department 15 days to certify that the systems are secure or do not
provide access to the trust data.
Lamberth ordered Interior to provide a plan within 30 days of how the court
could approve reconnections of individual systems to the Internet, and
determine whether reconnected systems should stay connected.
The reconnection plan must provide a method for the court to determine that
the reconnected systems are secure, according to the preliminary injunction.
Lamberth ruled that the court itself would decide whether reconnected
systems should stay connected to the Internet. In doing so, he eliminated
the role of special master Alan Balaran, a court official who has been
overseeing the reconnection and security testing of Interior's systems since
December 2001, when Lamberth first ordered Interior to disconnect the
systems to protect trust data. Balaran's role was established in a Dec. 17,
2001, consent order that Lamberth suspended in today's preliminary
injunction.
Interior spokesman Dan Dubray said 20 percent of the department's systems
were already disconnected from the Internet due to previous court orders. He
said he could not comment on the preliminary injunction because he had not
seen it.
Sent: Wednesday, July 30, 2003 2:54 PM
To: 'Inker, Evan'; 'hangout-at-nylxs.com'
Subject: RE: [hangout] Rogue Linux Installs on the Rise
Unplug all the computers and no more computer problems. -----Original
Message-----
From: Inker, Evan [mailto:EInker-at-gam.com]
Sent: Wednesday, July 30, 2003 2:52 PM
To: 'hangout-at-nylxs.com'
Subject: [hangout] Rogue Linux Installs on the Rise
Rogue Linux Installs on the Rise
http://computerworld.com/securitytopics/security/story/0,10801,83406,00.html
By MATHIAS THURMAN
JULY 28, 2003
A recent encounter with the Mumu worm continues to cause my company's
security team great frustration, because new infection reports keep
trickling in. And as if viruses weren't enough, we now have another problem.
As for Mumu, most of the company is aware of the outbreak. We've
communicated specific instructions via e-mail and an intranet Web page on
how to detect and remove the virus. And at this point, the desktop support
department has taken over responsibility for dealing with this issue.
But while cleaning up Mumu in remote offices, we discovered something else:
We have a growing number of unofficial Linux installations on desktops and
servers throughout the company, and they aren't configured for optimum
security.
The weaknesses from the rogue installs don't necessarily stem from the Linux
operating system itself. Rather, they come from the installation of
third-party applications and utilities, which can leave a desktop or server
vulnerable to attack if set up incorrectly.
Growing in Popularity
Until now, we haven't had a policy on using Linux because there wasn't a
need. One year ago, only a small subset of users ran Linux. The Linux
desktops mostly belonged to developers or quality assurance and technical
support staffers responsible for supporting our company's software on Linux.
Now there are many more. Employees are installing Linux on their desktops,
either as the primary operating system or as a second one alongside Windows
2000, our corporate standard.
Staff members are doing this using VMware from Palo Alto, Calif.-based
VMware Inc. and other programs that allow multiple operating systems to run
on the same machine.
Also, my company is using Red Hat Linux for more of its application servers.
For example, we recently purchased an application for conducting surveys
that runs only on Linux.
With the increased emphasis on Linux, some departments within the company,
including mine, are considering using more open-source tools to help with
day-to-day operations. I'm looking at a Linux-based knowledge base engine
for the IT security department.
Knowledge base applications are good to have, especially in a department
that has many applications to support. Certain configuration problems and
associated remedies can be stored within the knowledge base system for
future reference.
I'm also looking at security incident reporting programs to keep track of
problems that occur frequently. One thing that frustrates me is having to
read through incident reports - we generate more than 300 of them per year
-- looking for anomalies.
Currently, we write incident reports in Microsoft Word using a template and
save them on a shared drive accessible only to the security team. When an
incident occurs that might be similar to something that happened in the
past, the only way to find such incidents is to do word searches or read
through past reports.
An incident reporting and tracking system would ease that data collection
and correlation burden. I found several open-source programs that could
help, but not everyone in the company wants us to use them. One of the
problems management has with open-source is the lack of traditional support
-- the ability to call in to the software vendor's help desk. My team is
technically savvy, so we don't mind accessing forums, knowledge base sites
and other online resources to get answers.
Another objection is that troubleshooting usually requires some technical
knowledge of the operating system and programming. But for the most part, if
the application is department-specific and not mission-critical, my team and
I don't have a problem getting approval to use open-source tools.
In addition to open-source, we've deployed commercial enterprise
applications on Linux. It's a lot cheaper to run an application on Linux and
a standard PC than to purchase Solaris and a Sun server. The problem is that
each Linux installation is different, and that's a security issue. There are
so many Linux distributions that it would be difficult to create and manage
standard configurations for each.
Therefore, we're standardizing on Red Hat Linux. It offers strong vendor
support, and many enterprise applications are written specifically for it.
We will also standardize on certain applications, such as Web server,
monitoring and security software.
Vulnerable Programs
Red Hat Linux itself seems to be fairly secure, but the same can't be said
for programs that run on top of it. For example, there always seem to be
vulnerabilities associated with programs such as file transfer protocol,
sendmail and Apache. And other open-source software is vulnerable,
especially when the developer hasn't written the program with security in
mind.
One of the most common mistakes I have seen is when the developer doesn't
write the program to sanitize it or restrict dangerous data from being
passed to it. This is usually the cause of vulnerabilities such as SQL
Injection, authentication bypass, buffer overflow and other Web application
exploits.
We can't eliminate Linux, so the solution is to create standard baselines
for our Linux systems, just as we do for Solaris and Windows. We'll start by
doing this for our Linux-based Web, application and database servers. As
with our Solaris and Windows systems, we will use imaging software and
create a "jump-start" system configuration that will serve as the baseline
configuration for all machines. Hopefully, this will keep security problems
to a minimum.
Source: Computerworld
Regards,
Evan M. Inker
****************************************************************************
This message contains confidential information and is intended only
for the individual or entity named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system. E-mail
transmission cannot be guaranteed to be secure or error-free as information
could be intercepted, corrupted, lost, destroyed, arrive late or incomplete,
or contain viruses. The sender therefore does not accept liability for any
errors or omissions in the contents of this
message which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version. This message
is provided for informational purposes and should not be construed as an
invitation or offer to buy or sell any securities or related financial
instruments. GAM operates in many jurisdictions and is
regulated or licensed in those jurisdictions as required.
****************************************************************************
____________________________
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc
****************************************************************************
This message contains confidential information and is intended only
for the individual or entity named. If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is
regulated or licensed in those jurisdictions as required.
****************************************************************************
____________________________
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc
|
|
