Security: Briefs

IT pros foresee major cyberattacks on horizon

The risk of the typical U.S. company suffering at least one major cyberattack within the next year is strong, and not enough businesses are taking appropriate steps to defend themselves, according to the results of a survey released recently by the Business Software Alliance (BSA).

The survey polled 602 IT professionals. Of those professionals responsible for security issues, 60 per cent feel it is likely companies will get hit with at least one major cyberattack within the next year. While more than half of all IT professionals surveyed felt U.S. businesses have improved their security defenses since the Sept. 11 terrorist attacks, 45 per cent said companies are still not prepared for a major cyberattack. The survey did not specifically define what constitutes a “major” cyberattack; respondents were left to decide that for themselves, BSA said. U.S. businesses are devoting fewer resources to defending themselves against cyberattacks than they devoted to solving the Y2K problem, according to 47 per cent of IT professionals surveyed. On the positive side, nearly every IT professional surveyed, 94 per cent, said every computer at their company had antivirus software.

OASIS forms WS-Security committee

Microsoft Corp. and IBM Corp. recently moved one step closer to turning their security specification into a standard.

Clearing a significant hurdle for the WS-Security standard to gain recognition as a trusted means of applying security to Web services, standards body OASIS (Organization for the Advancement of Structured Information Standards) formed a technical committee to give vendors a crack at the immature specification. First published in April as part of a working partnership between Microsoft, IBM and VeriSign Inc., the WS-Security specification defines a standard set of SOAP extensions, or message headers, that can be used to attach and unify multiple security models, mechanisms and technologies – such as encryption and digital signatures – onto Web services applications whose messages traverse the Internet. Aside from the initial WS-Security roadmap, the trio also proposed specifications yet to come that address a variety of other security, policy, messaging and trust issues associated with Web services security. They include WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation, WS-Federation and WS-Authorization.

Exchange Server flaw uncovered

Microsoft Corp. and Internet Security Systems Inc. (ISS) teamed up to issue a warning to computer users recently to address a remote buffer overflow hole found within Microsoft Exchange Server Version 5.5.

By taking advantage of a flaw in how the server’s Internet Mail Connector (IMC) interprets responses to the “EHLO” command of the Simple Mail Transfer Protocol (SMTP) service, assailants can crash Exchange, blocking bi-directional e-mail traffic, or could seize total control of the machine, said Dan Ingevaldson, X-Force research and development team leader at Atlanta-based ISS. Microsoft Exchange 2000 servers are not currently at risk from the remote buffer overflow vulnerability, he said.

The IMC issues the EHLO command to other mail servers to identify itself and obtain the list of SMTP operations they support before performing e-mail delivery; the overflow lies in the handling of the reply that comes back. Microsoft has a patch available to correct the vulnerability, which can be found at But for the patch to be effective, Microsoft Exchange Server 5.5 Service Pack 3 must be installed.
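The defensive lesson of this brief is that a mail server acting as an SMTP client must treat the other server’s EHLO reply as untrusted input and enforce hard limits on it before interpreting anything. The following is an added example, not ISS’s or Microsoft’s code, and it does not reproduce the Exchange flaw (the brief gives no detail of it); it shows a reply reader that bounds every read at the RFC 2821 reply-line limit, caps the number of continuation lines (our own cap, not an RFC value), validates the reply syntax and extension keywords, and refuses to continue on any violation. The sample replies, including the oversized one standing in for a hostile peer, are constructed.

```python
import io
import re

MAX_REPLY_LINE = 512     # RFC 2821 s4.5.3.1: reply line limit, including CRLF
MAX_REPLY_LINES = 100    # cap on a multi-line reply (our assumption, not from an RFC)
REPLY_LINE_RE = re.compile(rb"^(\d{3})([ -])(.*)\r\n$")
KEYWORD_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")   # ehlo-keyword syntax


class MalformedReply(ValueError):
    """The peer's reply broke a limit we enforce; the caller should drop the
    connection rather than keep interpreting the data."""


def read_ehlo_reply(stream):
    """Read one (possibly multi-line) EHLO reply from a file-like byte stream,
    bounding every read. Returns the reply code, the greeting line and a
    mapping of advertised extension keyword -> parameter string."""
    lines = []
    code = None
    while True:
        if len(lines) >= MAX_REPLY_LINES:
            raise MalformedReply("too many reply lines")
        # Bounded read: at most one legal line plus one byte, so an overlong
        # line shows up as a chunk without its CRLF instead of filling memory.
        raw = stream.readline(MAX_REPLY_LINE + 1)
        if not raw:
            raise MalformedReply("peer closed the connection mid-reply")
        if len(raw) > MAX_REPLY_LINE or not raw.endswith(b"\r\n"):
            raise MalformedReply(f"reply line over {MAX_REPLY_LINE} bytes or not CRLF-terminated")
        m = REPLY_LINE_RE.match(raw)
        if m is None:
            raise MalformedReply("reply line does not match <code><sp|-><text>CRLF")
        this_code, sep, text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise MalformedReply("reply code changed within one multi-line reply")
        try:
            lines.append(text.decode("ascii"))
        except UnicodeDecodeError:
            raise MalformedReply("non-ASCII byte in reply text") from None
        if sep == b" ":          # a space separator marks the final line
            break
    extensions = {}
    for line in lines[1:]:       # first line is "<domain> <greeting>", not an extension
        keyword, _, params = line.strip().partition(" ")
        if not KEYWORD_RE.match(keyword):
            raise MalformedReply(f"illegal extension keyword {keyword!r}")
        extensions[keyword.upper()] = params.strip()
    return {"code": int(code), "greeting": lines[0], "extensions": extensions}


def parse_bytes(data: bytes):
    """Convenience wrapper over an in-memory buffer (stands in for a socket file)."""
    return read_ehlo_reply(io.BytesIO(data))


def rejects(data: bytes) -> bool:
    """True if the reader refuses the given reply bytes."""
    try:
        parse_bytes(data)
        return False
    except MalformedReply:
        return True


if __name__ == "__main__":
    # Constructed sample replies: a normal EHLO response and a hostile, overlong one.
    normal = (b"250-mail.example.com Hello client.example.net\r\n"
              b"250-SIZE 10485760\r\n250-8BITMIME\r\n250 HELP\r\n")
    hostile = b"250-" + b"A" * 600 + b"\r\n250 OK\r\n"
    print(parse_bytes(normal))
    print("hostile reply rejected:", rejects(hostile))
```

A 5xx reply to EHLO is returned as data (code 500, no extensions) so the caller can fall back to HELO; only syntactic and size violations raise, because those are the cases where the peer is either broken or adversarial and any further parsing is a risk.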