CNN.com
COMPUTING

Fight holiday hacker mischief with these tips

December 22, 1998
Web posted at: 1:20 PM EST

by Stuart McClure & Joel Scambray

From...

(IDG) -- Last week's exploration of the impact of Trojan code such as Netbus (see "Netbus hacker tool presents a greater threat to Windows shops than BackOrifice") got us thinking: What better time of year than the holidays for a planned epidemic of Internet mischief?

Envision with us a dancing Santa JPEG that silently wipes your hard drive clean when you click on an innocuous-looking electronic greeting card attachment.

How about a Web site link to an animated Rudolph Java file that recites "ho, ho, ho!" while a hidden executable installs BackOrifice and broadcasts your IP address to a well-trodden hacker chat room?

Maybe you don't ever open those troublemakers on production machines, but what about your users?

With this in mind, here are a few tips to make this season a safe one for your network, and some pointers to products and technologies that will keep you free of hostile code hassles throughout the new year.

Web resources

The respected mobile-code security experts at Finjan recently made available a helpful list of tips to assist network administrators in dealing with the deluge of holiday goodwill sure to come flooding across their networks (www.finjan.com). These are mostly basic precautions, but they are nonetheless important to consider. You might even want to distribute these tips to your user community. Some of these issues, such as shopping on the Net at work instead of home or using browser history files to track the source of miscreant downloads, are good policy for any company.

Finjan also recommends that network users become aware of many recent security flaws discovered in commercial Web browsers that could allow malicious content to drop down chimneys across the corporate landscape. Check out www.microsoft.com/windows/ie/security for an updated list of security vulnerabilities in Microsoft's Internet Explorer and sitesearch.netscape.com/products/security/resources/notes.html for Netscape's security bulletins.

Product helpers

Who can forget the recent flare-up of e-mail client buffer-overflow exploits and JavaScript bugs that affected Explorer, Navigator, and Qualcomm's Eudora? We've recently been bombarded by a number of press releases from the likes of Content Technologies, Worldtalk, and Sybari Software, which offer products to keep your e-mail server security as clean as December snow. Perhaps they've been gearing up in anticipation of the hefty payload of holiday-related executable content that will likely flood potential customers running mail servers with thousands of users.

Of course, one of the best places to apply a content-based security strategy is at the corporate firewall. Indeed, we look forward to an early Christmas present from the multivendor initiative behind the Common Content Inspection API, which is aimed at hammering out a unified mechanism for inspecting content that's traversing firewalls. The contribution of Check Point's Content Vectoring Protocol API to the group should also prove interesting. Stay tuned to www.stardust.com/cciapi for updates.

Those interested in the development side of content security should check out 12 rules for writing security-critical Java code, by which all Java developers should abide. Gary McGraw and Edward Felten, the authors of this list, maintain a Java security resource page at www.rstcorp.com/javasecurity/index.html. Felten has also placed a page comparing Java and ActiveX security at www.cs.princeton.edu/sip/java-vs-activex.html. Microsoft's thoughts on software component security can be found at www.microsoft.com/security/tech/authenticode.

False alarms

Now that we've got your eggnog curdled with content-security nightmares, we should remind everyone that this time of year also brings with it an increase in the number of hoaxes and false alarms about malicious viruses and other crank code. It's important to be informed about these issues and be prepared for that terrified user's inevitable forwarded e-mail with the subject line "Don't open this mail attachment!" -- asking you for advice.

If you have some time, you can check out the Computer Emergency Response Team at Carnegie Mellon University for vulnerability confirmation, and Finjan, Network Associates, or Symantec's AntiVirus Research Center for virus hoaxes.

Do the holidays look as appealing to your support staff as a fruitcake from 1985? Send us your nonexecutable holiday greetings at security_watch@infoworld.com.

Stuart McClure, a senior manager at Ernst & Young's Information Security Services, and InfoWorld Technology Analyst Joel Scambray have managed information security in academic, corporate, and government environments for the past nine years.
