Security Web Digest: Security Incidents Rising Dramatically

CERT says buffer overflows still far too common
Equinux releases Mac OS X VPN client
BSA says software piracy declines
Web filtering software sales on the upswing


By some accounts, it has been a bad year for Internet security so far: The number of incidents reported in the first half of 2003 climbed to 76,404 -- just a little shy of the 82,094 reported for the entire year of 2002, according to the CERT Coordination Center of the Software Engineering Institute at Carnegie Mellon University. For the most part, the vulnerabilities and attacks occurring on the Internet have become familiar types of disturbances, said Brian King, Internet security analyst at CERT. "The activity we see is not new or groundbreaking," he said. Buffer overflows, for example, have been known about for 20 or 30 years, he said. The problem is that computer scientists are not taught how to write secure code, and vendors do not take the time to insert the extra code to accomplish tasks like verifying user input, a step that would stop an attack like a buffer overflow.
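The input check King describes, shown as an added example in C (not code from CERT or from the article): a fixed-size buffer is filled only after the caller-supplied string is measured against it, and over-long input is rejected rather than copied or silently truncated. The helper names, the 16-byte size and the "user=" request line are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_SIZE 16   /* assumed buffer size, including the terminating NUL */

/* Copy src into a dst buffer of dst_size bytes only if it fits.
   Returns 0 on success, -1 if src is too long, unterminated within
   dst_size bytes, or a pointer is NULL. On rejection dst is left
   untouched, so a caller cannot mistake a truncated value for the
   input it was given. (Hypothetical helper, not a library API.) */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Bounded scan: never read more than dst_size bytes of src */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len >= dst_size)        /* no room for the NUL: reject, do not truncate */
        return -1;

    memcpy(dst, src, len + 1);  /* len + 1 copies the terminator as well */
    return 0;
}

/* Extract the value of a "user=<name>" line into a fixed buffer.
   Returns 0 if the name was accepted, -1 if the field is missing
   or the name does not fit. */
int parse_user_field(const char *line, char *name_out, size_t name_size)
{
    const char *prefix = "user=";
    size_t plen = strlen(prefix);
    if (line == NULL || strncmp(line, prefix, plen) != 0)
        return -1;
    return copy_checked(name_out, name_size, line + plen);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have overflowed */
    const char *lines[] = { "user=alice", "user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    char name[USERNAME_SIZE];
    for (size_t i = 0; i < 2; i++)
        printf("%-40s -> %s\n", lines[i],
               parse_user_field(lines[i], name, sizeof name) == 0 ? "accepted" : "rejected");
    return 0;
}
```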

Equinux this week released version 2.1 of its VPN Tracker, a VPN client for Mac OS X that adds security options using IPsec. VPN Tracker supports key lengths for IPsec phase 1 and 2 of 128, 192 and 256 bits. Version 2.1 includes support for the Advanced Encryption Standard (AES), the highest level of encryption commercially available. Pricing for the professional edition begins at $200; the personal edition starts at $90.

Intellectual Property

Software piracy declined two percentage points in the United States in 2002, according to a study commissioned by the Business Software Alliance (BSA). According to the annual report, the software piracy rate declined from 25 percent in 2001 to 23 percent in 2002. The nine states with the lowest piracy rates in 2002 were Illinois, Michigan, Ohio, Indiana, New York, Connecticut, New Jersey, Washington and Virginia, as well as the District of Columbia. The state-by-state study was conducted by International Planning & Research Corp.


The threat of lost productivity and exposure to legal liability is boosting sales of Web filtering packages. Frost & Sullivan forecasts that global sales of Web filtering technology will grow from $247.2 million in 2002 to $776.9 million in 2007. Media coverage of legal or disciplinary proceedings and high-profile dismissals as a consequence of downloading illegal material -- such as pornography -- is driving growth in the market, the analyst firm says. However, Frost & Sullivan's study concedes that companies have more pressing security and infrastructure requirements, such as protecting systems against malicious code.

Homeland Security

The markets for e-commerce and homeland security have at least one thing in common: It helps if you know someone. That's the conclusion of executives at CellExchange Inc., who have experience in both fields. The Cambridge company just wrapped up a $4.6 million project developing security software for domestic military bases, but the bulk of its work remains building information-sharing systems for large civilian companies. John J. Donovan, a CellExchange founder, said the company wouldn't have gotten the security work except for the crucial contacts made through other clients. The bulk of the spending is channeled through larger federal contractors such as EDS Corp. "For smaller companies, it's harder to get the work because of the need to have the contacts and actually penetrate the agencies to reach the people who can digest what someone is offering to sell them," said Richard D. Rudman, who is organizing a homeland-security law practice at the firm Piper, Rudnick in Boston.