cvemitre.org
Date: Wed Dec 29 2004 - 16:20:58 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as
new versions, upcoming conferences, new Web site features, etc. right
to your emailbox. Common Vulnerabilities and Exposures (CVE) is a list
or dictionary that provides common names for publicly known
information security vulnerabilities and exposures. CVE content
results from the collaborative efforts of the CVE Editorial Board,
which is comprised of leading representatives from the information
security community. Details on subscribing (and unsubscribing) to the
email newsletter are at the end. Please feel free to pass this
newsletter on to interested colleagues.

Comments: cvemitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/December 29, 2004
-------------------------------------------------------

Contents:

1. Feature Story
2. Hot Topic #1
3. Hot Topic #2
4. Latest Compatible Products/Services
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

CVE Included in Article Advocating Proactive Network Security on 'ZDNet'

CVE was mentioned throughout a November 30, 2004 article on 'ZDNet'
entitled "A guide to proactive network security." In the article the
author uses CVE names as a synonym for computer vulnerabilities:
". . . a single enterprise can spend thousands on firewalls, VPNs,
antivirus and IDS systems, while the real network security culprits,
"Common Vulnerabilities and Exposures" (CVEs), go largely
undetected. CVEs are essentially holes in applications that can be
attacked by hackers and cyber terrorists to steal information or bring
down networks. CVEs are a real problem and according to the 2004
E-Crime Survey are the systemic cause of over 90 percent of all
network security breaches."

The author advocates a number of steps to proactive network security
including developing and employing a security policy, locking down
mobile devices, turning on wireless encryption, using and patching
routers, using firewalls, downloading and installing commercial-grade
security tools, disabling potentially exploitable browser objects,
constantly keeping up with the latest threats, and closing known
vulnerabilities. The author states: "But preventing the attack with a
vulnerability management system to eliminate CVEs is the most
important component [of proactive network security]."

Regarding closing known vulnerabilities the author states: "Known
weaknesses in systems are called Common Vulnerabilities and Exposures
(CVEs), compiled and documented by the MITRE organization. These
vulnerabilities should be eliminated from every system on your network
by applying patches or taking other actions, as required. Technology
is available to automatically detect and eliminate CVEs. More
information is detailed at the cve.mitre.org Web site."

LINKS:

'ZDNet' article - http://news.zdnet.com/2100-1009_22-5470877.html

CVE Web site - http://cve.mitre.org

-------------------------------------------------------------
HOT TOPIC #1:

CVE Mentioned in Article about Developers Preventing Security Problems
in "eWeek"

CVE was mentioned in a December 2004 article in "eWeek Magazine"
entitled "An Applications View on Security." The main topic of the
article is a discussion about developers preventing security problems
and that "three application firewall vendors -- Teros Inc.,
NetContinuum Inc. and Imperva Inc. -- threw down a challenge to other
security vendors to submit their products to independent testing by
International Computer Security Association Labs (a division of
TruSecure Corp.) to determine their effectiveness against
application-level attacks."

CVE was mentioned in a quote by Gary Miliefsky, CEO of PredatorWatch
Inc., who states: "Most developers don't make adequate use of the
Common Vulnerabilities and Exposures data at www.cve.mitre.org. I was
speaking to a group the other night, and I said, 'Raise your hand if
you know what a CVE is.' No one raised their hand. A developer needs
to know when a product is opening a port or using any other resource
what vulnerabilities it's opening.'"

PredatorWatch, Inc. is listed on the CVE-Compatible Products and
Services page and its PredatorWatch Auditor 128 and Update Service,
PredatorWatch Auditor 16 and Update Service, and PredatorWatch Auditor
Enterprise and Update Service each recently received official
"Certificates of CVE Compatibility" at MITRE's compatibility awards
ceremony on November 18, 2004 at the "CSI Computer Security
Conference" in Washington, D.C., USA.

LINKS:

"eWeek" magazine article - http://www.eweek.com/article2/0,1759,1738994,00.asp

CVE-Compatible Products and Services page - http://cve.mitre.org/compatible/

-------------------------------------------------------------
HOT TOPIC #2:

CVE Mentioned in Article about OVAL in "Information Security Magazine"

CVE was mentioned in an article entitled "'Big O' For Testing" in the
December 2004 issue of "Information Security Magazine. " In the
article the author describes MITRE Corporation's OVAL project and
states: "The Open Vulnerability Assessment Language (OVAL) project,
headed by nonprofit MITRE and funded by the Department of Homeland
Security's U.S.-CERT, is being developed as a standardized process by
which security tool creators, operating system vendors and security
professionals test systems for exploitable vulnerabilities. XML-based
OVAL leverages MITRE's Common Vulnerabilities and Exposures (CVE)
Initiative . . . [and] gives security managers the ability to test for
a particular CVE vulnerability in OVAL-compliant applications and
platforms. OVAL will tell testers whether vulnerable software is
installed and, if so, whether it has a vulnerable configuration."

MITRE's OVAL Web site is listed on the CVE-Compatible Products and
Services page and OVAL-IDs are included as references in CVE names
when applicable.

LINKS:

"Information Security Magazine" article -
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss526_art1075,00.html

OVAL Project Web Site - http://oval.mitre.org/

CVE List - http://cve.mitre.org/cve

-------------------------------------------------------------
LATEST COMPATIBLE PRODUCTS/SERVICES:

* netVigilance, Inc. has declared that its network scanning appliance,
  EagleBox, is CVE-compatible.

* Gentoo Foundation has declared that its Gentoo Linux Security
  Advisories will be CVE-compatible.

* KDware Ltd. has declared that its incident management tool, Incident
  MiND, will be CVE-compatible.

* Privacyware has declared that its host-based intrusion prevention
  product for Microsoft Web Servers, ThreatSentry, will be
  CVE-compatible.

* ReddShell Corporation has declared that its vulnerability assessment
  and management tool, SECUREScan, will be CVE-compatible.

* Xacta Corporation has declared that its risk management capability,
  Xacta IA Manager, will be CVE-compatible.

Find more information on these and other products at
http://cve.mitre.org/compatible/

-------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Mentioned in Product Review Article in "Network Computing"

* "Certificate of CVE Compatibility" Awarded to Trend Micro, Inc.

* Seven "Certificates of CVE Compatibility" Awarded to Internet
  Security Services, Inc.

* Two "Certificates of CVE Compatibility" Awarded to Symantec Corporation

* CVE Mentioned in PredatorWatch, Inc. Press Release

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Christey, Information Security Technical
Center. Writer: Bob Roberge, Corporate Communications. The MITRE
Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related
to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message
"SIGNOFF CVE-Announce-list", then send the message to:
listservlists.mitre.org. To subscribe, send an email message to
listservlists.mitre.org with the following text in the BODY of the
message: "SUBSCRIBE CVE-Announce-List".

Copyright 2004, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cvemitre.org.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]