
In brief: Cisco issues patch for Aironet hole

Dec 08, 2003

Plus: New group to tackle patch management; IBM submits draft security language to W3C; IDC says IT spending to increase; Diebold won’t go after those who post documents on its flaws; Homeland Security warns of government regulation of high tech.

Cisco is warning customers using its Aironet wireless access points about a security vulnerability that could let attackers obtain keys used to secure communications on wireless networks.

The vulnerability affects Aironet 1100, 1200 and 1400 series access points and could let Wired Equivalent Privacy keys be sent as plain text over corporate networks that use an SNMP server and have a specific option enabled on the access point, Cisco says.

To be vulnerable, organizations have to be using an affected Aironet model with the IOS software, have an SNMP server deployed, be using static WEP keys for encryption and have enabled an option on the access point called “snmp-server enable traps wlan-wep.” That option is disabled by default on Aironet access points, Cisco says. Cisco has issued a patch for vulnerable versions of the IOS software, 12.2(13)JA1.
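The advisory describes the exposure as a conjunction of conditions rather than a single bug, which makes it a good candidate for a configuration audit. The following is an added example, not code from Cisco or from the original article: a small Python script that reads an IOS running-config, checks for the "snmp-server enable traps wlan-wep" option the article names alongside an SNMP trap host and a static WEP key, and shows the config with the trap option returned to its disabled default. The sample config is constructed, and the "encryption key ... transmit-key" lines are assumed here to be how a static WEP key appears in the config; the only setting the article itself names is the trap option.

```python
"""Audit a Cisco IOS (Aironet) running-config for the WEP-key SNMP-trap exposure.

Added example, not vendor code. Flags the three conditions the advisory lists:
the wlan-wep trap option, an SNMP trap host, and static WEP keys.
"""
import re

# Constructed sample config; not from any real device. The "encryption key"
# lines are an assumed representation of static WEP keys on a Dot11Radio interface.
SAMPLE_CONFIG = """\
hostname ap-lobby
!
interface Dot11Radio0
 encryption mode wep mandatory
 encryption key 1 size 128bit 0 1234567890ABCDEF1234567890 transmit-key
!
snmp-server community monitor RO
snmp-server host 10.0.0.5 traps monitor
snmp-server enable traps wlan-wep
end
"""

# Anchored so that an explicit "no snmp-server enable traps wlan-wep" does not match.
TRAP_RE = re.compile(r"^[ \t]*snmp-server enable traps wlan-wep[ \t]*$", re.M)
SNMP_HOST_RE = re.compile(r"^[ \t]*snmp-server host\s", re.M)
# Assumed pattern for a static WEP key line (hypothetical, see lead-in).
STATIC_WEP_RE = re.compile(r"^[ \t]*encryption key \d+ size", re.M)


def audit_config(config: str) -> dict:
    """Return which conditions hold and whether all of them hold together."""
    findings = {
        "wep_trap_enabled": bool(TRAP_RE.search(config)),
        "snmp_host_configured": bool(SNMP_HOST_RE.search(config)),
        "static_wep_keys": bool(STATIC_WEP_RE.search(config)),
    }
    # The advisory's exposure requires every condition at once; one alone is
    # worth noting but is not the plaintext-key-over-SNMP case.
    findings["exposed"] = all(findings.values())
    return findings


def disable_wep_trap(config: str) -> str:
    """Return the config as it would look after the trap is returned to its
    disabled default. On the device this is done with
    'no snmp-server enable traps wlan-wep' in configuration mode; the
    default-off setting is simply absent from the running-config."""
    return TRAP_RE.sub("", config)


def remediation_commands(findings: dict) -> list:
    """Commands to apply when the audit reports exposure (empty list otherwise)."""
    if not findings["exposed"]:
        return []
    return ["configure terminal", "no snmp-server enable traps wlan-wep", "end"]


if __name__ == "__main__":
    before = audit_config(SAMPLE_CONFIG)
    print("before:", before)
    print("commands:", remediation_commands(before))
    print("after:", audit_config(disable_wep_trap(SAMPLE_CONFIG)))
```

Disabling the trap removes the condition that causes the key to be transmitted, but the article's actual fix is the patched IOS release; the audit is useful mainly for finding access points where someone has turned the non-default option on.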

Patching is such a headache these days that a number of security experts have gotten together to form, a support group where network managers, systems administrators and security professionals can discuss all things patching. The discussion list will focus on operating systems, applications and network devices.

The moderators will include Eric Schultze, chief security architect for Shavlik Technologies and former program manager for the Microsoft Security Response Center; Tina Bird, a member of the Information Security team at Stanford University; Jason Chan, principal security architect for @stake; and Ben Laurie, director of the Apache Software Foundation. 

IBM has submitted a draft of its Enterprise Privacy Authorization Language to the World Wide Web Consortium to develop. IBM is turning EPAL over to the W3C in the hope that it will be turned into a standard that will help automate privacy management tasks, improve consumer trust and reduce the cost of privacy compliance, the company said.

EPAL is a programming language based on XML that will let software developers build security policy enforcement features directly into enterprise software applications. Using EPAL, personal data could have policies attached to it as it moves from application to application within a company. IBM introduced EPAL in July as a way to move beyond user identity-based security.

The standard builds upon existing privacy specifications such as the Platform for Privacy Preferences, which the W3C released in April 2002. The W3C said the organization was “pleased to receive the EPAL Submission” from IBM.

IDC last week announced its annual IT predictions for the coming year, and according to the research firm’s worldwide analysis, spending will increase and infrastructure will evolve to better support business-driven initiatives. IDC Senior Vice President Frank Gens said IT spending would grow 6% to 8%, up from previous predictions of just less than 5%.

Gens said enterprise adoption of business-oriented applications and the need to upgrade hardware after a three-year drought would drive the upturn in IT buying. “We could be in for a refresh of 3-year-old or older IT infrastructure in 2004,” he said. “IT organizations have been sitting on their hands for years, but this optimism certainly is fragile considering the last few years.” Radio frequency identification also will see slower growth than previously expected, IDC says.

In a move hailed as a victory for free speech advocates, Diebold Election Systems said last week that it wouldn’t follow up on its threats to sue those who published information that indicated flaws in the company’s electronic voting machines. Diebold declined to give specific reasons for dropping the legal threats.

The dispute between Diebold and various voter rights activists arose after a hacker broke into a Diebold Web server in March and was able to access information concerning issues with Diebold election equipment. The documents, which indicated flaws in the touch-screen voting machines and irregularities in certifying the machines for actual elections, were leaked to the press in August. Diebold used the controversial Digital Millennium Copyright Act of 1998 to pressure universities and ISPs to take down the copies of its internal information.

Top officials from the U.S. Department of Homeland Security last week warned members of the high-tech industry that unless they took concrete steps toward cybersecurity, their industry could face government regulation. “It should go without saying that the continued success of protecting our cyberspace depends on the continued investment of each of you and the businesses you represent,” said Homeland Security Secretary Tom Ridge, addressing the National Cyber Security Summit.

The Department’s Assistant Secretary for Infrastructure Protection Bob Liscouski was more direct on the need for industry self-regulation: “You’ve got to help us tell that story, because if we can’t tell that story, there are a lot of people willing to legislate how you should be doing that work.”