# 95-11

Contents

- Commercial Distribution of WinWord.Concept Virus
- New Orleans in December
- Internet Security--Not the Dark--But Middle Ages
- RIP CVDQ/UTR
- CSI Survey Results
- CSL Contingency Planning

1. The October 1995 edition of Virus Bulletin confirms that Microsoft has admitted shipping the WinWord.Concept virus on a Windows 95 compatibility test CD-ROM, entitled "Windows 95 Software Compatibility Test Version 4.0". Virus Bulletin also acquired another CD-ROM from a UK company called ServerWare which had the same virus. This second CD-ROM, entitled "Snap-on Tools for the Windows NT Professional", went to "more than five and a half thousand Windows NT users" per the Virus Bulletin article. The wide geographic dispersion of initial infection reports is obviously related to these developments.

2. The advance program for the Eleventh Annual Computer Security Applications Conference, December 11-15, 1995, New Orleans, LA, is now available. There will be a two day symposium on INFOWAR- Defend on December 11-12 before the conference, along with a variety of tutorials on firewalls, security architecture, protection profiles and common criteria, open systems security, authentication and key distribution systems. Bob Courtney will present the Distinguished Lecture on December 13. You may contact George Mason University at 703-993-2090 for additional details. Dockmaster, Risks Forum, and other Internet resources have as well posted information on registration.

3. The latest edition of the IEEE Computer magazine has a clever and interesting article, very short, entitled "Internet Security Enters the Middle Ages".

4. The "Underground Technology Review" has ceased publication with its October 1995 edition. The editor/author, Mark Ludwig, began publication of the "Computer Virus Development Quarterly" in the fall of 1992. CVDQ became UTR with an intended monthly distribution schedule about a year ago. Apparently the financial results have not been favorable. In my opinion the quality of the publication has deteriorated in recent months, with political and social commentary overshadowing technical discussions. The demise was probably inevitable.

5. The Computer Security Institute, an organization specifically dedicated to information systems security matters, has distributed the results of a survey of Fortune 500 corporations, government agencies, and universities. There were 320 responses. I have enclosed a few of the results.

   a. "Does your organization use the Internet?"
      78% Yes
      22% No

   b. "Has your company experienced an Internet security incident?"
      20% Yes
      75% No
      5% NA
      (Note: I do not understand the NA on the assumption those who do not use the Internet should not have had to answer the question.)

   c. "Does your organization use a firewall?"
      48% Yes
      34% No
      18% NA

   d. "What type of firewall do you have?"
      52% Screening router
      43% Dual homed or application gateway
      5% Other

6. The September 1995 "CSL Bulletin" has an excellent overview of contingency planning. In six pages one has a training planning guideline or lesson plan depending upon your needs. Electronic copies are available on the NIST security BBS/Internet host. You may subscribe by sending an e-mail message to mailserv@nist.gov with the text subscribe csl-bulletin.

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author, not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]