Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #11

March 14, 2001


By announcing the Russian and Ukrainian extortion attacks the FBI has
caused an extraordinary change in the opinions held by journalists and
business folks. One journalist from a major business publication told
me that he used to think of web attackers like the human spiders who
climb up the sides of buildings. Now he thinks of them as criminals who
need to be stopped. Similar conclusions have been voiced by other
journalists. As they make the transition, they are likely to bring
their readers with them and give improved security a boost. (Also see
the third story under TOP OF THE NEWS for a pointer to the free tool
that checks Windows NT systems for the FBI-reported vulnerabilities.)
Separately, there are six days left until the early registration
deadline for SANS 2001 in Baltimore. http://www.sans.org/SANS2001.htm


AP

TOP OF THE NEWS

8 & 9 March 2001 FBI Warns of Enormous Credit Card Theft
9 March 2001 Early Warning Helped
9 March 2001 Industry/Government Consortium Releases Free Tool To Block Russian Attacks
9 March 2001 Thieves Steal Personal Info via Internet
7 & 8 March 2001 Tool Can Crack Passwords on Some IBM E-Commerce Software
5 - 8 March 2001 Bibliofind Security Breach

THE REST OF THE WEEK'S NEWS

9 March 2001 Cracker Sentence Includes Programming
8 March 2001 Web-Enabled Gadgets Ripe for Abuse, Says Privacy Expert
8 March 2001 Credit Card Fraud Trail Leads to Yugoslavia
8 March 2001 NIAP Forum Focuses on Need for Security Requirements
7 & 8 March 2001 Microsoft Will Make Source Code Available to Some Customers
7 March 2001 Naked Wife Virus
7 March 2001 Seven-Line DVD Descrambling Program
7 March 2001 Hamas Site Suffers Redirect Attack
7 March 2001 Honeypot Ethics
6 March 2001 Study Critical of Remote Internet Voting
5 March 2001 Web "Bug" Detecting Tools Emerge
5 March 2001 Managed Security Services
5 March 2001 PKI Used for Secure Website Communication
5 March 2001 GAO Report on Federal PKI Implementation Challenges
5 March 2001 Price Tag Altering Scams
28 February 2001 NIST Soliciting Comments On Draft FIPS

TUTORIAL

9 March 2001 HIPAA Compliance Makes Good Sense


********* Sponsored by VeriSign- The Internet Trust Company *********
Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "SecuringYour Web site for Business" and you'll
learn everything you need to know about using 128-bit SSL to encrypt
your e-commerce transactions, secure your corporate intranets and
authenticate your Web sites. 128-bit SSL is serious security for your
online business.
Get it now! http://www.verisign.com/cgi-bin/go.cgi?a=n094410560008000
**********************************************************************

TOP OF THE NEWS

8 & 9 March 2001 FBI Warns of Enormous Credit Card Theft

The FBI says groups in Russia and the Ukraine have stolen more than one million credit card numbers from vulnerable websites. The agency's National Infrastructure Protection Center (NIPC) advises Internet businesses to be vigilant about data protection and to patch known security holes. Some of the crackers attempted to extort payments from the Internet companies, and when their demands weren't met, they published the card information on-line.
-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58414,00.html
-http://www.usatoday.com/life/cyber/tech/2001-03-08-fbi-hackers.htm
-http://www.washingtonpost.com/wp-dyn/articles/A43993-2001Mar8.html
-http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/
2001/03/09/MN225220.DTL

9 March 2001 Early Warning Helped

The FBI's warning about website intrusions by organized rings of Eastern European crackers may have thwarted a number of attacks. Security experts lauded the FBI for releasing forensics information that helped defenders, even though the information comes from ongoing investigations.
-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58475,00.html

9 March 2001 Industry/Government Consortium Releases Free Tool To Block Russian Attacks

The Center for Internet Security published PatchWorks, a free tool that tests Windows NT systems to determine whether the FBI's list of necessary patches are in place, points directly to the patches on Microsoft's site if they are not, and retests to be certain they were installed correctly. It also attempts to determine whether systems have been compromised by checking for telltale files. The Center is a not- for-profit consortium of 150 user organizations from 14 countries that jointly develop consensus on the priority of cyber threats and work together to forge tools to counter those threats.
-http://www.cisecurity.org/patchwork.html
[Editor's (Paller) Note: Three security questions are often asked by savvy senior managers: "What are the most important threats? How do we counter them? And Are we doing as much as our competitors to improve security?" Those are the questions the Center helps answer. If your organization has any customer information stored on computers accessible from the Internet, you owe it to your customers to become active in the Center's work and to gain from the unique knowledge that comes from consolidating the experiences of more than a hundred of government and commercial organizations.
-http://www.cusecurity.org]

9 March 2001 Thieves Steal Personal Info via Internet

Microsoft co-founder Paul Allen and Metromedia International Group Chairman John Kluge are among executives who allegedly had their identities stolen and bank accounts looted by two Internet thieves, according to a report.
-http://news.cnet.com/news/0-1007-200-5078246.html?tag=prntfr

7 & 8 March 2001 Tool Can Crack Passwords on Some IBM E-Commerce Software

A pair of Danish hackers have published a tool that can be used in conjunction with flaws in IBM's Net.Commerce and WebSphere software to crack encrypted user passwords. A specially crafted URL can execute a macro on unprotected servers that will expose user names and encrypted passwords, and the hackers discovered that the software encrypts passwords with a fixed key. IBM noted the macro flaw two years ago. The hackers have asked people not to take advantage of the vulnerability.
-http://news.cnet.com/news/0-1003-200-5068115.html?tag=prntfr
-http://www.internetnews.com/wd-news/article/0,,10_707381,00.html
This IBM site describes the security hole and outlines corrective action:
-http://www-4.ibm.com/software/webservers/commerce/servers/2001-2.htm
[Editor's (Murray) Note: If they really did not want anyone to use the code, they need not have published. Of course, we all know that they published in order to demonstrate their cleverness. Those of us who give recognition to the cleverness while not censuring the recklessness are contributing to disorder and deserve what we get ]

5 - 8 March 2001 Bibliofind Security Breach

An internal investigation of a website defacement at Bibliofind, an on- line bookseller, turned up evidence that crackers had downloaded files containing customer credit card information a number of times between October 2000 and February 2001. Routine maintenance did not detect the breaches. The company has since removed the information from its servers and has contacted credit card companies and customers. While a Bibliofind spokesman says it does not appear that anyone's information has been misused, one on-line retailer claims to have detected a series of fraudulent credit card transactions last fall; the cards belonged to a group of people whose only link was having shopped at Bibliofind.
-http://www.cnn.com/2001/TECH/internet/03/05/bibliofind/index.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2692833,00.html
-http://www.msnbc.com/news/540158.asp?0nm=T24A
-http://www.guardianunlimited.co.uk/business/story/0,3604,448383,00.html
(merchant story)
[Editor's Notes: (Murray) The credit card companies should refuse to do business with merchants who insist upon storing credit card numbers in the clear on servers directly connected to the Internet. (Paller) VISA is leading the way in forcing merchants to implement encryption in both stored and transmitted data. ]


*********** Also sponsored by Network-1 Security Solutions ***********
Don't Skimp - Use a Full-Force Firewall on Servers
CyberwallPLUS protects NT/ 2000 servers against attacks using stateful
packet inspection and fine-grain access controls. It also provides
active intrusion detection that resides directly on the server.
Central management and logging facilities make it ideally suited for
enterprise deployment. Don't skimp!
Free 30-day evaluation: http://www.network-1.com/support/download.html
**********************************************************************

THE REST OF THE WEEK'S NEWS

9 March 2001 Cracker Sentence Includes Programming

Dennis Moran, the New Hampshire teenager who defaced a number of websites, has been sentenced to spend nine months in jail and to pay $5,000 to each of his victims. As an additional part of his sentence, he has been ordered to help program the jail computers.
-http://www.usatoday.com/life/cyber/tech/2001-03-09-coolio.htm
-http://news.cnet.com/news/0-1003-200-5080727.html?tag=prntfr

8 March 2001 Web-Enabled Gadgets Ripe for Abuse, Says Privacy Expert

Richard Smith, a computer privacy expert, says web-enabled gadgets can pose a threat to consumer privacy. While fitness monitors that send data to a website, biometric identification, and devices like web cameras can be viewed as valuable technology, they also present the opportunity for abuse by unscrupulous companies and individuals.
-http://news.cnet.com/news/0-1005-200-5067281.html?tag=prntfr
-http://www.zdnet.com/zdnn/stories/news/0,4586,2693860,00.html

8 March 2001 Credit Card Fraud Trail Leads to Yugoslavia

A man in Utah traced fraudulent charges on his wife's credit card to someone in the metallurgy department at the University of Belgrade. The University's systems administrator found a file that appeared to be credit card information for 20-30 people. The company from which the information was stolen has been out of business since Thanksgiving.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58395,00.html
[Editors' (Grefer and Murray) Note: The credit card company acted to inform its customers and the Utah man followed up. ]

8 March 2001 NIAP Forum Focuses on Need for Security Requirements

The National Information Assurance Partnership (NIAP) brought together security experts from government, industry and academia to discuss ways to incorporate security requirements into the development cycle of products. Everyone agreed that the first essential step is to define security requirements.
-http://www.fcw.com/fcw/articles/2001/0305/web-niap-03-08-01.asp
[Editor's (Murray) Note: True but not particularly helpful. We have had long lists of security requirements since the early days of the Orange Book. The problem is that they are met at the expense of some other desirable characteristic of the product. Neither is there a shortage of security features and properties in our products. The problem is that they are not consistently applied and often deliberately compromised in favor of some other value. Currently the value most often cited is market pressure but ease of use has often been high on the list. Also high on the list is operator convenience. This is the one that accounts for in-band management of systems, a characteristic that accounts for a large measure of the problems in the Internet today. ]

7 & 8 March 2001 Microsoft Will Make Source Code Available to Some Customers

Microsoft is expanding Windows source code access to about 1000 of its large biggest customers. Customers with more than 1500 in-house licenses will be offered read-only access to source code for Windows 2000, Windows XP, and all attendant service packs.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58380,00.html
-http://www.wininformant.com/Articles/Index.cfm?Articleclass=20226

7 March 2001 Naked Wife Virus

The Naked Wife virus arrives disguised as a Macromedia Flash movie, and delivers not racy pictures but a nasty payload, erasing vital Windows and system files and mailing itself to the entire Outlook address book of infected machines. Some information in the virus's source code suggests that it originated in Brazil, though not all anti-virus firms agree on that point. As always, users should refrain from opening unexpected attachments.
-http://www.msnbc.com/news/540062.asp?0nm=T21D
-http://www.usatoday.com/life/cyber/tech/2001-03-06-nakedwife.htm
-http://www.cnn.com/2001/TECH/internet/03/07/virus.brazil.02/index.html

7 March 2001 Seven-Line DVD Descrambling Program

Two MIT programmers have written a seven-line program in Perl that decrypts and plays DVD movies. The Motion Picture Association of America (MPAA), which is embroiled in a suit against the on-line magazine 2600 over their links to sites containing another DVD descrambling program, DeCSS, is looking into the matter. Because the new program lacks the five-byte title key, it apparently does not violate the Digital Millennium Copyright Act, which the MPAA used in its lawsuit against DeCSS.
-http://www.wired.com/news/culture/0,1284,42259,00.html
-http://news.cnet.com/news/0-1005-200-5058111.html?tag=prntfr

7 March 2001 Honeypot Ethics

Some security experts express concern that honeypots, decoy systems designed for the express purpose of surreptitiously observing cracker behavior, are unethical and perhaps even illegal.
-http://www.wired.com/news/culture/0,1284,42233,00.html
[Editor's (Cowan) Note: Other security experts express concern that honeypots are expensive and ineffective. ]

6 March 2001 Study Critical of Remote Internet Voting

A study commissioned by the National Science Foundation (NSF) concludes that voters should not be allowed to cast Internet ballots from remote locations, like work and home, because of security and reliability concerns. However, poll-site Internet voting could boost convenience and efficiency, according to the report, which was conducted by the Internet Policy Institute (IPI) and the University of Maryland.
-http://www.wired.com/news/politics/0,1283,42229,00.html

5 March 2001 Web "Bug" Detecting Tools Emerge

Several companies have developed tools that help Internet users detect and thwart web "bugs," hidden code which can be used for a variety of purposes from tracking web surfing habits to stealing files from or installing files on computers. One company plans to offer a service that assigns a risk value to websites based on the number of web "bugs" present; others plan to offer "bug" scrubbing services.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2692472,00.html

5 March 2001 Managed Security Services

The increasingly complexity of information security is leading some federal agencies to outsource security functions. Support available from managed security services includes vulnerability analysis, assessment and penetration testing, and real-time management.
-http://www.fcw.com/fcw/articles/2001/0305/tec-netsec-03-05-01.asp
[Editors' Notes: (Murray) They also include near-real-time monitoring and early attack response. There is also intelligence available to the cross-enterprise operators that is not available to the enterprise. ]
(Cowan) Outsourcers should be closely scrutinized. Terrorist groups and competitors may be able to insert moles into outsourcing organizations. ]

5 March 2001 PKI Used for Secure Website Communication

Students and alumni of the Defense Department's Defense Computer Investigations Training Program (DCITP) are using PKI technology to communicate on a secure website. Users can access the site from any Internet address; teams of hackers on both offense and defense have tested the site's security.
-http://www.fcw.com/fcw/articles/2001/0305/mgt-pki-03-05-01.asp

5 March 2001 GAO Report on Federal PKI Implementation Challenges

A General Accounting Office (GAO) report enumerates the challenges government agencies face in implementing PKI technology, including interoperability of agency PKIs, scalability, and the high cost of building a PKI. The GAO report also recommended that the Office of Management and Budget (OMB) establish PKI implementation standards for government agencies.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58343,00.html
[Editors' Note: That said, the government is far ahead of the private sector in PKI. This is one security technology where the government really is in the vanguard. ]

5 March 2001 Price Tag Altering Scams

A security executive says many shopping cart applications are vulnerable to phony price tag alterations through the use of "edit page" and "publish" features on standard browsers. Some e-commerce sites monitor orders for pricing irregularities, while others don't detect the problems until they conduct quarterly or annual audits.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2692337,00.html?
chkpt=zdhpnews01
[Editors' Notes: (Grefer) This is simply theft -- the equivalent of pealing off the price tag of a low-priced item and sticking it onto a high priced one. (Cowan) E-commerce systems should NEVER trust ANY result coming back from a Javascript applet that they sent to the browser ]

28 February 2001 NIST Soliciting Comments On Draft FIPS

NIST has announced that it is soliciting public comments on the Draft FIPS for the Advanced Encryption Standard (AES). The 90-day comment period will close on May 29, 2001. Copies of the Draft FIPS and other information related to the AES are available at the AES home page.
-http://csrc.nist.gov/encryption/aes/index.html
TUTORIALS

9 March 2001 HIPAA Compliance Makes Good Sense

The author, a security analyst, says that adhering to the Health Insurance Portability and Accountability Act's (HIPAA) requirements makes good business sense. Compliance is attained not by merely installing new software, but by implementing security practices which will attract customers who want to do business with an organization that values personal medical information privacy and security. University medical centers may face special compliance challenges due to the open nature of their systems.
-http://www.computerworld.com/cwi/story/0,1199,NAV65-663_STO58467,00.html


== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz