SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #16
April 18, 2001
Mobile security has become a major topic of discussion in boardrooms
and will heat up even more, very shortly. For those of you who want to
understand the issues, Bill Murray prepared a brief discussion and
provided a pointer to a well-researched article from ZDNet News. They
are in the Tutorial section below.
We're excited about the growth in numbers of people coming to SANS 2001,
SANS Fire, and the regional conferences, but we understand that some of
you work in places that cannot send you to training right now. If that's
your case, try out the online programs. They are greatly expanded,
covering far more of the certification tracks, and people who use them
(over 9,000 so far) say they are actually the most effective method for
mastering the material quickly. (But those same people still would
rather attend the live programs.)
Online training: http://www.sans.org/giactc.htm
Live conferences: http://www.sans.org
AP
TOP OF THE NEWS
14 April 2001 What Egghead.com Learned11 April 2001 Chinese Hacking
10 & 11 April 2001 Alcatel Modem Security
10 April 2001 FTP Security Hole
THE REST OF THE WEEK'S NEWS
14 April 2001 Philippine Hackers13 April 2001 Digital Signatures Could Help Prevent On-Line Credit Card Fraud
12 April 2001 Closed-Circuit Execution Security
11 April 2001 Computer Dealer Sends Virus to Competitor
10 April 2001 Pioneer Accidentally Sends Out Troj_Hybiris
11 April 2001 Russian Hacker Claims US Diplomats Tried to Hire Him To Steal Files
11 April 2001 Shopping Cart Software Flaw Allowed Credit Card Theft
10 & 11 April 2001 Windows XP Security
9 & 10 April 2001 German Interior Minister's Questionable Remarks
9 April 2001 Warner Bros. Online Security Breach
9 April 2001 Cyber Forensics
9 April 2001 Reassessing Security
9 April 2001 Australian Legislation Addresses Cyber Crime
9 April 2001 Security Manager's Journal: Fire Drills
9 April 2001 IT Security in Prisons
TUTORIAL
Wireless security flaws are being recognized and publicized. Here Newsbites editorial board member Bill Murray introduces a rather good wireless security opinion/news.******* This issue sponsored by Entercept Security Technologies ******
HACKED IN 60 SECONDS OR LESS - that's how long it takes a hacker to
bypass your firewall and wreak havoc: Defacing Web sites or shutting
you down is their reward.
ENTERCEPT PROTECTS e-SERVERS FROM KNOWN AND UNKNOWN ATTACKS - BEFORE
damage occurs. Find out how to protect your e-Servers AND your business.
View Entercept's online demo at http://www.entercept.com/sans/aprnb
**********************************************************************
TOP OF THE NEWS
14 April 2001 What Egghead.com Learned
This article offers a relatively detailed account of the Egghead.com database crack that took place in December, 2000. CEO Jeff Sheahan discusses what he would and wouldn't do differently if faced with a similar situation. A consulting company that provided investigative and forensic services on the case concluded that the cracker had been unsuccessful in penetrating the customer database. Egghead conducted a thorough security review resulting in stronger password procedures.-http://www.retailtech.com/content/coverstories/apr01.shtml
[Editor's (Cowan) Note: A good story, even if the journalist is unclear on the relationship between an executable program and a zipped archive. (Murray) I thought it was a great article until I got to lessons learned. I would hope they learned more than the article suggested. I would hope that they learned not to permit logon to servers from the public network. Failing that, I hope that they learned to use strong authentication. ]
11 April 2001 Chinese Hacking
Despite strict laws against hacking, Chinese hackers are being urged to target US systems in retaliation for the recent mid-air collision, and Vigilinx CEO Bruce Murphy believes the Adore worm was written in retribution for the incident. In 1999, Chinese hackers attacked a number of US government systems in retaliation for the bombing of the Chinese Embassy in Belgrade. A security consultant recently discovered that a Chinese hacker authored the Lion worm. The Chinese government requires anti-virus vendors to provide complete virus code samples if they want to do business in China, leading some security experts to question their motives.-http://www.wired.com/news/politics/0,1283,42982,00.html
10 & 11 April 2001 Alcatel Modem Security
Crackers could take advantage of a vulnerability in Alcatel high-speed modems to shut down a user's connection, monitor LAN traffic, or launch denial-of-service attacks. Crackers could remotely deactivate protections that would allow them to install firmware. Alcatel suggests its customers install firewalls to protect themselves. Researchers who discovered the flaw say it is arcane and exploits for it are unlikely to become widespread.-http://news.cnet.com/news/0-1004-200-5567751.html?tag=prntfr
-http://www.infoworld.com/articles/hn/xml/01/04/11/010411hnalc.xml?0411alert
-http://dailynews.yahoo.com/h/ap/20010411/tc/modem_flaw_1.html
[A fascinating (but unverified) look at how Alcatel's management struggled over the media update distributed in response to the disclosure may be found at
-http://morons.org/articles/1/188.
The authors (not Alcatel) use profanity. ]
10 April 2001 FTP Security Hole
PGP security has discovered a flaw in the "globbing" command of many FTP server systems that could be used to cause buffer overflows and allow crackers to gain root control privileges on the system. PGP has released a tool that can help users identify vulnerable systems.-http://www.wired.com/news/technology/0,1282,42955,00.html
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59463,00.html
******** Also sponsored by VeriSign -The Internet Trust Company ******
Intranets, Extranets, Virtual Private Networks,and e-commerce
applications require an advanced public key infrastructure (PKI). Get
our FREE White Paper "PKI - the VeriSign Difference" and learn how to
protect your company's vital data.
Click Here! http://www.verisign.com/cgi-bin/go.cgi?a=n112433530152000
**********************************************************************
THE REST OF THE WEEK'S NEWS
14 April 2001 Philippine Hackers
A lack of jobs has led qualified Philippine programmers into the realm of hackers.-http://www.time.com/time/asia/digital/printout/0,9788,105665,00.html
13 April 2001 Digital Signatures could Help Prevent On-Line Credit Card Fraud
The author posits the idea that requiring on-line shoppers to attach digital signatures with each purchase could go a long way toward thwarting on-line credit card fraud. One impediment to such a plan is the fact that digital signatures have not been standardized.-http://www.msnbc.com/news/559034.asp?0nm=T17L
[Editor's (Murray) Note: The standard is called SET. The credit card companies are the ones to implement this. They are doing so. (See American Express Blue.) They understand that this technology must be "enabled" and that it cannot be "required." ]
12 April 2001 Closed-Circuit Execution Security
Experts surmise that the Justice Department plans to use ISDN lines to transmit the closed-circuit video of Timothy McVeigh's execution. Interception would require actual physical access to the network or line; but if that occurred, the encrypted video could be saved and decrypted at leisure. A more likely security risk would be far more low-tech: an audience member with a tape recorder or tiny camera.-http://www.wired.com/news/politics/0,1283,43040,00.html
[Editor's (Cowan) Note: this situation is an allegory for people who think that SSL will protect their web site, and for "digital rights management" proponents who think that digital copy prevention schemes will prevent music and video piracy. ]
11 April 2001 Computer Dealer Sends Virus to Competitor
A Devon, UK computer dealer was sentenced to 175 hours of community service for sending a virus to a competitor. The company became suspicious of the offending e-mail, discovered it contained a virus, and informed the police. The rivals had been engaged in a price war.-http://www.theregister.co.uk/content/8/18238.html
10 April 2001 Pioneer Accidentally Sends Out Troj_Hybiris
Pioneer unwittingly sent Troj_Hybiris, a semipolymorphic worm, to more than 10,000 customers; at least 19 computers were infected. The worm is activated only when users click on the attached file. The company has sent out an virus alert, apology and fix.-http://www.infoworld.com/articles/hn/xml/01/04/10/010410hnpio.xml?0410alert
[Editor's (Cowan) Note: This incident makes clear how difficult it will be to prosecute malicious use of viruses, because it is so easy to spread viruses accidentally. (Murray) Enterprises should scan e-mail for viruses outbound as well as in. ]
11 April 2001 Russian Hacker Claims US Diplomats Tried to Hire Him To Steal Files
The Moscow Times reported that a Russian hacker claims that diplomats at the US Embassy in Moscow attempted to him to copy, alter, and delete files in the Country's Federal Security Service's computer network.-http://www.wired.com/news/politics/0,1283,42998,00.html
--11 April 2001 Shopping Cart Software Flaw Allowed Credit Card Theft A bug in PDG Shopping Cart software apparently allowed crackers to steal credit card numbers from several e-commerce web sites; NIPC posted an alert on April 9th. PDG contacted its vendors with a patch the same day it became aware of the problem. The fix is also available at PDG's web site.
-http://sg.news.yahoo.com/010410/13/mibu.html
NIPC Alert:
-http://www.nipc.gov/warnings/advisories/2001/01-007.htm
PDG Fix:
-http://www.pdgsoft.com/security-upgrade.htm
10 & 11 April 2001 Windows XP Security
Microsoft says its new versions of Windows XP and Whistler, will have dramatically improved security capabilities. In addition to checking for signed integrity credentials before allowing applications to run, and allowing administrators to limit access permissions to specific users, Microsoft has established an internal program, the Secure Windows Initiative, to provide its engineers on-going security education.-http://news.cnet.com/news/0-1003-200-5567520.html?tag=prntfr
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59501,00.html
9 & 10 April 2001 German Interior Minister's Questionable Remarks
A spokesman for German Interior Minister Otto Schily implied that the press has misinterpreted a remark he made regarding his support for using denial-of-service attacks in the fight against far-right web sites.-http://www.wired.com/news/politics/0,1283,42921,00.html
-http://www.wired.com/news/politics/0,1283,42961,00.html
9 April 2001 Warner Bros. Online Security Breach
A cracker stole an e-mail newsletter mailing list from the Warner Bros. Online computer system and spammed the addresses with a pitch for a pyramid marketing scheme. Warner Brothers sent e-mail apologies to the subscribers, but would not comment on what other information may have been stolen.-http://www.msnbc.com/news/556908.asp?0nm=T24F
9 April 2001 Cyber Forensics
The market for private sector cyber-forensics is growing, as companies are reluctant to call in law enforcement for fear of bad publicity; furthermore, private companies have greater expertise in getting to the bottom of security breaches.-http://www.msnbc.com/news/555451.asp?0nm=T25F
9 April 2001 Reassessing Security
The rapid growth of Internet crime can be attributed to the haste with which businesses entered the e-commerce market, often pursuing visibility at the cost of security. The recent economic slowdown presents time to evaluate and update security policies and procedures. The author provides a list of suggestions for conducting an internal security assessment.-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59328,00.html
[Editor's (Grefer) Note: Policies and procedures are quite often viewed as counter-productive, (short-term) taking away from the bottom-line, and not allowing enough flexibility and speed in time-to-market. While I personally agree that this would be the right time, my experience shows that a lot of companies do not perceive this need and/or opportunity as such. (Murray) We are not behind because of "haste." We are behind because our success, as it always has in IT, exceeded our wildest expectations. We play catch-up in security because we cannot anticipate the requirement. ]
9 April 2001 Australian Legislation Addresses Cyber Crime
The New South Wales government has proposed amendments that add cyber- crime offenses to the Crimes Act; offenders could face up to 10 years in jail.-http://www.zdnet.com/zdnn/stories/news/0,4586,2705803,00.html
9 April 2001 Security Manager's Journal: Fire Drills
This week, the security manager writes about methods he uses to test his security staff and the systems they use. In one test, he launched a SYN Flood attack against his company's corporate e-mail server. His next planned test will utilize social engineering techniques.-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO59330,00.html
9 April 2001 IT Security in Prisons
IT managers at correctional institutions have to use stringent security measures. One manager points out that security is more about training than technology. Another advises providing prisoners only stand-alone machines or isolated networks.-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO59364,00.html
TUTORIAL
TUTORIAL SECTION
Wireless security flaws are being recognized and publicized. Here NewsBites editorial board member Bill Murray introduces and discusses a well-researched article on wireless security. The article may be found at:-http://news.excite.com:80/news/zd/010412/07/80211-and-swiss
Bill's discussion: 802.11b wireless is so attractive that it will be used. The attraction is in the connectivity and convenience. Its cost is already at a level that makes new wireless LANs competitive with new wired LANS. While one can still do a wired LAN over existing copper cheaper than wireless, the prices of wireless have dropped 10-30 percent since Christmas and may well have halved Christmas to Christmas. Wireless will be used in spite of its security or lack thereof. In practice it is being installed with the most convenient and least secure settings. These settings provide the greatest connectivity and convenience; that these settings are used by default will not surprise regular readers of NewsBites.
As the referenced article points out, 802.11b comes with security features and properties. All of these have limitations, not to say flaws. It seems clear, both from the article and the primary sources that it references, that these features and properties are not as robust as they appear on first sight and may not provide adequate protection for many applications and environments for which one might otherwise want to use 802.11b. Again, this should not surprise any of our readers; the same statement can be made about most of our technology. However, this is a problem for the 2-3 year time frame. The immediate problem is that the features are not being used at all. That WEP does not provide the protection that it appears to provide is not relevant if no one uses it at all. That MAC address access control can be duped is not relevant if all access points are operated as open to all devices. Whatever the limitations of these features, they can raise the cost of attack by several times. It is extremely unlikely that anyone will attack them when most, not to say all, of the systems using 802.11b do not bother to use them. Their use will certainly take you off the soft target list if not off the target of opportunity list. We must learn to compensate for the limitations of our materials. While, there are many applications for which 802.11b is not by itself safe, this is equally true of wired LANs. On the other hand, as there are few applications that cannot be done safely over wired LANS, there are few applications that cannot be done safely over 802.11b. I agree with Stephan Somogyi that the developers and the IEEE did us all a disservice by permitting 802.11b to become a standard with these security problems,
[but boy does it interoperate well ]
. It will not be easy to remedy these problems while maintaining interoperability and conserving investment but it can be done. If it is to happen, not only must we lean hard on our vendors, but we must demonstrate that we are serious by using what we have been given and compensating for its limitations. No serious vendor is likely to fix what is not used. Use the features but do not rely upon them to protect sensitive data in hostile environments.
===end===
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites
Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz
