SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #2
January 10, 2001
Please check out the new "Ask the Editors" feature for an analysis of
the impact of the public disclosure of the RSA hash used in its
handheld tokens. If you like the idea of continuing this type of
feature, send us a question you think a lot of people would like to
have answered. (send it to info@sans.org with subject: Ask The Editors)
AP
TOP OF THE NEWS
9 January 2001 Register.com Experiencing Denial of Service Attack
3 January 2001 Survey Says CIOs Confident in Security; Others Contradict Results
3 January 2001 Spammers Sentenced
2 January 2001 Cracker Enters Guilty Plea
1 January 2001 Top Ten Security Issues
THE REST OF THE WEEK'S NEWS
5 January 2001 Vatis to Leave FBI
5 January 2001 Man Charged in NASA Site Defacement
5 January 2001 UK E-Mail Firings
5 January 2001 Safe Harbor Adoption Slow
4 & 5 January 2001 Wyoming ISP Customer Info Stolen
4 January 2001 Best Practices for Web Site Availability
4 January 2001 Malaysian Government Site Attacked
4 January 2001 NASA to Test Biometric Authentication
3, 4 & 5 January 2001 Y2K Bug Bites in 2001
3 January 2001 Indian Cyber Crime Committee to be Advised by Savvy Teens
3 January 2001 AT&T Site Exposes Customer Billing Data
3 January 2001 On Line Game Cracked
1 January 2001 Wireless Security Issues
1 January 2001 Passwords and Security Scanners
ASK THE EDITORS
Bill Murray provides context for this week's publishing of the RSA Hash.
Professional Development and Community Service Opportunities
Computerworld Seeks New Security Manager Columnist
New Orleans Security Training Sessions Partially Closed
London and Sydney Security Training Registrations Surging
InfoSec Reading Room Holdings Pass Two Hundred
************* This issue Sponsored by SurfControl, Inc. **************
SurfControl is ..."flexible & powerful" --SC Magazine
Relying on your firewall for complete network protection? You're leaving
yourself vulnerable to a host of harmful threats: Worms, Viruses, Trojan
horses... Internet filtering adds an extra layer of security. Monitor
and manage all traffic down to the port level.
Download a FREE 30-day trial.
http://www.surfcontrol.com/promo/SNB0110
**********************************************************************
TOP OF THE NEWS
9 January 2001 Register.com Experiencing Denial of Service Attack
GIAC reports that a computer at register.com, a firm that registers Internet domain names, has been under attack since January 4 in a DoS attack using spoofed DNS requests. The firm's Internet service providers, Exodus and Globix, have been filtering out the malicious packets, so register.com was able to continue operating after a short outage, but they have not been successful in finding or stopping the attacker(s).
Technical data:
-http://www.sans.org/y2k/010901-1300.htm
3 January 2001 Survey Says CIOs Confident in Security; Others Contradict Results
A national survey of CIOs indicates they are confident in their companies' network security. But other sources suggest CIOs may be reluctant to acknowledge network problems, or that they allow a certain "buffer of acceptable risk." CIOs may also measure security by losses rather than vulnerability.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO55809,00.html
[Editor's (Murray) Note: My experience suggests that most enterprises have an acceptable or accepted level of risk. That is what these CIOs are saying. On the other hand, many are targets of opportunity, more are targets of choice, and most have their "crown jewels" at risk. Most could be much more secure for the same amount of money. Few are getting better. ]
3 January 2001 Spammers Sentenced
Steve Shklovskiy and Yan Shtok, who were behind an unsolicited e-mail scam that brought in more than $250,000, will serve 27 months in jail and pay over $100,000 in restitution. The majority of the money will go to the company that lost revenue while dealing with the massive amounts of spam.
-http://www.idg.net/go.cgi?id=390492
[Editors' Note: It's about time. ]
2 January 2001 Cracker Enters Guilty Plea
Dennis Moran, who broke into rsa.com, dare.com, and several US military web sites, has pleaded guilty to a trio of misdemeanors. If the plea agreement is approved, the New Hampshire teen could face at least nine months in jail and $15,000 in restitution payments.
-http://www.usatoday.com/life/cyber/tech/cti962.htm
1 January 2001 Top Ten Security Issues
An informal Computerworld poll of 35 security vice presidents, officers and managers at SANS Network Security 2000 in Monterey produced a Top 10 list of security issues, including international standards, employee awareness, authorization and authentication, and risk management.
-http://www.computerworld.com/cwi/story/0,1199,NAV65-663_STO54802,00.html
*********** Also sponsored by Network-1 Security Solutions ***********
Host Resident Firewall for Windows NT/2000 Servers and Desktops
CyberwallPLUS is a firewall for NT/2000 servers and desktops. It
protects against attacks with an ICSA-certified packet filter that
provides network access controls, intrusion detection and traffic logs.
Local and central management facilities make it ideally suited for
enterprise-wide deployment.
Free 30-day evaluation: http://www.network-1.com/support/download.html
**********************************************************************
THE REST OF THE WEEK'S NEWS
5 January 2001 Vatis to Leave FBI
Michael Vatis, who for two years has been chief of the National Infrastructure Protection Center (NIPC), will leave the FBI. Vatis very recently launched the InfraGard program, which aims to help government and private industry share information about cyber attacks (see story). No one has yet been named to replace Vatis.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2671601,00.html
5 January 2001 Man Charged in NASA Site Defacement
Matthew Lawrence, of Shelton, Connecticut, has been charged with breaking into and defacing a web site at NASA's Goddard Space Flight Center. NASA said the server was out for nearly a month as a result of the attack. Attrition.org says that the site suffered another, more extensive attack the same day from a group not connected to the Connecticut man.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2671675,00.html
[Editor's (Murray) Note: I can understand that NASA would still be vulnerable to DoS attacks, but that they are still vulnerable to break-ins tells me that either they are terribly inept or the problem is completely intractable. They know that they are a target of choice but they are falling over to amateurs. ]
5 January 2001 UK E-Mail Firings
A British insurance firm fired 10 employees and disciplined more than 70 others in connection with inappropriate e-mail. The company has a written acceptable Internet use code.
-http://www.it.fairfax.com.au/breaking/20010105/A11677-2001Jan5.html
5 January 2001 Safe Harbor Adoption Slow
The Commerce Department hopes that informational seminars will increase the number of US businesses signed up to support the "safe harbor" data privacy provisions, which will ease e-commerce with the European Union. So far, only 12 organizations have become certified.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO55924,00.html
-http://www.wired.com/news/politics/0,1283,41004,00.html
4 & 5 January 2001 Wyoming ISP Customer Info Stolen
A cracker stole customer information, including credit card and bank account numbers, from GlobalCentral.com, a Wyoming Internet Service Provider (ISP), and sent the information to Computerworld. The ISP has taken measures to improve security, including new transaction monitoring software.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO55851,00.html
-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO55951,00.html
4 January 2001 Best Practices for Web Site Availability
A Gartner analyst offers advice on avoiding web site down time. Continuous availability requires a "multi-pronged strategy" incorporating application and infrastructure design, testing, and proactive management. Two Internet company executives also offer their list of best practices for availability.
-http://news.cnet.com/news/0-1007-202-4375556-0.html
[Editor's (Murray) Note: Not very rigorous. I am glad that they promote business and people issues, limit single points of failure, and promote up-front design, but is that really their "best?" Where does it say fix responsibility and accountability, limit complexity and function, manage change, monitor, measure, report, etc.? I admit that this is a difficult area to write in, but I would expect better. ]
4 January 2001 Malaysian Government Site Attacked
A cracker apparently broke into the Malaysian parliament's web site and cleared it of everything but a message taking responsibility for the attack.
-http://asia.dailynews.yahoo.com/headlines/technology/newsbytes/article.html?s=asia/headlines/010104/technology/newsbytes/Malaysian_Parliament_Site_Hacked.html
4 January 2001 NASA to Test Biometric Authentication
NASA's Goddard Space Flight Center plans to begin testing biometric authentication technology for employees logging in to the center's network from remote locations.
-http://www.fcw.com/fcw/articles/2001/0101/web-nasa-01-04-01.asp
[Editors' Note: The specific claim in the story, that Goddard's biometrics authentication cannot be stolen or forged, is wrong; biometrics are subject to replay attacks. As a general rule biometrics should be validated on the client side, rather than the server side, with a one-time token sent to the server. ]
3, 4 & 5 January 2001 Y2K Bug Bites in 2001
Several companies experienced problems due to Y2K computer glitches. Some systems had not been configured to recognize 2000 as a leap year. Many 7-Eleven cash registers would not accept credit cards because they thought the date was January 1, 1901. The problem was fixed by close of business the next day. Some Norwegian trains could not start on December 31; as a temporary solution, the trains were reset to the beginning of December.
General:
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1101000/1101917.stm
7-Eleven:
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO55853,00.html
-http://www.msnbc.com/news/511767.asp?0nm=T21E
Norwegian Trains:
-http://www.usatoday.com/life/cyber/tech/cti959.htm
3 January 2001 Indian Cyber Crime Committee to be Advised by Savvy Teens
India's National Cyber Cop Committee, which was set up by the country's software industry, will be advised by a group of hackers aged 14-19. The teenagers, none of whom has a criminal record, will not be paid, but will be recommended for e-security business jobs.
-http://news.bbc.co.uk/hi/english/world/south_asia/newsid_1099000/1099181.stm
-http://www.msnbc.com/news/511042.asp?0nm=T23E
3 January 2001 AT&T Site Exposes Customer Billing Data
A customer alerted AT&T to a glitch in its Small Business Center web site that revealed other customers' billing records. AT&T took down part of its site to prevent any more information from being exposed; the site was repaired a day later.
-http://www.msnbc.com/news/510637.asp?0nm=T24E
3 January 2001 On Line Game Cracked
Crackers have apparently exploited a hole in the log-on system of the on line game Diablo to gain control of and do away with some users' game characters. The attack followed on the heels of a software update.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1097000/1097330.stm
-http://www.wired.com/news/technology/0,1282,40942,00.html
1 January 2001 Wireless Security Issues
Wireless commerce security issues include the vulnerability of messages being converted from wireless security protocol to Internet security protocol, and the question of authentication. Several companies have devised solutions to these problems.
-http://computerworld.com/cwi/story/0%2C1199%2CNAV65-663_STO55583_NLTs%2C00.html
[Editors' Note: "Wireless" is not a single space. We use CDMA, 802.11, CDPD, HRF, and WAP each for different applications, each in different environments. The security implications are different for each. ]
1 January 2001 Passwords and Security Scanners
Jude Thaddeus, a columnist, wonders how to authenticate requests for resetting passwords, as "social engineering", or convincing help desk staff to provide passwords, is a common attack strategy. One simple solution would be to leave the new password on the user's voice mail. Jude also ran a security scanner that was easy to use and revealed some surprises.
-http://www.computerworld.com/cwi/story/0,1199,NAV65-663_STO55582,00.html
[Editor's (Grefer) Note: That would require more trust in the voicemail security than I have. Or perhaps split the password between the original call and voice mail. ]
ASK THE EDITORS
Bill Murray provides context for this week's publishing of the RSA Hash.
This week, I. C. Wiener (icwiener@mailru.com) posted to BugTraq source code for a functional equivalent of the one-way algorithm used in RSA's SecurID token and Ace Server. "Once again, security of the cipher should be based entirely on the secrecy of the key, not the algorithm," quotes Wiener. BugTraq is a forum for the discussion of vulnerabilities. Wiener also says, "We have performed some cryptoanalysis and let's just say we do have grounds to believe that this algorithm is easily breakable." To be meaningful, such a claim would mean that using only the algorithm and a, presumably limited, number of previous outputs from the token, he could predict some number that the token would produce at some time in the future, that he could do so within the life of the token, and that the cost of doing so would be lower than the value of doing so.
The hash has not been secret for some years; there are more than 12,000 copies of the object code in use on servers. As with most hashes, its effectiveness relies not upon its secrecy but upon its complexity and irreversibility. However, in accordance with agreements with some customers, RSA has never published the source code. While this is not the first time that the object code has been reverse engineered (Adam Shostack (adam@homeport.org), founder of SDAdmin, says that he received a copy in 1996 with a request that he not publish it), it is the first time that it has been published.
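The two editorial points above, that a token's security must rest on a secret key rather than a secret algorithm, and (from the Goddard biometrics note earlier in this issue) that a biometric should be checked locally and only a one-time token sent to the server, can be shown together in a small working model. The following is an added example, not code from SANS NewsBites, from RSA or from any editor quoted here, and it is not RSA's algorithm: the HMAC-SHA256 construction, the names TokenDevice and Verifier, the 60-second step and the six-digit code are all assumptions, and the equality check standing in for a biometric matcher is a constructed simplification. The algorithm is fully visible, the per-token seed is the only secret, and the server keeps the last accepted time step per user so that a captured code cannot be replayed.

```python
# Added example (not from SANS NewsBites, RSA, or any editor quoted on the page).
# Models: local biometric check -> one-time code -> server verifies and rejects replays.
# All names and parameters here are assumptions, not RSA's SecurID algorithm.
import hashlib
import hmac
import struct
from typing import Dict, Optional

STEP_SECONDS = 60   # how long one code stays valid (assumed value)
DIGITS = 6          # code length (assumed value)


def one_time_code(seed: bytes, counter: int) -> str:
    """Public algorithm: HMAC-SHA256 over the time-step counter, truncated to DIGITS.
    Anyone may read this function; only `seed` must stay secret."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation, as in RFC 4226
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class TokenDevice:
    """Client side: holds the secret seed and a biometric template and releases a
    code only after a local match. The hash-equality check is a constructed
    stand-in for a real biometric matcher; the template never leaves the device."""

    def __init__(self, seed: bytes, template: bytes):
        self._seed = seed
        self._template_hash = hashlib.sha256(template).digest()

    def release_code(self, sample: bytes, now: int) -> Optional[str]:
        presented = hashlib.sha256(sample).digest()
        if not hmac.compare_digest(presented, self._template_hash):
            return None                                     # local check failed: nothing is sent
        return one_time_code(self._seed, now // STEP_SECONDS)


class Verifier:
    """Server side: knows each user's seed, never sees biometric data, and records
    the last accepted time step per user so a replayed code is refused."""

    def __init__(self, seeds: Dict[str, bytes], window: int = 1):
        self._seeds = seeds
        self._window = window                               # tolerate +/- window steps of clock drift
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self._seeds.get(user)
        if seed is None or len(code) != DIGITS:
            return False
        counter = now // STEP_SECONDS
        for c in range(counter - self._window, counter + self._window + 1):
            if hmac.compare_digest(one_time_code(seed, c), code):
                if c <= self._last_counter.get(user, -1):
                    return False                            # replay: this step (or an older one) already used
                self._last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    # Constructed sample values; a real seed would come from secrets.token_bytes().
    seed = b"constructed-seed-for-alice-0001"
    device = TokenDevice(seed, template=b"alice-fingerprint-template")
    server = Verifier({"alice": seed})
    now = 1_000_000
    code = device.release_code(b"alice-fingerprint-template", now)
    print("first use accepted:", server.verify("alice", code, now))
    print("same code replayed:", server.verify("alice", code, now + 10))
    print("wrong finger releases a code:", device.release_code(b"someone-else", now))
```

Two design choices matter here. The server stores seeds, not biometric templates, so a server compromise exposes nothing that can be "stolen or forged" in the biometric sense, only seeds that can be re-issued. And because the verifier compares against a time window but advances a per-user high-water mark on every success, a code observed in transit is worthless once the legitimate user has used it, which is exactly the replay weakness the editors' note warns about.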
Professional Development and Community Service Opportunities
Computerworld Seeks New Security Manager Columnist
For the past year, SANS and Computerworld have cooperated in creating one of the most widely read security columns - The Security Manager's Journal. Sadly, the current columnist has gotten a major promotion and cannot continue. We are looking for candidates to replace him. Although your identity will be known to Computerworld and SANS editors, you will be free to tell the absolute truth about vendors and products and processes, because you will write under a pen-name. If you are a technical security manager and think you can write pretty well, send us a sample article. Remember, these are journals, so they need to tell what happened and the lessons learned. A sample article may be found at
-http://www.computerworld.com/cwi/story/0,1199,NAV65-663_STO55582,00.html
New Orleans Security Training Sessions Partially Closed
Although two tracks have filled up at SANS Security New Orleans (January 28-Feb 2), several remain open. You may still register for Kick Start, SANS Security Essentials, Firewalls, Intrusion Detection, and Windows 2000 Security.
-http://www.sans.org/NO2001.htm
London and Sydney Security Training Registrations Surging
To be sure to get your first choice of tracks, please reserve places soon for SANS Darling Harbour (Sydney Feb 12-15) or SANS Parliament Square (London June 20-23). See
-http://www.sans.org
for detailed track descriptions.
Information Security Reading Room Holdings Pass Two Hundred
Check out the SANS InfoSec Reading Room for in-depth research papers on thirty-five security subject areas, and the Intrusion Detection FAQ for valuable data on intrusion detection.
InfoSec Reading Room:
-http://www.sans.org/infosecFAQ/index.htm
ID FAQ:
-http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites
Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz