SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume III - Issue #22

May 30, 2001

A few people may have received a copy of this newsletter that contained
errors. This is a corrected version of the newsletter.
We have extra copies of course books for about 35 SANS courses. While
they last, order them from www.sansstore.org where you will also find
the new Windows 2000 Security Step-by-Step guide, updated guides for
securing NT and Solaris, and the guide for handling computer security
incidents.

---

TOP OF THE NEWS

24 May 2001 Max Butler Jail Sentence
23 & 24 May 2001 CERT/CC Hit by DDoS Attack
23 May 2001 Cisco Router Software Flaws
22 May 2001 Denial of Service Research

THE REST OF THE WEEK'S NEWS

25 May 2001 Shopping Cart Software Flaw Exposes Health Site Customer Information
25 May 2001 Cyber Disaster Drills
25 May 2001 Media Player Patch
25 May 2001 Worm Aims to Combat Child Pornography
24 May 2001 Trojans are Stealthy, Damaging and Tenacious
23 May 2001 Social Security Numbers and Identity Theft
22 & 23 May 2001 GAO Report on NIPC
22 & 23 May 2001 NSF Information Security Scholarships
21 May 2001 The Security Manager's Journal: Testing Intrusion Detection Systems
21 May 2001 Invicta Takes New Approach to Security
21 May 2001 Opinion: IIS Has Too Many Flaws
21 May 2001 Security Practices and Liability
15 May 2001 Las Vegas Phone Crackers

---

******************* Sponsored by NetIQ Corp. *******************
SECURITY SECRETS REVEALED: FREE WEBCAST
Security experts from NetIQ, Trend Micro and Check Point will reveal
the essentials of developing and implementing a successful security
strategy to protect your corporate network infrastructure during the
June 12 "Secrets to Developing a Sound Security Plan" Webcast.
Register:
http://webevents.road-show.com/netiq/6122001/start/register.asp?origin=SANS530
****************************************************************

---

TOP OF THE NEWS

24 May 2001 Max Butler Jail Sentence

Max Butler - hacker and former FBI informant - has been sentenced to 18 months in prison for unleashing a worm in military and defense computer networks three years ago. The worm had a benevolent intent - it was designed to fix a vulnerability another worm was exploiting - but it also left a backdoor in infected systems. Other hackers and crackers have expressed concern that the government's treatment of Mr. Butler might discourage others from aiding security efforts.
-http://www.wired.com/news/politics/0,1283,44007,00.html

23 & 24 May 2001 CERT/CC Hit by DDoS Attack

The Computer Emergency Response Team Coordination Center (CERT/CC) web site was the victim of a distributed denial of service (DDoS) attack. The cyber assault lasted about 30 hours, and no data were compromised. CERT/CC said it would still be able to issue security alerts if necessary. One computer expert pointed out that the attack highlights the risks inherent in centralizing computer alert teams.
-http://news.cnet.com/news/0-1003-200-6016900.html?tag=prntfr
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO60799,00.html
-http://www.cnn.com/2001/TECH/internet/05/24/computerattack.ap/index.html

23 May 2001 Cisco Router Software Flaws

Cisco Systems has issued an alert acknowledging four security holes in CBOS, the operating system for its 600 series routers, advising customers to upgrade. The flaws include passwords stored in clear text in router memory, predictable TCP Initial Sequence Numbers, and the possibility that the router will stop passing traffic when certain ECHO REPLY and ECHO REQUEST packets are sent through.
-http://www.theregister.co.uk/content/5/19148.html
-http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html

22 May 2001 Denial of Service Research

Research conducted at the University of California at San Diego (UCSD)

---

********** Also sponsored by Incidents.Org Help Wanted Site **********
The new central job repository for system administration, network
administration and security positions will open next week at
http://www.incidents.org/jobs/joblist.php
As an introductory offer, the sponsors are allowing all SANS alumni to
post jobs for 30 days. Email daragh@sans.org for instructions on
submitting posts.
**********************************************************************

---

THE REST OF THE WEEK'S NEWS

25 May 2001 Shopping Cart Software Flaw Exposes Health Site Customer Information

A flaw in PDG shopping cart software exposed the names, addresses, e- mail addresses and phone numbers of people who obtained free drug and alcohol addiction pamphlets from Health.org. Although NIPC issued a warning about the software problem in early April and the software company has attempted to contact all of its customers, the technical department director at the company that maintains the site for the Department of Health and Human Services said he never received a notice.
-http://www.msnbc.com/news/578476.asp?0nm=T219
[Editor's (Murray) Note: By this time, consumers are beginning to realize that even if they have end-to-end encryption of their data, that is not sufficient if the ends are not secure.]

25 May 2001 Cyber Disaster Drills

Computer disaster drills are on the rise due to the increase in cyber attacks and viruses, the threat of power outages, and the fact that more and more data are being stored on networks that can be reached from the Internet. The drills help workers identify security holes, recognize security problems, and maintain their data recovery skills.
-http://www.usatoday.com/life/cyber/tech/2001-05-24-cyberattacks-disaster-drills.
htm

25 May 2001 Media Player Patch

Microsoft has issued a fix for two vulnerabilities in Media Player 6.4 and 7. A buffer overrun could allow a cracker to run hostile code on someone else's machine. Another flaw that saves Internet shortcuts to a temporary files folder could be exploited, with the help of HTML code, to allow crackers to read files on the affected machine. Media Player 6.4 users need to install the patch, while Media Player 7 users should install Media Player 7.1 to fix the problems.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2765352,00.html

25 May 2001 Worm Aims to Combat Child Pornography

The Noped worm searches infected computers for certain image files names and alerts government agencies if any are found. Noped uses keyword and phrase identification rather than content analysis, which could result in a large number of false alerts.
-http://www.wired.com/news/technology/0,1282,44112,00.html
[Editor's (Murray) Note: The ends do not justify the means. It is at least rude and may be criminal to attempt to run your code on another's machine without their knowledge and consent. There is no motive so noble as to justify this behavior. (Cowan) Oh my. Salem witch hunts, with the accuser being a dumb piece of software. ]

24 May 2001 Trojans are Stealthy, Damaging and Tenacious

Trojan horse programs can be used by malicious hackers to spy on and stalk people, manipulate data and computers, steal money from bank accounts, and launch denial of service attacks. Trojans often slip into a computer while hidden in screensavers, games, e-mail messages or web pages, and they can be hard to detect and remove. The best methods may be reverting to a clean back-up or re-installing clean copies of software.
-http://www.wired.com/news/technology/0,1282,43981,00.html
[Editor's (Paller) Note: This is not news. It is included because it offers useful security awareness education material. ]

23 May 2001 Social Security Numbers and Identity Theft

Social security numbers can be purchased on line and used to steal people's identities and fraudulently obtain credit. Legislation has been introduced which, if passed, would restrict requests for social security numbers as identifiers and would ban their sale and display on public documents. One legislator wants the government to issue all citizens new social security numbers that will be kept secret.
-http://www.usatoday.com/life/cyber/tech/2001-05-23-id-theft-solutions.htm
[Editor's (Murray) Note: SSNs are identifiers, not authenticators. The problem is not so much the misuse of SSNs as identifiers, as egregious as that may be, but the inappropriate reliance upon them for authenticators. A name, address, and SSN, taken together, are more resistant to error than any of them taken alone. They are not resistant to fraud. The problem is not that we do not know how to implement reliable authentication but that, for whatever combination of reasons, we have failed to do so. Outlawing the use of an identifier will simply make us vulnerable to error as well as fraud. ]

22 & 23 May 2001 GAO Report on NIPC

A General Accounting Office (GAO) report says that the National Infrastructure Protection Center (NIPC) lacks sufficient staffing and fails to alert the public to virus threats in a timely manner. The National Security Council wrote a letter to the GAO suggesting that NIPC's responsibilities be distributed among several agencies. The report does say that NIPC has helped cyber crime investigations.
-http://www.fcw.com/fcw/articles/2001/0521/web-nipc-05-23-01.asp
-http://www.zdnet.com/zdnn/stories/news/0,4586,2763767,00.html
-http://www.wired.com/news/politics/0,1283,44019,00.html

22 & 23 May 2001 NSF Information Security Scholarships

The National Science Foundation's (NSF) Scholarship for Service program will provide two years of tuition assistance and a paid summer internship to students who agree to work for the government for two years in information security and assurance positions. The NSF plans to announce additional grants for faculty instruction development in these areas.
-http://news.cnet.com/news/0-1003-200-6008345.html?tag=prntfr
-http://www.wired.com/news/technology/0,1282,44021,00.html
-http://www.fcw.com/fcw/articles/2001/0521/web-nsf-05-23-01.asp
-http://www.nsf.gov/od/lpa/news/press/01/pr0145.htm

21 May 2001 The Security Manager's Journal: Testing Intrusion Detection Systems

Security manager describes how he tested his network-based intrusion detection system (IDS). Using a variety of attacks in a closed, controlled environment, he gradually increased network traffic to find out at what level the system began dropping packets.
-http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO60687,00.ht
ml

21 May 2001 Invicta Takes New Approach to Security

A former CIA director and a former KGB agent have released Invicta, a new security system that continuously changes network IP addresses, thereby creating "moving targets" for crackers. One insurance company is so convinced of Invicta's effectiveness that it plans to offer 10% discounts to companies that use the product.
-http://www.msnbc.com/news/576522.asp?0nm=T25B
[Editor's (Cowan) Note: DARPA (Defense Advanced Research Projects Agency) explored this idea in a red team experiment several years ago. The defenders employed the randomized address technique, without the attacker's knowledge. The technique significantly slowed the attackers, until they figured out what was going on, at which point effectiveness diminished. Problem: the effective random search space (the size of your subnet) is small. ]

21 May 2001 Opinion: IIS Has Too Many Flaws

The author wonders why companies continue to use Microsoft's Internet Information Server (IIS) despite its apparent flaws and suggests some alternatives.
-http://securityportal.com/articles/iis20010521.html

21 May 2001 Security Practices and Liability

Companies need to show "due diligence" in protecting their IT assets or they may find themselves facing liability suits for security breaches involving their machines, cautioned security experts. Companies would be well advised to employ security technology such as firewalls, intrusion detection systems and VPNs as well as establish consistent policies and procedures.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO60729,00.html

15 May 2001 Las Vegas Phone Crackers

Some purveyors of adult entertainment and bail bonds in Las Vegas are convinced their phones are being hacked and their calls diverted to competing businesses. Testing showed no irregularities, but a convicted computer criminal says the Las Vegas network has security holes that could allow such a scheme to work.
-http://www.theregister.co.uk/content/6/18950.html

---

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Eugene Schultz