SANS NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #41

October 10, 2001


A new free resource from SANS!
SANS complete library of security policies -
two dozen templates and samples - is now online at
http://www.sans.org/newlook/resources/policies/policies.htm
You'll also find a primer on HIPAA and other useful materials there.
The UNIX Security track and Auditing track are both sold out for
the San Diego conference next week, but six other tracks still have
space (http://www.sans.org/NS2001/NS2001.htm). If you were thinking
about attending any security program this fall, come to San Diego
next week or to one of the other five cities (www.sans.org) where
we'll have programs. These programs provide world-class teachers and
offer immersion training giving you critical skills you can put to
work immediately when you return to the office - whether your job
is intrusion analyst or information security manager or any of six
other security related positions.

At the end of this issue you'll find a thought-provoking statement
by Bill Murray placing Microsoft's contribution to Internet security
in stark relief.

And welcome to Dorothy Denning and Vicki Irwin, the two newest members
of the editorial board. We are all honored by their willingness to
help make NewsBites more timely and more useful.

AP

TOP OF THE NEWS

8 October 2001 Recent Terrorist Attacks Prompt Concerns Over Internet Security
5 October 2001 PowerPoint and Excel Security Hole
3 & 4 October 2001 Microsoft's Strategic Technology Protection Program
2 & 4 October 2001 House Judiciary Committee Approves PATRIOT Act

THE REST OF THE WEEK'S NEWS

5 October 2001 Hacking Terrorist Funds is Tricky
4 October 2001 Pix Firewall Vulnerability
4 October 2001 Senators Displeased With Critical Infrastructure Protection Coordination
3 October 2001 NSA's Secure Linux Available for Download
3 October 2001 Key Escrow Won't Work
3 October 2001 Companies Unprepared for Worms and Viruses
3 October 2001 Sensitive Data Removed from Some Web Sites
2 & 3 October 2001 NIST Security Grants
2 October 2001 Increase Cyber Security R & D, Says Committee Chair
2 October 2001 Jack Straw Critical of UK's Position on Encryption
1 October 2001 Phony Nimda Fix
1 October 2001 Content Management
28 September 2001 .Net Security Concerns
Bill Murray's Essay on Microsoft Security



TOP OF THE NEWS

8 October 2001 Wall Street Journal Analysis and Prescription for Cyberterror Threat

The Wall Street Journal's E-World Column on Monday provides a useful tool for security professionals who need top management support for improving security. It explains, in senior management language, why the threat is real and how your organization might respond. The article is available only to paid WSJ subscribers, so you may want to get a copy of the printed version of Monday's Journal. It is in column 1 on page A15.
-http://interactive.wsj.com/archive/retrieve.cgi?id=SB1002488650868962680.djm

5 October 2001 PowerPoint and Excel Security Hole

A vulnerability in Excel and PowerPoint allows malicious macros to completely bypass security checks and execute automatically when documents are opened. Affected software includes Excel 2000 and 2002 for Windows, PowerPoint 2000 and 2002 for Windows as well as several Macintosh versions.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO64507,00.html
-http://www.cert.org/advisories/CA-2001-28.html
Handler's Diary link:
-http://www.incidents.org/diary/october01/100601.php#2

3 & 4 October 2001 Microsoft's Strategic Technology Protection Program

2 & 4 October 2001 House Judiciary Committee Approves PATRIOT Act

The House Judiciary Committee unanimously approved a version of Attorney General John Ashcroft's Anti-terrorism Act (ATA) known as the PATRIOT (Provide Appropriate Tools Required to Intercept and Obstruct Terrorism) Act. The bill, which will probably go to a full House vote later this week, broadens the government's surveillance capabilities; several of the bill's provisions include an expiration date of December 31, 2003. Privacy advocates have expressed concern that the bill erodes civil liberties. One of the most eloquent of those protests comes from Jennifer Granick, the Stanford Law School Professor who defends hackers in court. Her article is the final URL below.
-http://www.infoworld.com/articles/hn/xml/01/10/04/011004hnterror.xml
-http://www.wired.com/news/politics/0,1283,47312,00.html
-http://news.cnet.com/news/0-1005-200-7376176.html?tag=prntfr
-http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2001/10/03/ED75949.DTL




THE REST OF THE WEEK'S NEWS

5 October 2001 Hacking Terrorist Funds is Tricky

Many doubt the story that a group of hackers infiltrated a foreign bank and gathered information about accounts belonging to Osama bin Laden. Such activity is actually quite complicated; the accounts are unlikely to be in bin Laden's name and tracking down the accounts would require analyzing quantities of transaction data. Furthermore, hacking into the banks often requires physical access, unlike Internet hacking.
-http://www.msnbc.com/news/638639.asp?0dm=C216T

4 October 2001 Pix Firewall Vulnerability

A security hole in the Cisco PIX Firewall Mailguard feature allows attackers to bypass the Firewall's SMTP command filtering mechanism. An attacker could execute arbitrary code on a mail server and gather e-mail account information without being intercepted by the PIX Firewall. The vulnerability affects PIX Firewall versions 5.2(4), 5.2(5), and 6.0(1), with access to SMTP mail services.
-http://www.vnunet.com/News/1125873
The Cisco Advisory:
-http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-regression-pub.shtml

4 October 2001 Senators Displeased With Critical Infrastructure Protection Coordination

The heads of the National Infrastructure Protection Center (NIPC), the Federal Computer Incident Response Center (FedCIRC) and the Critical Infrastructure Assurance Office (CIAO) attended a Governmental Affairs Committee hearing to describe their roles in protecting the nation's critical infrastructure. Senators were not impressed with the organization of critical infrastructure defense, and called for untangling the lines of authority and accountability.
-http://www.gcn.com/vol1_no1/daily-updates/17223-1.html
[Editor's (Schultz) Note: I don't blame the Senators for being displeased here. But they missed one important point, mainly that there needs to be some kind of direction that motivates incident response teams to cooperate with each other better.]

3 October 2001 NSA's Secure Linux Available for Download

The National Security Agency (NSA) has released a version of Linux with enhanced security, SE Linux. The operating system has mandatory access controls and allows programs to run with limited security permissions. SE Linux supports the Intel x86 platform and has been tested on Red Hat.
-http://www.nwfusion.com/news/2001/1003nsalinux.html

3 October 2001 Key Escrow Won't Work

Experts and lawmakers opposed legislation that would require people using encryption to put their encryption keys in escrow with a third party, as the keys would become targets for terrorists. Responding to claims that a key escrow system could allow law enforcement officials to decode communication between terrorists and other criminals, Rep. Bob Goodlatte (R-Va) remarked that such persons are not likely to place their encryption keys in escrow anyhow.
-http://www.fcw.com/fcw/articles/2001/1001/web-keys-10-03-01.asp

3 October 2001 Companies Unprepared for Worms and Viruses

Security experts say that companies are not prepared to deal with the surge of viruses and worms. According to Symantec, if people have not updated their versions of Microsoft Outlook, they risk infection from Nimda without even opening the malicious attachment.
-http://www.computing.vnunet.com/News/1125813
A more thorough technical report on Nimda:
-http://www.incidents.org/react/nimda.pdf

3 October 2001 Sensitive Data Removed from Some Web Sites

Photos and maps of military installations, schedules of meetings at Minot Air Force Base and EPA chemical plant information have all been removed from various web sites for fear the information could be abused by terrorists. While the action does not prevent people from obtaining the data altogether, it does make information access more difficult.
-http://www.cnn.com/2001/TECH/internet/10/03/rec.attack.net.censorship.ap/index.html

2 & 3 October 2001 NIST Security Grants

The National Institute of Standards and Technology (NIST) has awarded a total of $5 million in research grants to nine projects aimed at strengthening critical infrastructure security. Projects funded include developing metrics to evaluate and improve intrusion detection systems and examination of the security issues raised when networks merge.
-http://news.cnet.com/news/0-1003-200-7383891.html?tag=prntfr
-http://www.fcw.com/fcw/articles/2001/1001/web-nist-10-03-01.asp

2 October 2001 Increase Cyber Security R & D, Says Committee Chair

House Science Committee Chairman Rep. Sherwood Boehlert (R-NY) maintains the government should devote more research and development resources to cyber security, including biometric and other identification techniques.
-http://www.fcw.com/fcw/articles/2001/1001/web-cyber-10-02-01.asp

2 October 2001 Jack Straw Critical of UK's Position on Encryption

Former UK Home Secretary Jack Straw has criticized his country's loose stance on encryption, claiming that stronger laws allowing the government to decrypt electronic communications could possibly have averted the terrorist strikes of September 11. But the director of the Foundation for Information Policy Research says that terrorists will simply use other, less detectable methods of communicating over the Internet.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2815795,00.html

1 October 2001 Phony Nimda Fix

An e-mail with an attachment that appears to come from SecurityFocus and Trend Micro and purports to be a fix for the Nimda worm is circulating on the Internet. The message is not from either of the companies and could be a Trojan horse program.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO64377,00.html

1 October 2001 Content Management

The recent revelation that a cracker was able to alter several Yahoo news stories last month underscores the importance of content management. A good strategy would be to separate content creation from web production; if web site content is altered, it can be replaced with the original content.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2815654,00.html

28 September 2001 .Net Security Concerns

Anti-virus software will likely need a major overhaul to address security concerns that will be raised by the forthcoming .Net platform. These include executable code called Microsoft Intermediate Language (MSIL) and the possibility of new vectors of infection requiring anti-virus products to scrutinize remote code.
-http://www.theregister.co.uk/content/56/21929.html

Bill Murray's Short Essay on Microsoft's Role In Security

"The debate about whether people should switch away from Microsoft's IIS misses the point. Suppose that tomorrow everyone that is knowingly and intentionally running and using IIS turned it off. Would it make any difference? As I understand it these malicious programs do not exploit only copies of IIS that somebody is using, "running," managing, choosing, or otherwise saying grace over. They exploit all instantiated copies of IIS. By shipping and installing by default hundreds of thousands of copies of flawed software that nobody asked for or wanted, Microsoft seriously weakened the network. That they make a timely patch available to the initiated is nice but irrelevant. That the cognoscenti can run IIS safely is irrelevant. That it may or may not be more difficult to run safely than other web servers is irrelevant. Most of those running it did not intentionally decide to run it and most of them do not even know that they are running it until their neighbors start to complain. In their desire to be loved, Microsoft made a very bad decision, one that even they cannot easily remedy. They have opened Pandora's box. I have been saying for years that it is reckless to make a decision to run your code on someone else's machine without their permission, that it is hubris to believe that you can do that safely. I admit that I had virus writers, not Microsoft, in mind when I said it but now it is clear that the power to make such a decision cannot be trusted even to Microsoft. The more copies of that software one intends to be installed, the more important it is that the code be free of exploitable features, much less errors. It seems to me that Microsoft has seriously, not to say permanently polluted the network. Not only have they put their own customers at risk, they have put at risk people who do not run so much as a line of Microsoft code.

What am I missing? Dear God, I do so hope I have it wrong."

NewsBites readers who want to change Microsoft's behavior can make a difference. More than 170 organizations (such as Shell, Intel, Hallmark, NASA, NIST, Navy, Infocomm Development Authority of Singapore, the Royal Canadian Mounted Police, and VISA and many other large and small organizations) have banded together to develop minimum security benchmarks for Internet connected systems. When enough organizations join them, and the buying community demands vendors deliver systems meeting minimum security standards, change will be possible. Instead of crying about the vendors' behavior, do something about it by joining others of like mind in the Center for Internet Security at www.cisecurity.org. Members of the Center are already testing tools that measure security of Cisco routers and of Solaris systems and they will shortly have a tool that measures security of Windows 2000.

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin, Bill
Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Eugene Schultz