SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #44

October 31, 2001


A consortium of large corporate and government user organizations is
trying to agree on minimum standards for security skills for system
administrators on three levels. In addition, they are working toward
standards for minimum technical skills for information system security
officers and law enforcement people. If you have a program that you
use and can vouch for, we'd love to include it and you in the consensus
building process. And if you have extensive security knowledge and
lead teams of system administrators and would be willing to help in
reaching consensus, we'd love to have your participation. Send a note
to info@sans.org with subject "Training standards" and tell us what
you already use to meet these needs.

And at the end of this note, we include (with permission) an email
from a security professional in a middle-sized organization expressing
a bit of shock at what can happen to the firms that are not so big.

AP

TOP OF THE NEWS

30 October 2001 New Version Of Nimda Spreading Slowly
26 October 2001 USA Patriot Act Becomes Law
26 October 2001 Man Sentenced in Software Pirating Case
22 & 25 October 2001 CERT Tells of New DDoS Attacks

THE REST OF THE WEEK'S NEWS

30 October 2001 New York Times Faces DDOS Attack
29 October 2001 Free Scanner Released To Test For SANS/FBI Top Twenty Vulnerabilities
26 October 2001 Holes in GovNet
26 October 2001 Pilots' Data Travels Unprotected
26 October 2001 Detecting Address Spoofing
25 October 2001 Antset Virus
25 October 2001 DoD Implores Contractors to Keep Silent
24 & 25 October 2001 Security News Portal Closed After Defacement
24 October 2001 Amsterdam Airport Pilots Iris Scanning System
22, 23 & 24 October 2001 Windows XP Security
22 October 2001 Security Manager's Journal: Security Review
21 October 2001 Elias Levy Responds to Culp



********************** Sponsored by Net IQ ***************************
Free Security Guide from NetIQ.
Keep the bad guys out with NetIQ's security guide, "Jack the Hacker
Tells All: Insights into Security Dos and Don'ts."
Respond to threats before they become major incidents.
Download it now before it's too late.
http://www.netiq.com/f/form/form.asp?id=56
**********************************************************************

TOP OF THE NEWS

30 October 2001 New Version Of Nimda Spreading Slowly

Users in Asia are reporting a slow moving worm that spreads like Nimda, but renames files to mimic existing Windows files.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5098988,00.html?chkpt=zdnnp1tp02

26 October 2001 USA Patriot Act Becomes Law

President Bush signed legislation giving the government broader Internet surveillance and home and office search powers. While some of the Bill's provisions have an expiration date of December 2005, many do not; civil rights advocates intend to make sure civil liberties are not compromised.
-http://www.wired.com/news/politics/0,1283,47901,00.html
-http://news.cnet.com/news/0-1005-200-7671240.html?tag=prntfr
-http://www.fcw.com/fcw/articles/2001/1022/web-terror-10-26-01.asp

26 October 2001 Man Sentenced in Software Pirating Case

Paul Stamatis received a two-year prison sentence and must pay Microsoft half a million dollars in restitution for distributing pirated software.
-http://news.cnet.com/news/0-1003-200-7672673.html?tag=prntfr

22 & 25 October 2001 CERT Tells of New DDoS Attacks

CERT/CC has issued a report describing how crackers compromise poorly configured routers and use them for distributed denial of service (DDoS) attacks.
-http://www.cert.org/archive/pdf/DoS_trends.pdf
-http://www.newsbytes.com/news/01/171530.html
-http://www.securityfocus.com/news/271

THE REST OF THE WEEK'S NEWS

30 October 2001 New York Times Faces DDOS Attack

Internet connections at the New York Times were interrupted for several hours on Tuesday afternoon.
-http://www.wired.com/news/conflict/0,2100,48015,00.html

29 October 2001 Free Scanner Released To Test For SANS/FBI Top Twenty Vulnerabilities

A free scanner that automatically audits and reports on the vulnerabilities in the SANS/FBI Top Twenty Vulnerabilities List has been released by the Center for Internet Security. It runs on UNIX and tests both UNIX and Windows systems.
-http://www.cisecurity.org
[click on Top 20 Scanner under "What's New." ]

26 October 2001 Holes in GovNet

Former CIA director James Woolsey points out that GovNet, the proposed ultra-secure government computer network, overlooks the problems of insider threats and the growing sophistication of hackers; the network presents an incentive for foes to cultivate helpers with network access.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO65103,00.html
[Editor's (Murray) Note: As the environment becomes more hostile push your defenses out, pull the crown jewels in, and push them down in the ground. Security measures need not be 100% effective to be efficient. Mr. Woolsey is an intelligence expert, not a network security expert. ]

26 October 2001 Pilots' Data Travels Unprotected

Ryanair is recruiting pilots, but they must apply on-line and send their CV and credit card numbers unencrypted. Ryanair says the problem will be fixed soon.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1621000/1621466.stm

26 October 2001 Detecting Address Spoofing

This article describes four ways to detect address spoofing by examining firewall logs.
-http://www.tisc2001.com/newsletters/320.html

25 October 2001 Antset Virus

The Antset virus arrives as an attachment that claims to be a Trojan horse scanner; instead, it sends itself out via Outlook and to any e-mail addresses it finds in PHP, HTM, SHTM, CGI and PL files.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2820285,00.html?chkpt=zdhpnews01

25 October 2001 DoD Implores Contractors to Keep Silent

After some Defense department contractors issued press statements regarding various orders, officials sent out memos to the private industry contractors urging them to be prudent about the information they make public. Additionally, Air Force acquisition officials are now prohibited from conversing with the media.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO65052,00.html

24 & 25 October 2001 Security News Portal Closed After Defacement

The owner of the Security News Portal web site has decided to close the site after a cracker defaced its homepage. Though the defacement bears the name of well-known German hacker Kim Schmitz, people believe someone else is responsible.
-http://www.newsbytes.com/news/01/171478.html
-http://www.wired.com/news/culture/0,1284,47836,00.html

24 October 2001 Amsterdam Airport Pilots Iris Scanning System

At Schiphol, Amsterdam's international airport, citizens from 18 European countries may enroll in a biometric identification program that will expedite security waits. The program uses iris scans to identify travelers who carry cards that contain computerized images that must match the scans. The system does not store information.
-http://www.nytimes.com/2001/10/25/international/europe/25AMST.html
(free registration is required to visit this site)

22, 23 & 24 October 2001 Windows XP Security

With its embedded firewall and hardened architecture, Windows XP appears to have adequate security for average home users. However, there are still some weaknesses, such as a built-in firewall that does not block outbound traffic.
-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64909,00.html
-http://www.zdnet.com/zdnn/stories/comment/0,5859,2819732,00.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,5098754,00.html?chkpt=zdhpnews01

22 October 2001 Security Manager's Journal: Security Review

The events of September 11th compelled the security manager to conduct a review of security practices at his company. He reviewed access permissions and examined physical security by wandering through various offices looking for poorly hidden passwords and unsecured areas. He also plans to review the company's disaster preparedness and business continuity plans and to test hiring practices with an eye to keeping out those who are trolling for company security information.
-http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO64933,00.html

21 October 2001 Elias Levy Responds to Culp

Elias Levy responds to Scott Culp's essay on "information anarchy" and suggests that instead of trying to keep knowledge of vulnerabilities out of the wrong hands, people should make efforts to restrict attack opportunities.
-http://www.securityfocus.com/news/270

[Editor's (Murray) Note: It should be obvious to anyone that these are not mutually exclusive options. This argument is simply a rationale to do what the vandals intend to do in any case. "Security experts" post work-arounds, not exploits. (Schultz) Elias Levy has spoken well, and others should do the same. You cannot simply suppress information about vulnerabilities to achieve better security. Scott Culp's position on this matter is not only unrealistic, but it is downright frightening: a spokesperson for a prominent vendor is in effect preaching "security by obscurity."]

The following note is shared with permission.

This last week, I attended the Intrusion Detection Track at the San Diego SANS Network Security 2001 conference, and I have to tattle on myself and relate a funny(?) story from the class. Carl Hopper and I are both from the medium to large corporate LAN/WAN side of the commercial world, and several things conspire to help us in that world. Although there's quite a bit of SUN/LINUX and NT Server stuff, there's also a vast amount of NetWare/Groupwise/IPX stuff in place. With Internet traffic being IP centric, and hackers being Microsoft centric, a happy accident has left a lot of commercial space a little safer than it would otherwise be. So several times in the conference, Carl and I would debate how big the exposure really was in our typical world. So I must admit, part way through class, I was telling myself this whole intrusion thing was academically interesting and obviously critical to big government, military or academic networks, but probably not such a big deal to us medium, stealthy commercial guys/girls .... Grump, Grump... this is a bunch of B.S., etc.!

Sunday night I left the conference and dragged myself back by the office to dump books and check emails. As I got ready to leave the office, I laughingly took the class laptop w/SNORT down to our NOC/DMZ room and hooked it to a test port on the DMZ hub. I was folding up my briefcase when I thought, "I'd better check" to be sure the log directory and alerts.ids file got created. As I double-clicked on log, I stood there horrified as I watched .... "Holy Smokes Batman"..... new directories getting added as the detects started rolling in. Needless to say ... "Take me to the river - Throw me in the water - I'm converted"

Thanks
Glenn Kennedy

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites

Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz