SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IV - Issue #1

January 03, 2002

A vulnerability has been discovered in the Windows version of the AOL
Instant Messenger software.(AIM software running on other platforms
such as Linux or the Macintosh do not appear to be vulnerable). If
exploited, an attacker may be able to run programs on your computer
without your permission, much like a worm or virus can. A temporary
fix can be applied that will help to reduce the risk.


1. Go to your Preferences
2. Go to the Privacy section
3. Click "Allow only users on my Buddy List" under "who can
contact me"


This is not a perfect fix, if someone on your buddy list gets
attacked, you can be attacked by that infected individual. Users
should watch for updated AIM software from AOL. AOL is also
expected to patch it's servers to alleviate the problem. More
information about this vulnerability can be found at
http://www.newsbytes.com/news/02/173320.html

---

TOP OF THE NEWS

1 January 2002 Some Harvard Admissions E-Mail Treated as Spam
31 December 2001 NY Privacy Policy Act Becomes Law
14 December 2001 Cracker/Thief Sentenced
10 December 2001 GAO and State Auditors Release Security Auditing Guide

THE REST OF THE WEEK'S NEWS

31 December 2001 Sklyarov Returns Home
28 December 2001 Banks Support B2B Standard
27 December 2001 Worm Writers are Not Often Caught or Prosecuted
27 December 2001 McAfee Offers AV and Firewall Subscriptions
27 December 2001 Gift Cards Frequently Not Secure
27 December 2001 This Year's Threats May Get More Vicious
26 December 2001 Patching IE Can be Tricky
26 December 2001 IE SSL Authentication Hole
24 December 2001 Gilmore Commission on IT and Homeland Security
20 December 2001 Cyber Law Year in Review
18 December 2001 AmEx Contest Security Gaffe
1 December 2001 The Question of Cyberinsurance
December 2001 Sieberg's Top Ten Tech Stories of 2001

TUTORIALS

14 December 2001 Rootkit Basics
13 December 2001 Blended Threats

---

***********************Sponsored by SurfControl***********************
Personal Web-Based Email Accounts Spell Trouble for Security
Viruses can enter your network undetected via downloads or accessing
web-based email. This security risk can be eliminated by blocking
access to such accounts and restricting downloads of potentially
damaging files.
Try SuperScout Web Filter FREE:
http://www.surfcontrol.com/promo/zsnb0102
************************************************************************

---

TOP OF THE NEWS

1 January 2002 Some Harvard Admissions E-Mail Treated as Spam

Between 75 and 100 early admission application e-mail messages from Harvard University's admissions office were bounced back because AOL identified them as spam. Hopeful students found out whether or not they had been admitted by calling the office instead.
-http://www.cnn.com/2002/TECH/internet/01/01/harvard.spam.ap/index.html
[Editor's (Murray) Note: Security is a difficult balancing act. However, the real villains here are those that initiate the spam that forces the filtering in the first place. (Schultz) Later data showed that 1) only acceptance (not rejection) messages had been emailed, and 2) Harvard snail mailed acceptance letters after learning about what AOL did. ]

31 December 2001 NY Privacy Policy Act Becomes Law

New York State's freshly signed Internet Privacy Policy Act prohibits State agencies from gathering or divulging site visitors' personal data without their consent. Visitors are allowed to access any of their information the sites collect.
-http://www.gcn.com/vol1_no1/daily-updates/17664-1.html

14 December 2001 Cracker/Thief Sentenced

Markus Lukawinsky received a prison sentence of a year and a day to be followed by three years of probation. He was sentenced for stealing computer equipment from and breaking into the computers of a Connecticut consulting company and downloading encrypted password files which he used to log in to the system as an employee. Lukawinsky must also pay the firm restitution of almost $200,000.
-http://www.usdoj.gov/criminal/cybercrime/LukawinskySent.htm

10 December 2001 GAO and State Auditors Release Security Auditing Guide

The US Government Accounting Office and twelve state and local auditing agencies jointly published a comprehensive and thoughtful roadmap for security audits. Among the many important guidelines was an unequivocal requirement that auditors who audit access control (including penetration testing) and system software must have specialized technical skills such as knowledge of security configuration requirements and how to test for them on both servers and applications as well as advanced knowledge of network hardware, software and protocols.
-http://www.gao.gov/special.pubs/mgmtpln.pdf

skills, security auditors often become the most powerful force for positive change in improving security. Even before the new report was issued, we saw a surge in auditors attending very technical courses at SANS conferences and earning GIAC certifications. Randy Marchany (at Virginia Tech) is the quintessence of the fusion of technical skills and auditing. His STAR risk analysis system has been a boon to hundreds of security auditors:
-http://www.security.vt.edu/playitsafe/index.phtml#RiskAnalysis]

---

THE REST OF THE WEEK'S NEWS

31 December 2001 Sklyarov Returns Home

Dmitry Sklyarov, the Russian software programmer who recently reached an agreement with US authorities to avoid prosecution under the Digital Millennium Copyright Act (DMCA), has returned to Russia. He has agreed to keep authorities apprised of his location and to appear at legal hearings if he is needed.
-http://news.cnet.com/news/0-1005-200-8324114.html?tag=owv

28 December 2001 Banks Support B2B Standard

Fourteen banks around the world are running pilot programs of Project Eleanor, a proposed industry standard that will secure business-to-business payments by establishing online authentication methods and reduce payment clearing time to one day. The standard has the support of major banks worldwide.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO66001,00.html

27 December 2001 Worm Writers are Not Often Caught or Prosecuted

Even though some worm and virus writers leave clues to their identities in their coding, they're not often caught because tracking them down is not a profitable business. Cybercrime units tend to focus their resources on fraud and legal systems around the world are unsure what to do with cyber criminals. Russ Cooper says virus writers should be pursued and prosecuted as an example to the rest of the virus-writing community.
-http://www.wired.com/news/politics/0,1283,49313,00.html

27 December 2001 McAfee Offers AV and Firewall Subscriptions

McAfee is offering subscriptions for automatically updated antivirus software and remotely managed firewall service to Internet users in the UK and Germany. The service will be available to a dozen more countries in 2002.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1723000/1723447.stm

27 December 2001 Gift Cards Frequently Not Secure

Some retailers that sell magnetic stripe gift cards are not taking adequate security precautions to protect the cards from counterfeiters. If card account numbers are visible before purchasing or are shelved sequentially, thieves need only create fraudulent cards for those accounts and find out the amounts purchased on each card by using an 800 number. Stores would be well advised to package the cards so the account numbers are hidden, use bar codes rather than magnetic strips, and have their cashiers check that the numbers on the card and the transaction match.
-http://www.msnbc.com/news/598102.asp?0dm=C12OT

27 December 2001 This Year's Threats May Get More Vicious

Experts predict that worms and viruses will get nastier in 2002. Blended threats, such as Nimda, made a strong appearance in 2001; blended threats make use of multiple attack methods and don't require users to click on attachments. The experts disagree about the threat of mobile viruses.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2834890,00.html

26 December 2001 Patching IE Can be Tricky

Fixing the "automatic execution of embedded MIME types" vulnerability in Internet Explorer (IE) is not a one-size-fits-all, which can frustrate system administrators who need to patch numerous company desktops.
-http://www.zdnet.com/zdnn/stories/comment/0,5859,2834787,00.html

26 December 2001 IE SSL Authentication Hole

E-matters, a German web development company, found that Microsoft's Internet Explorer (IE) can be tricked into accepting phony or expired certificates for accessing e-commerce sites. Users who check the certificates before visiting sites will notice that they have expired or that the domain does not match the site they are accessing, but most people don't do this.
-http://www.newsbytes.com/news/01/173217.html
E-matters' report:
-http://security.e-matters.de/advisories/012001.html

24 December 2001 Gilmore Commission on IT and Homeland Security

The Gilmore Commission's December 15th report on the response to terrorism addressed IT aspects of homeland protection. The report recommends that the Critical Infrastructure Protection Board include representatives from all levels of government and that a third party evaluate agency programs.
-http://www.fcw.com/fcw/articles/2001/1217/web-report-12-24-01.asp
Gilmore Commission Site and links to report:
-http://www.rand.org/nsrd/terrpanel/

20 December 2001 Cyber Law Year in Review

Cyber law experts list significant developments of 2001; among the top few are the passage of the USA Patriot Act, the Microsoft decision, and the Digital Millennium Copyright Act (DMCA) prevailing in court decisions.
-http://www.nytimes.com/2001/12/28/technology/28CYBERLAW.html

18 December 2001 AmEx Contest Security Gaffe

American Express admitted that it didn't build adequate security into a web page asking customers to enter personal data, including credit card numbers, for a chance to win a vacation. The page in question caches the data and does not use SSL.
-http://www.silicon.com/a50000

1 December 2001 The Question of Cyberinsurance

Although cyberinsurance covers events not covered in traditional policies, some companies still find that their current insurance policies are adequate. Additionally, cyberinsurance can be costly, and companies may wish to spend money on security technology instead. While cyberinsurance premium discounts may be for using certain platforms and security services, some are concerned that organizations using those products may fall into a false sense of security.
-http://www.cio.com/archive/120101/et_article.html
[Editor's (Schultz) The verdict on cyberinsurance is still very uncertain. It has not had the degree of impact upon the infosec arena that experts predicted it would only a few years ago. Some consultancies based their business strategies on alliances with insurance companies, with little to show for their efforts. ]

December 2001 Sieberg's Top Ten Tech Stories of 2001

CNN.com Science and Technology Editor Daniel Sieberg offers his list of the top ten technology stories of 2001, including Code Red, the FBI's Magic Lantern project, Dmitry Sklyarov's arrest under the Digital Millennium Copyright Act (DMCA) and Richard Clarke's appointment as "cybersecurity czar."
-http://www.cnn.com/SPECIALS/2001/yir/stories/technology/

---

TUTORIALS

14 December 2001 Rootkit Basics

This article describes rootkits and their purposes and activities, and suggests ways to detect their presence on your system. The author also recommends installing firewalls on network-connected machines, applying software patches as they become available and removing unnecessary services.
-http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html

13 December 2001 Blended Threats

Blended threats make use of multiple methods of propagation, attack multiple points in a system and require no human action to spread. The best defense against blended threats is a comprehensive security strategy that includes antivirus software, content filtering, firewalls, intrusion detection and keeping current with patches.
-http://enterprisesecurity.symantec.com/article.cfm?articleclass=967&Pclass=9
834967&Eclass=151

---

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz