SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #27

July 03, 2002


Preliminary data from the SANS 2002 Security/Sysadmin Salary Survey:
- Average salary: $69,340 (median $67,000)
- Average bonus: 14.5% of base salary (median 10%)
- Average salary increase: 7% (down from 11.6% in 2000)
- Global patterns (variance from global average): US +5.6%, UK -9.7%,
Other W. Eur -13.3%, Australia -27.7%, Canada -34%,
Latin & S. America -51.2%
- US regional patterns (variance from US average): NY/NE +9.3%,
West Coast +4.2%, Mid-Atlantic +2.6%, Southwest -3.8%,
Southeast -5.6%, Midwest -6.1%


More data from the survey, including data on career paths (a new
feature this year) and factors affecting job satisfaction, is at the
end of this NewsBites.


The SANS salary survey is continuing through the summer.
You may get detailed data from the survey by filling it out at
http://rr.sans.org/survey. In the process, you will also get access
to the 2,000 unique security research papers in the SANS Reading Room.
In a separate salary survey, reported in the second story below, SANS
GIAC and CISSP certifications accounted for the largest "certification
premium pay," ranging up to more than 10%.


Alan

TOP OF THE NEWS

25 & 27 June 2002 NIST Study Says Software Flaws Cost the Country a Bundle
1 July 2002 Security Salaries Up, Raises and Bonuses Down; Certification Pays
1 July 2002 BIND and BSD Resolver Library Buffer Overflow Flaw
25, 26 & 27 June 2002 OpenSSH Buffer Overflow Vulnerability
27 June 2002 al Qaeda Could Pose Significant Cyber Threat to US Critical Infrastructure
30 June 2002 Massive Cyber-Terrorism on Critical Infrastructure Unlikely, Say Experts
25 & 26 June 2002 IT Professionals Not Confident Government Could Handle a Cyber Attack

THE REST OF THE WEEK'S NEWS

28 & 30 June 2002 Media Player Patch EULA Harbors a Surprise
26 & 27 June 2002 Windows Issues Patch for Media Player Vulnerabilities
27 June 2002 Microsoft Issues a Patch for Commerce Server Holes
28 June 2002 GameSpy Installer Infected with Nimda
26 June & 1 July 2002 Yaha.E Worm Targets Pakistani Government Site
27 June 2002 W32.dotor.A
25, 26 & 27 June 2002 Legislation Would Okay Hacking Back at Filesharing Copyright Violators
27 June 2002 Polish Prosecutors Looking for NASA Hacker
26 June & 1 July 2002 Warchalking
24 & 26 June 2002 Florida Man Arrested for Keystroke Logging
26 June 2002 Site Will Tell You if Your Credit Card Number has Been Stolen
26 June 2002 Who's Who in Government Cyber Security
26 June 2002 BestBuy Files Suit Against Spammers
26 June 2002 A Timeline of Worms, Viruses and Other Cyber Attacks
25 June 2002 Near North Suit Alleges Former Employees Stole Sensitive Data
25 June 2002 Broadband Modem Password Problems
25 June 2002 NIPC, NIST and SBA to Offer Vulnerability Seminars for Small Businesses
25 June 2002 FBI Deluged with Applicants
24 June 2002 Mitnick Testifies at Las Vegas Call Diversion Hearing
24 June 2002 Microsoft Will Release Some Palladium Source Code
22 June 2002 TSA Won't Endorse Trusted Traveler Airport Security Project


******************* This Issue Sponsored by VeriSign *****************
The Value of Trust
FREE E-COMMERCE SECURITY GUIDE
Is your e-business built on a strong, secure foundation? Find out
with VeriSign's FREE White Paper, "Building an E-Commerce Trust
Infrastructure." Learn how to authenticate your site to customers,
secure your web servers with 128-Bit SSL encryption, and accept secure
payments online.
Click here: http://www.verisign.com/cgi-bin/go.cgi?a=n20390091010057000
**********************************************************************

TOP OF THE NEWS

25 & 27 June 2002 NIST Study Says Software Flaws Cost the Country a Bundle

According to a National Institute of Standards and Technology (NIST) study, "buggy software" costs the US $59.9 billion annually, with the lion's share of the burden falling on consumers. Better testing could reduce the cost by as much as one third, or $22 billion.
-http://www.computerworld.com/managementtopics/management/itspending/story/0,10801,72245,00.html
-http://www.vnunet.com/News/1133047
-http://www.nist.gov/public_affairs/releases/n02-07.htm
[Editor's Note (Schultz): Good testing is only a part of good software engineering practices. Using the full gamut of software engineering practices would reduce the cost substantially more. ]

1 July 2002 Security Salaries Up, Raises and Bonuses Down; Certification Pays

Two salary surveys agree that raises for security professionals are down substantially, but they are still getting better raises than their peers in other areas of IT. Security certifications from GIAC and ISC2 lead to substantial pay premiums.
-http://www.nwfusion.com/news/2002/0701secpros.html
-http://www.computerworld.com/careertopics/careers/story/0,10801,72432,00.html

1 July 2002 BIND and BSD Resolver Library Buffer Overflow Flaw

A buffer overflow flaw in BIND and BSD resolver libraries could allow attackers to take control of vulnerable systems. If applications dynamically link to the library, the problem can be fixed by updating the library. However, if the libraries are embedded, administrators will have to recompile the applications.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,72408,00.html

25, 26 & 27 June 2002 OpenSSH Buffer Overflow Vulnerability

Open Secure Shell (OpenSSH) versions 3.0 - 3.2.3 on OpenBSD and other operating systems are susceptible to buffer overflow attacks. The vulnerability could be exploited to gain control of the computer with a high level of access. OpenSSH developers have made a patch available; users are encouraged to apply the patch or upgrade to OpenSSH 3.4.
-http://www.linuxsecurity.com/articles/cryptography_article-5185.html
-http://www.theregister.co.uk/content/55/25910.html
-http://zdnet.com.com/2100-1105-939887.html
-http://www.openssh.com/txt/preauth.adv
-http://www.cert.org/advisories/CA-2002-18.html
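As an added example (not part of the newsletter and not OpenSSH project code), the following Python triage classifies SSH identification banners against the version range reported in this item: 3.0 through 3.2.3 affected, 3.4 the fixed release. The host names and banners are constructed; a banner check is only a first pass, because a server patched in place or running a vendor backport can still announce an affected version number.

```python
import re

# Version range from the advisory summary above: OpenSSH 3.0 through 3.2.3
# affected, 3.4 the fixed release. Stored as (major, minor, patch) tuples so
# that plain tuple comparison orders versions correctly.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 2, 3)
FIXED = (3, 4, 0)

# SSH identification string, e.g. "SSH-2.0-OpenSSH_3.2.3p1": protocol version,
# then the software name and version; a "p1"-style portable suffix is ignored.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)")


def parse_openssh_version(banner):
    """Return the OpenSSH version as a 3-tuple, or None for a non-OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    parts = [int(p) for p in m.group("ver").split(".")]
    while len(parts) < 3:          # "3.4" -> (3, 4, 0)
        parts.append(0)
    return tuple(parts[:3])


def classify(banner):
    """Classify one banner against the advisory's version range."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    # Older than 3.0, or a release between 3.2.3 and 3.4: not covered by the
    # range quoted here, so check the vendor advisory rather than assuming.
    return "not-in-advisory-range"


def triage(inventory):
    """Map each host to its classification; inventory is {host: banner}."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host names and banners are made up).
SAMPLE_INVENTORY = {
    "bastion.example.net": "SSH-1.99-OpenSSH_3.1p1",
    "build.example.net": "SSH-2.0-OpenSSH_3.2.3p1",
    "new.example.net": "SSH-2.0-OpenSSH_3.4p1",
    "legacy.example.net": "SSH-1.5-1.2.27",          # a non-OpenSSH server
}


def affected_hosts(inventory):
    """Hosts whose banner falls inside the affected range, sorted for reporting."""
    return sorted(h for h, c in triage(inventory).items() if c == "affected")


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24} {verdict}")
```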

27 June 2002 Al Qaeda Could Pose Significant Cyber Threat to US Critical Infrastructure

Evidence indicates that al Qaeda's cyber capabilities are stronger than previously thought. Digital control systems for various elements of the nation's critical infrastructure have been probed. Distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems are configured with very little security as they were not designed for public access. Additionally, information found on al Qaeda computers indicates members have been studying the structural integrity of a dam. The Washington Post article also describes the ease with which an Australian man was able to manipulate a digital control system to release sludge from a sewage treatment plant several years ago.
-http://www.washingtonpost.com/wp-dyn/articles/A50765-2002Jun26.html
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_2070000/2070706.stm
-http://www.cnn.com/2002/US/06/27/alqaeda.cyber.threat/index.html

30 June 2002 Massive Cyber-Terrorism on Critical Infrastructure Unlikely, Say Experts

Computer security and terrorism experts are skeptical that al Qaeda could do serious harm to the nation's critical infrastructure with computers.
-http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/06/30/MN152350.DTL

25 & 26 June 2002 IT Professionals Not Confident Government Could Handle a Cyber Attack

Nearly half of 295 IT professionals participating in a recent survey believe the US could be the target of a major cyber attack in the next year; they do not think the government is adequately prepared to deal with an attack and its fallout.
-http://www.gcn.com/vol1_no1/daily-updates/19113-1.html
-http://www.computerworld.com/securitytopics/security/story/0,10801,72268,00.html
-http://www.washingtonpost.com/wp-dyn/articles/A47680-2002Jun26.html


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Stop Unwanted E-Mail at the Server - FREE White Paper on Email
Security
http://www.sans.org/cgi-bin/sanspromo/NB49
(2) WEB SERVER BODY ARMOR! Protect your IIS Web Server with SecureIIS -
FREE Trial
http://www.sans.org/cgi-bin/sanspromo/NB50
***********************************************************************

THE REST OF THE WEEK'S NEWS

28 & 30 June 2002 Media Player Patch EULA Harbors a Surprise

According to the End User License Agreement (EULA), when you install Microsoft's patch for Media Player vulnerabilities, you grant Microsoft the right to force automatic updates on your system.
-http://bsdvault.net/article.php?sid=527&mode=&order=0
-http://www.theregister.co.uk/content/55/25956.html
[Editor's Note (Murray): Without getting into the debate over how much copyright owners should be able to cripple our systems to enforce their rights, few businesses would want to authorize "automatic updates" that might limit their use of their systems. Fewer still rely on Windows Media Player. However, most end users understand that AOL automatically updates their systems at its discretion. ]

26 & 27 June 2002 Windows Issues Patch for Media Player Vulnerabilities

Microsoft has issued a patch for security flaws in its Windows Media Player: an information disclosure vulnerability, a privilege escalation flaw, and a script execution vulnerability. The first and most critical of the flaws could let an attacker run rogue code on a vulnerable computer.
-http://zdnet.com.com/2100-1104-939873.html
-http://zdnet.com.com/2100-1104-940063.html
-http://www.theregister.co.uk/content/55/25919.html
-http://www.microsoft.com/technet/security/bulletin/MS02-032.asp

27 June 2002 Microsoft Issues a Patch for Commerce Server Holes

Microsoft has released a patch for security holes in its Commerce Server software that could be exploited to run unauthorized code on vulnerable computers.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,72282,00.html
-http://www.microsoft.com/technet/security/bulletin/MS02-033.asp

28 June 2002 GameSpy Installer Infected with Nimda

GameSpy Arcade Installer 1.09 was infected with the Nimda virus for several hours last week. An estimated 3,100 infected files were downloaded, and the company is contacting all who might have downloaded the affected software. The installer has been replaced with a clean version. In a separate incident, KaZaA users were exposed to the Backdoor.K0wbot1.3.B virus that contains a "remote backdoor component."
-http://www.theregister.co.uk/content/56/25945.html
-http://www.msnbc.com/news/773650.asp?0dm=T227T

26 June & 1 July 2002 Yaha.E Worm Targets Pakistani Government Site

The Yaha.E worm carries a payload that lobs a slow denial-of-service attack against www.pak.gov.pk, the official website of the Pakistani government. According to some analysis, the worm also tries to disable anti-virus and firewall software. In addition, Hotmail's anti-virus scanner apparently did not detect Yaha.E as of June 26, allowing members to both receive and send the worm. Yaha.E also drops a text file on infected computers that claims the worm is the work of sNAkeeYes,c0Bra.
-http://online.securityfocus.com/news/501
-http://theregus.com/content/56/25389.html
-http://www.vnunet.com/News/1133119

27 June 2002 W32.dotor.A

W32.dotor.A is a mass-mailer worm that poses as a fix for macro viruses. It arrives as an attachment called Doctor.exe.
-http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=54212&REQSTR1=silicon.com
-http://securityresponse.symantec.com/avcenter/venc/data/w32.dotor.a@mm.html

25, 26 & 27 June 2002 Legislation Would Okay Hacking Back at Filesharing Copyright Violators

Congressman Howard Berman (D-Calif.) has proposed legislation that would allow record companies to launch cyber attacks on peer-to-peer content sharing networks that violate copyright laws. Permitted defenses would include interdiction, redirection and spoofing, but the law does not allow damage to computers or the spread of viruses. The legislation would provide for penalties for those who abuse their power.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_2069000/2069747.stm
-http://news.com.com/2100-1023-939333.html
-http://www.theregister.co.uk/content/6/25903.html
Press release:
-http://www.house.gov/berman/pr062502.htm
[Editor's Note (Schultz): I've lamented the lack of relevant computer crime legislation in the past, but this proposed bill is not at all what we need. Giving companies the right to launch attacks against the networks of organizations that engage in peer-to-peer sharing is extremely inappropriate. It is like giving a victim of home theft the right to break into the thief's home. What Congressman Berman is doing is promoting vigilantism instead of helping to promote law and order. Hopefully, this legislation will fail. ]

27 June 2002 Polish Prosecutors Looking for a NASA Hacker

A Polish prosecutor says efforts are underway to find the person who allegedly broke into a NASA computer system, causing an estimated $1 million in damage.
-http://www.reuters.com/news_article.jhtml?type=internetnews&Storyclass=1139929

26 June & 1 July 2002 Warchalking

Matt Jones has devised "warchalking," a system of sidewalk chalk symbols that tell people where they can access wireless network nodes. There are different symbols to denote open, closed, and WEP-protected nodes, and each one is capped with the node's Service Set Identifier (SSID). According to Jones, some system administrators have been appreciative of the system because it helps them know where their networks are exposed.
-http://news.com.com/2100-1033-939546.html
-http://news.bbc.co.uk/hi/english/in_depth/sci_tech/2000/dot_life/newsid_2070000/2070176.stm

Matt Jones's web site:
-http://www.blackbeltjones.com/warchalking/

24 & 26 June 2002 Florida Man Arrested for Keystroke Logging

Dimitri Sinilnikov has been arrested at Pasadena (CA) City College (PCC) as he was attempting to install keystroke capture software. The 48-year-old Mr. Sinilnikov, a.k.a. Michael Negron, was convicted of identity theft in Florida and faces parole violation charges for leaving the state.
-http://chronicle.com/free/2002/06/2002062401t.htm
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,72274,00.html

26 June 2002 Site Will Tell You if Your Credit Card Number has Been Stolen

CardCops has created a web site, http://www.Cardcops.com, where people can enter their credit card numbers to find out if they have been stolen. The group garnered the credit card information from various chat rooms dedicated to credit card fraud, and they have turned their database over to the Secret Service. CardCops says they have secured the database and they do not have people enter their cards' expiration dates.
-http://www.cnn.com/2002/TECH/internet/06/26/identity.theft.ap/index.html

26 June 2002 Who's Who in Government Cyber Security

A list of people involved in the government's cybersecurity efforts includes Bush administration officials, legislators from both houses, and private sector representatives.
-http://www.washingtonpost.com/wp-dyn/articles/A50625-2002Jun26.html

26 June 2002 BestBuy Files Suit Against Spammers

Hackers managed to steal a BestBuy.com e-mail list and used it to send spam with adult content. Best Buy Concepts, Inc. has filed suit in U.S. District Court against the as yet unknown defendants, referred to as John and Jane Doe, seeking damages greater than $75,000.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8399

26 June 2002 A Timeline of Worms, Viruses and Other Cyber Attacks

An overview of virus and cyber-attack milestones.
-http://www.washingtonpost.com/wp-dyn/articles/A50636-2002Jun26.html

25 June 2002 Near North Suit Alleges Former Employees Stole Sensitive Data

Near North National Group has filed a civil lawsuit against three former employees who allegedly broke into company computers and obtained intellectual property and other confidential data and shared it with a Near North competitor. The company is seeking to recover $645,000, the cost of investigating the incident and securing their network. Near North has asked the FBI to investigate.
-http://www.chicagobusiness.com/cgi-bin/news.pl?post_date=2002-06-25&id=5785
-http://www.nnng.com/NewsAtNearNorth/press_releases/pr26.html

25 June 2002 Broadband Modem Password Problems

Many broadband modems are installed with default passwords, leaving them susceptible to hackers and spammers, and the directions for changing the passwords are not always clear or easy. In addition, hackers can access broadband modems even when computers are turned off. A New Zealand programmer who found his modem was compromised wrote a program that looked for vulnerable connections and sent warning messages when they were found. He was threatened with possible legal action.
-http://www.nzherald.co.nz/storydisplay.cfm?storyclass=2048412
[Editor's Note (Grefer): One more reason to place a NATing (network address translating) router directly behind the broadband modem. ]

25 June 2002 NIPC, NIST and SBA to Offer Vulnerability Seminars for Small Businesses

The National Infrastructure Protection Center (NIPC), the National Institute of Standards and Technology (NIST) and the Small Business Administration (SBA) have joined forces to help small businesses identify security vulnerabilities in their computer systems. The alliance will begin by offering seminars in three cities this summer.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8394
-http://csrc.nist.gov/securebiz

25 June 2002 FBI Deluged with Applicants

The FBI has received 47,000 applications for 900 special agent positions that director Robert Mueller hopes to fill with people possessed of strong computer and information technology skills.
-http://www.fcw.com/fcw/articles/2002/0624/web-fbi-06-25-02.asp

24 June 2002 Mitnick Testifies at Las Vegas Call Diversion Hearing

Some purveyors of adult entertainment in Las Vegas, NV have complained that calls to their businesses are being diverted, and Sprint denies the allegation, maintaining their systems have never been compromised. Kevin Mitnick testified at a hearing that he had once gained control of Sprint's switching systems in that city.
-http://online.securityfocus.com/news/497

24 June 2002 Microsoft Will Release Some Palladium Source Code

Microsoft will release the source code to the secure processing environment of Palladium. They hope that releasing the code will boost trust in the project. The group product manager for the Palladium project says releasing the code enhances its security. The statement is an apparent about-face from the company's previous stance on open source code.
-http://news.com.com/2100-1001-938973.html
[Editor's Note (Schultz): Some proprietary software is secure, some is insecure. The same applies to open software. The quality of the development process is the critical value. At any rate, Microsoft deserves credit for trying something new, releasing Palladium as open software, which is quite a bold experiment. ]

22 June 2002 TSA Won't Endorse Trusted Traveler Airport Security Project

The Transportation Security Administration (TSA) will not endorse the "trusted traveler" project, which would use biometric technology and smart cards to allow prescreened passengers a faster route through airport security, because they believe the system could be vulnerable to terrorist infiltration. The White House Office of Homeland Security has shown interest in the project. It is unclear when testing would begin. Civil liberties activists are opposed to the idea.
-http://www.washingtonpost.com/wp-dyn/articles/A25989-2002Jun21.html


==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites

Additional data from the 2002 SANS Security/Sysadmin Salary Survey
- Top paying industries: consulting, system integration, aerospace,
banking, computer and network manufacturing, and telecom.
- Lowest paying industries: education, other not-for-profits, and
government agencies.
- Employers with more than 10,000 employees paid their security and
system administration staff nearly 10% more, on average, than did
smaller employers.
- Security and system administrators who work with UNIX reported
salaries nearly 25% higher than those who work primarily with
Windows systems.

Career Paths in Information Security
For the first time this year, SANS has tabulated information about
career paths by asking what positions people held three years ago.
Since most people are in the same position (at higher levels) the data
is sparse. Still it provides a fascinating picture of mobility among
various security and system administration jobs (with the exception
of auditing, which seems to be more insular). The primary starting
points for people who want to work in security appear to be system
administration, network administration, and help desk analyst.

The Most Important Aspects of Job Satisfaction
Employers can affect job satisfaction for security and system
professionals in dozens of ways. The survey measured 25 of them.
Only five had a large impact:
Number 1:
Management that shows respect for and trust in your decisions
Tied for number 2:
Educational/training opportunity
Ability to work with and learn new, advanced technologies
Challenge of job/responsibility
Number 5:
Base pay
Among the lowest rated aspects were the reputation of the company,
availability of workout facilities, and stock options.


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz