Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #3

January 16, 2002


Salary growth has slowed for security people, after rapid growth for
several years, but bonuses and premiums are boosting pay for those with
strong technical skills (demonstrated by GIAC certifications and CISA
audit certifications). Foote Partner's quarterly IT salary, skills and
certification survey covers more than 28,000 employees and David Foote
presented the latest survey data in a web broadcast archived at
http://searchsecurity.techtarget.com/onlineEventsTranscriptSecurity/
1,289693,sid14_gci777176,00.html


Saturday is the last day for registering for the SANS Security Bootcamp
program in Monterey, February 9-14, before the late fee kicks in.
Bootcamp is the most intense learning environment most security
professionals will ever experience. Courses run during the day and
special Bootcamp sessions run at night. If you are seeking advanced
security education that gives you the tools, tips and techniques to get
up to speed fast, this is the ideal training opportunity. Most people
who have attended SANS conferences in Monterey say it is the best place
in the country to go to a conference - especially with the program
running right next to Fisherman's Wharf.
http://www.sans.org/Bootcamp.htm


Alan

TOP OF THE NEWS

15 January 2002 Solaris Buffer Overflow Being Exploited
14 January 2002 Congress May Take New Look At Software Protection from Product Liability For Security Flaws
11 January 2002 Incidents Reported to CERT/CC Doubled in 2001
10 January 2002 FedCIRC Says Hacking is Down
10 January 2002 DeCSS Author Indicted
9 January 2002 AIM Fix Has Back Door
7 January 2002 Cross-Site Scripting Vulnerability in Citibank Payment Service Site

THE REST OF THE WEEK'S NEWS

15 January 2002 Justice Department Forms New Anti-hacker Unit
14 January 2001 Wireless LANs at Airports Pose Security Threat
11 January 2002 Gigger Virus
11 January 2002 Cyber Law Predictions
11 January 2002 Opinion: Microsoft Not Focused on Security
11 January 2002 Report Makes Federal Cyber Security Recommendations
11 January 2002 Financial Companies Looking Into Biometrics
11 January 2002 Human Firewall Survey Reveals Employees' Lack of Security Knowledge
10 & 11 January 2002 Microsoft Says Donut is Not .Net Virus
10 January 2002 DoubleClick Drops Targeting Service
9 & 10 January 2002 IRS Computers Missing
9 January 2002 Guarding Against Socially Engineered Attacks
9 January 2002 Cracker Pleads Guilty to DoE Lab Intrusion
8 & 9 January 2002 Macromedia Flash Virus is Not Much of a Threat
8 & 9 January 2002 CSTB Report Says Companies are Neglecting Security
8 January 2002 Security Advice Confuses
8 January 2002 Microsoft Investigates Purported IE Hole
7 January 2002 Virus Writers Justify their Work
7 January 2002 Crowell Supports GovNet
4 January 2002 Report Considers Al-Qaeda Cyber Capabilities


*********** This issue sponsored by NetIQ Corporation ***************
FREE Security White Paper from NetIQ!
Between 60% and 90% of the time IT managers spend resolving problems is
lost to diagnostics. Wouldn't you like to significantly reduce that
percentage?
Download NetIQ's FREE white paper,
"Security Event Correlation: Where Are We Now?"
http://www.netiq.com/f/form/form.asp?id=421
***********************************************************************

TOP OF THE NEWS

15 January 2002 Solaris Buffer Overflow Being Exploited

The HoneyNet project reported that a buffer overflow problem in Solaris, reported and patched two months ago, is now being exploited by attackers. CERT offered an advisory recommending the patch be applied or the affected service.
-http://news.cnet.com/news/0-1003-200-8495923.html?tag=lh
The CERT advisory:
-http://www.cert.org/advisories/CA-2002-01.html

14 January 2002 Congress May Take New Look At Software Protection from Product Liability For Security Flaws

Rep. Rick Boucher (D-Va.) who co-chairs the Congressional Internet Caucus said . "The producers of software should be responsible for any flaws that the software contains," especially if the flaws lead to hacking."
-http://www.latimes.com/news/nationworld/nation/la-011402micro.story

11 January 2002 Incidents Reported to CERT/CC Doubled in 2001

The number of security incidents reported to the Computer Emergency Response Team Coordination Center (CERT/CC) in 2001 was more than double the number reported the previous year, from 21.756 to 52,658. The number of alerts nearly doubled, up from 26 to 41. Much of the increase is attributable to heightened security awareness.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67318,00.html

10 January 2002 FedCIRC Says Hacking is Down

The Federal Computer Incident Response Center (FedCIRC) says that the incidence of hacking has fallen since the terrorist attacks of September 11. Reasons offered for the decrease are improved security practices and intrusion detection tools and legislation that treats hackers as terrorists.
-http://www.theregister.co.uk/content/55/23628.html
[Editor's (Murray) Note: It is naive to believe that legislation that does not result in prosecutions has any impact on behavior. (Paller) FedCIRC is to be congratulated, but the decline in attacks reported by federal sites is not being replicated elsewhere. One needs only to look at the defaced web site mirror at Alldas.de to see that December was the highest month for such hackings since the summer.
-http://defaced.alldas.de/?archives=complete]

10 January 2002 DeCSS Author Indicted

Jon Johansen, a Norwegian man who co-authored the DeCSS utility, has been indicted in hacking charges and could face between 6 months and 2 years of incarceration.
-http://www.wired.com/news/politics/0,1283,49638,00.html
-http://www.securityfocus.com/news/306
-http://news.cnet.com/news/0-1005-200-8434181.html?tag=prntfr

9 January 2002 AIM Fix Has Back Door

AIMFilter, a fix for the AIM vulnerability, contains a back door that lets the program's author redirect users' browsers to pay-for-click sites.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67214,00.html
-http://www.theregister.co.uk/content/55/23596.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,5101490,00.html

7 January 2002 Cross-Site Scripting Vulnerability in Citibank Payment Service Site

A security researcher has found a cross-site scripting vulnerability in C2it.com, Citibank's on-line payment service. The security hole could expose customer account data and even allow attackers to move money out of customer accounts.
-http://www.msnbc.com/news/683646.asp?0dm=T225T
[Editor's (Murray) Note: Characterizing this activity as "security research" is inappropriate, not to say destructive. ]

THE REST OF THE WEEK'S NEWS

15 January 2002 Justice Department Forms New Anti-hacker Unit

The new unit has six full-time prosecutors and will focus on Cybercrime and cyber-terrorism. Prosecutors in nine other cities have also formed Cybercrime units.
-http://www.cnn.com/2002/TECH/industry/01/15/catching.hackers.ap/index.html

14 January 2002 Wireless LANs at Airports Pose Security Threat

Some airlines are using wireless LANs with no encryption for baggage matching and curbside check-in applications. These insecure wireless networks could put flight operations systems at risk.
-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO67344,00.html

11 January 2002 Gigger Virus

The Gigger virus arrives as an attachment purporting to be a Microsoft security update and tries to delete files from infected computers' hard drives. The JavaScript virus spreads via Outlook address books and mIRC. Antivirus vendors are updating their software to detect the virus and protection is now largely in place."
-http://www.zdnet.com/zdnn/stories/news/0,4586,2838401,00.html?chkpt=zdhpnews01
-http://www.theregister.co.uk/content/56/23652.html

11 January 2002 Cyber Law Predictions

Ten experts in cyber legal matters predict what 2002 holds for Internet law and policy.
-http://www.nytimes.com/2002/01/11/technology/11CYBERLAW.html
(please note: free registration required)

11 January 2002 Opinion: Microsoft Not Focused on Security

Jim Rapoza maintains Microsoft consistently places security behind productivity when designing software, thereby inviting security problems. He conceded that the company has made some headway in the area of server security.
-http://www.zdnet.com/zdnn/stories/comment/0,5859,5101601,00.html
[Editor's (Schultz) Note: Until the public clamors for greater security in vendor products, vendors are unlikely to pay greater attention to security concerns. And, as I have said so many times before, the real problem is not security per se, but rather lack of quality in software development. (Murray) It seems clear that MS users would like to have security if it were free. There is no evidence to suggest that they will give up productivity (or even generality or flexibility) to get it. ]

11 January 2002 Report Makes Federal Cyber Security Recommendations

A Heritage Foundation report strongly recommends that President Bush designate Global Positioning Satellite (GPS) radio frequencies and network systems as critical infrastructure to bolster their security. The report makes other recommendations as well, including creating a center to allow all levels of government to share information and intelligence, and securing all federal networks and information systems.
-http://www.fcw.com/fcw/articles/2002/0107/web-heritage-01-11-02.asp

11 January 2002 Financial Companies Looking Into Biometrics

Financial services companies are considering biometrics for customer identification. Some companies already use the technology to restrict employee access to server rooms. Citibank hopes to offer its customers several biometric identification options.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67314,00.html

11 January 2002 Human Firewall Survey Reveals Employees' Lack of Security Knowledge

A survey conducted by the Human Firewall project illustrates the knowledge gap between security managers and most other employees. Many employees were unable to identify safe passwords and most are unaware of their companies' security policies.
-http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO67319,00.ht
ml

10 & 11 January 2002 Microsoft Says Donut is Not .Net Virus

Antivirus vendors are calling Donut the first .Net virus, but Microsoft maintains it is merely a reworked Windows virus. The virus does not self-propagate; users become infected by receiving deliberately sent e-mail or from a web site. The virus does not damage computers, but it does infect other .Net files.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67256,00.html
-http://news.cnet.com/news/0-1003-200-8444607.html?tag=prntfr
-http://news.cnet.com/news/0-1003-201-8447073-0.html?tag=prntfr

10 January 2002 DoubleClick Drops Targeting Service

DoubleClick discontinued its Intelligent Targeting service late last year. The service allowed advertisers to send ads to Internet users based on their surfing habits.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67262,00.html

9 & 10 January 2002 IRS Computers Missing

A recent Treasury Department audit revealed that the Internal Revenue Service (IRS) could not account for more than 2300 of its computers. An agency spokesman said that almost 1600 of the machines have been located. He also said that taxpayer information was not compromised despite the fact that the missing machines likely contain tax return and audit information.
-http://news.cnet.com/news/0-1005-200-8418759.html?tag=owv
-http://www.wired.com/news/politics/0,1283,49615,00.html

9 January 2002 Guarding Against Socially Engineered Attacks

In the second of two articles about social engineering, the author discusses preventing, spotting and dealing with socially engineered attacks. Companies should implement security policies, use good physical security practices and train their staff. They should also have procedures in place for handling socially engineered attacks when they occur.
-http://www.securityfocus.com/infocus/1533
[Editor's (Schultz) Note: Social engineering is something about which virtually all information security professionals know, but the overwhelming majority of the papers and talks on this issue focus on the problem, not effective solutions. Granger's piece is a refreshing exception to this trend. (Murray) We have been dealing with this attack since Eve. We are not much better at resisting it now than we were then. It must exploit some fundamental vulnerability. ]

9 January 2002 Cracker Pleads Guilty to DoE Lab Intrusion

Benjamin Troy Breuninger, who uses the hacker alias "Konceptor," pleaded guilty to breaking into the computer network at Lawrence Livermore National Laboratory, admitting he downloaded data and agreed that he caused $20,000 worth of damage. Breuninger will be sentenced on April 12; he could receive up to 5 years in prison, a $250,000 fine plus a requirement for restitution.
-http://www.gcn.com/vol1_no1/daily-updates/17736-1.html
-http://www.securityfocus.com/news/305

8 & 9 January 2002 Macromedia Flash Virus is Not Much of a Threat

SWF/LFM-926 is a proof of concept Macromedia Flash virus that can infect other Flash files. It has a relatively weak vector of infection: to become contaminated, users must download an infected Flash file and view it in a different player; viewing a Flash film in a browser will not infect a machine. While this virus is not a large threat, future variants could be more aggressive.
-http://www.cnn.com/2002/TECH/internet/01/09/macromedia.virus.reut/index.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,5101425,00.html?chkpt=zdhpnews01
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1750000/1750775.stm

8 & 9 January 2002 CSTB Report Says Companies are Neglecting Security

A report from the National Academy of Science's Computer Science and Telecommunications Board (CSTB) says that US companies are not using available security measures to protect themselves from cyber attacks. The CSTB encourages companies to conduct random security testing, use strong authentication systems and train all employees in the proper use of security tools. Furthermore, the report suggests that companies producing unsecure software should be held liable.
-http://www.securityfocus.com/news/304
-http://www.wired.com/news/technology/0,1282,49570,00.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67238,00.html

8 January 2002 Security Advice Confuses

The recent confusion surrounding the Universal Plug and Play security problems in Windows XP underscores the difficulty users face in deciding where to turn for reliable security information and advice.
-http://www.msnbc.com/news/682227.asp?0dm=C235T

8 January 2002 Microsoft Investigates Purported IE Hole

An alleged vulnerability in Internet Explorer versions 5.5 to 6 could allow crackers to spoof web sites, steal cookie information and read local files on affected computers. The hole is due to Microsoft's failure to comply with the "same-origin policy." Microsoft is looking into the problem and has expressed displeasure at the method of disclosure.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67199,00.html

7 January 2002 Virus Writers Justify their Work

Some virus writers justify their activity by claiming it helps other people learn about security and provides jobs for security experts. They also claim that releasing an exploit anonymously is safer than going directly to the software companies with the vulnerability because they might be accused of hacking. Detractors say they have never heard of a software company prosecuting someone who came forward with information about vulnerabilities.
-http://www.wired.com/news/culture/0,1284,49483,00.html

7 January 2002 Crowell Supports GovNet

Cylink Corp. CEO, Bill Crowell, who is a former National Security Agency (NSA) deputy director, supports the creation of GovNet, a secure government network not connected to the Internet, and says that the private sector should consider doing the same thing.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67138,00.html
[Editor's (Murray) Note: GovNet as a strategy is "defense in depth." It will be interesting to see how successful the operators are in resisting connections to the broader network. ]

4 January 2002 Report Considers Al-Qaeda Cyber Capabilities

A report from the Canadian Office of Critical Infrastructure Protection and Emergency Services suggests that al-Qaeda's financial resources could allow the terrorist organization to mount cyber attacks against critical infrastructure targets. Such an attack could have a devastating ripple effect.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO66092,00.html


==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz