
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #30

July 23, 2002

TOP OF THE NEWS

22 July 2002 Feds Endorse Security Benchmarks
22 July 2002 Homeland Security Strategy Calls For Widespread Background Checks.
17 July 2002 Hacking Part of Chinese War Threat
17 July 2002 Student Charged With Hacking To Boost Her Grades
16 July 2002 House Votes To Increase Cybercrime Penalties

THE REST OF THE WEEK'S NEWS

22 July 2002 Congressman Davis Asks For Security Benchmarks In Homeland Security Act
22 July 2002 PHP Hole Puts Web Servers At Risk
19 July 2002 Movie Industry Tracking Down Individuals Trading Music Files
19 July 2002 Supova Worm Spreading Through Kazaa Network
15 July 2002 Frethem.K fits worm is spreading.
18 July 2002 Microsoft's Gates Says $100 Million Spent On Security
18 July 2002 Blue Cascades Report Cites Major Response Deficiencies
18 July 2002 Department of Homeland Security: NIST Out, Security Teams In
18 July 2002 Yahoo Mail Filters Fixed
17 July 2002 European and US Lawmakers Work On Internet Security/Privacy Issues
17/18 July 2002 National Strategy For Securing Cyberspace Due September 11
16 July 2002 South Korean Activists Threaten DOS Protest Attack on US
16 July 2002 Liberty Alliance Network Identity Sign-On Standard Unveiled
16 July 2002 Microsoft Backs SAML Standard
16 July 2002 CERT: Reported Security Flaws Increasing
15 July 2002 Cyberforensics Increasingly Used To Track Down Criminals

TUTORIALS ON HACKER TOOLS

IN-DEPTH TECHNICAL SECURITY TRAINING (AND SECURITY MANAGEMENT COURSES) IN THE NEXT 120 DAYS



TOP OF THE NEWS

22 July 2002 Feds Endorse Security Benchmarks

A coalition of technology users in industry, academia, and government joined to publish a Windows 2000 minimum security configuration benchmark -- the first in a series of benchmarks for strengthening security on systems.
-http://www.fcw.com/fcw/articles/2002/0722/pol-win-07-22-02.asp
-http://zdnet.com.com/2100-1105-944801.html
An eWeek evaluation of the testing program:
-http://www.eweek.com/article2/0,3959,392579,00.asp
Download the benchmarks and testing tools:
-http://www.cisecurity.org

22 July 2002 Homeland Security Strategy Calls For Widespread Background Checks

The National Strategy for Homeland Security released last week calls for background checks of people managing IT systems in corporations that make up the nation's critical infrastructure. The report specifically says, "Personnel with privileged access to critical infrastructure, particularly [IT-based] control systems, may serve as terrorist surrogates by providing information on vulnerabilities, operating characteristics and protective measures."
-http://www.computerworld.com/securitytopics/security/story/0,10801,72921,00.html
The complete strategy document is posted at
-http://www.whitehouse.gov/homeland/book/index.html

17 July 2002 Hacking Part of Chinese War Threat

A Pentagon assessment of the threat China poses to its neighbors says that computer hacking may be one of the tools China uses in executing its goal of surprise, deception and shock. According to the report, China is exploring coercive strategies designed to bring Taipei to terms quickly.
-http://www.cnn.com/2002/WORLD/asiapcf/east/07/13/china.taiwan/index.html
[Editor's Note (Ranum): Napoleon Bonaparte once commented that "given the chance, a wise commander would employ lightning bolts if they are available." Given the choice between hacking and ballistic warheads, I'm amazed anyone sees hacking as a real concern in this case. ]

17 July 2002 Student Charged With Hacking To Boost Her Grades

Darielle Insler, a 22-year-old University of Delaware student, allegedly changed her grades in a math and a science class from "F's" to "A's". She apparently fooled the human resources department into setting new passwords for instructor accounts. She is charged with multiple counts of identity theft and unauthorized access and misuse of information on a computer system.
-http://www.msnbc.com/news/781682.asp

16 July 2002 House Votes To Increase Cybercrime Penalties

The US House of Representatives voted 385 to 3 to increase to 20 years the maximum penalty for knowingly attempting to cause serious injury through a cyberattack.
-http://www.cnn.com/2002/TECH/industry/07/16/cybercrime.ap/index.html
-http://www.usatoday.com/life/cyber/tech/2002/07/16/cybercrimes.htm



THE REST OF THE WEEK'S NEWS

22 July 2002 Congressman Davis Asks For Security Benchmarks In Homeland Security Act

Rep. Tom Davis (R, VA), who chairs the House Government Reform Subcommittee on Technology and Procurement Policy, wrote to House Majority Leader Dick Armey asking him to include minimum security benchmarks in the Homeland Security Act. Davis' letter said the bill's provisions would "significantly strengthen federal cyberpreparedness by requiring all agencies to implement specific, baseline security standards."
-http://www.gcn.com/vol1_no1/daily-updates/19403-1.html

22 July 2002 PHP Hole Puts Web Servers At Risk

A security hole in the PHP Hypertext Preprocessor (PHP) scripting language used on many Web servers could allow an attacker to execute code on affected systems or even take control of them.
-http://www.computerworld.com/softwaretopics/software/appdev/story/0,10801,72920,00.html
The advisory, a fixed version of PHP, and a workaround for the problem were released by the PHP Group and are available at:
-http://www.php.net/release_4_2_2.php
[Editor's Note (Grefer): PHP is a recursive acronym. ]

19 July 2002 Movie Industry Tracking Down Individuals Trading Music Files

The Motion Picture Association of America uses a specialized search engine to track down copyrighted movies, then requests that the ISP require the user to get rid of the file or lose their Internet connectivity. MPAA says more than 100,000 users have gotten cease and desist letters from their ISPs, and most comply.
-http://www.siliconvalley.com/mld/siliconvalley/news/3697951.htm
-http://www.nando.net/technology/v-text/story/472025p-3771890c.html

19 July 2002 Supova Worm Spreading Through Kazaa Network

The Supova worm is spreading through the Kazaa music and video file sharing network. It destroys system files and then launches denial of service attacks against religious web sites.
-http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=54692&REQSTR1=silicon.com
For a more technical description:
-http://www3.ca.com/virusinfo/virus.asp?class=12565
-http://securityresponse.symantec.com/avcenter/venc/data/w32.supova.worm.html

15 July 2002 Frethem.K fits worm is spreading.

Frethem has many of the characteristics of last year's mass-mailing worms. It uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files.
-http://www.incidents.org/diary/index.html?id=163
-http://www.sophos.com/virusinfo/analyses/w32frethemfam.html

18 July 2002 Microsoft's Gates Says $100 Million Spent On Security

Microsoft's Chairman Bill Gates claims that delaying development to improve security has cost the company $100 million. Despite these efforts, the company continues to release security fixes weekly, sometimes daily.
-http://www.reuters.com/news_article.jhtml?type=technologynews&Storyclass=1221950

[Editor's Note (Schultz): Let's be fair to Microsoft. Just because bugs are being found in current and older releases does not mean that Microsoft's efforts to improve the security of its codes are a failure. The real test will be new releases which, given what I have heard from engineers who work at Microsoft, are likely to be less bug-riddled. ]

18 July 2002 Blue Cascades Report Cites Major Response Deficiencies

Blue Cascades was last month's high-level exercise sponsored by the Pacific Northwest Economic Region (PNWER). It tested the region's vulnerability to power outages and telecommunications failures. Among other conclusions, the report said that Blue Cascades showed that neither corporate nor government officials recognize their "overwhelming dependency upon IT-related resources to continue business operations and execute recovery plans."
-http://computerworld.com/newsletter/0%2C4902%2C72807%2C0.html?nlid=PM
[Editor's Note (Northcutt): This exercise was cosponsored by FEMA, the US Navy, and the Canadian Office of Critical Infrastructure Protection and Emergency Preparedness. The invitation and additional information about it can be found at
-http://www.pnwer.org/pris/invitation.html]

18 July 2002 Department of Homeland Security: NIST Out, Security Teams In

The US House Select Committee writing the Department of Homeland Security Act decided not to include the Computer Security Division of the National Institute of Standards and Technology in the new division. Instead it is to stay at NIST. The House's version also establishes Information Security Teams to test security of federal agencies and assist them in improving security.
-http://www.govexec.com/dailyfed/0702/071802td1.htm

18 July 2002 Yahoo Mail Filters Fixed

Yahoo! has altered the filters it was using to replace words in malicious scripts. An error in the filters caused them to replace words throughout messages sent to Yahoo! users, not just in the scripts.
-http://www.idg.net/ic_888927_1794_9-10000.html
-http://www.reuters.com/news_article.jhtml?type=internetnews&Storyclass=1215563

17 July 2002 European and US Lawmakers Work On Internet Security/Privacy Issues

Members of the European Parliament met with US legislators, regulators and Vice President Cheney this week to "debate." Arlene McCarthy, a member of the European Parliament said, "Expectations aren't that the two approaches to Internet policy will become identical, but that they can be compatible enough to help facilitate global commerce and enforcement."
-http://computerworld.com/governmenttopics/government/policy/story/0,10801,72771,00.html

[Editor's Note (Schultz): Achieving any kind of agreement is going to be exceptionally difficult. The US and Europe are worlds apart when it comes to privacy expectation. ]

17/18 July 2002 National Strategy For Securing Cyberspace Due September 11

Richard Clarke, the President's computer security adviser, said Wednesday that an upcoming national plan to protect cyberspace will include expectations for home users, as well as large companies and the government. The new plan will be the Internet component of the national strategy for homeland security announced by President Bush. The CNN article also talks about plans for PC standards and tools to help users keep their systems secure as part of the strategy.
-http://story.news.yahoo.com/news?tmpl=story2&cid=528&ncid=528&e=1&u=/ap/20020717/ap_on_hi_te/computer_security_14
-http://www.cnn.com/2002/TECH/ptech/07/18/computer.security.ap/index.html

16 July 2002 South Korean Activists Threaten DOS Protest Attack on US

The White House and military web sites are the targets of a threatened attack by South Korean activists angry about the deaths of two girls struck by a US military vehicle on a road north of Seoul. The soldiers driving the truck have been indicted and could face up to six years in prison.
-http://www.usatoday.com/life/cyber/tech/2002/07/16/south-korea-cyber-attack.htm

16 July 2002 Liberty Alliance Network Identity Sign-On Standard Unveiled

The Liberty Alliance, a Sun-backed consortium, released technical specifications for federated network identity sign-on as a secure method for identifying individuals using any manner of internet-connected devices. Such standards will help Internet merchants maintain ownership of their client data while sharing lead information with others. Version 1.0 does not cover personal data, but provides a format for exchanging authentication information while holding the identity of the user safe.
-http://computerworld.com/newsletter/0%2C4902%2C72725%2C0.html?nlid=WK
-http://www.theregister.co.uk/content/4/26210.html
The Liberty Alliance is an alternative to Microsoft's Passport program. Liberty's press release may be found at:
-http://www.projectliberty.org/press/releases/2002-07-15-1.html

16 July 2002 Microsoft Backs SAML Standard

Microsoft architect Kim Cameron said that Microsoft would back Security Assertion Mark-up Language (SAML), which was developed by the twelve members of OASIS (Organization for the Advancement of Structured Information Standards). This announcement raises the possibility of greater interoperability with standards supported by other groups, including Sun Microsystems.
-http://www.theregister.co.uk/content/4/26211.html

16 July 2002 CERT: Reported Security Flaws Increasing

Larry Rogers of the CERT Coordination Center at Carnegie Mellon University reports that the number of reported security flaws has jumped from 2,400 for all of last year to more than 1,000 for just the first three months of this year.
-http://news.zdnet.co.uk/story/0,,t269-s2119219,00.html

15 July 2002 Cyberforensics Increasingly Used To Track Down Criminals

The FBI recently made a case against a New Jersey gambling operation using data obtained with a password uncovered through a keystroke logging program. Police are finding it easier to get electronic records because of the Patriot Act passed in the aftermath of September 11. Privacy advocates are concerned police have too much power to snoop.
-http://abcnews.go.com/sections/us/DailyNews/cybersleuth020715.html
[Editor's Note (Northcutt): This is a well written article. A very clear expression of the concerns of privacy advocates is the ACLU briefing on the subject:
-http://www.aclu.org/congress/l110101a.html]


TUTORIALS ON HACKER TOOLS

These are two excellent articles summarizing hacker tools.

The Symantec article provides foundation knowledge, while the article by Ed Skoudis called "Faster, Stealthier? More Dangerous," in Information Security magazine, provides a unique look at the newest developments in hacker techniques. (The following is a shameless plug) Ed is one of the two lead faculty members for SANS Hacker Exploits hands-on class and also one of the two highest rated speakers on the topic in the world.

Symantec:
-http://enterprisesecurity.symantec.com/article.cfm?articleid=1398&Pclass=12493901&Eclass=0

Skoudis:
-http://www.infosecuritymag.com/2002/jul/faster.shtml



Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz