SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IV - Issue #31

July 31, 2002

TOP OF THE NEWS

25 & 26 July 2002 Princeton Admissions Dean Charged with Hacking Yale Admissions Site
26 July 2002 New DoD IDs Will Contain Biometrics
25 July 2002 Eli Lilly Settles Data Exposure Case
25 July 2002 Legal Liability Due to Unsecured Wireless Network
24 & 26 July 2002 Man Indicted for Accessing Wireless Network

THE REST OF THE WEEK'S NEWS

29 July 2002 RIAA Hit with DoS Attack
26 July 2002 Perens Declines to Provide Details on DVD Hack for Fear
of Violating DMCA
25 July 2002 ACLU Case Challenges DMCA on Behalf of Filtering Researcher
29 July 2002 Wireless Honeypot
29 July 2002 Symbols of Security are No Guarantee
26 July 2002 NIST Releases Two More Draft Security Guides
25 July 2002 SQL and Exchange Server Vulnerabilities
25 July 2002 Employees Fired in Grade Altering Scheme at Florida School
25 July 2002 New Security Specification for Flash Memory Cards
25 July 2002 Keeping Your Computer Safe
25 July 2002 NASCIO Takes First Step Toward Forming ISAC
25 July 2002 Police and Computer Science Students Collaborate in Tulsa
23 July 2002 National Cyber Security Strategy Plans to Extend Cyber Corps to State Level
23 July 2002 Microsoft Changes Vulnerability Reporting Method
23 & 24 July 2002 Malware Changes MSNTV Dial Up Number to 911
23 July 2002 NASCIO Report Urges Cooperation, Info Sharing
22 July 2002 The Long Arm of Cyber Law Reaches Beyond National Borders
17 July 2002 Symantec Buys BugTraq

---

************ Sponsored by VeriSign - The Value of Trust ***************
Learn how to build a secure e-commerce site with VeriSign's FREE White
Paper, "Building an E-Commerce Trust Infrastructure." See how you
can authenticate your site to customers, use 128-Bit SSL encryption
to secure your web servers, and accept secure payments online.
Click here: http://www.verisign.com/cgi-bin/go.cgi?a=n11690091010057000
***********************************************************************

---

TOP OF THE NEWS

25 & 26 July 2002 Princeton Admissions Dean Charged with Hacking Yale Admissions Site

Princeton University associate dean of admissions Stephen LeMenager has been placed on administrative leave after evidence surfaced that computers there were used to log in to a Yale University admissions website without authorization. LeMenager maintains he was merely testing the security of the site, which allows Yale applicants to find out whether or not they have been accepted; birthdates and social security numbers are used as authentication tools. The site was apparently accessed from a variety of computers. The FBI is assessing the situation to determine if federal charges are applicable.
-http://www.yaledailynews.com/article.asp?Aclass=19455
-http://www.cnn.com/2002/US/07/25/yale.princeton/index.html
-http://www.washingtonpost.com/wp-dyn/articles/A2983-2002Jul25.html
-http://www.computerworld.com/securitytopics/security/story/0,10801,73065,00.html

26 July 2002 New DoD IDs Will Contain Biometrics

Future generations of Defense Department ID cards will contain biometric data in an embedded computer chip; presently used cards already contain chips with such personal data as name, rank and serial number. The cards will be used not just for physical access to facilities, but also for access to computer files.
-http://www.washingtonpost.com/wp-dyn/articles/A6427-2002Jul26.html
[Editor's Note (Northcutt): Northcutt: This is an amazing project and a victory for Federal Information Processing Standard 140. Netscape has a great FAQ to help get up to speed fast on FIPS 140 -1
-http://developer.netscape.com/tech/security/fips/faq.html
The document itself which is not for the faint of heart:
-http://www.itl.nist.gov/fipspubs/fip140-1.htm
The Schlumberger press release has some more information about the cards:
-http://www1.slb.com/smartcards/infosec/dod.html]

25 July 2002 Eli Lilly Settles Data Exposure Case

Pharmaceutical manufacturer Eli Lilly and eight US states have agreed to a settlement in a case involving Lilly's inadvertent exposure of more that 650 customer e-mail addresses. In addition to paying a $160,000 fine to be split among the states, Lilly must improve internal security practices.
-http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,72978
,00.html
[Editor's Note (Murray): Security managers take note. Do not be misled by the fact that the state was the plaintiff. A one-tme leak of only 650 names results in a $160K loss. I suspect that the cost of litigation was ten times that. ]

25 July 2002 Legal Liability Due to Unsecured Wireless Network

This article discusses a hypothetical liability, but there is an actual case in the Scottish courts that is testing the "downstream liability" concept. A Scottish ISP is suing Nike because hackers were able to redirect people wishing to visit the Nike site, to another site. This disrupted service for the ISP's customers.
-http://techupdate.zdnet.co.uk/story/0,,t481-s2119788,00.html
A brief on the legal aspects may be found at
-http://www.lanepowell.com/pressroom/publications/pdf/matisonk_001.pdf
[Editor's Note (Schultz) To date there has been a lot more "hype" than substance to the downstream liability issue. The verdict of this case will be interesting. If the ruling is in favor of the plaintiff, it could open the door for more downstream liability suits. (Northcutt): The legal story is fascinating and worth tracking. On the technology front for wireless, guest editor Bryce Alexander, GCIA points out: "802.1X is an up and coming standard for layer two security, it grew out of the wireless world, but is equally good at protecting Ethernet. Most people are looking at it as a wireless only security, but I am seeing a lot of support growing for it being used as port level security across the board. It does require some ancillary equipment such as a radius or other authentication server. Network equipment like Cisco Catalyst switches and wireless access points are aware of 802.1x and with it enabled, won't even allow a device onto the network until it is validated with an authentication server. This helps to eliminate most layer two exploits such as ARP poisoning and MITM. Here are a couple of URL's for more information.
-http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceddk40/htm/cm
con8021xauthentication.asp
-http://www.microsoft.com/windowsxp/pro/techinfo/planning/wirelesslan/solutions.a
sp
-http://www.cisco.com/warp/public/784/packet/exclusive/apr02.html]

24 & 26 July 2002 Man Indicted for Accessing Wireless Network

Stefan Puffer has been indicted by a grand jury on two counts of fraud for accessing a wireless network at the county district clerk's office. Puffer allegedly accessed the network on March 8; on March 18, Puffer demonstrated to a county official and a newspaper reporter the ease with which he was able to access the network using only a laptop computer and an inexpensive wireless LAN card. The March 8 intrusion did no damage, but the network has been shut down because it lacked security.
-http://www.chron.com/cs/CDA/story.hts/tech/news/1507766
-http://www.theregister.co.uk/content/55/26397.html

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT! "Combat Web Application Attackers" - FREE 15-day WebInspect
Download http://www.sans.org/cgi-bin/sanspromo/NB57
(2) FREE WEBINAR: Three Steps to 100% Secure Web Applications:
Featuring Hurwitz Group! http://www.sans.org/cgi-bin/sanspromo/NB58
(3) How to keep web application integrity and thwart content defacement
- -- Unconditionally.
FREE WHITEPAPER http://www.sans.org/cgi-bin/sanspromo/NB59
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

29 July 2002 RIAA Hit with DoS Attack

RIAA.org, the web site of the Recording Industry Association of America (RIAA) was hit by a denial-of-service attack lasting from Friday, July 26 until today. No one has claimed responsibility for the attack, which comes after the RIAA endorsed legislation proposed by Representative Howard Berman (D-Calif.) which would allow copyright holders to hack back at peer-to-peer networks which violate copyright laws.
-http://news.com.com/2100-1023-947072.html?tag=fd_top

26 July 2002 Perens Declines to Provide Details on DVD Hack for Fear of Violating DMCA

Bruce Perens had planned to reveal his method for circumventing the protections on US-bought DVD players that prevent them from playing most DVDs purchased in other "zones." His employer, Hewlett Packard, stepped in and convinced him not to disclose the details of his work at an open source convention because they were fearful he would be arrested and prosecuted for violating the Digital Millennium Copyright Act (DMCA).
-http://zdnet.com.com/2100-1104-946792.html
-http://www.wired.com/news/business/0,1367,54168,00.html

25 July 2002 ACLU Case Challenges DMCA on Behalf of Filtering Researcher

The American Civil Liberties Union (ACLU) has filed a lawsuit challenging several parts of the 1998 Digital Millennium Copyright Act (DMCA) on behalf of a young researcher. Ben Edelman evaluates filtering software used in public schools and libraries; the software often includes an encrypted list of banned sites. Edelman wants to decrypt and publish the banned list that accompanies N2H2's filtering software; he also wants to distribute the utility used to decrypt the list.
-http://zdnet.com.com/2100-1106-946270.html
-http://www.reuters.com/news_article.jhtml?type=internetnews&Storyclass=12535
64

29 July 2002 Wireless Honeypot

Researchers at the Science Applications International Corporation (SAIC) have built the Wireless Information Security Experiment (WISE), a wireless honeypot designed to attract wireless hackers and to gather information on their activities. Due to the nature of wireless networks, it may be difficult to differentiate between deliberate war drivers and those who discover the network by accident.
-http://online.securityfocus.com/news/552

29 July 2002 Symbols of Security are No Guarantee

Security seals and lock icons do not guarantee a site's security, according to Netcraft. Many sites that display the images may be vulnerable to security exploits
-http://www.smh.com.au/articles/2002/07/29/1027818508949.html
The article is based on information from the following links:
-http://www.theregister.co.uk/content/6/26344.html
-http://www.netcraft.com/survey/

26 July 2002 NIST Releases Two More Draft Security Guides

The National Institute of Standards and Technology's (NIST's) Computer Security Division has released two more draft guides for federal agencies: a highly technical wireless security guide and a security training guide for CIOs and program managers. Comments on the wireless guide are due September 1; comments on the training guide are due August 16.
-http://www.fcw.com/fcw/articles/2002/0722/web-nist-07-26-02.asp

25 July 2002 SQL and Exchange Server Vulnerabilities

Microsoft has released advisories warning of a variety of security vulnerabilities in SQL Server 2000 database, Exchange Server and metadirectory service. Three of the security flaws, all in SQL Server 2000, are deemed critical: two buffer overflow holes, which could allow an attacker to gain control of vulnerable systems, and a denial-of-service vulnerability. A patch is available.
-http://news.com.com/2100-1001-946333.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,72967,0
0.html
SQL Critical Severity Vulnerabilities:
-http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
SQL Moderate Severity Vulnerabilities:
-http://www.microsoft.com/technet/security/bulletin/MS02-038.asp
Exchange Server advisory:
-http://www.microsoft.com/technet/security/bulletin/MS02-037.asp
Metadirectory advisory:
-http://www.microsoft.com/technet/security/bulletin/MS02-036.asp

25 July 2002 Employees Fired in Grade Altering Scheme at Florida School

Three students have been expelled and two employees fired from Florida Memorial College for their involvement in a grade-altering scheme. Insiders in the registrar's office allegedly used their valid passwords to access and significantly change students' grades in exchange for money. An additional 69 people face disciplinary action. The scheme was discovered during a routine grade audit held in May.
-http://www.miami.com/mld/miamiherald/news/local/3728808.htm

25 July 2002 New Security Specification for Flash Memory Cards

A group of five companies calling itself 5C has announced the creation of the Mobile Commerce Extension Specification for flash memory cards. 5C is hopeful the new specification will make flash memory cards useful and desirable to industries that store sensitive information like medical records and financial data. The specification, which can be used in all major flash memory card formats, will help prevent data from being stolen during wireless transmission, and will be inaccessible if the a lost card is found by a stranger.
-http://news.com.com/2100-1040-946353.html

25 July 2002 Keeping Your Computer Safe

The author advises protecting yourself from lurking cyber dangers by choosing Macs or Linux over Microsoft products. If that is not a possibility, apply all patches, use anti-virus software, firewalls and a safe password. You should also employ secure practices, like not opening unexpected attachments, maintaining several e-mail addresses for various purposes, and being cautious about giving out personal information on the Internet.
-http://news.bbc.co.uk/2/hi/technology/2143630.stm

25 July 2002 NASCIO Takes First Step Toward Forming ISAC

The National Association of State Chief Information Officers (NASCIO) has signed an agreement with the FBI's National Infrastructure Protection Center (NIPC) that will let the states receive computer and physical security threat alerts. The agreement is a step toward the establishment of an Interstate Information Sharing and Analysis Center (ISAC).
-http://www.fcw.com/geb/articles/2002/0722/web-nipc-07-25-02.asp

25 July 2002 Police and Computer Science Students Collaborate in Tulsa

Police in Tulsa, Oklahoma are working with computer science students at the University of Tulsa to investigate cyber crimes. The students will learn how a forensic investigator works while the police will gain experience with new software tools and research techniques.
-http://www.fcw.com/geb/articles/2002/0722/web-tulsa-07-25-02.asp
[Editor's Note (Schultz): We badly need much more of this type of collaboration, yet I'd like law enforcement to go farther by requiring officers to take a variety of relevant computer science and other courses. ]

23 July 2002 National Cyber Security Strategy Plans to Extend Cyber Corps to State Level

Richard Clarke says the national cyber security strategy, due to be released in September, will extend the Federal Cyber Service Program, which provides scholarships to both undergraduate and graduate computer security students in exchange for two years of federal service employment, to the state level. The Cyber Service Program is also expected to receive $19 million for a supplemental funding bill to be voted on soon.
-http://www.fcw.com/geb/articles/2002/0722/web-cyber-07-23-02.asp

23 July 2002 Microsoft Changes Vulnerability Reporting Method

Microsoft has removed secure@microsoft.com, the dedicated e-mail address for reporting vulnerabilities, from its "Alert Us" page; while Microsoft will continue to monitor the address, users are encouraged to report vulnerabilities by filling out a Web-based input form. The form is designed to provide the company with adequate information to begin investigations more quickly; often vulnerabilities reported at the web address required some back and forth communication before an investigation could be launched. Critics say the web form is not flexible enough and does not provide a "paper trail" to show when Microsoft was first notified of the vulnerability.
-http://online.securityfocus.com/news/545

23 & 24 July 2002 Malware Changes MSNTV Dial Up Number to 911

Some MSNTV users' machines have become infected with malicious code that changes the dial up number to 911. The code arrives as an e-mail attachment. Users are being advised to reset their machines; a patch is due to be issued.
-http://abcnews.go.com/sections/scitech/TechTV/techtv_911virus020723.html
-http://zdnet.com.com/2100-1105-945985.html
-http://www.vnunet.com/News/1133850

23 July 2002 NASCIO Report Urges Cooperation, Info Sharing

A report from the National Association of State Chief Information Officers (NASCIO) implores government leaders to work together to address cybersecurity and critical infrastructure protection.
-http://www.computerworld.com/governmenttopics/government/policy/story/
0,10801,72947,00.html
-http://endowment.pwcglobal.com/pdfs/HeimanReport.pdf

22 July 2002 The Long Arm of Cyber Law Reaches Beyond National Borders

Internet content is facing increasing scrutiny and legal action from governments around the world, regardless of where the offending content is hosted. For example, web sites allegedly run by two Italian men were deemed offensive, and Italian police replaced the images with a police unit insignia, despite the fact that the sites were hosted in the US. Differing laws regarding freedom of speech and the European Union's privacy laws are making it difficult for Internet businesses to know what to do.
-http://www.cnn.com/2002/TECH/internet/07/22/borderless.internet.ap/index.html

17 July 2002 Symantec Buys BugTraq

Symantec has purchased the BugTraq computer security e-mail list, "the computer security world's equivalent of a professional journal." The change of hands raises the question of whether or not hackers will continue to publish vulnerabilities and exploits on the list.
-http://www.msnbc.com/news/781975.asp?0dm=T279T
[Editors' Note: Symantec also bought Riptech (a managed services company) and Recourse Technologies (a security software company). ]

---

== end ==
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Bill Murray, Stephen
Northcutt, Alan Paller, Marcus Ranum, and Eugene Schultz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites