SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IV - Issue #36

September 04, 2002

Reminder: Friday 9/6 is the early registration deadline for Network
Security 2002 in Washington DC in October.

---

TOP OF THE NEWS

29 & 30 August 2002 iVillage.com E-Mail Shut Down Due to Security and Privacy Problems
28 August 2002 Ziff Davis Media Settles Privacy Breach Investigation
27 August 2002 DoubleClick Settles Privacy Investigation
28 August 2002 On Line Gold Theft Attempt Thwarted
26 August 2002 Woman Pleads Guilty to Importing Phony Software

THE REST OF THE WEEK'S NEWS

2 September 2002 New Airline Passenger Screening System Expected Soon
28 August 2002 Proposed Legislation Would Have Biometric Data on Drivers Licenses
26 August 2002 Biometrics in Travel Documents Raises Security and Reliability Concerns
26 August 2002 DoD Testing Iris Recognition at Athletic Club
30 August 2002 Hacker Has Trouble Finding Work
28 & 30 August 2002 More Warflying
29 August 2002 Poll Says Half of CSO Subscribers Believe Major Cyber Attack is Imminent
26 August 2002 Are Cyberterrorism Warnings Overstated?
29 August 2002 Microsoft Certificate Enrollment Control Security Hole
29 August 2002 Hard-To-Copy CD-ROMs
28 August 2002 Spyware Intercepts Web-Based E-Mail
30 August 2002 DOD Distributes One Millionth Smart Card
28 August 2002 RIAA Defaced, Taken Off Line
28 August 2002 Linux for Newbies
27 & 28 August 2002 Microsoft Releases APIs
27 August 2002 Lamo Segment Pulled from NBC Nightly News
27 August 2002 Developing a Database with a Conscience
27 August 2002 Hackers Threaten Retaliation if Duo Gets Jail Time
27 August 2002 Man Pleads Guilty to Stealing Microsoft Certification Exam Questions
26 August 2002 Hacker Tools Can Help Too
26 August 2002 Government Wary of Handheld Wireless Due to Security Concerns
26 August 2002 Enterprise AIM Addresses Security Issues
22 August 2002 The Ethics of Cyber Warfare

SECURITY TRAINING NEWS

Gold Standard Training for Securing Windows 2000

---

******** This Issue Sponsored by Internet Security Systems ************
10... 9... 8... ISS CONNECT Registration is closing soon!
Reserve your seat today, and save $50
Join Internet Security Systems in ATLANTA (9/30-10/4) for CONNECT
- - the premier conference for Internet, Enterprise and Network
Security. This 4th annual event features over 50 sessions including
hands-on workshops, live security labs, product demonstrations and
more. Highlights include Keynote Speaker Richard A. Clarke, Special
Advisor to the President for Cyberspace Security.
Register now for $50 Discount: http://www.issconnect.com/?source=SANS
***********************************************************************

---

TOP OF THE NEWS

29 & 30 August 2002 iVillage.com E-Mail Shut Down Due to Security and Privacy Problems

iVillage.com shut down its e-mail service on August 29th after it learned that users were logging on and finding other users' in-boxes available for perusal. Some customers had been complaining about the problem for a week. The violation of privacy policy could spell bad news for iVillage.com based on the recent settlement agreed to by Ziff Davis Media.
-http://www.msnbc.com/news/800959.asp?0dm=T22FT
-http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,73900
,00.html

28 August 2002 Ziff Davis Media Settles Privacy Breach Investigation

Ziff Davis Media has agreed to pay $125,000 as part of a settlement following an investigation into a breach of customer data privacy. Ziff Davis Media will also establish security practices to better protect information online. According to state attorneys general involved in the investigation, some of the people whose information was exposed were victims of identity theft.
-http://news.com.com/2100-1023-955841.html
-http://www.wired.com/news/business/0,1367,54817,00.html
Press Release from New York State Attorney General:
-http://www.oag.state.ny.us/press/2002/aug/aug28a_02.html

27 August 2002 DoubleClick Settles Privacy Investigation

DoubleClick has agreed to a settlement following an investigation into its privacy practices regarding the data it collects. The investigation was a joint effort on the part of 10 of the 50 States Attorneys General. DoubleClick will pay $450,000 toward the investigation costs and will amend its privacy practices. It will also store all data more than three months old off line. The company will also be subject to third-party audits to check for compliance with the terms of the settlement.
-http://www.theregister.co.uk/content/6/26817.html
[Editor's Note (Ranum): This is the way to make strides forward in security: start making failure to do the right thing expensive. ]

28 August 2002 On Line Gold Theft Attempt Thwarted

Hackers placed a keystroke logger on gold dealer Crowne Gold's computer system and harvested passwords. The hackers then used the passwords to attempt a transfer of almost $200,000 worth of gold to another brokerage; their attempt was foiled by the fact that they lacked proper documentation. Crowne Gold shut down its system so customers have not been able to access their accounts. The company hoped to have the site up again soon.
-http://www.wired.com/news/business/0,1367,54802,00.html

26 August 2002 Woman Pleads Guilty to Importing Phony Software

A woman in Los Angeles has pleaded no contest to charges of importing almost $75 million worth of counterfeit software. Lisa Chen will receive a sentence of between five and nine years in federal prison and pay restitution to Microsoft and Symantec. Chen and three other people were arrested after an 18-month investigation; the others' cases are pending in federal court. This is apparently the largest seizure of counterfeit software ever in the United States.
-http://www.siliconvalley.com/mld/siliconvalley/3943489.htm

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) CONTROL use of I/O devices by means of Windows Group Policies -
FREE evaluation software. http://www.sans.org/cgi-bin/sanspromo/NB72
(2) Are you a Symantec customer? Register now for Symantec's Worldwide
Users' Conference http://www.sans.org/cgi-bin/sanspromo/NB73
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

2 September 2002 New Airline Passenger Screening System Expected Soon

Federal airport security officers hope to be using a significantly enhanced version of the Computer Assisted Passenger Prescreening System (CAPPS) before the end of the year. CAPPS II will provide real-time threat evaluation of passengers; it will search through multiple government and commercial databases for information and provide almost immediate feedback on a passenger's background. Implementation of the new system could be delayed if the Transportation Department becomes part of the Department of Homeland Security.
-http://www.fcw.com/fcw/articles/2002/0902/news-capps-09-02-02.asp

28 August 2002 Proposed Legislation Would Have Biometric Data on Drivers Licenses

Two US lawmakers from Virginia have proposed the 2003 Driver's License Modernization Act which would have all US drivers' licenses include biometric data. The legislators say the new licenses could help prevent identity theft. There is also talk of issuing smart cards to all federal employees, following in the footsteps of the Defense Department's Common Access Card.
-http://www.govexec.com/dailyfed/0802/082802s1.htm
[Editor's Note (Murray): There is already biometric data on the drivers license; it is called the photograph. This particular biometric has the advantage that it can be easily reconciled by people. Computers cannot reconcile it very well but then they do not do very well at any biometrics. That is why we must use strong authentication. ]

26 August 2002 Biometrics in Travel Documents Raises Security and Reliability Concerns

The US Patriot Act calls for the implementation of biometric identifiers on travel documents for non-US citizens by the year 2004. The National Institute of Standards and Technology (NIST) has been studying various biometric systems and has so far found areas of concern with fingerprints, iris scanning and facial recognition technology, leading to a preliminary conclusion that no one biometric technology by itself is reliable. The use of biometric technology also raises concerns about how the information will be stored: smart cards must be managed so that various permissions can be revoked easily, and network based authentication systems pose the risk of data interception and altering.
-http://www.gcn.com/21_25/security/19773-1.html

26 August 2002 DoD Testing Iris Recognition at Athletic Club

The Defense Department Biometrics Management Office is testing an iris recognition system at the Pentagon Athletic Club. Participation in the testing is voluntary. Starting August 30th, the Defense Department's Biometrics Management Office plans to use the system as the "sole tool" for entry to the athletic club.
-http://www.fcw.com/fcw/articles/2002/0826/mgt-eyes-08-26-02.asp

30 August 2002 Hacker Has Trouble Finding Work

Though hackers used to have little trouble finding jobs, the scene is changing. Max Ray Butler once worked as a cyber informant for the FBI, but recently served a year in federal prison for intruding into government and military computer networks. Since his release, Butler has had trouble finding a job and is working for minimum wage.
-http://www.wired.com/news/culture/0,1284,54838,00.html
[Editor's Note (Murray): 14% percent of companies admit that they will hire rogue hackers for security jobs. Would be nice to know who they are so that we can avoid them. ]

28 & 30 August 2002 More Warflying

Following close on the heels of a warflying report from Sydney, Australia, two hackers conducted a warflying (junket) above San Diego County, California. The two discovered that the range of 802.11b WLAN signals is greater than expected; they were able to detect access points from 2,500 feet in the air.
-http://arstechnica.com/wankerdesk/3q02/warflying-1.html
-http://www.computerworld.com/mobiletopics/mobile/story/0,10801,73901,00.html

29 August 2002 Poll Says Half of CSO Subscribers Believe Major Cyber Attack is Imminent

Almost half of 1,009 subscribers of the new magazine CSO believe that a major cyber attack from terrorists will occur during the next year. Those polled are largely US and Canadian CSOs. The magazine's editor in chief says the fear of the cyber attacks is based on the plausibility of such attacks occurring rather than on hard intelligence. Nearly all of those polled say vendors need to improve product security.
-http://www.washingtonpost.com/wp-dyn/articles/A10407-2002Aug29.html

26 August 2002 Are Cyberterrorism Warnings Overstated?

Talk of terrorists launching catastrophic cyberattacks that disable the country's critical infrastructure and cause death and destruction are largely hyperbole. Hackers could cause communications problems however, and utilities which may have their control systems linked to the Internet. A destructive attack would require a great deal of inside knowledge as there are more often than not back-up procedures that are not computerized. The major concern with terrorists and the Internet is their use of it to plan a physical attack.
-http://zdnet.com.com/2100-1105-955293.html
[Editor's Note (Schultz) Sadly, the threat of cyberterrorism is indeed being badly overstated. But this is only part of a bigger problem. There are too many alarmists who constantly tell the rest of the world that "the sky is falling" in the cybersecurity arena. ]

29 August 2002 Microsoft Certificate Enrollment Control Security Hole

Microsoft has issued a security bulletin warning of a critical hole in the Certificate Enrollment Control component of Windows, an ActiveX control used to request new certificates on line and to install them. The bulletin says that the Certificate Enrollment Control can also be used to remotely corrupt or delete certificates, and urges vulnerable users to install a patch. The vulnerability could be exploited by tricking users into visiting a specially crafted malicious web page or opening HTML e-mail. Affected versions of Windows include 98, 98SE, Millennium, NT 4.0, 2000 and XP; earlier versions weren't tested because they are no longer supported.
-http://www.theregister.co.uk/content/55/26859.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73864,0
0.html
-http://www.microsoft.com/technet/security/bulletin/ms02-048.asp

29 August 2002 Hard-To-Copy CD-ROMs

A new technology developed by JVC and Hudson Soft called "Root" is designed to prevent people from copying CD-ROM disks. The contents of the disk are encrypted and the required key also resides on the disk. The key can be read by CD-ROM drives, but cannot be copied by CD-R/RW drives. The key on each disk is different and is hidden on a different place on the disk. The technology can be applied to software disks and DVDs but not to audio CDs.
-http://news.zdnet.co.uk/story/0,,t269-s2121508,00.html
[Editor's Note (Northcutt): These types of solutions are generally defeated in short order as has been shown in the computer game industry. This scheme makes a loser out of the honest person that can't make a backup. (Grefer) It's just a matter of time until this method will be cracked, too. The only question is whether it will take months, weeks or days. ]

28 August 2002 Spyware Intercepts Web-Based E-Mail

A new version of eBlaster spyware allows people to intercept outgoing and incoming web based e-mail from employees, family members or other spy targets. While some may contend that employers have a right to see everything that takes place on company computers, others have expressed concern that the spyware may violate the Electronic Communications Privacy Act.
-http://www.msnbc.com/news/800409.asp?0dm=C24FT

30 August 2002 DoD Distributes One Millionth Smart Card

The Department of Defense (DoD) has issued the one millionth Common Access Card (CAC) on August 28th. CACs are smart cards that are used for identification and building and network access. The DoD, which began distributing the cards in October 2001, hopes to have cards for all 4 million employees by October 2003.
-http://www.fcw.com/fcw/articles/2002/0826/web-cac-08-30-02.asp

28 August 2002 RIAA Defaced, Taken Off Line

The web site of the Recording Industry Association of America (RIAA) was apparently hacked in retaliation for a lawsuit it filed against a Chinese site from which people could download music. The hackers posted a phony apology message on RIAA's site and made some songs available for download. An RIAA spokeswoman acknowledged a problem with the site and said they would have it fixed soon, but provided no details. The site was taken off-line. The RIAA was the victim of a denial of service attack in July.
-http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,73830
,00.html
-http://news.com.com/2100-1023-955776.html
-http://www.wired.com/news/politics/0,1283,54812,00.html
-http://www.newsfactor.com/perl/story/19227.html
--28 August 2002 Linux for Newbies This article offers advice on setting up and securing Linux for "newbies."
-http://www.theregister.co.uk/content/4/26843.html

27 & 28 August 2002 Microsoft Releases APIs

As part of its settlement with the US Justice Department and nine US states, Microsoft has made available 289 application programming interfaces (APIs). The APIs are available at Microsoft's Network Developer web site.
-http://news.com.com/2100-1001-955655.html
-http://www.computerworld.com/governmenttopics/government/legalissues/story/
0,10801,73829,00.html
-http://msdn.microsoft.com/library/en-us/dnapiover/html/api-overview.asp

27 August 2002 Lamo Segment Pulled from NBC Nightly News

Adrian Lamo is the hacker known for breaking into the computer systems of many highly visible corporations, including the New York Times, where he made off with the names and addresses of famous guest editorial contributors. Lamo was scheduled to appear in a segment on the NBC Nightly News but the segment was pulled. Lamo alleges the interviewer asked him if he could break into NBC's system, so he did.
-http://online.securityfocus.com/news/595
[Editor's Note (Ranum): My hat's off to MBC for pulling the segment. ]

27 August 2002 Developing a Database with a Conscience

An IBM researcher is developing a database that takes responsibility for the data it holds much as physicians are bound by the Hippocratic oath to maintain confidentiality regarding what their patients tell them. The database is set up with rules about what kind of data is to be collected and how it is to be used.
-http://www.idg.net/ic_940272_1794_9-10000.html

27 August 2002 Hackers Threaten Retaliation if Duo Gets Jail Time

Other hackers are threatening to retaliate if the pair calling themselves the "Deceptive Duo" is sent to prison. The two allegedly defaced numerous United States government and corporate web sites earlier this year in an attempt to alert the government to vulnerabilities in the country's critical infrastructure.
-http://vnunet.com/News/1134600

27 August 2002 Man Pleads Guilty to Stealing Microsoft Certification Exam Questions

Robert R. Keppel, owner of a "braindump" site called CheetSheets.com, has pleaded guilty in federal court to theft of trade secrets; Mr. Keppel apparently sold questions and answers to Microsoft security certification examinations. The case is significant because most other such cases have been pursued in civil court rather than in criminal court. CheetSheets.com is now defunct.
-http://certcities.com/editorial/news/story.asp?Editorialsclass=336

26 August 2002 Hacker Tools Can Help Too

Tools used by hackers to gain access to wireless networks can also prove helpful to network administrators; the tools can be used to identify dead spots in wireless networks and to detect the perimeter of the wireless network. They can also be used to improve performance by identifying overlapping signals.
-http://www.eweek.com/article2/0,3959,485577,00.asp

26 August 2002 Government Wary of Handheld Wireless Due to Security Concerns

Government agencies are hesitant to use wireless handheld devices because of the security risks they pose. Handhelds are often lost and people who find or steal the devices could use them to access internal networks. Even with good security in place, users need to be educated in good security practices. The Advanced Encryption Standard (AES) should prove helpful to wireless handheld device security because it employs variable key lengths between 128 and 256 bits, unlike the older Data Encryption Standard (DES) which has a fixed key length of 56 bits.
-http://www.fcw.com/fcw/articles/2002/0826/tec-wire-08-26-02.asp
-http://www.fcw.com/fcw/articles/2002/0826/tec-wire1-08-26-02.asp

26 August 2002 Enterprise AIM Addresses Security Issues

The soon-to-be-released Enterprise AOL Instant Messenger (AIM) addresses security concerns that have sometimes led to companies blocking the use of the technology in the workplace. Enterprise AIM will allow the system administrator to set policies regarding who can send and receive instant messages and what content may be sent in those messages. Users will also be able to send encrypted instant messages using a public key infrastructure (PKI).
-http://www.fcw.com/fcw/articles/2002/0826/tec-aol-08-26-02.asp
[Editor's Note (Murray) Perhaps this is the long-awaited "killer application" for PKI. ]

22 August 2002 The Ethics of Cyber Warfare

The Bush administration is examining the legal and ethical issues surrounding cyber warfare as the specter of such an event looms. Some countries are looking to cyberwar as a way to level the playing field, as it is less expensive than conventional methods of attack. The US must tread carefully because people are so dependent upon computers that retaliation for a cyberattack could be costly.
-http://www.washingtonpost.com/wp-dyn/articles/A46967-2002Aug21.html

---

SECURITY TRAINING NEWS

Gold Standard Training for Securing Windows 2000

using the new consensus standards and free testing tools - 38 cities.
-http://www.sans.org
/Win2KWorldTour/">
-http://www.sans.org
/Win2KWorldTour/
SANS Network Security 2002 in October: Largest security conference & expo:
-http://www.sans.org
/NS2002">
-http://www.sans.org
/NS2002
For security managers in military sites: click on the National Information Assurance Leadership Conference. Advanced security training in nineteen additional cities, plus Local Mentor programs in 35 cities. See:
-http://www.sans.org