Newsletters: NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #37

September 11, 2002

TOP OF THE NEWS

7 September 2002 LLNL Hacker Gets House Arrest and Community Service
5 September 2002 Microsoft VP Not Proud of Company's Security
5 & 6 September 2002 PGP Buffer Overflow Vulnerability
26 August 2002 Federal Security Dollars Spent on OMB Reports Instead Of Fixing Security

THE REST OF THE WEEK'S NEWS

9 September 2002 September 11th Renews Commitment to Security in the Workplace
9 September 2002 Philippine Phreaking Bust
9 September 2002 Intel Hardware will Integrate Security
9 September 2002 Venezuelan CD Pirates Sold Confidential Data
6 September 2002 Four Men Sentenced for Roles in Piracy Ring
6 September 2002 Spammers Use Unprotected Wireless Networks to Wield their Wares
5 September 2002 Biometrically Secured Airport Lockers Tested
5 September 2002 OASIS Adopts New ebXML Standard
5 & 6 September 2002 Microsoft Releases Windows Patch for Critical Digital Certificate Vulnerability
4 & 8 September 2002 Dearth of Security Specialists Bemoaned
4 September 2002 Security Tool Creates "Noise" Around Wireless Access Points
3 September 2002 Citibank E-Mail Campaign May Have Breached Customer Privacy
3 September 2002 Demand for Disaster Recovery and Business Continuity Planning is Up
3 September 2002 FBI Application Process Weeds Out Many Potentially Valuable Cyber Security Workers
3 September 2002 Are Viruses on the Decline?
3 September 2002 Security Firm Says Hacks are on the Rise
2 & 3 September 2002 Microsoft Enhances Passport Security
2 September 2002 Higher Ed Funding May be Tied to Security Practices
2 September 2002 Plan Will Establish Cybersecurity Network Operations Center
2 September 2002 Plan Includes Privacy Czar

STORIES ILLUSTRATING THE LACK OF SECURITY AWARENESS AND ITS IMPACT

7 & 9 September 2002 Microsoft: Windows 2000 Attacks Due to Improper Lockdown
9 September 2002 Wardriving Reveals Lack of LAN Security
7 September 2002 City Employee Opens Hard Drive to Kazaa Network
4 September 2002 Mitnick Describes Social Engineering Tactics

SECURITY TRAINING NEWS

Gold Standard Training for Securing Windows 2000


************** This Issue Sponsored by Tripwire, Inc. *****************
ASSURE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER
Tripwire data integrity assurance solutions pinpoint changes to your
servers and network devices accelerating discovery and increasing
uptime making you the hero of your IT organization. Click here to
get our FREE Security Exploit and Vulnerability Matrix Poster.
http://www.tripwire.com/literature/poster/index.cfm?djinn=639
***********************************************************************

TOP OF THE NEWS

7 September 2002 LLNL Hacker Gets House Arrest and Community Service

Benjamin Troy Breuninger of Minnesota will serve six months under house arrest and give 400 hours of his time to community service as a penalty for breaking into a computer system at Lawrence Livermore National Laboratory. He will also have to pay $20,000 in restitution. He was convicted of causing damage in excess of $32,000. The judge in the case did not give the harshest sentence because, authorities say, Breuninger did not access classified information and he apologized, accepted responsibility for his actions and was cooperating with authorities, including telling the Laboratory how he broke in.
-http://www.bayarea.com/mld/cctimes/living/science/4022958.htm

5 September 2002 Microsoft VP Not Proud of Company's Security

Brian Valentine, senior VP in charge of the Windows development team, told a gathering of attendees of Microsoft's Windows .Net Server developer conference that the company has not done everything it could to protect customers because Microsoft products are not designed for security. Valentine observed that security is a problem that will never be solved because as concerns are addressed, hackers will devise new methods. He also pointed out that all major operating systems have security problems.
-http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.xml
[Editor's Note (Northcutt): Commercial operating system vendors, with Microsoft at the lead, have focused on features, not system and security engineering. Users have begun to realize they are sitting on a time bomb when they try to use Windows operating systems in commerce. Watch for early adopters of .NET to get hammered, as well. This is what drove the community to develop the Gold Standard to harden Windows 2000:
-http://www.fcw.com/fcw/articles/2002/0722/pol-win-07-22-02.asp
and gold standard course schedule is at:
-http://www.sans.org/Win2KWorldTour/win2K.php]

5 & 6 September 2002 PGP Buffer Overflow Vulnerability

A buffer overflow vulnerability in the way PGP Corporate Edition 7.1.0 and 7.1.1 handle long file names in encrypted archives could crash the program. The vulnerability could be exploited to run malicious code on a targeted computer. A patch is available.
-http://news.com.com/2100-1001-956815.html
-http://www.theregister.co.uk/content/55/26998.html
-http://www.eweek.com/article2/0,3959,518907,00.asp
-http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

26 August 2002 Federal Security Dollars Spent on OMB Reports Instead Of Fixing Security

Much of the money earmarked for making improvements in computer networks at federal agencies actually goes to preparing reports for Congress and the Office of Management and Budget (OMB). The OMB says the gathered data will help support requests for increased resources to address security; however, even if agencies complete the entire OMB checklist, it does nothing to guarantee the security of their systems.
-http://federaltimes.com/index.php?S=1072569


********** Also Sponsored by Internet Security Systems ****************
CONNECT 2002: The Premier Conference for Internet, Enterprise and
Network Security
Join us at Internet Security Systems' International Security Summit,
September 30 - October 4, 2002 in Atlanta
Register today at http://www.issconnect.net for $50 Discount!
***********************************************************************

THE REST OF THE WEEK'S NEWS

9 September 2002 September 11th Renews Commitment to Security in the Workplace

The September 11 terrorist attacks have changed some businesses' attitudes toward security. Companies have reevaluated their security policies and disaster preparedness plans and employees are more aware of the importance of security in their workplaces.
-http://www.computerworld.com/managementtopics/management/recovery/story/0,10801,74049,00.html

9 September 2002 Philippine Phreaking Bust

Philippine police arrested three men in connection with a ring believed to be responsible for hacking into the Philippine Long Distance Telephone Company's computers and selling phone time. If convicted, each of the men faces a six-year prison sentence and a fine of almost $2,000. The arrests were made in accordance with the Philippines' e-Commerce law, which was passed after the Love Bug author escaped prosecution because there was no applicable law.
-http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020909/tc_nm/tech_philippines_arrests_dc_1
-http://www.manilatimes.net/national/2002/sept/10/top_stories/20020910top3.html

9 September 2002 Intel Hardware will Integrate Security

Intel plans to integrate security features into its new chips and other hardware. The features will work with Microsoft's Palladium.
-http://www.msnbc.com/news/805877.asp?0dm=C15JT

9 September 2002 Venezuelan CD Pirates Sold Confidential Data

Two people have been arrested in Caracas, Venezuela for their roles in a CD piracy trade that included confidential phone company records and police files.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8953

6 September 2002 Four Men Sentenced for Roles in Piracy Ring

Four men in the UK have been found guilty of conspiracy to defraud in connection with a software piracy ring. Two of the men received prison sentences of four-and-one-half years; the other two received four-month "custodial sentences."
-http://news.com.com/2100-1001-956884.html
-http://www.theregister.co.uk/content/51/26993.html

6 September 2002 Spammers Use Unprotected Wireless Networks to Wield their Wares

A consultant claims spammers are taking advantage of unsecured wireless network access points and using the victim company's system to send out unsolicited e-mail.
-http://news.com.com/2100-1033-956911.html

5 September 2002 Biometrically Secured Airport Lockers Tested

The Transportation Safety Administration (TSA) is testing biometrically secured public lockers at Minneapolis-St. Paul International airport. Following the September 11th attacks, the TSA has banned all such lockers. The lockers will require a fingerprint for rental and retrieval of stored items.
-http://www.fcw.com/fcw/articles/2002/0902/web-lock-09-05-02.asp

5 September 2002 OASIS Adopts New ebXML Standard

The Organization for the Advancement of Structured Information Standards (OASIS) has announced that its members have approved and adopted the new ebXML Messaging Service Specification Version 2.0.
-http://www.computerworld.com/managementtopics/ebusiness/story/0,10801,74001,00.html

5 & 6 September 2002 Microsoft Releases Windows Patch for Critical Digital Certificate Vulnerability

Microsoft has released a patch for a security hole in Windows Cryptography API, which supports encryption, decryption and digital certificate handling. The vulnerability affects multiple versions of Windows and three Macintosh programs. Patches are not yet available for all versions of Windows, but exploit code has already been released, so Microsoft is making the patches available as they are ready. The vulnerability can be exploited to create phony digital certificates useful for launching "man-in-the-middle" attacks.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73996,00.html
-http://www.theregister.co.uk/content/55/26972.html
-http://news.com.com/2100-1001-956729.html
-http://www.microsoft.com/technet/security/bulletin/MS02-050.asp

4 & 8 September 2002 Security Specialists in Short Supply

Security experts speaking at a cybersecurity conference in Washington D.C. expressed concern that the country is going to need many more skilled IT workers to protect the critical infrastructure than are presently available. The military faces shortages of skilled IT workers because many command higher salaries in the private sector. In a related story, cyber forensic specialists are increasingly in demand.
-http://www.govexec.com/dailyfed/0902/090402td2.htm
-http://seattletimes.nwsource.com/html/businesstechnology/134531230_forensics08.html

4 September 2002 Security Tool Creates "Noise" Around Wireless Access Points

Two computer programmers have developed a tool called Fake AP that generates 53,000 phony wireless access points around each real one. People who may legitimately access the network will be able to determine the actual access point. Some hackers are likely to rise to the challenge and develop tools that test all the points quickly to determine the real one.
-http://www.newscientist.com/news/news.jsp?id=ns99992760

3 September 2002 Citibank E-Mail Campaign May Have Breached Customer Privacy

Citibank used two outside companies to gather e-mail addresses of its customers. The companies then sent e-mails offering the opportunity to receive information about Citibank accounts online. However, some of the e-mail addresses did not belong to the Citibank customers.
-http://www.msnbc.com/news/802701.asp?0dm=H24BTs

3 September 2002 Demand for Disaster Recovery and Business Continuity Planning is Up

Companies that offer disaster recovery planning services have noticed an increase in their business since the September 11th terrorist attacks. Previously, many businesses had not given much thought to such widespread catastrophe. Businesses want help drafting business continuity plans. Plans in place had not taken into account the possibility of a "regional disaster." Companies are reevaluating back-up plans and increasing the distances between data centers.
-http://www.computerworld.com/managementtopics/management/recovery/story/0,10801,73956,00.html

3 September 2002 FBI Application Process Weeds Out Many Potentially Valuable Cyber Security Workers

Although the FBI is interested in recruiting security experts for their agency, the application process weeds out many based on their ethics, ages and levels of physical fitness. The FBI does have civilian employees, though employees who are not agents are "at the bottom of the food chain." One security consultant says that even if hacker applicants are hired, they won't be put on computer security cases for several years.
-http://www.wired.com/news/politics/0,1283,54850,00.html

3 September 2002 Are Viruses on the Decline?

Though the number of worms and viruses has grown about 50% each year since 1990, this year that number is expected to decline by 5%, according to some security specialists. The reasons for the drop could be increased penalties for creating and spreading malware or increased use of anti-virus software. There is still a risk of infection, however; researchers estimate that up to 7% of e-mail messages contain a virus or a worm.
-http://europe.cnn.com/2002/BUSINESS/asia/09/02/techwatch.virus/index.html

3 September 2002 Security Firm Says Hacks are on the Rise

Security firm mi2g has reported more hacks in the first eight months of 2002 than the total number of hacks reported in all of 2001. The company also says that cyber terrorism organizations are trying to harvest information about computer networks in the financial sector and other targets through electronic bulletin boards.
-http://news.bbc.co.uk/2/hi/technology/2231205.stm

2 & 3 September 2002 Microsoft Enhances Passport Security

Microsoft has improved the security of its Passport single sign-on authentication technology. First, in order to establish an account, users must submit a valid e-mail address; they will then receive an e-mail message with links that will allow them to validate the account. Second, it is now easier to cancel accounts that are no longer needed.
-http://news.com.com/2100-1001-956246.html
-http://www.computerworld.com/managementtopics/ebusiness/story/0,10801,73945,00.html

2 September 2002 Higher Ed Funding May be Tied to Security Practices

The National Strategy to Secure Cyberspace is likely to tie state and federal funding for colleges and universities to compliance with cyber security rules, including the designation of a CIO for each institution and establishing an Information Sharing and Analysis Center (ISAC) for US institutions of higher education.
-http://www.eweek.com/article2/0,3959,508676,00.asp

2 September 2002 Plan Will Establish Cybersecurity Network Operations Center

The National Strategy to Secure Cyberspace, which will be released September 18 at Stanford University in California, includes plans to create a cybersecurity network operations center (NOC). Despite rumors to the contrary, the NOC does not intend to intercept and examine e-mail and data traffic from major ISPs and private networks. The plan is to model the NOC after the Incidents.org web site and Internet Storm Center.
-http://www.computerworld.com/securitytopics/security/story/0,10801,73922,00.html

2 September 2002 Plan Includes Privacy Czar

The National Strategy to Secure Cyberspace is likely to include the appointment of a "privacy czar" or chief privacy officer (CPO) who will examine government data collection and security initiatives and ensure that privacy is protected. The CPO would also oversee privacy advocates at each government agency. The Czar would be in the new Department of Homeland Security.
-http://www.eweek.com/article2/0,3959,503728,00.asp

STORIES ILLUSTRATING THE LACK OF SECURITY AWARENESS AND ITS IMPACT

7 & 9 September 2002 Microsoft: Windows 2000 Attacks Due to Improper Lockdown

Microsoft has issued an advisory stating that the attacks on servers running Windows 2000 were the result of hackers taking advantage of inadequately locked down machines rather than exploiting a security hole. Microsoft said the attacked servers had blank or weak passwords, and it recommends that customers address the password problem, disable guest accounts, install firewalls, keep up to date with security patches and run anti-virus software. The attacks were designed to load a Trojan onto the server.
-http://zdnet.com.com/2100-1105-957159.html
-http://www.theregister.co.uk/content/55/27007.html
Microsoft advisory:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;q328691

9 September 2002 Wardriving Reveals Lack of LAN Security

A week-long worldwide wardrive revealed that many wireless LANs (local area networks) don't employ even basic security. A New Jersey-based company is selling complete wardriving kits. A consultant for the company observed that wardriving is legal and has legitimate uses.
-http://www.computerworld.com/mobiletopics/mobile/story/0,10801,74103,00.html
-http://www.computerworld.com/mobiletopics/mobile/story/0,10801,74102,00.html
[Editor's Note (Murray): It is legal to look in your neighbor's open window but nice people do not do it. There is no more corrupting idea than the current one that that which is legal is, ipso facto, ethical.]

7 September 2002 City Employee Opens Hard Drive to Kazaa Network

An Aspen, Colorado city employee who had installed Kazaa peer-to-peer file sharing software on his work computer inadvertently made his entire hard drive available to the network. The problem was discovered by Canadian Kazaa member James Pocock, who e-mailed the employee as well as the city's mayor and police chief about the information he'd been able to view. The city has changed passwords and installed a new firewall.
-http://www.denverpost.com/Stories/0,1413,36~53~843149~,00.html

4 September 2002 Mitnick Describes Social Engineering Tactics

Kevin Mitnick describes how companies leave themselves vulnerable to socially engineered cyber attacks: corporate culture and terrain can be discerned by examining documents found in trash cans, and help desk personnel are often easily tricked into handing over login names and passwords over the phone. Furthermore, if CEOs make a habit of ignoring security policies and procedures when they want a task accomplished quickly, this too can be exploited.
-http://www.infoconomy.com/pages/news-and-gossip/group66338.adp
[Editor's Note (Northcutt): This note applies to all four of the preceding stories. If you agree there is a security awareness problem of epidemic proportions and want to make a difference, please help with SANS' new project in security awareness. It turns out to be incredibly difficult to create powerful, believable security awareness training that appeals to administrative workers as well as the system and network administrators who are some of the worst offenders. After two years of research, we have a tool that seems to work. True stories of the impact of security breaches, written in the first person, are the most effective tools to actually change behavior. If you would like to be involved in this consensus research project, contact awareness@sans.org]

SECURITY TRAINING NEWS

Gold Standard Training for Securing Windows 2000

using the new consensus standards and free testing tools - 38 cities.
-http://www.sans.org/Win2KWorldTour/
SANS Network Security 2002 in October: Largest security conference & expo:
-http://www.sans.org/NS2002
For security managers in military sites: click on the National Information Assurance Leadership Conference. Advanced security training in nineteen additional cities, plus Local Mentor programs in 35 cities. See:
-http://www.sans.org


== end ==
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Bill Murray, Stephen
Northcutt, Alan Paller, Marcus Ranum, and Eugene Schultz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites