SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #39

September 23, 2002

ARTICLES ON THE NATIONAL STRATEGY FOR SECURING CYBERSPACE (NSSC)

18 September 2002 NSSC Avoids Regulations; Critics Say it Lacks Necessary Muscle
16 & 19 September 2002 NSSC Summary
17-19 September 2002 Variety of Experts Chat With Washington Post About the NSSC
17 September 2002 Home Users Know the Drill but Don't Abide By It

A TIME LINE

18 September 2002 Cyber Security Time Line

THE REST OF THE WEEK'S NEWS

23 September 2002 Suspected Slapper Author Arrested; New Variant on the Loose
16 & 17 September 2002 Slapper Worm
23 September 2002 al Qaeda May Have Structural Analysis Software
22 September 2002 Scottish Pol's E-Mail Spoofed
21 September 2002 Client Employee Arrested for Data Theft
20 September 2002 Cisco VPN 5000 Vulnerabilities
20 September 2002 VeriSign Won't Disclose .gov Info
20 September 2002 Oregon Cyber Security Awareness Program for Youth
20 September 2002 XP Service Pack Causes Problems
19 & 20 September 2002 Suspected T0rn Rootkit Author Arrested
19 September 2002 Disgruntled Former Employee Gets Prison Sentence for Erasing Company Data
19 September 2002 Nokia Decries Warchalking
18 & 19 September 2002 Patches Available for Microsoft Java VM Vulnerabilities
18 & 19 September 2002 Falun Gong Members on Trial for TV Hacking
18 September 2002 Gartner Advises Waiting to Deploy Yukon
18 September 2002 Bush Appoints 24 to NIAC
17 & 18 September 2002 Norton Found In Contempt of Court for Failing to Address Computer Security Issues
17 September 2002 Glue: The Latest in Anti-Piracy Technology
17 September 2002 Paul Kocher Interviewed on Cryptography
16 September 2002 Senate Homeland Security Bill Would Broaden Indemnity
16 September 2002 Analysis Finds More Government Sites Have Security and Privacy Policies
16 September 2002 Informal Airport LAN Audit Reveals Lax Security
16 September 2002 Sites Still Vulnerable to Cross-Site Scripting
15 & 16 September 2002 Mozilla Browser Privacy Hole

ARTICLES ILLUSTRATING CHANGES IN INFORMATION WARFARE

16 September 2002 ABCNews Hired Firm to Test CA Police Dept. Security From Afar
16 September 2002 Nimda Changed IT Security Thinking

FREE WEB BROADCAST

Dustin Childs covers the basics of event logs in Windows NT and 2000

SECURITY TRAINING NEWS

*SANS Network Security 2002 in October


******* This Issue Sponsored by The Human Firewall Council ************
How do your security management practices measure up to ISO17799? FREE
SURVEY Find out how your security management practices measure up to
ISO17799 standards using the new Security Management Index. Sponsored by
PentaSafe and other industry leaders, this new free online tool covers
the 9 major sections of ISO17799 and provides each participant with
a score. Results are confidential. Aggregate data will be used to
create an industry-wide report to be released in January 2003.
Visit: http://www.humanfirewall.org
***********************************************************************

ARTICLES ON THE NATIONAL STRATEGY FOR SECURING CYBERSPACE (NSSC)

18 September 2002 NSSC Avoids Regulations; Critics Say it Lacks Necessary Muscle

The National Strategy to Secure Cyberspace encourages home users to adopt safe computing practices but shies away from creating federal regulations to attain cyber security. Critics say the strategy has no teeth: every idea that might have proven objectionable to anyone has been removed.
-http://online.securityfocus.com/news/677
-http://www.washingtonpost.com/wp-dyn/articles/A35812-2002Sep18.html
NSSC text:
-http://www.whitehouse.gov/pcipb/cyberstrategy-draft.pdf

16 & 19 September 2002 NSSC Summary

The draft National Strategy to Secure Cyberspace organizes its recommendations by sector: consumers and small businesses, large companies, governments and universities, and international partners. The draft also lists 18 national cyber security priorities.
-http://www.washingtonpost.com/wp-dyn/articles/A38066-2002Sep19.html
-http://www.fcw.com/fcw/articles/2002/0916/web-strat-09-16-02.asp

17-19 September 2002 Variety of Experts Chat With Washington Post About the NSSC

Online transcripts of chats with various people about the NSSC:

Alan Paller (SANS):
-http://www.washingtonpost.com/wp-srv/liveonline/02/special/sp_technews_paller091802.htm

Scott Charney (Microsoft):
-http://www.washingtonpost.com/wp-srv/liveonline/02/special/sp_technews_charney091702.htm

Richard Smith:
-http://www.washingtonpost.com/wp-srv/liveonline/02/special/sp_technews_smith091902.htm

[Editors' Comment on the Strategy: (Ranum) It's not a strategy; it's a statement of the obvious. It would have been more effective if The President simply asked the hackers to be nice and cease and desist. (Murray): Did anyone find any mention of cryptography? I found no mention of strong authentication (except for home users; weak passwords on their systems are not being attacked). I found no mention of closed networks. Anyone find any mention of holding edge connectors responsible for their traffic or for enforcing source IP addresses? The report's solution to the broken transport layer is to avoid the use of wireless. Its solution to the problem of weak systems connected to the Internet is more "patch and fix." Did anyone find mention of safe defaults? Are all these things too controversial even to float? ]

17 September 2002 Home Users Know the Drill but Don't Abide By It

The recently released draft of the National Strategy to Secure Cyberspace recommends that home users deploy firewalls, use regularly updated anti-virus software, create strong passwords, install all necessary patches and use common sense about e-mail and downloads. Though these pieces of advice are well-known, many home users do not adhere to them.
-http://www.washingtonpost.com/wp-dyn/articles/A30681-2002Sep17.html

A TIME LINE

18 September 2002 Cyber Security Time Line

This page offers a brief time line of computer bugs, viruses, worms and attacks, from the 1945 moth in Navy computer relays to the Morris worm to the sentencing of Melissa author David Smith. It also includes cyber milestones such as the development of ASCII, the launch of ARPANET and the appointment of the nation's first "cyber security czar."
-http://www.washingtonpost.com/wp-dyn/articles/A50636-2002Jun26.html
[Editor's Note (Northcutt): I enjoyed the retelling of the cyber security story. It appears the rate of change in security is accelerating. ]

THE REST OF THE WEEK'S NEWS

23 September 2002 Suspected Slapper Author Arrested; New Variant on the Loose

A man has been arrested on suspicion of authoring the Slapper worm; the worm evidently was sending infected machine addresses back to his Ukraine-based e-mail address. Though the original Slapper worm activity appears to be calming down, a variant has been detected in the wild and has been spreading in Australia.
-http://www.vnunet.com/News/1135274
-http://www.news.com.au/common/story_page/0,4057,5151968^15306,00.html

16 & 17 September 2002 Slapper Worm

The Linux.Slapper.Worm, which exploits a vulnerability in OpenSSL as used by Apache web servers on Linux, is believed to be the first worm that makes use of P2P technology. The worm has infected at least 30,000 servers. It directs infected machines to join a P2P network, and that network could be used to launch a denial of service attack. It spreads through port 80. A fix for the security hole it exploits is available: OpenSSL versions 0.9.6e and newer are fixed.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,74288,00.html
-http://www.wired.com/news/technology/0,1282,55172,00.html
-http://news.com.com/2100-1001-958122.html
-http://www.theregister.co.uk/content/55/27134.html
-http://www.msnbc.com/news/808678.asp?0dm=C224T
-http://www.vibrantmedia.com/computerwire/news.asp?Page=1&ContentPurchasedclass=18&
-http://www.vibrantmedia.com/computerwire/news.asp?Page=1&ContentPurchasedclass=18&ho=0&ArticlesPerPage=20&Target=
-http://www.vibrantmedia.com/computerwire/news.asp&Articleclass=235074
-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,74325,00.html

CERT/CC Advisory:
-http://www.cert.org/advisories/CA-2002-27.html

23 September 2002 al Qaeda May Have Structural Analysis Software

According to an FBI bulletin, a computer belonging to a bin Laden associate contained software that can be used to find structural weaknesses in large structures like dams and skyscrapers.
-http://news.com.au/common/story_page/0,4057,5149311^421,00.html
22 September 2002 Scottish Pol's E-Mail Spoofed

A hacker spoofed the e-mail account of Scottish Member of Parliament (SMP) Fiona Hyslop and used it to send spam. Detectives have been called in.
-http://www.scotlandonsunday.com/politics.cfm?id=1053342002

21 September 2002 Client Employee Arrested for Data Theft

A Chinese oil company employee who was receiving training to use advanced seismic imaging software from 3DGeo Development was arrested after it was alleged that he had accessed 3DGeo proprietary code and copied it onto his laptop. If convicted, Shan Yan Ming could face five years in prison and a $250,000 fine.
-http://www.bayarea.com/mld/mercurynews/business/4121880.htm

20 September 2002 Cisco VPN 5000 Vulnerabilities

Security holes in Cisco VPN 5000 Client software could allow an attacker to attain root access to local workstations running the software or to grab passwords. The root access hole affects version 5.2.7 for Linux and version 5.2.8 for Solaris, while the password vulnerability is present in all Macintosh versions prior to 5.2.2. Cisco has placed updates on its website.
-http://www.idg.net/ic_950944_5055_1-2793.html

20 September 2002 VeriSign Won't Disclose .gov Info

VeriSign Inc. will no longer supply the public with data about the .gov Internet domain because the company fears the information could be used to plot cyber attacks.
-http://www.theregister.co.uk/content/55/27210.html

20 September 2002 Oregon Cyber Security Awareness Program for Youth

The Hillsboro, Oregon police department plans to launch a cybersecurity awareness program aimed at young people. The Cyber Awareness, Responsibility and Ethics program will begin at the Boys and Girls Clubs of Hillsboro and eventually spread to the schools. The program hopes to educate area youth about the effect their actions can have; it will also encourage constructive cyber experimentation under the guidance of other young people.
-http://www.oregonlive.com/metrowest/oregonian/index.ssf?/xml/story.ssf/html_standard.xsl?/base/metro_west_news/1032523123238162.xml
[Editor's Note (Schultz): Ultimately, strategic gains in the information security arena will be due to efforts like the one described in this news item. The next generation merits our full attention when it comes to security education and awareness. ]

20 September 2002 XP Service Pack Causes Problems

A small group of Windows XP customers has reported having problems with the operating system's first service pack which was released on September 9th. Among the problems cited are slow-running machines, unstable systems and crashing programs.
-http://www.pcworld.com/news/article/0,aid,105144,00.asp
[Editor's Note (Murray): Toshiba advised me to re-install XP from scratch to get rid of the service pack. ]

19 & 20 September 2002 Suspected T0rn Rootkit Author Arrested

A 21-year-old UK man has been arrested on suspicion of writing the T0rn rootkit, which helps people attack Linux-based servers and was used by the Lion worm. Officers from Scotland Yard's Computer Crime Unit arrested the man, whose name has not been released, under the country's 1990 Computer Misuse Act. He is presently out on bail.
-http://www.theregister.co.uk/content/55/27200.html
-http://news.bbc.co.uk/2/hi/technology/2270962.stm
-http://www.usatoday.com/tech/news/2002-09-20-alleged-hacker_x.htm

19 September 2002 Disgruntled Former Employee Gets Prison Sentence for Erasing Company Data

A UK computer engineer who botched a job went back into the company's computer system and wiped out its data after the company refused to pay his bill. Stephen Carey had altered the company's computer system so he could access the database from home. Police who seized his home computer found that the time the files were destroyed matched the time his home computer was connected to the company's. Carey received an 18-month prison sentence for unauthorized modification of computer material.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=9061

19 September 2002 Nokia Decries Warchalking

Nokia has issued an advisory condemning warchalking, the practice of marking the locations of wireless access points outside buildings. The company maintains that people who use bandwidth without paying for it are thieves. A number of readers' comments are posted along with the article.
-http://news.bbc.co.uk/2/hi/technology/2268224.stm

18 & 19 September 2002 Patches Available for Microsoft Java VM Vulnerabilities

Microsoft issued a security bulletin urging Windows users to apply two patches for vulnerabilities in the company's Java Virtual Machine. The flaws affect all versions of the VM, including the most recent (5.0.3805). The flaws could be exploited to gain control of vulnerable machines by sending users specially crafted HTML e-mail or enticing them to visit specially constructed web sites.
-http://news.com.com/2100-1001-958547.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,74365,00.html
-http://www.microsoft.com/technet/security/bulletin/MS02-052.asp

18 & 19 September 2002 Falun Gong Members on Trial for TV Hacking

Fifteen members of the Falun Gong spiritual movement in China have gone on trial for hacking into a cable television network and broadcasting pro-Falun Gong footage. If found guilty, each member could face between three and seven years in prison.
-http://news.bbc.co.uk/1/hi/world/asia-pacific/2267523.stm
-http://asia.cnn.com/2002/WORLD/asiapcf/east/09/19/china.falun.gong/index.html

18 September 2002 Gartner Advises Waiting to Deploy Yukon

Analysts are warning users not to deploy the upcoming version of Microsoft SQL Server, known as Yukon, because it is likely to contain numerous security holes. Gartner is advising users to wait for the release of Service Pack 1.
-http://www.vnunet.com/News/1135116
[Editor's Note (Schultz): The competence of this advice from the Gartner Group is extremely dubious. It appears to be a massive overgeneralization that does not take this specific product into account. Did the Gartner Group even ask Microsoft how this product fared with security testing? What about Windows XP? It would be difficult to claim that it was full of security holes (although some [(Paller) many ] were discovered) and should thus not be used until SP1 was available. Also, the statement to the effect that if an organization uses Yukon, it should minimize the services that are run, adds absolutely nothing. You should always run only essential services, regardless of whether the product is a Microsoft product. ]

18 September 2002 Bush Appoints 24 to NIAC

President Bush has appointed 24 people to the National Infrastructure Advisory Committee (NIAC). The committee makes recommendations about national security and economic critical infrastructure cyber security; it also addresses cyber security partnerships between the public and private sectors. The council members are drawn from major economic sectors, like energy, transportation and banking, and from law enforcement, academia and state and local government.
-http://www.whitehouse.gov/news/releases/2002/09/20020918-12.html

17 & 18 September 2002 Norton Found In Contempt of Court for Failing to Address Computer Security Issues

Interior Secretary Gale Norton and Assistant Secretary for Indian affairs Neal McCaleb have been found in contempt of court for failing to adequately address vulnerable computer systems that manage Indian trust fund accounts. The entire Interior department was taken off line late last year when it became clear that its computer systems lacked adequate security.
-http://www.fcw.com/fcw/articles/2002/0916/web-int-09-17-02.asp
-http://www.gcn.com/vol1_no1/daily-updates/20053-1.html

17 September 2002 Glue: The Latest in Anti-Piracy Technology

In yet another attempt to thwart music pirates, one record company is giving reviewers CDs glued into portable players, with the headphone jacks sealed so the CD cannot be re-recorded. At least one reviewer was able to retrieve the CD, however.
-http://www.iht.com/articles/70893.html
-http://www.vnunet.com/News/1135077

17 September 2002 Paul Kocher Interviewed on Cryptography

In an interview, cryptographer Paul Kocher discusses how the increasing complexity of cryptography affects computer security.
-http://www.businessweek.com/technology/content/sep2002/tc20020917_5283.htm

16 September 2002 Senate Homeland Security Bill Would Broaden Indemnity

An amendment to the Senate's version of the Homeland Security Bill would have the government pay liability damages beyond the private coverage held by designated homeland security vendors. Critics are concerned that the extension of this indemnity would have a negative impact on the quality of security products.
-http://www.computerworld.com/governmenttopics/government/legislation/story/0,10801,74279,00.html

16 September 2002 Analysis Finds More Government Sites Have Security and Privacy Policies

Brown University's Center for Public Policy analyzed 1,265 federal and state government web sites; among their findings were marked increases in the number of sites with security and privacy policies when compared with the sites last year. The study also noted that some sites restrict access to certain information.
-http://www.gcn.com/vol1_no1/daily-updates/20026-1.html

16 September 2002 Informal Airport LAN Audit Reveals Lax Security

A recent audit of wireless LANs at airports in Chicago, San Francisco, San Diego and Atlanta revealed that many were not running even basic security measures; only about 25% of the access points had WEP turned on. Some access points were found to be broadcasting DHCP. The audit was informal, conducted as an executive at a security research firm traveled through various airports over the course of a week.
-http://www.computerworld.com/mobiletopics/mobile/technology/story/0,10801,74271,00.html

16 September 2002 Sites Still Vulnerable to Cross-Site Scripting

A significant number of web sites are vulnerable to cross-site scripting attacks, despite warnings about the problem that have been out for six months. Crackers have exploited the vulnerabilities to publish phony press releases and to steal credit card information and cookies. Addressing the problem on each site can be complicated and time consuming. It is also possible that because the affected site is the party delivering the malicious code, it could be liable for damages.
-http://www.vnunet.com/News/1135064

15 & 16 September 2002 Mozilla Browser Privacy Hole

A privacy flaw in the Mozilla browser discloses the URL of the site a user is visiting to the web server of the last site visited. This holds true even if the next site's address is typed in manually or selected from a bookmark. The flaw affects at least versions 1.0, 1.0.1 and 1.1 of Mozilla, as well as Netscape 7 and Galeon.
-http://news.com.com/2100-1001-958001.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,74297,00.html

ARTICLES ILLUSTRATING CHANGES IN INFORMATION WARFARE

[Editor's Note (Northcutt): The next two articles help us understand the future of information warfare. Malicious code is essentially asymmetric. It is a lot cheaper to write a worm than to clean up after one has infected your systems. A determined adversary with a substantial technology base could create a variety of attacks that have never been seen before and release them at the same time. As long as they do not gain entry into specialized command and control networks that are supposedly not connected to the Internet, the result is more likely to be a nuisance than a nightmare. As Ed Skoudis put it, "I'm looking forward to an Internet 'snow day', I could use the rest". ]

16 September 2002 ABCNews Hired Firm to Test CA Police Dept. Security From Afar

In a "swarming attack," terrorists would attack both physically and on the cyber space front; the forthcoming National Strategy to Secure Cyberspace is designed to address such concerns. In an effort to discover what kind of havoc hackers could wreak from afar, ABCNews hired a Colorado Springs-based computer security consulting firm to break into a California police department's computer system. The hackers mapped the department's network, sent a phony e-mail from the chief to a detective, and tried to send the chief a Trojan horse, which was blocked by the department's virus detection system. They also sent fake warnings to every screen in the department before they disclosed their identity. The police department officials were aware that the attack was going to take place; they just didn't know when.
-http://abcnews.go.com/sections/wnt/DailyNews/cyberterror020913.html

16 September 2002 Nimda Changed IT Security Thinking

The spread of the Nimda worm had a greater effect on cyber security than did the September 11th terrorist attacks. The worm, which debuted a year ago, spread not only through e-mail attachments, but also through shared files on servers. It broadened the focus of security to encompass not only network and perimeter security, but application and database security as well. It also drove home the point that patches and updates need to be applied quickly.
-http://www.computerworld.com/securitytopics/security/story/0,10801,74284,00.html

FREE WEB BROADCAST

Dustin Childs covers the basics of event logs in Windows NT and 2000

Dustin Childs covers the basics of event logs in Windows NT and 2000, the management of those logs, and when you can and cannot completely trust them. Listen live and ask questions, or, once you have an access code, sign on later to listen to the web cast at your leisure. Register in advance to get the handouts:
-http://sans.digisle.tv/audiocast_100202/brief.htm

SECURITY TRAINING NEWS

*SANS Network Security 2002 in October

Largest security conference & expo:
-http://www.sans.org/NS2002
*SANS Cyber Defense Initiative in San Francisco - Dec. 15-20