Newsletters: NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #43

October 23, 2002

TOP OF THE NEWS

22 October 2002 DDoS Attack Targets The Core of The Internet
17 & 18 October 2002 Cybersecurity Funding Bill Passes Senate

THE REST OF THE WEEK'S NEWS

21 October 2002 Chicago Housing Authority Employs Biometrics
21 October 2002 Cytron Trojan
18 & 21 October 2002 Navy Computers Missing
18 October 2002 Cisco Catalyst LAN Switch Vulnerability
18 October 2002 Skeptic Files Defensive Patent Aimed at Preventing Palladium from Enforcing Software Licensing
17 & 18 October 2002 Yahoo Customers Tricked into Exposing Personal Data
17 October 2002 DoJ Response to Questions About Patriot Act Activities Is Vague
17 October 2002 Microsoft Issues Three More Vulnerability Warnings and Patches
17 October 2002 ElcomSoft Trial Delayed
16 & 17 October 2002 Microsoft Beta Site Intrusion
16 & 17 October 2002 DOE Launches Digital Signature Software
16 October 2002 Clarke: No Tax Credits for Cyber Security Measures
16 October 2002 UK Businesses need to Address Cybersecurity
16 October 2002 Malware and Anti-Virus FAQ
16 October 2002 UK Corporate Group to Work with Law Enforcement
16 October 2002 Symantec Firewall Vulnerability
16 October 2002 e-Shoppers Concerned About Security
15, 16 & 18 October 2002 Pop-Up Spam
15 & 16 October 2002 Interpol Cybercrime Conference Convenes
15 October 2002 NIPC and Financial Services ISAC Will Share Cyberthreat Info
15 October 2002 ATM Fraudster Draws Jail Time
14 October 2002 Freeh Still Supports Encryption Restrictions
14 October 2002 FBI to Open Cyber Forensics Lab in CA
10 October 2002 Side Channel Attacks Changing Encryption Software Thinking

SECURITY TRAINING NEWS

*SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20


***************** This Issue Sponsored by NetIQ ***********************
FREE HIPAA Compliance White Paper from NetIQ
Attn Healthcare professionals! Are you ready for HIPAA (The Health
Insurance Portability and Accountability Act of 1996)?
Read NetIQ's FREE White Paper, "HIPAA Readiness," and learn how to
plan for and maintain compliance with HIPAA's security guidelines
and regulations.
Visit http://www.netiq.com/f/form/form.asp?id=1304&origin=NSSANS102302
***********************************************************************

TOP OF THE NEWS

22 October 2002 DDoS Attack Targets The Core of The Internet

The thirteen root name servers, effectively the master directory for the Internet, were subjected to a large-scale distributed denial of service attack on Monday evening. According to Internet Software Consortium Inc. Chairman Paul Vixie, only four withstood the attack. Redundancy designed into the system allowed most traffic to get to its intended destination without delay.
-http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
[Editor's Note (Paller): The only way to stop such attacks is to fix the vulnerabilities on the machines that would ultimately get taken over and used to launch the attacks. There's no defense once the machines are under the attacker's control. If organizations have not established a vulnerability identification and remediation program for all their systems - even the "unimportant" ones - it won't be long before their foot dragging will subject them to economic liability and community contempt for their negligence. ]

17 & 18 October 2002 Cybersecurity Funding Bill Passes Senate

The US Senate recently passed S. 2182, which allocates $903 million over five years for cybersecurity research. The bill would require the National Institute of Standards and Technology (NIST) to create security configuration checklists for computers and software purchased by federal agencies. The bill now moves to the House, where it is expected to pass easily; the administration has also expressed support for the legislation.
-http://207.27.3.29/dailyfed/1002/101702td1.htm
-http://www.reuters.com/news_article.jhtml?type=internetnews&StoryID=1593981
-http://www.fcw.com/fcw/articles/2002/1014/web-cyber-10-18-02.asp



THE REST OF THE WEEK'S NEWS

21 October 2002 Chicago Housing Authority Employs Biometrics

The Chicago Housing Authority (CHA) is using thumbprint biometric technology to authenticate user access to its computer network. It hopes to reduce helpdesk workload and the likelihood of unauthorized network access.
-http://www.fcw.com/geb/articles/2002/1021/web-cha-10-21-02.asp

21 October 2002 Cytron Trojan

A Trojan horse program called Cytron is actually a browser plug-in that serves pop-up advertisements for pornographic web sites. Users are led to believe they are downloading an e-card viewer plug-in for an on-line greeting they've received, but what gets downloaded is actually Cytron, which has a valid certificate. The Trojan is named for the Canadian company that operates most of the sites on the pop-up ads.
-http://online.securityfocus.com/news/1350
[Editor's Note (Schultz): What next? This latest threat once again highlights the importance of user awareness in preventing undesirable outcomes. (Murray) Enterprises should be blocking such plug-ins at the network gateway. I doubt that one can get it from AOL. ]

18 & 21 October 2002 Navy Computers Missing

According to an internal Navy report, the Pacific Fleet cannot account for 595 computers; a spokesman later said that number has been reduced to 187. Some of the missing computers contain classified information. All of the computers have removable hard drives.
-http://news.com.com/2100-1001-962664.html
-http://www.computerworld.com/securitytopics/security/story/0,10801,75295,00.html

18 October 2002 Cisco Catalyst LAN Switch Vulnerability

Some Cisco Catalyst LAN switches are vulnerable to buffer overflow attacks that could result in a denial of service. Switches running CatOS versions 5.4 to 7.3, inclusive, and which have "cv" in their image names are affected. Users are encouraged to upgrade their software or employ a workaround, which entails disabling HTTP on vulnerable switches.
-http://www.theregister.co.uk/content/55/27690.html

18 October 2002 Skeptic Files Defensive Patent Aimed at Preventing Palladium from Enforcing Software Licensing

Speaking on a panel at the USENIX Security Symposium, Microsoft Palladium project manager Peter Biddle said the technology was designed to protect entertainment content and he didn't see how it could be used to enforce software licensing. Fellow panelist Lucky Green wasn't so sure; shortly after the conference he applied for two patents for techniques for using Palladium for just that purpose.
-http://www.wired.com/news/technology/0,1282,55807,00.html

17 & 18 October 2002 Yahoo Customers Tricked into Exposing Personal Data

Some Yahoo customers were duped by a fraudulent e-mail into supplying their credit card and Yahoo account information. Yahoo sent a mass mailing to its customers advising them not to heed the phony request.
-http://www.msnbc.com/news/822693.asp?0dm=T217T
-http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanS.db&command=viewone&id=98&op=t

17 October 2002 DoJ Response to Questions About Patriot Act Activities Is Vague

The House Judiciary Committee released the Justice Department's answers to 50 questions regarding its use of new surveillance powers granted by the Patriot Act.
-http://www.pcworld.com/news/article/0,aid,106038,00.asp

17 October 2002 Microsoft Issues Three More Vulnerability Warnings and Patches

Microsoft has issued warnings about security vulnerabilities in three of its products. First, a flaw in SQL Server could allow a user to elevate privileges. SQL Server 2000 and SQL Server 7 are affected, as are Microsoft Data Engine 1.0 and Microsoft Desktop Engine 2000. Second, a flaw in the way certain versions of Microsoft Word and Excel handle field codes could allow an attacker to steal documents on vulnerable computers. Word 97, 2000, and 2002 and Excel 2002 are affected; the flaw also affects some Word products for Macintosh. Finally, a security flaw in Windows XP help could allow an attacker to delete files on vulnerable machines.
-http://news.com.com/2100-1001-962409.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,75167,00.html

Word and Excel:
-http://www.microsoft.com/technet/security/bulletin/MS02-059.asp
XP Help:
-http://www.microsoft.com/technet/security/bulletin/MS02-060.asp
SQL Server:
-http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

17 October 2002 ElcomSoft Trial Delayed

A trial in which a Russian software company is being charged with violating the controversial Digital Millennium Copyright Act (DMCA) has been delayed six and a half weeks because officials at the US embassy in Russia have denied visas to key witnesses. One of the witnesses, programmer Dmitry Sklyarov, was arrested in August 2001 after giving a presentation about software that circumvents e-book copy protection at a conference in Las Vegas. ElcomSoft's attorney plans to file a motion to dismiss the case because his clients aren't able to testify.
-http://news.com.com/2100-1023-962491.html

16 & 17 October 2002 Microsoft Beta Site Intrusion

A hacker broke into BetaPlace.com, Microsoft's web site for beta testers; evidently someone's log-in credentials were leaked to the Internet. Microsoft shut down the site after it became aware of the breach; it also reset user passwords. The site contains unreleased versions of Windows, other software and activation keys. A spokesman said the intruder did not access source code. The event has sparked a criminal investigation.
-http://news.com.com/2100-1001-962333.html
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,75184,00.html

16 & 17 October 2002 DOE Launches Digital Signature Software

The Department of Energy (DOE) has launched digital signature software. DOE Secretary Spencer Abraham used the technology to digitally sign the department's e-Government Strategic Action Plan: A Road Map for Delivering Services. The plan will allow DOE and other departments to put secure documents on the Internet.
-http://207.27.3.29/dailyfed/1002/101602t1.htm
-http://www.fcw.com/fcw/articles/2002/1014/web-energy-10-17-02.asp
-http://www.gcn.com/vol1_no1/daily-updates/20276-1.html
[Editor's Note (Murray): Even those enterprises and agencies that routinely sign their posts and e-mails are vulnerable to some spoofs and forgeries. However, those that do not are vulnerable to campaigns of such spoofs and forgeries and leave their constituents naked to them and with no defense except to ignore everything. ]

16 October 2002 Clarke: No Tax Credits for Cyber Security Measures

Richard Clarke says the Bush administration is unlikely to give tax credits to companies that employ cyber security measures; companies should be doing so of their own initiative. He also said that the government should not regulate cyber security; the government should instead encourage security awareness and information sharing and stimulate research.
-http://www.cio.com/research/security/edit/101602_clarke.html
[Editor's Note (Schultz): Ideally, the US government should regulate industry, given that industry comprises so much of the national infrastructure. But the government has trouble regulating itself in the first place--how could it possibly regulate industry? ]

16 October 2002 UK Businesses need to Address Cybersecurity

British e-commerce minister Stephen Timms expressed concern that only 27% of businesses in the UK have IT security policies; that figure was published in a PricewaterhouseCoopers report, and marks a 100% increase over last year's numbers. The report also asserts that infections from malware and cyber attacks cost UK businesses billions of pounds last year. The UK government wants businesses to make IT security a priority.
-http://news.zdnet.co.uk/story/0,,t274-s2123998,00.html
[Editor's Note (Murray): The correct measure is not the percentage of enterprises that have an IT security policy but what percentage of enterprises that have any policy at all have an IT security policy. Most small enterprises rely upon culture rather than written policies. ]

16 October 2002 Malware and Anti-Virus FAQ

This article describes viruses, worms and Trojans and how they propagate. It also explains what anti-virus software does, what to look for when buying the software, and offers basic advice for preventing and managing infections.
-http://techupdate.zdnet.co.uk/story/0,,t481-s2123989,00.html

16 October 2002 UK Corporate Group to Work with Law Enforcement

The UK's Corporate IT Forum has established a security group that hopes to work with the government on cybercrime prosecution. The group will allow companies to preserve proprietary information and protect their reputations by not making them go public with intrusion incident information. The group would like to work with the National High Tech Crime Unit (NHTCU), which is eager to create partnerships with such organizations.
-http://www.vnunet.com/News/1135990

16 October 2002 Symantec Firewall Vulnerability

A security flaw in the web proxy component of Symantec's firewall technology leaves more than a dozen of the company's products vulnerable to a denial of service attack. Symantec customers were notified of the problem at the end of September, and the company has issued a bulletin and patches for affected products. The Danish company that issued an advisory about the problem issued a second advisory about an information leak in Symantec's web server that could let crackers discern host addresses behind firewalls. Symantec has known about the problem since 2001 and has issued a patch.
-http://www.infoworld.com/articles/hn/xml/02/10/16/021016hnsymantec.xml?s=IDGNS

16 October 2002 e-Shoppers Concerned About Security

A survey of Internet consumers indicates that people are apprehensive about the security of their credit card and other personal information when making online purchases. Only 21.2% of those surveyed believed their information was secure. This lack of confidence could be detrimental to the growth of e-commerce.
-http://www.msnbc.com/news/821649.asp?0dm=C237T

15, 16 & 18 October 2002 Pop-Up Spam

A company called DirectAdvertiser offers a tool which exploits Microsoft Messenger to send "anonymous and untraceable" pop-up ads to ranges of IP addresses. The Messenger service was designed for administrator use in contacting network users. Messenger is enabled by default in most versions of Windows.
-http://www.wired.com/news/technology/0,1282,55795,00.html
-http://www.theregister.co.uk/content/55/27634.html
-http://zdnet.com.com/2100-1105-962506.html
-http://www.msnbc.com/news/823007.asp?0dm=C218T

15 & 16 October 2002 Interpol Cybercrime Conference Convenes

The fifth Interpol conference on computer crime was held in Seoul, South Korea. Attendees from 37 countries shared ideas about information sharing between public and private sectors as well as the need for international cooperation in cybercrime investigation. One concern is that more than 100 countries have no laws regarding cybercrime.
-http://www.koreaherald.co.kr/SITE/data/html_dir/2002/10/15/200210150034.asp
-http://www.washingtonpost.com/wp-dyn/articles/A33231-2002Oct16.html

15 October 2002 NIPC and Financial Services ISAC Will Share Cyberthreat Info

The Financial Services Information Sharing and Analysis Center (ISAC) has signed an agreement with the FBI's National Infrastructure Protection Center (NIPC) that says they will communicate with each other on a weekly basis about cyber security threats. While the agreement indicates a shift in thinking for the private sector, companies are still wary of sharing certain information until they can be assured that it will not be accessible under the Freedom of Information Act (FOIA). This article also addresses concerns many private companies have about sharing cyber incident information, including the fear of information being made public and of computers being taken away.
-http://www.cio.com/archive/101502/fear.html

15 October 2002 ATM Fraudster Draws Jail Time

A German man whose encryption scheme for ATMs was deemed too expensive instead turned to fraud, creating and using phony debit and credit cards to make withdrawals. The seventy-one-year-old was caught and sentenced to nearly five years in jail.
-http://www.theregister.co.uk/content/55/27610.html

14 October 2002 Freeh Still Supports Encryption Restrictions

Former FBI director Louis Freeh has long favored stringent restrictions on encryption tools, including export restrictions and the inclusion of back doors so federal officials could access encrypted documents in criminal cases, but US policy went in the other direction, allowing the export of strong encryption products without backdoors. Freeh spoke to the Senate intelligence committee, pointing to the UK's Regulation of Investigatory Powers (RIP) Act which allows law enforcement officials to demand encryption keys for intercepted data, and provides for jail time for those who do not comply.
-http://zdnet.com.com/2100-1104-961969.html

14 October 2002 FBI to Open Cyber Forensics Lab in CA

The FBI is establishing a Regional Computer Forensics Laboratory in Menlo Park, CA. The lab is expected to open next year; investigators will be able to bring seized digital equipment to a team of specialists for analysis to gather evidence in criminal investigations.
-http://www.bayarea.com/mld/bayarea/4284974.htm

10 October 2002 Side Channel Attacks Changing Encryption Software Thinking

Instead of examining encrypted and unencrypted versions of a message to try to discern encryption keys, side channel attacks scrutinize processing time and power consumption. The head of RSA Laboratories says the growing presence of side channel attacks is causing a change in the way encryption software is written. New software may, for example, vary the amount of time it takes to perform specific functions.
-http://www.vnunet.com/News/1135796

SECURITY TRAINING NEWS

*SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20

Featuring the eight highest rated teachers in the security field. If you can attend only one conference this winter, try to get a place in the courses in San Francisco. Also features a free, evening step-by-step program for implementing a Top 20 vulnerability remediation program. San Francisco is often warmer and less crowded in December than in August. See:
-http://www.sans.org
for details on San Francisco and other programs


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer