SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IV - Issue #47

November 20, 2002

Special invitation for security managers and executives among NewsBites
readers: Announcing NIAL IV, the Fourth National Information Assurance
Leadership Conference


People attend NIAL because they manage security programs and need
unbiased management-level briefings on both technology and management
issues, on the future of information security, the latest threats,
up to date defenses, how to choose the right security tools, how to
build a defense-in-depth toolbox that scales from a SOHO to a vast
enterprise, and even how to present their security program effectively.


The first three NIAL conferences were limited to Navy, Marines, Army,
Air Force and other DoD security managers. NIAL IV, March 5 and 6,
2003, at Harbor Island in San Diego, will be the first NIAL open to all
security managers and leaders. NIAL is the one conference to attend
if you want a conference where every session features an extraordinary
speaker with valuable, practical information you can apply when you
return to work. This is what a security conference should be, but it
is all too rare. Check out the agenda at the end of this NewsBites,
and then plan to join us in San Diego in March. You'll save $500 if
you register for NIAL plus one of SANS immersion training tracks that
follow NIAL.
http://www.sans.org/SANS2003/nial.php


Stephen Northcutt, Alan Paller, Ed Skoudis
Principal Instructors, NIAL IV

---

TOP OF THE NEWS

12 November 2002 Vulnerabilities Affect BIND Versions 4 & 8
14 & 15 November 2002 BIND Vulnerabilities Raise Disclosure Debate
14 November 2002 Tcpdump Trojan Infection
14 November 2002 Evidence Obtained from PC Without Warrant Violates Fourth Amendment
13 & 14 November 2002 Homeland Security Proposal Additions Concern Security and Privacy

THE REST OF THE WEEK'S NEWS

18 November 2002 GSA Awards Patch Dissemination Contract
18 November 2002 University of Oslo Passwords Hacked
17 November 2002 Journalist Gets Into Hussein's e-Mail
15 November 2002 Bill Establishes e-Government Office in OMB
15 November 2002 WPA Vulnerable to DoS
15 November 2002 P2P Honeypots?
11 November 2002 Revamping P2P Request Rules Diminishes Attack Effects
14 November 2002 Mundie on Trustworthy Computing
14 November 2002 Chechen News Sites Targeted by Foes?
13 November 2002 OHS to Release Conceptual Architecture Plan for DHS
13 November 2002 Men Surrender to FBI in Breeders' Cup Case
13 November 2002 Court Appearance for Virus Spreader
13 November 2002 Latin American Companies Vulnerable to Cyber Attacks
13 November 2002 e-Card Tricks Recipients into Accepting License Terms
12 & 13 November 2002 UK Man Indicted on Military Computer Hacking Charges
15 November 2002 McKinnon Left Evidence Behind
12 November 2002 Pentagon Developing Global Cyber Surveillance System
12 November 2002 ATM Thieves in Australia
12 November 2002 Report Encourages Government to Use Wireless Devices
12 November 2002 Treasury Dept. IG Report Holds Praise, Offers Suggestions
11 November 2002 Single Point of Government Contact for Vulnerability Reporting?
11 November 2002 Charney Calls for Government to Take Larger Role in CI Security
11 November 2002 Hong Kong Police Force Bolsters Computer Forensic Dept.
15 November 2002 Mac Unix-based Xserve Vulnerabilities
11 November 2002 Unix-Based Mac OS More Vulnerable

---

**************** This Issue Sponsored by NetIQ ***********************
FREE HIPAA Compliance White Paper from NetIQ
Attn Healthcare professionals! Are you ready for HIPAA (The Health
Insurance Portability and Accountability Act of 1996)? Read NetIQ's
FREE White Paper, "HIPAA Readiness," and learn how to plan for and
maintain compliance with HIPAA's security guidelines and regulations.
Visit http://www.netiq.com/f/form/form.asp?id=1304&origin=NSSANS102302
***********************************************************************

---

TOP OF THE NEWS

12 November 2002 Vulnerabilities Affect BIND Versions 4 & 8

Three "malformed request" vulnerabilities in BIND DNS make servers running the software susceptible to denial-of-service attacks; one of the three also includes a buffer overflow attack that allows arbitrary code to be executed. Affected versions include BIND 4 and BIND 8 through 8.3.3. Users are encouraged to upgrade to BIND 9.
-http://www.computerworld.com/securitytopics/security/story/0,10801,75828,00.html
-http://news.com.com/2100-1001-965525.html
-http://www.linuxsecurity.com/articles/vendors_products_article-6140.html

14 & 15 November 2002 BIND Vulnerabilities Raise Disclosure Debate

While Internet Security Systems (ISS), the group that made the announcement of the flaws in the BIND domain name system (DNS) software maintains patches for the problems were readily available when they published the information, users say otherwise. Some say that when they went to the Internet Software Consortium (ISC-the group responsible for maintaining BIND) web site, they were told to e-mail the group to speak to them about patches. ISS has been accused of failing to follow the Organization for Internet Safety's (OIS) code of conduct. ISS also says they believed the vulnerabilities were not being actively exploited.
-http://www.eweek.com/article2/0,3959,708890,00.asp
-http://www.smh.com.au/articles/2002/11/14/1037080843561.html

14 November 2002 Tcpdump Trojan Infection

A hacker managed to install a Trojan horse backdoor program on two software products available on the tcpdump.org website: tcpdump, a network data traffic monitoring utility and libpcap, its code library. The software has been mirrored on other sites; CERT/CC has issued an advisory about the affected utilities and advises sites to verify the integrity of the code they make available. This attack is similar to earlier attacks on Sendmail and OpenSSH.
-http://zdnet.com.com/2100-1105-965800.html
-http://news.com.com/2100-1001-965916.html
-http://www.cert.org/advisories/CA-2002-30.html

14 November 2002 Evidence Obtained from PC Without Warrant Violates Fourth Amendment

A federal judge in Virginia ruled that police who submitted evidence obtained by a hacker from a suspect's PC without a warrant constituted unreasonable search and seizure, violating the Fourth Amendment. The evidence was suppressed.
-http://news.com.com/2100-1023-965926.html
[Editor's Note (Murray): The FBI is usually careful to insulate such evidence by getting a warrant based on "testimony of a confidential (and often paid) informant," and then getting the same evidence again under cover of that warrant. In this case, it looks like they skipped that step and compromised their prosecution. ]

13 & 14 November 2002 Homeland Security Proposal Additions Concern Security and Privacy

The Cyber Security Enhancement Act (CSEA) has been inserted into the Department of Homeland Security proposal. CSEA, which passed in the House but not the Senate earlier this year, could send certain crackers to prison for life. It also broadens the circumstances under which an ISP can divulge user activity
-http://news.com.com/2100-1001-965750.html
-http://www.washingtonpost.com/wp-dyn/articles/A54872-2002Nov14.html

---

THE REST OF THE WEEK'S NEWS

18 November 2002 GSA Awards Patch Dissemination Contract

The General Services Administration (GSA) has awarded a contract to Veridian Corp. for a computer vulnerability patch dissemination system for government agencies. Veridian will maintain profiles of agency systems, advise agencies on what to do until patches become available and will test patches before sending them out to the various agencies.
-http://www.fcw.com/fcw/articles/2002/1118/news-patch-11-18-02.asp
[Editor's Note (Grefer): During the Top20 announcement, the GSA representative emphasized that the patch "testing" would just be a general functional test, without any implied nor explicit guarantees whatsoever. Each agency will still have to do its own testing. The only thing that will be caught by this setup is anything that has not gone through quality assurance cycles at the vendor. ]

[20 ]
]
- 18 November 2002 University of Oslo Passwords Hacked Crackers obtained the University of Oslo's central password file; they also stored quantities of pirated programs and movies on the University's servers. The University had to change all the passwords and install new software on some computers. The University was unaware that an SQL database installs automatically with Windows 2000; it was not being properly maintained.
-http://www.ds-osac.org/view.cfm?key=7E475241425D&type=2B170C1E0A3A0F162820

17 November 2002 Journalist Gets Into Hussein's e-Mail

Journalist Brian McWilliams guessed the password to an e-mail account for Saddam Hussein on the Iraqi government web site, www.uruklink.net/iraq, and downloaded more than 1,000 messages that had been sent to Hussein. The mail included business proposals from some U.S. companies even, though the U.S. has trade sanctions against Iraq. There is no way to know if Hussein ever read any of the mail. McWilliams recommended that the site change the account password; when nothing was done, he changed it himself. It has since been changed again.
-http://www.cnn.com/2002/TECH/11/17/offbeat.saddams.email.ap/index.html
[Editor's Note (Schultz): Let's not give any kudos to Mr. McWilliams. Breaking into another person's account without authorization is illegal and unethical. ]

15 November 2002 Bill Establishes e-Government Office in OMB

The House recently approved H.R. 2458, which establishes an e-government office within the Office of Management and Budget (OMB). The bill also created an e-government fund for interagency projects; $200 million is authorized for each of the next three years. Among other responsibilities, the e-government office's CIO would establish security guidelines. The Senate passed its version of the bill, S.803, in June; now both go to conference committee.
-http://www.govexec.com/dailyfed/1102/111502a2.htm

15 November 2002 WPA Vulnerable to DoS

Wi-Fi Protected Access (WPA), the new wireless security standard, is vulnerable to a type of denial of service attack. If it receives two unauthorized data packets within one second, it shuts down for one minute to prevent an "active attack." In other words, an attacker could send two unauthorized packets every minute and keep the network down.
-http://www.wired.com/news/business/0,1367,56350,00.html
Cisco's response admitting vulnerability to DoS in the conclusion:
-http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00800a9
e74.html
[Editor's Note (Shpantzer): This feature/vulnerability is built into the spec. It focuses on improving resistance to confidentiality and integrity attacks, at least relative to WEP. The tradeoff is a built-in denial of service vulnerability. ]

15 November 2002 P2P Honeypots?

Some record labels, film companies software manufacturers and other digital content copyright holders are paying companies to seed peer-to-peer networks with decoy files that may start playing music and then fade away or play nothing at all.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=1758568

11 November 2002 Revamping P2P Request Rules Diminishes Attack Effects

Two researchers at Stanford University say they believe they could build a peer-to-peer file-sharing network that would protect users from denial-of-service attacks. This is especially significant due to proposed legislation that would permit copyright holders to hack back at computers of those suspected of copyright violation. Using a mathematical model of Gnutella, the researchers determined that establishing rules for responding to requests from certain nodes greatly reduced the damage from an attack.
-http://www.newscientist.com/news/news.jsp?id=ns99993037
[Editor's Note (Northcutt): Measures and countermeasures. This is going to get pretty nasty, whether or not they legalize attacks, it is only a matter of time before we see serious P2P malware. If you are sitting on the sidelines in your organization thinking, "what harm can some music files do", you are underestimating the impact. Work to develop strong policy against the use of these tools, and enforce that policy before the shooting starts. ]

14 November 2002 Mundie on Trustworthy Computing

Microsoft senior VP for advanced strategies and policies Craig Mundie said that though the company has made progress with its Trustworthy Computing Initiative, it still has a way to go. Examples of progress include the success of the voluntary program that lets Windows XP users have their machines automatically report bugs back to Microsoft, and privacy enhancements made to Media Player 9. Among the costs of the program is the fact that Microsoft no longer supports Windows 95 despite its widespread use. Mundie says one of the problems the company is facing is the fact that customers are running older, less secure versions of their software; he also says the company plans to force security fixes onto older versions of their software, even if it breaks some users' applications.
-http://www.computerworld.com/securitytopics/security/story/0,10801,75873,00.html
-http://www.wired.com/news/technology/0,1282,56381,00.html
-http://www.pcworld.com/news/article/0,aid,106928,00.asp
-http://zdnet.com.com/2100-1105-965759.html
-http://www.theregister.co.uk/content/4/28100.html
[Editor's Note (Murray): Mundie's message, "You will just have to go back and fix it," seems to be addressed to the developers. MS has a hard problem here. Historically they have catered to the developers because the popularity of Windows is related to the fact that there are a lot of applications. However, it is the users that will suffer the broken apps. ]

14 November 2002 Chechen News Sites Targeted by Foes?

Chechen separatists allege that Russia's FSB security service took down two of their primary news web sites. An FSB spokesman denies the allegation. One site (chechenpress.com) was the victim of a denial of service attack; the other's (kavkaz.org) registration was changed and the site closed.
-http://news.zdnet.co.uk/story/0,,t269-s2125938,00.html

13 November 2002 OHS to Release Conceptual Architecture Plan for DHS

The Office of Homeland Security is going to issue a conceptual architecture plan for integrating IT systems within the Homeland Security Department. A CIO team from the 22 agencies that will merge to form the new department is also taking a look at various IT projects and deciding which to combine with others and which to terminate.
-http://www.govexec.com/dailyfed/1102/111302h2.htm

13 November 2002 Men Surrender to FBI in Breeders' Cup Case

Three men involved with suspicious off-track betting in the Breeders' Cup surrendered to the FBI last week. The men may be charged with wire fraud conspiracy. One of the three was fired from his job at Autotote shortly after the event in question; his job allowed him the type of computer access required to manipulate the wagers.
-http://www.wired.com/news/politics/0,1283,56328,00.html

13 November 2002 Court Appearance for Virus Spreader

A Welsh man, Simon Vallor, appeared in court on charges of distributing the Gokar, Redesi and Admirer mass-mailer computer viruses. Information from the FBI helped in the investigation and subsequent arrest of the 21-year-old in February.
-http://news.zdnet.co.uk/story/0,,t281-s2125873,00.html
-http://www.theregister.co.uk/content/56/28077.html

13 November 2002 Latin American Companies Vulnerable to Cyber Attacks

Companies in Latin American countries are vulnerable to computer attacks because they don't spend enough or in some cases even have enough to spend on security. The companies tend to behave reactively rather than proactively. Employees are not trained properly and many businesses lack security policies or don't educate employees about the policies. In addition, the governments are not enforcing cyber security laws.
-http://www.infoworld.com/articles/hn/xml/02/11/13/021113hnlatamhack.xml
[Editor's Note (Murray): Nonsense. There is always enough money to do that which must be done. If the cost of security were not less than the cost of insecurity, we would not do it. Trust me when I tell you that if their systems are compromised they will find the money for remediation. That money will come out of profits. ]

13 November 2002 e-Card Tricks Recipients into Accepting License Terms

An electronic greeting card created by a Panama-based company tricks recipients into downloading an application that sends e-cards to everyone in the Outlook address book. The company manages to make such activity legal by the simple fact that users have accepted the terms of a license agreement.
-http://news.com.com/2100-1001-965570.html

12 & 13 November 2002 UK Man Indicted on Military Computer Hacking Charges

UK citizen Gary McKinnon has been indicted in Virginia and New Jersey on charges of hacking into a variety of U.S. military computer networks between March 2001 and March 2002. McKinnon was in British custody before being released recently; U.S. Attorney for the Eastern District of Virginia Paul McNulty said U.S. officials hope to extradite McKinnon. McKinnon says he will fight extradition.
-http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,75833
,00.html
-http://www.govexec.com/dailyfed/1102/111202h2.htm
-http://news.com.com/2100-1001-965490.html
-http://www.cnn.com/2002/LAW/11/12/military.hacker/index.html
-http://online.securityfocus.com/news/1646
-http://www.gcn.com/vol1_no1/daily-updates/20478-1.html
-http://www.washingtonpost.com/wp-dyn/articles/A45963-2002Nov12.html
-http://media.guardian.co.uk/newmedia/story/0,7496,839642,00.html
--15 November 2002 McKinnon Left Evidence Behind Gary McKinnon, the UK man indicted for breaking into U.S. military computers, left clues to his identity in a software download log file. McKinnon downloaded a utility called RemotelyAnywhere in March 2001. His IP address was left in the company's server log files; the company also had the e-mail address he gave to receive code to unlock the software.
-http://www.wired.com/news/technology/0,1282,56392,00.html

12 November 2002 Pentagon Developing Global Cyber Surveillance System

The Pentagon's Information Awareness Office plans to develop a global computer surveillance system to detect suspicious activity in the effort to fight terrorism. The Information Awareness Office is run by former national security advisor John Poindexter who proposed the project; the project is funded by DARPA, the Defense Advanced Research Projects Agency, to the tune of $200 million annually. It plans to examine travel, banking, purchasing, medical and other data. Poindexter says the data would be collected with business and government permission. Some have raised questions about the proposed system's ability to be calibrated to avoid collecting data about innocent people. Poindexter said the system would have safeguards, but that his goal is to develop technology, not policy.
-http://www.washingtonpost.com/wp-dyn/articles/A40942-2002Nov11.html

12 November 2002 ATM Thieves in Australia

New South Wales, Australia police have warned of thieves attaching skimming devices to ATMs; the devices read the necessary information to access bank customers' accounts. The thieves have already stolen hundreds of thousands of dollars.
-http://www.ds-osac.org/view.cfm?key=7E4752424153&type=2B170C1E0A3A0F162820

12 November 2002 Report Encourages Government to Use Wireless Devices

A report from the IBM Endowment for the Business of Government encourages government agencies to train their employees in wireless technologies and provide them with wireless devices, like PDAs. The report also warned that wireless security should be improved before the technology is used between government and private citizens.
-http://www.govexec.com/dailyfed/1102/111202td1.htm
[Editor's Note (Murray): Not to fear. The economies of wireless are such that it will be used. Connectivity trumps security every time; get used to it. Our readers should forget "wireless security" and focus on end-to-end encryption. There are many applications that I can do from my laptop that I cannot do from my PDA because my PDA browser does not support SSL. Our readers cannot control the use or the security of wireless but they can control the security of their applications. ]

12 November 2002 Treasury Dept. IG Report Holds Praise, Offers Suggestions

Treasury Department Inspector General reports found that three department agencies - the Office of the Comptroller of the Currency, the Financial Management Service and the Bureau of Public Debt. - need to improve their computer inventory systems to prevent loss and theft. A report said that audits should be conducted by an independent party. The report had praise for the agencies' written security policies and other security measures.
-http://www.govexec.com/dailyfed/1102/111202a1.htm

11 November 2002 Single Point of Government Contact for Vulnerability Reporting?

Government security officials are discussing the possibility of creating a single point of contact for cyber security vulnerability notification; the government would be notified at the same time as the vendor whose product is affected. Some people are concerned about the amount of information the government would receive.
-http://www.eweek.com/article2/0,3959,685579,00.asp

11 November 2002 Charney Calls for Government to Take Larger Role in CI Security

Microsoft chief security strategist Scott Charney wants the government to take a stronger role in securing critical infrastructure instead of leaving it to market forces. Charney said the role "might be
[regulation ]
, but it doesn't have to be." He would like government to work closely with vendors to figure out what needs to be done and how best to achieve that goal. Charney's position is contrary to the National Strategy to Secure Cyberspace, which shies away from government regulation of cyber security, but Charney acknowledges that vendors have to take an active role as well.
-http://www.eweek.com/article2/0,3959,686367,00.asp

11 November 2002 Hong Kong Police Force Bolsters Computer Forensic Dept.

The Hong Kong police force plans to increase the number of officers in the computer forensics department of its Technology Crime Division. The Division presently includes 66 officers in three departments: operations, forensic investigations, and intelligence and support. The amount of crime data undergoing forensic investigation is increasing dramatically; the police force has also opened a HK$4 million computer forensics laboratory.
-http://www.infosecnews.com/sgold/news/2002/11/11_02.htm

15 November 2002 Mac Unix-based Xserve Vulnerabilities

The Macintosh Xserve server is vulnerable to denial of service attacks or web page defacements if it is not configured correctly. Furthermore, the server is Unix based, making it vulnerable to Unix flaws. However, because Macintosh server software is not as prevalent as Windows, it is not often targeted by virus writers and hackers.
-http://www.newsfactor.com/perl/story/19994.html

11 November 2002 Unix-Based Mac OS More Vulnerable

Although a recent study proclaimed the Macintosh OS the least likely to be the target of malware, it was unclear whether the study looked at Classic Mac-OS or the new, Unix-based version. While the older OS may be less likely to come under attack, the Unix-based OS is likely to open the door for more attacks on Macintoshes. In addition, security advisories at CERT/CC show a higher incidence of security issues with Mac OS X than does the study.
-http://www.newsfactor.com/perl/story/19930.html
[Editor's Note (Northcutt): I own a pair of Macintosh OS X systems, and my wife and I love them. However, when I watch them on the home network with an analyzer, their traffic leads me to believe they must have serious potential vulnerabilities. They are very chatty and their multicast traffic is only partially documented. The MI2g press releases reflected in the preceding articles do not appear to be supported by sound research, and some people are going to believe these sorts of things without doing any research and testing themselves. Readers beware. ]

---

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, visit https://portal.sans.org/preferences.php/
To change your subscription, address, or other information, visit https://www.sans.org/sansurl/ and enter your SD number or email address (from the headers.) You will receive your personal URL via email.
AGENDA FOR NIAL 4, March 5-6, San Diego
The Fourth National Information Assurance Leadership Conference (NIAL IV), March 5 and 6, 2003, on Harbor Island in San Diego, is open to all managers and leaders involved in information and network security. Learn the latest threat information, how to update your defenses, and the tools and tips that work from the best speakers in the security field. http://www.sans.org/SANS2003/nial.php
"SANS is on the cutting edge of security and is recognized as the standard that everyone else wants to be." Wade Gaines, Dept of Energy "Worth every dime!" Dustin Howard, Lucent
Agenda
March 5, 2003
Keynote - Marcus Sachs - President's Critical Infrastructure Protection Board, The White House Learn the inside story on the National Strategy For Securing Cyberspace and on the lessons learned in the aftermath of September 11, 2001. Marcus is the technical information security guru on the White House staff, and one of the most respected security experts involved in fighting back against cyber crime. He gives an extraordinary presentation bridging the technical and policy aspects of the issues involved in creating a national cybersecurity strategy. "Down to earth, practical training...where the rubber meets the road!" J. Frazier, PWC
Intellectual Property Intrusion Detection - Stephen Northcutt Plagiarism, Kazaa and other networks of stolen .mp3s, economic espionage, and information warfare are similar issues; they are attacks against intellectual property. We know attacks against copyrights, trade and service marks and trade secrets are as common as hacker attacks, but how do we detect these, how can we defend against them? This talk will describe the categories of intellectual property, show techniques to detect intrusion and theft, and most importantly describe tried and proven strategies for defense of intellectual property. "Stephen's knowledge and experience (stories) mix well to fully meet the objectives of the course." Joshua Feldman, NFR Security
The SANS/FBI Top 20 Internet Security Vulnerabilities: How To Find Them and Get Rid of Them - Alan Paller
In this session you'll learn how the SANS/FBI Top 20 were created and how they are different from the 2001 Top 20. You'll also learn about the current state of tools that can test for the Top 20 and the lessons learned by NASA in wiping out the common vulnerabilities across more than 80,000 systems.
Future Trends in Information Security - Stephen Northcutt
If you are a manager or leader, you need to know where the industry is going, not where it has been. In this talk, updated from the keynote at NIAL 03, Stephen uses data from surveys, web hit statistics and other proprietary information sources to track the dominant trends shaping the future of information security.
"You just have to hear the master speak, he can share the experience we can only dream of." Kris Van der Smissen, Telindus
"How to give Winning Technical Presentations" - Alan Paller
The core of SANS is great teaching by front-line practitioners and every one of the top rated SANS instructors have taken this short-course. No single professional skill is more important to on-the-job success than your ability to present your ideas in a compelling and approachable manner. Whether the audience is the CEO or a crowd of techies, there are approximately 30 errors technical people make so often that they have been catalogued. These errors sometimes are so bad that they cause audiences to want to do just the opposite of what the speaker is saying. In this fast-paced session, you'll have a humorous introduction to the errors and learn how to eliminate them. "Alan Paller is charismatic, has high energy, and is adept at showing an audience how to communicate and present effectively, while making the audience feel interested along each step of the way." Karl G. Pena, Arin.Net
Cyberwarfare - Stephen Northcutt
This freshly updated talk is a SANS classic, It has been taught at SANS since 1997 and clearly indicated the economic effects of terrorism using the airline industry years before 9/11. It is based on research work done by Rand for the National Security Agency and tuned at NSWC and examines information warfare methods and scenarios. We look at how to apply an 'Indications and Warnings' intelligence methodology to information security correlations to improve early warning of impending large-scale attacks. We'll then apply these methods to analyzing a hypothetical cyber war scenario set in 2004, and will discuss large-scale response, critical infrastructure defense. "Stephen's blend of enthusiasm and content knowledge make the subject matter (often mind-numbing) intensely interesting." Adam Taylor, DoD March 6, 2003
"SANS is the best vendor neutral training that I have ever received, and I have had over 1,000 hours of pro training." Keith Nelson, Deployment Technologies
Keynote - Breaking News - Recent Advances in Computer Attacks and Defenses - Ed Skoudis
The bad guys just keep getting better. They constantly devise new and ever more devious ways to break into our computers. To even the score, we must keep up with their advances by improving our defenses. This briefing covers several recent trends in computer attacks over the past several months, with recommendations for countering each threat. In this engaging session, we will address super-stealthy Trojan Horse backdoors, advanced scanners, software flaw analysis tools, and new wireless LAN attacks.
Choosing the Right Vulnerability Detection and Intrusion Analysis Tools - Alan Paller
If you had $100,000 or $500,000 to spend on security tools, what would be the best allocation of the money? Which types of tools would you want to buy first? Which vendors would you look to? This session summarizes answers to those questions based on data from more than 1,000 user organizations that have made those decisions for intrusion detection and vulnerability analysis tools. Stealth, Evasion, and Anti-Forensics: How Bad Guys Hide on Computers- Ed Skoudis
Experienced computer attackers are highly effective in disguising their malicious actions. Using IDS evasion, anti-forensics, sniffing backdoors, and other related techniques, attackers are constructing effective "cones of silence" around their activities. If you don't prepare your systems in advance, your users and system administrators could be unaware of a full-scale computer attack until it's too late. In this session, you'll learn the attackers' tactics, as well as actions you can use to pierce the bad guys' defenses.
The Defender's Toolbox - Ed Skoudis
In the arms race between computer attackers and defenders, it sometimes feels like we just cannot keep up with the bad guys' increasingly sophisticated arsenal. This session is designed to help level the playing field, and even give the good guys an advantage. We will highlight the most effective tools used by system administrators in defending against computer attacks. The session will help you arm yourself and your team with highly effective open source security tools.
"Having access to some of the best minds in security is a once in a lifetime opportunity." Jakub Pittner, Elytra Enterprises Inc. Minimum Standards for Securing Popular Systems: The Center for Internet Security - Hal Pomeranz
One of the most important responsibilities of a security manager is to ensure the enterprise's systems are deployed safely. That's much easier to say than do. The Center for Internet Security is the international public/private partnership of large organizations working to reach consensus on standard security configurations and providing free tools to test systems against those standards. In this briefing you'll learn about the first standards that have been completed (including Windows 2000, NT, Solaris, IOS and more), about how to get and use the free testing tools, and about how you can involve your organization in helping to shape the standards. "Where else can you pick the brains of top notch people in info security!" Anees Mirza, Mountain Wave Inc.
The Coming Super Worms - Ed Skoudis
Worms have proven to be among the most damaging of computer attack tools. However, we've only seen the tip of this iceberg. Attackers are planning on major revolutionary strides in worm functionality. This session discusses the new breed of worms we'll face in the next two to five years, as well as tips for preparing for the onslaught. We'll detail super worm features including hyper propagation, multi-platform support, and poly/metamorphic code. "Ed rocks!" Jeff Lahann, IBM
Recent Trends in Web Application Attacks - Ed Skoudis Attackers have increasingly focused their sights on web applications, which are often the easiest way to penetrate an organization. Using techniques such as SQL injection, cross-site scripting, and session hijacking, bad guys are compromising web sites at an alarming rate. This session addresses this class of attacks and what you need to know to inoculate your web site against them.
"Skoudis is extremely knowledgeable and sharp! I really regret that I have to fly back to work tomorrow and have to miss some of his presentations." Tam Knight, Learjet