
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #6

February 12, 2003


Three quick notes:


Today: Attend the "Top Ten UNIX/Linux Internet Security Vulnerabilities
And How To Fix Them" web briefing by Hal Pomeranz, SANS top UNIX/Linux
security teacher, free, at 1 pm EST (1800 UTC) Wednesday, Feb
12. If you miss the live program, it will be archived by evening.
Please download the visuals well before 1 pm because the download
site closes a few minutes before the broadcast begins.
http://www.sans.org/webcasts/021203.php


Help SANS create a Vendor Security Leadership Report Card. What do
you expect industry leaders like Cisco and Microsoft and Sun and
IBM to do to make security better, easier, and less expensive for
their users? And how are they doing? Send your suggestions to
info@sans.org with subject "vendor report card." We'll publish
the first draft report card at the National Information Assurance
Leadership Conference in San Diego in early March. (NIAL is the top
rated conference for chief information security officers.)
http://www.sans.org/SANS2003/nial.php


Today is the last day to register for SANS Annual Conference if you
want to avoid the late payment fee. And Friday is the last day to
get the low cost rooms at the hotel (right on the ocean in San Diego).
http://www.sans.org/SANS2003

TOP OF THE NEWS

Bush Authorized Development of Cyber Warfare Rules
DOD's Computer Network Attack Task Force
Feds Bypass Procurement Procedures To Buy More Secure Systems
European Union to Create Cyber Security Agency
Research Says IT Workers Looking to Government for Jobs; Security
Certifications Pay Growing Fastest

THE REST OF THE WEEK'S NEWS

Insurers Move Toward Stand Alone Policies for Hacking Protection
Proposed Legislation Would Impose Extra Sentence for Use of Encryption with Criminal Intent
Two Men Sentenced for Altering Data in California Court Computer System
Boston College Student Indicted on Charges Related to Keystroke Logging Software
Attacks on Internet Core Nodes Could Crash the Internet, Say Researchers
ISM Canada's Missing Hard Drive Found; Charges Pending
Slammer Hoax
Three Arrested in Connection with TK Worm
Man Convicted of Illegal Access to Judge's AOL Account
Bloomberg Cyber Extortion Trial Begins
Litchfield Says He Will Continue to Publish Proof-of-Concept Code
Government Surplus Computer Contained AIDS Patients' Names
Website Tells How to Hack London's Traffic Signals
Microsoft Issues Security Bulletins for Flaws in IE and Windows XP
Microsoft Releases Tools to Fight Slammer
Former ViewSonic Employee Arrested on Cyber Sabotage Charges
FedCIRC Wants Industry's Help in Establishing Info Sharing Standards
Suspicious .gov Site Removed
Santa Clara County Delays Choosing Electronic Voting System
Microsoft Pulls Faulty NT 4.0 Patch
Vulnerabilities Found in Opera Browser; New Version Released
BBC Sends Sobig to Radio Show Mailing List
Cybersecurity Market Growth Trends
Korean Group Mulls Class Action Suit Over Slammer


******** This Issue Sponsored by VeriSign - The Value of Trust ********
Get the strongest server security-128-bit SSL encryption! Download
VeriSign's FREE guide, "Securing Your Web Site for Business" and
learn everything you need to know about using SSL to encrypt your
e-commerce transactions for serious online security.
Visit: http://www.verisign.com/cgi-bin/go.cgi?a=n20400113340057000
***********************************************************************

TOP OF THE NEWS

Bush Authorized Development of Cyber Warfare Rules (7 February 2003)

In July 2002, President Bush signed National Security Presidential Directive 16, which orders the government to develop rules for cyberwarfare. The directive seeks to establish when and how to attack enemy computer networks, which targets should be attacked and who should authorize and launch the attacks.
-http://www.washingtonpost.com/ac2/wp-dyn/A38110-2003Feb6
-http://www.gcn.com/vol1_no1/daily-updates/21122-1.html
[Editor's Note (Schneier): Although still nascent, cyber-warfare will be an important part of 21st Century warfare. Rules of engagement will be critical as we navigate this new military theatre. (Grefer): The development of cyber attack tools would allow for a much more realistic test and improvement of defensive mechanisms. ]

DOD's Computer Network Attack Task Force (7 February 2003)

The US Defense Department's (DOD's) Strategic Command Joint Task Force-Computer Network Operations is being reorganized into two task forces. One will concentrate on network defense, the other on computer network attack (CNA).
-http://www.fcw.com/fcw/articles/2003/0203/web-net-02-07-03.asp

Feds Bypass Procurement Procedures To Buy More Secure Systems (4 February 2003)

The final draft of the National Strategy to Secure Cyberspace suggests that federal agencies will be able to purchase secure software outside of normal procurement procedures. Microsoft's Susan Koehler claims some agencies are already getting special approval to bypass the purchasing process "because of the security of Windows Server 2003."
-http://www.eweek.com/article2/0,3959,864577,00.asp
[Editor's Note (Paller): Procurement facilitation for more secure systems can be an element of a powerful strategic initiative that uses federal procurement to encourage vendors to deliver safely configured software. However, it would be dangerous for agencies to use this new flexibility to buy software simply because it is approved under the Common Criteria. Common Criteria-approved systems are often dangerously vulnerable, unless they are delivered with installation scripts that comply with secure configuration benchmarks - such as those published by the NSA and the Center for Internet Security. Contracting officers who believe vendors' claims that Common Criteria certification implies effective security may regret their decision when a worm like Slammer takes over their systems and brings down their networks. ]

European Union to Create Cyber Security Agency (6/10 February 2003)

The European Commission plans to establish a cybersecurity center to help member states share information about cyber threats and to promote best practice standards. The European Network and Information Security Agency, which has a $26.3 million budget over five years, is due to begin operations in January 2004.
-http://www.vnunet.com/News/1138546
-http://www.msnbc.com/news/869573.asp?0dm=C258T
-http://www.computerworld.com/securitytopics/security/story/0,10801,78402,00.html

Research Says IT Workers Looking to Government for Jobs; Security Certifications Pay Growing Fastest (10 February 2003)

According to research from Foote Partners, IT workers from the private sector are increasingly pursuing IT jobs in government in search of better employment security and shorter hours. In addition, premium pay for those with security certifications has risen more than 30% in two years.
-http://www.computerworld.com/careertopics/careers/story/0,10801,78304,00.html?nas=CAR-78304



************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Stop spam! - Top 10 enterprise techniques to control spam
***white paper ***
http://www.sans.org/cgi-bin/sanspromo/NB131
(2) PREVENT INTRUSIONS FOR GOOD. Identify attackers. Block them with
countermeasures! FREE DEMO.
http://www.sans.org/cgi-bin/sanspromo/NB132
(3) Event Correlation - Is It Security's Holy Grail? View our White
Paper at http://www.sans.org/cgi-bin/sanspromo/NB133
***********************************************************************
SANS National Information Assurance Leadership Conference (March 5-6
in San Diego) features the five top rated speakers in security, and
it is the only place where you will get the updated Internet Threat
Briefing. It is the conference to attend for CISO's, security
managers and team leaders. No vendor marketing fluff, and it is not
too technical for managers. You may even attend it and then attend
SANS immersion training in the same hotel right after the conference.
http://www.sans.org/SANS2003/nial.php
***********************************************************************

THE REST OF THE WEEK'S NEWS

Insurers Move Toward Stand Alone Policies for Hacking Protection (9 February 2003)

Insurance companies are now making businesses purchase stand-alone policies for hacking instead of covering those losses under their general liability policies. The market for hacking insurance is expected to leap from $100 million this year to $900 million in 2005.
-http://www.usatoday.com/money/industries/technology/2003-02-09-hacker_x.htm
[Editor's Note (Schultz): I am more than a little skeptical of the projected numbers in this news item. Time after time we've seen unfulfilled predictions concerning the growth of cybersecurity insurance in the past. (Schneier): Insurance is an important tool to manage security risks. As insurance becomes more ubiquitous, the insurance industry will begin driving security requirements much the same way it does in the physical world. ]

Proposed Legislation Would Impose Extra Sentence for Use of Encryption with Criminal Intent (7 February 2003)

Among the provisions in a draft of the Domestic Security Enhancement Act of 2003 is a proposed law that would provide for prison sentences for those who "knowingly and willfully use encryption technology to conceal any incriminating communication" in connection with a federal crime. Other provisions would significantly expand government surveillance abilities.
-http://online.securityfocus.com/news/2296

Two Men Sentenced for Altering Data in California Court Computer System (7 February 2003)

Two hackers have pleaded guilty to breaking into the Riverside County (CA) court computer system and altering data to make it appear that charges had been dismissed in a number of cases, including one against one of the hackers. The two obtained access to the system through a password one of them had copied while working as an outside consultant to a local police department. William Grace and Brandon Wilson were each sentenced to nine years in prison.
-http://www.msnbc.com/news/870163.asp?0dm=C17LT
[Editor's Note (Ranum): One has to ask how on earth the court's systems had such poor audit, poor perimeter security, and why on earth they were dial-up accessible. The hackers deserve appropriate punishment for this, but whoever established a password-based security access policy for such a critical system should lose their job for it. I'm not "blaming the victim" but this represents stunning security incompetence. And systems admins and MIS managers will continue to display such incompetence as long as nobody ever loses their job for it. (Grefer): This incident may serve as a timely reminder to our readers to implement (and test) a policy of regular password changes. ]

Boston College Student Indicted on Charges Related to Keystroke-Logging Software (6/7 February 2003)

Douglas Boudreau, a Boston College student, was indicted on charges of installing keystroke-logging software on more than 100 computers at his school; Boudreau then allegedly used the information he collected to steal about $2000. He faces up to 20 years in prison if convicted.
-http://news.com.com/2100-1023-983717.html
-http://www.washingtonpost.com/wp-dyn/articles/A37471-2003Feb6.html
-http://www.theregister.co.uk/content/55/29233.html
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,78319,00.html
[Editor's Note (Schneier): This is a trivial case, but it's a harbinger of things to come. Punishments need to fit the crime. ]

Attacks on Internet Core Nodes Could Crash the Internet, Say Researchers (6 February 2003)

Researchers at Arizona State University have published a paper describing how strategically designed attacks on high-load Internet nodes could cause cascading failures and ultimately crash the Internet. They recommend that high-load nodes should have extra protection and that load redistribution mechanisms should be developed in case high-load nodes fail.
-http://www.newsfactor.com/perl/story/20686.html

ISM Canada's Missing Hard Drive Found; Charges Pending (6 February 2003)

A hard drive that contained personal information belonging to over one million people and that had been reported missing from ISM Canada Inc. has been recovered. A Regina (Saskatchewan) police department sergeant says charges are pending against one individual. Investigators are checking to see if the information on the disk had been used. Several companies that had customer data on the disk say they will not work with ISM Canada again until it can provide assurance that the data it stores is secure.
-http://www.theglobeandmail.com/servlet/ArticleNews/front/RTGAM/20030204/wdriv24a2a/Front/homeBN/breakingnews
[Editor's Note (Grefer): The case probably would have gained more media attention if it had been pointed out earlier that ISM is a (Canadian) subsidiary of IBM. ]

Slammer Hoax (6 February 2003)

A recently published story claiming that the Slammer worm was the work of terrorists has been proven to be a hoax. Brian McWilliams purchased a website that was formerly run by a Pakistan-based terrorist organization; in the guise of "Abdul Mujahid," McWilliams claimed responsibility for spreading the Slammer worm. Computerworld journalist Dan Verton was victimized by McWilliams' hoax. In his account of the events, Verton concludes "So, I'm left here scratching fleas as the price you sometimes pay for sleeping with dogs."
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,78238,00.html
[Editor's Note (Schultz): Mr. McWilliams owes some explanations, first for by his own admission breaking into an email account allegedly used by Saddam Hussein without authorization, and now more recently for his reported involvement in spreading a foolish hoax. ]

Three Arrested in Connection with TK Worm (6/7 February 2003)

Police in the UK have arrested two men believed to be a part of a hacking ring responsible for creating the TK worm, which has infected about 18,000 computers around the world, according to the UK's National Hi-Tech Crime Unit (NHTCU). US law enforcement agents have been aiding in the investigation into the ring. Computers infected with the TK worm become hosts under the command of computers controlled by the group. The two suspects have been released on bail. A third man was also arrested in the US.
-http://www.theregister.co.uk/content/56/29221.html
-http://news.com.com/2100-1001-983804.html
-http://news.bbc.co.uk/2/hi/technology/2733657.stm
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,78310,00.html

Man Convicted of Illegal Access to Judge's AOL Account (6 February 2003)

A Pennsylvania man was convicted of unlawfully accessing a judge's America Online account on three different occasions. Brian T. Ferguson could face up to three years in prison and a fine of as much as $300,000 when he is sentenced in early April.
-http://www.ds-osac.org/view.cfm?KEY=7E4455464155&type=2B170C1E0A3A0F162820

Bloomberg Cyber Extortion Trial Begins (6 February 2003)

The trial of Oleg Zezov, the man from Kazakhstan who is accused of breaking into Bloomberg financial news services' computer systems and attempting to extort $200,000 from the company, has begun. Zezov could face up to 20 years in prison if convicted. Zezov's defense team said he was simply attempting to receive payment in exchange for demonstrating Bloomberg's computer security vulnerabilities. An alleged accomplice in the case will be in court later this year.
-http://www.theregister.co.uk/content/55/29218.html
-http://www.newsday.com/news/local/newyork/politics/ny-nybloo063118900feb06.story
[Editor's Note (Shpantzer): Prosecutions like these owe much of their success to Louis Freeh's vision of increased international cooperation between law enforcement agencies, via the Bureau's expanded Legal Attache program. Here are a couple of samples of Freeh's testimony on international crime as Director of the FBI in the 90's.
-http://www.fas.org/irp/congress/1996_hr/s960312f.htm
-http://www.fas.org/irp/congress/1998_hr/s980421-lf.htm ]

Litchfield Says He Will Continue to Publish Proof-of-Concept Code (5/6 February 2003)

David Litchfield acknowledged last week that proof-of-concept code he published to demonstrate a vulnerability in Microsoft SQL was used as the basis for the Slammer worm. He says he will continue to publish code, asserting that such publication is beneficial to network and computer security.
-http://www.eweek.com/article2/0,3959,868083,00.asp
-http://www.theregister.co.uk/content/55/29195.html
-http://zdnet.com.com/2100-1105-983602.html
[Editor's Note (Schneier): The only reason security companies take vulnerabilities seriously is because researchers publish exploit code. The vulnerability is the problem, not the information about the vulnerability. Keeping vulnerabilities secret, and not allowing people information about their own risks, is irresponsible. ]

Government Surplus Computer Contained AIDS Patients' Names (6 February 2003)

A computer that had been used by a Kentucky state agency and that was being made available at a government surplus sale was found to contain sensitive data about people with AIDS and other sexually transmitted diseases. The State Auditor said the computer has never left state custody, and that the security breach was discovered during a random check for unpurged data. The Health Services Secretary said the drive was thought to have been cleaned before the computer was offered for sale and has ordered an investigation.
-http://www.msnbc.com/news/869709.asp?0dm=T248T
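The State Auditor's "random check for unpurged data" is the control that caught this before the machine left state custody. As an added illustration of what such a check can look like in practice (this is example code written for this edit, not a tool from the article or from the Kentucky agency), the Python below scans a raw disk image block by block, counts blocks that are not all zeros, and reports any runs of printable text that survived a supposed wipe. The image contents, the 512-byte block size, the eight-character minimum text run, and the CONFIDENTIAL marker are all constructed sample values, not data from the story.

```python
"""Verify that a disk image was purged before surplus release.

A drive that was really overwritten with zeros has no non-zero blocks and no
readable text; anything else is residual data that needs a second wipe and a
forensic look before the hardware is sold or donated.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

BLOCK_SIZE = 512      # assumed sector size for the scan (constructed)
MIN_TEXT_RUN = 8      # shortest printable-ASCII run worth reporting (constructed)

# Constructed sample "drive": mostly zeros, but with one leftover text record
# and a stretch of non-text residue such as stale filesystem metadata.
SAMPLE_IMAGE = (
    b"\x00" * 4096
    + b"CONFIDENTIAL RECORD: sample-name-placeholder\n"
    + b"\x00" * 2000
    + b"\xff" * 300
    + b"\x00" * 1000
)


@dataclass
class ScanResult:
    total_blocks: int
    nonzero_blocks: int
    # (byte offset, decoded text) for each printable run found
    text_runs: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def is_clean(self) -> bool:
        """True only if every block of the image is all zeros."""
        return self.nonzero_blocks == 0


def scan_image(image: bytes, block_size: int = BLOCK_SIZE) -> ScanResult:
    """Count non-zero blocks and collect readable text runs in a raw image."""
    total = (len(image) + block_size - 1) // block_size
    nonzero = 0
    for i in range(total):
        block = image[i * block_size:(i + 1) * block_size]
        if any(block):            # any non-zero byte means this block was not wiped
            nonzero += 1
    # Printable ASCII (space through tilde) runs of MIN_TEXT_RUN or more bytes
    pattern = rb"[\x20-\x7e]{%d,}" % MIN_TEXT_RUN
    runs = [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, image)]
    return ScanResult(total, nonzero, runs)


def verify_purged(image: bytes) -> bool:
    """Release gate: return True only when the scan finds nothing residual."""
    result = scan_image(image)
    return result.is_clean and not result.text_runs


if __name__ == "__main__":
    res = scan_image(SAMPLE_IMAGE)
    print(f"{res.nonzero_blocks} of {res.total_blocks} blocks contain data")
    for offset, text in res.text_runs:
        print(f"  readable text at offset {offset}: {text!r}")
    print("purged:", verify_purged(SAMPLE_IMAGE))
```

On a real system the bytes would come from reading the block device (for example a `/dev/sdX` path on Linux) rather than from the constructed `SAMPLE_IMAGE`; the point of the gate is that a single non-zero block or readable string fails the release, which is the behaviour a surplus check needs.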

Website Tells How to Hack London's Traffic Signals (6 February 2003)

Transportation officials in London have expressed concern about a website that offers detailed instructions for hacking into the computers that control London traffic signals. Experts say the information provided could be used to cause turmoil on London streets.
-http://www.thisislondon.co.uk/traffic/articles/3266323?source=Evening%20Standard

Microsoft Issues Security Bulletins for Flaws in IE and Windows XP (6 February 2003)

A "critical" flaw in Internet Explorer (IE) could let attackers run code on vulnerable machines; IE versions 5.01, 5.5 and 6.0 are affected. A patch is available. An "important" flaw in the Windows Redirector software in Windows XP could allow local privilege elevation.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78232,00.html

IE Bulletin:
-http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
XP Bulletin:
-http://www.microsoft.com/technet/security/bulletin/MS03-005.asp

Microsoft Releases Tools to Fight Slammer (6 February 2003)

Microsoft has released three software tools designed to help administrators check for the Slammer worm's presence and to fix the vulnerabilities it exploits.
-http://zdnet.com.com/2100-1105-983603.html
-http://www.microsoft.com/sql/downloads/securitytools.asp

Former ViewSonic Employee Arrested on Cyber Sabotage Charges (6 February 2003)

Andy Garcia Montebello has been arrested on charges of sabotaging computers of his former employer, ViewSonic Corp. Montebello's actions allegedly caused $100,000 in damages and cost the company $1 million in lost business. If he is convicted, Montebello could receive a 15-year prison sentence.
-http://www.msnbc.com/news/869572.asp?0dm=T238T
[Editor's Note (Shpantzer): This is only the latest of many former-employee sabotage cases in recent months. Review your security policies for inclusion of credentials-revocation for employees on their way out, regardless of circumstances for separation. Passwords, tokens, IDs and badges should be changed and/or revoked as appropriate. Some organizations also acquire forensic images of the exiting employee's company-owned computers and save them in case investigations are later required. ]

FedCIRC Wants Industry's Help in Establishing Info Sharing Standards (5 February 2003)

The Federal Computer Incident Response Center (FedCIRC) has released a request for information (RFI) asking those in industry for help in establishing standards for sharing information about computer security incidents.
-http://fcw.com/fcw/articles/2003/0203/web-fedcirc-02-05-03.asp

Suspicious .gov Site Removed (5 February 2003)

The General Services Administration (GSA) has removed the URL of an unauthorized .gov site from the .gov directory name server. The site in question, AONN.gov, purported to be a government agency that had the support of the Defense Department; however, there is no such agency.
-http://news.com.com/2100-1023-983384.html?tag=fd_lede2_hed

Santa Clara County Delays Choosing Electronic Voting System (5 February 2003)

The Santa Clara (CA) County Board of Supervisors, which is under court order to find a replacement for its punch-card voting system by March 2004, has put off choosing a vendor for an electronic voting system. The board expressed concerns about the security of such systems as well as about the machines' accessibility to people with disabilities.
-http://www.siliconvalley.com/mld/siliconvalley/5110653.htm

Microsoft Pulls Faulty NT 4.0 Patch (4/10 February 2003)

Microsoft has pulled a patch for a privilege elevation vulnerability in Windows NT 4.0; the patch has been blamed for computers crashing and rebooting. Microsoft plans to issue a new patch soon. Patches for the same vulnerability in Windows 2000 and XP are not affected by this problem.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78171,00.html

Microsoft has released an updated patch for the vulnerability.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78408,00.html

Updated security bulletin:
-http://www.microsoft.com/technet/security/bulletin/MS02-071.asp

Vulnerabilities Found in Opera Browser; New Version Released (4/5 February 2003)

GreyMagic Software says it has found five security vulnerabilities in the Opera 7 web browser. Three of the flaws allow attackers to browse vulnerable systems' hard drives and read files; the other two expose browsing histories. Four of the vulnerabilities can be addressed by disabling JavaScript. Opera has released an updated version of the browser.
-http://www.computerworld.com/securitytopics/security/story/0,10801,78175,00.html
-http://www.theregister.co.uk/content/55/29177.html
-http://zdnet.com.com/2100-1105-983435.html

BBC Sends Sobig to Radio Show Mailing List (4 February 2003)

The BBC inadvertently sent the Sobig worm to people on a mailing list for a popular radio show. Several weeks ago, BBC computers became infected with the ExploreZip virus.
-http://www.theregister.co.uk/content/56/29180.html

Cybersecurity Market Growth Trends (4 February 2003)

An IDC study says the cybersecurity market will grow to $45 billion by 2006; in 2001, that figure was $17 billion. Security hardware is expected to offer the greatest growth opportunity, with a predicted 25% compound annual growth between 2001 and 2006.
-http://www.infoworld.com/article/03/02/04/HNsecure_1.html?security

Korean Group Mulls Class Action Suit Over Slammer (3/4 February 2003)

The People's Solidarity for Participatory Democracy (PSPD), a Korean civic group, is weighing the possibility of filing a class action lawsuit against Microsoft Corp. for damages caused by the Slammer worm. A recently passed product liability law holds companies liable for damage caused by flaws in their products.
-http://times.hankooki.com/lpage/nation/200302/kt2003020318021611960.htm
-http://www.theregister.co.uk/content/56/29174.html


===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number or email address (from the header of this email.) You
will receive your personal URL via email.