
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #7

February 19, 2003

TOP OF THE NEWS

Millions of Credit Card Numbers May Have Been Compromised
Class-Action Law Suit Filed Claiming Liability For Security Breach
Final Draft of National Strategy to Secure Cyberspace Released
NIPC Warns Against Patriotic Hacking
Seventeen Indicted for Satellite Television Hacking

THE REST OF THE WEEK'S NEWS

Confidential Canadian Documents Exposed
Addamark Technologies Alleges Competitor Viewed Confidential Document
When Did Symantec Know About Slammer?
PayPal Users Receiving Trojan-Laden e-Mail
Timeline of Viruses and Other Malware
Microsoft Updates Buggy Cumulative IE Patch
FTD.com Exposes Customer Data
Catherine Zeta-Jones Virus
NSF Expands Scholarship for Service Program
Linux to be Submitted for Common Criteria Certification
Red Hat Linux Receives Defense Department COE Certification
CERT/CC Warns of CVS Vulnerability
BLM Smart Card Program
Sixth Grader Suspended for Altering His Grades
GAO Says Financial Industry Needs to Improve Continuity Plans
Microsoft Introduces Security Update for Home Users

TUTORIAL

How Can We Stop Identity Theft For Good


********* This Issue Sponsored by Internet Security Systems *********
Webinar: "Security Best Practices for Critical Servers"
Servers and server-based applications are the obvious target for most
attacks and misuse. Join Internet Security Systems to learn how to keep
them safely up and running.
Click to register: http://www.iss.net/about/events/webinars.php
***********************************************************************

TOP OF THE NEWS

Millions of Credit Card Numbers May Have Been Compromised (17/18 February)

A hacker broke into the computer system of a company that processes credit card transactions, gaining access to more than 8 million Visa, MasterCard, American Express and Discover accounts. Visa and the other credit card companies notified the banks that issued the cards, and Visa says that no accounts have been used fraudulently. The FBI is investigating.
-http://money.cnn.com/2003/02/18/technology/creditcards/index.htm
-http://reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2246735
-http://news.bbc.co.uk/1/hi/business/2774477.stm
[Editor's Note (Northcutt): This is the largest known credit card compromise to date. The news stories do not tell which card reseller/processor had a security failure. A search of Google for 5.6 million credit card numbers leads me to think that the tenth largest bankcard issuer might be the one. ]

Class-Action Law Suit Filed Claiming Liability For Security Breach (29/30 January 2003)

Attorneys have filed a class action lawsuit against Tri-West Healthcare after hard drives containing personal information about more than 500,000 were stolen. The lawsuit seeks monetary damages and asks that Tri-West pay for monitoring the credit reports of all those affected by the theft for the next twenty years.
-http://www.kold.com/Global/story.asp?S=1105006
-http://www.arizonarepublic.com/arizona/articles/0130triwest30.html
[Editor's Note (Paller): Damages sought in this lawsuit are not based on actual use of the stolen information, but rather for the cost of monitoring credit reports for years in the future. If the class is certified and the court holds in favor of plaintiffs, the price of carelessness in protecting clients' and employees' information could rise substantially. ]

Final Draft of National Strategy to Secure Cyberspace Released (14/15/16 February 2003)

Following close on the heels of the elevation of the country's alert status to Code Orange, Homeland Security Secretary Tom Ridge has released the final draft of the National Strategy to Secure Cyberspace. The strategy establishes five priorities: create a national security response system, work with private industry to reduce vulnerabilities, improve security training, secure government systems and develop strategies to improve security on an international level.
-http://www.washingtonpost.com/wp-dyn/articles/A10274-2003Feb14.html
-http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,78562,00.html
-http://www.gcn.com/vol1_no1/daily-updates/21156-1.html
Homeland Defense Web Page with relevant press release:
-http://www.dhs.gov/dhspublic/display?theme=87&content=450
The strategy may be found at:
-http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf
[Editor's Note (Northcutt): If you are a security professional you probably should invest an hour to read this. It is well written, easy reading and a bit watered down from the earlier drafts. ]

NIPC Warns Against Patriotic Hacking (12/14 February 2003)

The FBI's National Infrastructure Protection Center (NIPC) is concerned that increasing tensions between the US and Iraq could inspire hacking from both sides. NIPC has issued a warning about the situation, saying that it does not condone "Patriot Hacking," and reminding people that such activity is considered a felony in the US.
-http://www.washingtonpost.com/wp-dyn/articles/A64049-2003Feb12.html
-http://news.bbc.co.uk/1/hi/technology/2760899.stm
-http://www.nipc.gov/warnings/advisories/2003/03-002.htm

Seventeen Indicted for Satellite Television Hacking (11/12/13 February 2003)

A federal grand jury has indicted 17 people in connection with hacking into television satellite transmissions; six of the people have been charged with violating the criminal antidecryption provisions of the Digital Millennium Copyright Act (DMCA).
-http://www.washingtonpost.com/wp-dyn/articles/A63056-2003Feb12.html
-http://www.msnbc.com/news/871516.asp?0dm=C218T
-http://zdnet.com.com/2100-1104-984408.html
[Editor's Note (Shpantzer): Is this finally a good case for the DMCA? For details on the spectrum of intellectual property cases prosecuted at the federal level, see
-http://www.usdoj.gov/criminal/cybercrime/ipcases.htm]



************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: How a Hacker Launches a SQL Injection Attack Step-by-Step
White Paper
http://www.sans.org/cgi-bin/sanspromo/NB134
(2) Stop spam! - Top 10 enterprise techniques to control spam
***white paper ***
http://www.sans.org/cgi-bin/sanspromo/NB135
(3) Earn a Norwich University Master's Degree in Information Security
in 24 months.
http://www.sans.org/cgi-bin/sanspromo/NB136
***********************************************************************

THE REST OF THE WEEK'S NEWS

Confidential Canadian Documents Exposed (17 February 2003)

Employees at Transport Canada posted thousands of documents, some confidential, in a database that was accessible to all its employees. The computer system was supposed to use encryption to protect confidential information, but it was never implemented. Officials say they have removed confidential documents from the database and they are assessing their system's vulnerability to attacks.
-http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035777855362&call_pageid=968332188492&col=968793972154

Addamark Technologies Alleges Competitor Viewed Confidential Document (17 February 2003)

Addamark Technologies, Inc. alleges that a competitor, ArcSight Inc. viewed a confidential, password-protected document. ArcSight does not deny the allegations; someone who had legitimate access to the document apparently provided someone at ArcSight with the necessary user ID and password.
-http://www.eweek.com/article2/0,3959,892577,00.asp

When Did Symantec Know About Slammer? (14 February 2003)

Symantec claims to have detected the Slammer worm hours before the public was made aware of it, but released the information only to paying customers of its DeepSight Threat Management System. Members of the security community have expressed disapproval of Symantec's actions because information about such virulent malware should be shared with everyone as quickly as possible. Others have dismissed Symantec's claims as marketing hype, saying the company may have detected traffic anomalies, but not its source.
-http://www.wired.com/news/infostructure/0,1377,57676,00.html
[Editor's Note (Northcutt): Whether or not Symantec was first to detect Slammer, what is certainly true is that detection using a distributed sensor network like SANS Internet Storm Center (dshield) or Symantec's sensor network is important. The harder task is analyzing and responding. Page 6 of the National Strategy to Secure Cyberspace says that the NIMDA worm had infected nationwide in just one hour. What I remember was that at the end of the day, hours after it had reached saturation, there was still an incomplete analysis of the infection vectors. Several days passed before there was a reliable disassembly. Part of the problem is there are so few people in the world who can do this type of work. For a limited time (until the instructor starts grad school) we are offering reverse engineering of malware as an onsite class:
-http://www.sans.org/onsite/]

PayPal Users Receiving Trojan-Laden e-Mail (14 February 2003)

PayPal customers have been targeted by at least four fraudulent e-mail messages that purport to be security upgrade announcements, but which actually contain Trojan horse programs. The e-mails ask the recipients to run .exe or .vbs programs to receive the updates, warning that otherwise they will be locked out of their PayPal accounts.
-http://www.wired.com/news/ebiz/0,1272,57673,00.html

Timeline of Viruses and Other Malware (14 February 2003)

A timeline of significant developments and events in computer security.
-http://www.securityfocus.com/news/2445

Microsoft Updates Buggy Cumulative IE Patch (13/14 February 2003)

A recently released cumulative patch for Microsoft's Internet Explorer versions 5.01, 5.5 and 6.0 left some users who applied it unable to access their e-mail accounts and other web sites requiring authentication. The patch does, however, address the security flaws it was designed to fix. Microsoft has released an updated version of the patch.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78510,00.html
-http://www.washingtonpost.com/wp-dyn/articles/A7648-2003Feb14.html
-http://www.microsoft.com/technet/security/bulletin/MS03-004.asp

FTD.com Exposes Customer Data (13/14 February 2003)

A security flaw allowed people using the FTD.com website to view information about other customers' purchases simply by altering a character in a cookie. Customer names and credit cards were among the available data. The site allows unencrypted transactions and used sequential identifiers, making valid cookies easy to guess. FTD has released a statement declaring that they have "resolved the situation and ... have added additional levels of security."
-http://news.com.com/2100-1017-984585.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78564,00.html

Catherine Zeta-Jones Virus (13 February 2003)

A virus that claims to offer pictures of the actress Catherine Zeta-Jones has been spreading through the KaZaa file-sharing network and through IRC instant messaging. The virus has been reported in the wild but there are no known instances of infection.
-http://zdnet.com.com/2100-1105-984484.html

NSF Expands Scholarship for Service Program (13 February 2003)

The National Science Foundation is expanding its Scholarship for Service program to four more schools, bringing the total number of universities participating to 13. The program gives scholarships to students studying information assurance in return for a one- or two-year assignment in the government's Cyber Corps. An infusion of $19 million from last August's supplemental appropriation will increase the number of students participating to 300.
-http://www.fcw.com/fcw/articles/2003/0210/web-schol-02-13-03.asp

Linux to be Submitted for Common Criteria Certification (12/13 February 2003)

Red Hat, IBM and Oracle all plan to submit Linux for Common Criteria certification. If approved, it could then be used by government agencies. The process could take nearly a year and cost as much as $1 million.
-http://news.com.com/2100-1001-984383.html?tag=fd_top
-http://www.techweb.com/wire/story/TWB20030213S0003
-http://www.eweek.com/article2/0,3959,886729,00.asp
[Editor's Note (Grefer): In this context it is important to keep the following statement by the National Infrastructure Assurance Partnership (NIAP) in mind: "The security evaluation results are only applicable to that particular version and release of the product in its evaluated configuration. Consumers are responsible for determining the security impact of installing or operating an evaluated IT product in a configuration other than the configuration in which it was evaluated."
-http://niap.nist.gov/cc-scheme/consumer-guidance.html
In other words, any patch or upgrade applied to the certified product invalidates the certification. This applies not only for the upcoming certification of Linux, but also for the current certifications of Oracle, Windows NT and Solaris. (Paller) In other words, when you rely on a vendor's promotion of his Common Criteria certification, you, the buyer, have an absolute obligation to require the vendor to deliver the software configured safely in accordance with the benchmarks published by NSA and/or the Center for Internet Security (
-http://www.cisecurity.org).
Otherwise you may be buying a great lock, but leaving the key in it for any thief to use. ]

Red Hat Linux Receives Defense Department COE Certification (11/12 February 2003)

Red Hat's Advanced Server version of Linux has received the Defense Department's Common Operating Environment (COE) certification.
-http://news.com.com/2100-1001-984202.html?tag=rn
-http://www.itworld.com/Comp/2388/030213redhat

CERT/CC Warns of CVS Vulnerability (12 February 2003)

The Computer Emergency Response Team/Coordination Center (CERT/CC) has issued an advisory warning of a vulnerability in the open source Concurrent Versions System (CVS) management tool that could be exploited to change the way the CVS program runs, launch denial of service attacks or access "sensitive information." The flaw affects CVS releases 1.11.4 and earlier; most vendors have issued patches for the problem.
-http://www.vnunet.com/News/1138702
-http://www.cert.org/advisories/CA-2003-02.html

BLM Smart Card Program (12 February 2003)

The Bureau of Land Management (BLM) plans to implement a smart card system for its 13,000 employees; the cards would be used for physical and computer access. BLM previously ran a smart card pilot program with 1,000 users.
-http://www.fcw.com/fcw/articles/2003/0210/web-blm-02-12-03.asp

Sixth Grader Suspended for Altering His Grades (12 February 2003)

A Florida sixth grader has been arrested on charges of altering his grades in his reading teacher's electronic grade book. While the grade books are accessible with passwords, the reading teacher had left hers open. The student was not able to access the school's mainframe computer nor was he able to access other teachers' grade books; he has been suspended and may be expelled.
-http://www.gopbi.com/partners/pbpost/epaper/editions/wednesday/martin_stlucie_e394fc8032005260000b.html
[Editor's Note (Schultz): This news item certainly reinforces the need to educate children as early as possible concerning ethics in computing and proper use of computing systems. ]

GAO Says Financial Industry Needs to Improve Continuity Plans (12 February 2003)

A report from the General Accounting Office (GAO) says that US financial companies need to improve their business continuity plans in order to help them defend themselves better against possible attacks in the future.
-http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,78486,00.html

Microsoft Introduces Security Update for Home Users (11 February 2003)

Microsoft is now offering a home user version of its Security Update newsletter; home users often don't want to wade through the technical details of security issues. Last year, Microsoft began offering home user versions of its security bulletins.
-http://www.eweek.com/article2/0,3959,883280,00.asp

TUTORIALS

How Can We Stop Identity Theft For Good

It's no secret: Identity theft is a growing problem in the U.S., with complaints rising 73 percent from 2001 to 2002. But there's a mistaken impression that identity theft is carried out merely by rogue hackers. That's not the case.
-http://www.zdnet.com/anchordesk/stories/story/0,10738,2910503,00.html
Supporting document from the Federal Reserve Bank of Boston
-http://www.bos.frb.org/consumer/identity/idtheft.pdf

HIGHLIGHTED SECURITY WORKSHOP

Audit and Security Controls That Work (Registration now open)

April 5-6 Baltimore Inner Harbor

Can you imagine working for an organization where security is integrated into the operations lifecycle from the beginning, resulting in repeatable and auditable processes and products? "Audit and Security Controls That Work" is your chance to learn exactly how this organization and other successful security leaders actually achieved these incredible results. Nobody has all the answers, but we are finding organizations that are head and shoulders above the rest and have proven what is good for security is good for operations.

This workshop will have a single track, because we want everyone to have a chance to learn and discuss the same information:
> Operations, Security, Audit, and Management can work together to solve common objectives
> Best practices increase productivity and decrease thrash
> Metrics guide continual process improvement
> Repeatable processes allow organizations to do more with less, and spend fewer cycles on unproductive, reactive tasks, such as incident handling

Please join us! Registration is now open. For details or to register, please visit
-http://www.sans.org/audittech/



NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Guest Editors: Bruce Schneier, Hal Pomeranz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.