Subject: SANS NewsBites Vol. 2 Num. 41
From: The SANS Institute (sans@sans.org)
Date: Wed Oct 11 2000 - 17:10:18 CDT
**********************************************************************
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: October 11 SANS NewsBites
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 2, Number 41 October 11, 2000
Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz
Contributing Editors:
Amy Schoenhals, Chris Smith
<sansro@sans.org>
**********************************************************************
6 October 2000 CERT Vulnerability Disclosure Policy Changes
6 October 2000 Revised Cyber-Crime Prosecution Bill Passes Committee
5 October 2000 Carnivore Review Committee May Not be Impartial, Some
Claim
5 October 2000 Another IE 5.5 Security Hole
4 October 2000 Sega Seeks to Halt Piracy
3 October 2000 Railroad Security: AAR and DOT Partnership
3 October 2000 Privacy Group Not Satisfied with Carnivore Documents
3 October 2000 E-Mail Privacy at Work
2 October 2000 ICANN On-Line Election Glitch
2 October 2000 DOT Security Audit Turns Up Problems
2 October 2000 AIDC Replaces FIDNet
2 October 2000 Hacker Finds Hole in Financial Web Sites, Warns
Webmasters
2 October 2000 CIO Council to Help Agencies with Security
2 October 2000 Intrusion Detection System Protects Privacy
********* This issue sponsored by AXENT Technologies, Inc. ***********
How to tame the risk and unleash the possibilities
Only AXENT's Webthority provides a scalable, integrated security
solution enabling secure Web-based e-business.
Visit www.axent.com/email/2412 to download your FREE copy of "Guide to
Secure Web Usage." Tame the risk and unleash the possibilities with
Webthority.
**********************************************************************
--6 October 2000 CERT Vulnerability Disclosure Policy Changes
CERT has announced that it will disclose vulnerabilities 45 days from
the date of initial report, regardless of whether or not the vendors
have offered fixes; certain cases may merit departure from the
timetable. CERT says its aim is to balance the public's need to know
with the vendor's need for time to fix problems.
http://vnunet.com/News/1112167
Direct link to the CERT policy:
http://www.cert.org/faq/vuldisclosurepolicy.html
--6 October 2000 Revised Cyber-Crime Prosecution Bill Passes
Committee
A bill that clarifies law enforcement authority to prosecute
cyber-criminals passed the Senate Judiciary Committee last week. Some of
the tougher provisions were removed because some minor abuses would have
become federal crimes.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO52094,00.html
--5 October 2000 Carnivore Review Committee May Not be Impartial,
Some Claim
The ACLU and the House Majority Leader have both expressed concern that
the committee chosen to review the FBI's Carnivore packet-sniffer has
ties to the government that prevent the analysis from being truly
independent. The names and background information of the committee
members were initially blacked out on a DOJ site, but the method used
was soon undone and their names were posted on the Internet.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO51991,00.html
--5 October 2000 Another IE 5.5 Security Hole
A security expert has uncovered yet another flaw in Microsoft's Internet
Explorer 5.5: ActiveX technology combined with Java could allow crackers
to access computers and alter files.
http://news.cnet.com/news/0-1005-200-2939733.html
--4 October 2000 Sega Seeks to Halt Piracy
Sega wants to shut down web sites and message boards that carry
information about the Dreamcast game system because they provide illegal
information about pirated games. One site says the request to shut down
violates the constitutional right of free speech.
http://news.cnet.com/news/0-1005-200-2931893.html
--3 October 2000 Railroad Security: AAR and DOT Partnership
The American Association of Railroads (AAR) plans to set up an
Information Sharing and Analysis Center (ISAC) for transportation. The
AAR will also work cooperatively with the Transportation Department
(DOT) to identify computer systems vulnerabilities and develop
strategies for managing cyber-threats.
http://www.fcw.com/fcw/articles/2000/1002/web-dot-10-03-00.asp
--3 October 2000 Privacy Group Not Satisfied with Carnivore
Documents
The Electronic Privacy Information Center (EPIC) says the first
installment of Carnivore documents does not include enough information
to evaluate the system's potential threat to privacy.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO51829,00.html
--3 October 2000 E-Mail Privacy at Work
Web-based e-mail is just as easy for employers to read as e-mail sent
through corporate accounts, thanks to available surveillance technology.
Some companies are advertising private e-mail services.
http://news.cnet.com/news/0-1007-200-2924978.html
****** Also sponsored by PentaSafe Security Technologies, Inc. *******
Ready to learn about security policies and how to enforce them?
PentaSafe offers free security seminars around the country. November
1st is a special opportunity to learn about security policy with Charles
Cresson Wood, author of "Information Security Policies Made Easy".
Go to http://www.pentasafe.com/events/default.asp to register to attend
one of our free seminars today.
**********************************************************************
--3 October 2000 ICANN On-Line Election Glitch
Hundreds of people registered to vote on line for ICANN directors found
their passwords verified, but then received error messages when they
attempted to submit their votes.
http://www.mercurycenter.com/premium/business/docs/netelect03.htm
--2 October 2000 DOT Security Audit Turns Up Problems
The Transportation Department's (DOT) Office of Inspector General's
audit of DOT computer systems revealed firewall weaknesses and
unauthorized insider access to computers. DOT CIO George Molaski plans
to require systems connected to the telecommunications network be
certified.
http://www.fcw.com/fcw/articles/2000/1002/news-dotsec-10-02-00.asp
audit statistics:
http://www.fcw.com/fcw/articles/2000/1002/news-dotbox-10-02-00.asp
--2 October 2000 AIDC Replaces FIDNet
The Automated Intrusion Detection Capability (AIDC) is the General
Services Administration's (GSA) proposed intrusion detection service
for federal computer systems. The first article sketches a timeline of
the GSA's intrusion detection system development effort from FIDNet to
AIDC.
http://www.fcw.com/fcw/articles/2000/1002/cov-balbox2-10-02-00.asp
A second article lists the requirements of each of the AIDC's
components: monitoring services, device support, communication services,
security operations center, and event processing.
http://www.fcw.com/fcw/articles/2000/1002/cov-balbox1-10-02-00.asp
--2 October 2000 Hacker Finds Hole in Financial Web Sites, Warns
Webmasters
A hacker claimed he wrote his own exploit that gave him access to the
global.asa file of the news sites' web servers and could have allowed
him to alter four financial web sites, including Nasdaq.com. He warned
appropriate webmasters of the problems and said he will not publish his
exploit.
http://www.infoworld.com/articles/hn/xml/00/10/02/001002hnhacker.xml
--2 October 2000 CIO Council to Help Agencies with Security
The CIO Council hopes to develop risk management guidelines and
benchmarks to help federal computer systems managers address security.
http://www.fcw.com/fcw/articles/2000/1002/mgt-ciocoun-10-02-00.asp
--2 October 2000 Intrusion Detection System Protects Privacy
This opinion piece argues for the necessity of a federal intrusion
detection system: though some agencies may be concerned with regard to
disclosing information about security breaches, an intrusion detection
system protects private data.
http://www.fcw.com/fcw/articles/2000/1002/fcw-edit-10-02-00.asp
== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription (and for free posters),
e-mail sans@sans.org with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the headers.)
You will receive your personal URL via email.
You may also email <sans@sans.org> with complete instructions and your
SD number for subscribe, unsubscribe, change address, add other digests,
or any other comments.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE55NS7+LUG5KFpTkYRAsz1AJ9aBNmuNOcCZP2mKBRnXsXjdQc6+QCeNoQN
w1FDjDVYEdky1qrt52RRSzw=
=wG8q
-----END PGP SIGNATURE-----