From: The SANS Institute (sans@sans.org)
Date: Wed Mar 14 2001 - 18:08:26 CST
**********************************************************************
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: March 14 SANS NewsBites
*************************
By announcing the Russian and Ukrainian extortion attacks the FBI has
caused an extraordinary change in the opinions held by journalists and
business folks. One journalist from a major business publication told
me that he used to think of web attackers like the human spiders who
climb up the sides of buildings. Now he thinks of them as criminals who
need to be stopped. Similar conclusions have been voiced by other
journalists. As they make the transition, they are likely to bring
their readers with them and give improved security a boost. (Also see
the third story under TOP OF THE NEWS for a pointer to the free tool
that checks Windows NT systems for the FBI-reported vulnerabilities.)
Separately, there are six days left until the early registration
deadline for SANS 2001 in Baltimore. http://www.sans.org/SANS2001.htm
AP
**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 3, Number 11 March 14, 2001
Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz
**********************************************************************
TOP OF THE NEWS
8 & 9 March 2001 FBI Warns of Enormous Credit Card Theft
9 March 2001 Early Warning Helped
9 March 2001 Industry/Government Consortium Releases Free Tool To Block Russian Attacks
9 March 2001 Thieves Steal Personal Info via Internet
7 & 8 March 2001 Tool Can Crack Passwords on Some IBM E-Commerce Software
5 - 8 March 2001 Bibliofind Security Breach
THE REST OF THIS WEEK'S NEWS STORIES
9 March 2001 Cracker Sentence Includes Programming
8 March 2001 Web-Enabled Gadgets Ripe for Abuse, Says Privacy Expert
8 March 2001 Credit Card Fraud Trail Leads to Yugoslavia
8 March 2001 NIAP Forum Focuses on Need for Security Requirements
7 & 8 March 2001 Microsoft Will Make Source Code Available to Some Customers
7 March 2001 Naked Wife Virus
7 March 2001 Seven-Line DVD Descrambling Program
7 March 2001 Hamas Site Suffers Redirect Attack
7 March 2001 Honeypot Ethics
6 March 2001 Study Critical of Remote Internet Voting
5 March 2001 Web "Bug" Detecting Tools Emerge
5 March 2001 Managed Security Services
5 March 2001 PKI Used for Secure Website Communication
5 March 2001 GAO Report on Federal PKI Implementation Challenges
5 March 2001 Price Tag Altering Scams
28 February 2001 NIST Soliciting Comments On Draft FIPS
TUTORIALS
9 March 2001 HIPAA Compliance Makes Good Sense
UPCOMING TRAINING AND CERTIFICATION CONFERENCES
SANS 2001, May 13-20, Baltimore: http://www.sans.org/SANS2001.htm
Orlando, April 18-20: http://www.sans.org/springbreak.htm
--- Orlando is SANS' largest regional featuring the most popular
tracks from SANS 2001
London, June 20-23: http://www.sans.org/london2001/index.htm
Dallas, March 22-25: http://www.sans.org/lonestar/lonestar.htm
Raleigh, April 10-12:
http://www.sans.org/trianglepark/trianglepark.htm
********* Sponsored by VeriSign- The Internet Trust Company *********
Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business" and you'll
learn everything you need to know about using 128-bit SSL to encrypt
your e-commerce transactions, secure your corporate intranets and
authenticate your Web sites. 128-bit SSL is serious security for your
online business.
Get it now! http://www.verisign.com/cgi-bin/go.cgi?a=n094410560008000
**********************************************************************
TOP OF THE NEWS
--8 & 9 March 2001 FBI Warns of Enormous Credit Card Theft
The FBI says groups in Russia and the Ukraine have stolen more than one
million credit card numbers from vulnerable websites. The agency's
National Infrastructure Protection Center (NIPC) advises Internet
businesses to be vigilant about data protection and to patch known
security holes. Some of the crackers attempted to extort payments from
the Internet companies, and when their demands weren't met, they
published the card information on-line.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58414,00.html
http://www.usatoday.com/life/cyber/tech/2001-03-08-fbi-hackers.htm
http://www.washingtonpost.com/wp-dyn/articles/A43993-2001Mar8.html
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2001/03/09/MN225220.DTL
--9 March 2001 Early Warning Helped
The FBI's warning about website intrusions by organized rings of Eastern
European crackers may have thwarted a number of attacks. Security
experts lauded the FBI for releasing forensics information that helped
defenders, even though the information comes from ongoing
investigations.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58475,00.html
--9 March 2001 Industry/Government Consortium Releases Free Tool To Block Russian Attacks
The Center for Internet Security published PatchWorks, a free tool that
tests Windows NT systems to determine whether the FBI's list of
necessary patches are in place, points directly to the patches on
Microsoft's site if they are not, and retests to be certain they were
installed correctly. It also attempts to determine whether systems have
been compromised by checking for telltale files. The Center is a not-
for-profit consortium of 150 user organizations from 14 countries that
jointly develop consensus on the priority of cyber threats and work
together to forge tools to counter those threats.
http://www.cisecurity.org/patchwork.html
[Editor's (Paller) Note: Three security questions are often asked by
savvy senior managers: "What are the most important threats? How do we
counter them? And are we doing as much as our competitors to improve
security?" Those are the questions the Center helps answer. If your
organization has any customer information stored on computers accessible
from the Internet, you owe it to your customers to become active in the
Center's work and to gain from the unique knowledge that comes from
consolidating the experiences of more than a hundred government and
commercial organizations. http://www.cisecurity.org]
--9 March 2001 Thieves Steal Personal Info via Internet
Microsoft co-founder Paul Allen and Metromedia International Group
Chairman John Kluge are among executives who allegedly had their
identities stolen and bank accounts looted by two Internet thieves,
according to a report.
http://news.cnet.com/news/0-1007-200-5078246.html?tag=prntfr
--7 & 8 March 2001 Tool Can Crack Passwords on Some IBM E-Commerce Software
A pair of Danish hackers have published a tool that can be used in
conjunction with flaws in IBM's Net.Commerce and WebSphere software to
crack encrypted user passwords. A specially crafted URL can execute a
macro on unprotected servers that will expose user names and encrypted
passwords, and the hackers discovered that the software encrypts
passwords with a fixed key. IBM noted the macro flaw two years ago.
The hackers have asked people not to take advantage of the
vulnerability.
http://news.cnet.com/news/0-1003-200-5068115.html?tag=prntfr
http://www.internetnews.com/wd-news/article/0,,10_707381,00.html
This IBM site describes the security hole and outlines corrective
action:
http://www-4.ibm.com/software/webservers/commerce/servers/2001-2.htm
[Editor's (Murray) Note: If they really did not want anyone to use the
code, they need not have published. Of course, we all know that they
published in order to demonstrate their cleverness. Those of us who
give recognition to the cleverness while not censuring the recklessness
are contributing to disorder and deserve what we get.]
--5 - 8 March 2001 Bibliofind Security Breach
An internal investigation of a website defacement at Bibliofind, an on-
line bookseller, turned up evidence that crackers had downloaded files
containing customer credit card information a number of times between
October 2000 and February 2001. Routine maintenance did not detect the
breaches. The company has since removed the information from its servers
and has contacted credit card companies and customers. While a
Bibliofind spokesman says it does not appear that anyone's information
has been misused, one on-line retailer claims to have detected a series
of fraudulent credit card transactions last fall; the cards belonged to
a group of people whose only link was having shopped at Bibliofind.
http://www.cnn.com/2001/TECH/internet/03/05/bibliofind/index.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2692833,00.html
http://www.msnbc.com/news/540158.asp?0nm=T24A
http://www.guardianunlimited.co.uk/business/story/0,3604,448383,00.html
(merchant story)
[Editor's Notes: (Murray) The credit card companies should refuse to do
business with merchants who insist upon storing credit card numbers in
the clear on servers directly connected to the Internet. (Paller) VISA
is leading the way in forcing merchants to implement encryption in both
stored and transmitted data.]
*********** Also sponsored by Network-1 Security Solutions ***********
Don't Skimp - Use a Full-Force Firewall on Servers
CyberwallPLUS protects NT/2000 servers against attacks using stateful
packet inspection and fine-grain access controls. It also provides
active intrusion detection that resides directly on the server.
Central management and logging facilities make it ideally suited for
enterprise deployment. Don't skimp!
Free 30-day evaluation: http://www.network-1.com/support/download.html
**********************************************************************
THE REST OF THIS WEEK'S NEWS STORIES
--9 March 2001 Cracker Sentence Includes Programming
Dennis Moran, the New Hampshire teenager who defaced a number of
websites, has been sentenced to spend nine months in jail and to pay
$5,000 to each of his victims. As an additional part of his sentence,
he has been ordered to help program the jail computers.
http://www.usatoday.com/life/cyber/tech/2001-03-09-coolio.htm
http://news.cnet.com/news/0-1003-200-5080727.html?tag=prntfr
--8 March 2001 Web-Enabled Gadgets Ripe for Abuse, Says Privacy Expert
Richard Smith, a computer privacy expert, says web-enabled gadgets can
pose a threat to consumer privacy. While fitness monitors that send
data to a website, biometric identification, and devices like web
cameras can be viewed as valuable technology, they also present the
opportunity for abuse by unscrupulous companies and individuals.
http://news.cnet.com/news/0-1005-200-5067281.html?tag=prntfr
http://www.zdnet.com/zdnn/stories/news/0,4586,2693860,00.html
--8 March 2001 Credit Card Fraud Trail Leads to Yugoslavia
A man in Utah traced fraudulent charges on his wife's credit card to
someone in the metallurgy department at the University of Belgrade.
The University's systems administrator found a file that appeared to be
credit card information for 20-30 people. The company from which the
information was stolen has been out of business since Thanksgiving.
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58395,00.html
[Editors' (Grefer and Murray) Note: The credit card company acted to
inform its customers and the Utah man followed up.]
--8 March 2001 NIAP Forum Focuses on Need for Security Requirements
The National Information Assurance Partnership (NIAP) brought together
security experts from government, industry and academia to discuss ways
to incorporate security requirements into the development cycle of
products. Everyone agreed that the first essential step is to define
security requirements.
http://www.fcw.com/fcw/articles/2001/0305/web-niap-03-08-01.asp
[Editor's (Murray) Note: True but not particularly helpful. We have had
long lists of security requirements since the early days of the Orange
Book. The problem is that they are met at the expense of some other
desirable characteristic of the product. Neither is there a shortage of
security features and properties in our products. The problem is that
they are not consistently applied and often deliberately compromised in
favor of some other value. Currently the value most often cited is
market pressure but ease of use has often been high on the list. Also
high on the list is operator convenience. This is the one that accounts
for in-band management of systems, a characteristic that accounts for
a large measure of the problems in the Internet today.]
--7 & 8 March 2001 Microsoft Will Make Source Code Available to Some Customers
Microsoft is expanding Windows source code access to about 1,000 of its
biggest customers. Customers with more than 1,500 in-house
licenses will be offered read-only access to source code for Windows
2000, Windows XP, and all attendant service packs.
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58380,00.html
http://www.wininformant.com/Articles/Index.cfm?ArticleID=20226
--7 March 2001 Naked Wife Virus
The Naked Wife virus arrives disguised as a Macromedia Flash movie, and
delivers not racy pictures but a nasty payload, erasing vital Windows
and system files and mailing itself to the entire Outlook address book
of infected machines. Some information in the virus's source code
suggests that it originated in Brazil, though not all anti-virus firms
agree on that point. As always, users should refrain from opening
unexpected attachments.
http://www.msnbc.com/news/540062.asp?0nm=T21D
http://www.usatoday.com/life/cyber/tech/2001-03-06-nakedwife.htm
http://www.cnn.com/2001/TECH/internet/03/07/virus.brazil.02/index.html
--7 March 2001 Seven-Line DVD Descrambling Program
Two MIT programmers have written a seven-line program in Perl that
decrypts and plays DVD movies. The Motion Picture Association of
America (MPAA), which is embroiled in a suit against the on-line
magazine 2600 over their links to sites containing another DVD
descrambling program, DeCSS, is looking into the matter. Because the
new program lacks the five-byte title key, it apparently does not
violate the Digital Millennium Copyright Act, which the MPAA used in
its lawsuit against DeCSS.
http://www.wired.com/news/culture/0,1284,42259,00.html
http://news.cnet.com/news/0-1005-200-5058111.html?tag=prntfr
--7 March 2001 Hamas Site Suffers Redirect Attack
In the latest incident of vandalism in the Middle East cyber "war," vandals
have redirected Hamas home page visitors to another site.
http://news.bbc.co.uk/hi/english/world/middle_east/newsid_1207000/1207551.stm
--7 March 2001 Honeypot Ethics
Some security experts express concern that honeypots, decoy systems
designed for the express purpose of surreptitiously observing cracker
behavior, are unethical and perhaps even illegal.
http://www.wired.com/news/culture/0,1284,42233,00.html
[Editor's (Cowan) Note: Other security experts express concern that
honeypots are expensive and ineffective.]
--6 March 2001 Study Critical of Remote Internet Voting
A study commissioned by the National Science Foundation (NSF) concludes
that voters should not be allowed to cast Internet ballots from remote
locations, like work and home, because of security and reliability
concerns. However, poll-site Internet voting could boost convenience
and efficiency, according to the report, which was conducted by the
Internet Policy Institute (IPI) and the University of Maryland.
http://www.wired.com/news/politics/0,1283,42229,00.html
--5 March 2001 Web "Bug" Detecting Tools Emerge
Several companies have developed tools that help Internet users detect
and thwart web "bugs," hidden code which can be used for a variety of
purposes from tracking web surfing habits to stealing files from or
installing files on computers. One company plans to offer a service
that assigns a risk value to websites based on the number of web "bugs"
present; others plan to offer "bug" scrubbing services.
http://www.zdnet.com/zdnn/stories/news/0,4586,2692472,00.html
--5 March 2001 Managed Security Services
The increasing complexity of information security is leading some
federal agencies to outsource security functions. Support available
from managed security services includes vulnerability analysis,
assessment and penetration testing, and real-time management.
http://www.fcw.com/fcw/articles/2001/0305/tec-netsec-03-05-01.asp
[Editors' Notes: (Murray) They also include near-real-time monitoring
and early attack response. There is also intelligence available to the
cross-enterprise operators that is not available to the enterprise.
(Cowan) Outsourcers should be closely scrutinized. Terrorist groups
and competitors may be able to insert moles into outsourcing
organizations.]
--5 March 2001 PKI Used for Secure Website Communication
Students and alumni of the Defense Department's Defense Computer
Investigations Training Program (DCITP) are using PKI technology to
communicate on a secure website. Users can access the site from any
Internet address; teams of hackers on both offense and defense have
tested the site's security.
http://www.fcw.com/fcw/articles/2001/0305/mgt-pki-03-05-01.asp
--5 March 2001 GAO Report on Federal PKI Implementation Challenges
A General Accounting Office (GAO) report enumerates the challenges
government agencies face in implementing PKI technology, including
interoperability of agency PKIs, scalability, and the high cost of
building a PKI. The GAO report also recommended that the Office of
Management and Budget (OMB) establish PKI implementation standards for
government agencies.
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58343,00.html
[Editors' Note: That said, the government is far ahead of the private
sector in PKI. This is one security technology where the government
really is in the vanguard.]
--5 March 2001 Price Tag Altering Scams
A security executive says many shopping cart applications are vulnerable
to phony price tag alterations through the use of "edit page" and
"publish" features on standard browsers. Some e-commerce sites monitor
orders for pricing irregularities, while others don't detect the
problems until they conduct quarterly or annual audits.
http://www.zdnet.com/zdnn/stories/news/0,4586,2692337,00.html?chkpt=zdhpnews01
[Editors' Notes: (Grefer) This is simply theft -- the equivalent of
peeling off the price tag of a low-priced item and sticking it onto a
high-priced one. (Cowan) E-commerce systems should NEVER trust ANY
result coming back from a Javascript applet that they sent to the
browser.]
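As an added illustration of the Cowan note above (example code written for this page, not anything from the article, the newsletter, or any shopping cart product), a Python cart handler that re-prices every line from a server-side catalogue and flags client/server discrepancies for fraud review; the catalogue and the tampered order payload are constructed sample data:

```python
from decimal import Decimal

# Constructed sample catalogue: SKU -> unit price. This is the only
# price source the server is allowed to bill from.
CATALOG = {
    "BOOK-001": Decimal("29.95"),
    "BOOK-002": Decimal("12.50"),
}


class OrderRejected(Exception):
    """Raised when an order cannot be priced from the catalogue."""


def price_order_insecure(order):
    """The pattern the article warns about: prices come from the browser form."""
    return sum(Decimal(item["price"]) * item["qty"] for item in order["items"])


def price_order(order):
    """Recompute the total from CATALOG, ignoring client-supplied prices.

    Returns (total, alerts). Client prices and totals are compared purely
    for detection; a mismatch is what an order-monitoring job would log
    instead of waiting for a quarterly audit to surface it.
    """
    total = Decimal("0")
    alerts = []
    for item in order["items"]:
        sku = item.get("sku")
        qty = item.get("qty", 0)
        if sku not in CATALOG:
            raise OrderRejected(f"unknown SKU {sku!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise OrderRejected(f"bad quantity {qty!r} for {sku}")
        unit = CATALOG[sku]
        total += unit * qty
        if "price" in item and Decimal(str(item["price"])) != unit:
            alerts.append(f"{sku}: client sent {item['price']}, catalogue says {unit}")
    if "total" in order and Decimal(str(order["total"])) != total:
        alerts.append(f"client total {order['total']} != server total {total}")
    return total, alerts


# Constructed sample: the page was edited in the browser to lower one
# line's price and the grand total before the form was submitted.
TAMPERED_ORDER = {
    "items": [
        {"sku": "BOOK-001", "qty": 1, "price": "0.01"},
        {"sku": "BOOK-002", "qty": 2, "price": "12.50"},
    ],
    "total": "25.01",
}

if __name__ == "__main__":
    print("insecure handler bills:", price_order_insecure(TAMPERED_ORDER))
    total, alerts = price_order(TAMPERED_ORDER)
    print("server-priced total:", total)
    for alert in alerts:
        print("ALERT", alert)
```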
--28 February 2001 NIST Soliciting Comments On Draft FIPS
NIST has announced that it is soliciting public comments on the Draft
FIPS for the Advanced Encryption Standard (AES). The 90-day comment
period will close on May 29, 2001. Copies of the Draft FIPS and other
information related to the AES are available at the AES home page.
http://csrc.nist.gov/encryption/aes/index.html
TUTORIALS
--9 March 2001 HIPAA Compliance Makes Good Sense
The author, a security analyst, says that adhering to the Health
Insurance Portability and Accountability Act's (HIPAA) requirements
makes good business sense. Compliance is attained not by merely
installing new software, but by implementing security practices which
will attract customers who want to do business with an organization that
values personal medical information privacy and security. University
medical centers may face special compliance challenges due to the open
nature of their systems.
http://www.computerworld.com/cwi/story/0,1199,NAV65-663_STO58467,00.html
== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the headers).
You will receive your personal URL via email.
You may also email <sans@sans.org> with complete instructions and your
SD number for subscribe, unsubscribe, change address, add other digests,
or any other comments.