From: The SANS Institute (sanssans.org)
Date: Wed Mar 21 2001 - 20:00:20 CST

    **********************************************************************
    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: March 21 SANS NewsBites

    *************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    If you missed today's free web broadcast on Critical Windows Security
    Vulnerabilities, you may listen to the recorded version (and get the
    detailed data on correcting them) at www.sans.org/audiogate

                                       AP

    **********************************************************************

                                  SANS NEWSBITES

                      The SANS Weekly Security News Overview

    Volume 3, Number 12 March 21, 2001

    Editorial Team:
          Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
        Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz

    **********************************************************************

    TOP OF THE NEWS
    Busboy Masterminds Identity Thefts of CEOs
    16 March 2001 Magistr Carries Destructive Payload
    14 March 2001 Pirated Version of Office XP Posted
    12 March 2001 BIND Security Still an Issue
    9 March 2001 USPS to Offer Digital Signatures

    THE REST OF THIS WEEK'S STORIES
    16 March 2001 NIPC "Stick" Warning
    16 March 2001 GAO Report Cites IRS E-Filing Vulnerabilities
    15 March 2001 Opinion: Federal CIO Necessary
    14 March 2001 Federal Agencies Need Security Plans to Obtain Funding
    16 March 2001 Securing On-Line Checking Account Payments
    15 March 2001 Source Code Theft Confirmed
    15 March 2001 GAO Critical of Present Export Controls
    15 March 2001 Another TCP Vulnerability
    13 & 15 March 2001 New Version of SubSeven More Dangerous
    13 March 2001 Teen Charged in NASA Site Defacements
    12 March 2001 Internal Cyber Crime Strategies
    12 March 2001 Worm Writing Tool Updated
    12 March 2001 Rethinking Malware Classification
    12 March 2001 Securing the Home Office

    **********************************************************************

    TOP OF THE NEWS
     --Busboy Masterminds Largest Identity Thefts of CEOs
    More than 200 chief executives listed in Forbes magazine were the
    victims of a 32-year-old high-school dropout named Abraham Abdallah.
    http://news.excite.com/news/r/010320/12/net-crime-dc

     --16 March 2001 Magistr Carries Destructive Payload
    Magistr, a sophisticated worm/virus that spreads via e-mail, LANs, or
    shared disks, carries a highly destructive payload. Machines become
    infected when users open attachments. Magistr then uses its own
    internal e-mail program to send itself on to everyone in the infected
    machine's address book, generating random subject headings and attaching
    up to five files from the infected machine's hard drive. After lying
    dormant for one month, Magistr begins destroying files and attacking
    the CMOS and flash BIOS, rendering the computer inoperable.
    http://www.pcworld.com/news/article/0,aid,44686,00.asp

     --14 March 2001 Pirated Version of Office XP Posted
    Despite a product activation security feature built into the
    yet-to-be-released Windows XP and Office XP, a copy of Office XP has
    leaked out and has been posted on a Usenet newsgroup. The posted,
    pirated version has the serial number coded into the program, thereby
    thwarting the anti-piracy feature.
    http://www.wired.com/news/print/0,1294,42402,00.html

     --12 March 2001 BIND Security Still an Issue
    Serious security holes remain in many domain name servers; there is no
    tool for verifying whether or not DNS servers running BIND software have
    had patches applied.
    http://www.zdnet.com/zdnn/stories/news/0,4586,2694514,00.html

     --9 March 2001 USPS to Offer Digital Signatures
    The US Postal Service (USPS) plans to provide federal employees with
    digital signatures, and hopes eventually to sell them to the general
    public. The USPS would serve as the certification authority, as
    customers would be required to provide three forms of identification to
    obtain the digital security.
    http://www.fcw.com/fcw/articles/2001/0305/web-digsig-03-09-01.asp

    **********************************************************************

    THE REST OF THIS WEEK'S STORIES
     --16 March 2001 NIPC "Stick" Warning
    NIPC issued a warning about "Stick", an unreleased hacking tool that
    disarms intrusion detection systems by simulating a flood of attacks
    and overwhelming the software. The tool's author gave the code to the
    National Security Agency (NSA) along with a potential release date of
    March 15, 2001, but now says he does not plan to release the code until
    July.
    http://www.msnbc.com/news/544860.asp?0nm=T21D
    [Editor's (Paller) Note: This article faults the FBI for early release
    of information when nearly all close observers are aware that delay in
    information release has been a primary criticism leveled at the FBI over
    the past two years. The article also appears to support the behavior
    of a programmer who is threatening to release an attack program that
    exploits a vulnerability that cannot be effectively corrected. For a
    more in-depth discussion of these issues, written by Newsbites editor Bill
    Murray, send us an email with the subject "Bill's Commentary."]

     --16 March 2001 GAO Report Cites IRS E-Filing Vulnerabilities
    A GAO report says that last year the IRS's e-filing system had
    vulnerabilities that could have allowed unauthorized viewers to see and
    alter taxpayer information. Among the security concerns listed in the
    report are the agency's failure to encrypt data, a lack of an adequate
    intrusion detection system, and network controls that had been shut off
    to improve processing time.
    http://www.zdnet.com/zdnn/stories/news/0,4586,2697298,00.html
    http://www.infoworld.com/articles/hn/xml/01/03/16/010316hnirs.xml
    http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58717,00.html

     --15 March 2001 Opinion: Federal CIO Necessary
    An information security services director argues for the creation of a
    CIO post in the US Government. The federal CIO would enforce
    information security standards and procedures to protect government
    systems.
    http://www.zdnet.com/zdnn/stories/comment/0,5859,2696750,00.html

     --14 March 2001 Federal Agencies Need Security Plans to Obtain Funding
    Federal agencies may find funding requests for new and existing computer
    systems held up until they can adequately provide evidence they plan to
    implement security measures or demonstrate their systems are already
    secure. Under a new policy, agencies must include security plans in
    their budget requests.
    http://www.fcw.com/fcw/articles/2001/0312/web-omb-03-14-01.asp

     --16 March 2001 Securing On-Line Checking Account Payments
    The National Automated Clearing House Association (NACHA) has
    established security standards for companies authorized to deduct
    on-line payments from customers' checking accounts. The standards
    require companies to install security software, encrypt customers'
    checking account numbers, and conduct annual audits of security
    procedures.
    http://news.cnet.com/news/0-1007-200-5163122.html?tag=prntfr

     --15 March 2001 Source Code Theft Confirmed
    A US government contractor has confirmed that crackers stole satellite
    control and missile guidance system source code from a restricted Navy
    computer system. The FBI says the software is unclassified.
    http://www.vnunet.com/News/1119140

     --15 March 2001 GAO Critical of Present Export Controls
    Citing "militarily significant uses for computers" and the attendant
    impact on national security, the General Accounting Office (GAO) says
    that the loosening of computer export controls was not well justified.
    GAO indicates that there is a need to study alternative methods for
    determining export controls.
    http://news.cnet.com/news/0-1003-200-5153450.html?tag=prntfr

     --15 March 2001 Another TCP Vulnerability
    The researcher who identified a new vulnerability in TCP maintains that
    it is different from a similar problem identified in 1985. In the
    original problem, the Initial Sequence Numbers (ISNs) generated at the
    beginning of TCP sessions were found to be predictable, allowing an
    attacker to pretend to be a trusted host. As a fix, vendors began
    incrementing ISNs by random numbers. However, the researcher says that
    attackers can extract enough information from TCP sessions to infer
    ISN values.
    http://www.zdnet.com/zdnn/stories/news/0,4586,2696792,00.html
    [Editor's (Schultz) Note: This article is not entirely accurate. If
    someone guesses a packet sequence number, this does not allow that
    person to pretend to be a trusted host. It simply allows an otherwise
    unallowed TCP connection. You have to do other things to capitalize on
    trusted host mechanisms.]

     --13 & 15 March 2001 New Version of SubSeven More Dangerous
    A new version of the SubSeven backdoor program has emerged. The program
    allows crackers to perform a variety of activities on targeted
    computers, including retrieving saved passwords, uploading, downloading
    and altering files, and modifying the registry so the program runs
    whenever Windows is rebooted.
    http://www.vnunet.com/News/1119001
    http://news.cnet.com/news/0-1003-200-5147606.html?tag=prntfr

     --13 March 2001 Teen Charged in NASA Site Defacements
    A Michigan teenager has been charged with unauthorized access to
    computers for breaking into NASA systems at the Jet Propulsion
    Laboratory and Goddard Space Flight Center. A NASA official says the
    boy never accessed sensitive information.
    http://www.msnbc.com/news/543817.asp?0nm=T23D

     --12 March 2001 Internal Cyber Crime Strategies
    Security experts told Cybercrime Summit 2001 attendees that establishing
    internal security policies and computer crime forensic procedures is
    crucial to the success of court cases involving insider computer abuse.
    The experts advised that organizations have clear, explicit acceptable
    use policies and consent-to-monitor agreements; they also recommended
    that organizations get forensic training or use computer forensic
    specialists to preserve evidence so that it will be admissible in court.
    A sidebar in the article lists some basic computer crime forensics tips.
    http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58447,00.html
    [Editor's (Murray) Note: "Policy" has become simultaneously routine and
    ineffective. It fails to specify the level of risk that general
    management is prepared to take, the level of security it is prepared to
    pay for, and whom it holds responsible.]

     --12 March 2001 Worm Writing Tool Updated
    A Brazilian man has released a new version of his worm writing kit,
    which a Dutch teenager used earlier this year to create the Anna
    Kournikova worm. The updated software can now generate worms that carry
    .exe payloads and use encryption to hide their signatures.
    http://www.wired.com/news/technology/0,1282,42375,00.html
    http://www.zdnet.com/zdnn/stories/news/0,4586,2695305,00.html

     --12 March 2001 Rethinking Malware Classification
    The author points out that the proliferation of code like ActiveX and
    Java has blurred the lines of distinction between viruses, worms, and
    Trojans. He observes that contemporary malware behaves more like a
    parasite, controlling hosts' behavior and altering environments to suit
    its needs. Furthermore, signature file anti-virus protection is
    reactive; in order to do a better job of protecting our systems, he
    advocates using behavior-based anti-virus programs to stem the tide of
    parasitic hostile code.
    http://www.zdnet.com/zdnn/stories/comment/0,5859,2694882,00.html

     --12 March 2001 Securing the Home Office
    Working at home presents special security concerns. In order to protect
    machines from intruders, the InfoWorld Test Center recommends that home
    office users install personal firewalls and SOHO (small office/home
    office) routers, and that users identify and change all default
    passwords.
    http://www.infoworld.com/articles/tc/xml/01/03/12/010312tcsoho.xml

    == End ==

    Please feel free to share this with interested parties via email (not
    on bulletin boards). For a free subscription, (and for free posters)
    e-mail sanssans.org with the subject: Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the headers.)
    You will receive your personal URL via email.

    You may also email <sanssans.org> with complete instructions and your
    SD number for subscribe, unsubscribe, change address, add other digests,
    or any other comments.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE6uUdR+LUG5KFpTkYRAgREAJ0XkiWsz+pWSr01rSaZ9v7ZcLcTzACfUytR
    dIttwYq9CXWbPoRGJmsCjps=
    =6+gM
    -----END PGP SIGNATURE-----