Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: The SANS Institute (sanssans.org)
Date: Wed Jul 25 2001 - 13:00:49 CDT
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: July 25 SANS NewsBites
-----BEGIN PGP SIGNED MESSAGE-----
The conference program for Network Security 2001 (San Diego, October
15-21) has just been posted at
You may have received it this week along with the Security Tools and
Managed Security poster.
If you have never been to a SANS Network Security conference,
the world-class training in all nine critical areas of security,
the huge exhibition of security tools and services, the birds of a
feather sessions, the SANS Night programs, the keynotes, and the
great interaction make it the one conference to attend this fall if
you are serious about information security.
The SANS Weekly Security News Overview
Volume 3, Number 30 July 25, 2001
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz
TOP OF THE NEWS
20 & 23 July 2001 White House Averts Code Red Denial of Service Attack
20 July 2001 SirCam Worm
19 July 2001 Wireless Networks Not Secured
18 & 20 July 2001 CIS Consensus Benchmark For Minimum Security
18 July 2001 Phony Microsoft Security Bulletins
THE REST OF THIS WEEK'S STORIES
23 July 2001 IDSes Require Fine-Tuning
23 July 2001 FBI's Missing Laptops
20 July 2001 Security Firm's Action Irresponsible, Say Critics
20 & 23 July 2001 DoJ to Create Nine New Cyber Crime Prosecution
20 July 2001 Privacy and Security Require Change from the Inside Out
20 July 2001 CERT/CC Advisory for Home Users
20 July 2001 Hong Kong Hacking Laws
18 July 2001 LDAP Vulnerabilities
17 & 18 July 2001 Bush Plan Calls for Cyber Security Board
17, 19 & 21 July 2001 eBook Security Researcher Arrested Under DMCA
16 July 2001 Witnesses Ask For Restraint at Subcommittee Hearing on
16 July 2001 Feds Meet with Hackers
16 July 2001 Project Seeks Help with Human Rights Violations
16 July 2001 Server Security Hole Allows Free Download of XP Beta
16 July 2001 Security Manager's Journal: Moving From Managed Services
UPCOMING TRAINING OPPORTUNITIES
SANSFIRE (8 tracks), Washington, DC, Jul. 30 - Aug. 4
SANS Information Security Officer Training, Washington, DC, Aug. 1-2
SANS Parliament Hill (5 tracks), Ottawa, Canada, Aug. 8-18
SANS Scandinavia (3 tracks), Stockholm, Sept. 23-28
SANS Network Security 2001 (8 tracks), San Diego, CA, Oct. 15-22
SANS Cyber Defense Initiative (CDI), Washington, DC, Nov. 27 - Dec. 3
Plus new, on-line, security training programs.
See www.sans.org for details.
********************** Sponsored by PentaSafe ************************
YOUR INFORMATION SECURITY POLICIES ARE ALREADY WRITTEN!
INFORMATION SECURITY POLICIES MADE EASY V8 is a practical, easy-to-use
reference tool offering 1100+ already-written security polices. Quickly
customize these definitive, up-to-date security policies covering
the latest threats and technologies -- saving thousands of hours
and dollars. This is the most comprehensive collective of security
policies available anywhere. Recently updated to help with HIPAA and
Download a FREE E-MAIL SECURITY POLICY now at:
--20 & 23 July 2001 White House Averts Code Red Denial of Service
Thwarting the attempts of the Code Red worm to launch a denial of
service attack against www.whitehouse.gov, system administrators
moved the site to an alternate IP address. Code Red takes advantage
of a known Microsoft IIS buffer overflow vulnerability and evades
antivirus scanners because it runs entirely in memory.
[Editor's (Murray) Note: This was the single most successful worm in a
decade, and it used only professionally managed systems. In a week,
it starts over again. Anyone want to assert that we have destroyed
all of more than 200K copies? Anyone want to assert that it has
exhausted the address space and that are simply no more systems for
it to attack? How about that we have responded to the attack and
finally gotten around to patching all the vulnerable systems?]
--20 July 2001 SirCam Worm
The SirCam worm propagates via Outlook when users open infected
attachments. The accompanying e-mail address will have a
randomly chosen subject line and will add a document from the
infected computer to the attachment, possibly exposing personal or
proprietary information. The worm also plays a sort of roulette,
which may result in all unused space on an infected machine's hard
drive being filled with random text. It also may delete all files
on an infected computer.
--19 July 2001 Wireless Networks Not Secured
A security group consulting manager said that wireless detection
tools can easily find unsecured wireless networks in any city.
Although wireless hacking tools are not widely available yet, once
the technology becomes more common, attacks on wireless networks will
become as prevalent as those on wired networks are today.
[Editor's (Ranum) Note: Wireless hacking tools, sadly, are not
necessary. The majority of wireless networks don't even need to be
"hacked" - they simply accept the attacker without offering any
defense at all.]
[(Murray): The issue is not so much that the air-side is weak as
that wireless punches a hole in the wire-side. It is not so much
about managing the access points that we know about as it is that
for tens of dollars almost anyone can install a rogue access point.
It is time to start managing all devices on your net by MAC address
and allocating IP addresses statically.]
--18 & 20 July 2001 CIS Consensus Benchmark For Minimum Security
By developing a consensus minimum security benchmark and offering
free testing tools, the Center for Internet Security (CIS) hopes to
pressure vendors into releasing products that are securely configured.
Gartner analyst John Pescatore observes that the CIS benchmark will be
extremely valuable and an easy way to get an increase in security,
versus just reading about threats. CIS is a consortium of 160
large businesses, government agencies and academic institutions in
--18 July 2001 Phony Microsoft Security Bulletins
Two spurious Microsoft security bulletins trick people into infecting
their machines with viruses; their attendant web sites have been
****** Also Sponsored by VeriSign -The Internet Trust Company ********
Secure your Web servers now - with a proven 5-part strategy. The FREE
Server Security Guide shows you how:
DEPLOY THE LATEST ENCRYPTION
and authentication techniques
DELIVER TRANSPARENT PROTECTION
with the strongest security without disrupting users.
--23 July 2001 IDSes Require Fine-Tuning
Federal security managers speaking at a conference about intrusion
detection systems (IDSes) say there's a lot more to the systems than
simply installing the boxes. You must know your network traffic
patterns well enough to determine what is out of the ordinary and
be careful not to set the threshold too low or you will flood your
own system. Additionally, monitoring the IDS results can consume a
lot of resources.
[Editor's (Schultz) Note: "Setting the threshold too low" refers to
a capability to adjust IDSs to either have more false alarms with the
gain of fewer misses (detection failures) or have fewer false alarms
with the gain of more misses.
(Multiple) Firewalls also require tuning and you have to know your
security policy to install them effectively. The fact that any security
system requires knowledge, skills, hard work, and tuning should not
be a surprise. (Paller): Sadly, federal agencies are asking people
with little or no training to take responsibility for securing major
--23 July 2001 FBI's Missing Laptops
The FBI began tracking its laptops only last year. In the last
11 years, 184 of 13,000 laptops have disappeared; at least 13
were stolen and three contained sensitive or classified data.
Legislators are unhappy, and Attorney General John Ashcroft
has requested an inventory of Bureau laptops and other items.
--20 July 2001 Security Firm's Action Irresponsible, Say Critics
eEye Digital security, the company that apparently discovered the
Code Red worm, has been criticized by security experts for publishing
exploit information that could potentially be used by crackers.
--20 & 23 July 2001 DoJ to Create Nine New Cyber Crime Prosecution
The Justice Department (DoJ) is creating nine additional cyber crime
units in cities across the country. The model for the units is the
first Computer Hacking and Intellectual Property (CHIP), based in
San Francisco. Forty-eight of the 77 people on staff nationwide will
[Editor's (Schultz) Note: This new initiative sounds good in that
having a sufficient number of prosecutors is critical to turning
the corner with respect to cybercrime. The FBI has initiated many
efforts in the past, most of which have fallen by the wayside. I hope
this one works.]
--20 July 2001 Privacy and Security Require Change from the Inside
At a panel discussion at the University of Chicago Law School the
consensus was that privacy and security will become manageable not
through "quick fixes," but through change from within the company
culture itself. Ontario's Information and Privacy Commissioner said
that "legislation can't work without self-regulation." One CIO said
that companies should make security requirements a part of contracts
--20 July 2001 CERT/CC Advisory for Home Users
CERT/CC has issued a security alert urging home users to protect their
computers with antivirus software, firewalls, and good practices.
[Editor's (multiple) Note: The CERT/CC bulletin is long overdue,
but still useful. It is questionable, however, whether this bulletin
will get to the people who need it most.]
--20 July 2001 Hong Kong Hacking Laws
Hackers in Hong Kong are now criminals, according to new measures, and
can be punished with a three-year prison sentence for their activities.
[Editor's (Murray) Note: Even here in the "Land of Law and Order"
we only punish behavior, not motive, not intent, and certainly not
self-identification. Many people who identify with the word "hacker"
never interfere with anyone else's system. While I get a little tired
of those that do not interfere with the systems of others defending
those that do, I am not yet ready to put them in jail simply because
they are called or call themselves "hackers."]
--18 July 2001 LDAP Vulnerabilities
A security test suite developed by a group at Oulu University
in Finland found vulnerabilities in various implementations
of the Lightweight Directory Access Protocol (LDAP) protocol.
The vulnerabilities could allow crackers to run code or launch denial
of service attacks on targeted machines. CERT/CC issued an advisory
that includes patch information.
[Editor's (Murray) Note: Patching protocol stacks is not an efficient
way to protect directories. Directories should run as single-
application kernel-only machines that fail to a halt. Better to have
a directory fail hard than to have it covertly compromised.]
--17 & 18 July 2001 Bush Plan Calls for Cyber Security Board
The Bush administration plans to set up a federal cyber security
board composed of 23 officials from major government agencies.
The panel will be charged with determining how best to protect
U.S. critical infrastructure and how to maintain functionality in
times of cyber crisis. The board would report to National Security
Advisor Condoleezza Rice. Critics have expressed concern that such
a large group will complicate decision-making.
[Editor's (Paller) Note: The critics got this one wrong. Decisions will
continue to be made quickly by senior officials. The board will engage
senior agency officials in the policy and implementation process and
accelerate the long overdue task of getting Federal agencies to lead
by example in the security field. On the other hand (Schultz) unless
something other than the "same old same old" is done here, this will
turn out to be yet another bureaucratic exercise in cyber futility.]
--17, 19 & 21 July 2001 eBook Security Researcher Arrested Under DMCA
A Russian encryption expert has been arrested for allegedly violating
the Digital Millennium Copyright Act (DMCA). Dmitry Sklyarov
presented his research at Defcon, demonstrating eBook security
problems. Sklyarov's arrest has rallied civil liberties groups to
launch protests and boycotts.
--16 July 2001 Witnesses Ask For Restraint at Subcommittee Hearing on
Witnesses at a Senate Subcommittee on Science, Technology and Space
hearing urged legislators to exercise caution when considering laws
aimed at cyber security. Vinton Cerf warned that passing unenforceable
legislation would result in people and businesses ignoring the law;
Bruce Schneier said he sees insurance companies helping to improve
security through risk management.
--16 July 2001 Feds Meet with Hackers
A panel of government officials spoke with hackers and voiced
hopes that they will put their talents to good and ethical uses.
--16 July 2001 Project Seeks Help with Human Rights Violations
The Hacktivismo project aims to disseminate information about human
rights violations while shielding the identities of the people who
report the incidents. Members of the Cult of the Dead Cow (cDc)
are finishing their Peekabooty application, which was developed for
just this purpose.
[Editor's (Murray) Note: Encryption is equally powerful for good
and evil. Software that can hide source and content of information
about human rights violations can hide the source and content of the
violations (e.g. depictions of violence against women and children)
--16 July 2001 Server Security Hole Allows Free Download of XP Beta
Previews of Windows XP, which were to be available to 100,000 people at
a cost of $10-20, could be downloaded without usernames or passwords.
While the unofficial downloads might prove difficult if not impossible
to install, one tester believes that product activation codes will
soon be broken.
--16 July 2001 Security Manager's Journal: Moving From Managed
Services to In-House
The security manager's new CIO wants to change from managed services
to in-house security. The manager says he needs new security
standards, policies, and network diagrams with which to determine
trust relationships. He has begun by creating a policy requiring
encryption of all sensitive data sent from the company.
[Editor's (Murray) Note: Do I understand correctly that having
identified "no security standards to speak of" and "vague policies"
as core problems, this manager jumps to the selection of encryption
software as the most efficient place to spend his limited resources?]
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sanssans.org with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.
You may also email <sanssans.org> with complete instructions and
your SD number for subscribe, unsubscribe, change address, add other
digests, or any other comments.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----