From: The SANS Institute (sans@sans.org)
Date: Wed Jul 25 2001 - 13:00:49 CDT


    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: July 25 SANS NewsBites


    The conference program for Network Security 2001 (San Diego, October
    15-21) has just been posted at

    You may have received it this week along with the Security Tools and
    Managed Security poster.

    If you have never been to a SANS Network Security conference,
    the world-class training in all nine critical areas of security,
    the huge exhibition of security tools and services,  the birds of a
    feather sessions, the SANS Night programs,  the keynotes, and the
    great interaction make it the one conference to attend this fall if
    you are serious about information security.



                                 SANS NEWSBITES

                     The SANS Weekly Security News Overview

    Volume 3, Number 30 July 25, 2001

    Editorial Team:
         Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
           Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz



    20 & 23 July 2001 White House Averts Code Red Denial of Service Attack
    20 July 2001 SirCam Worm
    19 July 2001 Wireless Networks Not Secured
    18 & 20 July 2001 CIS Consensus Benchmark For Minimum Security
    18 July 2001 Phony Microsoft Security Bulletins


    23 July 2001 IDSes Require Fine-Tuning
    23 July 2001 FBI's Missing Laptops
    20 July 2001 Security Firm's Action Irresponsible, Say Critics
    20 & 23 July 2001 DoJ to Create Nine New Cyber Crime Prosecution
    20 July 2001 Privacy and Security Require Change from the Inside Out
    20 July 2001 CERT/CC Advisory for Home Users
    20 July 2001 Hong Kong Hacking Laws
    18 July 2001 LDAP Vulnerabilities
    17 & 18 July 2001 Bush Plan Calls for Cyber Security Board
    17, 19 & 21 July 2001 eBook Security Researcher Arrested Under DMCA
    16 July 2001 Witnesses Ask For Restraint at Subcommittee Hearing on
                  Cyber Security
    16 July 2001 Feds Meet with Hackers
    16 July 2001 Project Seeks Help with Human Rights Violations
    16 July 2001 Server Security Hole Allows Free Download of XP Beta
    16 July 2001 Security Manager's Journal: Moving From Managed Services
                  to In-House


    SANSFIRE (8 tracks), Washington, DC, Jul. 30 - Aug. 4
    SANS Information Security Officer Training, Washington, DC, Aug. 1-2
    SANS Parliament Hill (5 tracks), Ottawa, Canada, Aug. 8-18
    SANS Scandinavia (3 tracks), Stockholm, Sept. 23-28
    SANS Network Security 2001 (8 tracks), San Diego, CA, Oct. 15-22
    SANS Cyber Defense Initiative (CDI), Washington, DC, Nov. 27 - Dec. 3
    Plus new, on-line, security training programs.
    See www.sans.org for details.

    ********************** Sponsored by PentaSafe ************************


    INFORMATION SECURITY POLICIES MADE EASY V8 is a practical, easy-to-use
    reference tool offering 1100+ already-written security polices. Quickly
    customize these definitive, up-to-date security policies covering
    the latest threats and technologies -- saving thousands of hours
    and dollars. This is the most comprehensive collective of security
    policies available anywhere. Recently updated to help with HIPAA and
    GLBA regulations.

    Download a FREE E-MAIL SECURITY POLICY now at:


     --20 & 23 July 2001 White House Averts Code Red Denial of Service Attack
    Thwarting the attempts of the Code Red worm to launch a denial of
    service attack against www.whitehouse.gov, system administrators
    moved the site to an alternate IP address. Code Red takes advantage
    of a known Microsoft IIS buffer overflow vulnerability and evades
    antivirus scanners because it runs entirely in memory.
    [Editor's (Murray) Note: This was the single most successful worm in a
    decade, and it used only professionally managed systems. In a week,
    it starts over again. Anyone want to assert that we have destroyed
    all of more than 200K copies? Anyone want to assert that it has
    exhausted the address space and that there are simply no more systems for
    it to attack? How about that we have responded to the attack and
    finally gotten around to patching all the vulnerable systems?]

     --20 July 2001 SirCam Worm
    The SirCam worm propagates via Outlook when users open infected
    attachments. The accompanying e-mail message will have a
    randomly chosen subject line and will add a document from the
    infected computer to the attachment, possibly exposing personal or
    proprietary information. The worm also plays a sort of roulette,
    which may result in all unused space on an infected machine's hard
    drive being filled with random text. It also may delete all files
    on an infected computer.

     --19 July 2001 Wireless Networks Not Secured
    A security group consulting manager said that wireless detection
    tools can easily find unsecured wireless networks in any city.
    Although wireless hacking tools are not widely available yet, once
    the technology becomes more common, attacks on wireless networks will
    become as prevalent as those on wired networks are today.
    [Editor's (Ranum) Note: Wireless hacking tools, sadly, are not
    necessary. The majority of wireless networks don't even need to be
    "hacked" - they simply accept the attacker without offering any
    defense at all.]
    [(Murray): The issue is not so much that the air-side is weak as
    that wireless punches a hole in the wire-side. It is not so much
    about managing the access points that we know about as it is that
    for tens of dollars almost anyone can install a rogue access point.
    It is time to start managing all devices on your net by MAC address
    and allocating IP addresses statically.]

     --18 & 20 July 2001 CIS Consensus Benchmark For Minimum Security
    By developing a consensus minimum security benchmark and offering
    free testing tools, the Center for Internet Security (CIS) hopes to
    pressure vendors into releasing products that are securely configured.
    Gartner analyst John Pescatore observes that the CIS benchmark will be
    extremely valuable and an easy way to get an increase in security,
    versus just reading about threats. CIS is a consortium of 160
    large businesses, government agencies and academic institutions in
    17 countries.

     --18 July 2001 Phony Microsoft Security Bulletins
    Two spurious Microsoft security bulletins trick people into infecting
    their machines with viruses; their attendant web sites have been
    shut down.

    ****** Also Sponsored by VeriSign -The Internet Trust Company ********

    Secure your Web servers now - with a proven 5-part strategy. The FREE
    Server Security Guide shows you how:
    and authentication techniques
    with the strongest security without disrupting users.

    Click here: http://www.verisign.com/cgi-bin/go.cgi?a=n061242310013000


     --23 July 2001 IDSes Require Fine-Tuning
    Federal security managers speaking at a conference about intrusion
    detection systems (IDSes) say there's a lot more to the systems than
    simply installing the boxes. You must know your network traffic
    patterns well enough to determine what is out of the ordinary and
    be careful not to set the threshold too low or you will flood your
    own system. Additionally, monitoring the IDS results can consume a
    lot of resources.
    [Editor's (Schultz) Note: "Setting the threshold too low" refers to
    a capability to adjust IDSs to either have more false alarms with the
    gain of fewer misses (detection failures) or have fewer false alarms
    with the gain of more misses.
    (Multiple) Firewalls also require tuning and you have to know your
    security policy to install them effectively. The fact that any security
    system requires knowledge, skills, hard work, and tuning should not
    be a surprise. (Paller): Sadly, federal agencies are asking people
    with little or no training to take responsibility for securing major
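
    As an added illustration of the threshold trade-off described in the
    item above (this script is not part of the newsletter), the Python
    below runs a simple statistical anomaly detector over constructed
    per-minute connection counts and reports, for several thresholds, how
    many false alarms and how many misses each one produces.

```python
# Added example: threshold tuning for a simple statistical anomaly detector.
# All traffic numbers below are constructed for illustration.
from statistics import mean, stdev

# Connections per minute from one host during a known-quiet period (baseline).
BASELINE = [42, 47, 39, 51, 44, 48, 40, 46, 43, 49]

# Twenty minutes of observed counts. Minutes 11, 13 and 17 (0-based) are the
# labelled incidents: two loud bursts and one quieter burst that is easy to miss.
OBSERVED = [45, 41, 50, 44, 38, 46, 43, 52, 47, 40,
            49, 95, 44, 60, 42, 46, 48, 120, 43, 47]
TRUE_ANOMALIES = {11, 13, 17}


def alert_threshold(baseline, k):
    """Alert when a count exceeds the baseline mean by more than k std devs."""
    return mean(baseline) + k * stdev(baseline)


def evaluate(observed, truth, threshold):
    """Return (false_alarms, misses, alerted_minutes) for one threshold."""
    alerts = {i for i, count in enumerate(observed) if count > threshold}
    false_alarms = len(alerts - truth)   # flagged but benign
    misses = len(truth - alerts)         # incidents that slipped through
    return false_alarms, misses, sorted(alerts)


def sweep(ks=(1, 3, 5)):
    """Map each k to (false_alarms, misses) so the trade-off is visible."""
    results = {}
    for k in ks:
        fa, missed, _ = evaluate(OBSERVED, TRUE_ANOMALIES,
                                 alert_threshold(BASELINE, k))
        results[k] = (fa, missed)
    return results


if __name__ == "__main__":
    # Low k floods the analyst with alerts; high k misses the quiet burst.
    for k, (fa, missed) in sweep().items():
        print(f"k={k}: threshold={alert_threshold(BASELINE, k):.1f} "
              f"false_alarms={fa} misses={missed}")
```

    On this data k=1 raises three false alarms in twenty minutes, k=5
    misses the quieter burst at minute 13, and only k=3 catches all three
    incidents without noise; a real baseline must be built from the
    network's own traffic before the threshold can be chosen.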

     --23 July 2001 FBI's Missing Laptops
    The FBI began tracking its laptops only last year. In the last
    11 years, 184 of 13,000 laptops have disappeared; at least 13
    were stolen and three contained sensitive or classified data.
    Legislators are unhappy, and Attorney General John Ashcroft
    has requested an inventory of Bureau laptops and other items.

     --20 July 2001 Security Firm's Action Irresponsible, Say Critics
    eEye Digital Security, the company that apparently discovered the
    Code Red worm, has been criticized by security experts for publishing
    exploit information that could potentially be used by crackers.

     --20 & 23 July 2001 DoJ to Create Nine New Cyber Crime Prosecution
    The Justice Department (DoJ) is creating nine additional cyber crime
    units in cities across the country. The model for the units is the
    first Computer Hacking and Intellectual Property (CHIP), based in
    San Francisco. Forty-eight of the 77 people on staff nationwide will
    be prosecutors.
    [Editor's (Schultz) Note: This new initiative sounds good in that
    having a sufficient number of prosecutors is critical to turning
    the corner with respect to cybercrime. The FBI has initiated many
    efforts in the past, most of which have fallen by the wayside. I hope
    this one works.]

     --20 July 2001 Privacy and Security Require Change from the Inside Out
    At a panel discussion at the University of Chicago Law School the
    consensus was that privacy and security will become manageable not
    through "quick fixes," but through change from within the company
    culture itself. Ontario's Information and Privacy Commissioner said
    that "legislation can't work without self-regulation." One CIO said
    that companies should make security requirements a part of contracts
    between businesses.

     --20 July 2001 CERT/CC Advisory for Home Users
    CERT/CC has issued a security alert urging home users to protect their
    computers with antivirus software, firewalls, and good practices.
    [Editor's (multiple) Note: The CERT/CC bulletin is long overdue,
    but still useful. It is questionable, however, whether this bulletin
    will get to the people who need it most.]

     --20 July 2001 Hong Kong Hacking Laws
    Hackers in Hong Kong are now criminals, according to new measures, and
    can be punished with a three-year prison sentence for their activities.
    [Editor's (Murray) Note: Even here in the "Land of Law and Order"
    we only punish behavior, not motive, not intent, and certainly not
    self-identification. Many people who identify with the word "hacker"
    never interfere with anyone else's system. While I get a little tired
    of those that do not interfere with the systems of others defending
    those that do, I am not yet ready to put them in jail simply because
    they are called or call themselves "hackers."]

     --18 July 2001 LDAP Vulnerabilities
    A security test suite developed by a group at Oulu University
    in Finland found vulnerabilities in various implementations
    of the Lightweight Directory Access Protocol (LDAP) protocol.
    The vulnerabilities could allow crackers to run code or launch denial
    of service attacks on targeted machines. CERT/CC issued an advisory
    that includes patch information.
    [Editor's (Murray) Note: Patching protocol stacks is not an efficient
    way to protect directories. Directories should run as single-
    application kernel-only machines that fail to a halt. Better to have
    a directory fail hard than to have it covertly compromised.]

     --17 & 18 July 2001 Bush Plan Calls for Cyber Security Board
    The Bush administration plans to set up a federal cyber security
    board composed of 23 officials from major government agencies.
    The panel will be charged with determining how best to protect
    U.S. critical infrastructure and how to maintain functionality in
    times of cyber crisis. The board would report to National Security
    Advisor Condoleezza Rice. Critics have expressed concern that such
    a large group will complicate decision-making.
    [Editor's (Paller) Note: The critics got this one wrong. Decisions will
    continue to be made quickly by senior officials. The board will engage
    senior agency officials in the policy and implementation process and
    accelerate the long overdue task of getting Federal agencies to lead
    by example in the security field. On the other hand (Schultz) unless
    something other than the "same old same old" is done here, this will
    turn out to be yet another bureaucratic exercise in cyber futility.]

     --17, 19 & 21 July 2001 eBook Security Researcher Arrested Under DMCA
    A Russian encryption expert has been arrested for allegedly violating
    the Digital Millennium Copyright Act (DMCA). Dmitry Sklyarov
    presented his research at Defcon, demonstrating eBook security
    problems. Sklyarov's arrest has rallied civil liberties groups to
    launch protests and boycotts.

     --16 July 2001 Witnesses Ask For Restraint at Subcommittee Hearing on
                     Cyber Security
    Witnesses at a Senate Subcommittee on Science, Technology and Space
    hearing urged legislators to exercise caution when considering laws
    aimed at cyber security. Vinton Cerf warned that passing unenforceable
    legislation would result in people and businesses ignoring the law;
    Bruce Schneier said he sees insurance companies helping to improve
    security through risk management.

     --16 July 2001 Feds Meet with Hackers
    A panel of government officials spoke with hackers and voiced
    hopes that they will put their talents to good and ethical uses.

     --16 July 2001 Project Seeks Help with Human Rights Violations
    The Hacktivismo project aims to disseminate information about human
    rights violations while shielding the identities of the people who
    report the incidents. Members of the Cult of the Dead Cow (cDc)
    are finishing their Peekabooty application, which was developed for
    just this purpose.
    [Editor's (Murray) Note: Encryption is equally powerful for good
    and evil. Software that can hide source and content of information
    about human rights violations can hide the source and content of the
    violations (e.g. depictions of violence against women and children)
    themselves. ]

     --16 July 2001 Server Security Hole Allows Free Download of XP Beta
    Previews of Windows XP, which were to be available to 100,000 people at
    a cost of $10-20, could be downloaded without usernames or passwords.
    While the unofficial downloads might prove difficult if not impossible
    to install, one tester believes that product activation codes will
    soon be broken.

     --16 July 2001 Security Manager's Journal: Moving From Managed
                     Services to In-House
    The security manager's new CIO wants to change from managed services
    to in-house security. The manager says he needs new security
    standards, policies, and network diagrams with which to determine
    trust relationships. He has begun by creating a policy requiring
    encryption of all sensitive data sent from the company.
    [Editor's (Murray) Note: Do I understand correctly that having
    identified "no security standards to speak of" and "vague policies"
    as core problems, this manager jumps to the selection of encryption
    software as the most efficient place to spend his limited resources?]


    Please feel free to share this with interested parties via email (not
    on bulletin boards). For a free subscription, (and for free posters)
    e-mail sans@sans.org with the subject: Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    You may also email <sans@sans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.
