From: The SANS Institute (sanssans.org)
Date: Wed Jan 16 2002 - 11:23:23 CST


    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: January 16 SANS NewsBites


    Salary growth has slowed for security people, after rapid growth for
    several years, but bonuses and premiums are boosting pay for those with
    strong technical skills (demonstrated by GIAC certifications and CISA
    audit certifications). Foote Partner's quarterly IT salary, skills and
    certification survey covers more than 28,000 employees and David Foote
    presented the latest survey data in a web broadcast archived at
    http://searchsecurity.techtarget.com/onlineEventsTranscriptSecurity/1,289693,sid14_gci777176,00.html

    Saturday is the last day for registering for the SANS Security Bootcamp
    program in Monterey, February 9-14, before the late fee kicks in.
    Bootcamp is the most intense learning environment most security
    professionals will ever experience. Courses run during the day and
    special Bootcamp sessions run at night. If you are seeking advanced
    security education that gives you the tools, tips and techniques to get
    up to speed fast, this is the ideal training opportunity. Most people
    who have attended SANS conferences in Monterey say it is the best place
    in the country to go to a conference - especially with the program
    running right next to Fisherman's Wharf.
    http://www.sans.org/Bootcamp.htm

                                    Alan

    **********************************************************************

                                 SANS NEWSBITES

                     The SANS Weekly Security News Overview

    Volume 4, Number 3 January 16, 2002

    Editorial Team:
          Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
                 Bill Murray, Stephen Northcutt, Alan Paller,
                 Marcus Ranum, Howard Schmidt, Eugene Schultz

    **********************************************************************

    TOP OF THE NEWS
    15 January 2002 Solaris Buffer Overflow Being Exploited
    14 January 2002 Congress May Take New Look At Software Protection from
                     Product Liability For Security Flaws
    11 January 2002 Incidents Reported to CERT/CC Doubled in 2001
    10 January 2002 FedCIRC Says Hacking is Down
    10 January 2002 DeCSS Author Indicted
    9 January 2002 AIM Fix Has Back Door
    7 January 2002 Cross-Site Scripting Vulnerability in Citibank Payment
                    Service Site

    THE REST OF THE WEEK'S NEWS
    15 January 2002 Justice Department Forms New Anti-hacker Unit
    14 January 2002 Wireless LANs at Airports Pose Security Threat
    11 January 2002 Gigger Virus
    11 January 2002 Cyber Law Predictions
    11 January 2002 Opinion: Microsoft Not Focused on Security
    11 January 2002 Report Makes Federal Cyber Security Recommendations
    11 January 2002 Financial Companies Looking Into Biometrics
    11 January 2002 Human Firewall Survey Reveals Employees' Lack of
                     Security Knowledge
    10 & 11 January 2002 Microsoft Says Donut is Not .Net Virus
    10 January 2002 DoubleClick Drops Targeting Service
    9 & 10 January 2002 IRS Computers Missing
    9 January 2002 Guarding Against Socially Engineered Attacks
    9 January 2002 Cracker Pleads Guilty to DoE Lab Intrusion
    8 & 9 January 2002 Macromedia Flash Virus is Not Much of a Threat
    8 & 9 January 2002 CSTB Report Says Companies are Neglecting Security
    8 January 2002 Security Advice Confuses
    8 January 2002 Microsoft Investigates Purported IE Hole
    7 January 2002 Virus Writers Justify their Work
    7 January 2002 Crowell Supports GovNet
    4 January 2002 Report Considers Al-Qaeda Cyber Capabilities

    UPCOMING TRAINING OPPORTUNITIES
    ** SANS Peachtree 2002 (3 tracks), Atlanta, Jan 18-24
    * SANS SNORT Series (1 Day), Atlanta, Jan 18
    *** SANS Darling Harbour (4 tracks), Sydney, Jan 19-24
    *** SANS Aloha IV (4 tracks), Honolulu, Jan 28-Feb 2
    **** SANS Computer Security Bootcamp (7 tracks), Monterey, CA, Feb 9-14
    * SANS San Diego ISO (1 track), Feb 25-Mar 1
    * SANS Tysons Corner ISO (1 track), March 3-7
    ** SANS Lone Star (3 tracks), San Antonio, March 11-16
    * SANS Securing IIS (1 day), Los Angeles, March 20
    ** SANS Arizona (2 tracks), Phoenix, March 23-27
    * SANS Securing IIS (1 day), Phoenix, March 28
    ***** SANS 2002 (our largest conference) (12 tracks plus a free
               technical conference for all who attend the tracks),
               Orlando, April 1-7
    **** SANS Parliament Square 2002 (4 tracks), London, April 22-27
    See www.sans.org for details.

    ************ This issue sponsored by NetIQ Corporation ***************

    FREE Security White Paper from NetIQ!

    Between 60% and 90% of the time IT managers spend resolving problems is
    lost to diagnostics. Wouldn't you like to significantly reduce that
    percentage?

    Download NetIQ's FREE white paper,

    "Security Event Correlation: Where Are We Now?"

    http://www.netiq.com/f/form/form.asp?id=421

    ***********************************************************************

    TOP OF THE NEWS

     --15 January 2002 Solaris Buffer Overflow Being Exploited
    The Honeynet Project reported that a buffer overflow problem in Solaris,
    reported and patched two months ago, is now being exploited by
    attackers. CERT issued an advisory recommending that the patch be
    applied or the affected service be disabled.
    http://news.cnet.com/news/0-1003-200-8495923.html?tag=lh
    The CERT advisory: http://www.cert.org/advisories/CA-2002-01.html

     -- 14 January 2002 Congress May Take New Look At Software Protection
                         from Product Liability For Security Flaws
    Rep. Rick Boucher (D-Va.), who co-chairs the Congressional Internet
    Caucus, said, "The producers of software should be responsible for any
    flaws that the software contains," especially if the flaws lead to
    hacking.
    http://www.latimes.com/news/nationworld/nation/la-011402micro.story

     --11 January 2002 Incidents Reported to CERT/CC Doubled in 2001
    The number of security incidents reported to the Computer Emergency
    Response Team Coordination Center (CERT/CC) in 2001 was more than double
    the number reported the previous year, from 21,756 to 52,658. The
    number of alerts nearly doubled, up from 26 to 41. Much of the increase
    is attributable to heightened security awareness.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67318,00.html

     --10 January 2002 FedCIRC Says Hacking is Down
    The Federal Computer Incident Response Center (FedCIRC) says that the
    incidence of hacking has fallen since the terrorist attacks of September
    11. Reasons offered for the decrease are improved security practices
    and intrusion detection tools and legislation that treats hackers as
    terrorists.
    http://www.theregister.co.uk/content/55/23628.html
    [Editor's (Murray) Note: It is naive to believe that legislation that
    does not result in prosecutions has any impact on behavior.
    (Paller) FedCIRC is to be congratulated, but the decline in attacks
    reported by federal sites is not being replicated elsewhere. One needs
    only to look at the defaced web site mirror at Alldas.de to see that
    December was the highest month for such hackings since the summer.
    http://defaced.alldas.de/?archives=complete]

     --10 January 2002 DeCSS Author Indicted
    Jon Johansen, a Norwegian man who co-authored the DeCSS utility, has
    been indicted in hacking charges and could face between 6 months and 2
    years of incarceration.
    http://www.wired.com/news/politics/0,1283,49638,00.html
    http://www.securityfocus.com/news/306
    http://news.cnet.com/news/0-1005-200-8434181.html?tag=prntfr

     --9 January 2002 AIM Fix Has Back Door
    AIMFilter, a fix for the AIM vulnerability, contains a back door that
    lets the program's author redirect users' browsers to pay-for-click
    sites.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67214,00.html
    http://www.theregister.co.uk/content/55/23596.html
    http://www.zdnet.com/zdnn/stories/news/0,4586,5101490,00.html

     --7 January 2002 Cross-Site Scripting Vulnerability in Citibank
                       Payment Service Site
    A security researcher has found a cross-site scripting vulnerability in
    C2it.com, Citibank's on-line payment service. The security hole could
    expose customer account data and even allow attackers to move money out
    of customer accounts.
    http://www.msnbc.com/news/683646.asp?0dm=T225T
    [Editor's (Murray) Note: Characterizing this activity as "security
    research" is inappropriate, not to say destructive.]

    THE REST OF THE WEEK'S NEWS

     --15 January 2002 Justice Department Forms New Anti-hacker Unit
    The new unit has six full-time prosecutors and will focus on Cybercrime
    and cyber-terrorism. Prosecutors in nine other cities have also formed
    Cybercrime units.
    http://www.cnn.com/2002/TECH/industry/01/15/catching.hackers.ap/index.html

     --14 January 2002 Wireless LANs at Airports Pose Security Threat
    Some airlines are using wireless LANs with no encryption for baggage
    matching and curbside check-in applications. These insecure wireless
    networks could put flight operations systems at risk.
    http://www.computerworld.com/cwi/story/0,1199,NAV47_STO67344,00.html

     --11 January 2002 Gigger Virus
    The Gigger virus arrives as an attachment purporting to be a Microsoft
    security update and tries to delete files from infected computers' hard
    drives. The JavaScript virus spreads via Outlook address books and
    mIRC. Antivirus vendors are updating their software to detect the virus
    and protection is now largely in place.
    http://www.zdnet.com/zdnn/stories/news/0,4586,2838401,00.html?chkpt=zdhpnews01
    http://www.theregister.co.uk/content/56/23652.html

     --11 January 2002 Cyber Law Predictions
    Ten experts in cyber legal matters predict what 2002 holds for Internet
    law and policy.
    http://www.nytimes.com/2002/01/11/technology/11CYBERLAW.html
    (please note: free registration required)

     --11 January 2002 Opinion: Microsoft Not Focused on Security
    Jim Rapoza maintains Microsoft consistently places security behind
    productivity when designing software, thereby inviting security
    problems. He conceded that the company has made some headway in the
    area of server security.
    http://www.zdnet.com/zdnn/stories/comment/0,5859,5101601,00.html
    [Editor's (Schultz) Note: Until the public clamors for greater security
    in vendor products, vendors are unlikely to pay greater attention to
    security concerns. And, as I have said so many times before, the real
    problem is not security per se, but rather lack of quality in software
    development.
    (Murray) It seems clear that MS users would like to have security if it
    were free. There is no evidence to suggest that they will give up
    productivity (or even generality or flexibility) to get it.]

     --11 January 2002 Report Makes Federal Cyber Security Recommendations
    A Heritage Foundation report strongly recommends that President Bush
    designate Global Positioning Satellite (GPS) radio frequencies and
    network systems as critical infrastructure to bolster their security.
    The report makes other recommendations as well, including creating a
    center to allow all levels of government to share information and
    intelligence, and securing all federal networks and information systems.
    http://www.fcw.com/fcw/articles/2002/0107/web-heritage-01-11-02.asp

     --11 January 2002 Financial Companies Looking Into Biometrics
    Financial services companies are considering biometrics for customer
    identification. Some companies already use the technology to restrict
    employee access to server rooms. Citibank hopes to offer its customers
    several biometric identification options.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67314,00.html

     --11 January 2002 Human Firewall Survey Reveals Employees' Lack of
                        Security Knowledge
    A survey conducted by the Human Firewall project illustrates the
    knowledge gap between security managers and most other employees. Many
    employees were unable to identify safe passwords and most are unaware
    of their companies' security policies.
    http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO67319,00.html

     --10 & 11 January 2002 Microsoft Says Donut is Not .Net Virus
    Antivirus vendors are calling Donut the first .Net virus, but Microsoft
    maintains it is merely a reworked Windows virus. The virus does not
    self-propagate; users become infected by receiving deliberately sent
    e-mail or from a web site. The virus does not damage computers, but it
    does infect other .Net files.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67256,00.html
    http://news.cnet.com/news/0-1003-200-8444607.html?tag=prntfr
    http://news.cnet.com/news/0-1003-201-8447073-0.html?tag=prntfr

     --10 January 2002 DoubleClick Drops Targeting Service
    DoubleClick discontinued its Intelligent Targeting service late last
    year. The service allowed advertisers to send ads to Internet users
    based on their surfing habits.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67262,00.html

     --9 & 10 January 2002 IRS Computers Missing
    A recent Treasury Department audit revealed that the Internal Revenue
    Service (IRS) could not account for more than 2300 of its computers.
    An agency spokesman said that almost 1600 of the machines have been
    located. He also said that taxpayer information was not compromised
    despite the fact that the missing machines likely contain tax return
    and audit information.
    http://news.cnet.com/news/0-1005-200-8418759.html?tag=owv
    http://www.wired.com/news/politics/0,1283,49615,00.html

     --9 January 2002 Guarding Against Socially Engineered Attacks
    In the second of two articles about social engineering, the author
    discusses preventing, spotting and dealing with socially engineered
    attacks. Companies should implement security policies, use good physical
    security practices and train their staff. They should also have
    procedures in place for handling socially engineered attacks when they
    occur.
    http://www.securityfocus.com/infocus/1533
    [Editor's (Schultz) Note: Social engineering is something about which
    virtually all information security professionals know, but the
    overwhelming majority of the papers and talks on this issue focus on
    the problem, not effective solutions. Granger's piece is a refreshing
    exception to this trend.
    (Murray) We have been dealing with this attack since Eve. We are not
    much better at resisting it now than we were then. It must exploit some
    fundamental vulnerability.]

     --9 January 2002 Cracker Pleads Guilty to DoE Lab Intrusion
    Benjamin Troy Breuninger, who uses the hacker alias "Konceptor," pleaded
    guilty to breaking into the computer network at Lawrence Livermore
    National Laboratory, admitting he downloaded data and agreed that he
    caused $20,000 worth of damage. Breuninger will be sentenced on April
    12; he could receive up to 5 years in prison, a $250,000 fine plus a
    requirement for restitution.
    http://www.gcn.com/vol1_no1/daily-updates/17736-1.html
    http://www.securityfocus.com/news/305

     --8 & 9 January 2002 Macromedia Flash Virus is Not Much of a Threat
    SWF/LFM-926 is a proof of concept Macromedia Flash virus that can infect
    other Flash files. It has a relatively weak vector of infection: to
    become contaminated, users must download an infected Flash file and view
    it in a different player; viewing a Flash film in a browser will not
    infect a machine. While this virus is not a large threat, future
    variants could be more aggressive.
    http://www.cnn.com/2002/TECH/internet/01/09/macromedia.virus.reut/index.html
    http://www.zdnet.com/zdnn/stories/news/0,4586,5101425,00.html?chkpt=zdhpnews01
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1750000/1750775.stm

     --8 & 9 January 2002 CSTB Report Says Companies are Neglecting
                           Security
    A report from the National Academy of Science's Computer Science and
    Telecommunications Board (CSTB) says that US companies are not using
    available security measures to protect themselves from cyber attacks.
    The CSTB encourages companies to conduct random security testing, use
    strong authentication systems and train all employees in the proper use
    of security tools. Furthermore, the report suggests that companies
    producing unsecure software should be held liable.
    http://www.securityfocus.com/news/304
    http://www.wired.com/news/technology/0,1282,49570,00.html
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67238,00.html

     --8 January 2002 Security Advice Confuses
    The recent confusion surrounding the Universal Plug and Play security
    problems in Windows XP underscores the difficulty users face in deciding
    where to turn for reliable security information and advice.
    http://www.msnbc.com/news/682227.asp?0dm=C235T

     --8 January 2002 Microsoft Investigates Purported IE Hole
    An alleged vulnerability in Internet Explorer versions 5.5 to 6 could
    allow crackers to spoof web sites, steal cookie information and read
    local files on affected computers. The hole is due to Microsoft's
    failure to comply with the "same-origin policy." Microsoft is looking
    into the problem and has expressed displeasure at the method of
    disclosure.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67199,00.html

     --7 January 2002 Virus Writers Justify their Work
    Some virus writers justify their activity by claiming it helps other
    people learn about security and provides jobs for security experts.
    They also claim that releasing an exploit anonymously is safer than
    going directly to the software companies with the vulnerability because
    they might be accused of hacking. Detractors say they have never heard
    of a software company prosecuting someone who came forward with
    information about vulnerabilities.
    http://www.wired.com/news/culture/0,1284,49483,00.html

     --7 January 2002 Crowell Supports GovNet
    Cylink Corp. CEO, Bill Crowell, who is a former National Security Agency
    (NSA) deputy director, supports the creation of GovNet, a secure
    government network not connected to the Internet, and says that the
    private sector should consider doing the same thing.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67138,00.html
    [Editor's (Murray) Note: GovNet as a strategy is "defense in depth."
    It will be interesting to see how successful the operators are in
    resisting connections to the broader network.]

     --4 January 2002 Report Considers Al-Qaeda Cyber Capabilities
    A report from the Canadian Office of Critical Infrastructure Protection
    and Emergency Services suggests that al-Qaeda's financial resources
    could allow the terrorist organization to mount cyber attacks against
    critical infrastructure targets. Such an attack could have a
    devastating ripple effect.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO67092,00.html

    ==end==

    Please feel free to share this with interested parties via email (not
    on bulletin boards). For a free subscription, (and for free posters)
    e-mail sanssans.org with the subject: Subscribe NewsBites
     
    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the headers.)
    You will receive your personal URL via email.
     
    You may also email <sanssans.org> with complete instructions and your
    SD number for subscribe, unsubscribe, change address, add other digests,
    or any other comments.
