From: The SANS Institute (sanssans.org)
Date: Wed Mar 27 2002 - 12:34:07 CST

    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: March 27 SANS NewsBites

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    **********************************************************************
                               SANS NEWSBITES
                    The SANS Weekly Security News Overview
    Volume 4, Number 13 March 27, 2002
    Editorial Team:
                 Kathy Bradford, Dorothy Denning, Roland Grefer,
                 Bill Murray, Stephen Northcutt, Alan Paller,
                 Marcus Ranum, Howard Schmidt, Eugene Schultz
    **********************************************************************

    TOP OF THE NEWS
    25 March 2002 GSA To Provide Patches For All Feds
    21 March 2002 Security Vendors Adopt CIS Standards
    21 & 22 March 2002 Government Sites to Remove Sensitive Info
    21 March 2002 Antispam Admin Could Face Felony Charges for Crashing
                   Server
    20 March 2002 CERT Warns of Social Engineering IM/IRC Attacks

    THE REST OF THE WEEK'S NEWS
    26 March 2002 Virus "WildList" Closes
    22 March 2002 New MyLife Variant has Nasty Payload
    22 March 2002 Image-Based Passwords
    21 March 2002 Mueller Mulling Dividing NIPC
    21 March 2002 Lieberman Asks Ridge for Information
    21 March 2002 Richard Smith on Outlook 2002 and HTML
    20 March 2002 Apache Flaw on IRIX
    20 March 2002 Microsoft Warns of Another Java Hole
    18 & 20 March 2002 NSA Assesses Security Consultants
    19 March 2002 Transportation Mulls Smart Cards
    18 March 2002 Georgia Tech Server Compromised
    15, 19 & 21 March 2002 Vulnerability Reporting Standards Draft
                            Withdrawn from IETF

    TRAINING OPPORTUNITIES IN THE NEXT 120 DAYS
    Large SANS GIAC Certification and Training programs in Boston, London,
    Washington, Denver, New York, Los Angeles, and Toronto. Smaller
    programs in Phoenix, Minneapolis, Portland, Colorado Springs, Chicago,
    Detroit.
    Details and registration information: www.sans.org

    Two notes for people planning May training: In Toronto,
    May 13-18 we have an opportunity to offer smaller class
    sizes. (http://www.sans.org/Ontario) And in Washington, May 6-11,
    we'll be launching the enterprise security management and SANS site
    certification initiative. (http://www.sans.org/CapitolHill)

    ********************* Sponsored by NetIQ *****************************

    Secure your Windows Environment, Decrease Costs - NetIQ White Paper!

    Learn proven strategies to manage group policies in Windows 2000/Active
    Directory. This free white paper will reveal how you can unleash its
    power to eliminate and address security holes as well as automate
    time-consuming administrative tasks.

    Download now! http://www.netiq.com/f/form/form.asp?id=912

    **********************************************************************

    TOP OF THE NEWS

     --25 March 2002 GSA To Provide Patches For All Feds
    The General Services Administration has signed a contract to find,
    verify, and disseminate customized patch sets. System administrators
    will register their system configurations and receive data only about
    patches required for their systems.
    http://www.fcw.com/fcw/articles/2002/0325/news-patch-03-25-02.asp

     --21 March 2002 Security Vendors Adopt CIS Standards
    Three Internet security software companies have submitted their
    products to the Center for Internet Security (CIS) for certification
    against a set of standards and benchmarks. This certification is
    essential for ensuring a security vendor's tool actually is testing
    for the most critical vulnerabilities.
    http://www.washingtontechnology.com/news/1_1/daily_news/18011-1.html

     --21 & 22 March 2002 Government Sites to Remove Sensitive Info
    White House Chief of Staff Andrew Card sent a memo to the heads of all
    government agencies and departments directing them to remove sensitive
    information from their websites, re-examine public documents and send
    a report to the Office of Homeland Security within 90 days.
    http://www.govexec.com/dailyfed/0302/032102tdam1.htm
    http://www.wired.com/news/politics/0,1283,51236,00.html
    http://news.com.com/2100-1023-866132.html
    http://www.usatoday.com/life/cyber/tech/2002/03/21/web-sites-attacks.htm
    [Editor's (Murray) Note: We call this kind of security "throw out
    the baby." I can understand removing the material from public web
    sites but surely we understand enough about access control to make
    it available for legitimate uses and known users.]

     --21 March 2002 Antispam Admin Could Face Felony Charges for
                      Crashing Server
    A system administrator at an antispam company could face felony
    charges of computer intrusion for sending a seemingly innocuous
    query that crashed a mail server that belongs to the city of Battle
    Creek, Michigan. There is a patch available for the bug that enabled
    the crash.
    http://www.wired.com/news/politics/0,1283,51218,00.html

     --20 March 2002 CERT Warns of Social Engineering IM/IRC Attacks
    CERT/CC has released an advisory warning that people using instant
    messaging (IM) and Internet Relay Chat (IRC) have been tricked into
    downloading malicious software that could be used to glean personal
    data, take remote control of an infected computer, or take part in
    a distributed denial of service (DDoS) attack.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69329,00.html
    http://zdnet.com.com/2100-1105-864508.html
    http://www.theregister.co.uk/content/55/24511.html
    Advisory: http://www.cert.org/incident_notes/IN-2002-03.html

    ********************* Sponsored Links ********************************

    NEW White Paper - Content Inspection in High Capacity Networks,
    by Aladdin & Radware.
    http://www.sans.org/cgi-bin/sanspromo/NB17

    Application-level security appliance for Exchange/Notes mail
    servers...IronMail *** Free WHITE PAPER ***
    http://www.sans.org/cgi-bin/sanspromo/NB18

    Attack Mitigator Stops Hackers Dead. How? SANS2002 Booth #605, Free
    White Paper:
    http://www.sans.org/cgi-bin/sanspromo/NB19

    **********************************************************************

    THE REST OF THE WEEK'S NEWS

     --26 March 2002 Virus "WildList" Closes
    For many years, volunteers have prepared the authoritative list of
    viruses that are actually infecting computers. Now Shane Courson,
    the head of that volunteer group, says March, 2002 is the final
    WildList. He's seeking full-time employment.
    http://www.theregister.co.uk/content/56/24587.html

     --22 March 2002 New MyLife Variant has Nasty Payload
    A new variant of the MyLife worm, this one with a caricature of former
    President Clinton, is spreading quickly, according to anti-virus firms.
    This version packs a stronger punch than the version that circulated
    several weeks ago because several bugs in its code have been fixed,
    allowing the worm to drop a nasty payload that destroys files.
    Additionally, the message body that accompanies the worm tries to trick
    the reader into believing the attachment has been found "Viruse" free.
    http://www.msnbc.com/news/728077.asp?0dm=C12NT
    http://zdnet.com.com/2100-1105-866811.html
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69455,00.html

     --22 March 2002 Image-Based Passwords
    Microsoft researchers are developing image-based passwords; users
    would click on certain points of their choosing in a series of
    pictures on the screen; the corresponding pixels are converted into
    a random number.
    http://zdnet.com.com/2100-1104-866544.html
    [Editor's (Schultz) Note: The notion of image-based passwords is
    certainly intriguing, but it is by no means new. Boeing was exploring
    this technology as early as the late 1980's. Still, if image-based
    passwords can circumvent the inherent weaknesses in how passwords
    for Microsoft operating systems are formed, Microsoft would do well
    to try image-based passwords.]

     --21 March 2002 Mueller Mulling Dividing NIPC
    FBI Director Robert Mueller is apparently considering splitting the
    National Infrastructure Protection Center (NIPC) and placing parts
    of it among different agency divisions. Senator Charles Grassley
    (R-Iowa) sent Mueller a letter enumerating the reasons the decision
    would prove detrimental to information sharing.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69370,00.html
    http://www.govexec.com/dailyfed/0302/032102j1.htm
    http://www.cnn.com/2002/TECH/internet/03/21/fbi.cybercrime.ap/index.html

     --21 March 2002 Lieberman Asks Ridge for Information
    Senator Joseph Lieberman (D-Conn.), who chairs the Governmental
    Affairs Committee, sent a letter to Homeland Security director Tom
    Ridge asking him questions about federal cybersecurity and critical
    infrastructure protection.
    http://www.gcn.com/vol1_no1/daily-updates/18229-1.html

     --21 March 2002 Richard Smith on Outlook 2002 and HTML
    Richard Smith has released a list of security concerns he has about
    Microsoft's Outlook 2002, which focus largely on HTML e-mail.
    http://news.com.com/2100-1023-866307.html

     --20 March 2002 Apache Flaw on IRIX
    Two security holes have been found in versions of Apache server
    older than 1.3.22 running on SGI IRIX operating system versions
    6.5.12, 13 or 14. A split-logfile program flaw could allow crackers
    complete system access; a flaw in Multiviews could allow attackers to
    determine the locations of sensitive files on a vulnerable machine.
    SGI has not released a patch and recommends upgrading to a system
    newer than 6.5.14, or if that is not possible, disabling Apache.
    http://zdnet.com.com/2100-1105-864599.html

     --20 March 2002 Microsoft Warns of Another Java Hole
    Microsoft has released a security bulletin warning of another Java
    flaw that could allow Java programs to run outside the "sandbox"
    or restricted area on computers. The patch issued on March 4th for
    the earlier Java hole should take care of this problem as well.
    http://www.usatoday.com/life/cyber/tech/2002/03/20/java-security.htm
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69331,00.html

     --18 & 20 March 2002 NSA Assesses Security Consultants
    Seven companies had their information security vulnerability assessment
    abilities evaluated and rated by the National Security Agency's
    Infosec Assessment Training and Rating Program (IATRP).
    http://www.gcn.com/vol1_no1/daily-updates/18209-1.html
    http://www.fcw.com/fcw/articles/2002/0318/web-nsa-03-20-02.asp
    [Editor's (Paller) Note: The vendors that passed the NSA reviews
    may be doing excellent assessments, but the NSA program does not
    measure quality of their assessments or their skills. NSA takes
    pains to point out that IATRP assessments look only at management
    processes at the company, not whether the company's employees can
    audit systems or networks. There is no verification, for example,
    of whether the consultants can test a firewall configuration for
    effectiveness, audit a UNIX system to see whether it meets minimum
    security configuration standards, assess the network architecture for
    obvious security weaknesses or correct even the top twenty Internet
    security vulnerabilities. Agencies seeking such assurance are
    converging on the GIAC certification for system and network auditors
    (GSNA) as a means of identifying consultants and employees who have
    the minimum technical knowledge and skills necessary to undertake
    effective security audits.]

     --19 March 2002 Transportation Mulls Smart Cards
    The Transportation Security Administration is considering using
    smart cards for employee authentication; proposals for the system
    are presently being accepted.
    http://www.gcn.com/vol1_no1/daily-updates/18217-1.html
    [Editor's (Murray) Note: While the cost of smart cards is approaching
    that of early mag-stripe cards, they are still much more expensive here
    than in Europe. In my mind, the difference is in usage and maturity.
    I am sure that we will find other form factors that will work; this
    is the only one that will interoperate with the pervasive mag-stripe
    technology.]

     --18 March 2002 Georgia Tech Server Compromised
    A server at Georgia Institute of Technology that held employee
    reimbursement records, including university credit card numbers,
    was compromised earlier this month. The intrusion came to light
    when the webmaster noticed that the server logs had been erased.
    University officials speculate that the attacker used the server as
    a repository for large files of some sort that were later removed.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69213,00.html

     --15, 19 & 21 March 2002 Vulnerability Reporting Standards Draft
                               Withdrawn from IETF
    A draft guideline for reporting vulnerabilities which had been
    submitted to the Internet Engineering Task Force (IETF) has been
    withdrawn because the issues it raises are beyond the scope of
    the technical protocols with which the IETF is normally concerned.
    Members of the technical standards body were displeased that they
    had not been asked for input on the document, and also voiced concern
    that the authors had not solicited enough comments from others.
    http://www.theregister.co.uk/content/55/24482.html
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69391,00.html
    http://www.counterpane.com/crypto-gram-0203.html#2
    http://zdnet.com.com/2100-1105-863165.html

    ==end==

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sanssans.org with the subject:
    Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    You may also email <sanssans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8ogLA+LUG5KFpTkYRAu5AAKCKCZgEkxQv8sjQR2k4awdvR5Hu0wCeMdu4
    Duzafxb09Lka07CFb1DLsqQ=
    =R5AL
    -----END PGP SIGNATURE-----