From: The SANS Institute (sanssans.org)
Date: Tue Apr 02 2002 - 07:10:04 CST


    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: April 2 SANS NewsBites

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Forensics and enterprise security management are rapidly emerging as
    key fields of security. To help you master these important subjects,
    SANS will combine its existing immersion training programs with free,
    focused technical conferences on forensics (in Boston at SANSFire 02)
    and enterprise security management (in Washington for SANS Washington
    02). Each person who registers for one of the training tracks in
    Washington or Boston will be able to attend the technical conference
    sessions at no extra cost.

    In about 15 days, more than 500,000 people will receive conference
    guides for Washington and Boston. To ensure you get a seat in the
    course of your choice, please register early. (Orlando was sold out.)
    SANS Washington DC, May 6-12, http://www.sans.org/CapitolHill
    SANSFire, Boston, June 27-July 2: http://www.sans.org/SANSFIRE02

                                     Alan

    **********************************************************************
                               SANS NEWSBITES
                    The SANS Weekly Security News Overview
    Volume 4, Number 14 April 2, 2002
    Editorial Team:
                 Kathy Bradford, Dorothy Denning, Roland Grefer,
                 Bill Murray, Stephen Northcutt, Alan Paller,
                 Marcus Ranum, Howard Schmidt, Eugene Schultz
    **********************************************************************

    TOP OF THE NEWS
    01 April 2002 Cyber Czar Says Security Comfort 3-5 Years Away
    25 March 2002 Supplemental Budget Request Includes IT Security Items
    29 March 2002 Former Global Crossing Employee Arrested
    27 March 2002 Media Player Could Present a New Wave of Attacks

    THE REST OF THE WEEK'S NEWS
    29 March 2002 Microsoft Releases Patch for Two IE Holes
    27 & 28 March 2002 Airports Testing Biometrics
    27 March 2002 FBI Must Produce More Carnivore Information
    25 & 28 March 2002 Should the Law Consider Good Intentions?
    25 & 28 March 2002 Weak Security on eBay Has Users Concerned
    25 March 2002 Air Force Network Targeted With Copious Probes
    25 March 2002 FrontPage Vulnerability Exploited
    25 March 2002 Georgia Tech IT Handled Intrusion Well
    25 March 2002 Web Services Security
    21 March 2002 Gartner Explains Why Complete Software Security
                   Won't Happen
    20 March 2002 Open Source Software Review is Uneven

    RECENT TUTORIAL ARTICLES
    26 March 2002 Broadband Security
    29 March 2002 The Internet A Root Server and Security
    15 March 2002 Developing an Incident Response Plan

    TRAINING OPPORTUNITIES IN THE NEXT 120 DAYS
    Large SANS GIAC Certification and Training programs in Toronto,
    Boston, London, Washington, Denver, New York, and Los Angeles.
    Smaller programs in Phoenix, Minneapolis, Portland, Colorado Springs,
    Chicago, Detroit.
    Details and registration information: www.sans.org

    **************** Sponsored by SurfControl, Inc. **********************

    YOUR NETWORK IS CONSTANTLY UNDER ATTACK.

    If you could easily stop users from sapping your bandwidth, block
    access to personal Web-based email accounts (the main way users
    introduce viruses into your network), all w/out being the company
    traffic cop, would you?

    Then try SuperScout Web Filter FREE:
    http://www.surfcontrol.com/go/zsnb0403
    **********************************************************************

     --01 April 2002 Cyber Czar Says Security Comfort 3-5 Years Away
    Presidential cybersecurity advisor Dick Clarke says the history of
    Federal IT security is "a sad one," and worries that Congress may
    not fully fund computer security efforts.
    http://gcn.com/21_7/news/18305-1.html

     --25 March 2002 Supplemental Budget Request Includes IT Security
                      Items
    The White House submitted a supplemental budget request for fiscal
    2002 asking for more than $36 million for IT security programs
    related to homeland security. That figure includes $2.5 million for
    the GSA to establish the Internet Vulnerability Management Office.
    http://www.fcw.com/fcw/articles/2002/0325/news-budget-03-25-02.asp

     --29 March 2002 Former Global Crossing Employee Arrested
    The FBI arrested Steven Sutcliffe, a former Global Crossing employee,
    for making threats against company executives on his website.
    A federal judge dismissed charges connected with Sutcliffe's posting
    of employee names and social security numbers on the website because
    he didn't intend to use the data for illegal purposes.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69684,00.html
    [Editor's (Ranum) Note: This one is really interesting!! He posted
    social security numbers "not for illegal purposes" and got away
    with it? What happens when some hacker posts all the social security
    numbers from some database "not for illegal purposes"?
    (Schultz) There are some very interesting "truth in disclosure" issues
    that surround this case. Because of the great potential for loss by
    individual employees, why did Global Crossing wait so long to inform
    its employees that their personal information had been compromised?]

     --27 March 2002 Media Player Could Present a New Wave of Attacks
    Security experts say that Windows Media Player can be exploited to
    run code disguised as a trusted file in HTML e-mail; the attack also
    manages to bypass Outlook 2002 security measures.
    http://www.wired.com/news/technology/0,1282,51361,00.html

    *********************** Sponsored Links *****************************

    Highest availability for Check Point! Download this FREE WHITE PAPER
    from Resilience. http://www.sans.org/cgi-bin/sanspromo/NB20

    (2) NEW White Paper - Content Inspection in High Capacity Networks
    Aladdin & Radware. http://www.sans.org/cgi-bin/sanspromo/NB21

    (3) THE Security Solution for Authentication, Administration,
    Auditing for UNIX/LINUX http://www.sans.org/cgi-bin/sanspromo/NB22
    ***********************************************************************

    THE REST OF THE WEEK'S STORIES

     --29 March 2002 Microsoft Releases Patch for Two IE Holes
    Microsoft has released a patch for two "critical" vulnerabilities
    in Internet Explorer (IE) versions 5.01, 5.5 and 6.0. The first
    vulnerability could allow a malicious script embedded in a cookie
    to run in the local zone, potentially altering or deleting files.
    The second involves object tags and could allow executable files
    already on the computer to run. The patch is cumulative. Microsoft
    is still investigating a debugging tool flaw in Windows 2000 and NT
    that could be exploited to gain a higher level of privilege on the
    operating system.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69683,00.html
    http://news.com.com/2100-1001-871771.html
    http://www.microsoft.com/technet/security/bulletin/ms02-015.asp

     --27 & 28 March 2002 Airports Testing Biometrics
    Several airports are experimenting with biometric identification
    systems for workers and for passengers. While some experts say the
    technology will become widespread over the next few years, former
    FBI agent and now professor of security Harvey Burstein observes that
    human error will always be a factor in security.
    http://zdnet.com.com/2100-1104-869437.html
    http://www.cnn.com/2002/WORLD/europe/03/27/schiphol.security/index.html
    A Gartner analyst says that while biometrics are helpful, they are
    not likely to be a panacea for airport security.
    http://zdnet.com.com/2100-1107-870372.html
    [Editor's (Murray) Note: Biometrics are what we use in airports now.
    We compare the individual's visage to a reference on a credential
    issued by government authority. What is potentially new is the
    automation of this process. Automation is not nearly as difficult as
    will be the issuance of a suitable credential for automatic checking.
    (Schultz) Burstein's statement is particularly applicable here because
    of the prevalence of human error, but a good deal of the cause of
    human error is due to poor usability design. I fear that the next
    generation of two-step authentication technology is going to be
    rushed out without sufficient attention being paid to human factors.
    Experiments conducted two years ago at Purdue University show that
    smart card and biometric authentication is often plagued by the need
    for users to perform additional, unnecessary, and often difficult
    actions.]

     --27 March 2002 FBI Must Produce More Carnivore Information
    A federal judge has ruled that the FBI has 60 days to conduct
    "a further search" of its records to produce more information on
    Carnivore and EtherPeek. A prior search, conducted in response to
    a suit filed by EPIC under the Freedom of Information Act, produced
    only technical details and overlooked legal and policy references.
    http://news.com.com/2100-1023-870028.html

     --25 & 28 March 2002 Should the Law Consider Good Intentions?
    A panel at the recent "Information Security in the Age of Terrorism"
    conference discussed whether or not well-intentioned cyber-intruders
    should be prosecuted just like other cyber criminals. One of the
    panelists was Adrian Lamo, the young man responsible for exposing and
    then helping to fix security problems at major companies. The target
    of his most recent foray, the New York Times, has not decided how
    they plan to proceed. While the panelists shied away from condemning
    actions like Lamo's, they conceded that he sat on his knowledge of
    the vulnerabilities for too long.
    http://online.securityfocus.com/news/358
    [Editor's (Ranum) Note: Society takes into account good intentions
    when laws are written. It doesn't need to revisit things that have
    been decided to be illegal every time someone feels that the law
    shouldn't apply to them because their motives are superior.]

     --25 & 28 March 2002 Weak Security on eBay Has Users Concerned
    Some eBay users have had their accounts commandeered by crackers. The
    online auction site does not have a lockout policy, so dictionary
    attacks can be used to guess passwords.
    http://zdnet.com.com/2100-1106-868306.html
    eBay does not use Secure Sockets Layer (SSL) by default when
    transmitting data between users' computers and company servers.
    One analyst points out that though SSL may not actually add a great
    deal of security, from the users' perspective, it decreases the
    perceived security risk.
    http://news.com.com/2100-1017-870959.html
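    The lockout gap described in the item above, as an added example that
    is not from the article or from eBay's systems: a password check with
    no lockout policy beside the same check with a per-account failure
    counter and temporary lockout, each run against a small dictionary
    attack. The user record, the wordlist, and the five-attempt /
    fifteen-minute thresholds are constructed for the demonstration.

```python
"""Account lockout demo: password check without and with a lockout policy.

Added example, not code from the NewsBites item or from eBay. The user
database, wordlist and policy thresholds below are constructed.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumed policy: lock the account for 15 minutes
PBKDF2_ROUNDS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored record is not a raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user database: username -> (salt, password hash).
# The password is a dictionary word on purpose, to show the attack succeeding.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("sunshine", _SALT))}

# Constructed attacker wordlist; the real password is the last entry.
WORDLIST = ["password", "123456", "letmein", "qwerty", "monkey",
            "dragon", "sunshine"]


def _check(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash(password, salt), digest)


class NoLockoutAuth:
    """Weak form: every guess gets an immediate yes/no, forever."""

    def login(self, user, password, now=None):
        return _check(user, password)


class LockoutAuth:
    """Hardened form: count consecutive failures per account, then lock."""

    def __init__(self):
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> unix time the lock expires

    def login(self, user, password, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0) > now:
            return False         # locked: reject without checking the password
        if _check(user, password):
            self.failures.pop(user, None)
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
        return False


def dictionary_attack(auth, user, wordlist, now=0.0):
    """Try each word once; return (password found or None, guesses made)."""
    for i, guess in enumerate(wordlist, 1):
        if auth.login(user, guess, now=now):
            return guess, i
    return None, len(wordlist)


if __name__ == "__main__":
    print("no lockout :", dictionary_attack(NoLockoutAuth(), "alice", WORDLIST))
    locked = LockoutAuth()
    print("with lockout:", dictionary_attack(locked, "alice", WORDLIST))
    print("owner right after attack:", locked.login("alice", "sunshine", now=0.0))
    print("owner after lock expires :",
          locked.login("alice", "sunshine", now=LOCKOUT_SECONDS + 1.0))
```

    Against the no-lockout check the seventh guess wins; against the
    lockout check the fifth failure locks the account and the remaining
    guesses are refused unread. The same lock also refuses the legitimate
    password until it expires, which is the cost of a lockout policy: an
    attacker who knows a user name can lock that user out, so a lockout is
    normally paired with per-source rate limiting and a notification to
    the account owner rather than used alone.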

     --25 March 2002 Air Force Network Targeted With Copious Probes
    A computer network at Wright-Patterson Air Force base detected 125,000
    probes in a two-hour period. A public affairs officer confirmed
    reports that the probes originated outside the US and said that the
    network was not breached.
    http://www.fcw.com/fcw/articles/2002/0325/web-af-03-27-02.asp

     --25 March 2002 FrontPage Vulnerability Exploited
    Using an exploit published by a computer security company, crackers
    took advantage of a known buffer overflow flaw in IIS's FrontPage
    Server Extensions to deface three Microsoft websites. A patch for
    the vulnerability has been available since June of last year.
    http://www.newsbytes.com/news/02/175442.html

     --25 March 2002 Georgia Tech IT Handled Intrusion Well
    The IT people at the Georgia Institute of Technology handled a recent
    intrusion into a business office server proficiently. They limited
    access to the server as soon as the problem was discovered, held
    meetings to assess what they knew and, within three days of the
    incident, contacted everyone affected by the incident.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69478,00.html
    [Editor's (Murray) Note: An ounce of prevention is worth a pound
    of cure.]

     --25 March 2002 Web Services Security
    Draft protocols to address web services security that have been
    submitted to the World Wide Web Consortium (W3C) include XML encryption
    and key management.
    http://zdnet.com.com/2100-1107-867689.html

     --21 March 2002 Gartner Explains Why Complete Software Security
                      Won't Happen
    Gartner analysts say that while open source software may reach a
    certain level of security more quickly than proprietary software
    will, neither will ever be completely secure. Businesses should make
    purchasing decisions based on product security, and should bolster
    software security with firewalls, vulnerability assessments and other
    additional security measures.
    http://zdnet.com.com/2100-1107-865731.html

     --20 March 2002 Open Source Software Review is Uneven
    While open source software is available for users to inspect and
    alter, Sardonix founder Crispin Cowan says that no one is auditing
    the software; open source software review is uneven because people
    tend to examine the more interesting sections of code and ignore the
    duller ones.
    http://zdnet.com.com/2100-1104-864256.html

    RECENT TUTORIAL ARTICLES

     --26 March 2002 Broadband Security
    Individuals with broadband connections at home lack the security
    resources of a company with an IT department, but they need to protect
    their machines from attacks nonetheless. Broadband users should
    install a firewall and remove unnecessary services and components
    from all their devices before putting them on line. Finally, users
    need to make sure that their on-line behavior emphasizes security.
    http://online.securityfocus.com/infocus/1560
    [Editor's (Grefer) Note: Broadband users are urged to employ hardware
    based solutions, like the LinkSys, NetGear or DLink DSL/Cable-Routers,
    which typically include NAT and limited firewall capabilities. Using
    personal firewall software like ZoneAlarm, Tiny, BlackIce, McAfee
    Personal Firewall or Norton Internet Security will provide an
    additional layer of defense.]
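    An added example (not from the SecurityFocus article or the editor's
    note) of the "remove unnecessary services" step above: it parses a
    listening-socket table in the column layout that `netstat -tln` prints
    on Linux and reports every service bound to a non-loopback address
    that is not on an explicit allowlist. The table in the block is
    constructed sample output, not a capture from a real host, and the
    allowlist of port 22 is an assumption for the demonstration.

```python
"""Audit listening TCP services before putting a host on a broadband link.

Added example, not code from the article or the editors. Input is text in
the column layout of `netstat -tln` on Linux; the sample is constructed.
"""
import ipaddress

# Constructed sample output of `netstat -tln` on a home machine.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:3389       0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
"""


def parse_listeners(text):
    """Return (proto, address, port) for each row in LISTEN state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[-1] != "LISTEN":
            continue                      # header lines and non-listeners
        proto, local = parts[0], parts[3]
        addr, _, port = local.rpartition(":")   # IPv6 addresses contain ':'
        rows.append((proto, addr, int(port)))
    return rows


def is_loopback(addr):
    """True only for addresses that cannot be reached from the network."""
    if addr in ("0.0.0.0", "::"):
        return False                      # wildcard: bound on every interface
    return ipaddress.ip_address(addr).is_loopback


def exposed_services(text, allowed_ports):
    """Listeners reachable from the network whose port is not allowlisted."""
    return [(proto, addr, port) for proto, addr, port in parse_listeners(text)
            if not is_loopback(addr) and port not in allowed_ports]


if __name__ == "__main__":
    # Assumed allowlist for the demo: only SSH is meant to be reachable.
    for proto, addr, port in exposed_services(SAMPLE_NETSTAT, {22}):
        print(f"exposed: {proto} {addr}:{port} -> disable or firewall it")
```

    On the constructed sample the audit flags the SMB ports (139, 445),
    the remote-desktop port bound to the LAN address, and the web server on
    the IPv6 wildcard; the CUPS and SMTP listeners bound to loopback are
    left alone. Anything the audit reports should either be stopped or be
    blocked at the router or host firewall before the machine goes on line.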

     --29 March 2002 The Internet A Root Server and Security
    VeriSign's Network Operations Center, that houses the Internet's A root
    server and several important domain servers, employs considerable
    physical security, including cameras and biometric scanners in
    "mantraps" which are triggered when an unauthorized palm is scanned.
    Though security is high, a VeriSign VP said that even if the A root
    server went down, the Internet would not feel a significant impact.
    http://www.washingtonpost.com/wp-dyn/articles/A33447-2002Mar28.html

     --15 March 2002 Developing an Incident Response Plan
    It's a good idea to have an incident response plan in place to deal
    quickly and efficiently with cyber attacks. Among the recommended
    steps to take: establishing a team, deciding who has the authority
    to do what, and speaking with law enforcement ahead of time so you
    know who to call when an incident does occur.
    http://www.cio.com/archive/031502/plan.html

    ==end==

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sanssans.org with the subject:
    Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    You may also email <sanssans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8qaKQ+LUG5KFpTkYRAsBJAJ0fO31R/AB49QeLs+wGAVUMu3GEKACfaiAk
    cByYhvcD3NHAq//PnWQJwAM=
    =9CnR
    -----END PGP SIGNATURE-----