From: The SANS Institute (sans@sans.org)
Date: Wed Apr 10 2002 - 14:03:54 CDT


    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: April 10 SANS NewsBites

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    **********************************************************************
                               SANS NEWSBITES
                    The SANS Weekly Security News Overview
    Volume 4, Number 15 April 10, 2002
    Editorial Team:
                 Kathy Bradford, Dorothy Denning, Roland Grefer,
                 Bill Murray, Stephen Northcutt, Alan Paller,
                 Marcus Ranum, Howard Schmidt, Eugene Schultz
    **********************************************************************

    TOP OF THE NEWS
    8 April 2002 Cyber Attacks Are Up But Not Reported
    5 April 2002 LANL Security Improvements
    3 April 2002 Cyber Crime Conviction Overturned
    2 & 3 April 2002 Judge Denies Dismissal Motion in DMCA Case

    THE REST OF THE WEEK'S NEWS
    4 April 2002 NIST Releases Two More Draft Guides
    4 April 2002 Sentencing Study Examines Cyber Crime Motives
    3 April 2002 eBay Fixes One Security Hole, Still Working on Another
    3 April 2002 Expiration Dates for Open Source Software
    3 April 2002 Pirates' Software Supplier Pleads Guilty
    3 April 2002 Office XP Flaws
    2 & 3 April 2002 Brilliant Network Software Bundled with Kazaa
    2 April 2002 Cyber Insurance Market is Thriving
    2 April 2002 Some Government Sites are Leaking Information
    1 April 2002 Proactive Antivirus Software
    1 April 2002 What Makes A Great CIO
    1 April 2002 Survey Says Only Half of Businesses Have Continuity
                   Plans
    1 April 2002 CVE Dictionary Expands to More than 2,000 Items
    1 April 2002 Some Sites Still Using Flawed Shopping Cart Software
    1 April 2002 Protecting Company Information on the Internet

    IN-DEPTH TECHNICAL SECURITY TRAINING (AND MANAGEMENT COURSES) IN THE
    NEXT 120 DAYS
    Large SANS GIAC Certification and Training programs in Toronto,
    Boston, London, Washington, Denver, New York, and Los Angeles.
    Smaller programs in Phoenix, Minneapolis, Portland, Colorado Springs,
    Chicago, Detroit.
    Details and registration information: www.sans.org

    ************************ SPONSORED BY NetIQ **************************

    FREE - SANS Top Trends in Security Management

    What's the hottest trend shaping security this year? Read the FREE
    SANS report co-distributed by NetIQ to find out what top industry
    experts had to say about security management in 2002.

    Don't get left behind--download the must-have report today!
    http://www.netiq.com/f/form/form.asp?id=1009

    **********************************************************************

    TOP OF THE NEWS
     --8 April 2002 Cyber Attacks Are Up But Not Reported
    An FBI survey indicates that most businesses have been victims of
    cyberattacks, but few have chosen to contact law enforcement officials
    largely because they feared bad PR.
    http://www.usatoday.com/life/cyber/tech/2002/04/08/fbi-survey.htm
    http://www.bayarea.com/mld/siliconvalley/business/special_packages/security/3014527.htm
    [Editor's (Ranum) Note: I wonder whether they feared bad PR or
    whether they simply expect that nothing would come of getting law
    enforcement involved.
    (Schultz) I am sure that, as stated in this news item, organizations
    avoid contacting the FBI after incidents occur because they are afraid
    of negative PR. But that is not the only reason. Despite good efforts
    on its part, the FBI has not really established the level of trust and
    rapport with industry to make turning to the FBI a viable alternative.]

     --5 April 2002 LANL Security Improvements
    Los Alamos National Laboratory has taken measures to improve security
    without impeding employee productivity: employees use tokens that
    require them to memorize only one PIN, computer peripherals have been
    moved to a secure vault, and employees have been educated about
    Internet security.
    http://www.govexec.com/dailyfed/0402/040502td2.htm

     --3 April 2002 Cyber Crime Conviction Overturned
    A computer technician convicted of sending his employer a computer
    virus has had the conviction overturned because the jury found the
    damages to be less than $5,000, the minimum such a charge requires.
    http://www.usatoday.com/life/cyber/tech/2002/04/03/hacker-conviction.htm
    http://www.theregister.co.uk/content/55/24688.html
    [Editor's (Schultz) Note: This outcome illustrates more flaws in
    U.S. computer crime legislation.]

     --2 & 3 April 2002 Judge Denies Dismissal Motion in DMCA Case
    A lawyer for Russian software firm ElcomSoft argued that the US
    does not have jurisdiction in the case because the transactions took
    place over the Internet; the judge disagreed and denied the motion
    to dismiss. Two other motions to dismiss maintain that the Digital
    Millennium Copyright Act (DMCA) is "too broad and vague" and that
    the charges against the firm are likely to be unconstitutional.
    http://www.usatoday.com/life/cyber/tech/2002/04/02/russian-programmer.htm
    http://www.theregister.co.uk/content/55/24691.html

    ************************** SPONSORED LINKS ****************************

    (1) Get flexible, reliable USB-based strong authentication with
    Aladdin's eToken.
    http://www.sans.org/cgi-bin/sanspromo/NB23

    (2) THE Security Solution for Authentication, Administration, Auditing
    for UNIX/LINUX
    http://www.sans.org/cgi-bin/sanspromo/NB24

    (3) Why anti-virus is no longer enough - FREE Beyond Viruses white
    paper.
    http://www.sans.org/cgi-bin/sanspromo/NB25

    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

     --4 April 2002 NIST Releases Two More Draft Guides
    The National Institute of Standards and Technology (NIST) has released
    two draft guides: one concerned with securely configuring e-mail
    servers and another outlining a systematic process for dealing with
    software patches. Comments on the first draft guide are due by April
    30; comments on the second are due by May 2.
    http://www.fcw.com/fcw/articles/2002/0401/web-nist-04-04-02.asp

     --4 April 2002 Sentencing Study Examines Cyber Crime Motives
    A member of the United States Sentencing Commission is conducting
    a study that could produce new sentencing guidelines for computer
    criminals. The USA Patriot Act lumps all cyber criminals together, but
    the results of the study could provide for lesser sentences for some,
    depending on their motives. Jennifer Granick, litigation director at
    the Stanford Center for Internet and Society, is skeptical that the
    minimum sentences will be reduced.
    http://online.securityfocus.com/news/363

     --3 April 2002 eBay Fixes One Security Hole, Still Working on Another
    On-line auction company eBay has fixed a security hole in a
    password-changing function that could have allowed unauthorized people
    to gain access to others' accounts. The company is also working on
    a fix for a dictionary attack vulnerability.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69781,00.html
    http://zdnet.com.com/2100-1106-874389.html

     --3 April 2002 Expiration Dates for Open Source Software
    Jon Lasser proposes building expiration dates into open source
    networking and security software to ensure that people are running
    more secure and interoperable versions.
    http://online.securityfocus.com/columnists/72
    [Editor's (Ranum) Note: If a new vulnerability comes out you need to
    be able to expire a version of software _right_ _now_ - in order to
    make that work, it's just a small incremental cost (I'm not saying
    this is an easy problem, though!) to simply make the software update
    itself with a newer version in near-real time.
    (Grefer) Any such immediate expiration functionality can and will
    also be targeted as an additional attack vector.]
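    The mechanism debated above, as an added illustration that is not part
    of Lasser's column or of NewsBites: a fail-closed expiry check that
    combines a hard build-age sunset (Lasser's proposal) with a
    publisher-issued expire-now notice (Ranum's point that a version must
    be revocable immediately) and treats the notice channel itself as
    hostile (Grefer's point). The policy constant, the notice format, the
    key and the use of HMAC in place of a public-key signature are all
    assumptions made for the example; a deployed client would verify a
    signature it cannot itself produce.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy for this example: a build older than this may not run at all.
MAX_AGE_DAYS = 365


def make_notice(version: str, not_after: str, key: bytes) -> Tuple[bytes, str]:
    """Publisher side: produce an expire-now notice and its authentication tag.

    HMAC-SHA256 with a shared key stands in for a public-key signature here;
    a deployed scheme must use a signature the client can verify but not forge.
    """
    raw = json.dumps({"expire": version, "not_after": not_after},
                     sort_keys=True).encode()
    return raw, hmac.new(key, raw, hashlib.sha256).hexdigest()


def verify_notice(raw: bytes, tag: str, key: bytes) -> Optional[dict]:
    """Return the parsed notice if its tag is valid and well-formed, else None."""
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        notice = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(notice, dict) or not {"expire", "not_after"} <= set(notice):
        return None
    return notice


def check_version(version: str, build_date: date, today: date, last_seen: date,
                  notices: List[Tuple[bytes, str]], key: bytes) -> Tuple[bool, str]:
    """Client side: decide whether this build may run. Returns (allowed, reason).

    last_seen is the latest date the client has previously observed (persisted
    across runs); notices are (raw, tag) pairs fetched from the publisher.
    """
    # A rewound clock would resurrect an expired build, so a clock that runs
    # backwards is treated as tampering and the check fails closed.
    if today < last_seen:
        return False, "clock moved backwards; cannot trust expiry dates"
    # Hard sunset: no build may run past its maximum age, notice or not.
    if today - build_date > timedelta(days=MAX_AGE_DAYS):
        return False, "build older than %d days; update required" % MAX_AGE_DAYS
    for raw, tag in notices:
        notice = verify_notice(raw, tag, key)
        if notice is None:
            # Forged or corrupted: ignored rather than honoured, so the expiry
            # channel cannot be used to shut the software down at will.
            continue
        if notice["expire"] == version and \
                date.fromisoformat(notice["not_after"]) <= today:
            return False, "version %s expired by publisher notice" % version
    return True, "ok"
```

    Three properties carry the argument: an unauthenticated notice is
    ignored rather than honoured, so the expiry channel cannot be used to
    switch the software off at will; a clock that runs backwards fails
    closed rather than resurrecting an expired build; and the hard sunset
    applies even when no notice can be fetched, so cutting the client off
    from the publisher does not keep old code alive. What it does not
    address is the update itself: a client that may not run also cannot
    fetch a newer version, which is the part Ranum notes is not an easy
    problem.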

     --3 April 2002 Pirates' Software Supplier Pleads Guilty
    Nathan Hunt, who supplied software to an international piracy group,
    pleaded guilty to one count of conspiracy to commit copyright
    infringement; he could receive a sentence of up to five years in
    prison and a fine of $250,000.
    http://www.msnbc.com/news/733694.asp?0dm=T218T

     --3 April 2002 Office XP Flaws
    Georgi Guninski has found two security holes in Microsoft's Office XP.
    The first, in Outlook XP, could allow active content to be embedded in
    e-mail and used to force a user's browser to a specific web page. The
    second, in Office XP's spreadsheet application, could be used to place
    files in the start-up directory; used in conjunction with the first,
    it could be exploited to take control of the affected machine.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69779,00.html

     --2 & 3 April 2002 Brilliant Network Software Bundled with Kazaa
    Brilliant Digital Entertainment has been sending out software bundled
    with Kazaa file-trading software; Brilliant's goal is to create
    a giant network for content distribution or distributed computing
    projects, but the company CEO says no computer would be used without
    its owner's permission.
    http://zdnet.com.com/2100-1105-873416.html
    http://zdnet.com.com/2100-1107-874885.html
    http://zdnet.com.com/2100-1105-875111.html
    How to uninstall the Brilliant Software:
    http://zdnet.com.com/2100-11-875278.html

     --2 April 2002 Cyber Insurance Market is Thriving
    Revenues from cyber insurance purchases reached almost $100 million
    in 2001. Businesses are purchasing the policies because traditional
    business coverage policies are being written to exclude the threats
    posed by digital vectors of attack. Some experts say the insurance
    industry could begin to mandate security practices and products.
    http://www.businessweek.com/bwdaily/dnflash/apr2002/nf2002042_8163.htm
    [Editor's (Paller) Note: The estimates of industry growth information
    in this article are far greater than estimates SANS has received
    from insurance industry insiders. One potential explanation is that
    marketing people in the insurance industry are renaming policies
    they already had in place (and are renewing), and calling them cyber
    insurance policies. Reinsurance industry executives tell us that
    there is a critical problem in the application of the insurance model
    to cyber crimes - leading to policy language that excludes many of
    the more important threats.]

     --2 April 2002 Some Government Sites are Leaking Information
    A French security group says that several US government web sites
    running on Domino servers have allowed access to internal documents.
    A spokesman for the Federal Judicial Center, which runs one of the
    affected web sites, says no sensitive data were exposed.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69764,00.html

     --1 April 2002 Proactive Antivirus Software
    New software from Network Associates looks for holes that worms are
    likely to exploit so they can be fixed before an infestation.
    http://news.com.com/2100-1001-873157.html
    [Editor's (Grefer) Note: Interesting how they are trying to sell a pair
    of old shoes (with holes in them) as brand new sandals. Vulnerability
    scanners have been around for quite a while, as have a multitude of
    utilities to check current patch levels.]

     --1 April 2002 What Makes A Great CIO
    Tips for becoming a top-notch CIO include advice in such areas
    as communication, vision, security sense and best practices.
    Also included are examples of excellence among government CIOs and
    deputy CIOs.
    http://www.govexec.com/features/0402/0402s5.htm
    http://www.govexec.com/features/0402/0402s5s2.htm
    http://www.govexec.com/features/0402/0402s5s1.htm

     --1 April 2002 Survey Says Only Half of Businesses Have Continuity
                      Plans
    A survey conducted by Ernst and Young two months after the September
    11th attacks revealed that only about half of the companies polled
    had business continuity plans in place; even fewer had awareness and
    training programs established. While some security experts say two
    months is enough time to get a plan in place, others maintain the
    process requires more time. The article includes a list of questions
    to ask about your business and security.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69705,00.html

     --1 April 2002 CVE Dictionary Expands to More than 2,000 Items
    The Common Vulnerabilities and Exposures (CVE) lexicon, which began in
    1999 with 321 entries, now contains 2,032 standardized descriptions of
    security holes. There are nearly 2,000 additional entries currently
    under review.
    http://www.gcn.com/vol1_no1/daily-updates/18320-1.html
    http://cve.mitre.org/

     --1 April 2002 Some Sites Still Using Flawed Shopping Cart Software
    Two web sites are still running unpatched versions of PDG shopping
    cart software with a flaw that exposes customer credit card details on
    the web. The security hole was discovered nearly a year ago, and PDG
    contacted its customers by phone and e-mail to inform them about the
    problem and tell them how to fix it.
    http://www.msnbc.com/news/732515.asp?0dm=C11LT

     --1 April 2002 Protecting Company Information on the Internet
    Companies may be surprised at how much of their intellectual property
    is available on the Internet. Companies would be well advised to see
    who is linking to their web site and not to put too much information
    in their job postings.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO69658,00.html

    **************** Awesome TCP/IP Header T-Shirt Offer *****************

    One of the most popular items that we sell at conferences is our TCP/IP
    Header T-shirt. The unique aspect of the shirt is that the TCP and
    IP header diagram is upside down, allowing the wearer to actually
    use the shirt to decode packets. Show the world you can decode hex!
    For a limited time, we are making the shirt available via mail order
    from the SANS Store, so if you missed it at a conference, this is
    your chance. While supplies last, the T-shirt is available for $15.00
    (plus shipping), a five dollar savings from the normal price. To get
    yours, visit: http://www.sansstore.org/
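    For readers who would rather let a script do what the shirt does, an
    added example (not SANS code, and no part of the offer above): an IPv4
    and TCP header decoder that takes a hex dump, walks the same fields the
    header diagram shows, and verifies both checksums, the TCP one over
    the pseudo-header. The packet is constructed for the example, a SYN
    from 192.168.0.1:1234 to 192.168.0.199:80; the fixed 20-byte headers
    are decoded, and IP and TCP options are accounted for by length but
    not parsed.

```python
import struct
from typing import Any, Dict

# Constructed sample for this example: a TCP SYN from 192.168.0.1:1234 to
# 192.168.0.199:80, a 20-byte IPv4 header followed by a 20-byte TCP header.
SAMPLE_HEX = (
    "4500 0028 1c46 4000 4006 9c71 c0a8 0001 c0a8 00c7"  # IPv4 header
    "04d2 0050 1234 5678 0000 0000 5002 2000 9ffb 0000"  # TCP header
)

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4(pkt: bytes) -> Dict[str, Any]:
    """Parse the fixed part of an IPv4 header (RFC 791 layout)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "tos": tos,
        "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "protocol": proto, "checksum": cksum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "_src_raw": src, "_dst_raw": dst,
        # A valid header sums to 0xFFFF when the checksum field is included.
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
    }


def decode_tcp(seg: bytes, src_raw: bytes, dst_raw: bytes) -> Dict[str, Any]:
    """Parse a TCP header (RFC 793) and verify its checksum over the pseudo-header."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, cksum, urg = \
        struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes, options included
    flag_bits = off_flags & 0x3F
    # Pseudo-header: src, dst, zero, protocol (6), TCP length (header + data).
    pseudo = struct.pack("!4s4sBBH", src_raw, dst_raw, 0, 6, len(seg))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window, "checksum": cksum, "urgent": urg,
        "checksum_ok": ones_complement_sum(pseudo + seg) == 0xFFFF,
    }


def decode_packet(hex_dump: str) -> Dict[str, Any]:
    """Decode an IPv4 packet given as a hex dump (whitespace ignored)."""
    pkt = bytes.fromhex("".join(hex_dump.split()))
    ip = decode_ipv4(pkt)
    result = {"ip": ip}
    if ip["protocol"] == 6:                  # TCP rides directly after the IP header
        tcp_seg = pkt[ip["header_len"]:ip["total_length"]]
        result["tcp"] = decode_tcp(tcp_seg, ip["_src_raw"], ip["_dst_raw"])
    return result


if __name__ == "__main__":
    decoded = decode_packet(SAMPLE_HEX)
    for layer in ("ip", "tcp"):
        for field, value in decoded[layer].items():
            if not field.startswith("_"):
                print("%s.%s = %r" % (layer, field, value))
```

    Flipping a single byte of the sample (the TTL, say) is enough to see
    the IP checksum fail while the TCP checksum, which does not cover the
    IP header, still verifies.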

    ***********************************************************************

    ==end==

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sans@sans.org with the subject:
    Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers). You will receive your personal URL via email.

    You may also email <sans@sans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8tIHA+LUG5KFpTkYRAmx+AKCWTGuG94dSiWFsCBrOBE1h4MGBjgCdHdA6
    RLLSYVHh7E/ofbnHrlWAHz4=
    =h47G
    -----END PGP SIGNATURE-----