From: The SANS Institute (sans@sans.org)
Date: Wed Apr 17 2002 - 10:40:53 CDT
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: April 17 SANS NewsBites
**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 16 April 17, 2002
Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz
*********************************************************************
A new version of the Router Analysis Tool, running on both UNIX and
Windows, was released yesterday by the Center for Internet Security.
CERT/CC issued a report late last fall saying routers are a new
favorite target of attackers. If you use Cisco routers, it makes
sense to test their security settings using this free program.
(http://www.cisecurity.org and click on the Cisco IOS Router Security
Benchmark Tool.)
US government agency officials are meeting later this week to begin
discussions on alternative configuration benchmarks that could be
used for site certifications. If your organization uses a benchmark
and testing system that has significantly improved security across
many sites, please let us know the details so we can share that
information with them. Email info@sans.org with subject "site
certification benchmarks."
Washington DC's spring computer security training conference is
scheduled for May 6-12. http://www.sans.org/CapitolHill
Alan
TOP OF THE NEWS
15 April 2002 Microsoft Baseline Security Analyzer Misses The Mark
8/9 April 2002 Microsoft's Baseline Security Analyzer
15 April 2002 Buyers Shifting Security Liability To Software Vendors
11 April 2002 Aphex/Aplore Worm
11 April 2002 Red Hat To Issue Vulnerability Alerts Using CVE
10/11 April 2002 Microsoft Releases Cumulative IIS Patch, Thanks
Bug Finders
THE REST OF THE WEEK'S STORIES
15 April 2002 British Hacking Losses Put at 10 Billion Pounds ($16B)
15 April 2002 Hungarian Internet Law Amendments Outlaw All Hacking
15 April 2002 Argentine Law Does Not Provide for Prosecuting Hackers,
Says Judge
15 April 2002 New Threats Could Slip Past Intrusion Detection Systems
14 April 2002 Hidden Programs on Free Software Could Pose Problems
8/13 April 2002 Companies are Increasingly Monitoring IM
12 April 2002 Tell People How to Erase Data, says JEITA
12 April 2002 Experts Disagree About Insider Threat
11 April 2002 Voice Mail Not So Secure
11 April 2002 Companies Work Together on Web Services Security
Specification
10 April 2002 Textron Hacker Sentenced to Sixteen Months
10 April 2002 DoD Policy Discourages Hiring Non-Citizens
10 April 2002 Baylor Implements Security for Handheld Blackberries
8 April 2002 Security Manager's Journal: Forensic Investigation
8 April 2002 What Would Make Trustworthy Computing Initiative Work?
5 April 2002 Webster Commission Report Says Security Seen as
Inconvenient at FBI
RECENT TUTORIAL ARTICLES
12 April 2002 The Not-to-Do List
10 April 2002 Buffer Overflow Attacks
IN-DEPTH TECHNICAL SECURITY TRAINING (AND MANAGEMENT COURSES) IN THE
NEXT 120 DAYS
Large SANS GIAC Certification and Training programs in London,
Washington, Toronto, Boston, Denver, New York, and Los Angeles
Smaller programs in Minneapolis, Portland, Colorado Springs, Chicago,
Detroit, Ottawa, and Melbourne
Details and registration information: www.sans.org
******* This Issue Sponsored by PentaSafe Security Technologies *******
"I forgot my password." These are expensive words!
PentaSafe's new VigilEnt User Manager will drastically reduce password
calls to your help desk, make your passwords safer, and save your
company money. See a demo and use our FREE ROI CALCULATOR to find
out how much your company is really spending on manual password resets.
Visit: http://www.pentasafe.com/products/vum.htm
***********************************************************************
TOP OF THE NEWS
--15 April 2002 Microsoft Baseline Security Analyzer Misses The Mark
A user-friendly version of HFNetChk, released last week, has been
misdiagnosing various Windows systems, both by ignoring installed
patches and by reporting phantom flaws.
http://www.eweek.com/article/0,3658,s=712&a=25576,00.asp
--8/9 April 2002 Microsoft's Baseline Security Analyzer
Microsoft has released the Microsoft Baseline Security Analyzer
(MBSA), a free, 2.5MB tool that will scan for vulnerabilities and
missing patches. MBSA generates a report card for each system scanned
and offers instructions for downloading fixes.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69987,00.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q320454
--15 April 2002 Buyers Shifting Security Liability To Software Vendors
IT managers and CIOs are including clauses in contracts that hold
software vendors liable for security breaches and cyber attacks
connected to their products. It is hoped that the trend will encourage
more secure software development.
http://www.eweek.com/article/0,3658,s=1884&a=25494,00.asp
[Editor's (Paller) Note: A related contracting trend is one in
which large buyers require software vendors to deliver their tools
configured according to industry standard benchmarks such as those
being published by the US National Security Agency (www.nsa.mil)
and the Center for Internet Security (www.cisecurity.org). Federal
buyers have taken the lead in this new initiative.]
--11 April 2002 Aphex/Aplore Worm
The Aphex or Aplore worm spreads through IRC and AIM and uses
several methods of infection. It can send itself out via Outlook,
in which case recipients must open an attachment for their systems
to become infected. It can also send instant messages on its own,
or replace messages sent by an infected user, that lead to a pop-up
window; recipients are told they need a browser plug-in, and if they
click the download button, they become infected.
http://www.cnn.com/2002/TECH/internet/04/11/messenger.worm.idg/index.html
--11 April 2002 Red Hat To Issue Vulnerability Alerts Using CVE
Linux supplier Red Hat announced that it will begin using the Common
Vulnerabilities and Exposures (CVE) standard list for future security
alerts and advisories. The US Government-funded CVE project provides
standardized definitions for security vulnerabilities and exposures.
http://linuxtoday.com/news_story.php3?ltsn=2002-04-11-002-26-SC-RH
[Editor's (Paller) Note: This announcement demonstrates security
awareness and leadership. Other system vendors may well follow Red
Hat's lead. Security vendors, such as ISS and Symantec, already provide
CVE references for the vulnerabilities they report. In addition,
the new global site security certification process is being based
on a consensus list of highest priority vulnerabilities developed
using CVE numbers. The complete CVE list with valuable additional
reference list is searchable at http://icat.nist.gov.]
--10/11 April 2002 Microsoft Releases Cumulative IIS Patch, Thanks
Bug Finders
Microsoft has released a cumulative patch for ten security holes
in its Internet Information Server (IIS); the company urges people
hosting IIS web servers on Windows NT 4.0, Windows 2000 or Windows
XP to install the patch. In its bulletin, Microsoft thanks a number
of security vendors and others for reporting the security holes;
Microsoft also found two of the flaws on its own.
http://news.com.com/2100-1001-880179.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO70010,00.html
http://www.theregister.co.uk/content/55/24795.html
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
************************** SPONSORED LINKS ***************************
(1) Dorian Software Creations: Automate Event Log Archiving, Analysis,
and Detection! http://www.sans.org/cgi-bin/sanspromo/NB26
(2) VULNERABLE TO 'SQL INJECTION' ATTACK? Download white paper from
SPI Dynamics! http://www.sans.org/cgi-bin/sanspromo/NB27
**********************************************************************
THE REST OF THE WEEK'S STORIES
--15 April 2002 British Hacking Losses Put at 10 Billion Pounds ($16B)
The UK Department of Trade and Industry (DTI) found that attacks
by hackers on firms have more than tripled in the past two years,
accounting for 10 billion Pounds in losses. According to the report,
half of all businesses were victims of such attacks, compared with
a quarter in 2000 and less than one in five in 1998.
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7869
--15 April 2002 Hungarian Internet Law Amendments Outlaw All Hacking
Amendments to Hungary's criminal code outlaw all hacking and make no
distinction between events which caused damage and those that did not.
http://www.bbj.hu/user/article.asp?ArticleID=146648
--15 April 2002 Argentine Law Does Not Provide for Prosecuting
Hackers, Says Judge
Calling it a "dangerous legal void," a judge in Argentina has ruled
that hacking is legal there because the law covers only people,
animals and things, not cyber attacks. The defendants in the
case were accused of defacing an Argentine Supreme Court web page.
A similar situation in the Philippines led to the release of the
purported author of the Love Bug worm two years ago.
http://www.iwon.com/home/technology/tech_article/0,2109,227677|technology|04-15-2002::17:26|reuters,00.html
http://www.theregister.co.uk/content/6/24877.html
--15 April 2002 New Threats Could Slip Past Intrusion Detection
Systems
Signature-based intrusion detection systems (IDSes) could allow new
attack methods to slip past: polymorphic buffer overflows alter or
encrypt a known attack's shellcode so that it no longer matches a
signature. IDSes need to start incorporating anomaly- and
behavior-based detection.
http://www.nwfusion.com/news/2002/0415idsevad.html
--14 April 2002 Hidden Programs on Free Software Could Pose Problems
Programs piggy-backing on free software can take actions ranging from
sending users ads to gathering surfing habits to changing Internet
settings. Some can make computers crash. They could eventually be
used by hackers to take more malicious action.
http://www.cnn.com/2002/TECH/ptech/04/14/tag.along.software.ap/index.html
[Editor's (Paller) Note: This article points out risks in legitimate
free programs. An even more dangerous related risk is posed by the
screen savers, fake pictures and music, and bogus security patch
alerts created as malicious software. Unsuspecting users receive spam
instant messages or spam email or visit web sites telling them to
take advantage of a free download. When they execute the downloaded
program, their systems are immediately infected. See April 11 Aphex
Worm story for a current example.]
--8/13 April 2002 Companies are Increasingly Monitoring IM
Instant Messaging (IM) use in businesses more than doubled between
September 2000 and September 2001. Some companies have become concerned
about sensitive data leaking out and employees wasting company time,
and they have begun to monitor such communications, raising questions
about employee privacy.
http://www.cnn.com/2002/TECH/internet/04/13/instant.messages.eavesdropping.ap/index.html
http://news.com.com/2100-1023-878439.html
--12 April 2002 Tell People How to Erase Data, says JEITA
The Japan Electronics and Information Technology Industries Association
(JEITA) has warned that data from hard disks on scrapped or donated
PCs can be retrieved even if the disk has been reformatted. The
organization urges PC makers to give their customers information on
erasing data from the disks. Under Japanese law, corporate PCs must
be recycled, and the government is considering legislation requiring
consumers to recycle their PCs as well.
http://www.computerworld.com/itresources/rcstory/0,4167,STO70116_KEY73,00.html
--12 April 2002 Experts Disagree About Insider Threat
While some experts say the threat of externally launched cyber attacks
is more serious than that of internal threats, others disagree.
NIPC's Robert Wright points out that people have internal access
through contracts or partnerships, and that new technology can make
insider attacks harder to detect.
http://www.computerworld.com/storyba/0,4125,NAV47_STO70112,00.html
[Editor's (Schultz) Note: I'll have to side with those who say that
the insider threat is worse. So many external attacks are "ankle
biter" attacks, and insiders are in a much better position to do things
that can cripple an organization. At the same time, however, to say
that insider attacks outnumber external attacks is downright wrong.
It is amazing how many people who claim that insider attacks outnumber
external attacks have never looked at their organization's firewall
logs to see just how many external attacks there are.]
--11 April 2002 Voice Mail Not So Secure
Voice mail systems are often not very secure, as is evidenced by the
recent leak of a message left by Hewlett Packard Chairwoman and CEO
Carly Fiorina for CFO Robert Wayman.
http://www.computerworld.com/storyba/0,4125,NAV47_STO70048,00.html
--11 April 2002 Companies Work Together on Web Services Security
Specification
Microsoft, IBM and VeriSign together have published WS-Security,
a security specification for web services.
http://www.newsfactor.com/perl/story/17218.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO70049,00.html
http://zdnet.com.com/2100-1105-880621.html
--10 April 2002 Textron Hacker Sentenced to Sixteen Months
Armen Oganesyan was sentenced to sixteen months in jail and fined
$10,000 for hacking into Textron's computer systems and shutting
them down for a day in March 2000. Oganesyan had lost his job a
month earlier.
http://www.siliconvalley.com/mld/siliconvalley/business/special_packages/security/3035838.htm
--10 April 2002 DoD Policy Discourages Hiring Non-Citizens
A recent Washington Post report indicated that a new Department of
Defense (DoD) policy would require IT companies with DoD contracts to
hire only US citizens, even on unclassified projects. Security companies
are concerned that they would lose valuable expertise and that hiring
inexperienced people could lead to poorly written code. The DoD deputy
director of personnel said the department does not intend to forbid
the hiring of visa workers and that everyone would be subject to strict
security checks.
http://online.securityfocus.com/news/367
Washington Post story:
http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A57913-2002Mar7
--10 April 2002 Baylor Implements Security for Handheld Blackberries
Security technology used at Baylor Health Care System in Dallas allows
users of handheld Blackberries to be locked out if the device is unused
for a set period of time. The technology can also set passwords and
erase data remotely.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69996,00.html
--8 April 2002 Security Manager's Journal: Forensic Investigation
After learning that someone may have copied some of his company's
source code, the security manager decides to outsource the forensic
investigation.
http://www.computerworld.com/community/security/security_manager
--8 April 2002 What Would Make Trustworthy Computing Initiative Work?
Frank Hayes isn't impressed with Microsoft's Trustworthy Computing
Initiative, pointing out that the company criticized Georgi Guninski
for disclosing a pair of security holes when they themselves had
created the problems. He suggests that if Microsoft wants to make
good on its security position, it should address vulnerabilities
quickly and search out security holes itself.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69915,00.html
[Editor's (Murray) Note: Guninski's fame, not to say notoriety, is
the result of his not cooperating with MS. If he cooperated with MS
he might have no public identity at all.]
--5 April 2002 Webster Commission Report Says Security Seen as
Inconvenient at FBI
The Webster Commission report reveals that FBI agents view security as
a hindrance to operations and "an impediment to career advancement."
The report suggests that the FBI foster security professionals within
the agency, and recommends restricting employee access to documents
and computers that contain sensitive data.
http://www.govexec.com/dailyfed/0402/040502m1.htm
[Editor's (Murray) Note: Convenience is one of the costs of security;
that is fundamental and cannot be helped. That security is not good
for one's career is not fundamental and can be helped. The other
interesting observation in the report was that IT in the Bureau is ten
years behind the state of the practice. Intelligence and forensics
must be ahead of the curve, not behind. Imagine trying to do either
without current tools. The bureau is unable to appreciate tools that
they have never had the chance to use.]
RECENT TUTORIAL ARTICLES
--12 April 2002 The Not-to-Do List
A list of 21 things you can do to invite cyber attacks includes not
updating virus signatures, not patching software and not educating
employees about security practices.
http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO70076,00.html
--10 April 2002 Buffer Overflow Attacks
Software developers can address buffer overflows by writing software
that automatically checks the size of the data going into buffers,
though the checking process could slow the software's performance.
The article also describes how buffer overflow vulnerabilities work.
http://zdnet.com.com/2100-1107-879619.html
[Editors' (multiple) note: Could the fact that college programming
texts and courses do not teach these truths be considered malpractice?]
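As an added illustration of the size check the summary describes (example code written for this page, not taken from the newsletter or the cited article), a C copy routine that measures its input before writing into a fixed-size buffer and refuses anything that would not fit; NAME_MAX and the sample names are assumed values.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the fixed destination buffer, NUL included */

enum copy_result { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/*
 * The pattern the article warns about is an unchecked copy such as
 *     strcpy(name, untrusted);   // writes past 'name' when input is long
 * This version measures the input first and refuses anything that would
 * not fit, so the destination can never be overrun. The price is the
 * extra scan the summary mentions; it is bounded by dst_size, not by the
 * input length, because it stops once dst_size bytes have been seen.
 */
enum copy_result copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    /* Bounded scan: never read more than dst_size bytes of the source. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)
        return COPY_TOO_LONG;        /* no room left for the terminator */
    memcpy(dst, src, len + 1);       /* len + 1 copies the NUL as well */
    return COPY_OK;
}

/* Constructed input: a short name fits and is copied exactly. */
int demo_short_fits(void)
{
    char name[NAME_MAX] = "";
    return copy_name_checked(name, sizeof name, "alice") == COPY_OK
        && strcmp(name, "alice") == 0;
}

/* An over-long input is refused and the destination is left untouched. */
int demo_long_rejected(void)
{
    char name[NAME_MAX] = "unchanged";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes, twice NAME_MAX */
    return copy_name_checked(name, sizeof name, too_long) == COPY_TOO_LONG
        && strcmp(name, "unchanged") == 0;
}

/* Off-by-one boundary: 15 chars + NUL fits exactly, 16 chars does not. */
int demo_boundary(void)
{
    char name[NAME_MAX];
    int fits = copy_name_checked(name, sizeof name, "123456789012345") == COPY_OK;
    int refused = copy_name_checked(name, sizeof name, "1234567890123456") == COPY_TOO_LONG;
    return fits && refused;
}
```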
==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.
You may also email <sans@sans.org> with complete instructions and
your SD number for subscribe, unsubscribe, change address, add other
digests, or any other comments.