From: The SANS Institute (sanssans.org)
Date: Wed Jun 12 2002 - 09:44:46 CDT

    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: June 12 SANS NewsBites

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    **********************************************************************
                               SANS NEWSBITES
                    The SANS Weekly Security News Overview
    Volume 4, Number 24 June 12, 2002
    Editorial Team:
                 Kathy Bradford, Dorothy Denning, Roland Grefer,
                 Bill Murray, Stephen Northcutt, Alan Paller,
                        Marcus Ranum, Eugene Schultz
    **********************************************************************

    TOP OF THE NEWS
    6, 7 & 10 June 2002 Homeland Security Department Designed To Bring
                         Cyber Security Efforts Together
    7 June 2002 Kazaa Users May Inadvertently Share Private Files
    6 June 2002 Tenenbaum Receives New, Longer Sentence
    5 June 2002 Microsoft Admits Contribution to Think Tank That Published
    Anti Open-Source Paper
    3 June 2002 MIT Grad Student Cracks Xbox
    3 June 2002 Security Skills In Demand; Jobs Tight

    THE REST OF THE WEEK'S NEWS
    10 June 2002 Administration to Establish Cybersecurity Board
    10 June 2002 Software Piracy on the Rise
    10 June 2002 Old Code Could be a Liability
    7 June 2002 Florida Students Suspended for Changing Grades
    7 June 2002 World Cup Virus
    6 June 2002 Shakira Worm
    6 June 2002 Using Old Software Could be Smart Security Move
    6 June 2002 Group Copies Deceptive Duo Behavior
    6 June 2002 UK Cyber Snooping Center
    4, 5 & 6 June 2002 IE Gopher Hole
    5 & 6 June 2002 CERT/CC Warns of BIND Buffer Overflow Flaw; Sun
    Releases Patches for Solaris Holes
    5 June 2002 Simile.D Calls for a New Spin on Virus Detection
    5 June 2002 Subpoena Asking for MSNBC Reporter's Notes is Withdrawn
    5 & 10 June 2002 Norwegian Database Password Uncovered
    5 June 2002 Canadian Man Arrested for Cyber Attack
    4 June 2002 State AG Personnel Can Get Cybercrime Training
    4 June 2002 Taiwan Reportedly Developing Open Source Project
    4 June 2002 Biometrics Best Used Complementarily
    3 June 2002 Rogue Access Points Pose Security Threat

    IN-DEPTH TECHNICAL SECURITY TRAINING (AND SECURITY MANAGEMENT COURSES)
    IN THE NEXT 90 DAYS
    *SANSFire (Boston, June 27) classes in Forensics and Intrusion
        Detection near capacity. Seven other tracks (Hacker Exploits, SANS
        Security Essentials, Auditing, more) still have space.
    *Large SANS Training programs: Boston, Denver, Marina Del Ray, New York
    *Smaller SANS programs: Chicago, Detroit, San Antonio, Virginia Beach,
        St. Louis, San Diego, Vienna, VA, Omaha, London, Vancouver, Kuala
        Lumpur.
    Details and registration information: www.sans.org

     --6, 7 & 10 June 2002 Homeland Security Department Designed To
                            Bring Cyber Security Efforts Together
    The new Homeland Security Department would consolidate federal cyber
    security efforts, bringing together the FBI's National Infrastructure
    Protection Center (NIPC), the Commerce Department's Critical
    Infrastructure Assurance Office (CIAO) and the GSA's Federal Computer
    Incident Response Center (FedCIRC), among others. The Department
    would serve as a "central clearinghouse" for terrorism-related data.
    http://www.fcw.com/fcw/articles/2002/0610/news-bush-06-10-02.asp
    http://www.fcw.com/fcw/articles/2002/0610/news-bush2-06-10-02.asp
    http://www.gcn.com/vol1_no1/daily-updates/18897-1.html
    http://www.govexec.com/dailyfed/0602/060702td1.htm

     --7 June 2002 Kazaa Users May Inadvertently Share Private Files
    A study shows that many Kazaa users are unaware which files on
    their computers they are making available for the peer-to-peer file
    swapping system. Researchers found they were able to access email
    files, financial data and web browser caches and cookies.
    http://zdnet.com.com/2100-1105-933836.html

     --6 June 2002 Tenenbaum Receives New, Longer Sentence
    Ehud Tenenbaum, the Israeli man who as a teenager broke into computers
    at MIT, NASA, FBI and the US Department of Defense (DoD), received
    an 18-month jail sentence for his intrusions. Tenenbaum initially
    received a year's probation, a fine and six months of community
    service, but an appeals court overruled the earlier ruling.
    http://www.msnbc.com/news/762951.asp

     --5 June 2002 Microsoft Admits Contribution to Think Tank That
                    Published Anti Open-Source Paper
    Microsoft admits that it provides funding to the Alexis de Tocqueville
    Institution, the think tank that recently released a white paper that
    maintains open source software is not secure and that government
    should instead use proprietary software. The Institution will not
    comment on specific funding for the report.
    http://www.wired.com/news/business/0,1367,52973,00.html
    [Editor's (Paller) Note: Last year, the same think tank published a
    paper extolling the benefits of Microsoft's certification programs.]

     --3 June 2002 MIT Grad Student Cracks Xbox
    An MIT graduate student has posted on the Internet his method for
    hacking Xbox security, which could allow people to use the video
    game console to run other software. Andrew Huang attached a custom
    board to the data path between the Xbox's media chip and its central
    processor to devise his hack.
    http://www.msnbc.com/news/761330.asp?0dm=T25AT

     --3 June 2002 Security Skills In Demand; Jobs Tight
    With security budgets being tightened, many companies are training
    existing employees to take on additional security responsibilities.
    http://www.computerworld.com/securitytopics/security/story/0,10801,71579,00.html

    THE REST OF THE WEEK'S NEWS

     --10 June 2002 Administration to Establish Cybersecurity Board
    The Bush administration plans to establish a Cybersecurity and
    Continuity of Operations Board. Members would include representatives
    from the Departments of Defense, State and Commerce as well as from
    intelligence and other agencies.
    http://www.computerworld.com/securitytopics/security/story/0,10801,62106,00.html

     --10 June 2002 Software Piracy on the Rise
    The rate of software piracy is increasing, a trend which may be
    attributed to the growth of computer markets in countries that
    traditionally have high piracy rates, such as China, India and Vietnam.
    http://www.cnn.com/2002/TECH/industry/06/10/software.piracy.ap/index.html
    [Editor's (Murray) Note: While polls suggest that the American people
    generally support these initiatives, I hope that I am not the only
    one that detects an ominous pattern.]

     --10 June 2002 Old Code Could be a Liability
    Microsoft will retire old code more quickly as part of its Trustworthy
    Computing Initiative, according to the company's director of security
    assurance, Steve Lipner. The problem of vulnerabilities stemming from
    old code is underscored by the Gopher Hole vulnerability unearthed
    this week. However, figuring out how to cut out code is a complex
    process since it is interdependent. eEye's Marc Maiffret says the
    problem is not that the code is old, but that the programmers are
    not reviewing the code before they use it.
    http://news.com.com/2100-1001-934363.html

     --7 June 2002 Florida Students Suspended for Changing Grades
    Two Florida high school students received 10-day suspensions for
    allegedly charging classmates $5 to alter grades and attendance
    records in the school's computer system.
    http://www.vnunet.com/News/1132421

     --7 June 2002 World Cup Virus
    The VBS.Chick-F virus claims to be results from the World Cup soccer
    tournament in Korea, but actually spreads itself through IRC channels
    and Microsoft Outlook. It arrives with the subject "RE: Korea
    Japan Results."
    http://news.com.com/2100-1023-933888.html

     --6 June 2002 Shakira Worm
    Shakira was created with a VBS worm generator kit and spreads through
    Microsoft Outlook or IRC. It displays a message that your computer
    is infected but otherwise has no destructive payload. It makes a
    few alterations to the registry, including one that will ensure it
    won't spread twice through the same machine.
    http://zdnet.com.com/2100-1105-933309.html

     --6 June 2002 Using Old Software Could be Smart Security Move
    Because script kiddies and hackers tend to focus on the latest
    software releases, using nearly obsolete software could be viewed as
    a security measure. Older software can also be more secure by virtue
    of the fact that bugs have been discovered and patches released.
    http://www.theregister.co.uk/content/55/25608.html
    [Editor's (Schultz) Note: I do not buy this notion at all. It is at
    best yet another "security by obscurity" ploy in that it will only work
    until the bad guys learn that old software versions are being deployed.
    (Murray) Another way of looking at it is that a population is at risk
    from homogeneity and a little diversity reduces that risk marginally.
    That is an effect but hardly a "security measure."]

     --6 June 2002 Group Copies Deceptive Duo Behavior
    Though the two men who called themselves the "Deceptive Duo" and
    defaced numerous government and business web sites with database
    screenshots in the name of security improvement have been arrested,
    another group has apparently picked up where they left off. The group,
    which calls itself "Infidelz," defaced a US Navy subdomain with a
    document allegedly taken from the Navy's human resources department.
    Though that site was taken down, another was soon similarly defaced.
    http://www.vnunet.com/News/1132407

     --6 June 2002 UK Cyber Snooping Center
    The National Technical Assistance Centre (NTAC), an Internet
    surveillance center for the UK government, will be housed at MI5
    headquarters. NTAC will decrypt Internet traffic and e-mail for
    law enforcement and security and intelligence agencies. Some have
    expressed concern that the presence of the centre will encourage
    cyber criminals to adopt stronger encryption technology.
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_2027000/2027377.stm
    http://www.vnunet.com/News/1132384

     --4, 5 & 6 June 2002 IE Gopher Hole
    A buffer overflow vulnerability in Internet Explorer's gopher client
    could allow an attacker to use a specially crafted web page or HTML
    e-mail to gain access to affected computers. Users can protect
    themselves by disabling the protocol. Microsoft is investigating
    the problem, and has criticized the company Oy Online Solutions for
    making the flaw public so soon.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71713,00.html
    http://www.cnn.com/2002/TECH/internet/06/05/microsoft.security.flaw.ap/index.html

     --5 & 6 June 2002 CERT/CC Warns of BIND Buffer Overflow Flaw;
                        Sun Releases Patches for Solaris Holes
    CERT/CC has warned of a flaw in BIND versions 9.2.0 and older that
    could allow denial of service attacks to be launched on DNS servers
    running the vulnerable software. After such an attack, BIND needs to
    be restarted before it will run again. Most Internet services depend
    on DNS servers. BIND versions 4 and 8 are unaffected. In an unrelated
    development, Sun Microsystems has released two patches for Solaris.
    The vulnerabilities lie in the snmpdx (format string vulnerability)
    and mibiisa (buffer overflow) agents in versions 2.6, 7 and 8 of the
    Solaris operating system; the flaws could allow attackers to gain root
    access to vulnerable systems.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71715,00.html
    http://www.theregister.co.uk/content/55/25607.html
    http://zdnet.com.com/2100-1105-932573.html
    http://www.cert.org/advisories/CA-2002-15.html

     --5 June 2002 Simile.D Calls for a New Spin on Virus Detection
    Though the Simile.D virus may not pose a huge threat to computers, it
    employs some unusual tactics that could have anti-virus researchers
    reevaluate current virus detection methods. Simile.D changes its
    characteristics, rendering signature-based detection ineffective.
    It also changes its size and is able to infect Linux-based machines
    from Windows machines and vice versa.
    http://zdnet.com.com/2100-1105-932447.html
    [Editor's (Grefer) Note: Heuristic detection has been available
    for quite some time by now; though it has a much higher performance
    "penalty" than signature-based detection.]

     --5 June 2002 Subpoena Asking for MSNBC Reporter's Notes is Withdrawn
    US prosecutors issued a subpoena for MSNBC reporter Bob Sullivan's
    notes and other information pertaining to interviews with Adrian Lamo,
    the hacker who broke into New York Times computers, accessing private
    information about numerous luminaries whose writings had appeared
    on the newspaper's Op-Ed page. The FBI withdrew the subpoena after
    it became evident that the attorney who had issued it had not had it
    reviewed by the Department of Justice.
    http://www.usatoday.com/life/cyber/tech/2002/06/05/hacker-subpoena.htm
    http://www.theregister.co.uk/content/6/25574.html
    http://news.com.com/2100-1023-933010.html

     --5 & 10 June 2002 Norwegian Database Password Uncovered
    The New Norwegian Culture Center in Oresta, Norway offered a reward
    for unlocking a dBase database that holds a catalogue of books and
    magazines written in New Norwegian. The man who compiled the database
    died before disclosing the password. Having to unlock passwords isn't
    an unusual request, though the cause is usually an unhappy employee who
    has left the company. A Swedish engineer used a program to help him
    discover the password, which turned out to be the database creator's
    last name spelled backwards.
    http://www.wired.com/news/culture/0,1284,52997,00.html
    http://www.computerworld.com/securitytopics/security/encryption/story/0,10801,71894,00.html
    http://news.com.com/2100-1001-934653.html
    Info:
    http://webon.prodat.no/wsp/aasentunet/webon.wsp?func=list&table=CONTENT&func_id=20020606b&template=content

     --5 June 2002 Canadian Man Arrested for Cyber Attack
    The Royal Canadian Mounted Police (RCMP) have arrested a Montreal
    man in connection with an attack last month on a US Postal Service
    web site. The man allegedly made 500 illegal Internet connections
    from his home.
    http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8251

     --4 June 2002 State AG Personnel Can Get Cybercrime Training
    Personnel in the offices of the Attorneys General of all 50 states will
    have the opportunity to receive training in cybercrime prosecution
    and investigation. The expertise in this area varies widely from
    state to state. The National Association of Attorneys General is
    working with The National Center for Justice and the Rule of Law
    (NCJRL) to develop the training program.
    http://www.fcw.com/geb/articles/2002/0603/web-train-06-04-02.asp
    [Editor's (Murray) Note: The issue is not availability, but motivation
    and opportunity.]

     --4 June 2002 Taiwan Reportedly Developing Open Source Project
    According to a report from Taiwan's Central News Agency, the country's
    government is developing its own open-source project; the move
    would provide Taiwan with significant savings in royalty payments.
    The Taiwanese government plans to train open source developers around
    the country.
    http://news.com.com/2100-1001-931765.html

     --4 June 2002 Biometrics Best Used Complementarily
    Biometric identification technology is best used in conjunction
    with other authentication and security measures, such as passwords,
    personal identification numbers (PINs) or tokens.
    http://www.newsfactor.com/perl/story/18052.html
    [Editor's (Murray) Note: True but not unique to biometrics.
    All authentication techniques, particularly passwords, are best used
    complementarily.]

     --3 June 2002 Rogue Access Points Pose Security Threat
    Many companies are unaware that they have rogue wireless access points
    installed on their corporate networks. Employees often
    install the access points without getting permission from the IT
    department. Companies are advised to establish and enforce strict
    policies regarding installing access points and to use SNMP tools
    and physical inspections to detect unauthorized access points.
    http://www.computerworld.com/mobiletopics/mobile/technology/story/0,10801,71656,00.html
    [Editor's (Murray) Note: One cannot successfully resist rogue access
    by policy and detection. One must use prevention. It is time to
    close our networks in any case. However, cheap wireless adds to
    the urgency.]

    ==end==

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9Bzpw+LUG5KFpTkYRAp4AAJwMkJI88rFgDN5actWDR1ZvT/Na4wCcCVJw
    vCN/aQ6gANZOCwOxXcKm2c4=
    =6czL
    -----END PGP SIGNATURE-----