From: The SANS Institute (sans@sans.org)
Date: Wed Jul 03 2002 - 09:03:44 CDT
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: July 3 SANS NewsBites
Preliminary data from the SANS 2002 Security/Sysadmin Salary Survey:
- Average salary: $69,340 (median $67,000)
- Average bonus: 14.5% of base salary (median 10%).
- Average salary increases 7% (down from 11.6% in 2000)
- Global patterns (variance from global average): US +5.6%, UK -9.7%,
Other W. Eur -13.3%, Australia -27.7%, Canada -34%,
Latin & S. America -51.2%
- US regional patterns (variance from US average): NY/NE +9.3%,
West Coast +4.2%, Mid-Atlantic +2.6%, Southwest -3.8%,
Southeast -5.6%, Midwest -6.1%
More data from the survey, including data on career paths (a new
feature this year) and factors affecting job satisfaction are at the
end of this Newsbites.
SANS salary survey is continuing through the summer.
You may get detailed data from the survey by filling it out at
http://rr.sans.org/survey In the process, you will also get access
to the 2,000 unique security research papers in the SANS Reading Room.
In a separate salary survey, reported in the second story below, SANS
GIAC and CISSP certifications accounted for the largest "certification
premium pay," ranging up to more than 10%.
Alan
**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 27 July 3, 2002
Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz
*********************************************************************
TOP OF THE NEWS
25 & 27 June 2002 NIST Study Says Software Flaws Cost the Country
a Bundle
1 July 2002 Security Salaries Up, Raises and Bonuses Down;
Certification Pays
1 July 2002 BIND and BSD Resolver Library Buffer Overflow Flaw
25, 26 & 27 June 2002 OpenSSH Buffer Overflow Vulnerability
27 June 2002 al Qaeda Could Pose Significant Cyber Threat to US
Critical Infrastructure
30 June 2002 Massive Cyber-Terrorism on Critical Infrastructure
Unlikely, Say Experts
25 & 26 June 2002 IT Professionals Not Confident Government Could
Handle a Cyber Attack
THE REST OF THE WEEK'S NEWS
28 & 30 June 2002 Media Player Patch EULA Harbors a Surprise
26 & 27 June 2002 Windows Issues Patch for Media Player
Vulnerabilities
27 June 2002 Microsoft Issues a Patch for Commerce Server Holes
28 June 2002 GameSpy Installer Infected with Nimda
26 June & 1 July 2002 Yaha.E Worm Targets Pakistani Government Site
27 June 2002 W32.dotor.A
25, 26 & 27 June 2002 Legislation Would Okay Hacking Back at
Filesharing Copyright Violators
27 June 2002 Polish Prosecutors Looking for NASA Hacker
26 June & 1 July 2002 Warchalking
24 & 26 June 2002 Florida Man Arrested for Keystroke Logging
26 June 2002 Site Will Tell You if Your Credit Card Number has
Been Stolen
26 June 2002 Who's Who in Government Cyber Security
26 June 2002 BestBuy Files Suit Against Spammers
26 June 2002 A Timeline of Worms, Viruses and Other Cyber Attacks
25 June 2002 Near North Suit Alleges Former Employees Stole Sensitive
Data
25 June 2002 Broadband Modem Password Problems
25 June 2002 NIPC, NIST and SBA to Offer Vulnerability Seminars for
Small Businesses
25 June 2002 FBI Deluged with Applicants
24 June 2002 Mitnick Testifies at Las Vegas Call Diversion Hearing
24 June 2002 Microsoft Will Release Some Palladium Source Code
22 June 2002 TSA Won't Endorse Trusted Traveler Airport Security
Project
IN-DEPTH TECHNICAL SECURITY TRAINING (AND SECURITY MANAGEMENT COURSES)
IN THE NEXT 120 DAYS
*If you are planning to attend any security conference this fall, make
it SANS Network Security 2002 - the largest security conference.
http://www.sans.org/NS2002
*More Large SANS Training programs: Denver, Marina Del Ray (CA),
Ottawa, New York
*Smaller SANS programs: Detroit, San Antonio, Virginia Beach,
St. Louis, San Diego, Vienna, VA, Omaha, London, Vancouver,
Kuala Lumpur.
*Online and mentor-led programs starting up in August/September
in 40 cities.
Details and registration information for all programs: www.sans.org
******************* This Issue Sponsored by VeriSign *****************
The Value of Trust
FREE E-COMMERCE SECURITY GUIDE
Is your e-business built on a strong, secure foundation? Find out
with VeriSign's FREE White Paper, "Building an E-Commerce Trust
Infrastructure." Learn how to authenticate your site to customers,
secure your web servers with 128-Bit SSL encryption, and accept secure
payments online.
Click here: http://www.verisign.com/cgi-bin/go.cgi?a=n20390091010057000
**********************************************************************
TOP OF THE NEWS
--25 & 27 June 2002 NIST Study Says Software Flaws Cost the Country
a Bundle
According to a National Institute of Standards and Technology
(NIST) study, "buggy software" costs the US $59.9 billion annually,
with the lion's share of the burden falling on consumers. Better
testing could reduce the cost by as much as 1/3, or $22 billion.
http://www.computerworld.com/managementtopics/management/itspending/story/0,10801,72245,00.html
http://www.vnunet.com/News/1133047
http://www.nist.gov/public_affairs/releases/n02-07.htm
[Editor's Note (Schultz): Good testing is only a part of good software
engineering practices. Using the full gamut of software engineering
practices would reduce the cost substantially more.]
--1 July 2002 Security Salaries Up, Raises and Bonuses Down;
Certification Pays
Two salary surveys agree that raises for security professionals are
down substantially, but they are still getting better raises than
their peers in other areas of IT. Security certifications from GIAC
and ISC2 lead to substantial pay premiums.
http://www.nwfusion.com/news/2002/0701secpros.html
http://www.computerworld.com/careertopics/careers/story/0,10801,72432,00.html
--1 July 2002 BIND and BSD Resolver Library Buffer Overflow Flaw
A buffer overflow flaw in BIND and BSD resolver libraries could allow
attackers to take control of vulnerable systems. If applications
dynamically link to the library, the problem can be fixed by updating
the library. However, if the libraries are embedded, administrators
will have to recompile the applications.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,72408,00.html
--25, 26 & 27 June 2002 OpenSSH Buffer Overflow Vulnerability
Open Secure Shell (OpenSSH) versions 3.0 - 3.2.3 on OpenBSD and
other operating systems are susceptible to buffer overflow attacks.
The vulnerability could be exploited to gain control of the computer
with a high level of access. OpenSSH developers have made a patch
available; users are encouraged to apply the patch or upgrade to
OpenSSH 3.4.
http://www.linuxsecurity.com/articles/cryptography_article-5185.html
http://www.theregister.co.uk/content/55/25910.html
http://zdnet.com.com/2100-1105-939887.html
http://www.openssh.com/txt/preauth.adv
http://www.cert.org/advisories/CA-2002-18.html
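A practical follow-up to the OpenSSH item is triaging an inventory of SSH server banners against the 3.0 - 3.2.3 range quoted above. The script below is an added example, not code from SANS or the OpenSSH project; the host names and banners are constructed sample data, and the banner format ("SSH-<protocol>-OpenSSH_<version>") is the identification string an OpenSSH server sends on connect.

```python
"""Triage captured SSH banners against the OpenSSH 3.0 - 3.2.3 range.

Added example. Assumes banners were collected by an inventory tool;
the SAMPLE_BANNERS dict below is constructed, not real data.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the news item; 3.4 is the upgrade target.
AFFECTED_MIN: Version = (3, 0, 0)
AFFECTED_MAX: Version = (3, 2, 3)

# "SSH-1.99-OpenSSH_3.2.3p1": protocol id, then OpenSSH_major.minor[.patch][pN].
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?")


def parse_banner(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) for an OpenSSH banner, else None.

    A missing patch component (e.g. "OpenSSH_3.4") is treated as 0, and a
    portable-release suffix such as "p1" is ignored, since the range in the
    advisory summary is given without it.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(banner: str) -> str:
    """Classify one banner: affected / older / outside-range / unknown."""
    v = parse_banner(banner)
    if v is None:
        return "unknown"        # not OpenSSH, or a format we do not parse
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v < AFFECTED_MIN:
        return "older"          # predates the stated range; check separately
    return "outside-range"      # 3.3 or later as described here; 3.4 is fixed


# Constructed inventory: host name -> banner string captured on connect.
SAMPLE_BANNERS: Dict[str, str] = {
    "host-a": "SSH-1.99-OpenSSH_3.2.2",
    "host-b": "SSH-2.0-OpenSSH_3.4",
    "host-c": "SSH-1.99-OpenSSH_3.0.2p1",
    "host-d": "SSH-2.0-OpenSSH_2.9p2",
    "host-e": "SSH-2.0-Sun_SSH_1.0",
}


def triage_inventory(banners: Dict[str, str]) -> Dict[str, str]:
    """Apply triage() to every host in the inventory."""
    return {host: triage(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```

Hosts reported as "affected" are the ones to patch or move to 3.4 first; "unknown" hosts need manual review rather than being assumed safe.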
--27 June 2002 Al Qaeda Could Pose Significant Cyber Threat to US
Critical Infrastructure
Evidence indicates that al Qaeda's cyber capabilities are stronger than
previously thought. Digital control systems for various elements of
the nation's critical infrastructure have been probed. Distributed
control systems (DCS) and supervisory control and data acquisition
(SCADA) systems are configured with very little security as they were
not designed for public access. Additionally, information found on al
Qaeda computers indicates members have been studying the structural
integrity of a dam. The Washington Post article also describes the
ease with which an Australian man was able to manipulate a digital
control system to release sludge from a sewage treatment plant several
years ago.
http://www.washingtonpost.com/wp-dyn/articles/A50765-2002Jun26.html
http://news.bbc.co.uk/hi/english/sci/tech/newsid_2070000/2070706.stm
http://www.cnn.com/2002/US/06/27/alqaeda.cyber.threat/index.html
--30 June 2002 Massive Cyber-Terrorism on Critical Infrastructure
Unlikely, Say Experts
Computer security and terrorism experts are skeptical that al Qaeda
could do serious harm to the nation's critical infrastructure with
computers.
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/06/30/MN152350.DTL
--25 & 26 June 2002 IT Professionals Not Confident Government Could
Handle a Cyber Attack
Nearly half of 295 IT professionals participating in a recent survey
believe the US could be the target of a major cyber attack in the
next year; they do not think the government is adequately prepared
to deal with an attack and its fallout.
http://www.gcn.com/vol1_no1/daily-updates/19113-1.html
http://www.computerworld.com/securitytopics/security/story/0,10801,72268,00.html
http://www.washingtonpost.com/wp-dyn/articles/A47680-2002Jun26.html
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Stop Unwanted E-Mail at the Server - FREE White Paper on Email
Security
http://www.sans.org/cgi-bin/sanspromo/NB49
(2) WEB SERVER BODY ARMOR! Protect you IIS Web Server with SecureIIS -
FREE Trial
http://www.sans.org/cgi-bin/sanspromo/NB50
***********************************************************************
THE REST OF THE WEEK'S NEWS
--28 & 30 June 2002 Media Player Patch EULA Harbors a Surprise
According to the End User License Agreement (EULA), when you install
Microsoft's patch for Media Player vulnerabilities, you grant Microsoft
the right to force automatic updates on your system.
http://bsdvault.net/article.php?sid=527&mode=&order=0
http://www.theregister.co.uk/content/55/25956.html
[Editor's Note (Murray): Without getting into the debate over how much
copyright owners should be able to cripple our systems to enforce their
rights, few businesses would want to authorize "automatic updates"
that might limit their use of their systems. Fewer still rely on
Windows Media Player. However, most end users understand that AOL
automatically updates their systems at its discretion.]
--26 & 27 June 2002 Windows Issues Patch for Media Player
Vulnerabilities
Microsoft has issued a patch for security flaws in its Windows
Media Player: an information disclosure vulnerability, a privilege
escalation flaw, and a script execution vulnerability. The first
and more critical of the flaws could let an attacker run rogue code
on a vulnerable computer.
http://zdnet.com.com/2100-1104-939873.html
http://zdnet.com.com/2100-1104-940063.html
http://www.theregister.co.uk/content/55/25919.html
http://www.microsoft.com/technet/security/bulletin/MS02-032.asp
--27 June 2002 Microsoft Issues a Patch for Commerce Server Holes
Microsoft has released a patch for security holes in its Commerce
Server software that could be exploited to run unauthorized code on
vulnerable computers.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,72282,00.html
http://www.microsoft.com/technet/security/bulletin/MS02-033.asp
--28 June 2002 GameSpy Installer Infected with Nimda
GameSpy Arcade Installer 1.09 was infected with the Nimda virus
for several hours last week. An estimated 3,100 infected files were
downloaded, and the company is contacting all who might have downloaded
the affected software. The installer has been replaced with a clean
version. In a separate incident, kaZaA users were exposed to the
Backdoor.K0wbot1.3.B virus that contains a "remote backdoor component."
http://www.theregister.co.uk/content/56/25945.html
http://www.msnbc.com/news/773650.asp?0dm=T227T
--26 June & 1 July 2002 Yaha.E Worm Targets Pakistani Government Site
The Yaha.E worm carries a payload that lobs a slow denial-of-service
attack against www.pak.gov.pk, the official website of the Pakistani
government. According to some analysis, the worm also tries to
disable anti-virus and firewall software. In addition, Hotmail's
anti-virus scanner apparently did not detect Yaha.E as of June 26,
allowing members to both receive and send the worm. Yaha.E also
drops a text file on infected computers that claims the worm is the
work of sNAkeeYes,c0Bra.
http://online.securityfocus.com/news/501
http://theregus.com/content/56/25389.html
http://www.vnunet.com/News/1133119
--27 June 2002 W32.dotor.A
W32.dotor.A is a mass-mailer worm that poses as a fix for macro
viruses. It arrives as an attachment called Doctor.exe.
http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=54212&REQSTR1=silicon.com
http://securityresponse.symantec.com/avcenter/venc/data/w32.dotor.a@mm.html
--25, 26 & 27 June 2002 Legislation Would Okay Hacking Back at
Filesharing Copyright Violators
Congressman Howard Berman (D-Calif.) has proposed legislation that
would allow record companies to launch cyber attacks on peer-to-peer
content sharing networks that violate copyright laws. Permitted
defenses would include interdiction, redirection and spoofing, but
the law does not allow damage to computers or the spread of viruses.
The legislation would provide for penalties for those who abuse
their power.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_2069000/2069747.stm
http://news.com.com/2100-1023-939333.html
http://www.theregister.co.uk/content/6/25903.html
Press release: http://www.house.gov/berman/pr062502.htm
[Editor's Note (Schultz): I've lamented the lack of relevant computer
crime legislation in the past, but this proposed bill is not at all
what we need. Giving companies the right to launch attacks against
the networks of organizations that engage in peer-to-peer sharing is
extremely inappropriate. It is like giving a victim of home theft
the right to break into the thief's home. What Congressman Berman
is doing is promoting vigilantism instead of helping to promote
law and order. Hopefully, this legislation will fail.]
--27 June 2002 Polish Prosecutors Looking for a NASA Hacker
A Polish prosecutor says efforts are underway to find the person who
allegedly broke into NASA computer system, causing an estimated $1
million in damage.
http://www.reuters.com/news_article.jhtml?type=internetnews&StoryID=1139929
--26 June & 1 July 2002 Warchalking
Matt Jones has devised "warchalking," a system of sidewalk chalk
symbols that tell people where they can access wireless network nodes.
There are different symbols to denote open, closed, and WEP-protected
nodes, and each one is capped with the node's Service Set Identifier
(SSID). According to Jones, some system administrators have been
appreciative of the system because it helps them know where their
networks are exposed.
http://news.com.com/2100-1033-939546.html
http://news.bbc.co.uk/hi/english/in_depth/sci_tech/2000/dot_life/newsid_2070000/2070176.stm
Matt Jones's web site: http://www.blackbeltjones.com/warchalking/
--24 & 26 June 2002 Florida Man Arrested for Keystroke Logging
Dimitri Sinilnikov has been arrested at Pasadena (CA) City College
(PCC) as he was attempting to install keystroke capture software.
The 48-year-old Mr. Sinilnikov, a.k.a. Michael Negron, was convicted
of identity theft in Florida and faces parole violation charges for
leaving the state.
http://chronicle.com/free/2002/06/2002062401t.htm
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,72274,00.html
--26 June 2002 Site Will Tell You if Your Credit Card Number has
Been Stolen
CardCops has created a web site, http://www.Cardcops.com, where
people can enter their credit card numbers to find out if they have
been stolen. The group garnered the credit card information from
various chat rooms dedicated to credit card fraud, and they have turned
their database over to the Secret Service. Cardcops says they have
secured the database and they do not have people enter their cards'
expiration dates.
http://www.cnn.com/2002/TECH/internet/06/26/identity.theft.ap/index.html
--26 June 2002 Who's Who in Government Cyber Security
A list of people involved in the government's cybersecurity efforts
includes Bush administration officials, legislators from both houses,
and private sector representatives.
http://www.washingtonpost.com/wp-dyn/articles/A50625-2002Jun26.html
--26 June 2002 BestBuy Files Suit Against Spammers
Hackers managed to steal a BestBuy.com e-mail list and used it to
send spam with adult content. Best Buy Concepts, Inc. has filed
suit in U.S. District Court against the as yet unknown defendants,
referred to as John and Jane Doe, seeking damages greater than $75,000.
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8399
--26 June 2002 A Timeline of Worms, Viruses and Other Cyber Attacks
An overview of virus and cyber-attack milestones.
http://www.washingtonpost.com/wp-dyn/articles/A50636-2002Jun26.html
--25 June 2002 Near North Suit Alleges Former Employees Stole
Sensitive Data
Near North National Group has filed a civil lawsuit against three
former employees who allegedly broke into company computers and
obtained intellectual property and other confidential data and shared
it with a Near North competitor. The company is seeking to recover
$645,000, the cost of investigating the incident and securing their
network. Near North has asked the FBI to investigate.
http://www.chicagobusiness.com/cgi-bin/news.pl?post_date=2002-06-25&id=5785
http://www.nnng.com/NewsAtNearNorth/press_releases/pr26.html
--25 June 2002 Broadband Modem Password Problems
Many broadband modems are installed with default passwords, leaving
them susceptible to hackers and spammers, and the directions for
changing the passwords are not always clear or easy. In addition,
hackers can access broadband modems even when computers are turned off.
A New Zealand programmer who found his modem was compromised wrote
a program that looked for vulnerable connections and sent warning
messages when they were found. He was threatened with possible
legal action.
http://www.nzherald.co.nz/storydisplay.cfm?storyID=2048412
[Editor's Note (Grefer): One more reason to place a NATing (network
address translating) router directly behind the broadband modem.]
--25 June 2002 NIPC, NIST and SBA to Offer Vulnerability Seminars
for Small Businesses
The National Infrastructure Protection Center (NIPC), the National
Institute of Standards and Technology (NIST) and the Small Business
Administration (SBA) have joined forces to help small businesses
identify security vulnerabilities in their computer systems. The
alliance will begin by offering seminars in three cities this summer.
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8394
http://csrc.nist.gov/securebiz
--25 June 2002 FBI Deluged with Applicants
The FBI has received 47,000 applications for 900 special agent
positions that director Robert Mueller hopes to fill with people
possessed of strong computer and information technology skills.
http://www.fcw.com/fcw/articles/2002/0624/web-fbi-06-25-02.asp
--24 June 2002 Mitnick Testifies at Las Vegas Call Diversion Hearing
Some purveyors of adult entertainment in Las Vegas, NV have
complained that calls to their businesses are being diverted, and
Sprint denies the allegation, maintaining their systems have never
been compromised. Kevin Mitnick testified at a hearing that he had
once gained control of Sprint's switching systems in that city.
http://online.securityfocus.com/news/497
--24 June 2002 Microsoft Will Release Some Palladium Source Code
Microsoft will release the source code to the secure processing
environment of Palladium. They hope that releasing the code will
boost trust in the project. The group product manager for the
Palladium project says releasing the code enhances its security.
The statement is an apparent about face from the company's previous
stance on open source code.
http://news.com.com/2100-1001-938973.html
[Editor's Note (Schultz): Some proprietary software is secure, some
is insecure. The same applies to open software. The quality of the
development process is the critical value. At any rate, Microsoft
deserves credit for trying something new, releasing Palladium as open
software, which is quite a bold experiment.]
--22 June 2002 TSA Won't Endorse Trusted Traveler Airport Security
Project
The Transportation Security Administration (TSA) will not endorse the
"trusted traveler" project, which would use biometric technology
and smart cards to allow prescreened passengers a faster route
though airport security, because they believe the system could be
vulnerable to terrorist infiltration. The White House Office of
Homeland Security has shown interest in the project. It is unclear
when testing would begin. Civil liberties activists are opposed to
the idea.
http://www.washingtonpost.com/wp-dyn/articles/A25989-2002Jun21.html
==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.
You may also email <sans@sans.org> with complete instructions and
your SD number for subscribe, unsubscribe, change address, add other
digests, or any other comments.
======
Additional data from the 2002 SANS Security/Sysadmin Salary Survey
- Top paying industries: consulting, system integration, aerospace,
banking, computer and network manufacturing, and telecom.
- Lowest paying industries: education, other not-for-profits, and
government agencies.
- Employers with more than 10,000 employees paid their security and
system administration staff nearly 10% more, on average, than did
smaller employers.
- Security and system administrators who work with UNIX reported
salaries nearly 25% higher than those who work primarily with
Windows systems.
Career Paths in Information Security
For the first time this year, SANS has tabulated information about
career paths by asking what positions people held three years ago.
Since most people are in the same position (at higher levels) the data
is sparse. Still it provides a fascinating picture of mobility among
various security and system administration jobs (with the exception
of auditing that seems to be more insular). The primary starting
points for people who want to work in security appear to be system
administration, network administration, and help desk analyst.
The Most Important Aspects of Job Satisfaction
Employers can affect job satisfaction for security and system
professionals in dozens of ways. The survey measured 25 of them.
Only five had a large impact:
Number 1:
Management that shows respect for and trust in your decisions
Tied for number 2:
Educational/training opportunity
Ability to work with and learn new, advanced technologies
Challenge of job/responsibility
Number 5:
Base pay
Among the lowest rated aspects were the reputation of the company,
availability of workout facilities, and stock options.