From: The SANS Institute (sans_at_sans.org)
Date: Wed Aug 07 2002 - 11:53:35 CDT

    From: Alan for the SANS NewsBites service
    Re: August 7 SANS NewsBites

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
    SANS NewsBites August 7, 2002 Vol. 4, Num. 32
    ***********************************************************************

    TOP OF THE NEWS
    1 & 2 August 2002 OpenSSH Contaminated with Trojan
    1 & 2 August 2002 HP Won't Invoke DMCA Against SnoSoft
    1 August 2002 Clarke Urges Companies to Stop Selling Buggy Software
    31 July & 1 August 2002 Keep Finding Holes but Report Them
                             Responsibly, Says Clarke

    THE REST OF THE WEEK'S NEWS
    5 August 2002 National Strategy to Secure Cyberspace Will Address
                   Wireless Security
    31 July, 1,2 & 5 August 2002 DoD to Restrict Use of Wireless Devices
    31 July 2002 AT&T and Time Warner Push For Improved Wireless Security
    29 July & 5 August 2002 Cyber Attack Victims Should Have Recourse
    5 August 2002 Platform Allows Pursuit of Cyber Attackers
    5 August 2002 Security Manager's Journal: Great Intrusion Detection
                   Training
    5 August 2002 Two Cyber Corps Programs
    2 August 2002 Italian Police Arrest Hackers Who Attacked DoD
    2 August 2002 Collaborative Effort On New Security Vulnerabilities
    2 August 2002 Honeypot Liability Risks
    1 August 2002 Cisco TFTP Buffer Overflow
    31 July & 1 August 2002 Virus Count Down; Klez Still on Top
    31 July 2002 Surnova-B Worm Targets Kazaa Users
    30 July 2002 Time to Update Internet Protocols
    30 July 2002 Web Operator Nabs al Qaeda Site, But to No Avail
    29 July 2002 Hacker Says Activity was Unethical, Not Illegal

    SECURITY TRAINING NEWS
    3 August 2002 Gold Standard Training for Securing Windows 2000 using
    the new consensus standards and free testing tools got top ratings in
    both Melbourne Australia and Washington DC. 38 additional cities are
    now scheduled for this one-day, hands-on training. Detailed information
    on the new standards training is provided at the end of this issue.
    For locations: http://www.sans.org/Win2KWorldTour/

    31 July 2002 SANS announces that Richard Clarke will keynote the
    Network Security 2002 and the National Information Assurance Leadership
    Conference in October in Washington. http://www.sans.org/NS2002

    5 August 2002 National Information Assurance Leadership Awards
    nominations are now open. If you know of a group or consortium that
    has made a substantial difference in improving information security
    in the US (and the world) over the past twelve months, write a summary
    of their contribution and send it before August 20 to awards@sans.org.

    TOP OF THE NEWS
     --1 & 2 August 2002 OpenSSH Contaminated with Trojan
    The Computer Emergency Response Team Coordination Center (CERT/CC) has
    issued an advisory warning that certain versions of OpenSSH contain
    a Trojan horse, which could allow an attacker to gain control of
    vulnerable systems. Anyone who downloaded OpenSSH versions 3.2.2p1,
    3.4p1 or 3.4 on or after July 30 should verify the integrity of
    that software.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73159,00.html
    http://www.theregister.co.uk/content/55/26492.html
    CERT/CC Advisory: http://www.cert.org/advisories/CA-2002-24.html
    OpenSSH Advisory: http://www.openssh.com/txt/trojan.adv

     --1 & 2 August 2002 HP Won't Invoke DMCA Against SnoSoft
    Hewlett Packard has backed off of threats it made to invoke the
    Digital Millennium Copyright Act (DMCA) and the Computer Fraud
    and Abuse Act against a security research team called SnoSoft.
    Members of the group had been threatened with large fines and
    prison time. A member of SnoSoft apparently posted an exploit for
    a buffer overflow vulnerability in Hewlett Packard's Tru64 Unix OS.
    In a statement, the company asserts its commitment to security,
    acknowledges the vulnerability, promises a patch within two days,
    and indicates that it will not use the DMCA to "stifle research or
    impede the flow of information."
    http://news.com.com/2100-1023-947745.html
    http://zdnet.com.com/2100-1106-947740.html
    http://www.theregister.co.uk/content/55/26508.html
    [Editor's Note (Schultz): I've always had a lot of respect for HP and
    I am glad they came to their senses with respect to the DMCA issue.
    I fear, however, that more cases of this nature are going to emerge.
    DMCA has not proven to be a good thing for the security community;
    it enables vendors angry over discovery of vulnerabilities in their
    products to threaten or take legal action against those who have
    discovered the vulnerabilities.
    (Murray) It is not as though the security community did not complain
    about this law while it was under consideration. We were simply
    no match for the publishers' lobby. At the time they dismissed our
    concerns as "alarmist." (Same with UCITA). Now we find them using
    the literal language of the law for exactly the purposes that they
    disavowed while it was being debated.]

     --1 August 2002 Clarke Urges Companies to Stop Selling Buggy Software
    Speaking at the Black Hat computer security conference in Las Vegas,
    White House cybersecurity advisor Richard Clarke said that software
    companies need to stop selling unsecure software, and that users
    should refuse to buy products that don't provide adequate security.
    It's possible that with the release of the national cyber security plan
    in September, all federal agencies will be required to
    purchase only those IT products on a list of independently certified
    products; only the DoD is presently bound by such a requirement.
    http://www.computerworld.com/securitytopics/security/story/0,10801,73140,00.html

     --31 July & 1 August 2002 Keep Finding Holes but Report Them
     Responsibly, Says Clarke
    White House cyber security advisor Richard Clarke said that security
    professionals and hackers should continue to find security holes in
    software because the manufacturers are not going to find them all.
    Those who find the vulnerabilities should report them responsibly,
    first alerting the manufacturer and then the government. Exploits
    should not be published without first giving the companies a chance
    to address them with an update or a patch.
    http://www.washingtonpost.com/wp-dyn/articles/A26698-2002Jul31.html
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73146,00.html
    [Editor's Note (Schultz): Richard Clarke is right on track about this
    issue--it's good to hear him speak out.]

    THE REST OF THE WEEK'S NEWS

     --5 August 2002 National Strategy to Secure Cyberspace Will Address
                      Wireless Security
    The National Strategy to Secure Cyberspace is almost complete
    and will address such topics as wireless security and the related
    Internet instability due to wireless interconnectivity. The report
    will recommend that the government provide funding for research and
    development on wireless security issues.
    http://www.fcw.com/fcw/articles/2002/0805/news-wire1-08-05-02.asp
    [Editor's Note (Murray): Low-cost, low-power, digitally encoded,
    relay wireless promises to be the solution for persistent broadband
    connectivity over the last mile. While I prefer end-to-end security
    for applications, it is still essential that we address the potential
    of this technology to punch holes in the network. The price of this
    technology is dropping as fast as that of storage; it is urgent that
    we address security before it proliferates.]

     --31 July, 1,2 & 5 August 2002 DoD to Restrict Use of Wireless
                                      Devices
    Pentagon CIO John Stenbit says he will release new policy guidelines
    that drastically curtail the use of wireless devices at military
    installations. Pentagon officials are concerned that the basic
    insecurity of wireless devices could pose a threat to classified
    meetings; specifically, the new generation of wireless phones could
    be used to eavesdrop on conferences. The new policy extends beyond
    normally secured conference rooms to anywhere confidential and
    sensitive information may be discussed. In May, a security expert
    using his laptop and a wireless LAN card was able to scan the Defense
    Information Systems Agency's (DISA's) wireless network while sitting in
    a parking lot across the street from the DISA. The National Institute
    of Standards and Technology (NIST) has also released a draft guide
    outlining basic steps to take to secure such wireless devices.
    http://www.computerworld.com/mobiletopics/mobile/story/0,10801,73150,00.html
    http://www.fcw.com/fcw/articles/2002/0805/news-wire-08-05-02.asp
    http://www.govexec.com/dailyfed/0702/073002tdpm.htm
    http://www.gcn.com/vol1_no1/daily-updates/19509-1.html
    http://www.msnbc.com/news/788080.asp?0dm=T12PT

     --31 July 2002 AT&T and Time Warner Push For Improved Wireless
                     Security
    Someone living next door to an AT&T Broadband subscriber was able to
    access that subscriber's wireless network to send a pirated movie
    out to the Internet. AT&T Broadband is now asking its customers
    to turn on Wi-Fi encryption. Time Warner Cable has gone so far
    as to send letters to some broadband customers who share their
    bandwidth on wireless networks suggesting that they could be liable
    if the bandwidth they contract for is used for unlawful purposes.
    The National Institute of Standards and Technology (NIST) has called
    wireless networks "unacceptable risk[s]" for government agencies.
    http://zdnet.com.com/2100-1105-947496.html

     --29 July & 5 August 2002 Cyber Attack Victims Should Have Recourse
    Tim Mullen proposes that people be allowed to take action against
    unsecured computers that are used to launch attacks like Nimda and
    Code Red. He doesn't agree with the idea that administrators who
    did not secure machines are victims, and suggests that people take
    measures to take attacking machines off line without damaging them.
    Taking such action runs the risk of charges of trespassing or targeting
    the wrong machine.
    http://online.securityfocus.com/columnists/98
    http://www.cnn.com/2002/TECH/industry/08/05/defcon.hack.back.reut/index.html
    [Editor's Note (Schultz): I hope that no one will take Mr. Mullen
    seriously. We've taken a beating as the result of attackers'
    activity, true, but striking back is in almost all cases not the proper
    solution. It is unethical to act like a vigilante and furthermore it
    is in most cases illegal.]

     --5 August 2002 Platform Allows Pursuit of Cyber Attackers
    A systems architect and two colleagues at PRC, a division of defense
    contractor Northrop Grumman, have received a patent for a computer
    platform that allows people to pursue cyber attackers as the attack
    is taking place.
    (Note: This site requires free registration)
    http://www.nytimes.com/2002/08/05/technology/05TRAP.html?ex=1029124800&en=20f303c67bb75334&ei=5040&partner=MOREOVER

     --5 August 2002 Security Manager's Journal: Great Intrusion
                      Detection Training
    Computerworld's security manager's journal provides a first-person
    review of SANS's Intrusion Detection In-Depth training class. He
    lauded the speakers' depth of knowledge, the hands-on aspect, and
    the overall pace of the course. After arriving home, he reconfigured
    his sensor filters, making his IDS more efficient.
    http://www.computerworld.com/securitytopics/security/story/0,10801,73190,00.html

     --5 August 2002 Two Cyber Corps Programs
    There are two Cyber Corps scholarship-for-service programs offered
    by the US government and participating colleges and universities.
    One is managed by the National Security Agency (NSA) for the Defense
    Department (DoD); that program has 36 designated schools, and students
    must apply first to a defense or intelligence agency which then
    sponsors their scholarships. The other is managed by the National
    Science Foundation (NSF) and the Office of Personnel Management;
    that program has six participating schools across the country.
    Some students would like government agencies to be made more aware
    of the NSF's Cyber Corps.
    http://www.fcw.com/fcw/articles/2002/0805/mgt-cyber1-08-05-02.asp
    http://www.fcw.com/fcw/articles/2002/0805/mgt-cyber2-08-05-02.asp

     --2 August 2002 Italian Police Arrest Hackers Who Attacked DoD
    Italian police have arrested fourteen people belonging to two
    different hacking groups. The groups are allegedly responsible for
    a number of intrusions into US Army, Navy and NASA computer systems.
    The groups also allegedly broke into some Italian web sites, pirated
    movies and ran up fraudulent charges on credit cards. The crackers,
    who include a network security manager and a number of IT consultants,
    could face eight-year prison sentences. The U.S. Army CID (Criminal
    Investigation Command), U.S. Navy and the U.S. Secret Service assisted
    in the investigation.
    http://www.smh.com.au/articles/2002/08/02/1028157832175.html
    http://zdnet.com.com/2100-1105-948179.html

     --2 August 2002 Collaborative Effort On New Security Vulnerabilities
    The Internetworked Security Information Service (ISIS) is a
    collaboration among the Open Source Vulnerability Database, Alldas.de,
    PacketStorm and VulnWatch. The group will gather and offer information
    about security vulnerabilities and related tools at no cost.
    http://news.com.com/2100-1001-948127.html

     --2 August 2002 Honeypot Liability Risks
    Speaking at the Black Hat Briefings, Justice Department attorney
    Richard P. Salgado warned that honeypot law is "untested" and that
    people setting up the servers and networks designed to attract crackers
    could face such legal issues as liability for an attack launched
    from a compromised honeypot and charges of entrapment from crackers
    "charged with illegal activities."
    http://www.gcn.com/vol1_no1/daily-updates/19506-1.html
    [Editor's Note (Murray): "Entrapment," as a legal offense, is
    one that can only be committed by law-enforcement. A honeypot,
    like any other system connected to the Internet, can be compromised.
    However, it is probably less likely to be so than most systems and
    the liability issues are the same. That said, counter-intelligence
    is not an activity for amateurs.]

     --1 August 2002 Cisco TFTP Buffer Overflow
    A buffer overflow security hole in Cisco's Trivial File Transfer
    Protocol (TFTP) could allow an attacker to crash routers by requesting
    transfer of a file with too long a name.
    http://www.extremetech.com/article2/0,3973,430036,00.asp

     --31 July & 1 August 2002 Virus Count Down; Klez Still on Top
    Central Command, an antivirus company, says its numbers of tracked
    viruses were lower in July than in June, though the company is not
    sure what is responsible for the decrease. The Klez virus is still
    topping the charts at a number of antivirus firms.
    http://zdnet.com.com/2100-1105-947608.html
    http://zdnet.com.com/2100-1105-947611.html
    http://www.theregister.co.uk/content/56/26473.html

     --31 July 2002 Surnova-B Worm Targets Kazaa Users
    The Surnova-B worm has appeared on the Kazaa filesharing network as
    a file purporting to be Star Wars Episode Two and nude pictures of
    Britney Spears. The worm creates more false files for other users
    to download (mistakenly). Infected computers that are running MSN
    Instant Messenger could also send the virus to their contact list.
    http://www.web-user.co.uk/news/article/?afw_source_key={2A4A70CA-A3BB-4B01-8B05-2BF7925D19B5}

     --30 July 2002 Time to Update Internet Protocols
    White House security advisor Richard Clarke thinks it might be time
    to revamp Internet protocols to address wireless security concerns.
    http://www.washingtonpost.com/wp-dyn/articles/A22535-2002Jul30.html

     --30 July 2002 Web Operator Nabs al Qaeda Site, But to No Avail
    A web operator managed to grab the web address of an al Qaeda
    communications site when the address registration expired; he
    quickly filled it with content from a previous version of the site
    and reportedly presented it to the FBI, hoping they could use the
    site for spreading false information or gathering information on
    terrorist sympathizers. The FBI didn't act quickly enough and people
    eventually became aware that the site was not under al Qaeda control.
    http://www.washingtonpost.com/wp-dyn/articles/A21523-2002Jul30.html

     --29 July 2002 Hacker Says Activity was Unethical, Not Illegal
    Robert Starks admits he intercepted sensitive e-mail from his former
    employer's systems and posted it on his web site. He maintains that
    he used his access privileges as system administrator to obtain the
    e-mail and therefore did nothing illegal.
    http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8608

    UPDATE: The Windows 2000 Professional Gold Standard Training Program

    Many organizations are moving quickly to implement the
    NSA/NIST/GSA/DISA and Center for Internet Security Gold Standard
    for securing and auditing Windows 2000 Professional because it
    really works. In the new Gold Standard training programs, offered in
    38 cities over the next two months, you will get the training needed
    to build your confidence and skills.

    Who should attend? System administrators, auditors, security
    officers, or technically advanced managers responsible for Windows
    2000 systems will all benefit from this course. To register:
    http://www.sans.org/Win2KWorldTour/

    Tools you will learn include:
    SECEDIT.EXE
    SECURITY CONFIGURATION & ANALYSIS
    SECURITY TEMPLATES TOOL
    HFNETCHK.EXE
    CIS SCORING TOOL

    The secedit.exe tool is included as part of the Windows 2000 operating
    system. It is a command line utility and as such can be called from
    a batch file or logon script. Secedit.exe is used to analyze and
    configure security on a Windows 2000 machine. It can be used to apply
    a security template.

    Security Configuration and Analysis is a GUI snap-in for the MMC that
    includes functionality of the Secedit.exe tool, plus a lot more. It
    is not a part of any built-in consoles but can be added to a custom
    console.

    The templates tool is also available as an MMC snap-in. It is not a
    part of any built-in consoles but can be added to a custom console. The
    templates tool will list all the built-in security templates by
    default, located in the C:\Winnt\Security\Templates directory.

    The HFNetChk tool was developed by Shavlik Technologies for
    Microsoft in response to many administrators' complaints
    about needing a reliable method for determining the exact
    local and remote Service Pack and Hotfix level of target
    machines. HFNetChk.exe is freely available from the Microsoft website,
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/hfnetchk.asp

    The Center for Internet Security tool is available on
    http://www.cisecurity.org/

    To register: http://www.sans.org/Win2KWorldTour/

    == end ==

    NewsBites Editorial Board:
    Kathy Bradford, Dorothy Denning, Roland Grefer, Bill Murray, Stephen
    Northcutt, Alan Paller, Marcus Ranum, and Eugene Schultz

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sans@sans.org with the subject:
    Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    You may also email <sans@sans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9UUOk+LUG5KFpTkYRAnHdAJ4pcnLPCF+iUUQMAdBoeDzhSaye1QCfX2bn
    9+EB3LH6/KMk4TJq3WcIGyo=
    =3LUz
    -----END PGP SIGNATURE-----