From: The SANS Institute (sans_at_sans.org)
Date: Wed Oct 16 2002 - 10:26:30 CDT
From: Alan for the SANS NewsBites service
Re: October 16 SANS NewsBites
***********************************************************************
SANS NewsBites October 16, 2002 Vol. 4, Num. 42
***********************************************************************
TOP OF THE NEWS
14 October 2002 NASA's Security Remediation Works
10 October 2002 Proposed Legislation Would Make GISRA Permanent
9 October 2002 Chinese Computers Have High Rate of Virus Infection
8 October 2002 Clarke Pushes for Internet Operations Center
8 October 2002 UCSB Students Not Allowed To Connect Windows 2000 or
NT Machines to School Net
THE REST OF THE WEEK'S NEWS
14 October 2002 Schmidt Says Cyber Security Cost is Increasing
11 October 2002 Buffer Overflow Flaw in Outlook Express
11 October 2002 Three New NIST Draft Guides
11 October 2002 U.S. Copyright Office Invites Public Comment on DMCA
11 October 2002 Australian Customs to Pilot Facial Recognition
Passport System
8 & 10 October 2002 Carnegie Mellon Gets $35.5 Million Grant for
Cyber Security Research
10 October 2002 Henpeck Worm Spreads Via MSN Messenger
10 October 2002 Sustainable Computing Consortium
10 October 2002 Proposed Legislation Would Indemnify Government
Contractors
9 October 2002 Microsoft May Offer New Security Products
9 October 2002 Treasury to Start Deploying Smart Cards
9 October 2002 Why PKI is Not Hot
8, 9 & 10 October 2002 Some Sendmail Distributions Contain Trojan
Horses
8 October 2002 Trend Micro Will Pay Fines for Late Virus Signatures
7 & 8 October 2002 Bugbear Revives Jdbgmgr.exe Hoax
7 October 2002 Top 20 a Good Remedy for Audits
7 October 2002 OASIS Member Disagreement May Delay Web Services
Standard Release
7 October 2002 Budget Increase Not Enough to Properly Address
Security, Says Gartner
SECURITY TRAINING NEWS
*SANS Cyber Defense Initiative in San Francisco - Dec. 15-20
Featuring 8 hands-on SANS immersion training tracks plus SANS@Night,
featuring action plans for fighting back by implementing a Top Twenty
remediation program. San Francisco is often warmer and less crowded
in December than in August.
*Advanced security training in fifteen additional cities, plus Local
Mentor programs in 25 cities.
See: http://www.sans.org for details on these programs
*************** This Issue Sponsored by Tripwire, Inc. ****************
ASSURE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER.
Tripwire data integrity assurance solutions pinpoint changes to your
servers and network devices, accelerating discovery and increasing
uptime, making you the hero of your IT organization.
Click here to get a FREE copy of our Security Exploit and Vulnerability
Matrix Poster.
http://www.tripwire.com/literature/poster/index.cfm?djinn=703
***********************************************************************
TOP OF THE NEWS
--14 October 2002 NASA's Security Remediation Works
NASA's "scanning and remediation program" has proven successful in
addressing cyber security problems at the agency and reducing the
number of successful compromises even as attempted compromises
surged. Three years ago, NASA identified the 50 top security
vulnerabilities on its machines and began scanning for them. NASA
challenged its centers to reduce the vulnerability to computer ratio
from 1:1 to 1:4; the present ratio is about 1:10. When it reached
that goal it went on to a second set of lower priority vulnerabilities
and then again to a third set.
http://www.fcw.com/fcw/articles/2002/1014/mgt-nasa-10-14-02.asp
[Editor's Note (Schultz): Where I work {a major national research
lab and university} we've launched an aggressive vulnerability
scanning program; the results have been incredible. On the basis of
our results, I have no doubt whatsoever that NASA is achieving the
success it claims to have achieved.
(Paller): NASA was the model that motivated the development of the
SANS/FBI Top Ten and Top Twenty Internet Vulnerabilities - giving
people all over the Internet the initial set of vulnerabilities
to attack. The lessons learned by NASA and the techniques NASA
developed will be taught in a series of evening sessions in the
Cyber Defense Initiative conference in San Francisco the 3rd week
in December. The program will be open to all delegates at the
conference. http://www.sans.org/CDI02/]
--10 October 2002 Proposed Legislation Would Make GISRA Permanent
Senate bill 3067, introduced last week, would make the Government
Information Security Reform Act (GISRA) permanent; under current
provisions, GISRA expires on November 22, 2002. GISRA requires
that government agencies evaluate the security of their information
technology systems and provide reports to the Office of Management
and Budget (OMB).
http://www.gcn.com/vol1_no1/daily-updates/20236-1.html
--9 October 2002 Chinese Computers Have High Rate of Virus Infection
The China Daily newspaper reported the results of a survey conducted
by the National Computer Virus Emergency Response Center that found
that 80% of computers in China are infected with viruses.
http://www.reuters.com/news_article.jhtml?type=internetnews&StoryID=1557133
http://www1.chinadaily.com.cn/news/cn/2002-10-10/88972.html
--8 October 2002 Clarke Pushes for Internet Operations Center
Richard Clarke is trying to gather support for a public/private
Internet operations center which would monitor the Internet for cyber
attacks and issue warnings. The center would receive data from 15-20
Internet service providers (ISPs) and router and security companies
and would be hosted by a university or national laboratory. The center
would not be run by the government, but would receive some federal
funding. Clarke hopes to include the creation of the center in the
final draft of the Strategy to Secure Cyberspace.
http://www.govexec.com/dailyfed/1002/100802tdpm1.htm
http://www.gcn.com/vol1_no1/daily-updates/20223-1.html
--8 October 2002 UCSB Students Not Allowed To Connect Windows 2000
or NT Machines to School Net
Students at the University of California at Santa Barbara (UCSB) may
not connect their computers to the university network if they are
running Windows 2000 or NT; many computers running those operating
systems were found to be compromised by malware.
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanS.db&command=viewone&id=66&op=t
http://www.resnet.ucsb.edu/information/win2k.html
[Editor's Note (Paller): Note the words at the second link: "Providing
a reliable, high performance network for [every] user is the entire
reason we are here. Because of that, we have to consider the overall
health of our network when dealing with vulnerable operating systems,
virus protection, and network security threats." UCSB's approach,
where protection of the community is valued highly, is spreading
and will ultimately lead to ISPs taking responsibility for ensuring
the people they connect to the Internet do not place others at
risk. Bravo UCSB! If you know of other organizations following (or
leading) this trend, let us know so we can share their stories, too.]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Dorian Software Creations: Automate Event Log
and Syslog Monitoring, Archiving, and Analysis!
http://www.sans.org/cgi-bin/sanspromo/NB87
(2) 90% of attacks continue to bypass firewalls &
IDS. Prevent it! Visit Top Layer - White Papers
http://www.sans.org/cgi-bin/sanspromo/NB88
(3) FREE WEB SECURITY REPORT FROM STRATUM8 - Protect
Web Applications from all hacks and vulnerabilities.
http://www.sans.org/cgi-bin/sanspromo/NB89
***********************************************************************
THE REST OF THE WEEK'S NEWS
--14 October 2002 Schmidt Says Cyber Security Cost is Increasing
White House cyber security advisor Howard Schmidt says, "cyber-related
incidents are increasing in number, sophistication, severity and
cost," and urges cooperation within and between the public and
private sectors.
http://www.cnn.com/2002/TECH/biztech/10/14/crime.cyberspace.reut/index.html
[Editor's Note (Murray): It is a little early for cooperation. We are
having enough difficulty controlling our own domains without worrying
about each other. What the private sector expects of government is
that it put its own house in order, that it remedy its weak systems
that put us all at risk.]
--11 October 2002 Buffer Overflow Flaw in Outlook Express
A buffer overflow in the way Microsoft's Outlook Express versions 5.5
and 6.0 handle messages with MIME components could allow attackers to
take control of vulnerable machines; earlier versions may be affected
but they are no longer supported. Service Pack 2 for OE 5.5 and
Service Pack 1 for IE 6.0 are not vulnerable to the buffer overflow
attack. Microsoft has released an alert about the vulnerability and
has posted a patch for it on its website.
http://www.computerworld.com/securitytopics/security/story/0,10801,75067,00.html
http://news.com.com/2100-1001-961769.html
Alert: http://www.microsoft.com/technet/security/bulletin/MS02-058.asp
Patch: http://www.microsoft.com/windows/ie/downloads/critical/q328676/default.asp
--11 October 2002 Three New NIST Draft Guides
The National Institute of Standards and Technology's Computer Security
Division has released three draft guides: Selecting IT Security
Products (SP800-36), IT Security Services (SP800-35) and Security
Considerations in Federal IT Procurements (SP800-4A). The guides are
available on the NIST web site; comments are due by 11 November.
http://www.fcw.com/fcw/articles/2002/1007/web-nist-10-11-02.asp
http://csrc.nist.gov/
--11 October 2002 U.S. Copyright Office Invites Public Comment
on DMCA
The United States Copyright Office is inviting public comment on
the Digital Millennium Copyright Act (DMCA), the controversial law
that sent Russian programmer Dmitry Sklyarov to jail. The office is
looking specifically for instances in which the law's restrictions
cause actual problems in the marketplace.
http://news.com.com/2100-1023-961783.html
http://www.copyright.gov/1201/fr2002-4.pdf
[Editor's Note (Schultz): It's ironic that no one in the government
seems to be asking questions about how this Act can and has been
used by security-negligent corporations to hassle people who discover
vulnerabilities in their products.]
--11 October 2002 Australian Customs to Pilot Facial Recognition
Passport System
The Australian Customs Service (ACS) plans to begin testing a facial
recognition passport verification system at Sydney Airport. The ACS
will evaluate the system over the next six months, and then decide
whether to expand the program to other airports.
http://www.zdnet.com.au/newstech/security/story/0,2000024985,20269008,00.htm
--8 & 10 October 2002 Carnegie Mellon Gets $35.5 Million Grant for
Cyber Security Research
Carnegie Mellon University has been awarded a $35.5 million
grant over five years for antiterrorist policy and technology
development. Research will focus on the availability and security of
information and communications infrastructure, and on securing device
and physical access with biometrics.
http://www.wired.com/news/politics/0,1283,55649,00.html
http://www.fcw.com/fcw/articles/2002/1007/web-cyber-10-10-02.asp
--10 October 2002 Henpeck Worm Spreads Via MSN Messenger
The Henpeck worm spreads through MSN Messenger by convincing users
to download a file. Once the file is downloaded and executed, the
machine is infected and the worm sends instant messages encouraging
its spread to everyone on the user's buddy list. The file, which was
hosted online, has since been removed from the web. Infected machines may
have backdoors installed, which would allow attackers to use infected
computers to launch distributed denial of service attacks.
http://news.com.com/2100-1001-961693.html
--10 October 2002 Sustainable Computing Consortium
In an interview, William Guttman, professor of economics and technology
and director of the Sustainable Computing Consortium at Carnegie
Mellon University, describes the group's goals of improving software
quality and reliability.
http://zdnet.com.com/2100-1104-961521.html
--10 October 2002 Proposed Legislation Would Indemnify Government
Contractors
Senate bill 3076 would indemnify government contractors for liability
claims made against products and services sold to the government for
the purpose of homeland security.
http://www.govexec.com/dailyfed/1002/101002td2.htm
--9 October 2002 Microsoft May Offer New Security Products
Microsoft chief technical officer Craig Mundie said the company
may offer security services at an added cost to users; Steve Ballmer
clarified the point, saying Microsoft has no plans to charge customers
for security services, but it may release new security products. Mundie
also defended the company's position on legal liability for its
products, observing that if Microsoft were to assume liability,
the cost would be reflected in higher prices for its products.
http://news.com.com/2100-1001-961351.html
[Editor's Note (Murray): We are more interested in improvement in the
security of the products that we already get from MS than we are in
having MS offer security products.]
--9 October 2002 Treasury to Start Deploying Smart Cards
Seven thousand Treasury Department employees will receive smart
cards embedded with digital certificates as part of the Federal
Bridge Certification Authority, which allows digital certificate
interoperability between federal agencies and departments. Other
members include NASA, the Defense Department and the National Finance
Center.
http://www.gcn.com/vol1_no1/daily-updates/20232-1.html
--9 October 2002 Why PKI is Not Hot
Security experts at the RSA conference discussed reasons why PKI has
not taken off as originally expected. It is expensive to implement,
and it is not terribly valuable until it is ubiquitous. There are,
however, programs in US government that are trying to promote PKI.
http://zdnet.com.com/2100-1105-961350.html
[Editor's Note (Murray): PKI becomes valuable when one wants to share
existing certificates or keys across applications. Most of us hardly
have the first application.]
--8, 9 & 10 October 2002 Some Sendmail Distributions Contain
Trojan Horses
Someone apparently hacked the Sendmail FTP server so that every tenth
download of the open source mail server contained a Trojan horse that
installs itself when the source code is compiled. Users are encouraged
to use PGP signatures and checksums to verify the integrity of
downloaded software.
http://www.cert.org/advisories/CA-2002-28.html
http://news.com.com/2100-1001-961311.html
http://news.com.com/2100-1001-961469.html
http://www.theregister.co.uk/content/55/27511.html
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,74988,00.html
[Editor's Note (Shpantzer): Using the signatures and hashes that
distribution sites make available is effective, free and takes
very little time and effort. Use of this integrity check can help
administrators avoid serious headaches, not to mention calls from
management for heart-to-heart talks.]
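The integrity check this item and the editor's note recommend, as an added example that is not code from the newsletter, CERT or the Sendmail project: a publisher emits a checksum manifest in the coreutils `*sum` format and a downloader verifies files against it, flagging unlisted files, malformed digests and mismatches. It assumes the manifest reached the downloader over a channel the download server could not alter (for instance a PGP-signed announcement already checked with `gpg --verify`); the file name and tarball bytes are constructed sample data.

```python
# Added example, not code from the newsletter, CERT or the Sendmail project.
# Assumes the manifest text reached us over a channel the download server
# could not alter (e.g. a PGP-signed announcement already checked with
# gpg --verify). The tarball bytes below are constructed sample data.
import hashlib
import hmac

# Algorithm inferred from hex length; 2002 manifests used MD5, use SHA-256 now.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_CHARS = set("0123456789abcdef")

# Constructed stand-ins: a clean release, and a copy with a build-time backdoor.
CLEAN_TARBALL = b"sendmail.tar.gz: constructed clean source archive\n"
TROJANED_TARBALL = CLEAN_TARBALL + b"# hostile build rule appended\n"


def make_manifest(files, algo="sha256"):
    """Publisher side: one '<hexdigest>  <name>' line per file, the
    format the coreutils *sum tools emit and check with -c."""
    return "".join(f"{hashlib.new(algo, data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))


def parse_manifest(text):
    """Map filename -> hexdigest; skips blanks and '#' comments, accepts
    both the text ('  ') and binary (' *') separators."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.lstrip(" *")] = digest.lower()
    return entries


def verify_manifest(manifest_text, files):
    """Downloader side: return (name, problem) for each file that is
    unlisted, has a malformed digest, or does not match; [] means OK."""
    expected = parse_manifest(manifest_text)
    problems = []
    for name, data in files.items():
        if name not in expected:
            problems.append((name, "not listed in manifest"))
            continue
        digest = expected[name]
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not set(digest) <= HEX_CHARS:
            problems.append((name, "malformed digest"))
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, digest):  # constant-time compare
            problems.append((name, "digest mismatch"))
    return problems


if __name__ == "__main__":
    # Simulate a mirror that serves a tampered copy on one download in ten.
    manifest = make_manifest({"sendmail.tar.gz": CLEAN_TARBALL})
    for i in range(1, 11):
        got = TROJANED_TARBALL if i % 10 == 0 else CLEAN_TARBALL
        print(i, verify_manifest(manifest, {"sendmail.tar.gz": got}) or "ok")
```

A manifest fetched from the same server as the tarball proves nothing if that server is the one that was compromised, which is why the PGP signature on the manifest or announcement has to be checked first.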
--8 October 2002 Trend Micro Will Pay Fines for Late Virus Signatures
Anti-virus company Trend Micro says it will pay fines of up to $3,000
to its premium customers who submit virus signatures if the company has
not issued a virus pattern file within two hours of submission. The Virus
Response Service Level Agreement is available to premium customers
only; the fines vary based on the level. Present premium support
customers will be required to upgrade in order to participate. The
program addresses virus detection but not removal, and certain types
of viruses are exempt from coverage.
http://www.computerworld.com/securitytopics/security/story/0,10801,74972,00.html
[Editor's Note (Schultz): Trend Micro's idea here is intriguing in
that a major security vendor is coming one step closer to taking
responsibility for what it does. I trust that to avoid the "fine,"
the pattern file will also have to be correct.]
--7 & 8 October 2002 Bugbear Revives Jdbgmgr.exe Hoax
The Bugbear worm, which is the most prevalent worm now in the wild,
is beginning to slow its spread across the Internet. However, its
presence has brought a resurgence of the Jdbgmgr.exe hoax e-mail. The
hoax warns people to delete that file from their computers because
it is a virus, when in fact, it's a necessary file. The file appears
with a teddy bear icon, which probably leads people to believe it's
somehow connected to Bugbear.
http://www.msnbc.com/news/815117.asp?0dm=C279T
http://www.smh.com.au/articles/2002/10/08/1033538935349.html
--7 October 2002 Top 20 a Good Remedy for Audits
Many security audits produce tomes of data, leaving administrators
overwhelmed and uncertain where to begin addressing the multitude of
problems. The recently released Top 20 Internet Security Risks list,
which is accompanied by a list of tools to address the problems,
provides a starting point for closing security holes. It would also
help if consumers refused to buy IT products that aren't secure.
http://www.computerworld.com/securitytopics/security/story/0,10801,74856,00.html
[Editor's Note (Paller): I made an error in the interview that formed
part of the basis for the Computerworld editorial. I left the word
untrained out before "security auditors" - incorrectly implying
that all security auditors made the mistake. Many auditors are well
trained, know which vulnerabilities matter, and focus their reports
on what is feasible and what can do the most good. Separately,
several organizations have begun programs of active auditing
involving quarterly or monthly testing for the Top 20 across all
Internet-connected systems, as a means of enforcing a minimum standard
of due care and thereby reducing their exposure to tort liability if
their systems are used in attacks on other sites.]
--7 October 2002 OASIS Member Disagreement May Delay Web Services
Standard Release
A disagreement between Organization for the Advancement of Structured
Information Standards (OASIS) Security Technical Committee members
about a proposed web services security specification may stall its
release. IBM, Sun Microsystems and other companies feel the standard
needs more work, while Microsoft and others think it is fine the way
it is.
http://www.eweek.com/article2/0,3959,590669,00.asp
--7 October 2002 Budget Increase Not Enough to Properly Address
Security, Says Gartner
The proposed 2003 federal budget includes an increase of 64% in
spending on computer security, but much of the money is designated for
known problems, according to an announcement from Gartner Inc. This
is not adequate to improve government computer system security.
http://www.infoworld.com/articles/hn/xml/02/10/07/021007hnusbudget.xml?s=IDGNS
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.