From: The SANS Institute (sans_at_sans.org)
Date: Mon Oct 28 2002 - 11:12:08 CST


    Edition 9, October 28, 2002

    Hello, this is the 9th SANS/GIAC update since January 2001. I write
    these when I feel there is a lot of information that you might
    otherwise miss. If you wish to unsubscribe from SANS mailings,
    there is an opportunity to do so at the bottom of this note.

    Contents
    1. Highlights from Dick Clarke's speech at the SANS conference in
       Washington DC
    2. Internet Threat Update by Ed Skoudis
    3. Local Mentor Program Update
    4. Hands-On Security Training Actually Works
    5. Cyber Defense Initiative Conference Program Update for San Francisco
    6. DDOS Attacks on the Root Name Server
    7. Free SANS Security Web Broadcast Schedule Update
    8. Second Women-Only Security Training Event
    9. Gretel Johnson's summary of Ed Skoudis' talk

    ********************************************************************
    1. Highlights from Dick Clarke's Keynote at the SANS conference in
    Washington, DC, October 20, 2002

    Many of the 2,300 security professionals attending the SANS Network
    Security conference in Washington got a great treat when Richard
    Clarke, President Bush's Cyber Security Advisor, briefed them on what
    was happening in cyber security in Washington. A few highlights: (1)
    Money for federal information security is going up by 60% to well over
    $4 billion this fiscal year. [That will allow the government to lead
    by example in demonstrating effective security.] (2) If the Senate and
    House agree, the Department of Homeland Security will have a separate
    division (one of four in the new Department) focused on Information
    Analysis and Infrastructure Protection. It will bring together the
    current federal components that have important roles: the National
    Infrastructure Protection Center (now at the FBI), the Critical
    Infrastructure Assurance Office (now at the Department of Commerce)
    and the FedCIRC (now at the General Services Administration) and will
    add substantially to their capabilities. (3) The President's National
    Strategy for Securing Cyberspace was released in draft on September
    18 and is open to public comment for three more weeks (until November
    18). Read it and provide feedback at http://www.whitehouse.gov/pcipb/
    Criticisms are welcome, but it will also help to provide support
    for those parts of the strategy you think it is most important to
    implement. Dick pointed out the critical importance of finding and
    eliminating vulnerabilities rather than waiting for threats to appear.
    By the time we know a cyber attack is imminent, he emphasized, it
    will be too late to fix the vulnerabilities. "As long as we have
    enemies and we have vulnerabilities," he said; "it isn't a matter
    of 'if' but 'when' those enemies exploit those vulnerabilities."
    See the Cyber Defense Initiative in Number 5 below for how you can
    play a greater role in eliminating vulnerabilities.

    Special note to my international friends, I realize this item is
    very USA-centric; however, the general concepts in the strategy are
    applicable globally.

    ********************************************************************
    2. Internet Threat Update from Ed Skoudis

    Keeping up with new threats -- especially with all the changes in
    tools that hackers use -- is challenging. The most effective monitor
    of these tools is Ed Skoudis, author of the best selling book on
    understanding and blocking cyber attacks (CounterHack). He provided
    a "Threat Update" to the audience at last week's SANS conference,
    detailing the important changes the hackers are making and how to
    block the new types of attacks. It was an extraordinary talk.
    Some in the audience called it "breathtaking." An IDG reporter
    attended his briefing and did a great job of capturing the essence
    of the talk. A summary from Ed's talk that includes new tools like
    LibRadiate, Setiri and the forensic countermeasure, the Defiler's
    Toolkit is in the next to last item of this note.

    Ed's up-to-the-minute Threat Briefings are one of the valuable benefits
    available to people attending SANS training programs. New briefings
    will be available to those who attend the live training programs such
    as the Cyber Defense Initiative in San Francisco, December 15 - 20,
    and via webcast to those who sign up for the Local Mentor Program.

    ********************************************************************
    3. Local Mentor Program Update

    Speaking of the Local Mentor Program, more than 500 people have
    begun their ten-week, local programs just in the past three months.
    They use the SANS' online program to study the material at their own
    pace and then meet every week or every two weeks, with a group of
    10-20 other students and mentor. SANS' mentors are people who have
    gotten very high grades on GIAC certification programs. They use
    their deep knowledge of the material to guide students through the
    hands-on exercises and answer questions regarding the GIAC practicals.
    Now that the Local Mentor program provides coverage of both the GIAC
    Security Essentials Certification material and the CISSP Common Body
    of Knowledge, it is by far the most cost effective security training
    program for people who cannot take time off from work and do not
    have funds for travel. More than 100 new local mentor programs will
    start up in the next six months in cities all over the world. See
    http://www.sans.org/onlinetraining/mentor.php for a description
    of the program. If you don't see one near you, email Scott Weil,
    sweil@sans.org to ask about it. If you are someone who wants to
    give back to the community by teaching, or if you have a goal of
    joining the SANS faculty, becoming a local mentor is by far the
    best first step. All you need to be eligible is a high score on the
    certification exam for Track 1 (SANS Security Essentials), Track 2
    (Firewalls and Perimeter Protection) or Track 4, (Hacker Exploits
    and Incident Handling).

    ********************************************************************
    4. Hands-On Security Training Actually Works

    We have heard your demands for more hands on training and are
    responding. By the time the San Francisco CDI conference starts in
    mid-December, 80% of all SANS training programs at our conferences
    will include hands-on components; by the time SANS 2003 starts in early
    March 2002, all tracks will be hands-on. The already impressive student
    ratings that SANS programs earned have taken another jump up with the
    addition of the hands-on programs. It costs us much more to operate
    hands-on courses because we have multiple instructors and proctors to
    help with the exercises, and we wire the classrooms, but we have not
    raised prices. Our goal is to provide absolutely the best quality
    security education available anywhere - to the most people we can
    possibly serve.

    Special note 1: At NS2002, we ran a two-day, hands-on course based
    on the Security Essentials Toolkit book by Eric Cole, et al. It was
    a success. I am going to try to run a couple of these before the
    end of the year if I can get the venues, instructors, and proctors.
    These will be called Security Essentials FlightSchool. Keep your
    eyes on the web page if you would be interested in such a class.

    Special note 2: If you are taking a hands-on class please do your
    part; if we send you instructions about how to configure your laptop,
    please take those seriously. If you do not know what a "path", or
    "command prompt" is, please select a security essentials BootCamp or
    FlightSchool offering before enrolling in advanced training. Finally,
    we are very careful with the power specifications we send to conference
    hotels, but we are bound to blow a hotel's circuits sky high sometime
    soon. If you can bring a spare charged battery that could help make
    the difference when the inevitable happens.

    ********************************************************************
    5. Cyber Defense Initiative Conference Update for San Francisco

    SANS runs a major training conference with eight or more of its
    twelve training tracks every few months. During what should be a
    quiet week for many organizations, December 15-20, in San Francisco,
    we'll have ten tracks, eight of them hands-on. Two extra programs
    make San Francisco the conference you won't want to miss: Ed
    Skoudis' updated Internet Threat Briefing and Alan Paller's Lessons
    learned by the pioneers who implemented vulnerability remediation
    programs. He'll provide you behind the scenes data on the new Top 20
    Internet Security vulnerabilities and which tools actually work for
    finding them. The Top 20 is one of the key components of the Cyber
    Defense Initiative. Alan will fill you in on the others as well. San
    Francisco is nice in December - often warmer than it is in August -
    but still cool, with fewer tourists allowing you an actual seat on
    the cable cars. Finally, if you are a procrastinator at holiday
    shopping as I am, the conference hotel is right where the people in
    San Francisco come to shop. Last year, I was able to get in, grab
    the stuff for the people on my list and get back to the conference
    in a little over an hour and a half.

    The complete San Francisco program is posted at:
    http://www.sans.org/CDI02/

    ********************************************************************
    6. DDOS Attacks on the Root Name Server

    Last Monday, nine of the thirteen root name servers at the core
    of the Internet were put partially or completely out of service
    by a distributed denial of service attack. The Internet survived.
    The root name servers are like the phone book -- translating IP
    addresses to domain names and back. The Internet survived because:
    it has a great deal of redundancy built in, several ISPs acted quickly
    to stop the attack on a couple of the root name servers, and because
    the attackers didn't use as much fire power as they could have.

    Most web sites do not have any defense against DDoS attacks; the
    number of such attacks is rising rapidly. One federal agency web
    site was out of operation a couple weeks ago for more than 24 hours -
    until the attackers just stopped the attack.

    For those of you looking for solutions to DDoS, here are the three
    most promising:
    (1) ISPs implement technology that rapidly finds the entry point
    for DDoS floods and informs the network security staff what ACLs to
    set on the routers to stop them. This will work for smaller ISPs -
    those using OC48 or smaller pipes. It probably won't stop a very
    large attack.
    (2) ISPs (and any other organization that connects large numbers of
    people to the Internet) implement a program that stops all spoofed
    traffic from leaving their networks. This, too, will only work for
    smaller ISPs, but it will limit the attackers' ability to hide.
    (3) Implement a global program to rid the Internet of common,
    easily-exploited vulnerabilities both by forcing software vendors to
    take responsibility for fixing software they deliver and by asking ISPs
    and others who connect computers to the Internet to take responsibility
    for the damage done by their users' systems.
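    As an added illustration (not part of the original note) of items (1)
    and (2), the following script applies a BCP 38-style egress
    anti-spoofing policy to a few constructed outbound flow records and
    renders the same policy as Cisco IOS-style ACL lines; the assigned
    prefixes and flow records are hypothetical.

```python
"""Egress anti-spoofing check: only sources from assigned prefixes may leave."""
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical address blocks assigned to the network being filtered.
ASSIGNED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed outbound flow records as (source, destination, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.17", "192.0.2.10", 53),
    ("198.51.100.9", "192.0.2.10", 80),
    ("10.0.0.5", "192.0.2.10", 53),         # private address leaking out
    ("192.0.2.77", "192.0.2.10", 53),       # not our space: forged source
    ("198.51.100.200", "192.0.2.10", 53),   # just outside our /25
]


def build_policy(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse the assigned prefixes once; strict=True rejects host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def source_is_ours(src: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """BCP 38 rule: an outbound packet may only carry a source we were assigned."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def filter_egress(flows, nets) -> Tuple[list, list]:
    """Split flows into those allowed to leave and those dropped as spoofed."""
    permitted, dropped = [], []
    for src, dst, port in flows:
        (permitted if source_is_ours(src, nets) else dropped).append((src, dst, port))
    return permitted, dropped


def render_acl(nets, number: int = 101) -> List[str]:
    """Express the same policy as Cisco IOS-style extended ACL lines.

    IOS ACLs take a wildcard mask, the inverse of the netmask (net.hostmask).
    The trailing deny logs anything that slipped past the permits.
    """
    lines = [f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
             for net in nets]
    lines.append(f"access-list {number} deny ip any any log")
    return lines


if __name__ == "__main__":
    policy = build_policy(ASSIGNED_PREFIXES)
    ok, bad = filter_egress(SAMPLE_FLOWS, policy)
    for src, dst, port in bad:
        print(f"DROP forged source {src} -> {dst}:{port}")
    print("\n".join(render_acl(policy)))
```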

    Note: I hope you will get a smile out of this; I certainly did. John
    Stewart from Cisco worked hard to put together an excellent DDOS
    Symposium at last week's SANS conference. Exactly one person signed
    up. Instead of canceling, we decided to convert this to an evening
    program and make it available for free. The program started on Monday
    night, the same night as the root server attack. Needless to say,
    it was well attended and there was a lot of interest and energy in
    the air!

    ********************************************************************

    7. Free SANS Security Web Broadcast Schedule Update

    Every month, SANS brings an expert right into your desktop or portable
    computer with a live web cast. These are open to all security
    professionals. Here's the schedule for the next three months.

    On November 6, Kathleen Moriarty, lead network security engineer at
    MIT's Lincoln Labs, will present "Can't Boil an Egg Without a Shell
    - Why Web Perimeter Security is a Necessary Step to a Secure Site"
    and will provide an overview of the new tools careful organizations
    are using to protect their systems. The program will be sponsored
    by Sanctum.

    On December 4, Joel Snyder, manager of the Opus One security testing
    laboratory, will present "Intrusion Prevention Essentials" providing
    a guide to this rapidly growing segment of the security product space
    -- where smart sensors act automatically to block ongoing attacks.
    This will be sponsored by Top Layer.

    On January 8, SANS faculty member and Stanford staff member, Tina
    Bird will provide some of the insights she has gained in her years
    heading the Log File Analysis team at Counterpane Internet Security.
    Her understanding of this important area is unparalleled.

    ********************************************************************
    8. Second Women-Only Security Training Event - Advanced Notice

    We received a great deal of criticism for our first women-only
    security program, but not from the women who attended the program.
    They loved it. So we are planning a second Women-only SANS
    training conference - with an all-women faculty and an all-women
    student population as part of SANS 03, March 7 - 12 in San Diego.
    Registration will be limited to 50 students. It will be a boot camp
    (hands on at night) version of Security Essentials. In addition,
    when they are not in boot camp, students will have access to all
    conference evening events. The web description and registration page
    should be up next week.

    Finally, for the first time since I have been in the security field,
    I feel we now know what needs to be done to turn the tide against
    cyber attackers. Our training programs are becoming more and more
    effective in helping you implement effective programs. We look forward
    to seeing you in San Francisco or at another one of SANS' conferences.

    Thank you,

    Stephen Northcutt - The SANS Institute

    PS: Here's the IDG article on Skoudis's Threat Update Briefing
    I promised.

    By Gretel Johnston, IDG News Service
    OCTOBER 25, 2002

    WASHINGTON -- Over the past eight months, major new hacker tools have
    been released or revealed, ending a lull in activity among hackers
    that followed the Sept. 11 terrorist attacks and the enactment of
    legislation that enhanced law enforcement's ability to prosecute
    people who break code and wreak havoc on networks by exploiting
    software vulnerabilities, hacking consultant Ed Skoudis said yesterday.

    LibRadiate, Paketto Keiretsu, Setiri and The Defiler's Toolkit are some
    of the newest tools that have cropped up since March and are keeping
    security specialists awake at night, according to Skoudis, who gave a
    threat update briefing here at a SANS Institute Inc. conference. SANS
    is a security education and research organization in Bethesda, Md.

    Skoudis, vice president of ethical hacking and incident response
    at consultancy Predictive Systems Inc. in New York, said the
    June-through-September period saw massive exposures of security
    vulnerabilities in OpenSSH, Apache Web server software and Microsoft
    Corp.'s Web browser Internet Explorer.

    The popularity of war driving

    "This summer has been a huge summer for hackers. There were huge issues
    discovered all summer long, and things really opened up between March
    and now," Skoudis said. "The golden age of hacking rolls on."

    One of the latest developments involves the security of wireless LANs
    and the ease with which people are able to detect them. For one week
    in early September, amateur wireless LAN sniffers used freeware called
    NetStumbler to detect hundreds of insecure business and home wireless
    LANs in North America and Europe in an exercise called a "war drive."

    Skoudis said attackers have "flocked to this area" and are finding that
    many wireless LANs are set up without basic security. After they detect
    the wireless LAN, they can use a tool that's been available since May,
    called LibRadiate, an application programming interface that allows
    developers to easily capture, create and transmit arbitrary packets on
    a wireless LAN using the IEEE 802.11b standard. The tool runs on Linux
    (kernel 2.4) with wireless cards that have the Intersil Corp. Prism
    2 chip set, Skoudis said.

    Capturing TCP/IP packets with LibRadiate

    LibRadiate makes it possible for hackers, using "fairly simple C
    code," to capture TCP/IP packets or inject them into a network,
    Skoudis said. Among the wireless attack tools expected to become
    available for use with LibRadiate, according to Skoudis, are WEP
    crackers, which exploit flaws in the Wired Equivalent Privacy (WEP)
    protocol, allowing a hacker to determine encryption keys even when
    WEP is in use; and malformed packet generators, which inject strange
    and noncompliant packets into a network in an attempt to crash systems
    that can't handle unusual packet structures.

    "With tools like LibRadiate, the computer underground is starting to
    develop far more sophisticated attack tools than what we have seen
    in the past," Skoudis said.

    Another tool, released two weeks ago, is Paketto Keiretsu, which
    Skoudis referred to as a suite of tools for doing TCP/IP tricks. One
    of its most fundamental capabilities involves rapid port scans,
    which it does by separating the packet sender from the receiver.

    Setiri, a Trojan horse

    Skoudis also described Setiri, a new Trojan horse back door. The tool
    can bypass personal firewalls, Network Address Translation devices,
    proxies and advanced firewalls by starting up an invisible browser
    on the victim's PC. Then Setiri, running on the victim's system,
    uses OLE to communicate with the hidden browser. As long as the
    victimized PC's browser can access the Internet, Setiri can reach
    across the network and get the attacker's commands.

    Setiri, developed by a small group of South African security
    consultants and demonstrated in August at Def Con, hasn't
    been seen in the wild yet, Skoudis said. Nevertheless, he included
    it in his presentation because its existence has been acknowledged
    within the security community and writing the code is something a
    moderately skilled coder could do.

    Skoudis said the system strips out information about the user by going
    through Anonymizer.com, a Web site that offers anonymous e-mail and
    Web browsing, so blocking access to that site is a way of defending
    against Setiri. Another solution would require changes in Internet
    Explorer that limit the actions of an invisible browser. Skoudis said
    Microsoft has said it will address the matter.

    'Antiforensic' Defiler's Toolkit

    In the new area of "antiforensics," hackers have had access to a tool
    called the Defiler's Toolkit since July. It's able in a number of ways
    to foil the Coroner's Toolkit, a tool that has been used by computer
    forensic specialists for several years, Skoudis said. For example,
    it can destroy or hide the traces of a hack that the Coroner's Toolkit
    looks for. The Defiler's Toolkit targets the Linux Ext2fs file system,
    but Skoudis said the concept could be extended to other platforms.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers). You will receive your personal URL via email.

    Unsubscribing will take you off any news bulletin lists for NewsBites
    or Security Alert Consensus as well as any conference information
    notes.

    You may also email <sans@sans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.