OSEC

From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Nov 06 2002 - 09:45:21 CST


    From: Alan for the SANS NewsBites service
    Re: November 6 SANS NewsBites

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    SANS has added new classes for the end of 2002 offering penetration
    testing, three new Flight School opportunities, and a rich assortment
    of our classic certification tracks. Details at http://www.sans.org

                                     Alan

    ***********************************************************************
    SANS NewsBites November 6, 2002 Vol. 4, Num. 45
    ***********************************************************************

    TOP OF THE NEWS
    31 October & 1 November 2002 Clarke: Government Should Fund Internet
                                  Protocol R&D
    31 October 2002 Three More Microsoft Security Bulletins
    31 October 2002 WPA is New Wireless Standard
    30 October 2002 T0rnkit Author Case Will Set Precedent
    29 October & 1 November 2002 Open Source Software Instrumental to
                                  DOD Security

    THE REST OF THE WEEK'S NEWS
    4 & 5 November 2002 W32/Braid
    4 November 2002 Microsoft Judgment Found Prior to Official Release
    4 November 2002 Fraudulent Job Posting Used for Identity Theft
    4 November 2002 More Root Servers Planned
    4 November 2002 East Palo Alto Phone Phreaking
    3 & 4 November 2002 SBC Communications to Establish Laboratory
    1 November 2002 Manitoba Government Web Site Intrusion
    1 November 2002 IG Report Says State Dept. Security Still Weak
    1 November 2002 Linksys Router Vulnerable to DoS
    1 November 2002 W32.HLLW.Merkur
    31 October, 1 & 4 November 2002 Mueller Promises Secrecy To Encourage
                                     Private Sector Sharing
    31 October 2002 e-Commerce Site Doesn't Encrypt Credit Card Data
    31 October 2002 Wireless Keyboard Writes on Neighbor's Computer
    31 October & 3 November 2002 Horse Racing's Computerized Wagering
                                  Systems to be Examined
    30 October 2002 NIST and NSA Release Five Protection Profiles
    29 & 30 October 2002 Windows 2000 Receives Common Criteria
                          Certification
    29 & 30 October 2002 CIA Warns of Cyberthreats from Extremist Groups
    29 October 2002 Don't Put Security in the Hands of Home Users
    29 October 2002 Security Flaws in Half of Crypto Modules Submitted
                     for FIPS Validation
    29 October 2002 Chinese Government Thwarted May 2002 Cyberattacks
    29 October 2002 DoD's Defense Procurement Payment System has
                     Security Flaws
    29 October 2002 IP Smart Spoofing
    28 October 2002 Global Cyber Security Center Possible
    28 October 2002 Cyber Attacks Up at Air Force Base
    23 October 2002 Reverse Engineering Malware

    SECURITY TRAINING NEWS
    *SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20
    features the eight highest rated teachers in the security
    field. If you can attend only one conference this winter, try to
    get a place in the courses in San Francisco. Also features a free,
    evening step-by-step program for implementing a Top 20 vulnerability
    remediation program. San Francisco is often warmer and less crowded
    in December than in August.
    *Twelve new Local Mentor Programs start in the next few weeks. Combine
    online program with live training/practice sessions. Offers
    the most cost-effective local training for both CISSP and GSEC
    Certifications. Also included: Free updated Internet Threat Briefing.
    *See: http://www.sans.org for details on San Francisco, Local Mentor
    and other programs.

    *************** This Issue Sponsored by Websense **********************

    Did the Nimda worm cost you $2.6 billion in clean-up?

    Use Websense Premium Group III to protect your network. Stop malicious
    code at its source, block potentially harmful security-risk sites
    and add protection against malicious code at the Internet gateway.
    Try a free, 30-day trial of Websense Enterprise and start spending
    those clean-up dollars somewhere else.

    http://www.websense.com/?id=NL10109

    ***********************************************************************

    TOP OF THE NEWS

     --31 October & 1 November 2002 Clarke: Government Should Fund
                                     Internet Protocol R&D
    Presidential cybersecurity advisor Richard Clarke says the government
    should fund the research and development of Internet protocols because
    commercial interests do not have sufficient incentive to do the job
    effectively. Protocols like BGP and the Domain Name System (DNS)
    present opportunities for attacks or instabilities in the integrity
    of the Internet. Clarke does not want the government to regulate
    these protocols.
    http://www.gcn.com/vol1_no1/daily-updates/20382-1.html
    http://www.nwfusion.com/edge/news/2002/1101clarke.html
    [Editors' Note (Northcutt and Paller): Let's take a moment as
    a community to reflect on the enormous success of the Internet
    Engineering Task Force, and the contributions it has made to
    our society. The IETF's 55th meeting is in a couple of weeks in
    Atlanta, http://www.ietf.org/meetings/agenda_55.html. A quick scan
    of the agenda will demonstrate IETF's interest in security issues.
    A small amount of government money given to the IETF could be helpful
    in accelerating the group's security initiatives.]

     --31 October 2002 Three More Microsoft Security Bulletins
    Microsoft has warned of a "critical" buffer overflow flaw in
    its Point-to-Point Tunneling Protocol (PPTP), a VPN protocol
    supported by Windows 2000 and XP; the vulnerability could result in
    a denial-of-service. Server and client systems are both at risk if
    PPTP has been enabled. A patch is available for the flaw. A second
    Microsoft security bulletin warned that default permission settings in
    the Windows 2000 "everyone" group could allow a Trojan horse attack;
    Microsoft recommends that administrators change the permissions on
    the root directory. Microsoft also released a cumulative patch for
    its Internet Information Server (IIS) Web server that addresses four
    new vulnerabilities and includes the fixes from earlier IIS patches.
    http://www.computerworld.com/securitytopics/security/story/0,10801,75519,00.html
    http://news.com.com/2100-1001-964106.html
    http://www.eweek.com/article2/0,3959,661933,00.asp
    http://www.theregister.co.uk/content/55/27874.html
    PPTP Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-063.asp
    Windows 2000 Permissions Flaw Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-064.asp
    IIS Patch info: http://www.microsoft.com/technet/security/bulletin/MS02-062.asp

     --31 October 2002 WPA is New Wireless Standard
    The Wi-Fi Alliance has released a new standard called Wi-Fi Protected
    Access (WPA). The standard will replace WEP, the easily broken
    security presently used by many wireless networks. WPA employs dynamic
    key encryption in the form of the Temporal Key Integrity Protocol
    (TKIP); WPA also provides improved network user authentication.
    http://www.usatoday.com/tech/news/computersecurity/2002-10-31-wireless-security_x.htm
    http://www.pcworld.com/news/article/0,aid,106530,00.asp
    http://www.computerworld.com/securitytopics/security/story/0,10801,75533,00.html
    http://news.com.com/2100-1033-964046.html
    [Editor's Note (Shpantzer): Who will go to the trouble of implementing
    this temporary 'solution' only to replace it when 802.11i comes out?
    Ted Ipsen, from the Information Risk Management practice at KPMG LLP,
    says users should skip the WPA purchase altogether. Cisco put TKIP
    and its own proprietary implementation of EAP (Cisco LEAP) into their
    hardware about a year ago, and it's still only a stopgap measure.
    Layer 2 security should still be considered to be broken, even after
    WEP2 comes out next year. Ted always asks clients: "Do you rely
    on your CAT5 cable and your Ethernet switches to provide you with
    confidentiality, integrity and availability?" Use Layers 3 through
    7 and architecture to defend your resources.
    (Ranum): How long will TKIP last? This is basically a layer of
    re-keying atop a broken cryptosystem. You can't build a castle on
    foundations of used chewing gum!]

     --30 October 2002 T0rnkit Author Case Will Set Precedent
    The case in which a UK man is being prosecuted under the 1990 Computer
    Misuse Act for creating T0rnkit will set a precedent for how authors
    of such software are to be dealt with. While T0rnkit itself is not a
    virus and the author has not been charged with computer intrusions,
    the kit has been used to create the Lion worm. The author is being
    tried for writing and distributing the kit.
    http://www.viruslist.com/eng/index.html?tnews=1007&id=57660

     --29 October & 1 November 2002 Open Source Software Instrumental
                                     to DOD Security
    A study commissioned by the U.S. Defense Department (DOD) concludes
    that banning the use of open source software would have a devastating
    effect on the DOD's cybersecurity capabilities. The study, "Use
    of Free and Open Source Software (FOSS) in the U.S. Department of
    Defense," conducted by Mitre Corp., recommends creating a list of safe
    open source software, developing policies to encourage broader use
    of open source software and encouraging its use to promote diversity
    and reduce costs and risks of depending on a single product.
    http://www.theregister.co.uk/content/4/27822.html
    http://www.fcw.com/fcw/articles/2002/1028/web-open-11-01-02.asp

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) Uncover hacks, attacks and system vulnerabilities
    utilizing eV3TM technology, CONTINUOUS perimeter monitoring!
    http://www.sans.org/cgi-bin/sanspromo/NB96

    (2) DITCH DETECTION. THINK PREVENTION. Neutralize unknown threats
    outside the firewall. FREE paper.
    http://www.sans.org/cgi-bin/sanspromo/NB97

    (3) Earn a Norwich University Master's Degree in Information Security
    in 24 months. http://www.sans.org/cgi-bin/sanspromo/NB98

    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

     --4 & 5 November 2002 W32/Braid
    W32/Braid is a Visual Basic worm that exploits an incorrect MIME header
    vulnerability in Internet Explorer to propagate. The worm e-mails
    every address in the Outlook Express address book and addresses found
    in .htm and .dbx files; it also overwrites the MSconfig.exe file.
    It can also slow computer response time or cause a computer to crash.
    http://news.com.com/2100-1001-964476.html
    http://www.smh.com.au/articles/2002/11/05/1036308298493.html
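    The "incorrect MIME header" bug class mentioned above lets a mail
    client run an executable attachment because its Content-Type header
    claims a media type the client opens automatically. The following
    Python is an added example, not code from the newsletter or from any
    anti-virus vendor: a gateway-style check that walks a message and
    flags parts whose declared type and filename extension disagree. The
    sample message is constructed, and the table of auto-handled types is
    an assumption about the bug class rather than data from the story.

```python
"""Flag MIME parts whose declared Content-Type does not match the
attachment's file extension, the mismatch that mail worms relied on to
get a client to run an executable as if it were a harmless media file.
Added example; SAMPLE_MESSAGE is constructed and AUTO_HANDLED is an
assumption about the bug class, not data taken from the news item."""
import email
from email import policy

# Media types a mail client may open automatically, with the extensions
# that legitimately carry them. An executable name under one of these
# types is the classic "incorrect MIME header" lure.
AUTO_HANDLED = {
    "audio/x-wav": {".wav"},
    "audio/x-midi": {".mid", ".midi"},
    "video/x-msvideo": {".avi"},
    "image/gif": {".gif"},
    "image/jpeg": {".jpg", ".jpeg"},
}
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}


def _extension(filename):
    name = (filename or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def suspicious_parts(raw_message):
    """Return (content_type, filename, reason) for each part worth blocking."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()          # always lower-case
        fname = (part.get_filename() or "").lower()
        ext = _extension(fname)
        if ext in EXECUTABLE_EXT:
            reason = ("executable labelled as media" if ctype in AUTO_HANDLED
                      else "executable attachment")
            findings.append((ctype, fname, reason))
        elif ctype in AUTO_HANDLED and fname and ext not in AUTO_HANDLED[ctype]:
            findings.append((ctype, fname, "extension does not match declared type"))
    return findings


# Constructed test message: an HTML body, a .exe disguised as a WAV, and a
# legitimate GIF. The base64 bodies are only a few bytes and never decoded.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: victim@example.test
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset=us-ascii

<html><body>hello</body></html>
--BOUNDARY
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA
--BOUNDARY
Content-Type: image/gif; name="photo.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.gif"

R0lGODlh
--BOUNDARY--
"""

if __name__ == "__main__":
    for ctype, fname, reason in suspicious_parts(SAMPLE_MESSAGE):
        print(f"BLOCK {fname!r} ({ctype}): {reason}")
```

    The check deliberately keys on the filename rather than the declared
    type, because the declared type is exactly the field an attacker
    controls; a mail gateway that trusts Content-Type inherits the same
    flaw as the client.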

     --4 November 2002 Microsoft Judgment Found Prior to Official Release
    The judgment in the Microsoft anti-trust case was apparently put on the
    court web site nearly two hours before its scheduled official release.
    While there was no publicly released link to the documents, they were
    not password protected, and their URL was easily guessed.
    http://zdnet.com.com/2100-1104-964415.html
    [Editor's Note (Schultz): The way the release of the information about
    this case was handled paralleled the way the Bush Administration
    handled the case itself. Clearly, the events associated with this
    case will go down as black marks in U.S. history.]

     --4 November 2002 Fraudulent Job Posting Used for Identity Theft
    Fraudulent job postings on Monster.com have been used to harvest
    information that could be used to steal applicants' identities.
    Monster.com's FAQ section advises applicants not to provide Social
    Security, credit card or bank account numbers to prospective employers.
    http://www.msnbc.com/news/830411.asp?0dm=B21AT

     --4 November 2002 More Root Servers Planned
    As a precaution against additional attacks on the Internet's root
    name servers, more servers will be added to each of the 13 root
    server locations.
    http://www.newsfactor.com/perl/story/19831.html

     --4 November 2002 East Palo Alto Phone Phreaking
    Hackers apparently broke into the East Palo Alto (CA) City Hall phone
    system and used it to make $30,000 worth of calls to the Philippines.
    AT&T and East Palo Alto are at odds over who is responsible for
    the bill.
    http://www.bayarea.com/mld/mercurynews/news/local/4439758.htm
    [Editor's Note (Murray): It has been quite a while since we have seen
    one of these. Both carriers and users have done a good job.]

     --3 & 4 November 2002 SBC Communications to Establish Laboratory
    SBC Communications, Inc., one of the largest Internet service providers
    in the U.S., plans to create the Internet Assurance and Security Center
    (IASC), a laboratory for developing technologies to fight malware
    and cyberattacks. Some see SBC's move as evidence that industry is
    taking security seriously and doesn't require government regulations.
    http://www.washingtonpost.com/wp-dyn/articles/A62201-2002Nov3.html
    http://news.com.com/2100-1033-964425.html
    [Editor's Note (Murray): Security represents a big profit opportunity
    for ISPs. It had been a great product differentiator for AOL.
    The bar is going up.]

     --1 November 2002 Manitoba Government Web Site Intrusion
    A hacker broke into the Manitoba government web site, www.gov.mb.ca,
    and accessed personal information contained in the online applications
    for student loans.
    http://www.newwinnipeg.com/news/d02-11-01hacker.htm

     --1 November 2002 IG Report Says State Dept. Security Still Weak
    A report from the State Department Inspector General (IG) found that
    the State Department's information system security is still weak,
    despite having been told about serious problems a year ago. While the
    department has a system certification and accreditation plan, it does
    not have a schedule for implementing the plan. Overseas posts were
    also found to be lacking security plans. The IG's office plans to
    make recommendations to address the security problems.
    http://www.gcn.com/vol1_no1/daily-updates/20398-1.html
    [Editor's Note (Ranum): And we are surprised by this? Many people
    who have not worked with government security seem to think that the
    feds are ahead of the private sector in securing their systems. The
    truth is quite the inverse.]

     --1 November 2002 Linksys Router Vulnerable to DoS
    The Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch
    with firmware earlier than version 1.42.7 is vulnerable to an easily
    launched denial of service (DoS) attack that could crash the router.
    Firmware 1.43 addresses the vulnerability.
    http://www.eweek.com/article2/0,3959,663801,00.asp

     --1 November 2002 W32.HLLW.Merkur
    The Merkur worm, also known as W32.HLLW.Merkur, pretends to be an
    anti-virus update e-mail and is spreading through peer-to-peer (p2p)
    software. Users must click on an attachment called Taskman.exe in
    order to become infected. Once it has been released into a computer,
    Merkur sends itself out to everyone in the Outlook address book,
    deletes multimedia files in p2p sharing directories and copies itself
    into those directories, usually with an enticing name.
    http://www.zdnet.com.au/newstech/security/story/0,2000024985,20269585,00.htm

     --31 October, 1 & 4 November 2002 Mueller Promises Secrecy To
                         Encourage Private Sector Sharing
    FBI director Robert Mueller told industry and government officials
    that the private sector needs to be more cooperative about sharing
    cybercrime information. Private businesses are usually reluctant to
    share such information with law enforcement agents because they fear
    negative publicity. In an effort to encourage the private sector to
    share cyberattack information with the government, U.S. law enforcement
    officials have said that they will strive to keep secret the identities
    of the entities sharing the information. FBI director Robert Mueller
    said FBI agents arriving to investigate crime will dress discreetly
    rather than in jackets emblazoned with the agency's logo. They will
    also use sealed court filings and protective orders.
    http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,75532,00.html
    http://207.27.3.29/dailyfed/1002/103102h1.htm
    http://www.fcw.com/fcw/articles/2002/1028/web-fbi-11-01-02.asp
    http://www.fcw.com/fcw/articles/2002/1104/news-fbi-11-04-02.asp
    http://www.wired.com/news/politics/0,1283,56139,00.html

     --31 October 2002 e-Commerce Site Doesn't Encrypt Credit Card Data
    SETcom, a credit card gateway company, has suspended the account of
    a South African e-commerce site, cybergames.co.za, after learning
    that the site was not encrypting credit card information between
    customers' browsers and their server. The anonymous tipster had
    informed Cybergames of the security problem and had given the company
    a week to address it before bringing it to SETcom's attention.
    http://196.30.226.221/sections/internet/2002/0210311223.asp?A=SEC&S=Security&T=Section&O=FPSH
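    The tipster's finding above is one a merchant can verify for itself:
    does any form that collects card details submit over plain HTTP, or
    sit on a page that was itself served over plain HTTP? The following
    Python is an added example, not code from the newsletter, SETcom or
    the site named in the story. It parses a constructed checkout page
    with the standard library, resolves each form's action against the
    page URL and reports the forms that expose sensitive fields. The
    field-name patterns in SENSITIVE are assumptions.

```python
"""Find HTML forms that collect card or password data and submit it
without TLS. Added example; SAMPLE_HTML and PAGE_URL are constructed and
the SENSITIVE field-name patterns are assumptions, not taken from the
story."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that indicate payment or credential data (assumed patterns).
SENSITIVE = re.compile(r"card|ccnum|cvv|cvc|expir|password|passwd", re.I)


class FormCollector(HTMLParser):
    """Collect (action, [field names]) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", [])
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            # Mark password inputs even if their name is innocuous.
            if (a.get("type") or "").lower() == "password":
                name += ":password"
            self._current[1].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_card_forms(page_url, html):
    """Return (resolved_action, sensitive_fields, reasons) for each form
    that handles sensitive data without end-to-end TLS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for action, fields in parser.forms:
        sensitive = [f for f in fields if SENSITIVE.search(f)]
        if not sensitive:
            continue
        target = urljoin(page_url, action)      # relative actions inherit the page scheme
        reasons = []
        if urlsplit(target).scheme != "https":
            reasons.append("submits over " + (urlsplit(target).scheme or "unknown"))
        if urlsplit(page_url).scheme != "https":
            # Even an https action is worthless if the form arrived over
            # http: an on-path attacker can rewrite the action.
            reasons.append("form delivered over plaintext page")
        if reasons:
            findings.append((target, sensitive, reasons))
    return findings


# Constructed checkout page: a card form posting to a relative URL and a
# harmless search form posting to an https URL.
PAGE_URL = "http://shop.example.test/checkout"
SAMPLE_HTML = """<html><body>
<form action="/pay" method="post">
  <input type="text" name="cardnumber">
  <input type="text" name="cvv">
  <input type="text" name="name">
  <input type="submit" value="Pay">
</form>
<form action="https://shop.example.test/search" method="get">
  <input type="text" name="q">
</form>
</body></html>"""

if __name__ == "__main__":
    for target, fields, reasons in plaintext_card_forms(PAGE_URL, SAMPLE_HTML):
        print(f"{target}: {', '.join(fields)} -> {'; '.join(reasons)}")
```

    Run against a live page, the same function would take the fetched
    HTML and the URL it was fetched from; the second reason is the one
    merchants most often miss, since a padlock on the payment gateway
    says nothing about the page that pointed the browser there.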

     --31 October 2002 Wireless Keyboard Writes on Neighbor's Computer
    A Norwegian man discovered that his computer was receiving the signal
    from a neighbor's Hewlett Packard wireless keyboard, so that what the
    neighbor typed appeared on his monitor. The signal was traveling
    150 meters through a wooden and a concrete wall. HP does not have
    an explanation for the incident.
    http://www.aftenposten.no/english/local/article.jhtml?articleID=427668
    [Editor's Note (Grefer): This is a known vulnerability of wireless
    keyboards, since they are only using a limited number of channels for
    transmission. The distance of 150 meters, though, is more typical of a
    clear signal path, rather than one blocked by wood and concrete walls.]

     --31 October & 3 November 2002 Horse Racing's Computerized Wagering
                                     Systems to be Examined
    The New York State Racing and Wagering Board may use a computer
    expert to help them determine whether or not computer manipulation
    was involved in an unusual and lucrative series of winning tickets.
    The holder of the winning tickets and an employee of Autotote, the
    company that processed the bets, are known to have been fraternity
    brothers. The National Thoroughbred Racing Association is planning
    to examine the industry's computer wagering systems.
    http://www.washingtonpost.com/wp-dyn/articles/A43807-2002Oct30.html
    http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2002/11/03/SP242740.DTL
    (Please note: The New York Times web site requires free registration)
    http://www.nytimes.com/2002/11/03/sports/othersports/03RACI.html
    http://www.nytimes.com/2002/11/04/sports/othersports/04RACI.html

     --30 October 2002 NIST and NSA Release Five Protection Profiles
    The National Institute of Standards and Technology (NIST) and the
    National Security Agency (NSA) have established Protection Profiles
    for operating systems, firewalls, intrusion detection systems, tokens
    and public-key infrastructures. The profiles will become part of
    the Common Criteria certification process.
    http://www.gcn.com/vol1_no1/daily-updates/20373-1.html

     --29 & 30 October 2002 Windows 2000 Receives Common Criteria
                             Certification
    Microsoft's Windows 2000 has received Common Criteria certification,
    making the operating system easier to sell to the governments of
    15 countries that recognize the certification. The certification
    does not guarantee freedom from bugs, but attests to the fact that
    the development and support of the product meet certain standards.
    The process took nearly three years and cost Microsoft millions
    of dollars. Microsoft says the certification is evidence of its
    commitment to Trustworthy Computing.
    http://news.com.com/2100-1001-963776.html
    http://www.nwfusion.com/auddev/pop/MicrosoftFOC211.html
    http://www.theregister.co.uk/content/55/27845.html
    [Editor's Note (Ranum): People who don't understand Common Criteria
    are sure to be impressed by this. Just as Windows NT was evaluated as
    "C2," this is not a significant result.
    (Grefer): "Trustworthy Computing" was introduced by MS this year;
    how can they claim an evaluation they had performed for easing
    their government sales efforts to be evidence of their commitment to
    Trustworthy Computing?]

     --29 & 30 October 2002 CIA Warns of Cyberthreats from Extremist
                             Groups
    In a report to the Senate Intelligence Committee, the CIA warned of
    terrorist cyberthreats. Several of the groups named have reportedly
    put developing cyber skills at the tops of their lists. The FBI is
    monitoring potential threats. The report also warned of the danger
    of making sensitive scientific data, like nuclear weapons information,
    available on the Internet.
    http://news.com.com/2100-1023-963771.html
    http://www.vnunet.com/News/1136404

     --29 October 2002 Don't Put Security in the Hands of Home Users
    The author of this commentary contends that relying on individuals
    to help secure cyberspace, as is suggested in the National Strategy
    to Secure Cyberspace, is not a workable plan because home users
    are unreliable, often failing to understand the basics of computers
    and the dangers lurking in unsafe Internet practices. The author
    suggests that Internet service providers (ISPs) bear a portion of
    the security burden by implementing measures like egress filtering,
    which is likely to result in higher costs to users.
    http://zdnet.com.com/2100-1107-963665.html
    [Editor's note (Schultz): I'm glad to see this view expressed, and
    agree with its author 100 percent. Calling on home users to become
    more secure as part of a strategy to secure the critical infrastructure
    was and is ludicrous.
    (Paller) Though I see real value in educating home users about
    security risks, expecting them to take the principal responsibility
    for computer safety is not all that different from asking air travelers
    to buy parachutes and bring them along on airplanes.]

     --29 October 2002 Security Flaws in Half of Crypto Modules Submitted
                        for FIPS Validation
    The director of the National Institute of Standards and Technology's
    (NIST's) Cryptographic Module Validation program said that 80 of the
    164 modules submitted for Federal Information Processing Standard
    (FIPS) validation contained security flaws, as did 88 of the 332
    validated algorithms. Federal agencies have to use FIPS compliant
    cryptography products for sensitive, unclassified data.
    http://www.gcn.com/vol1_no1/daily-updates/20344-1.html

     --29 October 2002 Chinese Government Thwarted May 2002 Cyberattacks
    Air Force Maj. Gen. John Bradley, deputy commander of the Pentagon's
    Joint Task Force on Computer Network Operations, said that the Chinese
    government asked its citizens not to launch cyberattacks in May 2002.
    There was a barrage of attacks in April and May 2001, marking
    the anniversary of the bombing of the Chinese embassy in Belgrade.
    Bradley says that the Defense Department is its "own worst enemy" when
    it comes to computer security; 85% of cyberattacks on DOD computers
    could be prevented if administrators applied patches in a timely
    manner and used good security procedures.
    http://www.upi.com/view.cfm?StoryID=20021029-121924-5101r
    [Editor's Note (Schultz): Bradley's findings are nothing new, but can't
    the military, with its well-defined chain of command and well-defined
    consequences for not following orders, fix its vulnerabilities much
    easier than industry, civilian government, and academia?]

     --29 October 2002 DoD's Defense Procurement Payment System has
                        Security Flaws
    According to a report from the Pentagon's Inspector General, the
    Defense Department's Defense Procurement Payment System (DPPS)
    lacks adequate access controls and a failure contingency plan.
    The vulnerabilities could delay the system's deployment, which is set
    for September 2003. The DPPS does not comply with the 2000 Government
    Information Security Reform Act (GISRA). DPPS does not presently use
    adequate encryption or password protection, and it does not adequately
    test continuity plans.
    http://207.27.3.29/dailyfed/1002/102902a2.htm

     --29 October 2002 IP Smart Spoofing
    This paper describes IP Smart Spoofing, an IP spoofing technique that
    uses ARP Cache Poisoning, network address translation and routing.
    http://www.althes.fr/ressources/avis/smartspoof-en.pdf
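    The technique in the paper above starts with ARP cache poisoning: the
    attacker answers ARP for an address that belongs to another host so
    that traffic is routed through it. The following Python is an added
    example, not code from the paper or its authors, showing the
    defender's side: a detector fed a constructed stream of ARP replies
    that raises an alert when an IP address moves to a different MAC, and
    again when one MAC starts answering for more than one address (the
    pattern of a host inserting itself between a victim and the gateway).
    The addresses and the trusted baseline are constructed.

```python
"""Detect ARP cache poisoning from a stream of ARP replies. Added example
of the defender's view of the technique; SAMPLE_REPLIES and TRUSTED are
constructed."""
from collections import defaultdict


def detect_arp_poisoning(replies, trusted=None):
    """replies: iterable of (seq, sender_ip, sender_mac) taken from ARP
    'is-at' packets, in arrival order. trusted: optional {ip: mac}
    baseline (for example the gateway learned from a known-good capture).
    Returns a list of alert strings."""
    seen = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in seen.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        prev = seen.get(ip)
        if prev == mac:
            continue                      # consistent with what we already know
        if prev is not None:
            alerts.append(f"#{seq}: {ip} moved from {prev} to {mac} (possible poisoning)")
            ips_by_mac[prev].discard(ip)
        seen[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            # One interface claiming several addresses is the signature of
            # a host that has poisoned both ends of a conversation.
            alerts.append(f"#{seq}: {mac} now answers for "
                          f"{sorted(ips_by_mac[mac])} (possible MITM)")
    return alerts


# Constructed baseline and reply stream: the gateway is known; a third
# host (…:99) first claims the gateway's address, then a client's.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}
SAMPLE_REPLIES = [
    (1, "192.168.1.10", "00:11:22:33:44:10"),   # client announces itself
    (2, "192.168.1.1", "00:11:22:33:44:01"),    # gateway, consistent
    (3, "192.168.1.1", "00:11:22:33:44:99"),    # gateway address hijacked
    (4, "192.168.1.10", "00:11:22:33:44:99"),   # client address hijacked too
]

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES, trusted=TRUSTED):
        print(line)
```

    The first heuristic on its own is noisy on networks with DHCP churn
    or failover pairs that legitimately move an address between
    interfaces; the second is the one worth paging on, since a single MAC
    answering for both a gateway and a client has no benign explanation
    on an ordinary segment.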

     --28 October 2002 Global Cyber Security Center Possible
    Representatives from US and European business and government discussed
    the possibility of creating a global IT security center modeled on
    the international center that helped stave off problems for Y2K.
    http://207.27.3.29/dailyfed/1002/102802tdpm2.htm

     --28 October 2002 Cyber Attacks Up at Air Force Base
    John Gilchrist, chief of information assurance at Hill Air Force Base
    in Utah, confirms that the number of cyberattacks on base computer
    networks has shown a steady increase since September 11, 2001. It is
    hard to tell who is behind the attacks. Gilchrist said the people
    in his department have warded off every attempted attack. There is
    no classified data on military systems connected to the Internet,
    but intruders could shut down systems.
    http://deseretnews.com/dn/view/0,1249,415016145,00.html

     --23 October 2002 Reverse Engineering Malware
    This article describes the tools and procedures involved in reverse
    engineering Trojans, viruses and other "hostile code."
    http://online.securityfocus.com/infocus/1637

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
    Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sans@sans.org with the subject:
    Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE9ySWk+LUG5KFpTkYRAhNGAJkBmAa4AM7ITmat9xe9qpX3iX0fogCgnI83
    LHNM3y8lIjGH7ABh6xyYk0Y=
    =Pwzc
    -----END PGP SIGNATURE-----