From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Nov 13 2002 - 09:41:52 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
***********************************************************************
SANS NewsBites November 13, 2002 Vol. 4, Num. 46
***********************************************************************
TOP OF THE NEWS
11 November 2002 CA Law Requires Reporting of Certain Security
Breaches
5 & 8 November 2002 Breeders' Cup Investigation Continues
12 November 2002 One Week Left For National Cyber Security Strategy
Comments [Please Add Your Voice]
4 November 2002 Financial Sector Cyber Incidents Often Go Unreported
THE REST OF THE WEEK'S NEWS
14 November 2002 Cybersec Funding Bill Goes to the President
3 November 2002 National Cyber Forensics and Training Alliance
11 November 2002 Optical Antenna Improves Wireless Security
11 November 2002 US Military Site Hacker to be Indicted
11 November 2002 Some Interior Systems Still Disconnected
8 & 11 November 2002 Kaspersky Labs Mailing List Hit with Infected
Virus Warning
8 November 2002 Symantec Releases Patch for e-Mail Deletion Flaw
8 November 2002 Churchill Downs Implements Security Procedures
8 November 2002 UK Company to Use Signature Capture Biometrics
7 & 8 November 2002 Japan Police Sites Probed
7 November 2002 Michigan Man Pleads Guilty to Stealing Files from
Former Employer
6 & 7 November 2002 VeriSign Separates Two Root Servers
6 November 2002 Lotus Domino Security Flaw Troubles U.S. Navy Sites
6 November 2002 OASIS Approves SAML v.1
6 November 2002 e-Mail from Certain Business Sectors More Likely to
Carry Viruses
6 November 2002 Bermudan Bank Site Defaced
6 November 2002 CD Copy Protection Won't Work
6 November 2002 UK Government Seeking to Improve Disaster Recovery
Methods
5 & 7 November 2002 Bill Would Fund Cyber Censorship Circumvention
Technologies
5 November 2002 Phone Phreakers Rack Up $11,000 Bill in Ohio
5 November 2002 Cyber Sabotage Stories
5 November 2002 Self-Healing Database Software
5 November 2002 Mozilla Vulnerabilities
4, 5 & 6 November 2002 e-Voting Needs Audit Trails
4 November 2002 Advice Isn't Always Worth the Cost
4 November 2002 Researcher Develops Prime Number Determination Method
VIRUSES AND OTHER MALWARE
12 November 2002 Maz.A Trojan
6 & 7 November 2002 Roron Worm
POSSIBLE THOUGHTS FOR THE NATIONAL STRATEGY
***********************************************************************
A FEW WORDS FROM STEPHEN NORTHCUTT ABOUT YEAR END MONEY
I used to keep my lab up to date by spending year-end money other
people had not used. You may have year end training money available;
it couldn't hurt to check! SANS is offering conferences in Orlando FL,
San Francisco and the greater Washington DC area, http://www.sans.org
If you only have a little money available, you might want to invest
in a 2 day hands on "Flight School" workshop. If you have training
money, but can't travel, consider the local mentor or instructor led
online approaches to learning!
http://www.sans.org/onlinetraining/mentor.php
http://www.sans.org/onlinetraining/ilot.php
************** This Issue Sponsored by PentaSafe **********************
Make sense of security events and log files with PentaSafe's new
VigilEnt Intrusion Manager
Spending hours sorting through event data? The VigilEnt Intrusion
Manager - Log Analyzer consolidates raw event data from your operating
systems, firewalls, IDS systems and more, then uses a sophisticated
analysis engine to pinpoint security trends across your enterprise.
VIEW DEMO: http://www.pentasafe.com/products/vim
***********************************************************************
TOP OF THE NEWS
--11 November 2002 CA Law Requires Reporting of Certain Security
Breaches
California has passed a law requiring State agencies and private
businesses to report cyber security breaches that may have compromised
confidential information. As of July 1, 2003, those who fail to
comply with the law face civil or class action suits.
http://www.businessweek.com/technology/content/nov2002/tc20021111_2402.htm
--5 & 8 November 2002 Breeders' Cup Investigation Continues
The FBI has joined the investigation into whether three former
fraternity brothers were involved in a scheme to manipulate off-track
betting computers to guarantee a large win. One of the men, who
worked for Autotote, was fired a week ago. The three men allegedly
exchanged e-mail in the weeks before the suspicious October 26th bets;
the Autotote employee may have altered the bets after the first few
races were run. Officials were uncertain whether the Autotote system
generates reports when a "superuser" alters bets or other files.
http://espn.go.com/horse/news/2002/1105/1456465.html
http://www.msnbc.com/news/832689.asp
http://www.msnbc.com/news/828779.asp
--12 November 2002 One Week Left For National Cyber Security
Strategy Comments
In one week, the open comment period closes for the National
Strategy to Secure Cyberspace. At the end of this issue of NewsBites
(right after the VIRUSES stories), we've included several suggestions
developed by some of the people who have taken a lot of time to review
the strategy. Read the strategy, take a look at the suggestions,
and then express your thoughts. Whether or not the ideas presented
here are consistent with your views, please express your suggestions,
support and criticism. It's rare that policy makers ask for input from
the technical community. It would be a shame to waste the opportunity.
http://www.whitehouse.gov/pcipb/
--4 November 2002 Financial Sector Cyber Incidents Often Go
Unreported
World Bank security expert Tom Kellermann cites studies that indicate
as many as 80% of cybersecurity breaches at financial institutions
go unreported. Banks and other financial institutions are often
more willing to pay extortionists than they are to go public with
information that could damage their reputation.
[Editor's Notes (Ed Skoudis, Guest Editor): Based on what I've seen
in the financial sector, a lot of this 80% number depends on how you
define a "breach." Sure, financial institutions don't report every
scan they get, or every time someone finds a slight flaw in a web app.
That's a lot of the 80% right there. They are only required to report
incidents to the government that materially impact their customers,
which is a very small portion of all attacks indeed. That said, cyber
extortion does occur, just not at the rate implied in the article.
I have worked cases where brokerage firms did pay extortionists to
defuse logic bombs so that they could continue trading.
(Schultz): Information security staff members at financial institutions
are undoubtedly chuckling as they read this news item--80 percent is
certainly a gross underestimate!
(Murray): Though the publicity for banks is often significantly more
damaging than the original event (we have had at least one bank fail
because of the publicity of a loss that they could easily absorb), it
is a felony for banks to conceal material losses from the regulators.
This is the only industry for which this is true. While they must tell
the regulators, they need not and should not tell the press. I do not
know of any banks that do or would pay extortion or any responsible
security consultants that would advise them to do so.]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Special Bundle Pricing on RealSecure(r) for Nokia latest technology
http://www.sans.org/cgi-bin/sanspromo/NB99
(2) IDS CRYING WOLF? Stop false positives. Stop scouring logs.
FREE white paper. http://www.sans.org/cgi-bin/sanspromo/NB100
***********************************************************************
THE REST OF THE WEEK'S NEWS
--14 November 2002 Cybersec Funding Bill Goes to President
H.R. 3394, which allocates $903 million for cybersecurity research,
was approved today on a voice vote. The bill, also known as the Cyber
Security Research and Development Act (CSRDA), includes $25 million
earmarked for increasing the number of qualified college-level
cyber-security instructors and $144 million for establishing Computer and
Network Security Research Centers; it also requires the National
Institute of Standards and Technology (NIST) to create cybersecurity
checklists for use by government agencies. However, on urging from
the computer industry, Congress removed provisions asking federal
agencies to use the checklists.
http://www.atnewyork.com/news/article.php/1499391
[Editor's Note (Paller): Don't start spending the money yet. The
appropriations committees must specifically approve funds before
they can be spent. Any combination of a war in Iraq, prescription
drug measures, and additional tax cuts will put enormous pressure on
Congress to trim discretionary spending.]
--3 November 2002 National Cyber Forensics and Training Alliance
The National Cyber Forensics and Training Alliance in Pittsburgh
will train investigators in methods of tracking down cyber evidence.
The alliance is comprised of federal and local law enforcement
agencies, businesses and institutions of higher education in Pittsburgh
and West Virginia. Other such alliances exist around the country,
but the one in Pittsburgh is the first to have a training center.
http://www.phillyburbs.com/couriertimes/news/news/1103cybersleuths.htm
[Editor's Note (Northcutt): I hope this project succeeds and that
they reach out and team with the existing and respected High Tech
Crime Investigation Association, http://www.htcia.org/ that has been
serving a similar function for years without government funding.
More information about the NCFTA alliance can be found at:
http://www.geocities.com/teemukah/ncfta.html
Alliances like this must be part of the government's plan to disburse
the money from the Cybersecurity Funding Bill (described in the
previous story).]
--11 November 2002 Optical Antenna Improves Wireless Security
British research scientists have developed an optical antenna they
say can increase wireless network security. The antenna transmits
and receives infrared signals instead of radio signals, and so can
be more focused and controlled.
http://news.com.com/2100-1033-965239.html
--11 November 2002 US Military Site Hacker to be Indicted
A British man is likely to be indicted very soon in federal courts in
New Jersey and northern Virginia on charges stemming from a series of
cyberattacks against U.S. military computer networks. Authorities are
considering trying to have the man extradited to the U.S.
http://www.msnbc.com/news/833723.asp?0dm=C228T
--11 November 2002 Some Interior Systems Still Disconnected
Almost a year after a federal judge ordered the Department of the
Interior disconnected from the Internet due to serious cyber security
problems, 6 per cent of its systems remain off line; most of those
systems deal with the Department's Bureau of Indian Affairs trust
funds.
http://www.fcw.com/fcw/articles/2002/1111/web-interior-11-11-02.asp
--8 & 11 November 2002 Kaspersky Labs Mailing List Hit with Infected
Virus Warning
Hackers launched an attack against Kaspersky Labs' server, accessed
the company's newsletter e-mail distribution list, and sent a copy of
a newsletter with the Braid or Bridex worm attached. Kaspersky has
addressed the vulnerability the hackers exploited.
http://news.com.com/2100-1001-965130.html
http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,75812,00.html
--8 November 2002 Symantec Releases Patch for e-Mail Deletion Flaw
Symantec has released a patch for a security flaw in the anti-spam
feature of Norton Internet Security 2003 that deleted some users'
e-mails. The patch is available from the company's Live Update site.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,75765,00.html
http://www.theregister.co.uk/content/56/28010.html
--8 November 2002 Churchill Downs Implements Security Procedures
In the wake of a suspiciously large payoff for a series of bets
made at the Breeders' Cup, Churchill Downs, Inc. is establishing a
number of security procedures in its computerized betting system.
Automatic betting will be locked out at least a minute before the
start of the race to allow final odds to be tabulated and posted
prior to the start of the race. Bets will only be accepted from hub
facilities that have front-end recording devices that leave audit
trails, and winning bets in multiple simulcast races will be reviewed.
http://www.msnbc.com/news/832687.asp
--8 November 2002 UK Company to Use Signature Capture Biometrics
UK building society Nationwide plans to use signature capture biometric
technology to help prevent fraud. Customers will be asked to sign
their names up to six times for the system to decide that it has an
accurate picture of that individual's writing style, including how
the pen is held, what type of pressure is exerted and how quickly
that person writes.
http://news.bbc.co.uk/2/hi/technology/2420143.stm
[Editor's Note (Schultz): I wonder how willing customers will be
to sign their names up to six times when competitor banks require
less rigorous authentication procedures. Human factors/usability
considerations are among the most important, yet neglected variables
in information security today.]
--7 & 8 November 2002 Japan Police Sites Probed
According to Japan's National Police Agency, hackers tried more than
51,000 times to break into their computer systems in July, August
and September of this year. The vast majority of the attacks were
aimed at discovering what programs the computers were running.
http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20021108a3.htm
http://www12.mainichi.co.jp/news/mdn/search-news/864225/hackers-0-1.html
--7 November 2002 Michigan Man Pleads Guilty to Stealing Files from
Former Employer
Gregg Wysocki of Rochester Hills, Michigan has pleaded guilty to
criminal computer intrusion. Wysocki could receive a prison sentence
of up to five years and be ordered to pay a $10,000 fine for stealing
files from his previous employer and using the information they
contained to get a job with a competitor.
http://www.usatoday.com/tech/news/2002-11-07-computer-intrusion_x.htm
[Editor's Note (Shpantzer): Some organizations make it a policy to
forensically image the computers of departing employees, whether
they quit or were fired. This allows them to come back later to a
properly archived image and analyze it for potential evidence.]
--6 & 7 November 2002 VeriSign Separates Two Root Servers
VeriSign has physically and electronically separated the two DNS
root servers it operates, A and J, to help reduce the Internet's
vulnerability to attacks. Before the separation, both servers sat
on the same subnet in the same room, so a single network or physical
failure could have taken both out at once.
http://www.msnbc.com/news/831631.asp?0dm=C228T
http://news.com.com/2100-1023-964978.html
http://www.computerworld.com/securitytopics/security/story/0,10801,75711,00.html
--6 November 2002 Lotus Domino Security Flaw Troubles U.S. Navy Sites
Security problems in two U.S. Navy websites running IBM's Lotus Domino
software made confidential Navy databases accessible to web surfers.
One of the sites has been shut down and the other now requires users
to log in.
http://www.wired.com/news/technology/0,1282,56219,00.html
--6 November 2002 OASIS Approves SAML v.1
The Organization for the Advancement of Structured Information
Standards (OASIS) has approved Security Assertion Markup Language
(SAML) v.1; the single sign-on standard would allow users to visit
multiple sites with one secure sign-on.
http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,75682,00.html
http://www.internetwk.com/story/INW20021106S0013
[Editor's Note (Murray): Perhaps it can be used that way but that is
not what it does. It simply tags such data as user ID and password
so that it can be recognized across systems or applications without
further prior agreement.]
--6 November 2002 e-Mail from Certain Business Sectors More Likely
to Carry Viruses
According to a MessageLabs report, e-mails from retailing and leisure
companies are at least seven times more likely to contain a virus
than are e-mails from accounting and legal businesses. The cause is
suspected to be the fact that retailing and leisure industries have
a closer relationship with home users, who are generally not careful
about computer security. The study showed the retail and leisure
industry with 1 in 50 infected e-mails, finance and banking with 1
in 101, and accounting and legal with less than 1 in 350.
http://www.zdnet.com.au/newstech/security/story/0,2000024985,20269688,00.htm
--6 November 2002 Bermudan Bank Site Defaced
Hackers may have exploited a Microsoft operating system vulnerability
to deface two Bermudan websites, including that of the Bank of
Butterfield. Bank officials say no customer data was compromised.
The site hosts are recommending that their clients who work with data
that needs to be protected switch to their Unix based hosting platform.
http://www.bermudasun.bm/cgi-local/edpull.pl?cat=01News&ord=03&ed=2002-11-06
[Editor's Note (Schultz): The recommendation in this news item should
add a considerable amount of fuel to the "whose operating system is
most secure" debate.]
--6 November 2002 CD Copy Protection Won't Work
Princeton University computer scientist John Halderman says that
CD copy protection is futile because both software and hardware
are constantly being upgraded. Halderman suggests that the music
industry reduce the cost of new CDs to the point where it would be
less expensive to buy one than to make a copy.
http://www.newscientist.com/news/news.jsp?id=ns99993020
[Editor's Note (Shpantzer): Making CDs available at a lesser cost
than copying them is not feasible. However there are now reasonably
priced internet-based music distribution sites such as PressPlay.com
and Listen.com. These are not free nor as cheap as making a copy,
but they are moving in the right direction for giving honest people
a way to get the custom download experience.]
--6 November 2002 UK Government Seeking to Improve Disaster Recovery
Methods
The UK government's Parliamentary Communications Directorate is
inviting bids for a data back-up and disaster recovery system
to replace their present tape systems. If it works well, other
departments are likely to implement similar systems.
http://www.vnunet.com/News/1136621
--5 & 7 November 2002 Bill Would Fund Cyber Censorship Circumvention
Technologies
Proposed legislation would provide $100 million over two years to
groups developing technologies that circumvent cyber censorship
measures such as those used by the Chinese government. There is
some concern that the technologies will be detected and thwarted by
Chinese authorities and that those found using them would be punished.
http://www.wired.com/news/politics/0,1283,56195,00.html
http://www.msnbc.com/news/831383.asp?0dm=B248T
--5 November 2002 Phone Phreakers Rack Up $11,000 Bill in Ohio
Hackers guessed an Ohio woman's voice mail password, and recorded a
message that would sound to operators as if someone were accepting
charges for a collect call so that they could use her line to
make lengthy international calls. Her one-month phone bill came to
nearly $11,000, which she did not have to pay. People should choose
voice mail passwords that are hard to guess and should change them
frequently; they should also consider blocking or limiting access to
international calls.
http://www.ohio.com/mld/ohio/news/local/4446396.htm
--5 November 2002 Cyber Sabotage Stories
Examples of insider (or former insider) cyber sabotage include a
terminated temporary employee crashing servers which irretrievably
deleted all the data and an employee sabotaging product performance
test results.
http://www.techtv.com/cybercrime/viceonline/story/0,23008,3386967,00.html
--5 November 2002 Self-Healing Database Software
Researchers at Pennsylvania State University have developed software
that allows a database under attack to repair itself even as the
attack is occurring. The software monitors database user activity;
if it appears suspicious, the user is redirected to a "dummy" database.
If it turns out that the concerns were unfounded, the user's activity
can still be merged into the true database.
http://www.washtimes.com/upi-breaking/20021104-042833-3688r.htm
--5 November 2002 Mozilla Vulnerabilities
Versions of the open source browser Mozilla prior to 1.0.1 contain
a half-dozen security vulnerabilities that could be exploited to
execute code and read files from hard drives. Red Hat suggests that
users of vulnerable versions should update their software.
http://www.theregister.co.uk/content/55/27934.html
--4, 5 & 6 November 2002 e-Voting Needs Audit Trails
The increased use of e-voting in the recent election has raised
concerns about the security of the systems. Some voters were
reporting that the systems were tallying their votes incorrectly.
Despite assurances of encryption, digital signatures and backups from
system providers, critics say the systems are not reliable enough.
The software they run is proprietary and thus unavailable for
review. Current systems provide no audit trail to check for vote
tampering or to ensure that people's votes were counted accurately.
Cryptographer David Chaum has developed a system that gives voters
encrypted receipts they can use to check whether or not their vote
was tallied properly.
http://www.cnn.com/2002/TECH/ptech/11/05/touch.screen/index.html
http://www.computerworld.com/governmenttopics/government/story/0,10801,75674,00.html
http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035773962641&call_page=TS_Business&call_pageid=968350072197&call_pagepath=Business/News&col=969048863851
[Editor's Note (Murray): The problem of ensuring the voter that his
ballot has been tallied properly while not compromising the secrecy
of that ballot, is a fundamental problem in all systems. No system
has ever done it well, least of all the voting machines that we have
been using for much of this century. However, we tend to expect both
higher integrity and demonstrability of novel technology.]
--4 November 2002 Advice Isn't Always Worth the Cost
The intrepid Security Manager, wanting to explore the options available
for migrating to a new PKI product, finds that high-priced consultants
offer little in the way of meaty advice.
http://computerworld.com/securitytopics/security/story/0,10801,75529,00.html
--4 November 2002 Researcher Develops Prime Number Determination
Method
Manindra Agrawal, a theoretical computer scientist in India, has
come up with a method for determining whether or not very large
numbers are prime. While his findings have "no immediate practical
application," Agrawal may eventually address the problem of factoring
very large numbers. The product of two very large prime numbers is
the basis for some Internet encryption.
http://www.msnbc.com/news/830300.asp
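Added example, not code from the article or from Agrawal's paper: a Python implementation of the deterministic primality test Agrawal published with Kayal and Saxena in 2002 ("PRIMES is in P", the AKS test), which is assumed here to be the method the MSNBC story refers to. It follows the published steps: rule out perfect powers, find a modulus r for which n has a large multiplicative order, trial-divide up to r, then check the polynomial congruence (x + a)^n = x^n + a modulo (x^r - 1, n) for a small range of a. The trial-division routine at the bottom is only a reference check added here to validate the result on small inputs.

```python
from math import gcd, isqrt, log2, sqrt

# Added example: the AKS deterministic primality test (Agrawal, Kayal,
# Saxena, 2002), written here for illustration; not code from the article.


def is_perfect_power(n: int) -> bool:
    """True if n == a**b for some integers a >= 2, b >= 2 (AKS step 1)."""
    for b in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // b + 1)   # a < 2**(bits/b + 1)
        while lo <= hi:
            mid = (lo + hi) // 2
            p = mid ** b
            if p == n:
                return True
            if p < n:
                lo = mid + 1
            else:
                hi = mid - 1
    return False


def multiplicative_order(n: int, r: int) -> int:
    """Smallest k >= 1 with n**k == 1 (mod r), or 0 if gcd(n, r) != 1; r >= 2."""
    if gcd(n, r) != 1:
        return 0
    k, x = 1, n % r
    while x != 1:
        x = (x * n) % r
        k += 1
    return k


def find_r(n: int) -> int:
    """Smallest r >= 2 with ord_r(n) > log2(n)**2 (AKS step 2)."""
    limit = log2(n) ** 2
    r = 2
    while multiplicative_order(n, r) <= limit:
        r += 1
    return r


def euler_phi(r: int) -> int:
    """Euler's totient of r by trial factoring (r is small here)."""
    result, m, p = r, r, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:
        result -= result // m
    return result


def poly_mulmod(a: list, b: list, r: int, n: int) -> list:
    """Multiply two polynomials (r coefficients each) modulo (x**r - 1, n)."""
    out = [0] * r
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if bj:
                    k = i + j
                    if k >= r:
                        k -= r            # x**r == 1 wraps the exponent
                    out[k] = (out[k] + ai * bj) % n
    return out


def poly_powmod(base: list, e: int, r: int, n: int) -> list:
    """base**e modulo (x**r - 1, n) by square-and-multiply."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, r, n)
        e >>= 1
        if e:
            base = poly_mulmod(base, base, r, n)
    return result


def aks_is_prime(n: int) -> bool:
    if n < 2:
        return False
    if is_perfect_power(n):                        # step 1
        return False
    r = find_r(n)                                  # step 2
    for a in range(2, min(r, n - 1) + 1):          # step 3: small factors
        if n % a == 0:
            return False
    if n <= r:                                     # step 4
        return True
    bound = int(sqrt(euler_phi(r)) * log2(n)) + 1  # step 5 (+1 is harmless)
    for a in range(1, bound + 1):
        lhs = poly_powmod([a % n, 1] + [0] * (r - 2), n, r, n)   # (x + a)**n
        rhs = [0] * r                                            # x**n + a
        rhs[n % r] = (rhs[n % r] + 1) % n
        rhs[0] = (rhs[0] + a) % n
        if lhs != rhs:
            return False
    return True                                    # step 6


def trial_division_is_prime(n: int) -> bool:
    """Reference check used only to validate the AKS result on small n."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


if __name__ == "__main__":
    for n in (2, 31, 101, 561, 1024):
        print(n, aks_is_prime(n), trial_division_is_prime(n))
```

With this naive polynomial arithmetic the test is usable only for small n, which is the "no immediate practical application" point: RSA key generators use fast probabilistic tests such as Miller-Rabin to find their primes, and a primality test, however fast, says nothing about factoring the product of two primes once it has been formed.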
VIRUSES AND OTHER MALWARE
--12 November 2002 Maz.A Trojan
The Maz.A Trojan arrives in an e-mail with a subject line announcing a
great free site; it exploits an IE 5.01 and 5.5 incorrect MIME header
vulnerability to execute automatically. A patch is available for
the flaw.
http://www.theage.com.au/articles/2002/11/12/1036308674331.html
--6 & 7 November 2002 Roron Worm
The Roron, or Oror.B worm spreads through e-mail, shared drives and
the Kazaa peer-to-peer file-sharing network. The worm's payload
includes installing several tools that allow infected machines to
be controlled by IRC messages to launch denial of service attacks.
Users become infected only if they manually launch the attachment.
Roron also searches for and deactivates some anti-virus software and
tries to delete it; in certain circumstances, Roron deletes files
from hard drives.
http://news.com.com/2100-1001-964809.html
http://www.net-security.org/virus_news.php?id=118
POSSIBLE THOUGHTS FOR THE NATIONAL STRATEGY
If any of these are consistent with your views, please
grab them and email them to the people collecting comments at
feedback@cybersecurity.gov. Don't forget to tell them who you are,
where you work, and what you do.
Whether or not these ideas are consistent with your views, please
express your suggestions, support and criticism. It's rare that policy
makers ask for input. It would be a shame to waste the opportunity.
1. From the Center For Democracy and Technology
The government needs to get its own house in order - it needs to force
agencies to do the right things. In this regard, we believe that the
National Strategy is not strong enough. We urge the Administration
to strengthen the power of OMB to mandate security [but only for
government agencies].
2. From leaders of the networking community
ISPs are the first line of defense when a cyber attack is
underway. However, the ISP community is at great risk of losing the
few remaining security experts who are capable of taking action
quickly. If the Federal government hopes to have a viable Rapid
Response capability, it must find a way to bolster the security staff
and tools available at the medium to large ISPs.
3. From another wise person
There is pressure from some people to remove the home user and
small business user from the National Strategy because, they say,
it is silly for a strategy dealing with terrorism to even consider
the home user. When the Leaves worm took over and controlled more
than 16,000 home computers, its creators had enough power to put any
site on the Internet out of business including major communications
facilities serving the military and emergency response systems. Home
users control more fire power, in the aggregate, than business users,
and they have less security, by far. Please continue to include them
in the plan.
4. From SANS Research Office (Alan Paller)
One of the most powerful ideas laid out in the draft National Strategy
is to use the government's combined buying power to provide economic
incentives for vendors to deliver and maintain safer systems.
The draft Strategy repeated the idea in the section dealing with
industry groups. Both government and industry groups can have a
profound impact. Working together they can move mountains. Please put
added emphasis in the Strategy on government-wide and industry-wide
purchasing using minimum security standards.
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
visit https://www.sans.org/sansnews/
To change your subscription, address, or other information, visit
https://www.sans.org/sansurl/ and enter your SD number or email address
(from the headers.) You will receive your personal URL via email.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE90lKp+LUG5KFpTkYRAtJcAJ0czbhVRypUgvO+4zhtOTAR3jRDlwCeMN30
JqzwAaORyPoRt2fFufT+d+Q=
=qUc3
-----END PGP SIGNATURE-----