From: The SANS Institute (NewsBites_at_sans.org)
Date: Tue Nov 26 2002 - 09:09:40 CST



    SANS is now able to offer its award-winning training courses in-house
    at user sites where 20 or 30 or more people need to learn to harden
    UNIX or Windows, learn intrusion detection in depth, learn the
    essentials of security, or learn the technical side of security
    auditing. These courses are taught by the same extraordinary
    faculty for which SANS programs are best known. By bringing the
    courses in house you save travel costs, get reduced student fees,
    and facilitate information sharing among your co-workers. Details:
    http://www.sans.org/onsite

                                        Alan

    ***********************************************************************
    SANS NewsBites November 26, 2002 Vol. 4, Num. 48
    ***********************************************************************

    VULNERABILITY MISMANAGEMENT
    19 & 20 November 2002 Study Shows Many Haven't Patched OpenSSH
                           Vulnerability
    19 & 20 November 2002 Federal Agency Security Still Weak, Says GAO
    18 & 21 November 2002 BIND Patch Delay Causes Frustration

    THE REST OF THE WEEK'S NEWS
    25 November 2002 Three Charged in Massive Identity Theft
    22 November 2002 Alcatel Vulnerability
    20 & 21 November 2002 Microsoft Releases a Patch for MDAC Flaw and
                           a Cumulative IE Fix
    20 November 2002 Cyber Extortionist Detained in Russia
    20 November 2002 Study Shows Internet Resilient, but Security Measures
                      are Still Needed
    17 & 20 November 2002 Breeders' Cup Suspect Pleads Guilty
    20 & 22 November 2002 Unsecured Microsoft Server Exposes Customer Data
    19 November 2002 Students Caught Using Technology to Cheat on GRE
    19 November 2002 Microsoft Tailors Bulletins to End Users
    20 & 22 November 2002 Data Thieves Target eBay Customers
    19 November 2002 eBay Informs Customers of Possible Security Breach
    19 November 2002 Tracking Down the Military Systems Hacker
    19 November 2002 U.K. Firms Must Comply with Software Licenses
    18 November 2002 al Qaeda May Turn to Internet for Attack Vector
    18 November 2002 National Cyberspace Response Center Proposed
    18 November 2002 Active Internet Content is a Growing Problem

    SECURITY TRAINING NEWS
    *SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20
    Includes a free, evening step-by-step program for implementing a Top
    20 vulnerability remediation program. San Francisco is often warmer
    and less crowded in December than in August.
    *Smaller classes in Orlando, Vienna, VA, New Orleans, and Austin and
    San Antonio, TX, Honolulu (in February!) and more.
    *See: http://www.sans.org for details of all SANS training and
    certification programs.

    ********* This Issue Sponsored by Internet Security Systems ***********

    ***** FREE Security Paper: ARE YOU PROTECTED FROM HYBRID THREATS? *****

    Intrusion Protection Solutions from ISS automatically detect, prevent
    and respond to vulnerabilities and attacks--before they can disrupt
    or destroy online business interactions.

    Download White Paper here: http://www.iss.net/ad/ht_sans112702

    ***********************************************************************

    VULNERABILITY MISMANAGEMENT
    We begin this week with three stories that show how all of us, security
    practitioners, policy makers, and researchers, are mismanaging the
    critical process of finding and removing security vulnerabilities.

     --19 & 20 November 2002 Study Shows Many Haven't Patched OpenSSH
                              Vulnerability
    A recent study showed that 30% of systems running OpenSSH remained
    unpatched even after the Slapper worm illuminated the OpenSSH
    vulnerability. Speculations about why the problem has not been fixed:
    (1) lack of full time administrators, (2) stringent deadlines that
    don't allow time for installing patches and (3) server maintenance
    responsibility being given to people who have little security training.
    It is also possible that some systems weren't patched because of
    fears the patch might have an adverse effect on the system.
    http://news.com.com/2100-1001-966398.html
    http://www.newscientist.com/news/news.jsp?id=ns99993090
    [Editor's Note (Murray): This report is exceptionally well done.
    An ounce of it is worth a pound of intuition or two pounds of good
    intentions.]

     --19 & 20 November 2002 Federal Agency Security Still Weak, Says GAO
    According to a General Accounting Office (GAO) report, 24 U.S. federal
    agencies and departments suffer from "pervasive" computer system
    security problems. Many were found to be vulnerable to internal
    sabotage. The report came down especially hard on the Transportation
    Department.
    http://www.wired.com/news/politics/0,1283,56474,00.html
    http://www.govexec.com/dailyfed/1102/111902h1.htm
    http://www.gcn.com/vol1_no1/daily-updates/20547-1.html
    http://www.gao.gov/new.items/d03303t.pdf
    http://www.washingtonpost.com/wp-dyn/articles/A12321-2002Nov19.html
    [Editor's Note (Ranum): That this is news to anyone is amazing... With
    the number of times GAO has skewered fed computing, why is this problem
    persistent? In corporate America there would be a house-cleaning of
    the IT department following years of such consistently poor showings
    in audits.
    (Murray): Rather than focusing on the findings, the average reader
    would do well to look at what was measured.
    (Paller): Murray gets the gold star. The grades are especially low
    because they measure report-writing skills in areas of security that
    can never be fully effective, rather than areas where security must
    be and is being substantially improved in federal agencies. Until
    the metrics being used reflect progress toward actual best practices,
    the grades will be no more than fodder for Fed-bashers.
    (Northcutt): I have serious concerns about what is being measured.
    I think that over the past two years it has become increasingly
    clear that removing unneeded software, vulnerability scanning and
    rapid patching give you the biggest bang for the buck.]

     --18 & 21 November 2002 BIND Patch Delay Causes Frustration
    While organizations and people who paid to be on the Internet Software
    Consortium's (ISC's) early alert list received warning of the BIND
    vulnerabilities in late October, others had to wait until November 12
    for a patch to be released. Even then, people had to e-mail requests
    for patches; the next day the patch was made publicly available on
    ISC's web site.
    http://computerworld.com/securitytopics/security/story/0,10801,75954,00.html
    http://zdnet.com.com/2100-1105-966669.html
    [Editor's Note (Murray): This was a public relations disaster, with
    some indication of questionable intent, but not much else.]

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) Dorian Software Creations: Automate Event Log and Syslog
    Monitoring, Archiving, and Analysis!
    http://www.sans.org/cgi-bin/sanspromo/NB104

    (2) ALERT! Outsmart attacks such as: SQL Injection, XSS and Cookie
    Manipulation http://www.sans.org/cgi-bin/sanspromo/NB105

    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

     --25 November 2002 Three Charged in Massive Identity Theft
    Philip Cummings of Bayshore, NY, and two associates were charged with
    selling stolen personal credit reports to other people who used the
    credit information for personal profit. The alleged crime involved
    tens of thousands of credit reports and millions of dollars.
    http://story.news.yahoo.com/news?tmpl=story&ncid=578&e=3&cid=578&u=/nm/20021125/ts_nm/crime_identity_dc

     --22 November 2002 Alcatel Vulnerability
    CERT/CC has issued a warning about a back door in Alcatel Operating
    System version 5.1.1. Customers are advised to upgrade their software.
    http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270140,00.htm
    http://www.cert.org/advisories/CA-2002-32.html
    [Editor's Note (Ranum): This is an important reminder that "appliances"
    still run software inside and are vulnerable to the same kind of
    mistakes as general purpose environments. Just because you can't see
    a Login: prompt doesn't mean that there's no Telnetd. Just because
    it's not Windows or UNIX doesn't mean VXworks has no root shell. (and
    just because you call it something other than VXworks doesn't mean
    it's not VXworks)]

     --20 & 21 November 2002 Microsoft Releases a Patch for MDAC Flaw
                              and a Cumulative IE Fix
    Microsoft has released a bulletin about and a patch for a buffer
    overflow vulnerability in the Remote Data Services (RDS) component
    of Microsoft Data Access Components (MDAC) v 2.1, 2.5 and 2.6.
    The flaw could be exploited to run malicious code on vulnerable
    systems. The flaw affects certain versions of Windows NT, 2000 and
    ME and possibly other operating systems; Windows XP is not affected.
    Microsoft has also released a cumulative patch for Internet Explorer.
    http://news.com.com/2100-1001-966575.html
    http://www.computerworld.com/securitytopics/security/story/0,10801,76085,00.html
    http://www.cert.org/advisories/CA-2002-33.html
    MDAC Bulletin:
    http://www.microsoft.com/technet/security/bulletin/ms02-065.asp
    IE Bulletin:
    http://www.microsoft.com/security/security_bulletins/ms02-066.asp

     --20 November 2002 Cyber Extortionist Detained in Russia
    Moscow police have detained a man who allegedly tried to extort
    $4,000 from a U.S. company in exchange for not destroying data on
    its web site.
    http://www.interfax.ru/one_news_en.html?lang=EN&tz=0&tz_format=MSK&id_news=5606700

     --20 November 2002 Study Shows Internet Resilient, but Security
                         Measures are Still Needed
    A report from the National Academy of Sciences says that though the
    Internet held up surprisingly well under the attacks of September 11th,
    2001, Internet service providers would be well advised to prepare for
    future emergencies. Businesses that rely on the Internet should have
    disaster recovery plans in place.
    http://story.news.yahoo.com/news?tmpl=story2&cid=528&ncid=528&e=5&u=/ap/20021121/ap_on_hi_te/attacks_internet
    http://www.internetnews.com/xSP/article.php/1546321
    [Editor's Note (Ranum): It's not surprising that the Internet held up
    well under the attacks of Sept 11 - the Internet wasn't under attack!!!
    (Northcutt): Concur, I was getting ready to award this the
    worst example of journalism for the week, but it turns out the writer
    took it directly from the National Academy of Science press release:
    http://www4.nationalacademies.org/news.nsf/isbn/0309087023?OpenDocument
    The article is probably not going to sell many National Academy
    of Science pre-publication softcovers which is too bad because
    the authors include Craig Partridge and David Clark and those
    boys have been around and know their stuff. So if you can
    look past the advertising, the report is probably pretty
    solid. http://www.nap.edu/catalog/10569.html?onpi_topnews_112002
    (Murray): The Internet served us well on 9/11 under unusual load
    and circumstances, not under attack. This was precisely the set of
    conditions that it was designed to deal with. It was not designed
    to deal with attacks. That it coped well with what it was designed
    to cope with tells us little about how it will cope with things for
    which it was not designed.]

     --17 & 20 November 2002 Breeders' Cup Suspect Pleads Guilty
    A former Autotote employee pleaded guilty to manipulating computerized
    racing wagers. Chris Harn apparently fixed it so that a friend won
    the Pick Six wager in the Breeders' Cup race in October. Harn also
    manipulated smaller bets and pocketed the money. Though he could face
    up to 25 years in prison for his actions, Harn will probably serve
    far less time. He could be made to pay $280,000 in restitution.
    Two other men in the case could face sentences of up to five years
    for wire fraud. The second half of the Sunspot article offers a
    detailed account of the events leading to the investigation of the
    three men's activities.
    http://www.sunspot.net/sports/horseracing/bal-sp.picksix17nov17,0,7543893.story
    http://www.wired.com/news/politics/0,1283,56498,00.html

     --20 & 22 November 2002 Unsecured Microsoft Server Exposes Customer
                              Data
    Microsoft took a file transfer protocol (FTP) server offline after
    becoming aware that numerous files, including a database containing
    millions of customer e-mail and home addresses, were accessible.
    Some speculate that an inadequately enforced internal security policy
    was to blame for the data exposure. The server was intended for use
    by Microsoft and its customers to exchange patches and other data.
    Some employees were apparently treating it as if it were a secure
    internal server. The confidential files were protected by a password
    which was easily obtained by a password cracking program. Microsoft
    put the server back on line with the confidential files removed.
    http://www.wired.com/news/infostructure/0,1377,56481,00.html
    http://www.theregister.co.uk/content/55/28252.html

     --19 November 2002 Students Caught Using Technology to Cheat on GRE
    Two Columbia University students have been arraigned on charges of
    unlawful duplication of computer material and third-degree burglary.
    The pair allegedly attempted to use $12,000 worth of technology
    to gather questions from the Graduate Record Examination (GRE).
    They claimed they were trying to boost their scores so they could
    get scholarships to graduate school, but authorities suspect they
    were gathering the data to sell it for profit.
    http://www.nytimes.com/2002/11/20/education/20EXAM.html

     --19 November 2002 Microsoft Tailors Bulletins to End Users
    In addition to the technical bulletins it publishes for professionals,
    Microsoft will begin publishing less technical security bulletins
    for end users. The end-user bulletins will provide steps they can
    take to secure their computers. The list will also limit which
    vulnerabilities home users hear about; presently they get all the
    bulletins, including those which do not apply to their systems.
    The new alert service should be up and running by the end of the year.
    http://www.computerworld.com/securitytopics/security/story/0,10801,76033,00.html
    http://news.com.com/2100-1001-966347.html
    Microsoft has also revised its vulnerability rating system:
    http://www.microsoft.com/technet/security/policy/rating.asp
    [Editor's Note (Schultz): This is a great idea! Why overwhelm home
    users with information they cannot use?]

     --20 & 22 November 2002 Data Thieves Target eBay Customers
    Some of the e-mails eBay.com customers have been receiving are
    legitimate, but others are phony, coming from scammers hoping to obtain
    their personal information. One week ago, eBay.com inadvertently
    exposed some customer e-mail addresses, giving data thieves opportunity
    to get their hands on information that would allow them to perpetrate
    such scams. Victims are led to phony pages that appear to be from
    eBay asking for account update information. A stolen credit card
    number was used to set up one of the fraudulent sites.
    http://www.msnbc.com/news/837882.asp?0dm=T249T
    http://news.com.com/2100-1017-966835.html

     --19 November 2002 eBay Informs Customers of Possible Security Breach
    Some eBay.com customers have been receiving e-mails from the company
    informing them that their accounts may have been compromised and asking
    them to establish new passwords. One member was asked to fax eBay.com
    a copy of his driver's license in order to reinstate his account.
    http://www.msnbc.com/news/837329.asp?0dm=T279T

     --19 November 2002 Tracking Down the Military Systems Hacker
    Benjamin Winter, a network specialist who works for Illinois Century
    Network, helped the Navy to track down U.K. cracker Gary McKinnon, who
    has been indicted on charges of breaking into U.S. military computer
    systems. Winter was doing some work for a public library when the Navy
    notified him that Internet traffic there was under investigation; they
    asked Winter to keep the site up and to monitor the suspicious traffic.
    http://www.news-gazette.com/story.cfm?Number=12728
    [Editor's Note (Murray): Our readers should be very careful when
    asked to cooperate in an investigation that they know who they are
    cooperating with. They should also consult legal counsel to ensure
    that the activity that they are asked to engage in is both legal
    and properly authorized. The request may not really be from law
    enforcement; rogue hackers pose as good guys.]

     --19 November 2002 U.K. Firms Must Comply with Software Licenses
    New provisions amended to the U.K.'s 1988 Copyright, Designs and
    Patents Act allow law enforcement authorities to seize equipment from
    businesses found to be in violation of the terms of their software
    user licenses.
    http://news.zdnet.co.uk/story/0,,t269-s2126185,00.html

     --18 November 2002 al Qaeda May Turn to Internet for Attack Vector
    al Qaeda and groups with similar sympathies are planning to use
    the Internet to attack the West, possibly targeting stock markets.
    Experts say the threats should not be taken lightly.
    http://www.computerworld.com/securitytopics/security/story/0,10801,76000,00.html

     --18 November 2002 National Cyberspace Response Center Proposed
    Among five priorities proposed by the president's Critical
    Infrastructure Protection Board (CIPB) for the National Strategy to
    Secure Cyberspace is the creation of a national cyberspace response
    center. The center would alert federal, state and local governments
    as well as private businesses to cyber security concerns and share
    information.
    http://www.fcw.com/fcw/articles/2002/1118/news-cyber-11-18-02.asp
    [Editor's Note (Ranum): Sharing information is OBVIOUSLY not the
    problem. Getting government computer and network admins to fix their
    systems is a much bigger problem. This "sharing information" stuff is
    nonsense; enough information is already being shared today - people
    need to LISTEN to, and ACT on, what is already public knowledge.]

     --18 November 2002 Active Internet Content is a Growing Problem
    A report from the Aberdeen group says that active Internet content
    is a greater security problem than are viruses. Active Internet
    content can contain software that logs keystrokes to gather passwords
    and other sensitive data or redirect data to spoofed DNS addresses.
    The report suggests that most businesses' and home users' computers
    are infected with some sort of active Internet content.
    http://advisor.com/doc/11501

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
    Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sans@sans.org with the subject:
    Subscribe NewsBites

    To change your subscription, address, or other information, visit
    https://www.sans.org/sansurl/ and enter your SD number or email address
    (from the headers). You will receive your personal URL via email.
