From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Dec 04 2002 - 09:36:13 CST
The annual "Experts Predict the Future of Security" bonus issue
of NewsBites will be coming out in the next ten days. This year
we take you inside the crystal balls of Steve Northcutt, Bruce
Schneier, Gene Spafford, Marcus Ranum, Bill Murray, Gene Schultz,
plus executives of the largest security companies: Tom Noonan of ISS,
Gil Shwed of Check Point, Rob Clyde of Symantec, and Greg Akers of
Cisco. Their predictions for the next twelve months are eye-opening.
You'll receive the bonus issue if you hold a GIAC certification,
if you are a SANS alumnus, or if you have updated your surface
mail address in the past twelve months. If you haven't updated it,
directions are at the end of this email.
Alan
***********************************************************************
SANS NewsBites December 4, 2002 Vol. 4, Num. 49
***********************************************************************
TOP OF THE NEWS
27 November 2002 Cyber Security R&D Act Gets President's Signature
25, 26 & 27 November 2002 Three Arrested in Credit Report Identity
Theft Ring
25 November 2002 Pirated Software Smuggler Gets Nine Years
25 November 2002 Naval Academy Students' Computers Seized in Response
to RIAA Letter
A BIG WEEK FOR VULNERABILITY INFORMATION
25 November 2002 Proactive Vulnerability Management
27, 29 & 30 November 2002 Winevar Worm
3 December 2002 e-Commerce Shopping Cart Vulnerability
27 November 2002 Victoria's Secret Exposes Customer Order Info
2 December 2002 Mozilla Pulls New Browser Because of Security Problem
2 December 2002 Windows MDAC Flaw May Not be So Prevalent
25 November 2002 Recent Microsoft Patches May be Flawed, says
Security Company
25, 26 & 27 November 2002 RealNetworks Pulls Flawed Patch
THE REST OF THE WEEK'S NEWS
2 December 2002 eWeek Hacking Contest Winner Discloses Methods
29 November 2002 Sophos Malware Statistics for November
29 November 2002 ATM Hacker Thieves Arrested in Paris
27 November 2002 Sites Call for Cyber Jihad
24, 25 & 26 November 2002 Partnership for Public Warning Sees Need
for New, Integrated Warning System
26 November 2002 ISPs May Limit Bandwidth Consumption
26 November 2002 UK Government Cyber Attack Statistics
26 November 2002 Technique Slows Rate of Worm Infections
6 November 2002 CERT/CC Quarterly Summary
25 & 26 November 2002 Boston Hospital Computer System Gives Itself
Denial-of-Service
25 & 26 November 2002 Another Domain Name Server Attacked
22 November 2002 Cracker Claims He Was Hired to Find Vulnerabilities
21 November 2002 ISC2 Doesn't Think ISACA Should Offer New
Certification
SECURITY TRAINING UPDATE
SANS Cyber Defense Initiative Conferences in
* San Francisco (Dec 15-20/02) - http://www.sans.org/CDI02
* New Orleans (Jan 13-18/03) - http://www.sans.org/CDI03NewOrleans
* Austin (Jan 12-17/03) - http://www.sans.org/CDI03Austin
* San Antonio (Jan 25-30/03) - http://www.sans.org/CDI03SanAntonio
feature SANS' most popular immersion training tracks, from Security
Essentials to Auditing to Hacker Exploits, to Intrusion Detection
to UNIX and Windows hardening. The instructors at these programs
include all of SANS' top-rated faculty. San Francisco also features a
special evening program for all attendees on implementing a SANS/FBI
Top Twenty vulnerability remediation program.
****** This Issue Sponsored by VeriSign - The Value of Trust **********
Get the strongest server security-128-bit SSL encryption! Download
VeriSign's FREE guide, "Securing Your Web Site for Business" and
learn everything you need to know about using SSL to encrypt your
e-commerce transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n20400109620057000
***********************************************************************
TOP OF THE NEWS
--27 November 2002 Cyber Security R&D Act Gets President's Signature
President Bush has signed the Cyber Security Research and Development
Act which allocates more than $900 million over the next five years
to undergraduate and graduate network and cyber security programs,
university and private sector research centers and National Institute
of Standards and Technology (NIST) hardware and software security
checklists for federal agencies.
http://www.washingtonpost.com/wp-dyn/articles/A47264-2002Nov27.html
http://news.com.com/2100-1023-975559.html
--25, 26 & 27 November 2002 Three Arrested in Credit Report Identity
Theft Ring
Three men have been arrested in connection with an identity theft
scheme that targeted more than 30,000 people and has so far cost
$3.7 million in losses. One of the men worked at the help desk for
a company that provides credit reports; he was able to access, steal
and sell reports to his cohorts.
http://zdnet.com.com/2100-1106-971196.html
http://www.wired.com/news/privacy/0,1848,56567,00.html
http://www.msnbc.com/news/839678.asp?0dm=T25AT
http://www.computerworld.com/securitytopics/security/story/0,10801,76227,00.html
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76252,00.html
http://www.wired.com/news/privacy/0,1848,56593,00.html
[Editor's Note (Murray): If this does not result in a class action
lawsuit, then our society is far more forgiving and less litigious than
they are painted as being. If one is going to traffic in sensitive
information about citizens, then one has a very high obligation to
know to whom one is talking. If there is an application, not to say
an industry, with a higher requirement for strong authentication,
I do not know what it is.]
--25 November 2002 Pirated Software Smuggler Gets Nine Years
Lisa Chen was sentenced to nine years in prison for her role in a
software piracy ring. Chen and others smuggled into the U.S. nearly
$100 million worth of forged software. Chen has also been ordered
to pay $11 million in restitution to Microsoft and Symantec.
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76194,00.html
--25 November 2002 Naval Academy Students' Computers Seized in
Response to RIAA Letter
In response to letters from the Recording Industry Association of
America (RIAA) and other similarly concerned groups asking officials
at institutions of higher education to take steps to curb illegal file
swapping, the U.S. Naval Academy seized computers from approximately
100 students. Punishment for possessing the copyrighted material on
the computers could range from loss of leave to court martial.
http://news.com.com/2100-1023-971130.html
[Editor's Note (Schultz): What the Naval Academy has done seems
infinitely preferable to having the music industry attack Naval
Academy and other computers to stop copyright violations, as the
egregious Berman Bill would allow.]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Earn a Norwich University Master's Degree in Information Security
in 24 months. http://www.sans.org/cgi-bin/sanspromo/NB106
(2) STOP SPAM and unwanted email. Take control. FREE WHITE PAPER!!!
http://www.sans.org/cgi-bin/sanspromo/NB107
(3) Download a Free Whitepaper from e-Security (www.esecurityinc.com)
- Security Intelligence for Incident Response.
http://www.sans.org/cgi-bin/sanspromo/NB108
***********************************************************************
A BIG WEEK FOR VULNERABILITY INFORMATION
Editors: A large number of important vulnerability reports have been
released. We cover the widely reported ones, and this week Stephen
Northcutt helps guide you through them.
For complete weekly vulnerability information (every Thursday),
subscribe to the Security Alert Consensus newsletter.
For a weekly summary of the most critical new vulnerabilities
(every Monday) and what large organizations are doing about them,
subscribe to the Critical Vulnerability Analysis newsletter. Both are
free. Subscribe at http://www.sans.org/newlook/digests/
--25 November 2002 Proactive Vulnerability Management
IT managers are having a hard time keeping up with the patches that
are issued for security flaws, leaving systems vulnerable to known
exploits. Part of this can be attributed to businesses running more
servers and the complexities with their integration. One idea for
addressing this problem is to have a dynamically updated blueprint of
systems so that it is easy to see hardware and software configurations
and what patches are needed; another is automated patch management.
http://www.newsfactor.com/perl/story/20084.html
[Editor's Note (Northcutt): This is a good article, but it understates
the problem. Vulnerability management is a nearly impossible task,
since it is hard to know the priority, what patches are really needed,
which ones are effective and what they break.]
--27, 29 & 30 November 2002 Winevar Worm
The Winevar worm exploits the IFrame vulnerability in Internet Explorer
and in Outlook, Outlook Express and other Microsoft e-mail clients.
The vulnerability allows for attachments to HTML e-mail messages to be
opened automatically. Winevar spreads by finding e-mail addresses in
e-mail files and sending itself out. It places the Funlove virus on
infected computers, tries to disable antivirus and security software,
and can wipe out the contents of hard drives. It also may be designed
to launch a denial of service attack against Symantec's web site.
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,76290,00.html
http://news.com.com/2100-1001-975569.html
http://www.extremetech.com/article2/0,3973,735114,00.asp
http://www.cnn.com/2002/TECH/internet/11/28/insult.worm/index.html
[Editor's Note (Northcutt): To summarize, the IFRAME vulnerability
was originally announced by Microsoft in Oct. 1999 and affected
Internet Explorer 4.01 and 5. It allows an evil webpage to run
document.execCommand to read and write files on the local hard
drive. The patch had a couple of problems in the early days, but it is
now the year 2002 and you can bet it is rock solid stable and should
be installed if you or someone you know uses the affected browsers.
Home and small office users can check to see whether the patch is
installed by using the information found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q243638&sd=tech
(Shpantzer): To determine whether
your systems are vulnerable to this beast:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp
Scroll down to "How do I determine the build number for my version
of the Microsoft VM?"]
--3 December 2002 e-Commerce Shopping Cart Vulnerability
A vulnerability in ShopFactory, an on-line e-merchant management
package, allows customers to alter the contents of on-line shopping
carts, including item prices. More than 100,000 e-commerce sites
use the package.
http://www.theage.com.au/articles/2002/12/03/1038712921934.html
--27 November 2002 Victoria's Secret Exposes Customer Order Info
For a while last week, Victoria's Secret on-line customers could view
others' orders by changing the customer number in their browsers.
The vulnerable order status feature was soon taken off line, and while
names and addresses were exposed, credit card information was not.
http://www.msnbc.com/news/840596.asp?0dm=T21AT
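Both stories above come down to a server trusting what the browser sends: the price on a cart line in the ShopFactory case, and the order number in the Victoria's Secret case. The sketch below is an added illustration, not code from either product; the catalogue, order table and customer names are constructed, and it sets each trusting handler beside a version that prices from the server's own catalogue and checks that an order belongs to the logged-in customer.

```python
from decimal import Decimal

# Constructed data standing in for a shop's catalogue and order table.
CATALOGUE = {"SKU-1": Decimal("19.99"), "SKU-2": Decimal("120.00")}
ORDERS = {
    1001: {"customer": "alice", "status": "shipped", "address": "1 Main St"},
    1002: {"customer": "bob", "status": "processing", "address": "9 Elm Rd"},
}


class BadRequest(Exception):
    pass


class NotFound(Exception):
    pass


def checkout_trusting_client(cart):
    """Vulnerable pattern (the ShopFactory report): the price field posted
    with each cart line is billed as-is, so whatever the browser sends is
    what the customer pays."""
    return sum(Decimal(line["price"]) * int(line["qty"]) for line in cart)


def checkout_server_priced(cart):
    """Hardened: the client supplies only SKU and quantity; every line is
    priced from the server-side catalogue and any posted price is ignored."""
    total = Decimal("0")
    for line in cart:
        sku, qty = line.get("sku"), int(line.get("qty", 0))
        if sku not in CATALOGUE or qty <= 0:
            raise BadRequest(f"rejecting cart line {line!r}")
        total += CATALOGUE[sku] * qty
    return total


def order_status_by_number(order_id):
    """Vulnerable pattern (the Victoria's Secret report): the order number
    alone selects the record, so any customer can read any order."""
    return ORDERS[order_id]


def order_status_for_customer(session_user, order_id):
    """Hardened: the lookup is scoped to the authenticated customer, and a
    foreign order gets the same NotFound as a missing one so the endpoint
    does not confirm which order numbers exist."""
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_user:
        raise NotFound(f"no order {order_id} for {session_user}")
    return order


def can_view_order(session_user, order_id):
    """True when the hardened lookup lets session_user see order_id."""
    try:
        order_status_for_customer(session_user, order_id)
        return True
    except NotFound:
        return False
```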
--2 December 2002 Mozilla Pulls New Browser Because of Security
Problem
Mozilla has removed downloads of its recently released browser,
Mozilla 1.2, after learning that it contains a security flaw in the
way it deals with dynamic HTML on some web sites. Mozilla plans to
release an updated version of the browser soon.
http://news.com.com/2100-1023-975724.html
[Editor's Note (Northcutt): Mozilla has already released the corrected
software, version 1.21, http://www.mozilla.org/]
--2 December 2002 Windows MDAC Flaw May Not be So Prevalent
An Internet research company has pulled together numbers that indicate
the Windows Microsoft Data Access Components (MDAC) flaw may not be as
pervasive as was first thought. In 2001, less than 10% of the sites
the company tested had the vulnerable Remote Data Services component
turned on; that figure dropped to 5% in 2002.
http://zdnet.com.com/2100-1105-975688.html
--25 November 2002 Recent Microsoft Patches May be Flawed, says
Security Company
A Danish security company says the two most recently released patches
from Microsoft, one for Windows Microsoft Data Access Components
(MDAC) and the other a cumulative patch for Internet Explorer, both
contain flaws. Microsoft says that the patch for Windows may not be
effective in all situations.
http://www.vnunet.com/News/1137085
--26 & 27 November 2002 Sun XFS Vulnerability
A buffer overflow vulnerability in Sun Microsystems' X Windows
Font Service (XFS) could allow crackers to crash or execute code
on machines running the vulnerable software; XFS runs by default on
all versions of Solaris. A patch is being developed; until it is,
users are advised to disable XFS unless it is absolutely necessary.
http://www.computerworld.com/securitytopics/security/story/0,10801,76241,00.html
http://zdnet.com.com/2100-1104-975405.html
http://www.theregister.co.uk/content/55/28318.html
http://www.securiteam.com/unixfocus/6P00L1P60G.html
http://www.cert.org/advisories/CA-2002-34.html
[Editor's Note (Northcutt): Keep your eyes open for an increase in
probes to TCP port 7100, which is the default for fs. I find the
Sun posting the most useful if you actually want to disable or enable
the X Windows Font Server:
http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view]
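A check a defender could run on the point in Northcutt's note, as an added example that is not from SANS or Sun: the log lines below are constructed in iptables/syslog style with documentation addresses, and the function flags any source that sends SYNs to TCP port 7100 on several distinct hosts, the fan-out pattern that distinguishes a sweep from a single legitimate font client.

```python
import re
from collections import defaultdict

XFS_PORT = "7100"  # default listening port of the Solaris font server (fs)

# Constructed sample in iptables/syslog style; addresses are from the
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 28 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=7100 SYN
Nov 28 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=41023 DPT=7100 SYN
Nov 28 03:12:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=41024 DPT=7100 SYN
Nov 28 03:12:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=41025 DPT=7100 SYN
Nov 28 03:12:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Nov 28 03:12:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=7100 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def port_7100_hits(log_text):
    """Map each source address to the set of hosts it probed on TCP/7100."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") == XFS_PORT:
            hits[m.group("src")].add(m.group("dst"))
    return hits


def sweeping_sources(log_text, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on 7100.
    One address fanning out across the range is the probe pattern to watch
    for; a single hit may just be a legitimate font client."""
    return {src: sorted(dsts) for src, dsts in port_7100_hits(log_text).items()
            if len(dsts) >= min_targets}
```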
--25, 26 & 27 November 2002 RealNetworks Pulls Flawed Patch
RealNetworks has removed a patch that it recently posted for buffer
overflow vulnerabilities in its RealOne Player and Real Player
products. The company that found the flaws said the patch was easily
worked around to exploit the flaws.
http://zdnet.com.com/2100-1104-975352.html
http://www.theregister.co.uk/content/55/28308.html
http://idg.net/ic_967556_1794_9-10000.html
Stories about the initial discovery of the RealPlayer vulnerabilities
and the patch:
http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270157,00.htm
http://www.net-security.org/vuln.php?id=2251
THE REST OF THE WEEK'S NEWS
--2 December 2002 eWeek Hacking Contest Winner Discloses Methods
Oracle users, in particular, should read this article to learn the
methods Jeremy Poteet used to break into the eWeek security challenge
machine.
http://www.eweek.com/article2/0,3959,741368,00.asp
--29 November 2002 Sophos Malware Statistics for November
Sophos has published its virus and worm statistics for November 2002.
Bugbear-A accounted for 29.4% of reported worms, followed by Braid-A
and Klez-H.
http://www.net-security.org/virus_news.php?id=133
--29 November 2002 ATM Hacker Thieves Arrested in Paris
Police in Paris have arrested four people for using technology
to gather ATM card information and steal bank funds from about
150 victims. The individuals are accused of using a device to read
information from cards as they were swiped to open doors to off-street
ATMs; they also used tiny cameras to learn the cards' PINs.
http://www.theage.com.au/articles/2002/11/29/1038386298061.html
[Editor's Note (Shpantzer): Physical security counts. All the
encryption and access control can't save your data if the hackers
get a keystroke recorder installed between the keyboard and the CPU,
for example. In this case, it seems they placed a skimmer (card data
recorder) at the entrance to the ATM portal. This is also done in
restaurants by fraudulent staff, but without the benefit of the PIN
number obtained by the camera.
(Murray): How long will it take the card industry to recognize that
counterfeit machines, not counterfeit cards, are going to be their
problem? The necessary response, smart cards, is going to take years
to deploy. It is time to get on with it.]
--27 November 2002 Sites Call for Cyber Jihad
According to the Simon Wiesenthal Center, the Hamas group is
encouraging followers to participate in a three day cyber Jihad against
Jewish web sites. Information about the planned attacks was found
on two web sites; one of them contained a how-to manual for hackers.
http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=1818199
--24, 25 & 26 November 2002 Partnership for Public Warning Sees
Need for New, Integrated Warning System
A panel of emergency response experts wants the country to update and
streamline its emergency warning systems; a report from the Partnership
for Public Warning recommends that the new Department of Homeland
Security undertake the project. False alarms will be a major problem.
http://www.nytimes.com/2002/11/25/national/25WARN.html
(Note: the NYT site requires free registration)
http://www.gcn.com/vol1_no1/daily-updates/20569-1.html
http://zdnet.com.com/2100-1105-975287.html
http://www.partnershipforpublicwarning.org/ppw/
--26 November 2002 ISPs May Limit Bandwidth Consumption
Some high speed ISPs are considering placing limits on the amount of
bandwidth their customers may consume each month. If they decide
to do it, it could significantly curtail file-swapping activity,
which makes up a large portion of network traffic.
http://news.com.com/2100-1023-975320.html
[Editor's Note (Schultz): Peer-to-peer file sharing not only consumes
a great amount of network bandwidth, but it also often involves
illegal downloading of copyrighted materials. One would think that
ISPs would realize this and take measures to preclude such activity.
Where I work someone has developed "KO," the "KaZaA Obliterator,"
which detects and kills sessions involving use of KaZaA and other
peer-to-peer file sharing programs altogether.
(Shpantzer): One company working on the P2P bandwidth issue
claims that these applications hog as much as 60% of bandwidth
on the internet. Also see the link for a University of Chicago
study of the Gnutella P2P network effects on bandwidth patterns:
http://www.theregister.co.uk/content/22/27092.html]
--26 November 2002 UK Government Cyber Attack Statistics
The UK government's computer systems have sustained more than 6,500
cyber attacks in the past year; incidents included virus infections,
probes and "hacking incidents." The Cabinet Office alone was targeted
by 5,857 attacks, none of which resulted in compromised or lost data.
http://www.vnunet.com/News/1137117
--26 November 2002 Technique Slows Rate of Worm Infections
A Hewlett Packard researcher has developed a method for slowing
the spread of worms like Code Red and Nimda. Matthew Williamson's
"throttle" restricts connections to "new" machines, those not contained
on a recent history list, to one a second; in comparison, Nimda tries
to connect to 400 new machines a second. The throttle also creates
a request backlog, so people can be alerted to the infection.
http://www.economist.com/science/displayStory.cfm?story_id=1454331
[Editor's Note (Murray): The mechanism described is useful against
attacks like Code Red and Nimda but not against the more general
class of viruses.
(Schultz): What this researcher says is certainly true -- that in
information security we tend to think of security as "on" or "off."
The concept of a throttle is a brilliant new idea. A problem, however,
is that if throttles are widely used, worm writers will simply slow
the rate at which worms attempt to connect to other potential victims.]
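A small simulation of the throttle described in this item, added here as an illustration and not taken from HP or Williamson's code: each host keeps a short working set of recently contacted destinations, connections to a destination in the set pass at once, connections to a "new" destination wait in a delay queue drained at one per second, and the queue length is the alarm signal. The working-set size, alarm threshold and both traffic patterns are constructed assumptions.

```python
from collections import deque


class ConnectionThrottle:
    """Per-host throttle: working set of recent destinations, delay queue
    for new ones, alarm when the queue backs up."""

    def __init__(self, working_set_size=4, new_per_second=1, alarm_backlog=10):
        self.working_set = deque(maxlen=working_set_size)  # recent history list
        self.new_per_second = new_per_second
        self.alarm_backlog = alarm_backlog
        self.delay_queue = deque()
        self.alarms = []  # (second, backlog length) each time the alarm fires

    def submit(self, dest):
        """Offer one outgoing connection; return 'sent' or 'delayed'."""
        if dest in self.working_set:
            return "sent"
        if dest not in self.delay_queue:  # one queue slot per new destination
            self.delay_queue.append(dest)
        return "delayed"

    def tick(self, now):
        """Run once per simulated second: release new_per_second queued
        destinations into the working set, then check the backlog."""
        released = []
        for _ in range(self.new_per_second):
            if not self.delay_queue:
                break
            dest = self.delay_queue.popleft()
            self.working_set.append(dest)
            released.append(dest)
        if len(self.delay_queue) > self.alarm_backlog:
            self.alarms.append((now, len(self.delay_queue)))
        return released


def simulate(traffic, seconds):
    """traffic maps a second to the destinations requested in that second.
    Returns (sent at once, delayed, backlog left at the end, alarms)."""
    throttle = ConnectionThrottle()
    sent = delayed = 0
    for second in range(seconds):
        for dest in traffic.get(second, []):
            if throttle.submit(dest) == "sent":
                sent += 1
            else:
                delayed += 1
        throttle.tick(second)
    return sent, delayed, len(throttle.delay_queue), throttle.alarms


def normal_browsing():
    """Constructed: a user who keeps returning to the same three servers."""
    hosts = ["mail.example", "web1.example", "web2.example"]
    return {s: [hosts[s % 3], hosts[(s + 1) % 3]] for s in range(20)}


def worm_burst():
    """Constructed: a Nimda-like host trying 400 new addresses in one second."""
    return {5: [f"10.0.{i // 256}.{i % 256}" for i in range(400)]}
```

For the browsing pattern only the first few connections are held while the working set fills; for the burst every destination is new, so the 400 requests drain at one per second and the backlog stays far above the alarm threshold for the rest of the run.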
--26 November 2002 CERT/CC Quarterly Summary
The CERT/CC Quarterly Summary describes the incidents that have been
reported during the past three months; recent activity discussed
includes the Apache/mod_ssl worm, the sendmail, tcpdump and libpcap
Trojan horses, and the BIND vulnerabilities. The summary also includes
links to information for dealing with the vulnerabilities.
http://www.cert.org/summaries/CS-2002-04.html
--25 & 26 November 2002 Boston Hospital Computer System Gives Itself
Denial-of-Service
Beth Israel Deaconess Medical Center in Boston experienced computer
network slowdowns and interruptions because analytic software it was
running generated heavy network traffic. The network uses web-enabled
and wireless applications. The hospital returned to its paper-based
system; no patients were put in danger. The medical center's CIO
decided to speak out about the incident to alert other health care
centers to potential problems.
http://www.nwfusion.com/news/2002/1125bethisrael.html
http://www.boston.com/dailyglobe2/330/science/Got_paper_P.shtml
[Editor's Note (Shpantzer): Dr. Halamka, the hospital's CIO, is
a brave man for sharing his experience with others in his field.
Many people in the security industry don't want to own up to the fact
that we too are human and can learn from incidents such as this one.
(Murray): This is one result of a flat network in which mission
critical applications are not adequately isolated from discretionary
ones. Notice that logical isolation, e.g., VPN, would not have worked
here. While this case was accidental, flat networks aggravate our
vulnerability to denial of service attacks.]
--25 & 26 November 2002 Another Domain Name Server Attacked
Domain name manager UltraDNS was the target of a distributed denial
of service attack in mid November. An investigation is underway.
http://zdnet.com.com/2100-1105-971178.html
http://www.theregister.co.uk/content/55/28291.html
--22 November 2002 Cracker Claims He Was Hired to Find
Vulnerabilities
A Dutch cracker broke into the network of a U.S. architectural
firm that is doing renovation work for the Defense Department and
accessed Pentagon and FBI building blueprints. The man claims he
was offered US$3,600 to identify security weaknesses in the firm's
computer network; instead, Dutch police searched his residence at
the behest of U.S. authorities.
http://www.europemedia.net/shownews.asp?ArticleID=13811
[Editor's Note (Schultz): This should serve as another reminder
to obtain a "get out of jail free" card prior to performing such
activities.]
--21 November 2002 ISC2 Doesn't Think ISACA Should Offer New
Certification
The International Information Systems Security Certification Consortium
Inc., or ISC2, has posted a statement indicating its displeasure with
the Information Systems Audit and Control Association's (ISACA's)
decision to offer a new security certification for IT managers. ISC2
feels that a new certification would require security professionals
to work for more certifications; until now, ISACA has focused on
security auditor certification.
http://www.eweek.com/article2/0,3959,718175,00.asp
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To change your subscription, address, or other information, visit
https://www.sans.org/sansurl/ and enter your SD number or email address
(from the headers). You will receive your personal URL via email. You
may also use this link to update your surface mailing address if you
have not done so recently.