From: The SANS Institute (NewsBites_at_sans.org)
Date: Mon Dec 30 2002 - 20:48:26 CST

    ***********************************************************************
    SANS NewsBites December 30, 2002 Vol. 4, Num. 53
    ***********************************************************************

    TOP OF THE NEWS
    24 December 2002 Stolen DoD Contractor Computer Equipment Contains
                      Personal Data
    21 & 23 December 2002 Internet Monitoring Center Won't Spy on Citizens

    THE REST OF THE WEEK'S NEWS
    27 December 2002 ID Thief Turns Extortionist
    26 December 2002 Kroger Co. is Testing Fingerprint Payment System
    26 December 2002 CMU Researchers Developing Software to Weed Out Bot
                      e-Mail Accts
    26 December 2002 South Carolina Computer Crime Center Established
    24 December 2002 TSA Documents' Protection Easily Circumvented
    23 December 2002 Microsoft Auto Update Proves Frustrating
    23 December 2002 Securing e-Mail in Outlook

    TRAINING QUOTE OF THE WEEK
    "SANS Institute picks up where most IS Security seminars fall short -
    down to the brass tacks. Practical and applicable content. Not for
    wussies." (Kathryn Lawderm, Sharp Health Care)
    Complete security training schedule at http://www.sans.org

    ******** This Issue Sponsored by VeriSign - The Value of Trust ********

    FREE E-COMMERCE SECURITY GUIDE

    Is your e-business built on a strong, secure foundation? Find out
    with VeriSign's FREE White Paper, "Building an E-Commerce Trust
    Infrastructure." Learn how to authenticate your site to customers,
    secure your web servers with 128-Bit SSL encryption, and accept secure
    payments online.
    Click here: http://www.verisign.com/cgi-bin/go.cgi?a=n20390113340057000

    ***********************************************************************

    TOP OF THE NEWS

     --24 December 2002 Stolen DoD Contractor Computer Equipment Contains
                         Personal Data
    Thieves stole notebook computers and server hard drives from the office
    of a Defense Department health care service contractor in Phoenix,
    AZ. The stolen items contained personal data about beneficiaries;
    the contractor is providing the beneficiaries with information about
    protecting their personal information. The FBI is involved in the
    investigation, along with the Defense Criminal Investigative Service
    and local police.
    http://www.gcn.com/vol1_no1/daily-updates/20735-1.html
    [Editor's Note (Murray): My understanding from another report is
    that there is no evidence that the thieves have exploited or sold
    the data. Seems an unlikely target of choice.]

     --21 & 23 December 2002 Internet Monitoring Center Won't Spy on
                              Citizens
    The Bush administration says the National Strategy to Secure
    Cyberspace's proposed Internet monitoring center would not examine the
    e-mail and surfing habits of individuals. Instead, the Center will
    be focused on monitoring the "health" of the Internet and watching
    for traffic spikes indicative of denial of service attacks. Civil
    liberties advocates have expressed concern at the possibility the
    center will be federally managed; early drafts of the strategy indicate
    the Center will be privately managed.
    http://zdnet.com.com/2100-1106-978717.html
    http://www.cnn.com/2002/TECH/internet/12/23/cyber.security.ap/index.html

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    Event Correlation - Is it Security's Holy Grail? View our White Paper
    at http://www.sans.org/cgi-bin/sanspromo/NB114

    ALERT: How a hacker launches a Web application attack, step-by-step
    http://www.sans.org/cgi-bin/sanspromo/NB115

    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

     --27 December 2002 ID Thief Turns Extortionist
    An identity thief tried to use a California woman's on-line accounts
    to steal money, but she thwarted the majority of his efforts. The
    thief then tried to extort money from the woman, offering to disclose
    his methods and provide advice on protecting her information for
    $400. When his offer was ignored, he reportedly became belligerent,
    threatening harassment and making clear he knew personal details about
    her life. Cyberstalking laws exist in most states, and people should
    report such events to law enforcement officials.
    http://www.msnbc.com/news/851175.asp?0cv=CB10

     --26 December 2002 Kroger Co. is Testing Fingerprint Payment System
    Kroger Co. is testing a biometric pay-by-fingerprint system in three of
    its Texas stores. People can register for the program with a driver's
    license, a credit or debit card or electronic check, and an index
    finger image.
    http://www.cnn.com/2002/TECH/ptech/12/26/kroger.fingerprint.reut/index.html

     --26 December 2002 CMU Researchers Developing Software to Weed Out
                         Bot e-Mail Accts
    Researchers at Carnegie Mellon University are developing software
    that will prevent web bots from creating free e-mail accounts used
    to send spam. The technology relies on distorting a word that humans
    can easily decipher but machines cannot; if the entity trying to
    establish the e-mail account is unable to type in the word correctly,
    the e-mail account is denied.
    http://www.cbsnews.com/stories/2002/12/26/tech/main534348.shtml
    [Editor's Note (Shpantzer): The fact that the computers send the
    failed tests to humans to complete is essentially a win for the CAPTCHA
    (Completely Automatic Public Turing Test to tell Computers and Humans
    Apart) concept. It reduces automation significantly and introduces more
    expensive and labor intensive processes (humans completing captchas)
    into the loop. This technology will be featured in a SANSNight at
    the SANS 2003 San Diego conference.]
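    The gating logic the CMU item describes, as an added example (not the
    researchers' code or the article's): a server issues a challenge word
    bound to a single-use, expiring token, and the sign-up is denied unless
    the word is typed back correctly within a small number of attempts.
    Rendering the word as a distorted image is assumed to happen elsewhere;
    the word list, time limit and attempt limit are constructed values.

```python
import hmac
import secrets
import time

# Constructed parameters for the demo; a real deployment would tune these.
CHALLENGE_TTL = 120          # seconds a challenge stays answerable
MAX_ATTEMPTS = 3             # wrong answers before the challenge is voided
WORDS = ["harbor", "lantern", "meadow", "quartz"]   # constructed word list

# token -> {"word": plain word, "issued": timestamp, "attempts": count}
_pending = {}


def issue_challenge(now=None):
    """Pick a word, bind it to a random single-use token, return (token, word).

    The plain word goes only to the image-rendering step (assumed, not shown);
    the client sees the token and the distorted image, never the word itself.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    word = secrets.choice(WORDS)
    _pending[token] = {"word": word, "issued": now, "attempts": 0}
    return token, word


def verify_and_register(token, answer, now=None):
    """Return True (and consume the token) when the answer matches the word.

    Unknown, replayed, expired or exhausted tokens are denied, so a bot cannot
    reuse one solved challenge for many accounts or grind on a single one.
    """
    now = time.time() if now is None else now
    rec = _pending.get(token)
    if rec is None:
        return False                         # unknown or already-used token
    if now - rec["issued"] > CHALLENGE_TTL:
        _pending.pop(token, None)            # stale challenge: void it
        return False
    rec["attempts"] += 1
    # Constant-time compare; answers are normalised to lower case first.
    ok = hmac.compare_digest(rec["word"].encode(),
                             answer.strip().lower().encode())
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(token, None)            # single use, success or not
    return ok
```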

     --26 December 2002 South Carolina Computer Crime Center Established
    The South Carolina Computer Crime Center will analyze electronic crime
    evidence and train people in computer forensics. The Center, which
    is a joint effort of the FBI, the Secret Service and South Carolina
    law enforcement agencies, provides individuals and businesses with
    a place to report computer crimes. Three other centers have been
    established across the country and two more are planned.
    http://www.gcn.com/vol1_no1/daily-updates/20736-1.html

     --24 December 2002 TSA Documents' Protection Easily Circumvented
    Several restricted U.S. Transportation Security Administration (TSA)
    documents are accessible to anyone with an Internet connection. While
    they are password protected within Microsoft Word, once they are
    downloaded, they can be attacked with password cracking software at
    the user's leisure.
    http://reuters.com/newsArticle.jhtml?type=internetNews&storyID=1958544

     --23 December 2002 Microsoft Auto Update Proves Frustrating
    People using older versions of Microsoft products have reported
    technical problems with automated updates; when they contact
    the company's support staff, they are advised to upgrade to newer
    products. Some of the patches are available only through the automated
    update system.
    http://www.nyq.eweek.com/article2/0,6071,801273,00.asp
    [Editor's Note (Shpantzer): Updates for the Office suite are sometimes
    impossible without the physical CDs, which many users have not
    retained or never owned (pirated software or legitimate software on
    second-hand hardware). This leaves millions of systems out of the
    update process and puts the rest of us downrange from their unpatched
    applications.
    (Schultz): I've never been very enthusiastic about Microsoft Auto
    Update. Too often users who rely on this feature find out later
    that patches they thought had been automatically installed were not
    installed at all. If you look at Microsoft's web site, you'll see many
    postings about types of update failures that occur and a variety of
    solutions, all of which are bound to confuse the average user.
    (Murray): Even rocket science can be mastered. If AOL can do it
    routinely without even evoking comment, then Microsoft can learn.]

     --23 December 2002 Securing e-Mail in Outlook
    The second of two articles about securing Microsoft Outlook focuses
    on securing e-mail, including blocking unsafe files, changing system
    settings and turning on file extensions.
    http://online.securityfocus.com/infocus/1652

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
    Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sans@sans.org with the subject:
    Subscribe NewsBites

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number (from the header of this email). You will receive your
    personal URL via email.
