From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Jan 08 2003 - 11:20:54 CST
***********************************************************************
SANS NewsBites January 8, 2003 Vol. 5, Num. 1
***********************************************************************
TOP OF THE NEWS
6 January 2003 Administration Drafts Trimmed Down Cyber Security Strategy
20 December 2002 Wisconsin Man Will Serve Up To 20 Years In Prison
for Computer Crimes and Other Offenses
6 January 2003 California Disclosure Law May Apply Outside California
THE REST OF THE WEEK'S NEWS
6 January 2003 American Airlines Improves Wireless Security at
Denver Airport
6 January 2003 PR Firm Error Could Have Exposed Customer Data
3 & 6 January 2003 CSIS Paper Says Cyberterrorism is Overhyped
3 January 2002 Clarke Says Cyberterrorism is a Real Threat
3 & 6 January 2003 Supreme Court Justice Rescinds Stay in DeCSS Case
3 January 2003 Wall Street Business Disaster Recovery Centers Can be
in NYC
2 & 3 January 2003 Serebryany Charged with Stealing and Posting
DirecTV Documents
2 & 3 January 2003 Lindows.com CEO Admits He's Behind Xbox Hack Contest
3 January 2003 RIAA Hacked Again
3 January 2003 CIO Council Wants Agencies to Address Enterprise
Architecture Security
3 January 2003 Government Site Vandal Pleads Guilty
2 & 3 January 2003 Yaha Variant
2 January 2003 Killboot Macro Virus
2 January 2003 TSA Removes Password Protected Documents from Internet
2 January 2003 Confidence in On-Line Transactions is Increasing
1, 2 & 3 January 2003 Reward Offered in Government Contractor
Computer Theft
30 December 2002 Putty SSH Vulnerability Exploit Posted on Bugtraq
TRAINING QUOTES OF THE WEEK
"Courses are filled with content until late in the evening. This is
not a holiday experience - this is a serious learning week."
(Kauto Huopio, CERT-FI)
"Simply stated: learn security from the security experts."
(David Kemp, U.S. House of Representatives)
Complete security training schedule at http://www.sans.org
******************* This Issue Sponsored by BioNetrix *****************
***********************************************************************
TOP OF THE NEWS
--6 January 2003 Administration Drafts Trimmed Down Cyber Security
Strategy
In a new draft of the National Strategy for Securing Cyberspace,
the Bush Administration has reduced the number of proposals by 40%.
The new draft eliminates many proposals for America's corporations
to improve security, focusing instead on suggestions for the US
government agencies. It also eliminates a proposal for the White
House to consult with privacy advocates on the impact of security
proposals on civil liberties.
http://www.msnbc.com/news/855722.asp?0cv=CB20
--20 December 2002 Wisconsin Man Will Serve Up To 20 Years In Prison
for Computer Crimes and Other Offenses
Joseph Konopka, a 26-year-old Wisconsin man who has gone by the alias
Dr. Chaos, agreed to a plea bargain in which he will serve a sentence
of up to twenty years for a series of crimes that includes "creating
counterfeit software and interfering with computers." A person familiar
with the investigation notes "Konopka was an extremely capable systems
administrator, and of the six charges to which he pled guilty, four
were computer crime charges, including use of a sniffer, computer
intrusion, transmission of malicious code, and software piracy. He
was also a serious threat to critical infrastructures."
http://www.jsonline.com/news/metro/dec02/104890.asp
http://www.landfield.com/isn/mail-archive/2002/May/0063.html
--6 January 2003 California Disclosure Law May Apply Outside
California
A California law that will take effect July 1, 2003, requires companies
in the state to inform their customers in the event of a computer
intrusion that exposes customer names in conjunction with certain
sensitive personal data, like a social security number. According
to Scott Pink, deputy chair of the American Bar Association's
Cybersecurity Task Force, the law will also pertain to on-line
businesses with customers in California.
http://online.securityfocus.com/news/1984
SANS Local Mentor Programs begin in 31 cities in 5 countries
during the next 30 days. Details and schedule at the SANS Web site:
http://www.sans.org/onlinetraining/mentor.php
***********************************************************************
THE REST OF THE WEEK'S NEWS
--6 January 2003 American Airlines Improves Wireless Security at
Denver Airport
American Airlines has improved the security of its wireless
bag-matching and curbside check-in systems at Denver International
Airport (DIA) by removing IP addresses from its kiosks and adding
authentication technology on top of 40-bit WEP encryption.
http://www.computerworld.com/mobiletopics/mobile/story/0,10801,77255,00.html
--6 January 2003 PR Firm Error Could Have Exposed Customer Data
The administrative password to a server run by Carmichael Lynch,
a public relations and advertising company, was posted on a web
site for at least six months. The password could have been used to
access a variety of files, including customer databases for some of
Carmichael Lynch's big clients. The posting containing the password
has been removed and a spokeswoman for the company said there is no
evidence that anyone took advantage of the vulnerability.
http://www.wired.com/news/infostructure/0,1377,57066,00.html
--3 & 6 January 2003 CSIS Paper Says Cyberterrorism is Overhyped
A paper from the Center for Strategic & International Studies (CSIS)
argues that the threat of cyberterrorism to critical infrastructures
has been exaggerated by the government and the media. The paper
draws a distinction between computer systems, which are vulnerable
to cyber attacks, and critical infrastructures, which it says are
not as vulnerable.
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,77239,00.html
http://www.washtimes.com/business/20021226-40779202.htm
--3 January 2002 Clarke Says Cyberterrorism is a Real Threat
Chairman of the President's Critical Infrastructure Protection
Board Richard Clarke says the threat of cyberterrorism should not
be dismissed. Clarke maintains that solutions to cyberspace threats
aren't as clear as those to physical security threats, and that we
need to handle the threat by eliminating cyberspace vulnerabilities.
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,77238,00.html
[Editor's Note (Murray): There is a difference between "not dismissing"
and what the government has been doing. In security we must strike a
difficult balance between false comfort and false alarm. The CSIS Paper
suggests that the government's present rhetoric risks desensitizing
us to alarms. This overstatement, not to say hype, is not limited to
cyber space. If one uses the Government's own (five point) scale it
seems to me that they are consistently one notch too high.
(Schultz): I hope that the use of the term "eliminating
vulnerabilities" in this news item was a misquote. Certainly
Richard Clarke knows that vulnerabilities can never be completely
eliminated. Terminology such as "minimizing vulnerabilities" or
"managing vulnerabilities" would have been far better.]
--3 & 6 January 2003 Supreme Court Justice Rescinds Stay in DeCSS Case
US Supreme Court Justice Sandra Day O'Connor rescinded an emergency
stay she had placed on a ruling by the California Supreme Court in
a case involving the publishing of DeCSS, a DVD encryption-breaking
utility. As a result of O'Connor's action, the defendant in the case,
Matthew Pavlovich, may distribute DeCSS again, though he could also
be sued again. The Electronic Frontier Foundation's legal director
lauded O'Connor's action, observing "[t]he entertainment companies
need to stop pretending that DeCSS is a secret."
http://news.com.com/2100-1023-979197.html
http://www.cnn.com/2003/TECH/biztech/01/06/us.dvdencrypt.ap/index.html
[Editor's Note (Schultz): DeCSS encryption amounts to little more than
"security by obscurity." You'd think that by now the entertainment
industry would quit beating a dead horse and instead get real by
trying to develop a stronger encryption scheme.]
--3 January 2003 Wall Street Business Disaster Recovery Centers Can
be in NYC
Businesses located on Wall Street will not have to locate their
disaster recovery data centers at least 200 miles from their primary
centers; federal regulators dropped that provision in favor of
developing contingency plans that keep the centers in NYC.
http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,77250,00.html
--2 & 3 January 2003 Serebryany Charged with Stealing and Posting
DirecTV Documents
The FBI has arrested a 19-year-old for allegedly distributing documents
containing technical information about DirecTV satellite smart cards
to several satellite pirate web sites; the documents could be used
to break DirecTV smart cards. Igor Serebryany will be charged under
the 1996 Economic Espionage Act and could face a ten-year prison
sentence and a fine of up to $250,000. There is no evidence indicating
Serebryany benefited financially from his actions.
http://www.wired.com/news/politics/0,1283,57039,00.html
http://news.com.com/2100-1023-979001.html
http://www.vnunet.com/News/1137793
[Editor's Note (Northcutt): This case has enormous importance. As we
become an information economy, trade secrets and other intellectual
property are among the most valuable assets any organization has. The
Economic Espionage Act has not been used by the government as much
as it should have been so it will be interesting to see how this
plays out.]
--2 & 3 January 2003 Lindows.com CEO Admits He's Behind Xbox Hack
Contest
Michael Robertson, founder of Lindows.com, says he is behind a contest
offering $200,000 to the first successful hack of Microsoft's Xbox
console. The challenge emerged anonymously in July 2002. Robertson
says he posed the challenge because he believes restricting access
to the machine's processor "sets a dangerous precedent."
http://news.com.com/2100-1040-978957.html
http://www.wired.com/news/games/0,2101,57052,00.html
--3 January 2003 RIAA Hacked Again
The Recording Industry Association of America's (RIAA) website was
recently hacked for the sixth time in as many months. The site is
a target for hackers because of the association's stance on digital
file sharing.
http://www.wired.com/news/technology/0,1282,57048,00.html
--3 January 2003 CIO Council Wants Agencies to Address Enterprise
Architecture Security
The CIO Council sent a memo to federal agency CIOs advising
them to take steps to secure their enterprise architectures and
applications. The Council told the CIOs they should include their plans
for securing that software in their next quarterly update submitted
to the Office of Management and Budget (OMB) under compliance with
the Federal Information Security Management Act (FISMA).
http://www.fcw.com/fcw/articles/2002/1230/web-cio-01-03-03.asp
http://www.gcn.com/vol1_no1/daily-updates/20764-1.html
--3 January 2003 Government Site Vandal Pleads Guilty
An Alabama man could spend up to ten years in prison for defacing
numerous government web sites. William Douglas Word pleaded guilty
to 17 counts of defacing sites at NASA, the Interior Department, the
Defense Department and other agencies. Word's sentencing is scheduled
for April 24.
http://www.dodig.osd.mil/DCIS/press/011228ww.htm
http://www.gcn.com/vol1_no1/daily-updates/20766-1.html
--2 & 3 January 2003 Yaha Variant
A new variant of the Yaha worm was detected at the end of 2002. Yaha
affects systems running Windows operating systems; a part of its
payload involves trying to disable firewalls and antivirus software. It
has its own SMTP engine and sends itself out via infected systems'
address books and through some Messenger software.
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,77190,00.html
http://news.bbc.co.uk/1/hi/technology/2621419.stm
http://www.vnunet.com/News/1137805
--2 January 2003 Killboot Macro Virus
A macro virus called "Killboot" has the capacity to overwrite
the Master Boot Record (MBR) on physical hard drives of infected
machines. "Killboot" infects Word documents. There have been few
reports of infections in the wild.
http://www.vnunet.com/News/1137774
--2 January 2003 TSA Removes Password Protected Documents from
Internet
The Transportation Security Administration (TSA) has removed four
password-protected documents from its web site after concerns were
raised about the security of the documents' contents.
http://news.com.com/2100-1023-978981.html
--2 January 2003 Confidence in On-Line Transactions is Increasing
A quarterly survey from the Conference Board finds that consumer
confidence in the security of on-line transactions is increasing. 33%
of those surveyed believed their transactions are secure, compared
with 27.5% a year ago. 25% believe their personal information is safe,
up from 22% last year.
http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=1985136
[Editor's Note (Schultz): It is important to understand that changes
in statistics over time could be due to sampling error, too. Whether
or not these statistical changes represent shifts in attitudes remains
to be seen.]
--1, 2 & 3 January 2003 Reward Offered in Government Contractor
Computer Theft
A $100,000 reward is being offered for information that leads to the
arrest and conviction of those responsible for stealing laptops and
hard drives from the office of a government health-care contractor
in Phoenix, Arizona. The stolen hardware contains personal data,
including names, addresses and social security numbers belonging to
more than 500,000 military personnel.
http://www.cnn.com/2003/TECH/biztech/01/01/pentagon.computerthef.ap/index.html
http://www.gcn.com/vol1_no1/daily-updates/20756-1.html
http://www.fcw.com/fcw/articles/2002/1230/web-dod-01-03-03.asp
--30 December 2002 Putty SSH Vulnerability Exploit Posted on Bugtraq
Exploit code for a vulnerability in the Putty SSH client was posted on
the Bugtraq mailing list. The code, which was posted by the security
research division of a Spanish firm called I-Proyectos, was accompanied
by a statement that it was only for educational and testing purposes.
http://www.eweek.com/article2/0,3959,801913,00.asp
[Editor's Note (Murray): Nice people do not publish exploit code or do
business with those that do. One certainly does not do business with
them for no better reason than that they publish exploit code. Imagine
one's reaction to IBM or Oracle publishing exploit code. While I admit
that this is a novel ethical decision for some individuals, I have
trouble understanding how so many businesses get it wrong. Immanuel
Kant, where are you when we really need you?]
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To update your address, visit http://www.sans.org/sansurl and enter
your SD number or email address (from the header of this email.) You
will receive your personal URL via email.