From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Jan 15 2003 - 08:54:08 CST

    ***********************************************************************
    SANS NewsBites January 15, 2003 Vol. 5, Num. 2
    ***********************************************************************

    TOP OF THE NEWS
     NSA Reports Benchmarks Eradicate 91% Of Tested Vulnerabilities
     Lawsuit Against Kazaa May Proceed
     NIAC Cyber Security Recommendations
     CSO Security Spending Survey
     Johansen Not Guilty of Piracy in DeCSS Case

    THE REST OF THE WEEK'S NEWS
     Web Application Security Problems
     Commission Seeks Comment on Guidelines for Sentencing Hackers
     Microsoft Adds Level to Security Rating System
     Researchers Show Info Sharing Reduces Cyberattack Risk
     DoD Task Force to Evaluate Healthcare Contractor Security
     Phreakers Target Texas A&M
     Vatican Warns Against On-Line Confession
     Satellite TV Hacker Will Help Feds in Plea Agreement
     West Point Establishes Secure Wireless Network
     Microsoft Reader e-Book Software Circumvention Code Posted
     Ethernet Device Vulnerability Could Expose Sensitive Data
     IETF, SANS, OASIS and Liberty Alliance Named Network Standards Leaders

    WORMS AND OTHER MALWARE
     Malware Names Can be Confusing
     W32/Sobig Worm
     BBC Hit by ExploreZip Worm
     January 2003 Lirva Worm

    TRAINING QUOTES OF THE WEEK
    "It is refreshing to attend a training course taught by one of the
    best in the profession. Valuable information I can put to work in an
    upcoming audit in my company." (Greg Short, Lockheed Martin)
    "The level of experience the SANS instructor demonstrates on this
    subject surpasses all the security books I have ever read, put
    together!" (Jakob Pittner, Eltryon Enterprises)
    Twelve days left for early registration discounts for SANS Annual
    Conference in San Diego. Complete security training schedule at
    http://www.sans.org

    ******************** This Issue Sponsored by NetIQ *******************

    Security Webcast Featuring Kevin Mitnick

    Join former hacker turned consultant Kevin Mitnick, as part of our
    distinguished panel of security experts, for NetIQ's free security
    webcast-"People & Policies: Turning Your Weakest Security Link into
    a First Line of Defense."

    Register now.
    http://www.netiq.com/f/form/form.asp?id=1696&origin=NSSansNewsbites011503

    ***********************************************************************

    TOP OF THE NEWS

     --December 2002 NSA Reports Benchmarks Eradicate 91% Of Tested
                       Vulnerabilities
    The most recent US Department of Defense Information Assurance
    Newsletter reports that tests run by the National Security Agency
    measured the impact of applying security configuration benchmarks,
    specifically the Center for Internet Security/NSA/GSA/NIST Windows
    2000 Consensus Security Baseline Settings. Applying the baseline
    settings eliminated more than 95% of high priority vulnerabilities
    (as determined by a popular commercial scanner) and 91% of all
    vulnerabilities.
    Download the complete IA Newsletter at
    http://iac.dtic.mil/iatac/news_events/pdf/Vol5_No3.pdf
    The NSA data is presented and analyzed beginning on page 10.
    The baseline settings, referenced in the article, are available for
    download from www.cisecurity.org along with a free tool that tests
    your system for compliance.

     --10, 13 & 14 January 2003 Lawsuit Against Kazaa May Proceed
    A federal judge in Los Angeles has ruled that a lawsuit against
    Australia-based Sharman Networks, the parent company of Kazaa
    peer-to-peer file sharing service, may proceed in U.S. court because
    more than 143 million people have downloaded and used Kazaa software.
    Sharman argued it couldn't be tried in the U.S. because it is based
    in Australia and incorporated in Vanuatu. Sharman plans to fight
    the ruling.
    http://news.com.com/2100-1023-980274.html?tag=fd_top
    http://www.washingtonpost.com/wp-dyn/articles/A49320-2003Jan13.html
    http://www.zdnet.com.au/newstech/ebusiness/story/0,2000024981,20271194,00.htm
    http://www.theage.com.au/articles/2003/01/14/1041990270975.html
    [Editor's Note (Shpantzer): This is big. Kazaa makes Napster look
    like a grade-school science project, and now it may suffer a similar
    legal fate.]

     --8 & 9 January 2003 NIAC Cyber Security Recommendations
    The National Infrastructure Advisory Council has finalized its
    recommendations for the National Strategy to Secure Cyberspace. The
    Council recommends that the government encourage marketplace
    development and use of standards, but refrain from imposing
    standards. The Council also recommends that the government use its
    influence in terms of purchasing power to encourage interoperability
    between the standards.
    http://www.gcn.com/vol1_no1/daily-updates/20797-1.html
    http://www.fcw.com/fcw/articles/2003/0106/web-niac-01-09-03.asp
    [Editor's Note (Murray): The best thing that government can do to
    improve the security of the public networks is to stop connecting
    weak systems to them.]

     --7 January 2003 CSO Security Spending Survey
    A CSO Survey indicates that companies will spend 10% of their IT
    budget on security in 2003; this figure marks an 8% increase over
    2002 spending. Investment in computer security is increasingly seen
    as a strategic move, and some security departments are likely to get
    their own budgets instead of being a part of the IT budget.
    http://www.csoonline.com/csoresearch/report50.html

     --7 & 8 January 2003 Johansen Not Guilty of Piracy in DeCSS Case
    Norwegian teenager Jon Johansen was found not guilty of DVD piracy
    charges for his role in creating and distributing the DeCSS DVD
    decryption program.
    http://news.com.com/2100-1023-979414.html
    http://news.com.com/2100-1023-979769.html
    http://www.wired.com/news/politics/0,1283,57107,00.html
    [Editor's Note (Schultz): Hopefully, U.S. court rulings over the years
    will achieve a reasonable balance between protecting the interests of
    copyright holders and the freedom to research vulnerabilities. This
    ruling leans towards the latter, but more rulings will undoubtedly
    come in time.]

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis
    FREE white paper!
    http://www.sans.org/cgi-bin/sanspromo/NB119

    (2) Instantly stop DDoS attacks and port scans.
    http://www.sans.org/cgi-bin/sanspromo/NB120

    (3) Earn a Norwich University Master's Degree in Information Security
    in 24 months. http://www.sans.org/cgi-bin/sanspromo/NB121

    ***********************************************************************
    SANS Local Mentor Programs begin in 31 cities in 5 countries
    during the next 16 days. Details and schedule at the SANS Web site:
    http://www.sans.org/onlinetraining/mentor.php
    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

     --13 & 14 January 2003 Web Application Security Problems
    The Open Web Application Security Project (OWASP) has listed what its
    members feel are the most pressing web application security problems;
    these include unvalidated parameters, broken access control and
    cross-site scripting flaws.
    http://www.gcn.com/vol1_no1/daily-updates/20862-1.html
    http://www.theage.com.au/articles/2003/01/14/1041990273503.html
    http://www.owasp.org/
    [Editor's Note (Murray): These are not novel; they did not originate
    with web applications. They were identified and enumerated decades
    ago. We simply fail to teach them.]

     --13 January 2003 Commission Seeks Comment on Guidelines for
                        Sentencing Hackers
    The United States Sentencing Commission (USSC) is asking for
    public comment on sentencing guidelines for those convicted of
    cybercrimes. Currently, the guidelines for cybercriminals are the same
    as those for people convicted of embezzlement, theft and larceny. The
    deadline for comments is February 18, 2003.
    http://online.securityfocus.com/news/2028

     --13 January 2003 Microsoft Adds Level to Security Rating System
    Microsoft has expanded its security rating system to
    include "important" warnings; the new level is one step below
    "critical." Critics say Microsoft should have reduced the number
    of warning levels from three to two instead of adding a level; they
    maintain the increased number of levels makes it harder for people
    to know if they have to apply a patch immediately or if they can wait
    until a more convenient time.
    http://www.infoworld.com/articles/hn/xml/03/01/13/030113hnmsfourth.xml?s=IDGNS

     --12 January 2003 Researchers Show Info Sharing Reduces Cyberattack
                        Risk
    Two computer security researchers at Harvard University have
    developed a model which, they claim, demonstrates that companies
    that share information about security breaches and cyber attacks may
    be less likely to become victims of such attacks.
    http://www.eweek.com/article2/0,3959,825430,00.asp
    [Editor's Note (Murray): I, for one, remain to be convinced.
    (Paller) The authors contend that users will be protected because
    attackers won't want their attack methods shared. This is a second
    order effect and is not needed to prove the value of sharing actual
    attack information. The Incidents.Org project run during 2000 and 2001
    proved that, during major attacks, hundreds of organizations' technical
    people willingly shared data about how the attacks were affecting their
    systems and what their attempts to block those attacks accomplished.
    In return, they were assured that the cumulative report published
    by Incidents.Org, on what was happening and what remedial steps were
    effective, reflected the best available information. That enabled the
    contributors to act quickly to improve protection for their systems.
    SANS made the information available to all who wanted it, so the
    people sharing data knew they were helping the whole community.
    Similar results have been shown by CERT/CC. The process works as
    long as technical people have complete trust that (1) the person to
    whom they are giving the data will guard the contributor's name and
    organization from any possible disclosure and (2) the people receiving
    the data have the technical skills to analyze it and integrate it in
    time to help protect the contributor and other organizations.]

     --10 January 2003 DoD Task Force to Evaluate Healthcare Contractor
                        Security
    In the wake of the theft of computers containing personal data from
    a Defense Department (DoD) medical records contractor's office, the
    DoD has formed a task force that will evaluate security at all its
    medical contractors' offices, and has ordered those contractors to
    audit their information security procedures.
    http://www.fcw.com/fcw/articles/2003/0106/web-med-01-10-03.asp

     --10 January 2003 Phreakers Target Texas A&M
    Texas A&M University's telephone system was hit by phone phreakers
    who guessed voice mailbox passwords and altered messages to accept
    charges for long distance calls. Everyone at the University has been
    advised to change voice mailbox passwords.
    http://www.cnn.com/2003/US/Southwest/01/10/university.phones.reut/

     --10 January 2003 Vatican Warns Against On-Line Confession
    The Vatican has warned against using the Internet to hear confessions,
    as hackers could potentially use the private information to blackmail
    people.
    http://www.timesonline.co.uk/article/0,,3-538079,00.html
    [Editor's Note (Grefer): It would be just as easy to bug a church's
    confessional.]

     --9 January 2003 Satellite TV Hacker Will Help Feds in Plea Agreement
    Federal prosecutors have reached a plea agreement with Stephen Woida,
    who has pleaded guilty to charges of conspiracy to steal satellite
    services. Woida is alleged to have cracked satellite television smart
    cards. As part of the plea agreement, Woida will help the government
    with international chip hacking cases.
    http://www.usatoday.com/tech/news/2003-01-09-hackers_x.htm
    [Editor's Note (Ranum): This sends a dangerous message: "if you're a
    really skilled hacker, you'll get away with it." We reward misbehavior
    and are puzzled by the results.]

     --8 January 2003 West Point Establishes Secure Wireless Network
    West Point has established what it believes to be a highly secure
    wireless network on its campus. The security measures, which include
    a virtual private network (VPN) and sixty access controllers, cost the
    school five times what it paid for the wireless network itself. Because
    its network is connected to the Defense Department's network, West
    Point wanted to make sure every security precaution was taken.
    http://chronicle.com/free/2003/01/2003010801t.htm

     --7 & 8 January 2003 Microsoft Reader e-Book Software Circumvention
                           Code Posted
    British programmer Dan Jackson has posted software that circumvents
    the copy protection on Microsoft Reader e-book software. Both the
    program and its source code are posted on Jackson's site; the program's
    creator wants to remain anonymous, according to Jackson. He says his
    involvement with the project stems from his desire "to read e-books
    on older platforms." Microsoft is examining its options, which include
    taking legal action.
    http://www.theregister.co.uk/content/4/28749.html
    http://news.com.com/2100-1023-979778.html
    [Editor's Note (Murray): We have heard that defense before. No one
    cares what he does to satisfy his own reading appetite. He does not
    have to publish on the Internet to do that.]

     --6 & 7 January 2003 Ethernet Device Vulnerability Could Expose
                           Sensitive Data
    A vulnerability in Ethernet device drivers leaks sensitive
    information onto some networks. When packets of less than 46 bytes
    are sent, the flawed drivers pad the frames with leftover contents
    of memory buffers, which may hold sensitive data, instead of null
    bytes. CERT/CC has posted a list of vulnerable devices.
    http://www.eweek.com/article2/0,3959,809385,00.asp
    http://story.news.yahoo.com/news?tmpl=story&u=/cmp/20030107/tc_cmp/iwk20030107s0003
    http://www.kb.cert.org/vuls/id/412115
    [Editors' Note (multiple): The important thing to understand about this
    vulnerability is that it is at layer 2 and is hidden by routers. If
    someone is on the same network segment as you are, there are bigger
    holes through which you leak data to them than this one.]
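    To illustrate the padding leak described above, here is an added Python example (not from the newsletter, CERT/CC or any vendor) that inspects the padding region of short IPv4 Ethernet frames and flags any that contain non-null bytes; the sample frames are constructed inline, and the check assumes the capture has the FCS already stripped (as libpcap normally delivers it).

```python
import struct
from typing import List, Optional

ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + ethertype (2)
MIN_PAYLOAD = 46      # Ethernet minimum payload; shorter payloads must be padded
ETHERTYPE_IPV4 = 0x0800


def padding_bytes(frame: bytes) -> Optional[bytes]:
    """Return the trailing padding of an IPv4 Ethernet frame (FCS assumed stripped).

    The IPv4 total-length field says how long the real datagram is; every byte
    after it in the frame is padding and should be 0x00 on a correct driver.
    Returns None for non-IPv4 or malformed frames.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    (total_len,) = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])
    end = ETH_HDR_LEN + total_len
    if total_len < 20 or end > len(frame):
        return None
    return frame[end:]


def padding_leaks(frame: bytes) -> bool:
    """True if the frame's padding contains anything other than null bytes."""
    pad = padding_bytes(frame)
    return pad is not None and any(pad)


def scan_frames(frames: List[bytes]) -> List[int]:
    """Indices of frames whose padding carries non-null (possibly leaked) data."""
    return [i for i, f in enumerate(frames) if padding_leaks(f)]


def build_frame(pad: bytes) -> bytes:
    """Constructed sample: IPv4/UDP frame with an empty UDP payload (42 bytes),
    padded to the 60-byte minimum with the given bytes (zero-filled if short).
    Addresses and ports are arbitrary; checksums are left zero for brevity."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)   # src port, dst port, length, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip + udp
    need = max(0, MIN_PAYLOAD - (len(frame) - ETH_HDR_LEN))
    return frame + pad[:need].ljust(need, b"\x00")


# A correctly padded frame and one padded with stale buffer contents (constructed).
GOOD_FRAME = build_frame(b"")
LEAKY_FRAME = build_frame(b"Passw0rd! secret")

if __name__ == "__main__":
    for name, f in (("good", GOOD_FRAME), ("leaky", LEAKY_FRAME)):
        print(name, len(f), "bytes, padding:", padding_bytes(f))
```

    Run the same check over frames read from a local capture to see whether your own drivers or NICs pad with nulls; a frame captured with its FCS intact will show four extra trailing bytes that are not padding.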

     --23 December 2002 IETF, SANS, OASIS and Liberty Alliance Named
                          Network Standards Leaders
    Network World's 2003 guide to the people, companies, technologies,
    and ideas that lead the Internet named leaders of the IETF, the
    Internet Architecture Board, The Liberty Alliance, OASIS, and SANS
    as the people "working behind the scenes to make sure everyone plays
    by the same rules." The URL below includes Network World's choices
    for vendors, users, government leaders, and thought leaders as well
    as the standards folks.
    http://www.nwfusion.com/power/2002/50most.html

    WORMS AND OTHER MALWARE

     --2 & 3 January 2003 Malware Names Can be Confusing
    Standardizing the way viruses and worms are named would help home
    users, who usually do not understand the convention used by anti-virus
    vendors, know if they are protected from various strains of malware.
    http://www.messagelabs.com/viruseye/report.asp?id=123
    http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2907878,00.html
    http://www.zdnet.com.au/newstech/security/story/0,2000024985,20271080,00.htm
    [Editor's Note (Murray): In a space in which one has tens of thousands
    of things to name, it is difficult to communicate much meaning in
    the names.]
    [Editor's Note on Worms (Northcutt): Three new worms are shown
    below. They are a moderate threat only; Klez is still a larger
    problem. All three spread using well known, classic Windows problems,
    such as open file shares and attachments. Here's something we can
    do about them: Write a note in each of our organizations reminding
    our coworkers to (1) keep their anti-virus up to date, (2) check
    their hard drives for unprotected shares by typing "net view" in a
    command prompt window and (3) be careful with attachments especially
    from people we don't know. As security professionals we know these
    things, but we need to keep educating the rest of our organizations,
    our spouses, parents, children and neighbors if we are ever going to
    get these worms under control.]

     --13 January 2003 W32/Sobig Worm
    The Sobig mass mailing worm arrives as an attachment and affects all
    Windows operating systems. If it is opened, it will try to copy itself
    to all shared hard drives and send itself to e-mail addresses found
    in the address book and several other locations. Sobig can receive
    updates from the web, the most recent of which contains a back door.
    http://news.com.com/2100-1001-980415.html
    http://zdnet.com.com/2100-1105-980338.html

     --10 January 2003 BBC Hit by ExploreZip Worm
    A BBC computer system became infected with a new variant of the
    ExploreZip worm. The mass mailer worm, which spreads through Outlook,
    arrives as an .exe attachment; when executed, ExploreZip overwrites
    Microsoft Word, Excel and PowerPoint files and reduces their size to
    zero KB. Definitions and fixes are available.
    http://www.vnunet.com/News/1137952

     --9 & 10 January 2003 Lirva Worm
    The Lirva worm steals Windows passwords and e-mails them to a Russian
    address. Three times a month, it also opens Internet Explorer, connects
    to an Avril Lavigne website and displays a short message. Lirva spreads
    by sending itself to e-mail addresses it finds in various files on
    infected computers. The worm arrives as an .exe attachment. Lirva
    takes advantage of a vulnerability in several Microsoft products that
    allows attachments to execute when opened or previewed. Microsoft has
    released fixes for the vulnerability. Two variants of the originally
    identified worm are also circulating.
    http://www.computerworld.com/securitytopics/security/virus/story/0,10801,77380,00.html
    http://news.com.com/2100-1001-979992.html
    http://zdnet.com.com/2100-1105-980101.html
    http://www.vnunet.com/News/1137943

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
    Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) visit http://www.sans.org/sansnews

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number (from the header of this email.) You will receive your
    personal URL via email.
