From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Jan 22 2003 - 11:17:00 CST


    In about six weeks more than 1,400 security and audit professionals
    will arrive in San Diego (at a hotel right on the ocean, a great
    escape from arctic blasts) for immersion training at SANS 2003 Annual
    Conference. (http://www.sans.org/SANS2003) Three quick notes:
    (1) If you have already registered or do so within the next three
    weeks, you will get an email enabling you to participate in SANS'
    extraordinary online Internet Threat Update that details the new
    methods attackers are using and available techniques for blocking
    them. This is the keynote (and highest rated) presentation at the
    National Information Assurance Leadership Conference and we want to
    make sure all SANS2003 attendees get the benefit of having access to
    the newest information.
    (2) Monday January 27 is the deadline for the early registration
    discount for SANS 2003.
    (3) If you received more than one SANS 2003 conference program
    (it's 100 pages long) please pass the extra along to someone who
    can gain from SANS security training. If you need an extra copy,
    email info@sans.org with subject SANS2003 brochure.

    ***********************************************************************
    SANS NewsBites January 22, 2003 Vol. 5, Num. 3
    ***********************************************************************

    TOP OF THE NEWS
      $4.7 Billion Budgeted for Federal IT Security
      Virus Writer Jailed for Two Years
      Rumsfeld Orders Material Removed from Web
      Ohio State Computer System Overwhelmed with 11 Million e-Mails
      Microsoft to Share Windows Source Code

    THE REST OF THE WEEK'S NEWS
      Peer-to-Peer Hydra Worm Claim is a Hoax
      Study Shows Old Drives Not Adequately Cleaned
      Allstate Banned from On-Line CA DMV Access
      SPV Phone Vulnerability
      Advice for Choosing a VPN
      Agencies are Encouraged to Use FedCIRC's Patch System
      DHCP Buffer Overflow Flaws
      New Mexico to Deploy Identity Management Program for State Web Access
      Sobig Worm Upgraded
      Spammer's Site Exposes Customer Data
      Mullen Defends Striking Back at Systems Running Worms
      Instant Messaging Security Risks
      Microsoft Will Release APIs to Ensure Longhorn Works Well with AV Products

    SECURITY COMMUNITY PROJECTS
    SANS seeks reviewers for Business Law and Computer Security and for
      New SSH Step-by-Step
      Dartmouth ISTS Seeks Comments on Security Research Gap Analysis

    TRAINING QUOTE OF THE WEEK
    "SANS is on the cutting edge of security and is recognized as the
    standard everyone else wants to be." (Wade Gaines, US Department
    of Energy)
    Full schedule of courses in the US, Europe, Australia and Asia, plus
    on line and local mentor programs in 40 cities: http://www.sans.org

    ******************** This Issue Sponsored by NetIQ *******************

    Security Webcast Featuring Social Engineering Experts

    Join our distinguished panel of security experts, for NetIQ's free
    security webcast-"People & Policies: Turning Your Weakest Security
    Link into a First Line of Defense."

    Register now.
    http://www.netiq.com/f/form/form.asp?id=1696&origin=NSSansNewsbites012203
    ***********************************************************************

    TOP OF THE NEWS

    $4.7 Billion Budgeted for Federal IT Security
    (21 January 2003)
    President Bush will ask Congress for $59 billion in new information technology spending in his FY 2004 budget. $4.9 billion of that is targeted for computer security.
    http://www.govexec.com/dailyfed/0103/012103h1.htm

    Virus Writer Jailed for Two Years
    (21 January 2003)
    Simon Vallor, a Welsh web designer, was jailed for 24 months for
    writing and spreading viruses. This sentence is four months longer
    than the one given in the US to David Smith, author of Melissa.
    http://news.independent.co.uk/uk/crime/story.jsp?story=371624

    Rumsfeld Orders Material Removed from Web
    (16 January 2003)
    Defense Secretary Donald Rumsfeld has issued an order restricting
    what information is to be available on armed forces web sites. An al
    Qaeda training manual found in Afghanistan indicates the group used
    US military web sites to gather information.
    http://online.securityfocus.com/news/2062
    http://news.com.com/2100-1023-981057.html?tag=fd_top
    [Editor's Note (Ranum): Some of us pointed this out back in the early
    1990's, when (for example) Ft Huachuca posted intelligence analysts'
    training manuals on the web. It's sad that something so obvious had
    to go as high as the SecDef.
    (Denning): The DoD has been cracking down on this since at least 1998.
    See the 1998 memo from the secdef on information vulnerability on
    the web http://www.defenselink.mil/other_info/depsecweb.pdf .
    The official DoD policy on web content (issued Nov 98 and updated
    Jan 02) is at http://www.defenselink.mil/webmasters/]

    Ohio State Computer System Overwhelmed with 11 Million e-Mails
    (15 January 2003)
    Police believe they know who is responsible for sending 11 million
    e-mail messages into Ohio State University's computer system.
    The attack made Internet access difficult and delayed e-mail delivery
    for several days.
    http://www.marionstar.com/news/stories/20030115/localnews/780708.html

    Microsoft to Share Windows Source Code
    (15 January 2003)
    Microsoft will share Windows source code with governments and
    international organizations to allow them to conduct security reviews.
    Participants in the Government Security program will also be able to
    visit Microsoft's development facilities.
    http://www.computerworld.com/securitytopics/security/story/0,10801,77599,00.html
    http://www.fcw.com/fcw/articles/2003/0113/web-gsp-01-15-03.asp
    http://www.theregister.co.uk/content/55/28869.html
    http://www.eweek.com/article2/0,3959,830236,00.asp

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) Fortinet's ASIC-powered Antivirus Firewalls stop viruses in real
    time - FREE WHITEPAPER http://www.sans.org/cgi-bin/sanspromo/NB122

    (2) Bulletin: Instantly stop DDoS attacks and port scans.
    http://www.sans.org/cgi-bin/sanspromo/NB123

    (3) BE OFFENSIVE. Don't react to network intrusions. Actively prevent
    them. FREE WP (White Paper).
    http://www.sans.org/cgi-bin/sanspromo/NB124

    ***********************************************************************
    SANS Local Mentor Programs begin in 31 cities in 5 countries
    during the next 16 days. Details and schedule at the SANS Web site:
    http://www.sans.org/onlinetraining/mentor.php
    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

    Peer-to-Peer Hydra Worm Claim is a Hoax
    (14/16 January 2003)
    A hacking group called Gobbles Security admitted that its claim to
    have been hired by the Recording Industry Association of America
    (RIAA) to create a worm to infect peer-to-peer file sharing networks
    was a hoax. However, the phony announcement included a description
    of a real security flaw and source code to exploit it. The flaw
    could be exploited to delete files on Unix-based computers.
    http://www.wired.com/news/infostructure/0,1377,57229,00.html
    http://news.com.com/2100-1023-980649.html
    http://www.eweek.com/article2/0,3959,827970,00.asp

    Study Shows Old Drives Not Adequately Cleaned
    (15/16 January 2003)
    According to a study conducted by two MIT graduate students, people who
    sell their old disk drives are not doing an adequate job of ensuring
    the information they hold is removed. Of 158 drives purchased on eBay
    or at computer salvage stores, only 12 had been appropriately sanitized;
    the rest were either broken or contained personal data that were
    easy to recover and read. The report says people need to be better
    educated about methods for cleaning their data off drives they are
    selling.
    http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,77623,00.html
    http://www.msnbc.com/news/859843.asp?0dm=T216T
    [Editor's Note (Shpantzer): IT assets should be tracked and
    managed in some sort of formal manner. One way to do this is to
    use the System Development Life Cycle model (SDLC). This model
    includes the disposal phase of assets, which should be given
    due regard in accordance with the data sensitivity, as well as
    updated to defend against new threats such as advances in forensic
    recovery techniques. Here is how one agency works with the SDLC:
    http://wwwoirm.nih.gov/security/nih-sdlc.html]

    Allstate Banned from On-Line CA DMV Access
    (16 January 2003)
    Allstate Insurance has been banned from checking on line driving
    records at the California Department of Motor Vehicles after officials
    discovered that employees at the company were violating confidentiality
    rules. Among the infractions: a confidential home address of one
    driver was given to another driver, computer passwords were shared,
    and false claim numbers were submitted to gain access to friends and
    family members' records.
    http://www.siliconvalley.com/mld/siliconvalley/4965810.htm
    [Editor's Note (Grefer): Who'd believe that they're the only ones
    abusing the system?]

    SPV Phone Vulnerability
    (16 January 2003)
    Microsoft and Orange, a mobile phone operator, are together developing
    a patch for a vulnerability in the SPV phone, which they market
    in Europe. The SPV phone is able to run certain downloadable
    applications; users and developers who were unhappy with the
    restrictions apparently circulated information about disarming that
    security feature.
    http://www.pcworld.com/news/article/0,aid,108834,00.asp

    Advice for Choosing a VPN
    (16 January 2003)
    This article describes the differences between trusted virtual
    private networks (VPNs) and secure VPNs. The article also discusses
    implementing VPNs, deciding how they will be managed and what to
    expect to pay for VPN gateways and client software.
    http://www.idg.net/ic_1020898_9677_1-5044.html

    Agencies are Encouraged to Use FedCIRC's Patch System
    (16 January 2003)
    Presidential cyber security advisor Richard Clarke and the Office of
    Management and Budget's (OMB's) associate director for IT Mark Forman
    both recommend that government agencies make use of the Federal
    Computer Incident Response Center's (FedCIRC's) security patch
    distribution service. The Patch Authentication and Dissemination
    Capability (PADC) could help agencies meet the FISMA requirements.
    Agencies can enter system profiles and receive information about
    potential vulnerabilities and how to address them. Patches will
    be tested and stored to a secure server for agencies to download
    as needed.
    http://www.gcn.com/vol1_no1/security/20885-1.html

    DHCP Buffer Overflow Flaws
    (16 January 2003)
    The Computer Emergency Response Team Coordination Center (CERT/CC)
    has issued an advisory warning of buffer overflow vulnerabilities
    in Internet Software Consortium's (ISC) Dynamic Host Configuration
    Protocol (DHCP) software. DHCP versions 3.0 through 3.0.1RC10 are
    affected. The ISC has released an update that addresses the flaws.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,77622,00.html
    http://www.cert.org/advisories/CA-2003-01.html
    http://www.kb.cert.org/vuls/id/284857#systems
    http://www.isc.org/products/DHCP/

    New Mexico to Deploy Identity Management Program for State Web Access
    (16 January 2003)
    Within the next month, the state of New Mexico plans to implement a
    centralized identity management program so that employees and citizens
    can access web applications securely. Administrators will be able
    to alter employees' profiles, so that if they leave their job, their
    permissions change at the same time.
    http://www.fcw.com/geb/articles/2003/0113/web-nm-01-16-03.asp
    [Editor's Note (Schultz): New Mexico's system appears to be a big
    step forward. Too often organizations neglect revoking access to
    former employees. Hopefully, the changes in profiles and permissions
    that New Mexico is implementing will occur soon after employees leave
    their jobs.]

    Sobig Worm Upgraded
    (15 January 2003)
    Several anti-virus companies have upgraded warnings for the Sobig worm,
    which spreads through e-mail and shared folders and affects
    Windows-based systems.
    http://www.computerworld.com/securitytopics/security/story/0,10801,77598,00.html
    http://www.vnunet.com/News/1138044

    Spammer's Site Exposes Customer Data
    (15 January 2003)
    A web site operated by a spammer who mass mails people with offers
    of cheap, pirated software has exposed customer data, leaving it ripe
    for picking by other spammers.
    http://www.internetnews.com/IAR/article.php/1569901

    Mullen Defends Striking Back at Systems Running Worms
    (13 January 2003)
    Tim Mullen defends his "strikeback" position; he believes people
    should be allowed to "neutralize a worm process" on others' systems.
    He reasons that if an entity has no responsibility for worms running
    on their systems without their knowledge, they have no rights to the
    process, either. In other words, if entities claim their rights were
    violated by a strikeback, that claim carries with it an acknowledgment
    of responsibility for the worm's actions.
    http://online.securityfocus.com/columnists/134
    [Editor's Note (Ranum): "Blame the victim" is not a moral position.
    (Paller) Whether or not it is moral, blaming the victim may be
    legal. In the BNA Electronic Commerce Law Report, Raul, Volpe and
    Meyer write, "Under a tort liability model, security breach victims
    may be able to seek damages from a company if they can prove the
    existence of: (1) a reasonable duty of care necessary to prevent
    security breaches, (2) a breach of that duty, (3) a proximate
    relationship between the breach of the duty and the injury, and
    (4) actual loss or damage sustained as a result of the breach."
    <http://www.sidley.com/cyberlaw/features/liability.asp?print=yes>
    The problem with Tim Mullen's thesis is that he is not asking for
    damages from the victim, but for a right to break into the victim's
    computer. Federal statutes clearly say that is illegal without the
    victim's permission.
    (Schultz) Mr. Mullen certainly has the right to his opinions, but
    frankly, I'm disappointed that a well-respected site like Security
    Focus would resort to publishing a white paper that advocates the
    right to become a cyber-vigilante.]

    Instant Messaging Security Risks
    (13 January 2003)
    This article describes the various security threats associated with
    Instant Messaging clients: worms, backdoors, hijacking, and denial
    of service. Because the use of Instant Messaging is increasing, the
    possibility of becoming infected with malware is increasing as well.
    http://online.securityfocus.com/infocus/1657

    Microsoft Will Release APIs to Ensure Longhorn Works Well with AV Products
    (13 January 2003)
    Microsoft is taking steps to ensure that its next-generation operating
    system, code-named Longhorn, will work well with anti-virus software.
    The company is releasing approximately 100 APIs to anti-virus
    vendors, which should help with virus scanning and detection and
    reduce interference with operating systems and applications.
    http://www.nwfusion.com/news/2003/0113antivirus.html

    SECURITY COMMUNITY PROJECTS

    SANS seeks reviewers for Business Law and Computer Security and for
    New SSH Step-by-Step
    Two consensus research opportunities:
    The first draft of our new SANS SSH Step-By-Step is ready for review.
    This work includes configuration, usage and verification steps for SSH.

    In addition, we are seeking attorneys who are interested in reviewing
    the first draft of our new SANS one day course that is slated to
    become the book: Business Law and Computer Security

    To participate in either project, please include any relevant
    experience and credentials along with your bio/resume and respond
    to review@sans.org

    Selected reviewers who make substantial contributions will receive
    credit by having their name and organization listed on the inside
    front cover. In addition, they will receive a free copy of the book.

    Dartmouth ISTS Seeks Comments on Security Research Gap Analysis
    The Institute for Security Technology Studies (ISTS) is doing an
    analysis of the gap between needs and available technology for cyber
    attack investigation. If you have tools that are useful in this field,
    email Andrew MacPherson at amacpherson@ists.dartmouth.edu.

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
    Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) visit http://www.sans.org/sansnews/

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number or email address (from the header of this email.) You
    will receive your personal URL via email.
