From: The SANS Institute (NewsBites_at_sans.org)
Date: Tue Feb 11 2003 - 23:16:20 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Three quick notes:

    Today: Attend the "Top Ten UNIX/Linux Internet Security Vulnerabilities
    And How To Fix Them" web briefing by Hal Pomeranz, SANS top UNIX/Linux
    security teacher, free, at 1 pm EST (1800 UTC) Wednesday, Feb
    12. If you miss the live program, it will be archived by evening.
    Please download the visuals well before 1 pm because the download
    site closes a few minutes before the broadcast begins.
    http://www.sans.org/webcasts/021203.php

    Help SANS create a Vendor Security Leadership Report Card. What do
    you expect industry leaders like Cisco and Microsoft and Sun and
    IBM to do to make security better, easier, and less expensive for
    their users? And how are they doing? Send your suggestions to
    info@sans.org with subject "vendor report card." We'll publish
    the first draft report card at the National Information Assurance
    Leadership Conference in San Diego in early March. (NIAL is the top
    rated conference for chief information security officers.)
    http://www.sans.org/SANS2003/nial.php

    Today is the last day to register for SANS Annual Conference if you
    want to avoid the late payment fee. And Friday is the last day to
    get the low cost rooms at the hotel (right on the ocean in San Diego).
    http://www.sans.org/SANS2003

    ***********************************************************************
    SANS NewsBites February 12, 2003 Vol. 5, Num. 6
    ***********************************************************************

    TOP OF THE NEWS
       Bush Authorized Development of Cyber Warfare Rules
       DOD's Computer Network Attack Task Force
       Feds Bypass Procurement Procedures To Buy More Secure Systems
       European Union to Create Cyber Security Agency
       Research Says IT Workers Looking to Government for Jobs; Security
         Certifications Pay Growing Fastest

    THE REST OF THE WEEK'S NEWS
       Insurers Move Toward Stand Alone Policies for Hacking Protection
       Proposed Legislation Would Impose Extra Sentence for Use of
         Encryption with Criminal Intent
       Two Men Sentenced for Altering Data in California Court Computer
         System
       Boston College Student Indicted on Charges Related to Keystroke
         Logging Software
       Attacks on Internet Core Nodes Could Crash the Internet, Say
         Researchers
       ISM Canada's Missing Hard Drive Found; Charges Pending
       Slammer Hoax
       Three Arrested in Connection with TK Worm
       Man Convicted of Illegal Access to Judge's AOL Account
       Bloomberg Cyber Extortion Trial Begins
       Litchfield Says He Will Continue to Publish Proof-of-Concept Code
       Government Surplus Computer Contained AIDS Patients' Names
       Website Tells How to Hack London's Traffic Signals
       Microsoft Issues Security Bulletins for Flaws in IE and Windows XP
       Microsoft Releases Tools to Fight Slammer
       Former ViewSonic Employee Arrested on Cyber Sabotage Charges
       FedCIRC Wants Industry's Help in Establishing Info Sharing Standards
       Suspicious .gov Site Removed
       Santa Clara County Delays Choosing Electronic Voting System
       Microsoft Pulls Faulty NT 4.0 Patch
       Vulnerabilities Found in Opera Browser; New Version Released
       BBC Sends Sobig to Radio Show Mailing List
       Cybersecurity Market Growth Trends
       Korean Group Mulls Class Action Suit Over Slammer

    SECURITY TRAINING UPDATE
    Looking for CISSP training? SANS Track 1 covers both CISSP and GIAC GSEC
    topics and earns much higher teacher ratings than plain CISSP courses.
    And Track 9 gives you both Security+ and GIAC GISO training. Two for
    the price and time of one - and SANS award-winning teachers, too.
    Both are available for groups in house, as are our nine other training
    tracks. They are also being held in San Diego, Baltimore, and many
    other cities in the US and around the world. See: http://www.sans.org

    ******** This Issue Sponsored by VeriSign - The Value of Trust ********

    Get the strongest server security: 128-bit SSL encryption! Download
    VeriSign's FREE guide, "Securing Your Web Site for Business" and
    learn everything you need to know about using SSL to encrypt your
    e-commerce transactions for serious online security.

    Visit: http://www.verisign.com/cgi-bin/go.cgi?a=n20400113340057000

    ***********************************************************************

    TOP OF THE NEWS

     -- Bush Authorized Development of Cyber Warfare Rules
    (7 February 2003)
    In July 2002, President Bush signed National Security Presidential
    Directive 16, which orders the government to develop rules for
    cyberwarfare. The directive seeks to establish when and how to attack
    enemy computer networks, which targets should be attacked and who
    should authorize and launch the attacks.
    http://www.washingtonpost.com/ac2/wp-dyn/A38110-2003Feb6
    http://www.gcn.com/vol1_no1/daily-updates/21122-1.html
    [Editor's Note (Schneier): Although still nascent, cyber-warfare will
    be an important part of 21st Century warfare. Rules of engagement
    will be critical as we navigate this new military theatre.
    (Grefer) The development of cyber attack tools would allow for a much
    more realistic test and improvement of defensive mechanisms.]

     -- DOD's Computer Network Attack Task Force
    (7 February 2003)
    The US Defense Department's (DOD's) Strategic Command Joint Task
    Force-Computer Network Operations is being reorganized into two task
    forces. One will concentrate on network defense, the other on computer
    network attack (CNA).
    http://www.fcw.com/fcw/articles/2003/0203/web-net-02-07-03.asp

     -- Feds Bypass Procurement Procedures To Buy More Secure Systems
    (4 February 2003)
    The final draft of the National Strategy to Secure Cyberspace suggests
    that federal agencies will be able to purchase secure software outside
    of normal procurement procedures. Microsoft's Susan Koehler claims
    some agencies are already getting special approval to bypass the
    purchasing process "because of the security of Windows Server 2003."
    http://www.eweek.com/article2/0,3959,864577,00.asp
    [Editor's Note (Paller): Procurement facilitation for more secure
    systems can be an element of a powerful strategic initiative that
    uses federal procurement to encourage vendors to deliver safely
    configured software. However, it would be dangerous for agencies
    to use this new flexibility to buy software simply because it
    is approved under the Common Criteria. Common Criteria-approved
    systems are often dangerously vulnerable, unless they are delivered
    with installation scripts that comply with secure configuration
    benchmarks - such as those published by the NSA and the Center
    for Internet Security. Contracting officers who believe vendors'
    claims that Common Criteria certification implies effective security,
    may regret their decision when a worm like Slammer takes over their
    systems and brings down their networks.]

     -- European Union to Create Cyber Security Agency
    (6/10 February 2003)
    The European Commission plans to establish a cybersecurity center
    to help member states share information about cyber threats and to
    promote best practice standards. The European Network and Information
    Security Agency, which has a $26.3 million budget over five years,
    is due to begin operations in January 2004.
    http://www.vnunet.com/News/1138546
    http://www.msnbc.com/news/869573.asp?0dm=C258T
    http://www.computerworld.com/securitytopics/security/story/0,10801,78402,00.html

     -- Research Says IT Workers Looking to Government for Jobs; Security
         Certifications Pay Growing Fastest
    (10 February 2003)
    According to research from Foote Partners, IT workers from the private
    sector are increasingly pursuing IT jobs in government in search of
    better employment security and shorter hours. In addition, premium
    pay for those with security certifications has risen more than 30%
    in two years.
    http://www.computerworld.com/careertopics/careers/story/0,10801,78304,00.html?nas=CAR-78304

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) Stop spam! - Top 10 enterprise techniques to control spam
        ***white paper ***
    http://www.sans.org/cgi-bin/sanspromo/NB131

    (2) PREVENT INTRUSIONS FOR GOOD. Identify attackers. Block them with
    countermeasures! FREE DEMO.
    http://www.sans.org/cgi-bin/sanspromo/NB132

    (3) Event Correlation - Is It Security's Holy Grail? View our White
    Paper at http://www.sans.org/cgi-bin/sanspromo/NB133

    ***********************************************************************
    SANS National Information Assurance Leadership Conference (March 5-6
    in San Diego) features the five top rated speakers in security, and
    it is the only place where you will get the updated Internet Threat
    Briefing. It is *the* conference to attend for CISO's, security
    managers and team leaders. No vendor marketing fluff, and it is not
    too technical for managers. You may even attend it and then attend
    SANS immersion training in the same hotel right after the conference.
    http://www.sans.org/SANS2003/nial.php
    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

     -- Insurers Move Toward Stand Alone Policies for Hacking Protection
    (9 February 2003)
    Insurance companies are now making businesses purchase stand-alone
    policies for hacking instead of covering those losses under their
    general liability policies. The market for hacking insurance is
    expected to leap from $100 million this year to $900 million in 2005.
    http://www.usatoday.com/money/industries/technology/2003-02-09-hacker_x.htm
    [Editor's Note (Schultz): I am more than a little skeptical of the
    projected numbers in this news item. Time-after-time we've seen
    unfulfilled predictions concerning the growth of cybersecurity
    insurance in the past.
    (Schneier): Insurance is an important tool to manage security risks.
    As insurance becomes more ubiquitous, the insurance industry will
    begin driving security requirements much the same way it does in
    the physical world.]

     -- Proposed Legislation Would Impose Extra Sentence for Use of
         Encryption with Criminal Intent
    (7 February 2003)
    Among the provisions in a draft of the Domestic Security Enhancement
    Act of 2003 is a proposed law that would provide for prison sentences
    for those who "knowingly and willfully use[] encryption technology
    to conceal any incriminating communication" in connection with a
    federal crime. Other provisions would significantly expand government
    surveillance abilities.
    http://online.securityfocus.com/news/2296

     -- Two Men Sentenced for Altering Data in California Court Computer
         System
    (7 February 2003)
    Two hackers have pleaded guilty to breaking into the Riverside County
    (CA) court computer system and altering data to make it appear charges
    had been dismissed in a number of cases, including one against one of
    the hackers. The two obtained access to the system through a password
    one of them had copied while working as an outside consultant to a
    local police department. William Grace and Brandon Wilson were each
    sentenced to nine years in prison.
    http://www.msnbc.com/news/870163.asp?0dm=C17LT
    [Editor's Note (Ranum): One has to ask how on earth the court's
    systems had such poor audit, poor perimeter security, and why on
    earth they were dial-up accessible. The hackers deserve appropriate
    punishment for this, but whoever established a password-based security
    access policy for such a critical system should lose their job
    for it. I'm not "blaming the victim" but this represents stunning
    security-incompetence. And systems admins and MIS managers will
    continue to display such incompetence as long as nobody ever loses
    their job for it.
    (Grefer): This incident may serve as a timely reminder to our readers
    to implement (and test) a policy of regular password changes.]

     -- Boston College Student Indicted on Charges Related to
         Keystroke-Logging Software
    (6/7 February 2003)
    Douglas Boudreau, a Boston College student, was indicted on charges
    of installing keystroke-logging software on more than 100 computers at
    his school; Boudreau then allegedly used the information he collected
    to steal about $2000. He faces up to 20 years in prison if convicted.
    http://news.com.com/2100-1023-983717.html
    http://www.washingtonpost.com/wp-dyn/articles/A37471-2003Feb6.html
    http://www.theregister.co.uk/content/55/29233.html
    http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,78319,00.html
    [Editor's Note (Schneier): This is a trivial case, but it's a harbinger
    of things to come. Punishments need to fit the crime.]

     -- Attacks on Internet Core Nodes Could Crash the Internet,
         Say Researchers
    (6 February 2003)
    Researchers at Arizona State University have published a paper
    describing how strategically designed attacks on high-load Internet
    nodes could cause cascading failures and ultimately crash the Internet.
    They recommend that high-load nodes should have extra protection
    and that load redistribution mechanisms should be developed in case
    high-load nodes fail.
    http://www.newsfactor.com/perl/story/20686.html
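The mechanism behind this item is easy to see in a small simulation. The block below is an added example written for this page; it is not code from the ASU researchers or from the article, and the model it uses is an assumption: a node's load is its shortest-path betweenness (how many shortest routes pass through it), its capacity is (1 + alpha) times its initial load, and an attack is the removal of a single node. After a removal the loads are recomputed, any node now over capacity fails, and the process repeats until the network settles. The synthetic scale-free network and the five-node PARALLEL_PATHS graph are constructed sample data.

```python
"""Added illustration (not from the ASU paper or the article): a load/capacity
cascade model on a synthetic network.  Assumptions: load = shortest-path
betweenness, capacity = (1 + alpha) * initial load, attack = removal of one
node.  Damage is the fraction of nodes left in the largest surviving
connected component."""
import random
from collections import deque


def betweenness(adj):
    """Brandes shortest-path betweenness for an undirected graph given as
    {node: iterable of neighbours}; each unordered pair is counted once."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        order, pred = [], {v: [] for v in adj}
        sigma, dist = {v: 0 for v in adj}, {v: -1 for v in adj}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # BFS, counting shortest paths
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in adj}
        while order:                      # back-propagate dependencies
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: b / 2 for v, b in bc.items()}   # undirected: each pair seen twice


def largest_component(adj):
    """Size of the largest connected component."""
    seen, best = set(), 0
    for s in adj:
        if s in seen:
            continue
        seen.add(s)
        queue, size = deque([s]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best


def cascade(adj, removed, alpha):
    """Remove `removed`, then repeatedly fail every node whose recomputed
    load exceeds its capacity (1 + alpha) * initial load.  Returns the
    fraction of the original nodes still in the largest surviving component."""
    initial = betweenness(adj)
    capacity = {v: (1 + alpha) * initial[v] for v in adj}
    alive = set(adj) - {removed}
    while True:
        sub = {v: [w for w in adj[v] if w in alive] for v in alive}
        load = betweenness(sub)
        failed = {v for v in alive if load[v] > capacity[v] + 1e-9}
        if not failed:
            return largest_component(sub) / len(adj)
        alive -= failed


def scale_free_graph(n, m, seed):
    """Preferential-attachment graph (constructed sample data): each new node
    links to m existing nodes chosen with probability proportional to degree."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    targets, urn = list(range(m)), []
    for v in range(m, n):
        for t in set(targets):
            adj[v].add(t)
            adj[t].add(v)
        urn.extend(targets)
        urn.extend([v] * m)
        targets = [rng.choice(urn) for _ in range(m)]
    return {v: sorted(nb) for v, nb in adj.items()}


def attack(adj, alpha, strategy, seed=0):
    """'highest_load' removes the most loaded node; 'random' removes an
    arbitrary one.  Returns the surviving fraction after the cascade."""
    if strategy == "highest_load":
        load = betweenness(adj)
        target = max(adj, key=lambda v: load[v])
    else:
        target = random.Random(seed).choice(sorted(adj))
    return cascade(adj, target, alpha)


# Hand-built graph: two routes between s and t, the shorter one through a.
# Removing a with no spare capacity (alpha=0) pushes all s-t traffic through
# b and c, which then exceed their capacity and fail as well.
PARALLEL_PATHS = {"s": ["a", "b"], "a": ["s", "t"], "t": ["a", "c"],
                  "b": ["s", "c"], "c": ["b", "t"]}

if __name__ == "__main__":
    net = scale_free_graph(80, 2, seed=1)
    for alpha in (0.0, 0.2, 0.5):
        print(f"alpha={alpha:.1f}  highest-load removal -> "
              f"{attack(net, alpha, 'highest_load'):.2f} surviving, "
              f"random removal -> {attack(net, alpha, 'random'):.2f}")
```

The alpha parameter is the "extra protection" the researchers recommend for high-load nodes: on PARALLEL_PATHS, removing node a with alpha=0 leaves only one fifth of the network connected, while alpha=1 (double capacity) lets the remaining four nodes absorb the rerouted load. Running the script on the synthetic scale-free network shows the same contrast between removing the single highest-load node and removing a random one.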

     -- ISM Canada's Missing Hard Drive Found; Charges Pending
    (6 February 2003)
    A hard drive that contained personal information belonging to
    over one million people and that had been reported missing from
    ISM Canada Inc. has been recovered. A Regina (Saskatchewan) police
    department sergeant says charges are pending against one individual.
    Investigators are checking to see if the information on the disk had
    been used. Several companies that had customer data on the disk
    say they will not work with ISM Canada again until it can provide
    assurance that the data it stores is secure.
    http://www.theglobeandmail.com/servlet/ArticleNews/front/RTGAM/20030204/wdriv24a2a/Front/homeBN/breakingnews
    [Editor's Note (Grefer): The case probably would have gained more
    media attention if it had been pointed out earlier that ISM is a
    (Canadian) subsidiary of IBM.]

     -- Slammer Hoax
    (6 February 2003)
    A recently published story claiming that the Slammer worm was the
    work of terrorists has been proven to be a hoax. Brian McWilliams
    purchased a website that was formerly run by a Pakistan-based
    terrorist organization; in the guise of "Abdul Mujahid," McWilliams
    claimed responsibility for spreading the Slammer worm. Computerworld
    journalist Dan Verton was victimized by McWilliams' hoax. In his
    account of the events, Verton concludes "So, I'm left here scratching
    fleas as the price you sometimes pay for sleeping with dogs."
    http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,78238,00.html
    [Editor's Note (Schultz): Mr. McWilliams owes some explanations, first
    for by his own admission breaking into an email account allegedly
    used by Saddam Hussein without authorization, and now more recently
    for his reported involvement in spreading a foolish hoax.]

     -- Three Arrested in Connection with TK Worm
    (6/7 February 2003)
    Police in the UK have arrested two men believed to be a part of a
    hacking ring responsible for creating the TK worm, which has infected
    about 18,000 computers around the world, according to the UK's National
    Hi-Tech Crime Unit (NHTCU). US law enforcement agents have been
    aiding in the investigation into the ring. Computers infected with
    the TK worm become hosts under the command of computers controlled
    by the group. The two suspects have been released on bail. A third
    man was also arrested in the US.
    http://www.theregister.co.uk/content/56/29221.html
    http://news.com.com/2100-1001-983804.html
    http://news.bbc.co.uk/2/hi/technology/2733657.stm
    http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,78310,00.html

     -- Man Convicted of Illegal Access to Judge's AOL Account
    (6 February 2003)
    A Pennsylvania man was convicted of unlawfully accessing a judge's
    America Online account on three different occasions. Brian T. Ferguson
    could face up to three years in prison and a fine of as much as
    $300,000 when he is sentenced in early April.
    http://www.ds-osac.org/view.cfm?KEY=7E4455464155&type=2B170C1E0A3A0F162820

     -- Bloomberg Cyber Extortion Trial Begins
    (6 February 2003)
    The trial of Oleg Zezov, the man from Kazakhstan who is accused of
    breaking into Bloomberg financial news services' computer systems and
    attempting to extort $200,000 from the company, has begun. Zezov
    could face up to 20 years in prison if convicted. Zezov's defense
    team said he was simply attempting to receive payment in exchange
    for demonstrating Bloomberg's computer security vulnerabilities. An
    alleged accomplice in the case will be in court later this year.
    http://www.theregister.co.uk/content/55/29218.html
    http://www.newsday.com/news/local/newyork/politics/ny-nybloo063118900feb06.story
    [Editor's Note (Shpantzer): Prosecutions like these owe much of their
    success to Louis Freeh's vision of increased international cooperation
    between law enforcement agencies, via the Bureau's expanded Legal
    Attache program. Here are a couple of samples of Freeh's testimony
    on international crime as Director of the FBI in the 90's.
    http://www.fas.org/irp/congress/1996_hr/s960312f.htm
    http://www.fas.org/irp/congress/1998_hr/s980421-lf.htm]

     -- Litchfield Says He Will Continue to Publish Proof-of-Concept Code
    (5/6 February 2003)
    David Litchfield acknowledged last week that proof-of-concept code he
    published to demonstrate a vulnerability in Microsoft SQL Server was used as
    the basis for the Slammer worm. He says he will continue to publish
    code, asserting that such publication is beneficial to network and
    computer security.
    http://www.eweek.com/article2/0,3959,868083,00.asp
    http://www.theregister.co.uk/content/55/29195.html
    http://zdnet.com.com/2100-1105-983602.html
    [Editor's Note (Schneier): The only reason security companies take
    vulnerabilities seriously is because researchers publish exploit
    code. The vulnerability is the problem, not the information about
    the vulnerability. Keeping vulnerabilities secret, and not allowing
    people information about their own risks, is irresponsible.]

     -- Government Surplus Computer Contained AIDS Patients' Names
    (6 February 2003)
    A computer that had been used by a Kentucky state agency and that
    was being made available at a government surplus sale was found to
    contain sensitive data about people with AIDS and other sexually
    transmitted diseases. The State Auditor said the computer has never
    left state custody, and that the security breach was discovered during
    a random check for unpurged data. The Health Services Secretary said
    the drive was thought to have been cleaned before the computer was
    offered for sale and has ordered an investigation.
    http://www.msnbc.com/news/869709.asp?0dm=T248T

     -- Website Tells How to Hack London's Traffic Signals
    (6 February 2003)
    Transportation officials in London have expressed concern about
    a website that offers detailed instructions for hacking into the
    computers that control London traffic signals. Experts say the
    information provided could be used to cause turmoil on London streets.
    http://www.thisislondon.co.uk/traffic/articles/3266323?source=Evening%20Standard

     -- Microsoft Issues Security Bulletins for Flaws in IE and Windows XP
    (6 February 2003)
    A "critical" flaw in Internet Explorer (IE) could let attackers
    run code on vulnerable machines; IE versions 5.01, 5.5 and 6.0
    are affected. A patch is available. An "important" flaw in the
    Windows Redirector software in Windows XP could allow local privilege
    elevation.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78232,00.html
    IE Bulletin: http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
    XP Bulletin: http://www.microsoft.com/technet/security/bulletin/MS03-005.asp

     -- Microsoft Releases Tools to Fight Slammer
    (6 February 2003)
    Microsoft has released three software tools designed to help
    administrators check for the Slammer worm's presence and to fix the
    vulnerabilities it exploits.
    http://zdnet.com.com/2100-1105-983603.html
    http://www.microsoft.com/sql/downloads/securitytools.asp

     -- Former ViewSonic Employee Arrested on Cyber Sabotage Charges
    (6 February 2003)
    Andy Garcia Montebello has been arrested on charges of sabotaging
    computers of his former employer, ViewSonic Corp. Montebello's actions
    allegedly caused $100,000 in damages and cost the company $1 million
    in lost business. If he is convicted, Montebello could receive a
    15-year prison sentence.
    http://www.msnbc.com/news/869572.asp?0dm=T238T
    [Editor's Note (Shpantzer): This is only the latest of many
    former-employee sabotage cases in recent months. Review your security
    policies for inclusion of credentials-revocation for employees
    on their way out, regardless of circumstances for separation.
    Passwords, tokens, IDs and badges should be changed and/or revoked
    as appropriate. Some organizations also acquire forensic images of
    the exiting employee's company-owned computers and save them in case
    investigations are later required.]

     -- FedCIRC Wants Industry's Help in Establishing Info Sharing
         Standards
    (5 February 2003)
    The Federal Computer Incident Response Center (FedCIRC) has released
    a request for information (RFI) asking those in industry for help
    in establishing standards for sharing information about computer
    security incidents.
    http://fcw.com/fcw/articles/2003/0203/web-fedcirc-02-05-03.asp

     -- Suspicious .gov Site Removed
    (5 February 2003)
    The General Services Administration (GSA) has removed the URL of an
    unauthorized .gov site from the .gov directory name server. The site
    in question, AONN.gov, purported to be a government agency that had the
    support of the Defense Department; however, there is no such agency.
    http://news.com.com/2100-1023-983384.html?tag=fd_lede2_hed

     -- Santa Clara County Delays Choosing Electronic Voting System
    (5 February 2003)
    The Santa Clara (CA) County Board of Supervisors, which is under court
    order to find a replacement for its punch-card voting system by March
    2004, has put off choosing a vendor for an electronic voting system.
    The board expressed concerns about the security of such systems as
    well as about the machines' accessibility to people with disabilities.
    http://www.siliconvalley.com/mld/siliconvalley/5110653.htm

     -- Microsoft Pulls Faulty NT 4.0 Patch
    (4/10 February 2003)
    Microsoft has pulled a patch for a privilege elevation vulnerability in
    Windows NT 4.0; the patch has been blamed for computers crashing and
    rebooting. Microsoft plans to issue a new patch soon. Patches for
    the same vulnerability in Windows 2000 and XP are not affected by
    this problem.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78171,00.html
    Microsoft has released an updated patch for the vulnerability.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78408,00.html
    Updated security bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-071.asp

     -- Vulnerabilities Found in Opera Browser; New Version Released
    (4/5 February 2003)
    GreyMagic Software says it has found five security vulnerabilities
    in the Opera 7 web browser. Three of the flaws allow attackers to
    browse vulnerable systems' hard drives and read files; the other
    two expose browsing histories. Four of the vulnerabilities can be
    addressed by disabling JavaScript. Opera has released an updated
    version of the browser.
    http://www.computerworld.com/securitytopics/security/story/0,10801,78175,00.html
    http://www.theregister.co.uk/content/55/29177.html
    http://zdnet.com.com/2100-1105-983435.html

     -- BBC Sends Sobig to Radio Show Mailing List
    (4 February 2003)
    The BBC inadvertently sent the Sobig worm to people on a mailing list
    for a popular radio show. Several weeks ago, BBC computers became
    infected with the ExploreZip virus.
    http://www.theregister.co.uk/content/56/29180.html

     -- Cybersecurity Market Growth Trends
    (4 February 2003)
    An IDC study says the cybersecurity market will grow to $45 billion
    by 2006; in 2001, that figure was $17 billion. Security hardware is
    expected to offer the greatest growth opportunity, with a predicted
    25% compound annual growth between 2001 and 2006.
    http://www.infoworld.com/article/03/02/04/HNsecure_1.html?security

     -- Korean Group Mulls Class Action Suit Over Slammer
    (3/4 February 2003)
    The People's Solidarity for Participatory Democracy (PSPD), a Korean
    civic group, is weighing the possibility of filing a class action
    lawsuit against Microsoft Corp. for damages caused by the Slammer worm.
    A recently passed product liability law holds companies liable for
    damage caused by flaws in their products.
    http://times.hankooki.com/lpage/nation/200302/kt2003020318021611960.htm
    http://www.theregister.co.uk/content/56/29174.html

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
    Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
    Guest Editor: Bruce Schneier

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) visit http://www.sans.org/sansnews/

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number or email address (from the header of this email.) You
    will receive your personal URL via email.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+Sc3++LUG5KFpTkYRAiKbAJ9NmlCGb3fJVr622rDaQLNqTjY7rgCaAsXj
    HBLE/AJa5x+25B3NykO1jeY=
    =SCF2
    -----END PGP SIGNATURE-----