From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Feb 19 2003 - 08:54:11 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
    SANS NewsBites February 19, 2003 Vol. 5, Num. 7
    ***********************************************************************

    TOP OF THE NEWS
      Millions of Credit Card Numbers May Have Been Compromised
      Class-Action Law Suit Filed Claiming Liability For Security Breach
      Final Draft of National Strategy to Secure Cyberspace Released
      NIPC Warns Against Patriotic Hacking
      Seventeen Indicted for Satellite Television Hacking

    THE REST OF THE WEEK'S NEWS
      Confidential Canadian Documents Exposed
      Addamark Technologies Alleges Competitor Viewed Confidential Document
      When Did Symantec Know About Slammer?
      PayPal Users Receiving Trojan-Laden e-Mail
      Timeline of Viruses and Other Malware
      Microsoft Updates Buggy Cumulative IE Patch
      FTD.com Exposes Customer Data
      Catherine Zeta-Jones Virus
      NSF Expands Scholarship for Service Program
      Linux to be Submitted for Common Criteria Certification
      Red Hat Linux Receives Defense Department COE Certification
      CERT/CC Warns of CVS Vulnerability
      BLM Smart Card Program
      Sixth Grader Suspended for Altering His Grades
      GAO Says Financial Industry Needs to Improve Continuity Plans
      Microsoft Introduces Security Update for Home Users

    TUTORIAL
      How Can We Stop Identity Theft For Good

    HIGHLIGHTED SECURITY WORKSHOP
      Audit and Security Controls That Work

    SECURITY TRAINING UPDATE
    Looking for CISSP training? SANS Track 1 covers both CISSP and GIAC GSEC
    topics and earns much higher teacher ratings than plain CISSP courses.
    And Track 9 gives you both Security+ and GIAC GISO training. Two for
    the price and time of one - and SANS award-winning teachers, too.
    Both are available for groups in house, as are our nine other training
    tracks. They are also being held in San Diego, Baltimore, and many
    other cities in the US and around the world.
    See: http://www.sans.org

    ********* This Issue Sponsored by Internet Security Systems *********

    Webinar: "Security Best Practices for Critical Servers"

    Servers and server-based applications are the obvious target for most
    attacks and misuse. Join Internet Security Systems to learn how to keep
    them safely up and running.

    Click to register: http://www.iss.net/about/events/webinars.php

    ***********************************************************************

     -- Millions of Credit Card Numbers May Have Been Compromised
    (17/18 February)
    A hacker broke into the computer system of a company that processes
    credit card transactions, gaining access to more than 8 million Visa,
    MasterCard, American Express and Discover accounts. VISA and the
    other credit card companies notified the banks that issued the cards,
    and Visa says that no accounts have been used fraudulently. The FBI
    is investigating.
    http://money.cnn.com/2003/02/18/technology/creditcards/index.htm
    http://reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2246735
    http://news.bbc.co.uk/1/hi/business/2774477.stm
    [Editor's Note (Northcutt): This is the largest known credit
    card compromise to date. The news stories do not tell which card
    reseller/processor had a security failure. A search of Google for 5.6
    million credit card numbers leads me to think that the tenth largest
    bankcard issuer might be the one.]

     -- Class-Action Law Suit Filed Claiming Liability For Security Breach
    (29/30 January 2003)
    Attorneys have filed a class action lawsuit against Tri-West Healthcare
    after hard drives containing personal information about more than
    500,000 people were stolen. The lawsuit seeks monetary damages and asks
    that Tri-West pay for monitoring the credit reports of all those affected
    by the theft for the next twenty years.
    http://www.kold.com/Global/story.asp?S=1105006
    http://www.arizonarepublic.com/arizona/articles/0130triwest30.html
    [Editor's Note (Paller): Damages sought in this lawsuit are not based
    on actual use of the stolen information, but rather for the cost of
    monitoring credit reports for years in the future. If the class is
    certified and the court holds in favor of plaintiffs, the price of
    carelessness in protecting clients' and employees' information could
    rise substantially.]

     -- Final Draft of National Strategy to Secure Cyberspace Released
    (14/15/16 February 2003)
    Following close on the heels of the elevation of the country's
    alert status to Code Orange, Homeland Security Secretary Tom Ridge
    has released the final draft of the National Strategy to Secure
    Cyberspace. The strategy establishes five priorities: create a
    national security response system, work with private industry to reduce
    vulnerabilities, improve security training, secure government systems
    and develop strategies to improve security on an international level.
    http://www.washingtonpost.com/wp-dyn/articles/A10274-2003Feb14.html
    http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,78562,00.html
    http://www.gcn.com/vol1_no1/daily-updates/21156-1.html
    Homeland Defense Web Page with relevant press release:
    http://www.dhs.gov/dhspublic/display?theme=87&content=450
    The strategy may be found at:
    http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf
    [Editor's Note (Northcutt): If you are a security professional you
    probably should invest an hour to read this. It is well written,
    easy reading and a bit watered down from the earlier drafts.]

     -- NIPC Warns Against Patriotic Hacking
    (12/14 February 2003)
    The FBI's National Infrastructure Protection Center (NIPC) is concerned
    that increasing tensions between the US and Iraq could inspire hacking
    from both sides. NIPC has issued a warning about the situation,
    saying that it does not condone "Patriot Hacking," and reminding
    people that such activity is considered a felony in the US.
    http://www.washingtonpost.com/wp-dyn/articles/A64049-2003Feb12.html
    http://news.bbc.co.uk/1/hi/technology/2760899.stm
    http://www.nipc.gov/warnings/advisories/2003/03-002.htm

     -- Seventeen Indicted for Satellite Television Hacking
    (11/12/13 February 2003)
    A federal grand jury has indicted 17 people in connection with hacking
    into television satellite transmissions; six of the people have been
    charged with violating the criminal antidecryption provisions of the
    Digital Millennium Copyright Act (DMCA).
    http://www.washingtonpost.com/wp-dyn/articles/A63056-2003Feb12.html
    http://www.msnbc.com/news/871516.asp?0dm=C218T
    http://zdnet.com.com/2100-1104-984408.html
    [Editor's Note (Shpantzer): Is this finally a good case
    for the DMCA? For details on the spectrum of intellectual
    property cases prosecuted at the federal level, see
    http://www.usdoj.gov/criminal/cybercrime/ipcases.htm]

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) ALERT: How a Hacker Launches a SQL Injection Attack Step-by-Step
           White Paper
    http://www.sans.org/cgi-bin/sanspromo/NB134

    (2) Stop spam! - Top 10 enterprise techniques to control spam
        ***white paper ***
    http://www.sans.org/cgi-bin/sanspromo/NB135

    (3) Earn a Norwich University Master's Degree in Information Security
        in 24 months.
    http://www.sans.org/cgi-bin/sanspromo/NB136

    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

     -- Confidential Canadian Documents Exposed
    (17 February 2003)
    Employees at Transport Canada posted thousands of documents,
    some confidential, in a database that was accessible to
    all its employees. The computer system was supposed to use
    encryption to protect confidential information, but it was never
    implemented. Officials say they have removed confidential documents
    from the database and they are assessing their system's vulnerability
    to attacks.
    http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035777855362&call_pageid=968332188492&col=968793972154

     -- Addamark Technologies Alleges Competitor Viewed Confidential Document
    (17 February 2003)
    Addamark Technologies, Inc. alleges that a competitor, ArcSight
    Inc. viewed a confidential, password-protected document. ArcSight does
    not deny the allegations; someone who had legitimate access to the
    document apparently provided someone at ArcSight with the necessary
    user ID and password.
    http://www.eweek.com/article2/0,3959,892577,00.asp

     -- When Did Symantec Know About Slammer?
    (14 February 2003)
    Symantec claims to have detected the Slammer worm hours before the
    public was made aware of it, but released the information only to
    paying customers of its DeepSight Threat Management System. Members
    of the security community have expressed disapproval of Symantec's
    actions because information about such virulent malware should be
    shared with everyone as quickly as possible. Others have dismissed
    Symantec's claims as marketing hype, saying the company may have
    detected traffic anomalies, but not their source.
    http://www.wired.com/news/infostructure/0,1377,57676,00.html
    [Editor's Note (Northcutt): Whether or not Symantec was first to
    detect Slammer, what is certainly true is that detection using a
    distributed sensor network like SANS Internet Storm Center (dshield) or
    Symantec's sensor network is important. The harder task is analyzing
    and responding. Page 6 of the National Strategy to Secure Cyberspace
    says that the NIMDA worm had infected systems nationwide in just one hour.
    What I remember was that at the end of the day, hours after it had
    reached saturation, there was still an incomplete analysis of the
    infection vectors. Several days passed before there was a reliable
    disassembly. Part of the problem is there are so few people in the
    world who can do this type of work. For a limited time (until the
    instructor starts grad school) we are offering reverse engineering
    of malware as an onsite class: http://www.sans.org/onsite/]

     -- PayPal Users Receiving Trojan-Laden e-Mail
    (14 February 2003)
    PayPal customers have been targeted by at least four fraudulent
    e-mail messages that purport to be security upgrade announcements,
    but which actually carry Trojan horse programs. The e-mails tell
    recipients to run .exe or .vbs attachments to receive the updates,
    warning that they will otherwise be locked out of their PayPal accounts.
    http://www.wired.com/news/ebiz/0,1272,57673,00.html

     -- Timeline of Viruses and Other Malware
    (14 February 2003)
    A timeline of significant developments and events in computer security.
    http://www.securityfocus.com/news/2445

     -- Microsoft Updates Buggy Cumulative IE Patch
    (13/14 February 2003)
    A recently released cumulative patch for Microsoft's Internet
    Explorer versions 5.01, 5.5 and 6.0 left some users who applied it
    unable to access their e-mail accounts and other web sites requiring
    authentication. The patch does, however, address the security flaws
    it was designed to fix. Microsoft has released an updated version of
    the patch.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78510,00.html
    http://www.washingtonpost.com/wp-dyn/articles/A7648-2003Feb14.html
    http://www.microsoft.com/technet/security/bulletin/MS03-004.asp

     -- FTD.com Exposes Customer Data
    (13/14 February 2003)
    A security flaw allowed people using the FTD.com website to view
    information about other customers' purchases simply by altering a
    character in a cookie. Customer names and credit card numbers were among
    the available data. The site allowed unencrypted transactions and used
    sequential identifiers, so valid cookies for other customers' orders
    were easy to guess. FTD has released a statement declaring that they
    have "resolved the situation and ... have added additional levels of
    security."
    http://news.com.com/2100-1017-984585.html
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78564,00.html
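    The FTD.com item describes the classic pattern of a cookie that is just
    a sequential record number with no binding to the logged-in customer.
    The following is an added illustration written for this newsletter
    archive, not code from FTD.com or from the news reports: the vulnerable
    lookup beside a hardened one that binds the order reference to the
    customer with an HMAC, checks the MAC in constant time, and still
    re-checks ownership on the server side. The order table, customer names
    and server key are constructed sample data, not anything from the story.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: two customers, two consecutively numbered orders.
ORDERS = {
    1001: {"customer": "alice", "card_last4": "1234", "item": "roses"},
    1002: {"customer": "bob", "card_last4": "5678", "item": "lilies"},
}


# --- Vulnerable pattern, as described in the news item -----------------
# The cookie is the raw, sequential order number and nothing else. Anyone
# who changes "1001" to "1002" is shown another customer's purchase.
def vulnerable_lookup(cookie: str):
    """Return the order the cookie names; no ownership check at all."""
    try:
        order_id = int(cookie)
    except ValueError:
        return None
    return ORDERS.get(order_id)


# --- Hardened pattern ---------------------------------------------------
# Assumption: SERVER_KEY is a per-deployment secret that never leaves the
# server. The cookie becomes customer:order_id:mac, so editing any field
# breaks the MAC, and the server additionally confirms that the order in
# the cookie belongs to the authenticated session.
SERVER_KEY = secrets.token_bytes(32)


def _mac(customer: str, order_id: int) -> str:
    msg = f"{customer}:{order_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(customer: str, order_id: int) -> str:
    """Mint a cookie of the form customer:order_id:mac for a customer."""
    return f"{customer}:{order_id}:{_mac(customer, order_id)}"


def hardened_lookup(cookie: str, authenticated_customer: str):
    """Return the order only if the cookie is intact and owned by the caller."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    customer, order_str, mac = parts
    try:
        order_id = int(order_str)
    except ValueError:
        return None
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _mac(customer, order_id)):
        return None
    # The customer named in the cookie must be the one who is logged in.
    if customer != authenticated_customer:
        return None
    # Defence in depth: even a correctly minted cookie must point at an
    # order that really belongs to this customer.
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != customer:
        return None
    return order


def tamper_order_field(cookie: str, new_order_id: int) -> str:
    """Rewrite only the order_id field, keeping customer and MAC unchanged."""
    customer, _old, mac = cookie.split(":")
    return f"{customer}:{new_order_id}:{mac}"


if __name__ == "__main__":
    print("vulnerable, cookie 1002 ->", vulnerable_lookup("1002"))
    c = issue_cookie("alice", 1001)
    print("hardened, own order     ->", hardened_lookup(c, "alice"))
    print("hardened, edited cookie ->", hardened_lookup(tamper_order_field(c, 1002), "alice"))
```

    Note that the MAC alone is not the whole fix: the last ownership check
    matters if a cookie is ever minted for the wrong order by a bug elsewhere,
    and the unencrypted transport the article mentions would still let an
    on-path observer replay a valid cookie, so such a site also needs TLS.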

     -- Catherine Zeta-Jones Virus
    (13 February 2003)
    A virus that claims to offer pictures of the actress Catherine
    Zeta-Jones has been spreading through the KaZaa file-sharing network
    and through IRC. The virus has been reported in the wild, but there
    are no known instances of infection.
    http://zdnet.com.com/2100-1105-984484.html

     -- NSF Expands Scholarship for Service Program
    (13 February 2003)
    The National Science Foundation is expanding its Scholarship for
    Service program to four more schools, bringing the total number of
    universities participating to 13. The program gives scholarships
    to students studying information assurance in return for a one-
    or two-year assignment in the government's Cyber Corps. An infusion
    of $19 million from last August's supplemental appropriation will
    increase the number of students participating to 300.
    http://www.fcw.com/fcw/articles/2003/0210/web-schol-02-13-03.asp

     -- Linux to be Submitted for Common Criteria Certification
    (12/13 February 2003)
    Red Hat, IBM and Oracle all plan to submit Linux for Common Criteria
    certification. If approved, it could then be used by government
    agencies. The process could take nearly a year and cost as much as
    $1 million.
    http://news.com.com/2100-1001-984383.html?tag=fd_top
    http://www.techweb.com/wire/story/TWB20030213S0003
    http://www.eweek.com/article2/0,3959,886729,00.asp
    [Editor's Note (Grefer): In this context it is important to keep
    the following statement by the National Infrastructure Assurance
    Partnership (NIAP) in mind: "The security evaluation results
    are only applicable to that particular version and release of the
    product in its evaluated configuration. Consumers are responsible for
    determining the security impact of installing or operating an evaluated
    IT product in a configuration other than the configuration in which it
    was evaluated." http://niap.nist.gov/cc-scheme/consumer-guidance.html
    In other words, any patch or upgrade applied to the certified product
    invalidates the certification. This applies not only for the upcoming
    certification of Linux, but also for the current certifications of
    Oracle, Windows NT and Solaris.
    (Paller) In other words, when you rely on a vendor's promotion of
    his Common Criteria certification, you, the buyer, have an absolute
    obligation to require the vendor to deliver the software configured
    safely in accordance with the benchmarks published by NSA and/or the
    Center for Internet Security (http://www.cisecurity.org). Otherwise
    you may be buying a great lock, but leaving the key in it for any
    thief to use.]

     -- Red Hat Linux Receives Defense Department COE Certification
    (11/12 February 2003)
    Red Hat's Advanced server version of Linux has received the Defense
    Department's Common Operating Environment (COE) certification.
    http://news.com.com/2100-1001-984202.html?tag=rn
    http://www.itworld.com/Comp/2388/030213redhat

     -- CERT/CC Warns of CVS Vulnerability
    (12 February 2003)
    The CERT Coordination Center (CERT/CC) has issued an advisory warning
    of a vulnerability in the open source Concurrent Versions System (CVS)
    source-control tool that could be exploited to change the way the CVS
    program runs, launch denial of service attacks or access "sensitive
    information." The flaw affects CVS releases 1.11.4 and earlier; most
    vendors have issued patches for the problem.
    http://www.vnunet.com/News/1138702
    http://www.cert.org/advisories/CA-2003-02.html

     -- BLM Smart Card Program
    (12 February 2003)
    The Bureau of Land Management (BLM) plans to implement a smart card
    system for its 13,000 employees; the cards would be used for physical
    and computer access. BLM previously ran a smart card pilot program
    with 1,000 users.
    http://www.fcw.com/fcw/articles/2003/0210/web-blm-02-12-03.asp

     -- Sixth Grader Suspended for Altering His Grades
    (12 February 2003)
    A Florida sixth grader has been arrested on charges of altering
    his grades in his reading teacher's electronic grade book. While
    the grade books are accessible with passwords, the reading teacher
    had left hers open. The student was not able to access the school's
    mainframe computer nor was he able to access other teachers' grade
    books; he has been suspended and may be expelled.
    http://www.gopbi.com/partners/pbpost/epaper/editions/wednesday/martin_stlucie_e394fc8032005260000b.html
    [Editor's Note (Schultz): This news item certainly reinforces the
    need to educate children as early as possible concerning ethics in
    computing and proper use of computing systems.]

     -- GAO Says Financial Industry Needs to Improve Continuity Plans
    (12 February 2003)
    A report from the General Accounting Office (GAO) says that US
    financial companies need to improve their business continuity plans in
    order to help them defend themselves better against possible attacks
    in the future.
    http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,78486,00.html

     -- Microsoft Introduces Security Update for Home Users
    (11 February 2003)
    Microsoft is now offering a home user version of its Security Update
    newsletter; home users often don't want to wade through the technical
    details of security issues. Last year, Microsoft began offering home
    user versions of its security bulletins.
    http://www.eweek.com/article2/0,3959,883280,00.asp

    TUTORIAL

     -- How Can We Stop Identity Theft For Good
    It's no secret: Identity theft is a growing problem in the U.S., with
    complaints rising 73 percent from 2001 to 2002. But there's a mistaken
    impression that identity theft is carried out merely by rogue hackers.
    That's not the case.
    http://www.zdnet.com/anchordesk/stories/story/0,10738,2910503,00.html
    Supporting document from the Federal Reserve Bank of Boston
    http://www.bos.frb.org/consumer/identity/idtheft.pdf

    HIGHLIGHTED SECURITY WORKSHOP

     -- Audit and Security Controls That Work (Registration now open)
    April 5-6 Baltimore Inner Harbor

    Can you imagine working for an organization where security is
    integrated into the operations lifecycle from the beginning,
    resulting in repeatable and auditable processes and products? "Audit
    and Security Controls That Work" is your chance to learn exactly
    how this organization and other successful security leaders actually
    achieved these incredible results. Nobody has all the answers, but we
    are finding organizations that are head and shoulders above the rest
    and have proven what is good for security is good for operations. This
    workshop will have a single track, because we want everyone to have
    a chance to learn and discuss the same information:
     -- Operations, Security, Audit, and Management can work together to
        solve common objectives
     -- Best practices increase productivity and decrease thrash
     -- Metrics guide continual process improvement
     -- Repeatable processes allow organizations to do more with less,
        spending fewer cycles on unproductive, reactive tasks such as
        incident handling

    Please join us! Registration is now open. For details or to register,
    please visit http://www.sans.org/audittech/

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
    Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
    Guest Editors: Bruce Schneier, Hal Pomeranz

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) visit http://www.sans.org/sansnews/

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number (from the header of this email.) You will receive your
    personal URL via email.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+U40k+LUG5KFpTkYRAguMAJ9z5b7Ndb6PTCo4GkShbVFLMPLQ5QCfR4oS
    ogOvuW0ZE4CgMJuLOcG9KBY=
    =9Nma
    -----END PGP SIGNATURE-----