SANS NewsBites Vol. 5 Num. 09
From: The SANS Institute (NewsBites@sans.org)
Date: Wed Mar 05 2003 - 08:20:48 CST
One of SANS' most important gifts to the community is the joint
project with the Center for Internet Security (CIS) that creates
consensus best practice security guides and audit checklists. We call
the project SCORE. More than a dozen audit guides have been developed
jointly and then grown and perfected by CIS who also add automated
testing tools. Plans for the following topics are being formalized:
ISO 17799, Mac OS X, Linksys broadband routers, Microsoft Xbox
systems, and Responsible Dial-In Computing. Four existing checklists
(generic UNIX, handhelds, generic firewalls and web applications)
are also planned for update, with new topics to be added based on
recommendations from the security community.
If you have substantial expertise in implementing and/or securing
these products and want to help develop the checklists, contact Algis
Kibirkstis at score@sans.org.
***********************************************************************
SANS NewsBites March 5, 2003 Vol. 5, Num. 9
***********************************************************************
TOP OF THE NEWS
Sendmail Vulnerability Demonstrates New DHS Capabilities
China Signs Up for Microsoft's Government Security Program
EU Cybercrime Law Approved
Monster.com Warns Customers About Perils of False Job Postings
NIPC Moves to DHS, Joins Other Security Organizations in Directorate
THE REST OF THE WEEK'S NEWS
Survey Shows IT Salaries Holding Steady
Indiana University School of Medicine Informs Patients of Security
Breach
Company Shuts Down After Serious Security Breach
BSA Apologizes to University for Erroneous Accusation
MessageLabs Virus Statistics for February
Jon Johanssen to be Tried Again on Appeal
Lexmark Case a Boost for DMCA
Sixth Grader Who Changed Grade Won't be Expelled, Will Participate in
Diversionary Program
Bloomberg Extortionist Found Guilty
Proposed Legislation in UK Addresses Financial System Attacks
Intrusion Prevention Systems
China Has Intelligence Signal Stations in Cuba
Patch Available for Windows ME Vulnerability
Gartner Urges Credit Card Companies to Notify Customers of Security
Breaches
e-Commerce Site Flaws
Signature- and Behavior-Based Detection Systems
Singapore Raid Nets $1 Million in Pirated Software
UK Businesses Aren't Keeping Up With Virus Protection
Defense Department Wireless Policy Due by April
Microsoft Releases Security Operations Guide for Windows 2000 Server
Hacker Convicted, Ordered to Pay Reparation and Perform Community
Service
Manufacturers Place Security at Top of List
Canadian Firm Informed Customers of Security Breach
Company Recovers Server Data
Microsoft Developing Windows Rights Management Services
TK Worm Still Spreading
SURVEY ARTICLE
U.S. Information Security Law, Part One: Protecting Private Sector
Systems, and Information Security Professionals and Trade Secrets
SECURITY TRAINING UPDATE
Looking for CISSP training? SANS Track 1 covers both CISSP and GIAC
Security Essentials and earns much higher ratings for practical value
and teacher quality than plain CISSP courses. Although it has sold
out in San Diego, it is available in multiple other cities around the
world and may be run at your site. SANS' ten other training tracks --
Auditing, Intrusion Detection, Firewalls, Hacker Exploits, Windows
Security and more -- are also available at our conferences and at your
site. See: http://www.sans.org.
**************** This Issue Sponsored by Tripwire, Inc ****************
TRIPWIRE PRESENTS: THE ART OF HACKING AND THE ART OF DEFENSE ONLINE
SEMINARS
Tripwire's FREE online seminar series is proud to present The Art
of Hacking and The Art of Defense. One will show you common hacking
techniques and the other will demonstrate how to protect your systems
against attacks.
Register for these seminars today!
http://www.tripwire.com/events/online_seminars/index.cfm?djinn=964
***********************************************************************
TOP OF THE NEWS
--Sendmail Vulnerability Demonstrates New DHS Capabilities
(3 March 2003)
A vulnerability was reported in Sendmail that allows root access simply
by sending a specially crafted email. Action by the Department of
Homeland Security and affected vendors led to a coordinated program for
patch development, early warning for critical infrastructure industries
and government agencies, and broad information dissemination, while
maintaining secrecy until the
http://www.washingtonpost.com/wp-dyn/articles/A41859-2003Mar4.html
http://www.cert.org/advisories/CA-2003-07.html
http://www.msnbc.com/news/880094.asp?0cv=CB10
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78991,00.html
http://news.com.com/2100-1009-990802.html
SANS web broadcast features people from sendmail.com, ISS,
SourceFire, and the SANS faculty experts answering questions about the
vulnerability, what systems are vulnerable, and what can be done to
protect Sendmail beyond patching. Also includes a brief discussion
of the new Snort vulnerability.
http://www.sans.org/webcasts/030303.php
Free, requires registration
--China Signs Up for Microsoft's Government Security Program
(28 February 2003)
The Chinese government has joined those of Russia and the UK, as well
as NATO in signing up for Microsoft's Government Security Program
(GSP). The agreement allows participating governments to view Windows
source code. It is hoped that the governments will evaluate Windows'
security and be able to create secure applications to run on the
operating system. Thirty other governments are working with Microsoft
to sign on to the agreement.
http://news.com.com/2100-1007-990526.html
http://www.cnn.com/2003/TECH/02/28/china.microsoft.ap/index.html
http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2305396
--EU Cybercrime Law Approved
(28 February 2003)
European Union justice ministers have approved a new cybercrime
law. People found guilty of accessing computer networks or servers
illegally face sentences of between two and five years, as would
those who are found guilty of spreading worms and viruses.
http://news.com.com/2100-1002-990669.html
--Monster.com Warns Customers About Perils of False Job Postings
(28 February 2003)
Monster.com has sent an e-mail to its active customers warning them of
false job postings that are being used to gather personal information
that could be used to steal identities. Information being sought may
include credit card data and social security numbers. This problem
faces all job sites, though only Monster.com announced the hazard.
http://www.cnn.com/2003/TECH/internet/02/28/monster.theft.ap/index.html
--NIPC Moves to DHS, Joins Other Security Organizations in Directorate
(27 February 2003)
As of March 1, the National Infrastructure Protection Center (NIPC)
moved from the FBI to the newly formed Department of Homeland Security
(DHS). NIPC is now part of the Directorate for Information Analysis
and Infrastructure Protection (IAIP), along with the Critical
Infrastructure Assurance Office and the Federal Computer Incident
Response Center (FedCIRC). IAIP still needs to fill many senior
positions. Many of the agents who were to be transferred from the
FBI to DHS have chosen to take other assignments within the FBI.
http://www.idg.net/go.cgi?id=788764
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) STOP INTRUSIONS with preventive countermeasures. Automatically
block intruders. FREE DEMO shows how.
http://www.sans.org/cgi-bin/sanspromo/NB140
(2) 30% of the Global 100 use Permeo to secure their applications.
Do you?
http://www.sans.org/cgi-bin/sanspromo/NB141
(3) STOP SPAM and unwanted email. Take control. FREE WHITE PAPER!!!
http://www.sans.org/cgi-bin/sanspromo/NB142
***********************************************************************
THE REST OF THE WEEK'S NEWS
--Survey Shows IT Salaries Holding Steady
(3 March 2003)
Statistics from the Dice 2002 Annual Salary Survey show that last year,
US salaries for IT remained relatively stable; workers in government
and defense saw an average salary increase of 7%. The study also cites
cities with the greatest salary growth and geographic areas with the
highest average salary.
http://www.computerworld.com/careertopics/careers/labor/story/0,10801,78978,00.html
--Indiana University School of Medicine Informs Patients of Security Breach
(28 February/3 March 2003)
Indiana University (IU) has sent letters of apology to about 7,000
patients of their Center for Sleep Disorders after it became apparent
that a hacker had gained access to the system. While medical records
weren't exposed, patients' names, social security numbers and dates
of birth might have been viewed. An IU School of Medicine spokesman
said that the hacker planted a program in the computer that attempted
to break into other University computers.
http://www.indystar.com/print/articles/3/025875-2223-093.html
http://www.sagamore.iupui.edu/32/32-24/24hacker.html
[Editor's Note (Schultz): The many compromises of personal data in the
U.S. over the past few years show that it is time for the government
to intervene. The U.S. desperately needs privacy protection legislation
similar to Germany's Datenschutz law.]
--Company Shuts Down After Serious Security Breach
(28 February 2003)
Janteknology, a company that distributes software to customers in New
Zealand and Australia electronically, has shuttered operations due to
an employee entering their computer system and stealing and corrupting
data files, according to one source. The company was already facing
tough market conditions, and the attack proved to be "devastating."
http://www.zdnet.com.au/newstech/security/story/0,2000024985,20272494,00.htm
[Editor's Note (Grefer): It appears to me that this incident was
a welcome excuse to shut down the company. This incident may still
serve as a reminder to have and apply a minimal privilege policy,
and to consider background checks - especially of staff performing
business-critical functions and/or equipped with increased privileges.]
--BSA Apologizes to University for Erroneous Accusation
(28 February 2003)
The Business Software Alliance (BSA) apologized to the University of
Muenster after erroneously accusing the University of distributing
unlicensed copies of Microsoft Office. In fact, the BSA had detected
OpenOffice files and mistaken them for Microsoft Office files.
http://www.theinquirer.net/?article=8054
--MessageLabs Virus Statistics for February
(28 February 2003)
Monthly statistics from MessageLabs indicate that Klez-H was the
most prevalent in February, followed by two Yaha variants, Sobig-A,
BugBear-A and SirCam-A.
http://www.theregister.co.uk/content/56/29523.html
--Jon Johanssen to be Tried Again on Appeal
(28 February/3 March 2003)
Jon Johanssen, the Norwegian teenager who was recently acquitted
of theft charges regarding his creation of the DeCSS, will be tried
again on appeal in Oslo. The DeCSS utility can be used to bypass the
copy protection on DVDs.
http://www.msnbc.com/news/878950.asp
http://www.theregister.co.uk/content/6/29543.html
--Lexmark Case a Boost for DMCA
(28 February 2003)
In a lawsuit filed by printer maker Lexmark International Inc.,
a federal judge has issued an injunction against Static Control
Components Inc. of North Carolina, prohibiting it from manufacturing
and selling computer chips that can be used in refilled printer
cartridges. Lexmark's suit maintained that the company's actions
violated the Digital Millennium Copyright Act (DMCA).
http://www.informationweek.com/story/IWK20030228S0041
--Sixth Grader Who Changed Grade Won't be Expelled, Will Participate
in Diversionary Program
(28 February 2003)
The Florida sixth grader who changed his grade in his teacher's
open computer grade book will participate in a diversionary program
for first-time, non-violent offenders. He was suspended for 10 days,
but will not be expelled. He may also be ordered to perform community
service or write an apology.
http://www.gopbi.com/partners/pbpost/epaper/editions/friday/news_e3e53f3fe551216310b0.html
--Bloomberg Extortionist Found Guilty
(27 February 2003)
Oleg Zezov of Kazakhstan has been found guilty of trying to extort
$200,000 from Michael Bloomberg's financial company. Zezov and
an accomplice tried to get Bloomberg to pay them the money so they
wouldn't go public with the computer system's flaws. Zezov's attorney
maintains his client was asking for payment for finding a vulnerability
in the system; he faces up to 20 years in prison when he is sentenced
on May 23.
http://www.theregister.co.uk/content/55/29501.html
http://www.cnn.com/2003/TECH/internet/02/27/internet.extortion.ap/index.html
--Proposed Legislation in UK Addresses Financial System Attacks
(27 February 2003)
The UK government is considering legislation that addresses
the operation of the country's financial system in the event of a
physical or computer attack. The Treasury has published a "green paper"
addressing the reliance of the financial sector on IT systems. In
the event of a physical attack, proposed legislation would allow the
banks to channel their efforts to rebuilding or securing the necessary
infrastructure so that they may resume conducting business.
http://www.vnunet.com/News/1139090
--Intrusion Prevention Systems
(27 February 2003)
This article describes five types of intrusion prevention systems
(IPS): Network Intrusion Detection Systems (NIDS), Seven Layer
Switches, Application Firewalls/IDS, Hybrid Switches and Deceptive
Applications. Businesses and other entities should examine their
needs and choose the best fit from the available technology.
http://www.securityfocus.com/infocus/1670
--China Has Intelligence Signal Stations in Cuba
(27 February 2003)
Since 1999, the Chinese military has been operating two intelligence
signal stations in Cuba. The stations are largely dedicated
to intercepting US telephone and satellite-based military
communications. A cyber warfare unit also monitors data traffic.
http://www.theage.com.au/articles/2003/02/26/1046064102910.html
--Patch Available for Windows ME Vulnerability
(26/27 February 2003)
A buffer overflow vulnerability in the Windows Millennium Edition
(ME) Help and Support Center could be exploited to run code and access
and delete files. Microsoft has issued a patch for ME users.
http://zdnet.com.com/2100-1105-986292.html
http://www.eweek.com/article2/0,3959,904633,00.asp
http://www.microsoft.com/technet/security/bulletin/MS03-006.asp
[Editor's Note (Schultz): Microsoft's bulletin (as well as numerous
response team bulletins patterned after Microsoft's bulletin)
concerning this vulnerability was inaccurate and misleading. It
stated that privilege elevation was possible if the vulnerability was
exploited, when in fact there are no levels of privilege in Windows
Me. The real problem is that a remote attacker could gain the same
type of access that a local user could obtain, that is, could see and
interact with the system the way someone who is locally logged on can.]
--Gartner Urges Credit Card Companies to Notify Customers of Security
Breaches
(27 February 2003)
Gartner has published a report critical of credit card companies'
efforts to inform customers of security breaches. Customers are often
not informed of security breaches; the card companies reason that the
consumers are not responsible for fraudulent charges; however, the
information could be used to steal identities. The report recommends
that credit card companies encrypt the databases containing customer
information, and that card issuers notify customers quickly in the
event of a security breach.
http://www.wired.com/news/privacy/0,1848,57823,00.html
--e-Commerce Site Flaws
(27 February 2003)
A recent study of e-commerce site security published by NTA Monitor
says that the sites are not doing enough to protect customers'
information. Among the most frequently found problems are flaws that
allow root access to the server, logout functions not working properly,
and flaws that let sensitive information be transmitted across the
Internet in clear text.
http://www.vnunet.com/News/1139101
http://www.theregister.co.uk/content/55/29511.html
--Signature- and Behavior-Based Detection Systems
(26 February 2003)
This article recommends using a combination of signatures
and behavioral rules to detect malicious activity on computer
networks. Signature based detection systems cannot detect new attacks
but don't generate as many false positives as behavior based systems
do. The article lists the benefits and drawbacks of each detection
method.
http://www.idg.net/ic_1187705_9677_1-5046.html
--Singapore Raid Nets $1 Million in Pirated Software
(26 February 2003)
In a 10-hour raid, police in Singapore arrested 17 people and seized
an estimated $1 million in pirated software, the largest yield ever
in a single raid. If found guilty, the people arrested could face
jail terms of up to five years and fines of as much as $58,000.
http://news.com.com/2100-1046-986078.html
--UK Businesses Aren't Keeping Up With Virus Protection
(26 February 2003)
A Sophos survey of small and medium sized businesses in the UK found
that only 46% had virus protection at network gateways, and just
42% updated anti-virus software more than once a week, a practice a
Sophos senior technology consultant likened to "brushing your teeth
only once a week."
http://www.vnunet.com/News/1139077
--Defense Department Wireless Policy Due by April
(25 February 2003)
The wireless device policy for the Defense Department will be released
in March or April; a policy released in October 2002 addressed wireless
device usage at the Pentagon. That policy requires wireless devices
to use authentication and encryption to protect information. The
policy is being created by the NSA, DISA and information assurance
personnel from the Defense Department CIO's staff.
http://www.fcw.com/fcw/articles/2003/0224/web-wire-02-25-03.asp
--Microsoft Releases Security Operations Guide for Windows 2000 Server
(25 February 2003)
Microsoft has released the Security Operations Guide for Windows
2000 Server, which addresses patch management, auditing, intrusion
detection, and hardening. The guide follows a fictional company through
the process, and describes the consequences of each choice that is
made. Guides for other operating systems should be out later this year.
http://www.eweek.com/article2/0,3959,903377,00.asp
http://www.microsoft.com/technet/security/prodtech/windows/windows2000/staysecure/Default.asp
--Hacker Convicted, Ordered to Pay Reparation and Perform Community Service
(25 February 2003)
A hacker in New Zealand has pleaded guilty to a charge of "willful
damage" for breaking into a local ISP's network. The man exploited
a vulnerability in SSH to gain access to ISP customers' financial
information. He has been ordered to perform 100 hours of community
service and to pay $3,000 in reparation.
http://www.nzherald.co.nz/storydisplay.cfm?storyID=3197605&thesection=technology&thesubsection=general
http://www.nzherald.co.nz/storydisplay.cfm?storyID=3197764&thesection=technology&thesubsection=general
--Manufacturers Place Security at Top of List
(24 February 2003)
Gartner's Dataquest survey of people who make IT decisions in the
manufacturing sector found that they considered security a top
priority. Security was followed by enterprise resource planning,
web services, data warehousing and IT architecture design.
http://www.infosecuritymag.com/2003/feb/digest24.shtml#news5
--Canadian Firm Informed Customers of Security Breach
(24 February 2003)
After a hard drive containing sensitive information about its customers
was reported stolen from IBM Canada's Information Systems Management
(ISM), the Canadian firm Co-operators Life Insurance Company informed
all affected customers that there had been a security breach and that
their information may have been accessed. An ISM employee has been
arrested and charged in the case, and investigators are hopeful
that the data was not used for malicious purposes; the suspect
may have wanted the physical hard drive, not the information it
contained. Canadian law does not require companies to inform customers
in the event of a security breach.
http://www.computerworld.com/securitytopics/security/story/0,10801,78746,00.html
--Company Recovers Server Data
(24 February 2003)
Russian hackers took control of five servers belonging to Grafix
Softech, F.A., encrypted the data on all of them and demanded a
ransom in return for the encryption key. The company allegedly paid
the ransom, and used the key on the servers. It worked on the four
support servers, but on the fifth, which contained operational data,
it appeared to have the effect of having erased all the information
on the hard drive. CBL Data Recovery Technologies was called in to
help address the situation; they figured out that because SQL servers
store data in 32-kb pages, what they needed to do was find all the
pages and put them back in order.
http://www.ds-osac.org/view.cfm?KEY=7E4454404050&type=2B170C1E0A3A0F162820
--Microsoft Developing Windows Rights Management Services
(23 February 2003)
Windows Rights Management Services, a technology under development
at Microsoft, is being designed to help companies control who may
see, copy, print and forward internal documents. Critics fear that
the technology will allow companies to get away with breaking laws
because employees who would be whistleblowers would never see the
incriminating documents.
http://www.wired.com/news/infostructure/0,1377,57780,00.html
[Editor's Note (Shpantzer): In cases where the government is being
defrauded, the would-be whistleblower may be sufficiently motivated by
the reward money that waits at the end of the "qui tam" litigation
process. This, in addition to their good conscience, is often
sufficient for whistleblowers to come forward. If so, the 'secret
society' argument in the wired article is overridden by the need for
organizations to maintain control of their intellectual property.]
--TK Worm Still Spreading
(21 February 2003)
This article provides a detailed account of the TK worm's evolution,
method of propagation and payload. The worm is still spreading,
though its DDoS (distributed denial of service) component is no longer
a threat.
http://www.idefense.com/Intell/CI022103.html
SURVEY ARTICLE
--U.S. Information Security Law, Part One: Protecting Private
Sector Systems, and Information Security Professionals and
Trade Secrets
This is the first article in a four-part series exploring the
law of information security in the United States. The series is
designed to be a resource for information security professionals in
two respects. First, a legal perspective on security is valuable
in itself, as an aid to defining the assets and interests to be
protected and as the source of the prerequisites for and types
of recovery available when breaches of security occur. Second,
information about the intersection of law and information security
will help information security professionals and their counsel work
together more effectively.
http://www.securityfocus.com/infocus/1669
[Editor's Note (Paller): SANS has a Legal Liability project underway
that will lead to a training track. We are looking for attorneys who
want to help create a high standard of excellence in the materials.
Email legalliability@sans.org if you have the legal credentials and
a desire to help create the consensus.]
===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit http://www.sans.org/sansnews/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.