SANS NewsBites Vol. 5 Num. 12

From: The SANS Institute (NewsBites@sans.org)
Date: Wed Mar 26 2003 - 09:21:38 CST


New Salary Data for Security Professionals and SysAdmins
Please invest 20 minutes to help make sure you and others are getting
the pay you deserve. You'll receive the data if you complete the form.
https://registration.sans.org/cgi-bin/salsur
More data about the survey may be found at the end of this issue.

Nearly 400 people have already registered for SANS Inner Harbor
starting in two weeks (April 7 - 12) and the hotel has extended
the early registration hotel discount until this Friday (March
28). Seven immersion training tracks plus an Audit and Security
Controls workshop and a great exposition. More information at
http://www.sans.org/innerharbor03/

                                  Alan

***********************************************************************
SANS NewsBites March 26, 2003 Vol. 5, Num. 12
***********************************************************************

TOP OF THE NEWS
  Conflict in Iraq Sparks Hundreds of Web Defacements
  Email Viruses Spreading: Claim To Have Iraq News and Pictures
  CERT/CC Quarterly Summary Shows Top 10 Current Attack Threats
  Survey Indicates Human Error is Perceived to Be Cause of Most
     Security Incidents

THE REST OF THE WEEK'S NEWS
  Microsoft Pulls Advertisement Implying Hacker Extinction
  California State University Computer System Flaw Exposes Student and
     Employee Data
  Federal Court Ruling Restricting Junk Faxes May Help Curb Spam Emails
  Microsoft Will Help Universities Establish Hands-On Security Courses
  Antivirus Industry Finds Problems with XML in Office 2003 Beta
  State Agencies Not Keeping Pace with Federal Agencies' Cybersecurity
     Measures
  OIS to Release Vulnerability Disclosure Plan
  Thornberry to Head House Cybersecurity Subcommittee
  Army Denies its Systems Were Compromised by Zero-Day Vulnerability
  ISA Server 2000 DNS Vulnerability
  IIS 5.0 on Windows 2000 Patch Freezes Some Systems
  Buffer Overflow Flaw in Windows Script Engine
  CERT/CC Advance Notices Posted on Security Mailing List
  Linux Kernel Vulnerability
  Online Scheme Bilks $230 Million From Customers Of Pornography Sites
  Integer Overflow Flaw in Sun RPC XDR Library Routines
  Federal Judge Rules Hacker Was a Police Informant
  Australian Bank Customers Targeted by E-Mail Scam
  Opinion: Open Source Software is More Secure, Less Expensive
  NIST Rates Facial Recognition Systems

  The 2003 SANS Salary Survey

SECURITY TRAINING UPDATE
If employees have responsibility for security -- whether as system
administrators or as security officers, analysts, or consultants --
their employer deserves to know that they have mastered the minimum
set of essential skills needed to do the job. Those are the skills
covered in the GIAC Security Essentials course (SANS Track 1) and
examinations. (Track 1 Boot Camp also includes the CISSP CBK.) If
Track 1 is too advanced, SANS Security+ (SANS Track 9) program is a
great starting point. Attend live training in ten cities, mentored
training in thirty more cities, or ask to schedule a course at your
location. Details at http://www.sans.org

************** This Issue Sponsored by Tripwire, Inc. ****************

ASSURE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER.

Tripwire integrity assurance solutions pinpoint changes to your servers
and network devices, accelerating discovery and increasing uptime,
making you the hero of your IT organization. Click here to get a FREE
copy of our Security Exploit and Vulnerability Matrix Poster.

http://www.tripwire.com/literature/poster/index.cfm?djinn=986

***********************************************************************

TOP OF THE NEWS

 --Conflict in Iraq Sparks Hundreds of Web Defacements
(21 March, 2003)
Hundreds of web sites have been defaced by proponents and opponents
of the war in Iraq. In addition, a worm purporting to show US spy
satellite pictures of Iraq was spreading in Europe. The worm actually
tries to disable antivirus and other security tools.
http://www.vnunet.com/News/1139641
http://msnbc.com/news/888816.asp?0si=-
[Editor's Note (Northcutt): Be cautious taking these stories at face
value. Both the articles listed are based on statements from the
Finnish Anti-Virus company F-Secure. The URL can be found:
https://www.europe.f-secure.com/virus-info/iraq.shtml
The F-Secure article is troubling since it claims a number of
things it does not support including a statement the White House web
server was defaced: "One hacker group claims that they have defaced
www.whitehouse.gov successfully. The site was apparently restored
very quickly and independent observers were not able to confirm
this defacement."]

 --Email Viruses Spreading: Claim To Have Iraq News and Pictures
Virus writers have created malicious software that claims to have
pictures and news from Iraq. In at least one case the wife of a
soldier had her computer damaged by such a worm.
http://go.hotwired.com/news/infostructure/0,1377,58143,00.html/wn_ascii

 --CERT/CC Quarterly Summary Shows Top 10 Current Attack Threats
CERT/CC released its quarterly update to draw attention to the types
of attacks reported to its incident response team, as well as other
noteworthy incident and vulnerability information. WebDAV (ntdll.dll),
sendmail and Windows shares top the list.
http://www.cert.org/summaries/CS-2003-01.html

 --Survey Indicates Human Error is Perceived to Be Cause of Most
    Security Incidents
(18 March 2003)
Respondents to a survey said that 63% of security breaches could
be blamed on human error, while only 8% could be blamed on solely
technical failures. Only 11% of the 638 respondents said their
entire IT staff had security training, while 69% said less than one
quarter of their staff had training and 22% had none. There were
overwhelming recommendations for increasing training and security
certifications for IT staff. Representative Adam Putnam (R-Fla),
chair of the House Government Reform Subcommittee on Technology,
Information Policy and , said his committee had similar findings.
http://www.computerworld.com/careertopics/careers/training/story/0,10801,79485,00.html
http://www.govexec.com/dailyfed/0303/031803td2.htm
http://www.gcn.com/vol1_no1/daily-updates/21439-1.html
[Editor's Note (Pomeranz): I'm dubious about this study - especially
the 63% blamed on human error - given the small sample space and
the fact that the methodology seems to be simply calling people on
the phone and asking their opinions, rather than actual post-mortem
research.
(Shultz): This finding should come as no shock. I also suspect that
many incidents classified as insider attacks are actually cases in
which human error has occurred. Information security professionals
have for the most part not delved deeply enough into the relationship
between human error and incidents.]

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) BE OFFENSIVE. Don't react to network intrusions. Actively prevent
     them. FREE WP.
http://www.sans.org/cgi-bin/sanspromo/NB149

(2) Snort creators hosting FREE "Future of IDS" Sourcefire seminars.
    Register Here!
http://www.sans.org/cgi-bin/sanspromo/NB150

(3) SPAM and VIRUSES threatening your network? Find out.
     MX Logic's Threat Assessment.
http://www.sans.org/cgi-bin/sanspromo/NB151

***********************************************************************

THE REST OF THE WEEK'S NEWS

 --Microsoft Pulls Advertisement Implying Hacker Extinction
(23 March, 2003)
When South African regulators determined that Microsoft's claims were
unsupported, the company stopped using an advertisement implying
Windows XP and .NET Server 2003 would render computer hackers as
extinct as saber tooth tigers and the dodo bird.
http://story.news.yahoo.com/news?tmpl=story2&cid=562&ncid=738&e=9&u=/ap/20030324/ap_on_hi_te/south_africa_microsoft

 --California State University Computer System Flaw Exposes Student
    and Employee Data
(22 March 2003)
California State University (CSU) officials said they have known about
a vulnerability in the CSU computer system that exposes student and
employee personal data, including Social Security numbers, for years,
but did not plan to fix the problem because it would be too expensive.
Instead, employees had been asked to sign confidentiality agreements to
protect student and employee privacy. The vulnerability was revealed
in a state audit report released last week. A CSU spokesman said
they might reconsider their approach to the problem.
http://www.fresnobee.com/local/story/6425479p-7370408c.html
The audit report is available here: http://www.bsa.ca.gov/bsa/
CSU's response is available here: http://cms.calstate.edu/

 --Federal Court Ruling Restricting Junk Faxes May Help Curb Spam
    Emails
(21 March, 2003)
The US Eighth Circuit Court of Appeals reversed a lower court ruling
and said that a law restricting junk faxes did not violate the
First Amendment's guarantee of freedom of expression. This event is
significant for information security because it may set a precedent
for suppressing spam.
http://news.com.com/2100-1028-993749.html?tag=fd_top
[Editor's Note (Shpantzer): This is a sensible ruling, but we must
ask ourselves, "Will extending this decision to spam emails, making
them illegal, help at all in curbing spam in our inbox?" Given the
low costs of sending international email, as opposed to faxes, which
must be billed to the sender, the answer may be 'not much.' When was
the last time you got a junk fax from Europe or Asia?]

 --Microsoft Will Help Universities Establish Hands-On Security Courses
(21 March 2003)
Microsoft is working with a number of universities to establish
courses in which students will learn to write secure code by performing
security audits on software and fixing the flaws they have exploited.
The University of Leeds in the UK is the first school to begin
developing a course which will be offered starting next year.
Though Microsoft is partially funding the endeavor, its sponsorship
does not require the students to work solely on Microsoft products.
http://www.pcworld.com/news/article/0,aid,109935,00.asp
http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2423804

 --Antivirus Industry Finds Problems with XML in Office 2003 Beta
(21 March 2003)
The antivirus industry has found a problem with the way Microsoft's
Office 2003 beta version handles XML; in this latest version, macros
can be anywhere in the document, which means scanners have to scan the
entire file instead of the locations where macros are known to reside.
Antivirus companies want headers placed in the files so scanning
engines will know where to look for macros. They would also like to
see the Office productivity suite run only those macros identified
by the header. Microsoft says the problem is applicable to all XML
documents, not just those in Office 2003.
http://news.com.com/2100-1002-993696.html

 --State Agencies Not Keeping Pace with Federal Agencies' Cybersecurity
    Measures
(21/24 March 2003)
Zeichner Risk Analytics released a study showing that state agencies
are lagging behind federal agencies in adopting cybersecurity policies
and programs, despite Homeland Security Act mandates.
http://www.washingtonpost.com/wp-dyn/articles/A5694-2003Mar21.html
http://www.fcw.com/geb/articles/2003/0324/web-secure-03-24-03.asp

 --OIS to Release Vulnerability Disclosure Plan
(20 March 2003)
The Organization for Internet Safety (OIS) plans to release its
vulnerability disclosure plan in the next month. The document is based
on the one submitted to the Internet Engineering Task Force (IETF)
two years ago by two OIS members. That proposal called for vendors
to work closely with the people who discover the vulnerabilities,
with vendors responding to the notice of a vulnerability within ten
days and developing a solution to the problem within thirty days.
http://www.eweek.com/article2/0,3959,950860,00.asp

 --Thornberry to Head House Cybersecurity Subcommittee
(20 March 2003)
Representative Mac Thornberry (R-Texas) will lead the House
subcommittee on Cybersecurity, Science, Research and Development.
The subcommittee will focus on examining computer security policy as
it relates to government and private sector systems. The subcommittee
also hopes to foster cybersecurity cooperation between government
and the private sector.
http://www.washingtonpost.com/wp-dyn/articles/A64074-2003Mar20.html

 --Army Denies its Systems Were Compromised by Zero-Day Vulnerability
(18/19/20 March 2003)
The US Army denies reports that its systems were compromised by an
exploit for a buffer overflow vulnerability in the WebDAV protocol
in Internet Information Server (IIS) 5.0 running on Windows 2000
systems. Pentagon sources say an attack on a military server is
under investigation. The possible attack is an example of a zero-day
exploit, meaning attackers took advantage of a vulnerability that
was at the time not publicly known and for which there was no patch.
http://www.pcworld.com/news/article/0,aid,109915,00.asp
http://www.fcw.com/fcw/articles/2003/0317/web-hack-03-18-03.asp
http://www.gcn.com/vol1_no1/daily-updates/21446-1.html
http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,79478,00.html

 --ISA Server 2000 DNS Vulnerability
(20 March 2003)
Microsoft has issued a warning about a vulnerability in its Internet
Security and Acceleration (ISA) Server 2000's Domain Name Service
(DNS) intrusion detection application. The vulnerability could be
exploited to create a denial of service attack against the ISA server.
The vulnerability has been rated "moderate" and a patch is available.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79537,00.html
http://www.microsoft.com/technet/security/bulletin/MS03-009.asp

 --IIS 5.0 on Windows 2000 Patch Freezes Some Systems
(19/20 March 2003)
A patch for a flaw that affects Windows 2000 machines running
Internet Information Server 5.0 apparently makes some systems freeze.
The patch was hastily released because the vulnerability had already
been exploited. Microsoft has revised the Frequently Asked Questions
section of its related security advisory to include information about
how to check if the patch will adversely affect your system.
http://www.computerworld.com/securitytopics/security/story/0,10801,79504,00.html
http://news.com.com/2100-1002-993515.html
Microsoft's Revised Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
[Editor's Note (Northcutt): If you are running Windows 2000 and IIS
and receive hotfixes from PSS, this is important. The issue is listed
under Frequently Asked Questions where they say: "More information on
how to determine if you have installed a hotfix that is incompatible
with this patch is available in the Additional Information section
under Caveats." Right click on ntoskrnl.exe; hit Properties; versions
5.0.2195.4797 - 5.0.2195.4928 are not compatible with the patch.]
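As an added example (not part of the newsletter or of Microsoft's bulletin), a PowerShell check that reads the file version of ntoskrnl.exe and reports whether it falls in the range the note above quotes as incompatible with the patch. The function name, its $Path parameter and the output object are this example's own; PowerShell is assumed to be available on the host being checked.

```powershell
# Added example: flag a Windows 2000 kernel build that the editor's note
# above says is incompatible with the MS03-007 patch. The version range is
# taken from the note; the function name and parameter are assumptions.
function Test-NtoskrnlPatchCompatibility {
    param(
        # Default to the running system's kernel; override to inspect a copy.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe')
    )

    # Incompatible build range quoted in the editor's note (inclusive).
    $low  = New-Object System.Version(5, 0, 2195, 4797)
    $high = New-Object System.Version(5, 0, 2195, 4928)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "ntoskrnl.exe not found at $Path"
    }

    # Use the numeric version parts rather than the FileVersion string,
    # which on some builds carries trailing text that will not parse.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $ver  = New-Object System.Version(
        $info.FileMajorPart, $info.FileMinorPart,
        $info.FileBuildPart, $info.FilePrivatePart)

    # The caveat only concerns Windows 2000 (kernel 5.0.x) hotfix builds;
    # other major/minor versions are reported as not applicable.
    $applies = ($ver.Major -eq 5 -and $ver.Minor -eq 0)
    $inRange = ($ver -ge $low -and $ver -le $high)

    [pscustomobject]@{
        Path            = $Path
        FileVersion     = $ver.ToString()
        Windows2000     = $applies
        IncompatibleHotfix = ($applies -and $inRange)
    }
}

# Typical use: run on the IIS host before applying the patch.
Test-NtoskrnlPatchCompatibility
```

A result with IncompatibleHotfix set to True means the installed PSS hotfix kernel falls in the flagged range and the bulletin's Caveats section should be consulted before patching.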

 --Buffer Overflow Flaw in Windows Script Engine
(19/20 March 2003)
A buffer overflow flaw in the Windows Script Engine could allow
attackers to run malicious code from a specially crafted web page
or HTML e-mail. Microsoft has posted patches for the flaw, which
affects all supported versions of Windows.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79521,00.html
http://www.cnn.com/2003/TECH/ptech/03/20/microsoft.warning.ap/index.html

 --CERT/CC Advance Notices Posted on Security Mailing List
(19/20 March 2003)
Someone using the handle Hack4life posted details of three Computer
Emergency Response Team Coordination Center (CERT/CC) draft security
vulnerabilities to the Full-Disclosure security mailing list before
they were intended to be released to the public. CERT/CC provides
advance notice of vulnerabilities to members of its Internet Security
Alliance, who pay a fee for the privilege, as well as to affected
vendors. CERT/CC is asking these organizations to examine their
systems for signs of compromises.
http://zdnet.com.com/2100-1105-993375.html
http://www.wired.com/news/infostructure/0,1377,58106,00.html

 --Linux Kernel Vulnerability
(19 March 2003)
A vulnerability in the ptrace component of the 2.2 and 2.4 series
of Linux kernels could allow a local user to obtain root privileges.
Red Hat has posted a patch for the flaw.
http://news.com.com/2100-1016-993278.html
https://rhn.redhat.com/errata/RHSA-2003-098.html?tag=nl

 --Online Scheme Bilks $230 Million From Customers Of Pornography Sites
(March 19, 2003)
Federal prosecutors charged the head of the company that publishes
Playgirl and two others in a scheme that allegedly defrauded thousands
of people out of nearly a quarter of a billion dollars. The victims
were promised free pornographic images but were allegedly charged
$90 per month.
http://www.startribune.com/stories/789/3766250.html

 --Federal Judge Rules Hacker Was a Police Informant
(18 March 2003)
Defense attorneys believe charges against a California Superior Court
Judge, for allegedly storing child pornography on his computers at
home and in the court, may be thrown out because the evidence used
against him was gathered by a hacker who believed he was acting on
behalf of the US government.
http://www.bayarea.com/mld/mercurynews/news/local/5417918.htm

 --Australian Bank Customers Targeted by E-Mail Scam
(18 March 2003)
Customers of Australia's Commonwealth Bank received e-mails asking
them to log in to a certain web site to reactivate their accounts; the
web site was phony. Some customers provided their account numbers and
passwords, and there were attempts to remove money from some accounts.
http://www.smh.com.au/articles/2003/03/18/1047749771323.html

 --Opinion: Open Source Software is More Secure, Less Expensive
(18 March 2003)
Steve Schlesinger argues that because open source software is
considerably less expensive than its proprietary counterpart, companies
that use open source software will have more resources to devote to
security, including broader protection and end-user security education.
He also argues that while no software is entirely secure, because
open source software is scrutinized by constant peer review, it is
less likely to suffer vulnerabilities than is closed source software.
Vulnerabilities in open source software are fixed more quickly.
http://www.infosecnews.com/opinion/2003/03/19_01.htm
[Editor's Note (Ranum): The history of security shows that just
because people have time and resources to devote to it doesn't mean
they will. I think the rates of security bug reports don't bear out
his argument.
(Multiple): Both sides of this argument can be made effectively.
(Paller): The number of vulnerabilities in software is related more
to the number of lines of code and the age of the software than
other factors.]

 --NIST Rates Facial Recognition Systems
(17 March, 2003)
The US National Institute of Standards and Technology has tested and
rated fifteen different facial recognition programs. Accuracy rates
varied widely based on system and age of photographs tested, among
other factors.
http://www.gcn.com/vol1_no1/security/21408-1.html

 --The 2003 SANS Salary Survey
A note from David Turley and Stephen Northcutt:

In the past year there have been a number of changes in the
compensation for system administrators and security professionals.
The pay premium for all but the toughest certifications has been
dropping. As the year started all data indicated information security
positions were getting higher pay raises than other IT positions.
There is some evidence that trend is changing. Are you getting
the compensation you deserve given your skill and experience?
Are some parts of the world hot markets, while others are not?
For years SANS has run salary surveys to track the market and give
you the information you need and it is more important now than ever.
This is the largest survey SANS has ever offered to the community; it
takes about 20 minutes to complete. In order to make the end product
truly significant we are teaming with Usenix and Sun's BigAdmin list.
Of course, 100% of your personal information will be stripped out
before the results are pooled, but doing this will give us the best
possible results. People that participate will get results faster
and receive more information than those that do not participate.
Please invest 20 minutes of your time to visit and be part of the
2003 SANS Salary Survey.
https://registration.sans.org/cgi-bin/salsur

===end===

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editors: Bruce Schneier and Hal Pomeranz

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit http://www.sans.org/sansnews/

To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.
