SANS NewsBites Vol. 5 Num. 15

From: The SANS Institute (sans@sans.org)
Date: Wed Apr 16 2003 - 11:54:36 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

More free resources:
To help you stay on top of security product developments, free
technical white papers from 22 vendor-sponsors of the current SANS
Security Tools Poster are available. The vendors often put a great
deal of quality technical work into these papers (but not always.) To
choose the papers you'd like, visit http://www.sans.org/tools.php

This is a wonderful summer for giving your security skills a boost
and for getting moving on security skills certification. There are
large programs in Portland (OR), Monterey, Denver, and London.
And SANS' most popular summer conference is SANSFire in Washington
DC. SANSFire classes always fill up early and 300,000 brochures
will start arriving in mailboxes next week, so to get a place in
the class you want, we suggest you start choosing this week or next
week. Visit http://www.sans.org and click on SANSFire (or any of the
other programs) to see a brochure.

                                       Alan

***********************************************************************
SANS NewsBites April 16, 2003 Vol. 5, Num. 14
***********************************************************************

TOP OF THE NEWS
  OpenBSD Release Protected Against Buffer Overflow Attacks
  Judge Throws Out ACLU's Challenge to DMCA
  Richard Clarke, Mike Vatis and Mark Forman Speak to Government's
     Cyber Security Efforts

THE REST OF THE WEEK'S NEWS
  Disaster Recovery and Continuity Guidelines for Financial
     Institutions
  Microsoft Issues Bulletins for Flaws in VM, Proxy Server 2.0 and ISA
     Server 2000
  Mueller Outlines FBI Budget Request
  GISRA Report Shows Progress, Leaves Room for Improvement
  ISS Revises Cyber Incident Statistics for First Quarter of 2003
  Windows Server 2003 License Key Leaked
  Pyramid Scheme Spam Temporarily Brings Down Montana ISP
  Secure Operating Systems
  Letter Author Claims to have Breached Prison Computer Security
  Digital Defense Apologizes for Releasing Samba Exploit Along with
     Advisory
  Integrating IT and Physical Security
  GAO Report Finds ISACs are Not Sharing Much Information

SECURITY TRAINING UPDATE
Mark your calendar:
Four security training tracks in Portland, OR (May 5-10)
Six security training tracks in Monterey, CA (June 11-16)
Five security training tracks in London, UK (June 23-28)
Six security training tracks in Denver, CO (Aug. 14-19)
Our largest summer conference: SANS Fire in Washington DC (July 14-19)
Plus smaller programs in Raleigh, Atlanta, Melbourne (AU), and San
Francisco.
If you cannot travel, we have local mentor and evening programs in
thirty cities, or ask to schedule a course at your location. Details
at http://www.sans.org

********************** Sponsored by NetIQ *****************************

The 10 Reports Every CSO Lives For from NetIQ

Need to make sense of the security data that bombards you
daily? Download your free copy of the "The 10 Reports Every CSO Lives
For" from NetIQ to discover where to find key security information,
how to analyze it, and best of all, learn a few ways to improve how
you're managing security.

http://www.netiq.com/f/form/form.asp?id=1929&origin=NS_SANS_041603

***********************************************************************

TOP OF THE NEWS

 --OpenBSD Release Protected Against Buffer Overflow Attacks
(11 April 2003)
The most recent release of OpenBSD should eliminate buffer overflows,
according to the group's project leader. The group took three
approaches to hardening the software. First, the location of the
stack in memory is randomized. Second, the team added a tag to the
memory structure that will detect address modifications. Finally,
they managed to divide the main memory into two sections: writeable
and executable; the pieces of data and programs, called "pages",
would be stored in one or the other section, ensuring that no page
is writeable and executable at the same time.
http://news.com.com/2100-1002-996584.html
[Editor's Note (Schultz): Many kudos are in order here.
If what the OpenBSD people are doing really works, they will put
considerable pressure on other vendors and developers to do the same.
Buffer overflow problems continue to plague operating systems and
applications. Eliminating this category of vulnerabilities would be
a major victory for the information security arena.
(Schneier): It's great to see this kind of approach to buffer
overflows. This is an example of building in security instead of
trying to patch it afterwards.
(Ranum): It's GREAT to see that at least a few people are smart enough
to try to attack problems like this systemically, rather than keeping
stuck in the fruitless "penetrate and patch" while loop. This is how
to make progress in security: fundamental protections.
(Shpantzer): Initiatives like this should be taught as case studies
in computer science courses at the undergraduate level. ]
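The second and third of the three OpenBSD measures above (a tag placed next to a buffer so that an overrun is noticed before the function returns, and the rule that a page may be writable or executable but never both) can be shown in a few lines of C. The following is an added example written for this summary, not OpenBSD code: the "tag" is a toy stand-in for the compiler-inserted canary, the tag value and the filler bytes are constructed, and the W^X part assumes a POSIX system with mmap/mprotect. Stack randomization is not demonstrated, since it only shows up across separate runs of a program.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define BUF_LEN 16
#define TAG_LEN 8

/* Constructed tag value. In the spirit of ProPolice's "terminator canary"
 * it contains a NUL, a newline and a carriage return, so C string routines
 * that overrun the buffer cannot easily reproduce it byte for byte. */
static const uint64_t TAG_VALUE = 0x12345678ff000a0dULL;

/* Writes n bytes of 'A' into a 16-byte buffer that is immediately followed
 * by the tag, then re-checks the tag. Returns 1 if the tag survived (the
 * write fit the buffer) and 0 if it was clobbered (the write overran the
 * buffer). n is clamped to the region so the demo itself stays in bounds. */
int copy_with_tag(size_t n)
{
    unsigned char region[BUF_LEN + TAG_LEN];
    uint64_t tag = TAG_VALUE;

    if (n > sizeof region)
        n = sizeof region;
    memcpy(region + BUF_LEN, &tag, TAG_LEN);   /* tag sits right after the buffer */
    memset(region, 'A', n);                    /* the possibly oversized write */
    memcpy(&tag, region + BUF_LEN, TAG_LEN);   /* re-read the tag before "returning" */
    return tag == TAG_VALUE;
}

/* W^X policy: a page may be writable or executable, never both at once. */
int wx_allowed(int prot)
{
    return (prot & (PROT_WRITE | PROT_EXEC)) != (PROT_WRITE | PROT_EXEC);
}

/* mprotect wrapper that refuses any W+X request before it reaches the kernel.
 * Returns 0 on success, -1 if the policy rejects the request or mprotect fails. */
int request_prot(void *p, size_t len, int prot)
{
    if (!wx_allowed(prot))
        return -1;
    return mprotect(p, len, prot);
}

/* Walks one page through the W^X life cycle: map it writable, fill it, flip
 * it to read+execute with the write bit dropped, then show that a
 * read+write+execute request is refused. Returns 0 if every step behaved as
 * the policy requires, -1 otherwise. */
int wx_page_cycle(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0xc3, 16);   /* constructed filler bytes; nothing in this page is executed */

    int ok = request_prot(p, pg, PROT_READ | PROT_EXEC) == 0                 /* W -> X: allowed */
          && request_prot(p, pg, PROT_READ | PROT_WRITE | PROT_EXEC) == -1;  /* W+X: refused */
    munmap(p, pg);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("write of 16 bytes, tag intact: %d\n", copy_with_tag(16));
    printf("write of 17 bytes, tag intact: %d\n", copy_with_tag(17));
    printf("W^X page cycle (0 = ok):       %d\n", wx_page_cycle());
    return 0;
}
```

The point of the tag check is that the overrun is caught at the function boundary, before the corrupted return address is ever used; the point of the W^X wrapper is that the policy decision happens once, in one place, rather than being trusted to every caller of mprotect.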

 --Judge Throws Out ACLU's Challenge to DMCA
(9 April 2003)
US District Court Judge Richard Stearns has thrown out a lawsuit
brought by the American Civil Liberties Union (ACLU) that challenged
the Digital Millennium Copyright Act (DMCA). The suit was brought on
behalf of a Harvard Law School student who wanted to reverse-engineer
certain Internet content-filtering software.
http://www.washingtonpost.com/wp-dyn/articles/A331-2003Apr9.html

 --Clarke, Vatis and Forman Speak to Government's Cyber Security
    Efforts
(8/9 April 2003)
At a congressional hearing, former presidential cyber security advisor
Richard Clarke spoke critically of the government's cyber security
efforts, saying the Department of Homeland Security needs to move
more quickly to organize the National Cyber Security Center and that
the Office of Management and Budget (OMB) should hire a full time
chief information security officer devoted solely to cybersecurity.
Clarke also said that congress should fund vulnerability scanning
sensors on all federal networks. Michael Vatis, director of Dartmouth
College's Institute for Security Technology Studies (ISTS), largely
agreed with Clarke and recommended that the Securities and Exchange
Commission (SEC) require companies to include their cybersecurity
measures on their reports to the SEC. The OMB's Mark Forman maintained
that the DHS would address cybersecurity, that the CIOs of various
agencies would be responsible, and wants market forces to drive cyber
security implementation.
http://www.gcn.com/vol1_no1/daily-updates/21652-1.html
http://www.govexec.com/dailyfed/0403/040803td1.htm
http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,80183,00.html
http://www.washingtonpost.com/wp-dyn/articles/A55783-2003Apr8.html
[Editor's Note (Northcutt): I tell intrusion detection students that
for every dollar they spend on an IDS, they should plan to spend a
matching dollar on disk space to hold the detects. Similarly, for
every dollar you spend on a vulnerability scanner, plan to spend a
thousand dollars on the staff to handle the remediation. I support
Richard Clarke's advice, but the scanners just find problems. There
is no substitute for the trained admins to fix the problems.
Speaking of trained admins, the best unix instructor in the field,
Hal Pomeranz, is running a hands on, SANS unix security course in
Raleigh NC April 28 - May 3, 2003. This course was designed to fit
the small class model and is your opportunity to learn in a class with
a great instructor to student ratio: http://www.sans.org/raleigh03/ ]

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) FOIL NETWORK ATTACKS BEFORE THEY'RE LAUNCHED! Automatically prevent
     intrusions. FREE DEMO.
http://www.sans.org/cgi-bin/sanspromo/NB158

(2) Learn how to Arm Yourself Against Network Attacks. Free Guide.
http://www.sans.org/cgi-bin/sanspromo/NB159

(3) ALERT: How a Hacker Launches a SQL Injection Attack Step-by-Step-
     White Paper
http://www.sans.org/cgi-bin/sanspromo/NB160

***********************************************************************

THE REST OF THE WEEK'S NEWS

 --Disaster Recovery and Continuity Guidelines for Financial
    Institutions
(11 April 2003)
The Federal Reserve, the Office of the Comptroller of the Currency
and the Securities and Exchange Commission have published a white
paper outlining disaster recovery and business continuity guidelines
for financial institutions. The guidelines include establishing a
system that will allow for same day business recovery after a disaster;
that time frame would ideally be reduced to two hours after a disaster.
Many companies balked at an earlier proposal that suggested a minimum
distance of 200-300 miles between primary and secondary data centers;
the paper does not establish a minimum distance for back-up facilities.
http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,80262,00.html

 --Microsoft Issues Bulletins for Flaws in VM, Proxy Server 2.0 and
    ISA Server 2000
(10 April 2003)
Microsoft has issued two security bulletins regarding vulnerabilities
in Microsoft Virtual Machine (VM), Microsoft Proxy Server 2.0 and
Microsoft ISA Server 2000. The first security flaw is in the VM
ByteCode Verifier and could allow an attacker to take remote control
of a vulnerable machine. The vulnerability affects Windows 98, NT
4, 2000, XP and Me; Microsoft has issued a patch for VM Build 3810.
A vulnerability in the Winsock Proxy service on Proxy Server 2.0 and the
Firewall service on ISA Server 2000 could result in denial-of-service
attacks against both products. Patches are available for the
vulnerabilities.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,80199,00.html
http://www.theregister.co.uk/content/55/30199.html
http://zdnet.com.com/2100-1105-996308.html
http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
http://www.microsoft.com/technet/security/bulletin/MS03-012.asp

 --Mueller Outlines FBI Budget Request
(10 April 2003)
In his budget presentation to the U.S. Senate Commerce, Justice and
State Appropriations Subcommittee, FBI director Robert Mueller said
cybersecurity is the agency's third priority area. The budget request
for the agency's Cyber Division for fiscal 2004 is $234 million;
the figure includes the hiring of 77 new agents to work in combating
cyber attacks and high tech crime.
http://www.govexec.com/dailyfed/0403/041003td2.htm

 --GISRA Report Shows Progress, Leaves Room for Improvement
(10 April 2003)
The final draft of the report to the U.S. Congress under the
Government Information Security Reform Act (GISRA) includes metrics
on federal computer system security. While only 40% of systems had
current security plans in 2001, that figure increased to 61% in 2002.
Systems with security certification and accreditation rose from 27%
to 40%, and systems that had undergone risk assessments rose from 44%
to 64%. Mark Forman, associate director for information technology
and e-government at the Office of Management and Budget (OMB), says
that while there has been improvement, the figures are not where
they should be; the OMB's goal for this fiscal year is to have 80%
of federal systems certified and accredited.
http://www.fcw.com/fcw/articles/2003/0407/web-gisra-04-10-03.asp

 --ISS Revises Cyber Incident Statistics for First Quarter of 2003
(8 April 2003)
A report from Internet Security Systems (ISS) found that the number
of cyber attacks and security breaches increased 37% from the fourth
quarter of 2002. The number was initially incorrectly reported to
be 84%.
http://www.internetweek.com/security02/showArticle.jhtml?articleID=8600208
http://www.newsfactor.com/perl/story/21218.html

 --Windows Server 2003 License Key Leaked
(8 April 2003)
A volume license key for Microsoft Windows Server 2003 has been leaked
to the Internet. Windows Server 2003 has not been officially released.
Volume license keys are intended for corporate users with multiple
systems. Microsoft is investigating. Copies of the Windows Server
2003 software, which is due to be released on April 24, have also
appeared on line.
http://www.computerworld.com/securitytopics/security/story/0,10801,80155,00.html
http://zdnet.com.com/2100-1105-995879.html

 --Pyramid Scheme Spam Temporarily Brings Down Montana ISP
(8 April 2003)
A Montana Internet service provider (ISP) was deluged with up to
20,000 e-mail messages an hour, causing the service to shut down
briefly. The messages were part of an electronic pyramid scheme.
The ISP's owner believes the attacks originated locally; the incident
is under investigation.
http://www.usatoday.com/tech/news/computersecurity/2003-04-08-isp-attack_x.htm

 --Secure Operating Systems
(8 April 2003)
Secure operating systems (OSes) are either hardened or trusted OSes.
Hardened systems are aimed at keeping intruders out of the system
altogether; network ports and services can be removed to lock systems
down. Trusted systems allow only people with specific access rights
to view and manipulate data. If intruders gain root access to a
properly configured trusted system, they do not control the system.
http://www.newsfactor.com/perl/story/21212.html
[Editor's Note (Grefer): A configured trusted system as described in
the abstract would not have a traditional super user (root) account;
rather, it would use role based access control (RBAC), therefore
limiting rights to those necessary for any particular role.
(Ranum): Trusted Operating systems are not news. They have been
around since the early 80's - and didn't work then any better than
they do now.]

 --Letter Author Claims to have Breached Prison Computer Security
(8 April 2003)
The Arkansas Democrat-Gazette received a letter containing the
social security numbers of several Arkansas prison employees from
someone claiming to be an inmate. The author of the letter alleges
that prison authorities were lax in allowing inmates to have access
to computers. A prison spokeswoman says the information would not
have been available through the Internet, but could have been found
on the prison's computer system. The incident is being investigated.
http://www.usatoday.com/tech/news/computersecurity/2003-04-08-inmate-hack_x.htm

 --Digital Defense Apologizes for Releasing Samba Exploit Along
    with Advisory
(7/8 April 2003)
The Samba team has released a patch for a vulnerability discovered by
the security company Digital Defense. The vulnerability could allow
attackers to compromise Samba servers connected to the Internet.
Because the vulnerability was already being actively exploited, the
Samba team and Digital Defense decided to release their advisories
before all the vendors had time to address the problem. Digital
Defense's advisory also included code for exploiting the vulnerability,
without managerial approval; the company has apologized.
http://news.com.com/2100-1002-995834.html
http://news.com.com/2100-1002-995939.html

 --Integrating IT and Physical Security
(7/10 April 2003)
Integrating IT security with physical security can improve threat
detection and response and streamline investigations. However, such
integration may be hard to implement because it requires a significant
change in business culture and processes.
http://www.computerworld.com/securitytopics/security/story/0,10801,80069,00.html
http://news.zdnet.co.uk/story/0,,t278-s2133258,00.html

 --GAO Report Finds ISACs are Not Sharing Much Information
(3 April 2003)
A General Accounting Office (GAO) review of the Information Sharing
and Analysis Centers (ISACs) for the Telecommunications, Electricity,
Information Technology, Energy and Water critical infrastructures
found that the clearinghouses are not sharing much information with
the government. Some ISACs will not share information with other
ISACs; some will not let the National Infrastructure Protection Center
(NIPC) access their libraries of reported incidents. Some claim they
fear that the information they provide may become accessible to the
public through the Freedom of Information Act (FOIA).
http://www.securityfocus.com/news/3690
[Editor's Note (Schneier): May I say, "I told you so?"]

===end===

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editors: Bruce Schneier and Hal Pomeranz

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+nUtM+LUG5KFpTkYRAj43AKCSNdkHZY+vnnaSbWF9dX/KJ7hzZgCePySN
RuuCwnVWmWVydOthWAmG00Q=
=R5ft
-----END PGP SIGNATURE-----