SANS NewsBites Vol. 5 Num. 16
From: The SANS Institute (NewsBites sans.org)
Date: Wed Apr 23 2003 - 12:25:22 CDT
***********************************************************************
SANS NewsBites April 23, 2003 Vol. 5, Num. 16
***********************************************************************
We rarely begin NewsBites with an editorial, but this week the first
two items in "Top of the News" combine to tell an important story.
First, Howard Schmidt is leaving the White House and the government,
and second, Microsoft is announcing a much more safely configured
server operating system. Many people (including one of our editors)
will say that Schmidt's leaving - so soon after Richard Clarke's
departure - means the government has lost its cybersecurity leadership.
Although we are very sad to see Howard go, the fact is that Richard
Clarke and Howard Schmidt have accomplished, magnificently, the
principal goal set for their positions. Their speeches and articles and
private meetings changed the mind set of the IT buying community. They
led the charge that caused security to become a required feature
rather than an afterthought. The proof - the second news item:
Microsoft's announcement, and five similar announcements from other
vendors you will hear over the next few months. Vendors do not change
their products because government leaders make speeches; they change
their products because their customers demand the changes. Kudos to
Dick Clarke and Howard Schmidt for helping to persuade the IT buying
community that security really matters.
The question still remains: can government lead in cybersecurity
without a highly-placed czar? Absolutely! Mark Forman (Office of
Management and Budget), Karen Evans (Department of Energy and the CIO
Council) and Van Hitch (Department of Justice and the CIO Council)
are working quietly and effectively to make the federal government
the smartest and largest buyers of safely configured software and
hardware. Add to that effort the new rapid response analysis and
information distribution system (called the US Cert) being set up in
the Department of Homeland Security by Bob Liscouski and Marcus Sachs
and you have a US government that is continuing to show leadership
by putting its money on improved security and, as a result, that is
making security a little easier and more effective for all of us.
Alan
TOP OF THE NEWS
Schmidt Resigns Post
Windows Server 2003 Offers Improved Security
NIST to Establish Cybersecurity Standards for Agency Systems
DHS Proposes Rules for Info Sharing
THE REST OF THE WEEK'S NEWS
Student Faces Charges for Alleged Server Intrusion
Student Who Used Keystroke Logger to Steal Info Gets Probation
Trojan Downloaded Pornographic Images
Snort Vulnerabilities
Windows 2000 Patch Contains Unidentified Files
Military Academies Engage in Cyber Defense Exercise
Proposed EU Hacking Law Has Loophole
Survey Shows Security Needs Improvement
TechNet and Others Developing Best Practices for Managers
Sticky Legal Questions About Honeypots
Students Cannot Present Talk on Smart Card Security Circumvention
Naval Academy Students Disciplined for Downloading Music Files
Application Vulnerability Description Language
Admitted Australian ISP Hacker Let Go Without a Conviction
THREE PROFESSIONAL DEVELOPMENT NOTES FROM SANS:
1. How much are security and sysadmin and network admin jobs
worth? Trends are changing and you need to know what's happening. The
2003 SANS Salary Survey is teaming up with Usenix and Sun's Big Admin
list to offer the community the largest, most significant, survey to
date. This survey only takes about 20 minutes to complete. You will be
one of the first to receive the data if you complete this online form.
https://registration.sans.org/cgi-bin/salsur
2. SANS Press is pleased to announce three new, or just updated titles,
* Securing Linux-A Survival Guide for Linux Security (Version 1.0),
* Computer Security Incident Handling (Version 2.3.1), and
* Securing Windows 2000 Professional Using the Gold Standard
Security Template (Version 3.0).
They are available through the SANS Online Store at
http://store.sans.org. A description of each is included at the end
of this issue of NewsBites.
3. The SANSFire brochures began arriving in the mail yesterday.
If you do not receive one by early next week, and think you may be
able to attend, email sansro sans.org with the subject "SANSFire brochure",
your name and address (and the number you want) and we'll send a
package right out. The program (Washington DC July 14-19) combines
our most popular courses (SANS Security Essentials, Hacking Exploits,
Firewalls, Auditing and more) with our top rated instructors and adds a
new program (Track 12) that helps senior managers get their arms around
security and gives them tools to lead the technical security folks.
In addition the program describes the conference for security managers:
the National Information Assurance Leadership Conference on July 21-22.
Complete online programs:
SANSFire: http://www.sans.org/sansfire03
National Information Assurance Leadership Conference:
http://www.sans.org/sansfire03/nial.php
******** Sponsored by Application Security, Inc. (AppSecInc) *********
QUESTION: How vulnerable are your Oracle, Microsoft SQL Server, IBM DB2,
Sybase, and Lotus Domino installations to an attack?
ANSWER: Find out with AppDetective!
AppDetective DISCOVERS installations; performs ZERO KNOWLEDGE DATABASE
PENETRATION TESTS; and performs in-depth AUDITS without host-based agents.
Download your FREE EVALUATION of AppDetective and WHITE PAPERS on
database security TODAY from: http://www.appsecinc.com/sans/
***********************************************************************
TOP OF THE NEWS
--Schmidt Resigns Post
(18/21 April 2003)
White House cybersecurity advisor Howard Schmidt has announced that he
will resign his post and return to the private sector. Schmidt plans
to meet with DHS Assistant Secretary of Infrastructure Protection
Robert Liscouski and others to make sure projects in progress make
a smooth transition. Schmidt's resignation means there is no high
ranking official whose primary focus is cybersecurity.
http://www.computerworld.com/securitytopics/security/story/0,10801,80549,00.html
http://www.gcn.com/vol1_no1/daily-updates/21815-1.html
[Editor's Note (Schultz): This is a huge setback. It once again
raises the suspicion that the government is really giving only lip
service to cybersecurity.]
--Windows Server 2003 Offers Improved Security
(18 April 2003)
The impending release of Microsoft's Windows Server 2003 will serve as
a test for the company's trustworthy computing initiative. The new
operating system's default installation is very close to the safe
computing benchmarks developed by the US National Security Agency
and the Center for Internet Security. The new system also includes
a security feature that will check a PC's configuration when it
connects to the network. If the PC does not meet the configuration
requirements, for instance, if its anti-virus signatures are not up to
date or it lacks a personal firewall, then that machine is quarantined
on a private segment of the network until the problem is addressed.
http://www.eweek.com/article2/0,3959,1034386,00.asp
[Editor's Note (Paller): Microsoft appears to be using the improved
security of Windows 2003 Server as a lever to push clients to switch
from Windows 2000 to Windows 2003. Gartner says that by the end of
2003, only 5% of Windows 2000 users will have switched to Windows
2003, and only 15% will switch by the end of 2004. Computer companies
like Dell and Hewlett Packard could become serious security heroes by
configuring the Windows 2000 systems they deliver with the same sort of
safe configurations now being offered in Windows 2003. Every reader
of NewsBites can help make that happen by asking their CIOs to add
a safe configuration requirement to your procurement specifications
for computers delivered with Windows 2000. You can find safe and
compatible configurations in the benchmarks published by the Center
for Internet Security at http://www.cisecurity.org]
--NIST to Establish Cybersecurity Standards for Agency Systems
(17 April 2003)
The National Institute for Standards and Technology's (NIST's)
Certification and Accreditation program will develop standards with
which to certify the security of agency computer systems. The first
phase of the program, which is underway, involves developing the
standards; the second phase involves establishing a group of accredited
organizations that can provide security certification services.
http://www.gcn.com/vol1_no1/daily-updates/21792-1.html
[Editor's Note (Ranum): None of this stuff is going to mean anything
unless the standards have teeth behind them.
(Paller) Agreed and also they will need to have substantial components
that are technical standards that can be measured by machine, or they
will become another exercise in report writing.]
--DHS Proposes Rules for Info Sharing
(16/17 April 2003)
The Department of Homeland Security (DHS) has proposed rules for
protecting the private sector systems information it receives;
the rules would apply to hardware and software that is part of the
nation's critical infrastructure. All federal agencies, as well as
state, local and foreign governments and government contractors, would
be subject to the rules. Homeland Security Secretary Tom Ridge will
choose an undersecretary of the Information Analysis Infrastructure
Protection (IAIP) Directorate who will oversee collection and storage
of the critical infrastructure data in a database.
http://news.com.com/2100-1028-997218.html
http://www.gcn.com/vol1_no1/daily-updates/21773-1.html
[Editor's Note (Ranum): They should try it with the federal sector
first and get THAT working, then roll it to the private sector.]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: Exploiting Web Applications - A Step-by-Step Attack Analysis
***FREE White paper***
http://www.sans.org/cgi-bin/sanspromo/NB161
(2) ALERT: Top 8 SPAM BLOCKING methods. ***FREE White paper***
http://www.sans.org/cgi-bin/sanspromo/NB162
***********************************************************************
THE REST OF THE WEEK'S NEWS
--Student Faces Charges for Alleged Server Intrusion
(21 April 2003)
A business-college student in Erie, Pennsylvania, faces charges for
allegedly breaking into a server belonging to Ohananet, a Hawaiian
company. Jason Starr allegedly had control of the server, which was
located in Missouri, for about a year. Starr also allegedly changed
the server's password and attempted to access PayPal accounts belonging
to Ohananet's president. If convicted, Starr could face up to a year
in prison and a fine of as much as $100,000.
http://www.crime-research.org/eng/news/2003/04/Mess2002.html
--Student Who Used Keystroke Logger to Steal Info Gets Probation
(18 April 2003)
Douglas Boudreau, a former Boston College student who used
keystroke-logging software to steal personal information of students,
faculty and staff, has been sentenced to five years of probation, and
ordered to undergo counseling, repay the school and have his computer
use monitored. Boudreau used the information he collected to alter
his own student ID card, enabling him to access campus buildings and
make purchases with illicitly obtained funds.
http://www.cnn.com/2003/TECH/internet/04/18/student.hacker.ap/index.html
--Trojan Downloaded Pornographic Images
(18 April 2003)
A UK man was acquitted of charges of having pornographic images on his
computer after it became apparent that his computer had been infected
with a Trojan horse program that was responsible for downloading
the images.
http://www.theinquirer.net/?article=9023
--Snort Vulnerabilities
(17 April 2003)
The Computer Emergency Response Team Coordination Center (CERT/CC)
has issued an advisory warning of vulnerabilities in two preprocessor
modules of the Snort Intrusion Detection System. The vulnerabilities,
which affect versions 1.8 through 2.0 RC1, could be exploited to allow
a remote user to execute arbitrary code with the privileges of the
user running Snort. Users are encouraged to upgrade to Snort 2.0,
disable the affected preprocessor modules, or block outbound packets
from Snort IDS systems.
http://www.cert.org/advisories/CA-2003-13.html
--Windows 2000 Patch Contains Unidentified Files
(17 April 2003)
Some security experts are recommending that users not install
Microsoft's recently released patch for a bug in the Windows 2000
kernel. The vulnerability also affects Windows NT and XP, but the
patch for Windows 2000 contains unidentified files, one of which had
been included in a patch for an earlier vulnerability and was found
to cause problems. NTBugTraq's Russ Cooper recommends not installing
the patch unless you first test it in a non-production environment.
http://www.vnunet.com/News/1140296
http://www.microsoft.com/technet/security/bulletin/MS03-013.asp
--Military Academies Engage in Cyber Defense Exercise
(17 April 2003)
Students at West Point Military Academy, the Naval Academy, the Air
Force Academy, and the Coast Guard Academy engaged in the third annual
cyber defense exercise last week.
http://www.msnbc.com/news/901628.asp
--Proposed EU Hacking Law Has Loophole
(17 April 2003)
A proposed European Union (EU) cybercrime regulation is aimed at
unifying laws that protect servers and other systems from cyber
attacks. However, a loophole in the proposal would allow people who
access an unsecured computer, without the intent to cause damage or
to benefit financially, not to be considered to have committed a crime.
http://www.vnunet.com/News/1140284
--Survey Shows Security Needs Improvement
(16 April 2003)
Respondents to a Human Firewall Council survey completed an on-line
self-assessment tool called the "Security Management Index" to grade
their company's security efforts in ten areas; 80% of respondents
earned a D or an F as an overall grade. The Human Firewall Council
believes the "dismal" ratings stem from the fact that businesses seem
to approach security by responding to each problem as it arises rather
than addressing security as an overall business concern.
http://www.csoonline.com/read/040103/survey.html
--TechNet and Others Developing Best Practices for Managers
(16 April 2003)
TechNet, an information technology company lobbying group, will work
with the Internet Security Alliance and four major accounting and
audit firms to develop cybersecurity best practices for managers to
use in securing their companies. Howard Schmidt said the initiative
is "exactly what we had in mind when we created the National Strategy
to Secure Cyberspace."
http://zdnet.com.com/2100-1105-996997.html
http://www.computerworld.com/securitytopics/security/story/0,10801,80403,00.html
[Editor's Note (Northcutt): I expect Mr. Schmidt is misquoted;
hopefully our strategy to secure cyberspace is more comprehensive
than a list of ten or so things we ought to be doing. May I suggest
a reading of ISO 17799 might be a better use of their collective time.
(Paller) We'll know whether they are serious if none of the "Best
Practices" calls for buying any of the sponsors' products or services.]
--Sticky Legal Questions About Honeypots
(16 April 2003)
Speaking at the RSA conference, senior counsel for the Justice
Department's computer crime unit Richard Salgado said that people who
deploy honeypots could potentially be charged with "interception of
communications," a felony which carries up to five years in prison,
or sued by hackers under the Federal Wiretap Act. Director of
Stanford University's Center for Internet and Society Jennifer Granick
recommends checking with an attorney before deploying a honeypot.
http://www.securityfocus.com/news/4004
http://www.siliconvalley.com/mld/siliconvalley/5646059.htm
[Editor's Note (Spitzner): While possible, these issues mainly apply
to research honeypots that capture extensive amounts of information,
such as Honeynets. Most production honeypots, such as Honeyd or
Specter, capture no more information than traditional technologies
such as IDS sensors or firewall logs.
(Ranum): In other words, some forms of honeypots MAY be intrusive
and may be a problem; the majority of production honeypots are not
a problem at all; Salgado's comments need to be read carefully and
not taken out of context.]
--Students Cannot Present Talk on Smart Card Security Circumvention
(15/18 April 2003)
Two students have been blocked from presenting a talk that describes
how to break into and manipulate a university smart card network.
Blackboard Inc. obtained a temporary restraining order preventing Billy
Hoffman, a Georgia Tech student, and Virgil Griffith, a University
of Alabama student, from presenting at the Interz0ne conference
in Atlanta.
http://news.com.com/2100-1028-996836.html
http://www.washingtonpost.com/wp-dyn/articles/A48214-2003Apr17.html
--Naval Academy Students Disciplined for Downloading Music Files
(15 April 2003)
Eighty-five students at the US Naval Academy have been disciplined
for illegally downloading music; computers belonging to 92 cadets
were seized in November 2002. The students could face demerits,
loss of leave time, extra duties and campus activity restrictions.
http://news.com.com/2100-1025-996990.html
--Application Vulnerability Description Language
(14 April 2003)
The Application Vulnerability Description Language (AVDL) will provide
a standard for describing application security vulnerabilities.
AVDL will be managed through the Organization for the Advancement of
Structured Information Standards (OASIS) consortium.
http://www.theregister.co.uk/content/55/30243.html
http://www.avdl.org/
--Admitted Australian ISP Hacker Let Go Without a Conviction
(9 April 2003)
An Australian man who admitted hacking into Optusnet, an Internet
service provider, and accessing customer details was released without
a conviction registered against him, angering members of the computer
security community. Stephen Craig Dendtler's lawyer called his
client's activity an "intellectual pursuit."
http://www.theage.com.au/articles/2003/04/09/1049567714193.html
[Editor's Note (Schultz): Although outcomes like this one are
unfortunately by no means rare when it comes to prosecuting cybercrime,
it appears that over time there has been an upward trend in the
number of people being tried and convicted on charges such as the
one in this case.]
THE NEW PUBLICATIONS
Available at http://store.sans.org
Securing Linux-A Survival Guide for Linux Security (Version 1.0)
As the Linux operating system has matured and grown in popularity,
security risks have increased. SANS is pleased to announce publication
of Securing Linux, a collaborative effort from many authorities who
work with and secure Linux on a daily basis. This new addition to the
Security Step-by-Step guides is not just an update to the previous
Linux Step-by-Step from SANS. The book is a complete rewrite from
the ground up, showing the latest in best practices for securing
a Linux system. Check it out: the 104-page definitive guide is not
only for security experts. The novice experimenting with Linux at
home or in the workplace will benefit from this guide, which covers
both workstations and many server setups.
Printed Version-Product ID: LIN.1, Price $39.
PDF Departmental License-Product ID: LIN.2, Price: $299.
PDF Unlimited User License-Product ID: LIN.3, Price: $1800
Computer Security Incident Handling (Version 2.3.1)
Slow down. Think. Follow procedures. In the heat of the
moment, when an incident has been discovered, rushed decision-making
may not be effective. By setting up policies, procedures, and
agreements in advance, you minimize the chance of making catastrophic
mistakes. This is why even the most experienced incident handling
experts follow well defined and systematic procedures for responding
to security-related incidents. Computer Security Incident Handling
reflects the experience of incident handlers from more than 50
commercial, government and educational organizations. It is the first
step in creating a set of incident handling procedures tailored to
your organization's environment. Buy this book now and start reading.
Printed Version-Product ID: LIN.1, Price $39.
PDF Departmental License-Product ID: LIN.2, Price: $299.
PDF Unlimited User License-Product ID: LIN.3, Price: $1800
Securing Windows 2000 Professional Using the Gold Standard Security
Template
(Version 3.0)
The Windows 2000 Gold Standard is the textbook for SANS' hands-on
course that combines labs and lectures to teach the tools and
process that can be used to establish, maintain and audit the Gold
Standard. The US National Security Agency studied the successful
system compromises of Windows 2000 during the past 18 months and
found that more than 85% of them would have been blocked had the
owners been using the Gold Standard, which was jointly developed
by the Center for Internet Security, NSA, NIST and GSA. Do you
know all of the settings and tweaks it takes to thoughtfully harden
the OS while keeping it operational enough to participate on your
network? To thoroughly understand the Gold Standard and how it can be
used, buy this book and start reading. Learn what it takes to secure
Windows 2000 Professional, with every setting clearly documented and
explained. Printed Version-Product ID: W2PG.1, Price: $39
Do you have questions? Write to us at store sans.org. You can order
these books today at http://store.sans.org.
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Lance Spitzner
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/