SANS NewsBites Vol. 5 Num. 18
From: The SANS Institute (NewsBites sans.org)
Date: Wed May 07 2003 - 12:00:44 CDT
Useful New Free Security Data and a Call For Papers
What's the Best Firewall? How Does a Reverse Proxy Work?
For answers to these and other popular questions, go to the new:
Internet Guide To Popular Resources On Information Security
http://www.sans.org/resources/popular.php
Help us get real-world security solutions and knowledge into the
hands of front line practitioners and their managers. This is your
invitation to participate in a world-wide web broadcast on July 9th,
2003. The goal is to allow members of the security community to share
their unique security research and operational implementations with
peers all over the world. The focus of this technical symposium will be
Enterprise Infrastructure Protection: Securing Your Corporate Homeland.
Visit http://www.sans.org/esymposium2003/ for more information.
***********************************************************************
SANS NewsBites May 7, 2003 Vol. 5, Num. 18
***********************************************************************
TOP OF THE NEWS
Lawsuit Against Microsoft and ISPs Filed Over Slammer Damage
Four Students Reach Settlement Agreements with RIAA
Microsoft Considering External Patch Testing
Majority of Cyber Crime Losses are Due to Data Theft
THE REST OF THE WEEK'S NEWS
Oracle Database Server Buffer Overflow Vulnerability
ISS Confirms Web Hack; Claims It Was A Honeypot
Apple Fixes On-Line Store Vulnerability
Couple Arrested for Allegedly Stealing Credit Reports, Using Info to
Make Purchases
RIAA Sends Peer-to-Peer Users Warnings by Instant Messaging
New Jersey Institute of Technology Disables Use of Peer-to-Peer Sites
Peer-to-Peer Users Block Instant Message Warnings
Internet Radio Network Hacked
Klez Still Most Widely Reported Worm; Infection Rates are Down
Remote Users' Anti-Virus Software Not Updated Frequently Enough
Wisconsin High School Students Investigated for Altering Grades
Pending New Hampshire Legislation Could Make it Harder to Prosecute
War Drivers
ITAA Survey Says IT Hiring is Likely to Decrease
Study Predicts Significant Growth in Information Security Services
Market
Overseas Software Development is Cause for Concern
TUTORIAL
Web Site Authentication Auditing: Part II
NEW SECURITY TRAINING PROGRAMS ANNOUNCED
SANS has added several additional cities to its schedule of immersion
security training:
Chicago, IL, May 18-23 (2 tracks)
Atlanta, GA, June 2-7 (2 tracks)
Monterey, CA, June 11-26 (6 tracks)
San Francisco, June 18-23 (2 tracks, including new management track)
London, UK, June 23-28 (5 tracks)
Washington, DC, July 14-19 (9 tracks, including new management track)
Washington, DC, July 21-22 (Nat'l. Info. Assurance Leadership Conf.)
Melbourne, AU, July 28 - Aug 2 (2 tracks)
Plus online courses and local mentor programs in 45 cities.
See http://www.sans.org
********************** Sponsored by GuardedNet ************************
Event Correlation - Security's Holy Grail?
GuardedNet's neuSECURE is a central monitoring system for log
aggregation and correlation of events from firewalls, IDS', native
systems and routers.
neuSECURE enables security teams to detect attacks in real-time,
pulling the proverbial needle out of the haystack.
Sign up to receive a free white paper on event correlation at
http://www.guarded.net/secondary/sans_correlation.html
***********************************************************************
TOP OF THE NEWS
--Lawsuit Against Microsoft and ISPs Filed Over Slammer Damage
(30 April 2003)
A Korean civic group has filed a damage suit against Internet service
providers (ISPs), the Information Ministry, and Microsoft for damages
caused by the outbreak of the Slammer worm in January. The suit,
which was filed on behalf of Internet users, Internet salon owners
and an Internet shopping mall, alleges Microsoft servers came with
security flaws and the company did not inform them of the risks.
http://english.chosun.com/w21data/html/news/200304/200304300025.html
--Four Students Reach Settlement Agreements with RIAA
(1/2 May 2003)
The Recording Industry Association of America (RIAA) has reached
settlements with four college students it says were running illegal
music file sharing services. The students will each pay the RIAA
between $12,000 and $17,500. Attorneys for a Princeton University
student involved in the case said their client had reached a settlement
with the RIAA but had not admitted guilt.
http://www.washingtonpost.com/wp-dyn/articles/A2755-2003May1.html
http://www.wired.com/news/digiwood/0,1412,58707,00.html
[Editor's Note (Schneier): The money is trivial (though not to the
students involved, most likely), but the precedent is interesting.
Looks like the RIAA pushed and they blinked.]
--Microsoft Considering External Patch Testing
(30 April 2003)
Microsoft is considering testing patches externally before releasing
them to the general public. Because patches are often created very
quickly, there is not adequate time to test them for efficacy and to
ensure that they do not cause other problems.
http://www.theregister.co.uk/content/55/30464.html
--Majority of Cyber Crime Losses are Due to Data Theft
(30 April 2003)
An IBM research report, Information at Risk, suggests that most
monetary losses businesses suffer from cyber crime are due not to virus
attacks but to data and intellectual property theft. The report,
which used data from the UK's National Hi-Tech crime Unit (NHTCU)
and the US Computer Security Unit, found that UK companies lost 145
million pounds (approximately $233 million) to cyber crime last year.
http://www.vnunet.com/News/1140571
[Editor's Note (Schneier): I had an article on just this subject back
in December <http://www.counterpane.com/crypto-gram-0212.html#7> --
not that it should come as news in any case.]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) FREE White Paper: How A Hacker Launches A Web App Attack!
http://www.sans.org/cgi-bin/sanspromo/NB165
(2) ALERT: Top 8 SPAM BLOCKING methods. ***FREE White paper***
http://www.sans.org/cgi-bin/sanspromo/NB166
(3) Instantly stop DDoS attacks and port scans.
Hands-on, online demo-- launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/NB167
***********************************************************************
THE REST OF THE WEEK'S NEWS
--Oracle Database Server Buffer Overflow Vulnerability
(29 April 2003)
Oracle has released a patch for a buffer overflow vulnerability
in all supported versions of Oracle database servers. An attacker
could exploit the vulnerability to alter data and to take control of
the machine hosting the database server. The vulnerability affects
Oracle 7 Release 7.3.x, all releases of Oracle 8 and 8i, and releases
1 and 2 of Oracle 9i database. Oracle has released patches for two
versions of 9i and one version of 8i, as well as a patch for version
8.0.6.3 for customers with extended maintenance support, but does
not intend to release patches for earlier versions.
http://www.infoworld.com/article/03/04/29/HNoraclepatch_1.html
http://www.eweek.com/article2/0,3959,1047710,00.asp
[Editor's Note (Schneier): So Oracle's "unbreakable" database isn't
after all? Imagine our surprise.
(Schultz): I presume that Larry Ellison will now retract his statement
that this product is hackproof?]
--ISS Confirms Web Hack; Claims It Was A Honeypot
(6 May 2003)
A web site offering and delivering free versions of BlackICE to
college students was hacked. Shortly thereafter, ISS's Chris Klaus
declared that despite its use of a valid ISS domain name and its use
for delivering software to students, the system "was not a production
system" and was "configured to include numerous vulnerabilities,
including several well-known, older vulnerabilities."
http://www.zdnet.com.au/newstech/security/story/0,2000048600,20274253,00.htm
http://www.zdnet.com.au/newstech/security/story/0,2000048600,20274289,00.htm
--Apple Fixes On-Line Store Vulnerability
(5 May 2003)
Apple has fixed a vulnerability in its on-line store that could have
allowed an attacker to hijack a customer account without knowing
anything more than an e-mail address. The flaw was in the part of
the store that helps people who have forgotten their passwords; the
person who discovered the flaw found that by cutting and pasting a
certain hash into another page, he was able to change his password
without having to answer the secret question.
http://www.wired.com/news/privacy/0,1848,58718,00.html
--Couple Arrested for Allegedly Stealing Credit Reports, Using Info
to Make Purchases
(1 May 2003)
A woman who worked at Weichert Financial Services in New Jersey
and a man she lives with have been charged with using fraudulently
obtained credit reports to make Internet purchases. Mary Louissaint
and Ronald Hyppolyte are being held without bail. More than 3,700
credit reports were allegedly illegally accessed through Weichert
Financial's computer system, some of them from a computer at an
address where Louissaint and Hyppolyte recently lived.
http://www.philly.com/mld/philly/news/local/5762824.htm
--RIAA Sends Peer-to-Peer Users Warnings by Instant Messaging
(29/30 April 2003)
The Recording Industry Association of America (RIAA) has begun sending
instant messages to people using Grokster and Kazaa file-sharing
services, warning them that they may be violating copyright laws
which could result in legal action.
http://www.washingtonpost.com/wp-dyn/articles/A56869-2003Apr29.html
http://www.wired.com/news/digiwood/0,1412,58676,00.html
http://news.com.com/2100-1025-998825.html
[Editor's Note (Grefer): Instant messaging could also be used by the
RIAA to quickly identify which of the nodes previously detected by
their bots is currently active.]
--New Jersey Institute of Technology Disables Use of Peer-to-Peer
Sites
(2 May 2003)
In light of the recent actions the Recording Industry Association of
America (RIAA) has taken against college students who allegedly ran
file swapping sites on school networks, the New Jersey Institute of
Technology has disabled the use of peer-to-peer sites on the campus
computer network.
http://www.wired.com/news/digiwood/0,1412,58698,00.html
--Peer-to-Peer Users Block Instant Message Warnings
(30 April 2003)
Peer-to-peer users have begun blocking the ranges of IP addresses
used to send the copyright violation warning messages.
http://www.securityfocus.com/news/4359
--Internet Radio Network Hacked
(2 May 2003)
Hackers broke into the computer network of Denver-based Internet radio
network w3w3 and stole names and e-mail addresses of 1,000 people
who had registered for a cybersecurity conference sponsored by w3w3.
Damages were estimated to be more than $50,000; the FBI is expected
to investigate.
http://www.rockymountainnews.com/drmn/business/article/0,1299,DRMN_4_1931529,00.html
--Klez Still Most Widely Reported Worm; Infection Rates are Down
(30 April 2003)
The Klez worm heads the list of Central Command's most reported
viruses; however, the overall infection rate has dropped considerably
since last April. Klez was followed by Yaha, Sobig and Lovgate.
Klez also headed the list from Sophos, followed by Lovgate, Bugbear
and Sobig. Sophos has also called attention to the appearance of
Datemake, dialer malware that tries to dial up premium phone lines
and run up large phone bills.
http://www.centralcommand.com/30042003.html
http://news.zdnet.co.uk/story/0,,t269-s2134120,00.html
--Remote Users' Anti-Virus Software Not Updated Frequently Enough
(29 April 2003)
A Sophos press release expresses concern that businesses are not
adequately protecting computers used by remote workers from worms,
viruses and other malware. Though 66% of 3,000 businesses polled
update their office anti-virus signatures daily, 70% update remote
computers' signatures less often than once a week, with 45% updating
them once a month. More and more businesses are employing remote
workers, which can increase network security risks.
http://www.sophos.com/pressoffice/pressrel/uk/20030429survey.html
--Wisconsin High School Students Investigated for Altering Grades
(30 April 2003)
A group of students at Stoughton High School in Stoughton, Wisconsin
allegedly bought keystroke logging software for less than $100 on the
Internet and used it to break into their school's computer system and
alter their grades. Approximately 20 students are being investigated;
some have begun suspensions and are awaiting decisions on expulsion.
http://www.madison.com/captimes/news/stories/47911.php
--Pending New Hampshire Legislation Could Make it Harder to Prosecute
War Drivers
(29 April 2003)
A bill being considered by the New Hampshire state legislature would
protect people who access unsecured wireless networks. The legislation
would require wireless network operators to secure their networks
or lose ground in their ability to prosecute those who access them
without permission.
http://www.wired.com/news/wireless/0,1382,58651,00.html
--ITAA Survey Says IT Hiring is Likely to Decrease
(5 May 2003)
A recent Information Technology Association of America (ITAA) survey
of 400 technology and nontechnology hiring managers indicates that
IT hiring is likely to stay the same or decrease over the next year.
Companies are also increasingly moving some of their operations
overseas to save on labor costs.
http://news.com.com/2100-1022_3-999782.html
--Study Predicts Significant Growth in Information Security Services
Market
(29 April 2003)
A study from IDC titled "Worldwide and U.S. Information Security
Forecast 2003 - 2007," predicts that the market for information
security services will grow to more than $23.5 billion over the next
four years, which amounts to more than 20% annual growth.
http://www.computerworld.com/securitytopics/security/story/0,10801,80790,00.html
--Overseas Software Development is Cause for Concern
(5 May 2003)
Because of the current international security climate, some IT
professionals have expressed concern that US companies are outsourcing
software development to foreign countries, including India, China
and Pakistan, where it is more difficult to assess security risks.
http://www.computerworld.com/managementtopics/management/outsourcing/story/0,10801,80935,00.html
[Editor's Note (Northcutt): This really isn't news, but it is a
reminder for all of us to consider the risks of outsourcing no
matter where it is done. Just prior to Y2K, CIA analyst Terrill
Maynard released a report saying that these same countries have an
information warfare capability and might insert code during outsourced
Y2K remediation.
http://catless.ncl.ac.uk/Risks/20.61.html
http://www.chaosprotocol.com/reuters_oct1_1999.htm]
TUTORIAL
--Web Site Authentication Auditing: Part II
(5 May 2003)
The second half of a two-part article on web site authentication
auditing provides a list of questions organizations can ask themselves
about user privacy, session authentication, user security and cookies.
http://www.securityfocus.com/infocus/1691
---end---
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/