SANS NewsBites Vol. 5 Num. 22

From: The SANS Institute (NewsBites@sans.org)
Date: Wed Jun 04 2003 - 13:10:09 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Correction: In the note we sent you Monday about new developments in
standards and benchmarks for security assessments, we inadvertently
pointed you to an out-of-date agenda for the July 21-22 National
Information Assurance Leadership Conference in Washington (which focuses
on the most important new standards and benchmarks, and an updated
threat briefing). The updated information is at
http://www.sans.org/sansfire03/nial.php

Today (June 4) is the deadline for early registration for both SANSFIRE
2003 and the National Information Assurance Leadership Conference. To
help you decide whether they are applicable to your needs, we included
a brief description of both programs at the end of this issue of
NewsBites. Online registration: http://www.sans.org/sansfire03

***********************************************************************
SANS NewsBites June 4, 2003 Vol. 5, Num. 22
***********************************************************************

TOP OF THE NEWS
  Preparing for California's New Security Breach Disclosure Law
  Univ. of Calgary Defends Decision to Offer Virus-Writing Course
  CSI/FBI Study Shows Cyber Crime Losses are Dropping
  UK's NHTCU Will Offer PR Assistance to Companies that Follow Through
     with Prosecuting Cyber Criminals

THE REST OF THE WEEK'S NEWS
  Microsoft to Offer Windows Security Credentials
  W32/Sobig.C Worm
  Palyh and Fizzer More Prevalent than Klez
  Yahoo Offers Fixes for IM and Chat Clients
  Hacker Breaks Into Colorado Health Clinic System
  Company Releases Info on Sun Vulnerabilities Before Fixes are
     Available
  Tiger Team Program Teaches Teens Ethical Hacking
  Microsoft Issues Bulletins for Vulnerabilities in IIS and Windows
     Media Services
  Researcher Says Microsoft Bulletin is Misleading
  Microsoft Updates Two Bulletins from Earlier this Spring
  Apache HTTP Server Vulnerabilities
  Malware Myths Debunked, Part II
  OMB's FY 2002 GISRA Shows Improvement, Room for Growth
  Microsoft Pulls XP Update After Customers Complain of Losing Internet
     Connectivity
  IDC Survey Finds 72% of Asian Companies Suffered Network Intrusions
  KaZaA Patches FastTrack Vulnerability
  The Potential Risks of "Good Worms"

*********************** Sponsored by Websense ***********************

Deadly Internet Sin #2: GLUTTONY

Stop movies, music or Internet gaming from eating up your IT resources.
Limit multi-media downloads with Websense Enterprise software. A
superior database, flexible filtering options, comprehensive reporting
and seamless integration have made Websense the preferred employee
Internet management software of the Fortune 500.

Visit http://www.websense.com?id=NL15948 and download a free, 30-day
trial.

***********************************************************************

TOP OF THE NEWS

 --Preparing for California's New Security Breach Disclosure Law
(30 May 2003)
This article addresses the implications of California's new law
requiring businesses to notify affected California residents when
unencrypted personal data about them is exposed in a security breach.
Any business that holds personal data on California residents, wherever
the business is located, is covered by the law, which goes into effect
in less than one month. The law does not require companies to report
breaches of encrypted personal data. The article also offers
suggestions for getting ready to comply with the new law, including
creating incident response plans, reviewing third-party contracts that
involve sensitive data and evaluating the cost-effectiveness of
encrypting all stored customer data.
http://www.net-security.org/article.php?id=500

 --Univ. of Calgary Defends Decision to Offer Virus-Writing Course
(29/30 May 2003)
The University of Calgary has described the precautions that will be
taken for a course in virus writing to be offered in the fall:
students' work will be confined to a closed network, no storage media
will be allowed out of the locked laboratory, and removable media will
be destroyed and hard drives scrubbed at the close of the semester. In
addition, students will receive instruction in cyber ethics and law.
Some anti-virus firms have made clear that they will not hire people
who have taken such a course.
http://www.zdnet.com.au/techcentre/antivirus/news/story/0,2000044973,20274911,00.htm
http://www.informationweek.com/story/showArticle.jhtml?articleID=10100515
http://www.pcworld.com/news/article/0,aid,110938,00.asp
[Editor's Note (Schultz): These precautions seem superfluous. At a
minimum, I would think that putting in place a measure for assigning
any student a failing grade during or even after the course, if that
student were to misuse the knowledge gained in the course, would be
more reasonable.
(Grefer): While such training increases knowledge of the inner workings
of malware and can be helpful in developing better defenses, it bears
a high risk, too. I have my doubts about the viability of enforcing the
"no storage media will be allowed out" policy. USB storage key chains
are very small, offer sufficient capacity, and can be hidden anywhere.
Short of a strip search and/or extremely sensitive scanners, they'll be
hard to detect. Similarly, a wireless card is easy to install and allows
for external access to the lab's computers. And this list could go on
and on and on.]

 --CSI/FBI Study Shows Cyber Crime Losses are Dropping
(29/30 May 2003)
The most recent Computer Crime and Security Survey from the Computer
Security Institute (CSI) and the FBI found that US losses from cyber
crimes have fallen significantly. Last year, 503 survey respondents
reported $455.8 million in losses from cyber crimes; this year, 503
respondents reported $201.8 million in losses. The number of
significant incidents reported has remained steady. The study also
found that only 30% of respondents reported cyber attacks to law
enforcement.
http://www.eweek.com/article2/0,3959,1112190,00.asp
http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=10100545
http://www.theregister.co.uk/content/55/30952.html

 --UK's NHTCU Will Offer PR Assistance to Companies that Follow Through
     with Prosecuting Cyber Criminals
(27 May 2003)
In an attempt to encourage more companies to follow through with the
prosecution of people accused of cyber crimes, the UK's National
Hi-Tech Crime Unit (NHTCU) has formed a public relations group to help
those companies manage any negative publicity generated by the trials.
Though a confidentiality charter allows companies to report cyber crimes
without fear of public disclosure, many have been pulling out of
prosecutions for fear of the negative publicity.
http://www.vnunet.com/News/1141184
[Editor's Note (Schultz): What a clever idea! I would not at all be
surprised if it works.]

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) ALERT: Top 8 SPAM BLOCKING methods. ***FREE White paper***
http://www.sans.org/cgi-bin/sanspromo/NB177

(2) FREE White Paper: "Top Web Application Attack Techniques!"
http://www.sans.org/cgi-bin/sanspromo/NB178
***********************************************************************

THE REST OF THE WEEK'S NEWS

 --Microsoft to Offer Windows Security Credentials
(2 June 2003)
Microsoft has created certification credentials for IT administrators
and engineers who focus on Windows security. The "Microsoft Certified
Systems Engineer (MCSE) Security on Microsoft Windows 2000"
certification requires passing grades on six core exams and
demonstration of a security specialty. The "Microsoft Certified Systems
Administrator (MCSA): Security on Microsoft Windows 2000" certification
requires a total of five exams.
http://www.computerworld.com/printthis/2003/0,4814,81715,00.html
[Editor's Note (Paller): Microsoft emphasizes that these are not "new
certifications" but rather new names for existing specializations within
MCSE and MCSA. These specializations have been available (without the
special names) for years, and a minuscule number of MCSE candidates have
chosen to pursue them. Most Windows security breaches are made possible
by unsafe configurations installed and maintained by people who have
Administrator privileges but do not have security skills. Continuing to
allow people to earn MCSE or MCSA certification without ensuring they
have mastered the basics of security implies that Microsoft still
doesn't "get it."]

 --W32/Sobig.C Worm
(2 June 2003)
The W32/Sobig.C-mm worm arrives with a forged sender address, sometimes
appearing to be from Bill Gates. Sobig.C sends itself to e-mail
addresses harvested from infected computers. The worm also uses a
variety of attachment names, including screensaver.scr, movie.pif and
documents.pif. Interestingly, Sobig.C appeared the same day Sobig.B
expired.
http://news.bbc.co.uk/1/hi/technology/2956646.stm
http://news.com.com/2100-1002_3-1012059.html
http://zdnet.com.com/2100-1105_2-1012016.html
http://www.f-secure.com/news/items/news_2003060201.shtml
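
Added example (not part of the original NewsBites item or of any
vendor's code): a Python triage function that a mail gateway could run
against the two traits the item describes, attachment names that are
Windows executables (.scr, .pif) and a forged From: address. It
generalises the three reported names to the whole set of directly
executable extensions, which is the rule that actually stops the next
variant. The two sample messages are constructed for the example, not
captured Sobig.C mail, and the code assumes the receiving MTA has
stamped a Return-Path header carrying the envelope sender.

```python
import email
import email.utils
import os
from email import policy

# Attachment names the item above lists for W32/Sobig.C. The extension set is
# the general rule behind them: Windows runs these directly, so a gateway has no
# business delivering them whatever the file is called.
SOBIG_C_NAMES = {"screensaver.scr", "movie.pif", "documents.pif"}
EXECUTABLE_EXTENSIONS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess_message(raw: bytes) -> dict:
    """Return {'verdict': 'quarantine' | 'review' | 'deliver', 'findings': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    executable = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()  # 'report.doc.pif' -> '.pif'
        if ext in EXECUTABLE_EXTENSIONS:
            executable = True
            findings.append(f"executable attachment {name!r}")
        if name.lower() in SOBIG_C_NAMES:
            findings.append(f"attachment name {name!r} matches Sobig.C")
    # Sobig forges From:, so the header sender and the envelope sender disagree.
    # Assumption: the receiving MTA records the envelope sender as Return-Path.
    # Forwarders and mailing lists produce the same mismatch legitimately, so on
    # its own this earns a review, never a block.
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    envelope = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    if from_addr and envelope and _domain(from_addr) != _domain(envelope):
        findings.append(
            f"From domain {_domain(from_addr)} != Return-Path domain {_domain(envelope)}"
        )
    if executable:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real captures) to drive the function.
SAMPLE_SOBIG = b"""From: "Bill Gates" <bill@microsoft.com>
Return-Path: <infected-host@example.net>
To: victim@example.org
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please see the attached file.
--sep
Content-Type: application/octet-stream; name="movie.pif"
Content-Disposition: attachment; filename="movie.pif"

MZ placeholder bytes, not a real executable
--sep--
"""

SAMPLE_CLEAN = b"""From: Alice <alice@example.org>
Return-Path: <alice@example.org>
To: bob@example.org
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain

Noon?
"""

if __name__ == "__main__":
    for label, raw in (("sobig", SAMPLE_SOBIG), ("clean", SAMPLE_CLEAN)):
        print(label, assess_message(raw))
```

The executable-extension test decides on its own; the sender-domain
mismatch only corroborates, because a block on that signal alone would
also stop every forwarded and list-relayed message.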

 --Palyh and Fizzer More Prevalent than Klez
(30 May 2003)
The Palyh and Fizzer worms have bumped the Klez worm from the top
position on both the Sophos and MessageLabs monthly virus report lists,
a position it had held for 16 months. On Central Command's list, Palyh
bumped Klez down to the second spot.
http://www.silicon.com/news/500013/1/4427.html
http://www.theregister.co.uk/content/56/30961.html
http://www.centralcommand.com/30052003.html

 --Yahoo Offers Fixes for IM and Chat Clients
(30 May 2003)
Yahoo has patches available for buffer overflow vulnerabilities in its
Yahoo Instant Messenger and Yahoo Chat clients; the vulnerabilities
could be exploited to allow malicious code to execute on users'
machines. Users have been receiving messages encouraging them to apply
the patches.
http://news.com.com/2102-1032_3-1011847.html?tag=ni_print

 --Hacker Breaks Into Colorado Health Clinic System
(30 May 2003)
A hacker infiltrated the computer system at Southwest Family Medicine
in Littleton, Colorado, leaving staff and patients wondering what
personal data have been exposed. The clinic's office manager said they
had mistakenly believed that their computer consultants had addressed
security appropriately.
http://www.thedenverchannel.com/health/2239887/detail.html

 --Company Releases Info on Sun Vulnerabilities Before Fixes are Available
(30 May 2003)
Security firm SPI Dynamics has released information about a handful of
vulnerabilities in Sun ONE Application Server 7.0 before Sun had
released patches or workarounds for the flaws. A Sun spokesperson said
one of the flaws had been addressed in Update 1 for Application Server
7.0 and that the others will be addressed in Update 2, due out in
August. SPI Dynamics maintains that Sun never responded to its attempts
to communicate about the vulnerabilities; the Sun spokesperson says SPI
was informed of Sun's plans to address the flaws.
http://www.internetnews.com/dev-news/article.php/2214731
[Editor's Note (Ranum): This story underscores the problem with today's
focus on disclosure instead of practicing security: we're left with a
vendor and a bunch of hackers or "security researchers" pointing fingers
at each other.]

 --Tiger Team Program Teaches Teens Ethical Hacking
(29 May 2003)
Teenagers in southern Maine with a demonstrated interest in and aptitude
for computer skills have the opportunity to participate in a program
called "Tiger Team." Developed by Andrew Robinson, who has an
information security company in Portland, the program teaches the
teenagers ethical hacking. Robinson hopes that the skills they acquire
will help them get jobs.
http://www.nytimes.com/2003/05/29/technology/circuits/29hack.html?pagewanted=print&position=

 --Microsoft Issues Bulletins for Vulnerabilities in IIS and Windows
     Media Services
(29 May 2003)
Microsoft has released two security bulletins. The first addresses
flaws in Internet Information Server (IIS), including a
denial-of-service vulnerability in IIS versions 5.0 and 5.1. Microsoft
has issued a cumulative patch for IIS, which covers versions 4.0, 5.0
and 5.1. The second bulletin addresses a flaw in the ISAPI Extension
for Windows Media Services; the vulnerability affects Windows NT 4.0
and 2000.
http://www.computerworld.com/printthis/2003/0,4814,81612,00.html
http://zdnet.com.com/2102-1105_2-1010884.html?tag=printthis
IIS Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS03-018.asp
Windows Media Services Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS03-019.asp

 --Researcher Says Microsoft Bulletin is Misleading
(30 May 2003)
Marc Maiffret of eEye Digital Security says the recent Windows Media
Services bulletin is misleading. While the bulletin tells customers
that the vulnerability could allow a denial-of-service and that the web
server will automatically restart, Maiffret maintains "If you're running
Windows Media Services on IIS, attackers can spawn a remote shell
'command prompt' on your vulnerable system."
http://www.smh.com.au/articles/2003/05/30/1054177706964.html

 --Microsoft Updates Two Bulletins from Earlier this Spring
(29 May 2003)
Microsoft has released updates for two previously released bulletins.
The first updates MS03-007, originally released in March, and is for a
vulnerability in ntdll.dll. The patch now addresses the vulnerability
in the Windows NT and XP platforms. The second is for MS03-013,
originally released in April. The original patch caused performance
problems for some users after the fix was installed. The update
addresses those problems.
http://www.idg.net/go.cgi?id=805688
Updated bulletins:
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
http://www.microsoft.com/technet/security/bulletin/MS03-013.asp

 --Apache HTTP Server Vulnerabilities
(28/29 May 2003)
A newly released version of Apache HTTP Server, 2.0.46, addresses a
handful of security vulnerabilities, including one in the component
that handles WebDAV requests, which could let an attacker crash the
server, and another that allows a denial-of-service attack against
Apache's authentication module. The vulnerabilities affect Apache
versions 2.0.37 through 2.0.45; Apache strongly encourages users to
upgrade to the new version.
http://www.nwfusion.com/news/2003/0528apachgroup.html
http://siliconvalley.internet.com/news/article.php/2213341
http://www.computerworld.com/printthis/2003/0,4814,81612,00.html

 --Malware Myths Debunked, Part II
(28 May 2003)
The second article in a three-part series dispels more myths people hold
about their protection from computer malware. This installment
addresses user beliefs about safe e-mail habits, firewalls and intrusion
detection systems.
http://www.securityfocus.com/infocus/1698

 --OMB's FY 2002 GISRA Shows Improvement, Room for Growth
(27/28 May 2003)
The Office of Management and Budget's (OMB) fiscal 2002 Government
Information Security Reform Act (GISRA) report found that federal
agencies have taken steps to improve their information technology
security when compared to the baseline data recorded in the fiscal 2001
GISRA report. However, the new report outlines some new concerns:
systems are not being evaluated annually, the same weaknesses appear
every year and agency program officials are not taking responsibility
for the security of their computer systems.
http://www.gcn.com/vol1_no1/daily-updates/22217-1.html
http://www.fcw.com/fcw/articles/2003/0526/web-gisra-05-27-03.asp
http://dc.internet.com/news/article.php/2213081

 --Microsoft Pulls XP Update After Customers Complain of Losing Internet
     Connectivity
(27 May 2003)
Microsoft has removed a Windows XP IPSec security update from its web
site because the update broke Internet connectivity for some users. It
was evidently incompatible with certain security software; connectivity
was restored once the update was removed.
http://www.washingtonpost.com/ac2/wp-dyn/A45119-2003May27?language=printer
http://www.computerworld.com/printthis/2003/0,4814,81575,00.html

 --IDC Survey Finds 72% of Asian Companies Suffered Network Intrusions
(27 May 2003)
An IDC survey of more than 1,000 companies in nine Asian countries found
that 72% reported having experienced network intrusions. Though 97% of
the companies surveyed have anti-virus protection, most of them use
off-the-shelf products.
http://zdnet.com.com/2102-1105_2-1010044.html?tag=printthis

 --KaZaA Patches FastTrack Vulnerability
(27 May 2003)
KaZaA has released a patch for a flaw in the program that drives the
FastTrack network. The flaw could allow attackers to gain control of
or crash supernodes to which the filesharers connect. The person who
found the vulnerability claims to have exploited it, but says he will
not make the exploit code public. Other peer-to-peer file sharing
services also use FastTrack.
http://news.com.com/2102-1027_3-1010022.html?tag=ni_print

 --The Potential Risks of "Good Worms"
(26 May 2003)
Martha Stansell-Gamm, chief of the Computer Crime and Intellectual
Property Section at the U.S. Department of Justice, addresses the
ethical and legal issues surrounding the potential release of "good
worms." Stansell-Gamm notes that while releasing such a worm may
constitute a felony, there are ways to obtain authorization to alter
data on someone else's computer.
http://www.eweek.com/article2/0,3959,1109605,00.asp

==end==

********************************************************************
Overview of the National Information Assurance Leadership Conference
Washington, DC July 21-22
The National Information Assurance Leadership Conference is a special
conference designed for security managers, senior security
professionals, and the people who perform security audits and
assessments. It combines three programs in one:
(1) a set of completely new briefings on emerging standards and
benchmarks for security acquisition, audit, and assessments -- both
federal and commercial, and audit controls that work.
(2) technology updates on new security tools and issues from .NET to
vulnerability management, and
(3) a breathtaking series of threat briefings that are more detailed
and incisive (and scary) than anything other than classified military
intelligence briefings

Add to all that keynote presentations by Marcus Sachs of the Department
of Homeland Security and by the nation's first Cyber Security Czar,
Richard Clarke, and the (surprising) Information Security Leadership
Awards presentations, and you have a program that should not be missed.

Registration information and detailed agenda at
http://www.sans.org/sansfire03/nial.php

**************************************************
Brief Summary of the training programs at SANSFire
Washington, DC, July 14-19

NIAL is running right after SANSFIRE, and they are both in Washington,
D.C. so we close by listing the wonderful, four, five, and six-day
tracks that provide immersion training by the nation's best security
teachers. Security and system administration staff cannot be expected
to have systems meet any standards if they do not have the opportunity
to get up-to-date training and certifications.

Here's what a few recent students said about these tracks:

   "The most valuable training experience I have had. Really
    opened my eyes to true information security and its
    implementation." (Nicole Saper, Los Alamos National Labs)

   "SANS has proven itself to be the premier leader in training.
    That they focus on security training makes it that much more
    beneficial for our industry. These guys have it down to an art."
    (Daniel Baker, The Consultant Registry)

SANS Security +S
(Track 9)
SANS' foundational course that allows someone new to security to
understand the main issues and concepts fast. This course is designed
to prepare the student for both the CompTIA Security+ certification
and the GIAC GISO.

SANS Security Essentials and the CISSP 10 Domains
(Track 1)
Survival skills for system administrators who also have security
responsibility. It is also by far the best training for security
officers who want to know the CISSP material but also want to be able
to look at security through the eyes of system administrators - the only
people who can make sure systems are secured properly.

SANS Security Leadership Essentials for Managers
(Track 12)
The CIOs who attended the first run of this program said, "Just
perfect." It teaches the key concepts and technologies - from a
management perspective.

Firewalls, Perimeter Protection & Virtual Private Networks
(Track 2)
The minimum knowledge needed for anyone implementing and managing
firewalls or VPNs.

Intrusion Detection In-Depth
(Track 3)
The toughest, richest course in security - but an essential program for
anyone involved in intrusion detection.

Hacker Techniques, Exploits, and Incident Handling
(Track 4)
It is tough to stop hackers if you don't know how they get in. This
track teaches you their techniques and how to block them. It is also a
must-attend course for anyone involved in responding to security
incidents.

Securing Windows
(Track 5)
It is extraordinary what Microsoft fails to teach about threats and how
to block them. Track 5 fills the void with countermeasures that can be
used immediately upon returning to the office.

Securing UNIX
(Track 6)
Like Microsoft, the UNIX and Linux vendors fail to teach system
administrators about common threats and how to block them. Any CIO who
allows UNIX or Linux systems to be deployed in an important organization
without system admins certified in Track 6 material, is probably guilty
of malpractice. In both cases, Windows and Unix, it would be like
doctors sending samples to lab technicians without the right skills.

Auditing Networks, Perimeters, and Systems
(Track 7)
Auditors, even those with auditing certifications, are generally
untrained in the selection and use of automated tools for conducting
in-depth audits of systems. As more organizations demand security
audits, people with the skills taught in Track 7 will stand out more
and more from the rest of the audit community.

System Forensics, Investigation & Response
(Track 8)
Consultants and law enforcement people - in fact anyone who is called
in after an attack to find out what happened -will need the material
taught in Track 8.

====

That's actually not all. SANSFIRE will hold a large exposition of the
tools and services you need for a robust security program, as well as
nightly programs called SANSNIGHT that provide updates on the important
new developments in security.

 
Registration information:
     for SANSFIRE: http://www.sans.org/sansfire03/

Be afraid - very afraid! Load yourself with some armor for your
organization.
K. Taylor, U.S. Army Corps of Engineers

=================================================================

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+3eTP+LUG5KFpTkYRAiD7AJ9AQ43zph9f/+fxY2Zc3OLDAK13sQCbBoYc
BFXJjSGwAsh9pIgVst1cSR4=
=e+RR
-----END PGP SIGNATURE-----