SANS NewsBites Vol. 5 Num. 24
From: The SANS Institute (NewsBites sans.org)
Date: Wed Jun 18 2003 - 12:07:50 CDT
If you are coming to SANSFire in Washington in July, you'll be joining
more than 1,200 serious security people for a wonderful training program
plus a big security tools expo, our SANS Night short courses and
briefings, the NIAL program for security managers, and much more.
Please make sure to take advantage of the special SANS rates for rooms
at the conference site, the Washington Hilton. Enjoy the convenience of
no morning commute and be on site to participate in all short courses,
technical briefings and catered networking events. The special SANS rate
is available only through June 20, so make your reservation today at
202-483-3000.
SANSFire Information:
http://www.sans.org/sansfire03/
***********************************************************************
SANS NewsBites June 19, 2003 Vol. 5, Num. 24
***********************************************************************
TOP OF THE NEWS
Proposed Legislation Would Allow Spammers to be Sued
Bugbear Targets Banks; FBI is Investigating
SPECIAL SECTION: "IS IDS DEAD?"
Gartner IDS Report Evokes Strong Response
THE REST OF THE WEEK'S NEWS
CERT/CC Vulnerability Info Leaked Again
Software Piracy Ring Busted
Indian Law Seeks to Allay Fears of Foreign Data Exposure
New Trojan Spreading
Spammers May be Spreading AVF Virus
Man Sentenced for Sandia National Laboratories, Eglin AFB Intrusions
Man Admits to Attack on Al-Jazeera Web Site
Legal Issues Raised by Honeypots
Thai Cyber Vandals Must Help the Site They Defaced
Kifie-D Worm
Junior High School Student Faces Expulsion for Deleting Teachers'
Grade Files
Microsoft to Buy Anti-Virus Firm
Canadian Survey Finds IT Security Spending on the Rise
UK Police May Call in IT Professionals for Cyber Crime Help
Cisco Rolling Out Security Upgrades
GUEST EDITORIAL
Bruce Schneier on CyberTerrorism?
********* Sponsored by Check Point Software Technologies Ltd.**********
Defend Your Network Against Damaging Application-level Attacks
Organizations across the board are facing serious threats from attackers
attempting to misuse critical business applications. Check Point
FireWall-1 NG with Application Intelligence (tm) is redefining Internet
security by providing protection against these new and growing sets of
threats.
Read more in the white paper: http://www.checkpoint.com/adv/sans_appint
***********************************************************************
TOP OF THE NEWS
--Proposed Legislation Would Allow Spammers to be Sued
(13 June 2003)
US Senator Charles Schumer (D-NY) has introduced legislation that would
allow attorneys general, ISPs and individuals to file civil suits
against spammers. Dubbed the Stop Pornography and Abusive Marketing, or
SPAM Act, the bill would also require commercial e-mail to have accurate
headings and subject lines, have unsubscribe directions that work and
be labeled as advertising.
http://www.computerworld.com/printthis/2003/0,4814,82130,00.html
http://zdnet.com.com/2102-1105_2-1016779.html?tag=printthis
--Bugbear Targets Banks; FBI is Investigating
(9/10/11 June 2003)
The FBI is now investigating the Bugbear.B worm because it reportedly
targets financial institutions; the FBI has warned banks to be
especially vigilant because the worm's code allegedly contains domain
names for more than 1,000 banks worldwide. Bugbear.B installs a
keystroke logger, sends captured passwords back to one of several
mailboxes and can install backdoors on infected machines. The FBI hopes
to track down the worm's author.
http://www.gcn.com/vol1_no1/daily-updates/22367-1.html
http://www.computerworld.com/printthis/2003/0,4814,82015,00.html
http://www.cnn.com/2003/TECH/internet/06/10/virus.banks.ap/index.html
http://www.msnbc.com/news/922529.asp?0dm=C259T
SPECIAL SECTION: IS IDS DEAD?
--Gartner IDS Report Evokes Strong Response
(11/13 June 2003)
A recent Gartner report calls intrusion detection systems (IDS) "a
market failure" and recommends that IT managers instead focus their
spending on firewalls. Gartner maintains that IDS will be obsolete by
2005 due to their expense and lack of effectiveness. Cited problems
with IDS include false positives and negatives and the need for
full-time monitoring. Vendors disagree with the report's assertions.
http://www.eweek.com/print_article/0,3668,a=43256,00.asp
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=10300918
http://www3.gartner.com/5_about/press_releases/pr11june2003c.jsp
Several NewsBites editors certainly took exception, so we set aside a
special section for this discussion:
(Grefer): Distributed IDS with all their sensors can provide a wealth
of information not readily available from the intrusion prevention
systems he is touting. The audit function of an IDS should not be
eliminated from an information security in depth strategy without
spending considerable thought on the ramifications of such a decision.
(Schultz): The Gartner Group has done it again--made yet another wild
prediction from its "ivy tower" in the complete absence of hands-on
experience or having to live with the consequences of its prescriptions.
Part of what Gartner has said, namely that intrusion detection involves
a high financial cost, is true, but writing off intrusion detection
altogether, as Gartner has done, is completely irresponsible.
(Ranum): In private communications with Stiennon (the Gartner analyst),
he offered the shocking fact that - for all that they are hyping IPS -
the team at Gartner "doesn't know anyone who is using an IPS in inline
mode." That runs utterly contrary to the perception they are trying to
create that IPS is the "wave of the future." It just shows that P.T.
Barnum underestimated severely when he made his famous assessment of
Gartner's customer base. "There's a Gartner Customer born every minute."
(Northcutt): HYPE ALERT! They aren't actually saying ditch IDS; they
are really saying use a firewall with IDS capability instead, the so
called intrusion protection approach. This is an ancient discussion:
is an all-in-one plastic stereo like the one you had in your college
dorm room better than a carefully selected set of devices? It comes
down to the level of investment an organization wants to make: is the
increase in quality worth the price from an organization's perspective?
Since well over 50% of most organizations' value is intellectual
property, the answer is probably a resounding yes; it is worth having
monitoring systems and people trained to analyze what they detect. An
intrusion detection system with trained analysts provides a means of
seeing the attacks and adjusting your defenses. IPS does not.
Here's what other smart people say about the value of IDS:
Arrigo Trizulli - PhD & IDS Designer, Geneva
The reason IDS has been ineffective is that it has been badly deployed
and nobody bothered to train the analysts. An initial, guaranteed, road
to failure in any security model is to deploy monitoring systems and
then never look at the screens. Then you can complete the failure by
mis-configuring the monitoring systems: CCTV cameras pointing at the
sky have rarely caught burglars coming through the front door.
Jamie French - IDS Analyst, Ottawa
Winn Schwartau's concept of time based security is key here. You need
the ability to detect malicious network activity. Until you detect,
you can't prevent or react!
Ben Bower - Lead Author, Windows 2000 Professional: The Gold Standard,
Canberra
Prevention is nice, Detection is a must. Until prevention is 100% we
will always require detection. Detection is the last line of defense
that many organizations possess.
Mark Cooper - Author, Intrusion Signatures and Analysis, 3rd edition,
Manchester UK
IDS systems are the (NSA/CIA/FBI/MI5/whatever) of the IT world. They
give you a real-time picture of who's trying to do what to your
business, so you can head the bad guys off at the pass.
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Best Practices for Incident Response - Sign up for the
practitioner's guide at
http://www.sans.org/cgi-bin/sanspromo/NB183
(2) ALERT: Top 8 SPAM BLOCKING methods. ***FREE White paper***
http://www.sans.org/cgi-bin/sanspromo/NB184
(3) ALERT: "How a Hacker Launches a SQL Injection Attack Step-by-Step"-
White Paper
http://www.sans.org/cgi-bin/sanspromo/NB185
***********************************************************************
THE REST OF THE WEEK'S NEWS
--CERT/CC Vulnerability Info Leaked Again
(16 June 2003)
Information from a Computer Emergency Response Team Coordination Center
(CERT/CC) vulnerability report intended for affected software vendors has
been leaked to a discussion list. The report described a flaw in PDF
readers for Unix that could allow execution of malicious code. The
information was to be released June 23. Other vulnerabilities being
investigated by CERT/CC were posted to a discussion list in March.
http://www.computerworld.com/printthis/2003/0,4814,82197,00.html
--Software Piracy Ring Busted
(16 June 2003)
A successful sting operation on a software piracy ring has netted
Italian police 181 arrests and approximately 118 million euros (US$139.6
million) worth of pirated software. The Business Software Alliance
(BSA) lent support to the effort.
http://news.com.com/2102-1012_3-1017776.html?tag=ni_print
--Indian Law Seeks to Allay Fears of Foreign Data Exposure
(16 June 2003)
Legislators in India have nearly completed drafting the Data Protection
Act. The law will ensure that data belonging to foreign companies
outsourcing work to India will not be shared with their rivals.
http://www.zdnet.com.au/printfriendly?AT=2000048600-20275413
--New Trojan Spreading
(10/13 June 2003)
Researchers believe a new, "third-generation Trojan horse" program is
infecting machines on the Internet. While the details of the Trojan's
actions are not complete, what is known is that it scans random IP
addresses, probing them with TCP SYN packets that carry a window size
of 55808. It can also spoof the source IP addresses of the packets it
sends. It is capable of scanning 90% of the Internet's IP addresses in
a 24-hour period.
http://www.eweek.com/print_article/0,3668,a=43352,00.asp
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=22371
[Editor's Note (Grefer): Readers should take into account the wise
counsel of Marty Lindner, team leader for incident handling at CERT/CC,
who said, "There is nothing there that hasn't been seen before." The
media coverage seems to rely on a press release by a vendor touting its
behavior-based intrusion detection solutions. Marketing hype alert!]
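One defender-side way to look for the probe pattern this item describes, written here as an added example that is not from the article or from any vendor mentioned in it: the script parses constructed tcpdump-style lines (the addresses, ports and timestamps are made up) and flags bare SYNs whose window size is 55808, then groups them by source address so a scan across several hosts stands out. Because the item says the sender can spoof its source address, the grouped source is a lead to investigate, not proof of which host is infected.

```python
"""Flag TCP SYN probes carrying the 55808 window size reported in the
NewsBites item, then group them by source to spot scanning behaviour.
Sample lines are constructed in tcpdump -n style; they are not captures."""
import re
from collections import defaultdict

SUSPECT_WINDOW = 55808  # window size reported for the scanner

# Constructed sample log (hypothetical addresses from documentation ranges).
SAMPLE_LOG = """\
12:00:01.000001 IP 198.51.100.7.1025 > 192.0.2.10.80: Flags [S], seq 1, win 55808, length 0
12:00:01.000002 IP 198.51.100.7.1026 > 192.0.2.11.22: Flags [S], seq 1, win 55808, length 0
12:00:01.000003 IP 198.51.100.7.1027 > 192.0.2.12.443: Flags [S], seq 1, win 55808, length 0
12:00:02.000001 IP 203.0.113.5.40000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:02.000002 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S.], seq 1, ack 2, win 55808, length 0
12:00:03.000001 IP 198.51.100.8.2000 > 192.0.2.20.25: Flags [S], seq 1, win 55808, length 0
"""

# Matches the tcpdump line shape used above: timestamp, src.port > dst.port,
# TCP flags in brackets, and the advertised window further along the line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\],"
    r".*?\bwin (?P<win>\d+)"
)


def parse_line(line):
    """Return a dict of packet fields, or None if the line is not a TCP record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["win"] = int(pkt["win"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_bare_syn(pkt):
    # "S" alone is a SYN with no ACK; "S." is a SYN/ACK reply, not a probe.
    return pkt["flags"] == "S"


def find_signature_probes(log_text, window=SUSPECT_WINDOW):
    """List (src, dst, dport) for every bare SYN whose window equals `window`."""
    hits = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt and is_bare_syn(pkt) and pkt["win"] == window:
            hits.append((pkt["src"], pkt["dst"], pkt["dport"]))
    return hits


def sources_scanning(hits, min_targets=2):
    """Map each source to the sorted distinct hosts it probed, keeping only
    sources that touched at least `min_targets` hosts (a scan heuristic)."""
    targets = defaultdict(set)
    for src, dst, _ in hits:
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    probes = find_signature_probes(SAMPLE_LOG)
    for hit in probes:
        print("suspect SYN:", hit)
    print("sources probing several hosts:", sources_scanning(probes))
```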
--Spammers May be Spreading AVF Virus
(13 June 2003)
The infection of about 500,000 computers with the AVF virus is thought
to be the work of spammers. The virus installs a back door on infected
machines and uses it to send out spam.
http://news.bbc.co.uk/1/hi/technology/2987558.stm
--Man Sentenced for Sandia National Laboratories, Eglin AFB Intrusions
(13 June 2003)
Adil Yahya Zakaria Shakour, who broke into computers at Sandia National
Laboratories and Eglin Air Force Base, has been sentenced to one year
and one day in federal prison. The eighteen-year-old will also pay more
than $88,000 in restitution and have only restricted computer use for
three years after his release.
http://www.siliconvalley.com/mld/siliconvalley/news/6079276.htm
--Man Admits to Attack on Al-Jazeera Web Site
(12 June 2003)
Web designer John Racine II has admitted to launching a redirect attack
on Al-Jazeera, an Arab news web site. Racine has pleaded guilty to two
charges of wire fraud and unlawful interception of an electronic
communication. He is expected to receive a sentence of three years
probation and a $1,500 fine.
http://www.msnbc.com/news/925635.asp?0dm=T249T
http://news.com.com/2102-1002_3-1016447.html?tag=ni_print
--Legal Issues Raised by Honeypots
(12 June 2003)
Lance Spitzner offers his opinions of the legal questions of entrapment,
privacy and liability raised by the use of honeypots. Spitzner points
out that as yet, there have not been any legal precedents set regarding
honeypots.
http://www.securityfocus.com/printable/infocus/1703
--Thai Cyber Vandals Must Help the Site They Defaced
(12 June 2003)
As punishment for defacing Thailand's Information and Communication
Technology's (ICT) web site, Thai university undergraduate students have
been ordered to work on the site.
http://news.zdnet.co.uk/cgi-bin/uk/printerfriendly.cgi?id=2135940&tid=269
--Kifie-D Worm
(12 June 2003)
The Kifie-D worm spreads via e-mail, peer-to-peer file sharing networks
and instant messaging systems. After copying itself to local drives
and editing the Registry, the worm displays a message warning of a
critical error in an application. The worm's payload, which is launched
on a Sunday, includes overwriting DOC and TXT files in Windows folders,
attempting to disable anti-virus software and mailing itself out to
addresses in the Outlook address book.
http://www.pcpro.co.uk/?http://www.pcpro.co.uk/news/news_story.php?id=43141
--Junior High School Student Faces Expulsion for Deleting Teachers'
Grade Files
(11 June 2003)
A New Jersey seventh grader allegedly broke into his junior high
school's computer system and deleted the grade files of 10 teachers.
The security breach delayed the mailing out of school progress reports.
The student may be expelled.
http://www.theargusonline.com/Stories/0,1413,83~1971~1448608,00.html
[Editor's Note (Schneier): At least they're not treating it like a
felony as happened in a similar situation some time ago. This is bad
behavior, but it's not serious criminal behavior. Being a dumb kid
should not cause the ruin of your life.]
--Microsoft to Buy Anti-Virus Firm
(10/11 June 2003)
Microsoft intends to buy Romanian anti-virus company GeCAD; while it is
acquiring the company's intellectual property, Microsoft does not intend
to continue to develop GeCAD's products. Major anti-virus software
vendors on one hand view the acquisition as acknowledgment from
Microsoft that protection from viruses is important to cybersecurity;
on the other hand, they are quick to point out that anti-virus software
alone is not enough to adequately protect users from malware threats.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=10300707
http://zdnet.com.com/2102-1105_2-1015096.html?tag=printthis
http://www.pcworld.com/resource/printable/article/0,aid,111091,00.asp
--Canadian Survey Finds IT Security Spending on the Rise
(10 June 2003)
A Canadian study, Pulse of Internet Security in Canada, found that 73%
of 150 C-level Canadian executives surveyed are spending more on
security now than they were a year-and-a-half ago. 61% of the
executives said security is among their top five priorities. Half of
those surveyed said they have had a security breach.
http://www.globetechnology.com/servlet/story/RTGAM.20030610.gtsecurityjune10/BNStory/Technology
--UK Police May Call in IT Professionals for Cyber Crime Help
(10 June 2003)
The UK government plans to ask IT professionals to join the ranks of
the police force as special constables to help apprehend crackers and
malware creators. The plan is part of a larger cybercrime strategy
currently under consideration.
http://www.computerweekly.com/articles/article.asp?liArticleID=122475&liArticleTypeID=1&liCategoryID=2&liChannelID=28&liFlavourID=1&sSearch=&nPage=1
--Cisco Rolling Out Security Upgrades
(17/21 May 2003)
Cisco is introducing a plethora of hardware and software upgrades aimed
at boosting the security of and adding features to its VPNs; it is also
upgrading its security management software to simplify support and
management of secure networks.
http://www.eweek.com/print_article/0,3668,a=41885,00.asp
http://www.infoworld.com/article/03/05/21/HNciscosecure_1.html
Editorial
Guest Editor Bruce Schneier shares his thoughts on CyberTerrorism
[Reprinted from Crypto-Gram http://www.counterpane.com/crypto-gram.html]
The Risks of Cyberterrorism
The threat of cyberterrorism is causing much alarm these days. We have
been told to expect attacks since 9/11; that cyberterrorists would try
to cripple our power system, disable air traffic control and emergency
services, open dams, or disrupt banking and communications. But so far,
nothing's happened. Even during the war in Iraq, which was supposed to
increase the risk dramatically, nothing happened. The impending cyberwar
was a big dud. Don't congratulate our vigilant security, though; the
alarm was caused by a misunderstanding of both the attackers and the
attacks.
These attacks are very difficult to execute. The software systems
controlling our nation's infrastructure are filled with vulnerabilities,
but they're generally not the kinds of vulnerabilities that cause
catastrophic disruptions. The systems are designed to limit the damage
that occurs from errors and accidents. They have manual overrides. These
systems have been proven to work; they've experienced disruptions caused
by accident and natural disaster. We've been through blackouts,
telephone switch failures, and disruptions of air traffic control
computers. In 1999, a software bug knocked out a nationwide paging
system for a day. The results might be annoying, and engineers might
spend days or weeks scrambling, but the effect on the general population
has been minimal.
The worry is that a terrorist would cause a problem more serious than
a natural disaster, but this kind of thing is surprisingly hard to do.
Worms and viruses have caused all sorts of network disruptions, but it
happened by accident. In January 2003, the SQL Slammer worm disrupted
13,000 ATMs on the Bank of America's network. But before it happened,
you couldn't have found a security expert who understood that those
systems were dependent on that vulnerability. We simply don't understand
the interactions well enough to predict which kinds of attacks could
cause catastrophic results, and terrorist organizations don't have that
sort of knowledge either -- even if they tried to hire experts.
The closest example we have of this kind of thing comes from Australia
in 2000. Vitek Boden broke into the computer network of a sewage
treatment plant along Australia's Sunshine Coast. Over the course of
two months, he leaked hundreds of thousands of gallons of putrid sludge
into nearby rivers and parks. Among the results were black creek water,
dead marine life, and a stench so unbearable that residents complained.
This is the only known case of someone hacking a digital control system
with the intent of causing environmental harm.
Despite our predilection for calling anything "terrorism," these attacks
are not. We know what terrorism is. It's someone blowing himself up in
a crowded restaurant, or flying an airplane into a skyscraper. It's not
infecting computers with viruses, forcing air traffic controllers to
route planes manually, or shutting down a pager network for a day. That
causes annoyance and irritation, not terror.
This is a difficult message for some, because these days anyone who
causes widespread damage is being given the label "terrorist." But
imagine for a minute the leadership of al Qaeda sitting in a cave
somewhere, plotting the next move in their jihad against the United
States. One of the leaders jumps up and exclaims: "I have an idea! We'll
disable their e-mail...." Conventional terrorism -- driving a truckful
of explosives into a nuclear power plant, for example -- is still easier
and much more effective.
There are lots of hackers in the world -- kids, mostly -- who like to
play at politics and dress their own antics in the trappings of
terrorism. They hack computers belonging to some other country
(generally not government computers) and display a political message.
We've often seen this kind of thing when two countries squabble: China
vs. Taiwan, India vs. Pakistan, England vs. Ireland, U.S. vs. China
(during the 2001 crisis over the U.S. spy plane that crashed in Chinese
territory), the U.S. and Israel vs. various Arab countries. It's the
equivalent of soccer hooligans taking out national frustrations on
another country's fans at a game. It's base and despicable, and it
causes real damage, but it's cyberhooliganism, not cyberterrorism.
There are several organizations that track attacks over the Internet.
Over the last six months, less than 1% of all attacks originated from
countries on the U.S. government's Cyber Terrorist Watch List, while
35% originated from inside the United States. Computer security is still
important. People overplay the risks of cyberterrorism, but they
underplay the risks of cybercrime. Fraud and espionage are serious
problems. Luckily, the same countermeasures aimed at cyberterrorists
will also prevent hackers and criminals. If organizations secure their
computer networks for the wrong reasons, it will still be the right
thing to do.
==end==
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/