SANS NewsBites Vol. 5 Num. 25

From: The SANS Institute (NewsBites@sans.org)
Date: Wed Jun 25 2003 - 12:56:57 CDT


***********************************************************************
SANS NewsBites June 25, 2003 Vol. 5, Num. 25
***********************************************************************

TOP OF THE NEWS
  Guess Settles FTC Charges, Agrees to Invest In Improved Security
  Hatch is in Favor of Destroying Copyright Violators' Computers, if
      Necessary
  McCain Promises Hearings on DMCA Subpoena Provision

THE REST OF THE WEEK'S NEWS
  Vulnerability Management
  Student Breached University Computer System and Disrupted Election
  Fortnight Worm Exploits Old Vulnerability
  Stumbler Trojan
  Senate Bill Would Have FBI Address P2P Piracy
  Cash Machines Exploited in 9/11 Aftermath
  RIAA Warns Individual File Traders
  Brokerages Must Retain IM Logs
  Companies Need to Establish E-Mail Retention Policies
  Japanese Police Systems Sustained More than 160,000 Attacks
  VPNs Offer Advantages Over Frame-Relay Networks
  DHS To Build Secure Network
  EU Security Agency to Begin Work in January
  Interview With GAO Infosec Director Robert Dacey

NEW TRAINING PROGRAMS JUST ADDED TO THE SANS SCHEDULE
 - Hacker Exploits Taught Live, On-Line - By popular demand one of the
two top rated hacker exploits teachers in the world will teach a live,
online version of this very popular track. Convenient hours, lots of
time between classes for hands on work. And Eric Cole is extraordinary.
Begins July 22.
More information: http://www.sans.org/onlinetraining/ilot/track4.php

 - Austin TX SANS Security Essentials (Track 1) and Intrusion Detection
In-Depth (Track 3) begin on July 26.
More information: http://www.sans.org/austin03

Programs in many other cities: http://www.sans.org

*************** Sponsored by Internet Security Systems ****************

New whitepaper from Internet Security Systems!

ISS' new, easily deployed appliances dynamically protect
regardless of network speed or threat type, without requiring
separate firewalls, antivirus and intrusion detection. Find out how:

http://www.iss.net/ad/appliance_sansappliancewp062503

***********************************************************************

TOP OF THE NEWS

 --Guess Settles FTC Charges, Agrees to Invest In Improved Security
(18/19 June 2003)
Guess, Inc. has settled charges brought by the Federal Trade Commission
(FTC) regarding security on its Guess.com web site. The FTC said that
Guess had promised its customers that their personal information,
including credit card numbers, would be protected, but the site was
vulnerable to known exploits, including the SQL injection attack. Guess
has agreed to create a security program, which must be certified
annually. The company must also refrain from making false claims about
the security of customer information. The FTC has also released a fact
sheet for guidance called "Security Check: Reducing Risks to Your
Computer System."
http://www.washingtonpost.com/ac2/wp-dyn/A12397-2003Jun19?language=printer
http://www.computerworld.com/printthis/2003/0,4814,82309,00.html
http://www.securityfocus.com/news/5968
FTC Settlement Announcement:
http://www.ftc.gov/opa/2003/06/guess.htm
Security Check Fact Sheet:
http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm
[Editor's Note (Paller): The Federal Trade Commission demonstrated that
there *are* legal consequences for organizations that have weak
security. Tens of thousands of organizations doing business on the
Internet are in the same (weak) position that Guess was in. Expect a
surge of security audits, demand for better training for system
administrators and application developers, and a quest for "minimum
standards of due care" in security.]

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) ALERT: "How a Hacker Launches a SQL Injection Attack
     Step-by-Step"- White Paper
http://www.sans.org/cgi-bin/sanspromo/NB186

(2) Simplify secure file transfer! Download a white paper and free
     evaluation software.
http://www.sans.org/cgi-bin/sanspromo/NB187

***********************************************************************

 --Hatch is in Favor of Destroying Copyright Violators' Computers, if
     Necessary
(19 June 2003)
At a hearing on the dangers of peer-to-peer filesharing services, Senate
Judiciary Committee chairman Orrin Hatch (R-Utah) suggested that the
computers of people who download material in violation of US copyright
laws should be destroyed. Senator Patrick Leahy (D-Vermont) called the
proposal "Draconian," and Hatch took a few steps back from his stance,
saying that something has to be done to stop Internet piracy and that
"extreme measures" should be taken only if other measures do not work.
Such action would violate current federal law. Ironically, Senator
Hatch has been found to be using unlicensed software on his web site.
http://news.com.com/2102-1028_3-1018845.html?tag=ni_print
http://www.computerworld.com/printthis/2003/0,4814,82317,00.html
http://www.wired.com/news/print/0,1294,59298,00.html
http://www.wired.com/news/print/0,1294,59305,00.html
[Editor's Note (Schultz): It's downright hilarious that Sen. Hatch not
only apparently has unlicensed software on his Web site, but also that
at least until late last week his site definitely had a link to
pornographic pages
(http://www.senate.gov/~hatch/index.cfm?Fuseaction=Students.Utah).
Perhaps Sen. Hatch should do some local housecleaning before going on
his witch hunts.]

 --McCain Promises Hearings on DMCA Subpoena Provision
(19 June 2003)
Senator John McCain (R-Ariz.), chairman of the US Senate Commerce,
Science and Transportation committee, has promised to hold hearings on
the section of the Digital Millennium Copyright Act (DMCA) that allows
copyright holders to subpoena the identities of those they suspect of
violating their copyrights. There is some concern that people
pretending to be copyright holders could take advantage of the process
and violate individuals' privacy.
http://www.idg.net/ic_1322296_9719_1-5448.html

********************* MORE SPONSORED LINKS ****************************
(3) Earn a Norwich University Master's Degree in Information Security
     in 24 months.
http://www.sans.org/cgi-bin/sanspromo/NB188

(4) Email attacks and spam are escalating - learn 10 ways to stop them.
http://www.sans.org/cgi-bin/sanspromo/NB189

***********************************************************************

THE REST OF THE WEEK'S NEWS
 
 --Vulnerability Management
Good vulnerability management is, at the core, effective identification
of and response to vulnerabilities. Organizations would be well-advised
to employ tiered defenses, to keep current with patches and maintain an
effective patch deployment system and to use an automated vulnerability
assessment tool. In addition, security should be a factor in purchasing
decisions.
http://img.cmpnet.com/nc/1412/graphics/1412f1_file.pdf
[Editor's Note (Northcutt): It is actually a good article. I suggest
readers ignore the initial two screens, which are poorly laid out, and
go for the meat.]

 --Student Breached University Computer System and Disrupted Election
(23 June 2003)
Shawn Nematbakhsh, a computer science major at the University of
California at Riverside, allegedly broke into a university computer
system and cast 800 votes for a fake candidate in a student election.
He has been arrested. If convicted, Nematbakhsh could face three years
in prison and a $10,000 fine; he claims his actions were intended to
prove that the university network was vulnerable.
http://www.cnn.com/2003/TECH/internet/06/23/us.hacker.ap/index.html

 --Fortnight Worm Exploits Old Vulnerability
(23 June 2003)
The Fortnight JavaScript worm redirects Internet Explorer browsers to a
pornographic web site. While the worm's payload is more annoying than
malicious, its spread is significant because it exploits an old
vulnerability in the Microsoft VM ActiveX control; a patch has been
available since October 2000.
http://zdnet.com.com/2102-1105_2-1019929.html?tag=printthis
[Editor's Note (Grefer): If the patch has been available since October
2000, users who regularly visit http://windowsupdate.microsoft.com
should already be protected. Also, if automation of regular upgrades to
MS Internet Explorer is desired, this can be achieved through accessing
the "Internet Options" in the "Tools" menu. On the "Advanced" tab, under
the "Browsing" heading, place a check mark in front of "Automatically
check for Internet Explorer updates."]

 --Stumbler Trojan
(20/23 June 2003)
The Stumbler Trojan, also known as Trojan 55808, does not spread itself;
it is manually installed on computers running Linux operating systems.
The Trojan then acts as a "distributed port scanner." Stumbler is
likely responsible for a spike in Internet traffic over the last few
weeks. It is possible that the program is a proof-of-concept for a
passive scanning technique that could later be used in conjunction with
a worm.
http://www.computerworld.com/printthis/2003/0,4814,82362,00.html
http://www.internetweek.com/shared/printableArticle.jhtml?articleID=10700746
http://news.com.com/2102-1002_3-1019759.html?tag=ni_print
http://www.theregister.co.uk/content/55/31341.html
[Editor's Note (Northcutt): I would advise you not to take what is said
in the news about this Trojan too seriously. There appears to be some
trickery afoot. Here's a relevant note from Guest Editor and SANS
Faculty member, Mike Poor: The most unusual aspect of the "mystery"
traffic generated by the 55808 trojan is that we have not seen people
reporting that they found traffic leaving their networks. If you have
TCPdump, put the filter 'tcp[14:2] = 55808' on your egress route, and
if you see outgoing traffic, please contact us at isc@sans.org. The
incoming traffic that we have captured appears to be coming from
unallocated address space, from thousands of different spoofed sources.]
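The tcpdump filter in the note above, 'tcp[14:2] = 55808', matches TCP segments whose window field equals 55808. As an added example (not from the newsletter or the Internet Storm Center), the Python below applies the same test to raw IPv4 packets and keeps only segments whose source address is inside an assumed local prefix, which is the outgoing traffic the note asks operators to look for; all sample packets are constructed, not real captures.

```python
import ipaddress
import struct

STUMBLER_WINDOW = 55808  # the constant in the BPF expression tcp[14:2] = 55808


def tcp_window(packet: bytes):
    """Return the TCP window field of a raw IPv4 packet, or None if not TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                    # IPv4 header length
    if packet[9] != 6 or len(packet) < ihl + 16:    # protocol 6 = TCP
        return None
    # tcp[14:2]: the two big-endian bytes at offset 14 of the TCP header
    return struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]


def find_egress_stumbler(packets, local_net: str):
    """Return (src, dst) pairs of window-55808 segments whose source lies
    inside local_net (assumed prefix), i.e. traffic leaving your network."""
    net = ipaddress.ip_network(local_net)
    hits = []
    for pkt in packets:
        if tcp_window(pkt) != STUMBLER_WINDOW:
            continue
        src = ipaddress.IPv4Address(pkt[12:16])
        if src in net:
            hits.append((str(src), str(ipaddress.IPv4Address(pkt[16:20]))))
    return hits


def build_packet(src: str, dst: str, window: int) -> bytes:
    """Constructed minimal IPv4 + TCP SYN (20 + 20 bytes, checksums zeroed)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 5 << 4, 0x02,
                          window, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed sample traffic: two inbound probes from spoofed sources, one
# outbound probe from a local host, and one ordinary outbound SYN.
SAMPLE_PACKETS = [
    build_packet("192.0.2.10", "10.0.0.5", STUMBLER_WINDOW),
    build_packet("203.0.113.9", "10.0.0.7", STUMBLER_WINDOW),
    build_packet("10.0.0.5", "198.51.100.7", STUMBLER_WINDOW),
    build_packet("10.0.0.5", "198.51.100.7", 65535),
]
```

Only the third sample packet is reported: the two inbound probes match the window value but originate outside the local prefix, and the last packet has an ordinary window.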

 --Senate Bill Would Have FBI Address P2P Piracy
(20/23 June 2003)
HR-2517, the Piracy Deterrence and Education Act of 2003, was introduced
last week in Congress. The bill would have the FBI develop a program
to tackle the problem of peer-to-peer sharing of copyrighted material.
One of the bill's sponsors is Representative Howard Berman (D-Calif.),
who last year introduced a bill that would have allowed copyright
holders to break into computers belonging to suspected content pirates.
http://news.com.com/2102-1028_3-1019811.html?tag=ni_print
http://www.theregister.com/content/6/31374.html

 --Cash Machines Exploited in 9/11 Aftermath
(19 June 2003)
As many as 118 people allegedly took advantage of bank machines that
were not working properly after the September 11, 2001 terrorist
attacks; as much as $15 million may have been stolen. Seventy-four
individuals have been arrested and 44 others are being sought; nearly
4,200 others are being investigated.
http://www.nzherald.co.nz/latestnewsstory.cfm?storyID=3508252&thesection=news&thesubsection=world

 --RIAA Warns Individual File Traders
(19 June 2003)
The Recording Industry Association of America (RIAA) has sent
cease-and-desist letters to five people it suspects of offering vast
quantities of copyrighted music through peer-to-peer filesharing
networks. The RIAA obtained the names of the four Verizon subscribers
and one EarthLink subscriber after an appeals court panel ordered
Verizon to provide the RIAA with the subscribers' identities. The RIAA
has not said whether it will pursue further legal action.
http://news.com.com/2100-1027_3-1019184.html

 --Brokerages Must Retain IM Logs
(19 June 2003)
US securities regulators are now requiring brokerages to retain instant
messaging (IM) records for at least three years, putting the use of the
communication tool in line with e-mail requirements. The companies were
also advised to monitor employee use of IM.
http://www.infoworld.com/article/03/06/19/HNfinancialim_1.html

 --Companies Need to Establish E-Mail Retention Policies
(17 June 2003)
The 2003 E-Mail Rules, Policies, and Practices Survey from the American
Management Association, the ePolicy Institute, and Clearswift found that
while more companies are being asked for e-mail records to be used in
lawsuits, only 34% of the 1,100 responding companies have written e-mail
retention and deletion policies. In December, a number of Wall Street
firms were fined $8.3 million for not retaining their e-mail records.
http://www.informationweek.com/story/showArticle.jhtml?articleID=10700336
[Editor's Note (Northcutt): They tell us a problem, but don't give a
solution. So I took a crack at defining a first draft of a policy. It
is posted at http://www.sans.org/resources/policies/#email. If you will
take a look and send feedback (to info@sans.org with subject Email
Policy Comments), I will incorporate your consensus into an updated
sample policy for the community.
(Shpantzer): A recent federal court ruling may help set the standard
for email records discovery. It might be prudent to go over this with
your corporate counsel and work out an email policy that works for your
organization. Article about the ruling:
http://www.abanet.org/journal/ereport/j6discovr.html The decision:
http://www.nysd.uscourts.gov/rulings/02cv1243_051803.pdf]

 --Japanese Police Systems Sustained More than 160,000 Attacks
(19 June 2003)
A report from Japan's National Police Agency (NPA) indicates that police
computer systems were the targets of more than 160,000 attacks between
July 2002 and March 2003. Approximately 39% were "ping" attacks, while
about 34% were port scans. According to the report, more than 25% of
the attacks originated in the US.
http://www.ds-osac.org/view.cfm?KEY=7E44534B4253&type=2B170C1E0A3A0F162820
[Editor's Note (Shpantzer): Sure the Japanese Police have some
sophisticated enemies that actually target them for 'attack' but these
figures are a little weak when examined closely: "In March, the virus
(SQL worm) accounted for 65 percent of all the attacks." Using this
metric, my home network is attacked hundreds of times a day.]

 --VPNs Offer Advantages Over Frame-Relay Networks
(19 June 2003)
This article describes the advantages of a virtual private network (VPN)
over a frame-relay network. Traffic on frame-relay networks is not
encrypted, all offices must use the same service provider, and the
networks are limited by geography. A VPN can offer twice the capacity
of a frame-relay network for the same amount of money. Some VPNs offer
encryption and do not require offices to use the same service provider.
The author concludes that VPNs offer more flexibility and cost less than
frame-relay networks while providing comparable performance and
reliability.
http://idg.net/ic_1322305_9677_1-5044.html

 --DHS To Build Secure Network
(19 June 2003)
Computer experts will be developing a secure network for all 190,000
workers in the Department of Homeland Security. The new network will
take years to develop; among the challenges it presents is the task of
keeping existing networks operational and secure. The networks are
tested regularly to ensure they are safe from attackers.
http://www.informationweek.com/story/showArticle.jhtml?articleID=10700486

 --EU Security Agency to Begin Work in January
(16 June 2003)
The European Union's (EU) forthcoming Network and Information Security
Agency (NISA) will have 6 representatives from the European Council and
6 from the Commission on its board; however, plans call for only one
industry member. NISA plans to start in January, and will focus on
analyzing IT threats, fostering cooperation between security agencies
and promoting risk assessment within businesses.
http://www.vnunet.com/News/1141650

 --Interview With GAO Infosec Director Robert Dacey
(16 June 2003)
In an interview with Government Computer News, General Accounting Office
(GAO) director of information security Robert F. Dacey discusses the
GAO's role in assuring information security at government agencies, the
biggest challenges those agencies face in addressing cybersecurity and
elements of good security program management.
http://www.gcn.com/22_15/security/22435-1.html

==end==

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
