SANS NewsBites Vol. 5 Num. 28
From: The SANS Institute (NewsBites sans.org)
Date: Wed Jul 16 2003 - 10:12:08 CDT
***********************************************************************
SANS NewsBites July 16, 2003 Vol. 5, Num. 28
***********************************************************************
TOP OF THE NEWS
Rep. Putnam Promises Cyber Security Legislation
House Select Committee on Homeland Security Holds Cyber Hearings
Ridge Describes Security Plan for US Financial System
THE REST OF THE WEEK'S NEWS
1,000 Personal Computers Hijacked For Pornography Ring
French Teen Allegedly Defaced More Than 2,000 Sites
Migmaf Trojan
UK Teen Questioned in Connection with Fermi Lab Intrusions
GSA Releases Draft e-Assurance Levels
Adult Web Sites Targeted by Extortionist
Microsoft Releases Three More Security Bulletins
Massachusetts State Lottery Commission Web Site Spoofed
NIST Report Suggests Metrics for IDS Performance
Apache Updates HTTP Server
US Information Security Law
PriceWaterhouseCoopers Electronic Crime Survey
Stop the Hype, Say Experts
PayPal Customers Targeted by ID Data Theft Scam
Defacers' Challenge Tally Site Hit with DDoS
U of Illinois Receives Grant to Establish Anti-Cyber Attack
Technology Research Center
Microsoft Software Simplifies Identity Management
*************** Sponsored by Verisign - The Value Of Trust ************
Secure Your Servers
Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business," and you'll
learn everything you need to know about using 128-bit SSL to encrypt
your e-commerce transactions, secure your corporate intranets and
authenticate your Web sites. 128-bit SSL is serious security for your
online business. Get it now!
http://www.verisign.com/cgi-bin/go.cgi?a=n09440132960057000
***********************************************************************
Highlighted Security Training in August and September
SANS Rocky Mountain returns to Denver August 14-19 with six popular
immersion training tracks and a vendor exposition. Register soon:
http://www.sans.org/rockymountain03
Or come to Boston http://www.sans.org/newengland03 or Los Angeles
http://www.sans.org/losangeles03 in September for our two other
six-track programs.
Programs in more than 60 other cities as well: http://www.sans.org
***********************************************************************
TOP OF THE NEWS
--Rep. Putnam Promises Cyber Security Legislation
(10 July 2003)
Speaking at an e-government conference last week, Representative Adam
Putnam (R-Fla.), chairman of the US House Government Reform Subcommittee
on Technology, said that what the US has done thus far to defend against
cyber attacks is "simply not acceptable" and has promised the
introduction of legislation "mandating" cyber security requirements for
the private sector. Putnam wants to address the cyber security problems
"before a major disaster happens." He says the blame for inadequate
cyber security can be shared among private sector firms and government
agencies, which are not doing enough to shore up their security, as well
as the present administration and Congress which have failed to give
the problem adequate attention. Robert W. Holleyman, president of the
Business Software Alliance, one of the conference's sponsors, spoke out
against government regulation; Putnam responded that business has not
done enough fast enough.
http://www.govexec.com/dailyfed/0703/071003td1.htm
http://www.gcn.com/vol1_no1/security/22714-1.html
http://www.pcworld.com/news/article/0,aid,111535,00.asp
--House Select Committee on Homeland Security Holds Cyber Hearings
(15 July 2003)
At today's House Select Committee on Homeland Security, Cybersecurity
Subcommittee hearings, chaired by Cong. Mac Thornberry of Texas, major
vendors including Microsoft, Dell, AT&T, Sun, and AOL agreed that
industry could help solve part of the cyber security problem but that
government action was needed to complete the job. Most of them
supported the idea of establishing minimum configuration standards --
specific to various operating systems and environments -- that would be
recognized by government and the buying public. They further emphasized
that government procurement could be used to prove sufficient demand so
the computer industry develops products that are configured more safely.
Microsoft announced that it was working with the Center for Internet
Security to bring its security recommendations and those of the Center
together. Although the threat of government regulation is ever present,
the vendors said that most of the impetus for their increased interest
in security was the growing level of us
http://www.pcworld.com/news/article/0,aid,111579,00.asp
[Editor's Note (Paller): The vendors' testimony will be posted at the
www.house.gov site within a couple of weeks. Testimony from Bruce
Schneier of Counterpane, Rich Pethia of CERT/CC, and me (for SANS) at
the Cybersecurity Subcommittee's first hearing on June 25, defining the
cybersecurity problem, has already been posted. Download it here:
Schneier: http://hsc.house.gov/files/Testimony_Schneier.pdf
Pethia: http://hsc.house.gov/files/Testimonty_Pethia.pdf
Paller: http://hsc.house.gov/files/Testimony_Paller.pdf]
--Ridge Describes Security Plan for US Financial System
(8 July 2003)
Speaking at the Federal Reserve Board in New York, Homeland Security
Secretary Tom Ridge outlined plans to help protect the country's
financial system from criminals. Included in the plans is an expansion
of the electronic crimes task force from nine to thirteen cities; the
new cities are Columbia, S.C., Cleveland, Dallas and Houston. The task
forces focus on computer-based crimes such as identity theft, network
and computer intrusions, and telecommunications fraud. They will partner
with federal, state and local law enforcement, as well as segments of
the private sector, such as the telecommunications industry and academic
community, to identify and try to eliminate weaknesses in networks.
http://www.govexec.com/dailyfed/0703/070803td2.htm
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) FREE White Paper: "Top Web Application Hacker Tricks"
http://www.sans.org/cgi-bin/sanspromo/NB198
(2) Simplify secure file transfer! Download a white paper and
evaluation software.
http://www.sans.org/cgi-bin/sanspromo/NB196
(3) BE OFFENSIVE. Don't react to network intrusions. Actively prevent
them. FREE White Paper.
http://www.sans.org/cgi-bin/sanspromo/NB197
***********************************************************************
THE REST OF THE WEEK'S NEWS
--1,000 Personal Computers Hijacked For Pornography Ring
(11 July 2003)
A pornography ring is hiding its location from ISPs who might shut it
down by using more than 1,000 personal computers that the ring had
hijacked. Pornography is stored on each computer for just a short time
and customers asking for it are served from whichever PC has the
material when the request arrives.
http://www.nytimes.com/2003/07/11/technology/11HACK.html?ex=1058500800&en=dfe68a99bce4317d&ei=5062
--French Teen Allegedly Defaced More Than 2,000 Sites
(11 July 2003)
A seventeen-year-old French high school student is being investigated
in connection with approximately 2,000 web site defacements, including
one on a US Navy site. The attacks in question took place over the
course of 14 months. The young person could face up to three years in
prison and a fine of $50,850 if convicted.
http://www.cnn.com/2003/TECH/internet/07/11/young.hacker.ap/index.html
--Migmaf Trojan
(11 July 2003)
A Trojan horse program, sometimes called Migmaf, is a reverse proxy
server. It hijacks home computers running some versions of Windows and
uses them to send advertisements for pornography. Migmaf has hijacked
approximately 2,000 computers with high-speed Internet connections; it
does not appear to damage compromised machines.
http://www.wired.com/news/print/0,1294,59608,00.html
http://www.theage.com.au/articles/2003/07/11/1057783339267.html
[Editor's Note (Northcutt): "Honest honey, it was the trojan!" While
the article does say some versions of Windows, it would be more accurate
to say most versions.]
--UK Teen Questioned in Connection with Fermi Lab Intrusions
(10/11 July 2003)
London police have arrested and are questioning an 18-year-old in
connection with unauthorized access to US Department of Energy (DoE)
computers at Fermi National Accelerator Laboratory in Batavia, IL. The
teen allegedly used the computers to store music and video files. He
has been released on bail.
http://www.theregister.co.uk/content/6/31674.html
http://www.securityfocus.com/news/6352
--GSA Releases Draft e-Assurance Levels
(10 July 2003)
As part of the e-Authentication e-government initiative, the General
Services Administration (GSA) has released a draft policy describing
the four levels of assurance agencies will be required to use to
categorize their systems and transactions for authentication. Agencies
must assess risks of e-government projects and IT systems that conduct
transactions and adopt a level by the end of fiscal 2004.
http://www.fcw.com/fcw/articles/2003/0707/web-eauth-07-11-03.asp
http://www.gcn.com/vol1_no1/daily-updates/22725-1.html
http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-17634.pdf
--Adult Web Sites Targeted by Extortionist
(10 July 2003)
Someone using the on-line name "Deepsy" has been attempting to extort
money from adult web sites, threatening to take them off-line with
denial-of-service attacks unless they pay him $1,500. "Deepsy" has
apparently made good on his threats; one of the targeted adult web sites
has contacted the FBI.
http://www.wired.com/news/print/0,1294,59574,00.html
--Microsoft Releases Three More Security Bulletins
(9 July 2003)
Microsoft has released security bulletins for three vulnerabilities.
The most serious, rated "critical," is a buffer overflow flaw in the
HTML converter in all supported versions of the Windows operating
system. The flaw is rated only moderate for Windows Server 2003 because
of its Enhanced Security Configuration. The other two flaws, both rated
"important," concern another buffer overflow in Windows NT, XP and
Windows Server 2000 and a privilege elevation vulnerability in Windows
2000's utility manager.
http://zdnet.com.com/2102-1105_2-1024178.html?tag=printthis
http://www.computerworld.com/printthis/2003/0,4814,82895,00.html
http://www.microsoft.com/technet/security/bulletin/MS03-023.asp
http://www.microsoft.com/technet/security/bulletin/MS03-024.asp
http://www.microsoft.com/technet/security/bulletin/MS03-025.asp
--Massachusetts State Lottery Commission Web Site Spoofed
(9 July 2003)
A phony web site that mimics the Massachusetts State Lottery Commission
site was being used in an attempt to steal personal data. Some
people received e-mails and text messages telling them they had won
$30,000 in a lottery and directing them to the phony site. Once there,
they found they were required to enter personal information and pay a
$100 processing fee in order to claim their prize. The site has been
taken down. The Commission is working with the FBI to find those
responsible for the scam.
http://www.computerworld.com/printthis/2003/0,4814,82892,00.html
--NIST Report Suggests Metrics for IDS Performance
(9 July 2003)
A National Institute of Standards and Technology (NIST) report entitled
"An Overview of Issues in Testing Intrusion Detection Systems" observes
that there are no standard metrics by which to measure IDS performance.
The report lists some possible metrics, including the range of attacks
a system can detect, the number of attacks a system can detect within
a certain period of time and throughput, or how much traffic the system
can handle.
http://www.securityfocus.com/news/6327
http://csrc.nist.gov/publications/nistir/nistir-7007.pdf
[Editor's Note (Schultz): It's still amazing to me how so many vendors
and developers of intrusion detection systems somehow fail to obtain
and distribute benchmark metrics for their systems, possibly because of
fear that objective testing will reveal unfavorable hit and false alarm
rates. The user community needs such metrics, however.]
--Apache Updates HTTP Server
(9 July 2003)
The Apache Software Foundation has released an updated version of its
Apache HTTP Server. The new version (2.0.47) corrects four security
flaws, including some which could result in denial-of-service attacks.
http://www.internetnews.com/infra/article.php/2232981
--US Information Security Law
(9 July 2003)
The final installment in a four article series on US Information
Security Law examines "national security law in the United States as it
pertains to information security."
http://www.securityfocus.com/printable/infocus/1710
--PriceWaterhouseCoopers Electronic Crime Survey
(9 July 2003)
The PriceWaterhouseCoopers Global Economic Crime Survey 2003 shows that
15% of the 3,623 companies surveyed reported suffering losses
attributable to cyber crime. Telecommunications and IT companies appear
to be among the most targeted.
http://www.computerworld.com/printthis/2003/0,4814,82864,00.html
http://www.pwcglobal.com/extweb/ncsurvres.nsf/docid/E4BD4A78EE004C2D85256D4D005C2023
--Stop the Hype, Say Experts
(8/9 July 2003)
Some computer security experts are encouraging security companies to
refrain from "hyping" cyber threats that don't pose serious risks
because the plethora of warnings may inure people to threats that do
pose serious risks. The group of experts protested the hype surrounding
the July 6 Defacement Challenge. The hype benefits both the attackers
and the security companies because the former desire publicity, and the
latter want to sell more products.
http://zdnet.com.com/2102-1105_2-1024107.html?tag=printthis
http://www.wired.com/news/print/0,1294,59556,00.html
[Editor's Note (Schultz): These experts are correct. You can cry "wolf"
only so many times.]
--PayPal Customers Targeted by ID Data Theft Scam
(8/9 July 2003)
Some PayPal customers have received messages telling them that their
billing information has been lost and that in order to keep their
accounts, they must re-enter the data on a specific site. Though many
of the sites' links point to the PayPal web site, the form which
requests personal information, such as name, address, credit card
information and social security number, is on a server at a different
IP address. The phony site uses a valid SSL certificate.
http://www.computerworld.com/printthis/2003/0,4814,82888,00.html
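The lure described above works by decorating a page with genuine links to the brand while the data-collecting form submits somewhere else. As an added example (not from the article or from SANS), the following Python script flags forms whose action host differs from the brand host, inferring the brand from the most common link host when none is given; the sample page and its IP address are constructed.

```python
import ipaddress
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure page (hypothetical, not from the incident): visible links go to
# the brand's real site, but the data-collecting form posts to a bare IP elsewhere.
SAMPLE_HTML = """<html><body>
<a href="https://www.paypal.com/">Home</a> <a href="https://www.paypal.com/help">Help</a>
<a href="https://www.paypal.com/privacy">Privacy</a>
<form action="http://192.0.2.10/cgi-bin/update.cgi" method="post">
<input name="ccnum"><input name="ssn"><input type="submit"></form></body></html>"""

class LinkFormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs, self.actions = [], []  # anchor hrefs and form action URLs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.actions.append(a["action"])

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def host_kind(host):
    """'bare-ip' for a literal address (as in the reported scam), else 'hostname'."""
    try:
        ipaddress.ip_address(host)
        return "bare-ip"
    except ValueError:
        return "hostname"

def find_mismatched_forms(html, brand_host=None):
    """Return (action, host, kind) for each absolute form action that posts
    off-brand. With brand_host None, the brand is the most common link host."""
    p = LinkFormCollector()
    p.feed(html)
    if brand_host is None:
        counts = Counter(h for h in map(host_of, p.hrefs) if h)
        brand_host = counts.most_common(1)[0][0] if counts else ""
    findings = []
    for h, action in ((host_of(a), a) for a in p.actions):
        if h and h != brand_host and not h.endswith("." + brand_host):
            findings.append((action, h, host_kind(h)))
    return findings
```

Relative form actions post back to the serving host and are left for a separate check of that host.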
--Defacers' Challenge Tally Site Hit with DDoS
(7 July 2003)
Zone-h, the web site responsible for tallying the results of the
Defacers' Challenge on Sunday, 6 July fell prey to a "massive"
distributed denial of service attack that lasted for seven hours that
very same day. The attack was the work of a group protesting the event.
http://www.computerworld.com/printthis/2003/0,4814,82811,00.html
--U of Illinois Receives Grant to Establish Anti-Cyber Attack
Technology Research Center
(3 July 2003)
The University of Illinois' National Center for Supercomputing
Applications in Urbana-Champaign has received an initial $5.7 million
grant from the Office of Naval Research to establish a research center
devoted to developing technology to thwart enemy cyber attackers.
Developers at the center will focus on finding the best ways for
military forces to share information without it being intercepted.
http://www.securityfocus.com/news/6288
--Microsoft Software Simplifies Identity Management
(2 July 2003)
Microsoft's forthcoming Microsoft Identity Integration Server (MIIS)
2003 will "unify" workers' user name and password information to provide
a picture of each employee "across the enterprise." The software will
allow for the creation of a variety of identities as soon as a new
employee is entered into the human resources database; it will also
allow for efficient removal of an employee's system access upon
termination.
http://news.com.com/2102-1009_3-1023054.html?tag=ni_print
==end==
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/