
SANS NewsBites                     October 15, 2003                    Volume: V, Issue: 41

  Top 20 Vulnerabilities List Developed by International Consensus
  Student Arrested for Allegedly Using Trojan to Break into Brokerage Account
  European Union to Create Information Security Agency
  DHS to Launch Real-Time Data Collection System


  Cyber Security Efforts Could be Required in SEC Filings
  Home Users Investing More in Security
  Securing the Perimeter: Microsoft's New Security Initiative
  BSA Publishes Security Management Framework for Businesses
  House Passes Government Peer-to-Peer Security Bill
  Gartner Report Warns of Dangers Inherent in Reliance on a Single Platform
  UK's NHTCU Examining Malware Code for Clues to Authorship
  Teen Claims Computer was Hijacked
  Penetration Testing ROI
  Former Employee Pleads Guilty to Cyber Intrusion

************************** Sponsored by NetIQ *************************

Need security policies? Don't start from scratch..."Information Security Policies Made Easy" is the best security policy resource guide you can buy with 1300+ ready-to-use security policies that can be quickly customized for any company.  Build best practice security policies in half the time and expense.
Download a free policy now! http://www.netiq.com/products/pub/default.asp

Highlighted Training Programs of the Week
Small Class Size Alert: Attend smaller classes and get more time with
the great instructors at SANS regional conferences:
Amsterdam starts October 27, Toronto starts November 1
Philadelphia, Nashville and Vienna (Austria) start November 3
Details: http://www.sans.org


Top 20 Vulnerabilities List Developed by International Consensus (8 October 2003)
The Department of Homeland Security (DHS) and its counterparts in the UK and Canada have joined the SANS Institute in releasing a list of the top 20 security vulnerabilities most frequently exploited in Windows, Unix and Linux. This list is notable for its "multinational government/industry consensus." Experts from Singapore and Brazil had input as well.

Complete listing of the new Top 20, remediation strategies, and tools that can find them:

Student Arrested for Allegedly Using Trojan to Break into Brokerage Account (9/10 October 2003)
A Drexel University student has been arrested on charges that he broke into someone else's brokerage account and used it in an attempt to offset investment losses he had incurred. Van T. Dinh allegedly lured on-line investors to a site which downloaded a Trojan horse program onto their computers; the program contained keystroke-logging software which enabled Dinh to gather user IDs and passwords. Dinh was arrested on a variety of charges, including "causing damage in connection with unauthorized access to a computer." The Securities and Exchange Commission (SEC) has also filed charges against Dinh. Dinh has been released on bond.
[Editor's Note (Grefer): Snoopware abuse is one of the fastest growing areas of on-line crime. Please take a look at the top news story of the latest edition of the SANS PrivacyBits for a more in-depth look at the issue:
If you would like to add the SANS PrivacyBits to your subscriptions, visit

European Union to Create Information Security Agency (9 October 2003)
The European Parliament has approved a proposal to establish the European Network and Information Security Agency with a five-year charter. The agency's focus will be on creating a common approach to cyber security matters among member nations.

DHS to Launch Real-Time Data Collection System (6 October 2003)
The Department of Homeland Security (DHS) is developing a real-time cyber event data collection system. The recently formed US-CERT will be the hub for data collected from more than 200 private, public and university CERTs. The information will then be shared with private sector Information Sharing and Analysis Centers (ISACs). The system will be launched in December; Robert Liscouski, assistant secretary of homeland security for infrastructure protection, said that over the course of the next year DHS hopes to reduce response time to cyber events to an average of 30 minutes.

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) WATCH FOR ATTACKERS. THEN BOTCH THEIR ATTACKS. Foolproof Intrusion Prevention. FREE Demo.

(2) ALERT - Are you ready for Sobig.G? *** free white paper

(3) Free Yankee Group Report: Network Integrity Systems Clear Paths for Business Productivity



Cyber Security Efforts Could be Required in SEC Filings (9 October 2003)
Department of Homeland Security (DHS) Secretary Tom Ridge and Securities and Exchange Commission (SEC) chairman William Donaldson met to discuss the possibility of requiring companies to include information about their "cybersecurity efforts" in future SEC filings.

Home Users Investing More in Security (9 October 2003)
According to data from technology research company NPD Group, home computer users bought 127% more security products in August 2003 than they did in August 2002. Security software sales increased dramatically right after Sobig and MSBlast appeared.

Securing the Perimeter: Microsoft's New Security Initiative (8/9/10 October 2003)
Microsoft CEO Steve Ballmer says that in a renewed effort to improve the security of its products, the company will focus on improving its patching systems, improving security in Windows XP and educating its customers. Microsoft will immediately move to releasing software updates on a monthly schedule, except when a specific vulnerability poses a significant threat of attack. In XP, certain security features will be turned on by default. Senior VP Bob Muglia says the change will take time.
[Editor's Note (Ranum): Security 101 says that unnecessary features should be turned off by default. Never mind turning on XP's lame firewall filtering - give me the ability to turn off DCOM and SMB. Or better yet, give me the ability to turn them on only if I want them.]

House Passes Government Peer-to-Peer Security Bill (8 October 2003)
The House has passed a bill requiring government agencies to implement plans that protect their computer systems from the security threats presented by peer-to-peer file sharing software. Agencies would have six months from the time the bill is signed into law to establish their plans.
Text of H.R. 3159 as passed by the House:

Gartner Report Warns of Dangers Inherent in Reliance on a Single Platform (8 October 2003)
A Gartner paper says that businesses' heavy reliance on Windows operating systems makes them more vulnerable to cyber attacks. Gartner recommends spreading "critical business functions" across a variety of platforms. The report acknowledges that diversifying platforms is costly, but points out that diversity adds immunity against malware that targets Windows systems, and also puts pressure on Microsoft to improve its products' security.
[Editor's Note (Ranum): The "diversity" model is getting a lot of air play recently but many people are forgetting that it's only an *analogy*. The actual differences between computer networks and biological immune systems are vast and fundamental. Putting so much weight behind an analogy is dangerous and possibly even deceptive. I've written a brief editorial on the flaws in the analogy and the danger of using analogy in such an argument and posted it on:

UK's NHTCU Examining Malware Code for Clues to Authorship (8 October 2003)
Britain's National Hi-Tech Crime Unit (NHTCU) is working with anti-virus firms to examine the source code of the most harmful worms and viruses to see if there are clues to the identities of the malware's authors. There is some suspicion that organized crime or subversive groups may be responsible.

Teen Claims Computer was Hijacked (8/9 October 2003)
Aaron Caffrey, the UK teenager who has been accused of launching an attack that brought down the computer system of the Port of Houston (TX), now claims that someone remotely accessed his computer to launch the attack. Caffrey also claims that chatroom log files showing the precise moment of the attack had been altered. Professor Neil Barrett, who testified as an expert witness, said there was no evidence that the log files had been altered. He acknowledged that he did not examine the actual hard drive in question, but said that he did have a "forensically sound" image of it on CD-ROM.

Penetration Testing ROI (7 October 2003)
The last in a four-article series on penetration testing discusses demonstrating return on investment (ROI).

Former Employee Pleads Guilty to Cyber Intrusion (6 October 2003)
Andrew Garcia, a former network administrator for ViewSonic, has pleaded guilty to accessing a company computer and deleting files shortly after he was fired. Garcia used another employee's account to gain access to the server. He will be sentenced early next year and could face five years in prison and a $250,000 fine.

NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit http://portal.sans.org/