SANS NewsBites - Volume: VI, Issue: 24


At the end of this issue we provide a review of methods and resources available from SANS that federal agencies may use to meet the training requirements in FISMA.

*************************************************************************
SANS NewsBites                     June 16, 2004                    Volume: VI, Issue: 24
*************************************************************************
TOP OF THE NEWS

  OPM Releases IT Security Training Guide
  Defense Department Software Security Initiative
  Survey Finds Intrusions and Attendant Losses are Down Again
  Ohio Officials Certify Voting System with Paper Audit Trail

THE REST OF THE WEEK'S NEWS

  NIST Releases Final Information Mapping Guide
  Arrests in Half-Life Code Theft
  Taiwanese Man Arrested for Alleged Data Theft
  Saudi Graduate Student Acquitted of Patriot Act Charges
  Stolen Laptop Contains Information About Blood Donors
  Laptops Purchased at Auction Still Hold Old Data
  AT&T CSO Sings Intrusion Prevention Systems' Praises
  Time Spent Planning for Business Continuity and Disaster Recovery is Well Worth the Investment

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

  RealPlayer Flaw
  Optix Pro Trojan Author Admits to Embedding Master Password
  Critical Flaw in Oracle's 11i E-Business Suite and Applications 11.0
  Korgo Author Could be Honing Attack Strategy
  Six Vulnerabilities in Concurrent Versions System
  Cisco CatOS Vulnerability
  Internet Explorer Vulnerabilities

SPECIAL

  SANS Training Resources That Can Be Used To Meet Federal FISMA Requirements


*********************** Sponsored by NetIQ *******************************

Free Security Event Management Guide

Do you need more efficient, automated log management methods and tools to manage the terabytes of information generated by your Security Event Management systems? Download our free guide, "Log Management: Closing the Loop on Security Event Management," to discover the crucial role that log management plays as part of a complete Security Event Management solution.

http://www.netiq.com/f/form/form.asp?id=2469&origin=NS_Sans_061604

*************************************************************************

TOP OF THE NEWS

OPM Releases IT Security Training Guide (14 June 2004)
The Office of Personnel Management (OPM) has released a four-step process to help agencies ensure their employees receive adequate IT security training. The rules vary depending on employees' IT security roles and responsibilities.
-http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26205

(Editor's Note (Tan): A very good move by OPM. Users are usually the weakest link in security. The requirements for different roles of people provide a clearer guide on what they need to know. Security training is not just for end users but for all levels of staff, including the top management. In fact, it is important for the top management to have a better understanding of security so that they can make a better risk decision.)

Defense Department Software Security Initiative (11 June 2004)
The Defense Department (DOD) is examining ways to amend software acquisition policy and certification procedures to disallow products and services that are "too risky." The initiative will evaluate vendors, products and business practices.
-http://www.govexec.com/story_page.cfm?articleid=28735&printerfriendlyVers=1
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26178



Survey Finds Intrusions and Attendant Losses are Down Again (10 June 2004)
A Computer Security Institute (CSI) survey of nearly 500 US security professionals found that for the third year in a row, the incidence of cyber intrusions has decreased. 53% of respondents said they had experienced an intrusion in the past year, down from 56% in 2003. The average annual cost of intrusions per company was approximately USD$286,000 in the 2004 survey compared with approximately USD$380,000 in the 2003 survey.
-http://www.securityfocus.com/printable/news/8883
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=21700472


Ohio Officials Certify Voting System with Paper Audit Trail (10 June 2004)
Election officials in Ohio have certified a touch-screen voting system that provides a voter-verified paper audit trail. A recently passed law in Ohio requires that the voting machines provide paper trails.
-http://www.fcw.com/geb/articles/2004/0607/web-accupoll-06-10-04.asp
(Editor's Note (Schultz): Ohio has done the right thing--now it is the federal government's turn to pass legislation that requires paper audit trails for voting systems.)


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.


(1) CIPHERTRUST WHITE PAPER: Control spam, viruses, phishing.
"Selecting an Email Security Solution"
http://www.sans.org/click.php?id=478


(2) Better perimeter protection with the Symantec Gateway Security 5400 Series.
Click here.
http://www.sans.org/click.php?id=479


(3) ALERT: Learn about the software tools spammers use. You'll be amazed.
**FREE White Paper **
http://www.sans.org/click.php?id=480


*************************************************************************

THE REST OF THE WEEK'S NEWS

NIST Releases Final Information Mapping Guide (14 June 2004)
The National Institute of Standards and Technology (NIST) has released the final version of Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The guide is designed to help agencies comply with Federal Information Security Management Act (FISMA) provisions that require them to assess the impact of compromises to the information they store.
-http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26209

-http://csrc.nist.gov/publications/nistpubs/#sp800-60


Arrests in Half-Life Code Theft (11 June 2004)
People in several countries have been arrested in connection with last year's theft of the code for Valve Corp.'s Half-Life 2 computer game. Valve Corp. says that some of its customers aided the investigation by submitting and analyzing information.
-http://www.washingtonpost.com/ac2/wp-dyn/A33214-2004Jun10?language=printer
-http://news.bbc.co.uk/2/hi/technology/3797167.stm
-http://www.gamespot.com/news/2004/06/10/news_6100381.html


Taiwanese Man Arrested for Alleged Data Theft (10 June 2004)
Taiwan's Criminal Investigation Bureau has arrested a man in connection with the theft of large quantities of sensitive personal data, including banking and auction-site account numbers and codes. Chen Chung-shun is suspected of working with others to use a Trojan horse program to obtain the information. As many as 200,000 account numbers may have been compromised. Chen also allegedly stole money after transferring it from the compromised accounts.
-http://www.taipeitimes.com/News/taiwan/archives/2004/06/10/2003174478/print


Saudi Graduate Student Acquitted of Patriot Act Charges (10 June 2004)
A jury acquitted Saudi graduate student Sami Omar Al-Hussayen of charges that he "fostered terrorism" by serving as webmaster for several sites that prosecutors maintained were used to "recruit terrorists, raise money and disseminate inflammatory rhetoric." The case is a significant test of a provision of the Patriot Act that "makes it a crime to provide expert advice or assistance to terrorists." Despite his acquittal, Al-Hussayen, who was studying computer science at the University of Idaho, will be deported.
-http://www.guardian.co.uk/worldlatest/story/0,1280,-4193164,00.html


Stolen Laptop Contains Information About Blood Donors (10 June 2004)
A laptop containing information about blood donors of the University of California Los Angeles Blood and Platelet Center was stolen late last year; the Center has sent letters to the 145,000 affected people warning them they could be at risk for identity theft. The stored information included names, birth dates and social security numbers. The database was password-protected but not encrypted; police are investigating. University officials were not aware of the "significance" of the theft until a security audit last month. A second laptop was stolen from the University health center several weeks ago.
-http://zdnet.com.com/2102-1105_2-5230662.html?tag=printthis
(Editor's Note (Grefer): For laptops running the Microsoft Windows XP Professional operating system, a quick and easy way to add another layer of security is to encrypt the pertinent directory or directories. HOW TO: Encrypt a Folder in Windows XP
-http://support.microsoft.com/default.aspx?scid=kb;en-us;q308989&sd=tech
INFO: Understanding Encrypted Directories
-http://support.microsoft.com/default.aspx?scid=kb;en-us;248723&sd=tech)
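As an added illustration of the folder encryption Grefer's note points to (this script is not part of the original newsletter or the Microsoft articles), the same EFS protection can be applied and verified from a command prompt with the cipher tool that ships with Windows XP Professional; the folder path C:\DonorRecords is a placeholder.

```batch
@echo off
rem Added example: enable EFS on a folder from the command line and verify the result.
rem Assumes Windows XP Professional on an NTFS volume; C:\DonorRecords is a placeholder path.
set "TARGET=C:\DonorRecords"

if not exist "%TARGET%\" (
    echo Folder %TARGET% not found.
    exit /b 1
)

rem /E encrypts, /S: recurses into subfolders, /A also operates on the files already present.
rem Without /A only the folder attribute changes and existing files stay in the clear;
rem new files created in the folder afterwards are encrypted either way.
cipher /E /S:"%TARGET%" /A

rem A listing (no /E or /D) prints one line per entry with a U (unencrypted) or E (encrypted)
rem flag, so any remaining U shows a file that was skipped and still readable offline.
cipher /S:"%TARGET%"
```

EFS keys are unlocked by the Windows logon, so the protection is only as strong as that account's password, and a stolen disk read from another system sees only ciphertext for the E-flagged files.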


Laptops Purchased at Auction Still Hold Old Data (9/7 June 2004)
Swedish company Pointsec Mobile Technologies bought used laptop computers on the Internet or at public auction, only to find that many of them still contained easily accessible sensitive information. One hard drive bought from eBay contained login codes, passwords, payroll details and customer pension plan information for a large European insurance company. Computers lost at airports or train stations and then auctioned off are especially vulnerable.
-http://www.computerworld.com/printthis/2004/0,4814,93742,00.html
-http://www.theregister.co.uk/2004/06/07/hdd_wipe_shortcomings/print.html


AT&T CSO Sings Intrusion Prevention Systems' Praises (8 June 2004)
Speaking at the Gartner Information Technology Security Summit in Washington DC, AT&T CSO Edward Amoroso said that intrusion prevention systems (IPS) offer the best protection against vulnerable software and that IPS has been notably effective at protecting his company's corporate network. Amoroso also said the patching and testing cycle is overwhelming to system administrators.
-http://www.fcw.com/fcw/articles/2004/0607/web-att-06-08-04.asp


Time Spent Planning for Business Continuity and Disaster Recovery is Well Worth the Investment (June 2004)
Organizations would be well-advised to take the time to develop business continuity, resilience and disaster recovery plans, though many don't do so, according to Stephen Northcutt.
-http://www.cyberdefensemag.com/articles2.php


WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

RealPlayer Flaw (12 June 2004)
RealNetworks, Inc. is encouraging its customers to upgrade versions of RealOne Player and RealPlayer to fix a flaw in the programs' core component that could allow attackers to run code on vulnerable machines. All current versions are affected.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci969919,00.html



Optix Pro Trojan Author Admits to Embedding Master Password (11 June 2004)
The author of Optix Pro, a popular, free Trojan horse program, has admitted that he embedded a "master password" in the program which could allow him to take control of vulnerable machines. He said he did it so that if law enforcement officials were to discover his identity, he could make the password public, thereby lessening its appeal to others.
-http://www.securityfocus.com/printable/news/8893
(Editor's Note (Ranum): Lie down with dogs; wake up with fleas. Use hacker tools; run code the hackers want you to run.)

Critical Flaw in Oracle's 11i E-Business Suite and Applications 11.0 (11/9 June 2004)
Oracle has released a patch for SQL injection vulnerabilities in its 11i E-Business Suite and Applications 11.0.
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39183035-39001150t-39000005c

-http://www.fcw.com/fcw/articles/2004/0607/web-oracle-06-10-04.asp
-http://www.eweek.com/print_article/0,1761,a=129099,00.asp


Korgo Author Could be Honing Attack Strategy (10/9 June 2004)
Though the Korgo worm initially appeared to be a relatively harmless Sasser copycat, the rapid appearance of twelve successive variants suggests that the worm's author may be fine-tuning it for use in a serious attack in the future. Sasser seems to have opened the door for other malware to exploit the LSASS vulnerability.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci969764,00.html

-http://www.usatoday.com/tech/news/computersecurity/2004-06-09-sasser_x.htm


Six Vulnerabilities in Concurrent Versions System (10 June 2004)
The security holes could allow denial-of-service attacks or let attackers run malicious code. Two weeks ago, someone used another vulnerability to break into the CVS project website; the subsequent audit led to the discovery of these six holes. The CVS project has released an update to address the vulnerabilities.
-http://www.computerworld.com/printthis/2004/0,4814,93754,00.html


Cisco CatOS Vulnerability (10 June 2004)
Cisco is encouraging customers to download patches for a flaw in its Catalyst Operating System (CatOS) that could be exploited to launch a denial-of-service attack.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci969706,00.html



Internet Explorer Vulnerabilities (11/10/9 June 2004)
The security flaws could allow an attacker to run code on vulnerable systems. Due to the critical nature of the vulnerabilities, users are encouraged to disable Active Scripting support on all but trusted web sites. A Microsoft spokesperson said the company is considering what steps to take, including the possibility of releasing a patch outside of its regular monthly update. Someone has apparently exploited the flaws to install adware on vulnerable computers.
-http://www.computerworld.com.au/index.php?id=117316298&eid=-255
-http://www.computerworld.com/printthis/2004/0,4814,93802,00.html
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39182874-39001150t-39000005c

-http://www.kb.cert.org/vuls/id/713878


SPECIAL

Special Section On SANS Training Resources To Meet Federal FISMA Requirements
SANS offers off the shelf and customizable training that meets or exceeds the requirements shown below. We list the rule and then describe what we offer.

(1) All users of Federal information systems must be exposed to security awareness materials at least annually. Users of Federal information systems include employees, contractors, students, guest researchers, visitors, and others who may need access to Federal information systems and applications.

SANS offers a one-day train-the-trainer course in Security Awareness, based on the NIST Security Awareness guidance, that includes an Awareness presentation the student can give in their own organization. We also have online Awareness training that includes a monthly newsletter.
-http://www.sans.org/awareness/

(2) Executives must receive training in information security basics and policy level training in security planning and management.

SANS offers a one day information security basics course available onsite upon request.
-http://www.sans.org/onsite/


(3) Program and functional managers must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/ application life cycle management, risk management, and contingency planning.

(4) Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) must receive training in information security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.

SANS offers the most popular IT management training course available; it is generally sold out at conferences and covers all of the requirements listed above.
-http://www.sans.org/sansfire2004/description.php?tid=11
System-specific training for Windows and Unix is also available:
-http://www.sans.org/sansfire2004/description.php?tid=17
-http://www.sans.org/sansfire2004/description.php?tid=45
SANS Security Leadership Essentials, Securing Windows, and Securing Unix are all available onsite:
-http://www.sans.org/onsite/


(5) IT function management and operations personnel must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/ application life cycle management, risk management, and contingency planning.

SANS offers both a CompTIA Security+ level security basics course, Introduction to Information Security:

-http://www.sans.org/sansfire2004/description.php?tid=21
and the more advanced SANS Security Essentials, Bootcamp Style, a hands-on, intense opportunity to come up to speed fast:
-http://www.sans.org/sansfire2004/description.php?tid=23

Provide the Federal information systems security awareness material/exposure outlined in NIST guidance on IT security awareness and training to all new employees before allowing them access to the systems. Provide information systems security refresher training for agency employees as frequently as determined necessary by the agency, based on the sensitivity of the information that the employees use or process. Provide training whenever there is a significant change in the agency information system environment or procedures or when an employee enters a new position that requires additional role-specific training.
[FR Doc. 04-13319 Filed 6-10-04; 8:45 am ]


Finally, SANS material is modular and can be quickly customized for specific Agency requirements.

== end ==


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/