SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #1
January 03, 2001
The first story in this issue, showing vulnerability scanners failing
to find common, dangerous vulnerabilities, is a sobering note on which
to begin the new year. On the other hand, there is much reason for
optimism that 2001 will be the year in which security professionals
finally begin to make real progress in turning the tide against the
attackers. It's a great time to be in the security field.
TOP OF THE NEWS
2 January 2001 Vulnerability Scanners Fail To Find Common Vulnerabilities
27 December 2000 ADL, Nasdaq Sites Targeted by Crackers
27 December 2000 Internet Credit Card Theft
25 December 2000 Bush May Name Tech Czar
24 December 2000 Security Progress is Slow
24 December 2000 2000's Top Ten Security Stories 2000
THE REST OF THE WEEK'S NEWS
29 December 2000 NIPC Warns of Potential DDoS Attacks
29 December 2000 Wireless Viruses in the Future
29 December 2000 Chinese Internet Crime Laws
29 December 2000 Marines to Get Smart Card IDs
29 December 2000 Securing E-Commerce
28 December 2000 Y2K Problems?
28 December 2000 The Year in Privacy
28 December 2000 eBay Alerts Customers to Spurious E-Mail
28 December 2000 Indian Dept. Store Site Attack
27 December 2000 ActiveX Security
27 December 2000 Microsoft Security Breach Could Threaten National Security
26 December 2000 Cyber Warfare Threat; Cyberincident Group Meets
26 December 2000 No New Egghead Info; MasterCard States Security Policy
PROFESSIONAL DEVELOPMENT NEWS
2 January 2001 Deadline For Early Registration Discount At SANS Security New Orleans Is January 9
2 January 2001 New Cities Announced for Security Training
****************** This Issue Sponsored By PentaSafe *****************
You know what your security policies are and what they are meant to do.
Does everyone else?
"By introducing the new VigilEnt Policy Center(tm), PentaSafe has
finally given security officers a single point for automating security
policy creation, distribution, awareness, and tracking throughout the
Click here http://www.pentasafe.com/products/policyoverview.htm to see
an online demo, or sign up for a webinar or seminar in your area.
TOP OF THE NEWS
2 January 2001 Vulnerability Scanners Fail To Find Common Vulnerabilities
Network Computing magazine laboratory tests show that all of the popular vulnerability assessment packages failed a test against systems seeded with seventeen known, dangerous ("NASTY") vulnerabilities. A table shows the results by product, operating system, and vulnerability. The bottom line: relying on a single vulnerability assessment tool is dangerous.
[Editor's (Paller) Note: This type of research is of enormous value. It will cause products to improve and cause users and consultants to be more careful and comprehensive in their analyses. ]
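One practical consequence of the test result is that findings from several tools have to be merged and the gaps between them reviewed by hand. The following Go program is an added illustration of that merge; it is not from the magazine article or from any scanner vendor. The "host,port,issue" export format, the tool names toolA and toolB, and the issue labels in the two sample reports are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one normalized scanner result.
type Finding struct {
	Host, Port, Issue string
}

// Key folds case so "Directory Traversal" and "directory traversal" dedupe.
func (f Finding) Key() string {
	return f.Host + ":" + f.Port + ":" + strings.ToLower(f.Issue)
}

// ParseReport reads "host,port,issue" lines (an invented interchange format,
// not any real scanner's export) into a set keyed by Finding.Key.
func ParseReport(report string) map[string]Finding {
	out := make(map[string]Finding)
	for _, line := range strings.Split(report, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, ",", 3)
		if len(parts) != 3 {
			continue // malformed line; a real tool would log it
		}
		f := Finding{
			Host:  strings.TrimSpace(parts[0]),
			Port:  strings.TrimSpace(parts[1]),
			Issue: strings.TrimSpace(parts[2]),
		}
		out[f.Key()] = f
	}
	return out
}

// Coverage is the union of every tool's findings plus what each tool missed.
type Coverage struct {
	Union  []string
	Missed map[string][]string
}

// Compare takes tool name -> findings and reports per-tool gaps, sorted so the
// output is stable from run to run.
func Compare(reports map[string]map[string]Finding) Coverage {
	seen := make(map[string]bool)
	for _, r := range reports {
		for k := range r {
			seen[k] = true
		}
	}
	cov := Coverage{Missed: make(map[string][]string)}
	for k := range seen {
		cov.Union = append(cov.Union, k)
	}
	sort.Strings(cov.Union)
	for tool, r := range reports {
		missed := []string{}
		for _, k := range cov.Union {
			if _, ok := r[k]; !ok {
				missed = append(missed, k)
			}
		}
		cov.Missed[tool] = missed
	}
	return cov
}

// Constructed sample exports for two hypothetical tools; the issue labels are
// placeholders, not results from any real product.
const ToolA = `# host,port,issue
10.0.0.5,80,Directory Traversal
10.0.0.5,21,writable anonymous FTP
10.0.0.7,111,format string in RPC service
`

const ToolB = `# host,port,issue
10.0.0.5,80,directory traversal
10.0.0.7,111,format string in RPC service
10.0.0.7,53,DNS server buffer overflow
10.0.0.5,139,null session share enumeration
`

// SampleCoverage runs the comparison on the constructed exports.
func SampleCoverage() Coverage {
	return Compare(map[string]map[string]Finding{
		"toolA": ParseReport(ToolA),
		"toolB": ParseReport(ToolB),
	})
}

func main() {
	cov := SampleCoverage()
	fmt.Printf("%d distinct findings across all tools\n", len(cov.Union))
	for tool, missed := range cov.Missed {
		fmt.Printf("%s missed %d: %v\n", tool, len(missed), missed)
	}
}
```

Anything that appears in exactly one tool's output is the list to verify manually: it is either a false positive from that tool or a true finding the others missed, and on the magazine's evidence the second case is common.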
27 December 2000 ADL, Nasdaq Sites Targeted by Crackers
The Anti-Defamation League (ADL) web site was defaced by pro-Palestinian crackers. The site was taken down within minutes of the attack being detected and was back up four hours later. In an unrelated incident, a cracker replaced the Nasdaq 100 Index web page with a statement about Windows server security. The cracker also referred to a Brazilian cracker group believed to be responsible for defacing several US government sites in March 2000.
ADL Site:
27 December 2000 Internet Credit Card Theft
Several people share their stories of having credit cards stolen and used for fraudulent charges. One victim is also an Egghead customer. (Egghead recently suffered a security breach that may have exposed customers' credit card information.) The thieves made charges of less than $20 to the cards.
25 December 2000 Bush May Name Tech Czar
President-elect Bush is likely to name a tech czar to oversee technology policy. Among those being considered for the position are former Michigan Senator Spencer Abraham (R) and Silicon Valley venture capitalist Floyd Kvamme.
[Editor's (Bradford) Note: Senator Abraham's out of the running for tech czar, since he was named Secretary of Energy. ]
24 December 2000 Security Progress is Slow
Experts warn that it may take a major cyber catastrophe to convince private industry and government to cooperate in securing computer systems against attack. The article also offers a list of security incidents that took place over the last year.
24 December 2000 2000's Top Ten Security Stories 2000
ZDNet's list includes VBS/Kakworm, data theft, the ILOVEYOU worm, February's distributed denial of service attacks, and home users who indiscriminately click on attachments and leave shared hard drives open to the Internet.
[Editor's (Cowan) Note: A good story, but it does not mention the fundamental shift in viruses in 2000: viruses can now be crafted to infect computers based only on MS Outlook's preview of the mail, without ever opening it. ]
********************** Also Sponsored by Symantec ********************
Proactively exploiting mission critical vulnerabilities
Vulnerabilities can often be overlooked by even the most knowledgeable
IT and security professionals. Symantec's Enterprise Security enforces
policy compliance & vulnerability assessment to help safeguard your
mission-critical applications and exploit those hidden vulnerabilities.
To register for the "Everything You Need to Know About Vulnerability
Assessment" Webcast on January 25, 2001, visit:
THE REST OF THE WEEK'S NEWS
29 December 2000 NIPC Warns of Potential DDoS Attacks
The National Infrastructure Protection Center (NIPC) posted an advisory asserting that distributed denial of service (DDoS) attacks could be launched over the holiday weekend and issued guidance on protecting systems.
[Editors' Note: GIAC reported no attacks. Sometimes heightened monitoring and visibility can be a deterrent. ]
29 December 2000 Wireless Viruses in the Future
Virus warnings concerning PDAs are mostly vendor hype. The problem will become real in about a year, however.
[Editor's (Cowan) Note: The PDA vendors are feverishly working to destroy PDA security by adding facilities to execute mobile code. ]
29 December 2000 Chinese Internet Crime Laws
China recently passed a resolution that criminalizes e-mail tampering, infiltrating national defense networks, creating and distributing viruses, and using the Internet to promote Taiwanese independence.
29 December 2000 Marines to Get Smart Card IDs
Marine Corps personnel at Quantico will start using smart cards as standard identification in February. The cards can hold up to 32K of data and may store critical medical information and training scores.
[Editors' Note: Smart cards may be the best form of authentication. ]
29 December 2000 Securing E-Commerce
Security experts say the best way to protect customers' credit card information is to have them enter it in full each time they shop online. Short of that inconvenient measure, e-commerce merchants should encrypt stored customer data, test their sites for security vulnerabilities, and establish security teams to patch holes and stay on top of security alerts.
[Editor's (Cowan) Note: Because the encryption keys must be stored on the web server for the transaction to be processed, host security on e-commerce servers needs to be really good. ]
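One design that keeps the decryption key off the web tier altogether, shown here as an added example that is not from the article or the newsletter: the web server holds only an RSA public key, seals each stored card number under a fresh AES-GCM key, and wraps that key to the public key; only a separate back-office host holding the private key can open the record. The order ID is bound to the record as authenticated data. The key label, the order IDs and the card number 4111111111111111 are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the stored record. The web tier can create it; only the
// back-office host holding the RSA private key can open it.
type Envelope struct {
	WrappedKey []byte // per-record AES-256 key, RSA-OAEP(SHA-256) to back office
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext plus tag
	Last4      string // in clear for display/matching; not sensitive alone
}

// keyLabel is the OAEP label; a hypothetical value that must match on both sides.
const keyLabel = "stored-card-key"

// NewBackOfficeKey generates the key pair. In a deployment the private half
// stays on the back-office host; only the public half is copied to the web tier.
func NewBackOfficeKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func validPAN(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// SealCard runs on the web tier with the public key only.
func SealCard(pub *rsa.PublicKey, pan, orderID string) (*Envelope, error) {
	if !validPAN(pan) {
		return nil, errors.New("PAN must be 13-19 digits")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The order ID is authenticated (not encrypted) data, so a record cannot
	// be moved to a different order without failing the GCM tag check.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(orderID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(keyLabel))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// OpenCard runs only on the back-office host that holds the private key.
func OpenCard(priv *rsa.PrivateKey, env *Envelope, orderID string) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, []byte(keyLabel))
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(orderID))
	if err != nil {
		return "", err // wrong key, tampered record, or wrong order
	}
	return string(pt), nil
}

func main() {
	priv, err := NewBackOfficeKey()
	if err != nil {
		panic(err)
	}
	env, err := SealCard(&priv.PublicKey, "4111111111111111", "order-1001") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s, %d ciphertext bytes\n", env.Last4, len(env.Ciphertext))
	pan, err := OpenCard(priv, env, "order-1001")
	fmt.Println("back office recovered PAN:", err == nil && pan == "4111111111111111")
	_, err = OpenCard(priv, env, "order-1002")
	fmt.Println("record bound to wrong order rejected:", err != nil)
}
```

This removes the stored data from what a compromised web server can read back, but it does not change the editor's point about host security: the card number is still in the web server's memory while the transaction is processed, and an attacker who controls that host can capture it there.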
28 December 2000 Y2K Problems?
Though Y2K fixes kept legacy systems operating normally through the date rollover one year ago, some of the patches caused difficulties with applications.
28 December 2000 The Year in Privacy
Top privacy concerns of 2000 included workplace surveillance, medical record privacy, Carnivore, and wireless tracking, according to Privacy Foundation analysis. Some major corporations have created the new position of Chief Privacy Officer.
28 December 2000 eBay Alerts Customers to Spurious E-Mail
eBay is letting its customers know that an e-mail requesting personal information that appears to come from the online auction site is in fact phony. The company is investigating.
28 December 2000 Indian Dept. Store Site Attack
The CEO of an Indian department store web site maintains that a recent crack has been traced to an IP (Internet Protocol) address in the US, and that the breach was due to poor security on the part of the web host.
27 December 2000 ActiveX Security
Security experts have issued a report that offers advice on ActiveX security risks, including how to adjust settings, find auditing tools, and disable controls.
The report can be found at
[Editor's (Cowan) Note: Possibly better advice: Don't use Active-X. Security for mobile applets is a difficult problem, with many varied solutions, ALL of which are better than ActiveX. ]
27 December 2000 Microsoft Security Breach Could Threaten National Security
The Center for Strategic and International Studies (CSIS), a Washington think-tank, recently issued a report cautioning that October's security breach at Microsoft could pose a national security threat. CSIS stated that the "trustworthiness" of Microsoft products could be diminished as a result of the intrusion. Microsoft maintains the intruders never had access to source code.
26 December 2000 Cyber Warfare Threat; Cyberincident Group Meets
Officials are warning that some hostile governments, criminal cartels, and guerrilla groups are conducting cyber-reconnaissance on the computer systems that support US critical infrastructure. In related news, the recently created Cyberincident Steering Group held its first meeting; the group aims to encourage government and private sector cooperation to protect systems from attacks.
26 December 2000 No New Egghead Info; MasterCard States Security Policy
While Egghead is not releasing any new information regarding the recent security breach of its web site, the software firm did confer with credit card companies about potentially exposed customer information. MasterCard issued a statement noting that it requires merchants to encrypt credit card information.
== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail email@example.com with the subject: Subscribe NewsBites
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz