SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #15
April 11, 2001
The number of papers posted in SANS Information Security Reading Room
passed the 500 mark this week. Each is original research by a person
seeking GIAC certification as a security professional, and each has been
checked and graded to ensure value and accuracy. The Reading Room is
one of the great ways that people in security help one another. Use it
whenever you have a question about some area of security that is new to
you. There's no cost. http://www.sans.org/infosecFAQ/index.htm
TOP OF THE NEWS
10 April 2001 Alcatel DSL Models Found Vulnerable
6 April 2001 Outlook 2002 Will Restrict Attachments
5 April 2001 Federal Systems' Security Inadequate
5 April 2001 GAO Says DOE Doesn't Adequately Clear Old Machines
3 April 2001 Wireless LAN Protocol Vulnerabilities
2 April 2001 Web Host Database Stolen
THE REST OF THE WEEK'S NEWS
6 April 2001 Security Projects Likely to Survive Budget Cuts
5 April 2001 FedCIRC Outsources Operations
5 April 2001 Turbo Tax Glitch May Necessitate Password Changes
5 April 2001 Two Indicted in Cisco Stock Theft
5 April 2001 New NIPC Director Accentuates Preventive Security Measures
5 April 2001 CA Democrat Site Security Hole
5 April 2001 Yahoo and eBay Log-Ins Not Always Secure
5 April 2001 Welsh Cracker Says He Used Gates' Credit Card
4 April 2001 IT Should Work With Legal Department
2 April 2001 Industry Says Virus Challenge Irresponsible
2 April 2001 Cloaked Code
2 April 2001 Security Disclosure Could Raise Confidence in Internet
********* Sponsored by VeriSign - The Internet Trust Company *********
Secure all your Web servers now - with a proven 5-part strategy.
The FREE Server Security Guide shows you how:
DEPLOY THE LATEST ENCRYPTION and authentication techniques
DELIVER TRANSPARENT PROTECTION with the strongest security without
disrupting users. And more.
Get your FREE Guide now:
TOP OF THE NEWS
10 April 2001 Alcatel DSL Models Found Vulnerable
Tsutomu Shimomura, a senior fellow at the San Diego Supercomputing Center, discovered numerous flaws in a popular modem supplied by Pacific Bell, Ameritech, Bell Atlantic and others to DSL customers.
6 April 2001 Outlook 2002 Will Restrict Attachments
In an effort to protect users from viruses, Outlook 2002 will reject more than 30 types of file attachments, including .exe, .bat, and .vbs files, CD images and screen-savers. The new restrictions will make it more difficult for people to share information, as the feature is very difficult to disable. Security expert Richard Smith supports Microsoft's endeavor and suggests people compress files they wish to send to others; other experts believe Microsoft should fix its essential security problems instead of treating the symptoms.
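Added example (not from the article and not Microsoft's code): a filename-based attachment filter of the kind the Outlook item describes. The BLOCKED set is a constructed subset, not Microsoft's list of 30-plus types. It shows two details the summary leaves out: the check must use the final extension after Windows' own normalisation of trailing dots and spaces, and the "just compress it" workaround means an archive has to be opened before its contents can be judged.

```python
"""Attachment filtering by file type, added here as an illustration of the
Outlook 2002 change described above; it is not Microsoft's code and the
BLOCKED set is a constructed subset, not Microsoft's list."""
import io
import zipfile

# Constructed subset of attachment types treated as executable content.
BLOCKED = {".exe", ".bat", ".vbs", ".com", ".scr", ".pif", ".iso", ".img"}


def final_extension(filename):
    """Lowercased final extension of an attachment name.
    Trailing dots and spaces are removed first, because Windows strips them
    when saving, so 'setup.exe.' would land on disk as 'setup.exe'."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def is_blocked(filename):
    """True if the attachment would be rejected by extension alone.
    'Invoice.TXT.EXE' is rejected: only the final extension decides."""
    return final_extension(filename) in BLOCKED


def blocked_members(zip_bytes):
    """Names inside a ZIP archive that would be blocked if attached directly.
    Nested archives are not opened; that is a deliberate limit of this check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if is_blocked(name)]


def classify(filename, data=None):
    """'block' for a blocked type, 'inspect' for an archive that carries a
    blocked type (the compress-it workaround mentioned above), else 'allow'."""
    if is_blocked(filename):
        return "block"
    if final_extension(filename) == ".zip" and data is not None and blocked_members(data):
        return "inspect"
    return "allow"


def build_sample_zip():
    """Constructed archive: a text note plus an empty file carrying a blocked name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly figures")
        zf.writestr("tool.exe", "")  # constructed; empty body, only the name matters
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name in ("report.doc", "Invoice.TXT.EXE", "setup.exe.", "tool.zip"):
        print(name, "->", classify(name, sample if name.endswith(".zip") else None))
```

The filter decides on the outer name only; `classify` returns "inspect" rather than "block" for archives because a policy of rejecting every ZIP containing an executable is a business decision, not a technical one.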
5 April 2001 Federal Systems' Security Inadequate
Hackers gained root-privilege control of more than 150 systems at 32 government agencies last year, said federal officials at a congressional hearing, adding that only 20% of such incidents are reported. A General Services Administration (GSA) computer security official said that three-quarters of intrusion attempts on federal systems came from foreign sources. The majority of successful intrusions could have been thwarted had agencies updated their systems.
[Editors' Note: These stories imply that federal systems are less secure than private systems. That's not true. Under the same level of scrutiny, commercial systems would look no better and probably much worse. ]
5 April 2001 GAO Says DOE Doesn't Adequately Clear Old Machines
A General Accounting Office (GAO) report reveals that the Department of Energy (DOE) has no policies for managing used computers and that some retired machines still contain readable data. DOE regulations require that all information be cleared from computers before they are transferred. The GAO recommends that DOE develop and implement procedures for clearing hard drives and that they obtain independent verification that machines have been properly cleared.
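Added example (not from the article, and not DOE's or GAO's procedure): one way to do the "independent verification" the GAO asks for, by reading an image of the retired drive block by block and reporting whether anything readable survives. The image here is a constructed bytes object so the check runs offline; the same function takes an open file on a real image.

```python
"""Independent verification that a retired drive (or an image of it) was
cleared, added here to illustrate the GAO recommendation above. It is not
DOE's or GAO's procedure. The image is read in fixed-size blocks; the report
counts blocks that are not all zero and lists readable ASCII runs found."""
import io
import re

BLOCK = 512
# Eight or more consecutive printable ASCII bytes is a reasonable threshold
# for "readable data"; shorter runs occur by chance in binary content.
PRINTABLE = re.compile(rb"[ -~]{8,}")


def scan_image(fileobj, block_size=BLOCK, max_strings=10):
    """Scan a file-like object and return a summary dict.
    'all_zero' is the test for a zero-fill wipe; 'residual_text' is the test
    that matters for pattern or random overwrites, where non-zero blocks are
    expected but readable text is not. Strings spanning a block boundary are
    not joined, so the string list is a lower bound."""
    total = nonzero = 0
    strings = []
    offset = 0
    while True:
        chunk = fileobj.read(block_size)
        if not chunk:
            break
        total += 1
        if chunk.count(0) != len(chunk):  # fast all-zero test
            nonzero += 1
            for m in PRINTABLE.finditer(chunk):
                if len(strings) < max_strings:
                    strings.append((offset + m.start(), m.group().decode("ascii")))
        offset += len(chunk)
    return {
        "blocks": total,
        "nonzero_blocks": nonzero,
        "strings": strings,
        "all_zero": nonzero == 0,
        "residual_text": bool(strings),
    }


def scan_bytes(data, block_size=BLOCK):
    """Convenience wrapper for an in-memory image."""
    return scan_image(io.BytesIO(data), block_size)


def build_sample_image():
    """Constructed 8-block image: zeroed except for one leftover text fragment."""
    img = bytearray(8 * BLOCK)
    leftover = b"EMPLOYEE RECORD: Jane Doe, badge 00000 (constructed sample)"
    start = 3 * BLOCK + 100
    img[start:start + len(leftover)] = leftover
    return bytes(img)


def verdict(report):
    """Plain-language result for a sanitization checklist."""
    if report["all_zero"]:
        return "cleared (zero-filled)"
    if report["residual_text"]:
        return "NOT cleared: readable data remains"
    return "overwritten with non-zero pattern; no readable text found"


if __name__ == "__main__":
    r = scan_bytes(build_sample_image())
    print(verdict(r), "-", r["nonzero_blocks"], "of", r["blocks"], "blocks non-zero")
    for off, s in r["strings"]:
        print(f"  offset {off}: {s!r}")
```

A drive that was never written is indistinguishable from one that was zero-filled, which is why the check reports both the zero test and the readable-text test: a pattern wipe fails the first and should pass the second.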
3 April 2001 Wireless LAN Protocol Vulnerabilities
A research team from the University of Maryland has identified three new wireless LAN security problems, all dealing with access control and authorization requests. One allows an eavesdropper to sniff the network name, which can then be used to access the network. Exploiting the vulnerabilities is trivial, according to William Arbaugh, assistant professor of computer science and member of the research team.
[Editors' (Murray, Grefer) note: The weakness in WEP is not nearly so serious that it should not be used. In a year or two, we will have hackers harvesting passwords in airports the way they used to harvest electronic serial numbers off the analog cell-phone network. ]
2 April 2001 Web Host Database Stolen
A cracker says he stole a database containing personal information on 46,000 customers of ADDR.com, a Colorado-based web hosting company. Several customers have reported fraudulent charges on their credit cards. The cracker suggested he could use the sites' bandwidth to launch a DoS attack. In addition, the stolen database contains user names and passwords; if customers had not reset their default passwords, the cracker could potentially have altered content on their sites.
[Editor's (Murray) Note: Perhaps not since Clyde Barrow, John Dillinger, and Al Capone have we seen such self-promotion by criminals as we are seeing now. It is very clear that this reporter went to great pains to verify what he was told. However, he seems to demonstrate no concern at all at being used, not to say exploited, by criminals. ]
*********** Also Sponsored by Network-1 Security Solutions ***********
Don't Skimp - Use a Real Firewall on Your Servers
CyberwallPLUS protects NT/ 2000 servers against attacks using stateful
packet inspection and fine-grain access controls. It also provides
active intrusion detection that resides directly on the server. Central
management and logging facilities make it ideally suited for enterprise
deployment. Don't skimp!
Free 30-day evaluation: http://www.network-1.com/support/download.html
THE REST OF THE WEEK'S NEWS
6 April 2001 Security Projects Likely to Survive Budget Cuts
Despite a downturn in IT spending, security projects are likely to escape deep budget cuts. However, managers will face increasing demands for measurable returns on investment from security expenditures.
5 April 2001 FedCIRC Outsources Operations
FedCIRC has outsourced such operations as vulnerability alerts and aiding agencies with response to and recovery from cyber attacks. While Carnegie Mellon University's CERT Coordination Center had provided those services in the past, the Center will now focus on analysis.
5 April 2001 Turbo Tax Glitch May Necessitate Password Changes
A security glitch in Intuit's Turbo Tax software saves investment account passwords to the user's PC or to Intuit's servers when customers import investment tax data from any of seven financial institutions. As many as 150,000 users are affected by the problem. Some of the financial institutions have recommended that customers change their passwords, while others have disabled the affected passwords altogether.
5 April 2001 Two Indicted in Cisco Stock Theft
Geoffrey Osowski and Wilson Tang, both Cisco Systems accountants, have been indicted on charges of computer and wire fraud; the two allegedly transferred millions of dollars worth of Cisco stock to their own accounts by exploiting their positions at Cisco and security flaws in a stock-option distribution processing program. The two men have been fired.
5 April 2001 New NIPC Director Accentuates Preventive Security Measures
Speaking at the National High-Performance Computing and Communication Council conference, new NIPC director Ronald L. Dick encouraged attendees to employ good proactive security measures, including hiring a qualified system administrator, applying patches in a timely fashion, using firewalls and encryption, and maintaining system backups.
5 April 2001 CA Democrat Site Security Hole
A security flaw in the California Democratic Party's web site exposed credit card numbers and other personal data belonging to 54 people who had made contributions. Some of the donors received personal phone calls apologizing for the problem, and no fraudulent use of the cards had been reported. The glitch in the older version of Lotus Notes Domino server allows unrestricted database access by default. MSNBC.com received an anonymous tip about the flaw and passed the information on to party officials.
5 April 2001 Yahoo and eBay Log-Ins Not Always Secure
Yahoo and eBay both allow users to log in to personalized versions of their sites via a secure log-on page. But when accessing features on the site, users are asked to enter their user IDs and passwords again; this time, they are sent across LANs and WANs in clear text.
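Added example (not from the article, and not Yahoo's or eBay's code): an audit check a site operator could run over its own request logs to catch the pattern above, a credential accepted over https and then prompted for again over plain http. SAMPLE_LOG is a constructed proxy-style log carrying only the names of submitted form fields, never their values; the field-name pattern and the log layout are assumptions for the example.

```python
"""Audit check for credentials re-prompted over clear-text HTTP after a secure
login, added to illustrate the pattern reported above. It is not Yahoo's or
eBay's code. SAMPLE_LOG is a constructed proxy-style log (timestamp, method,
URL, names of form fields posted; values are deliberately not logged)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Field names that usually carry a secret; anchored to the end of the name so
# 'user_password' and 'passwd' match but 'passage' does not.
CREDENTIAL_FIELD = re.compile(r"(?:^|[_-])(?:pass(?:word|wd)?|pwd|secret|pin)$", re.I)

# Constructed sample: a secure login, then a re-prompt over http, then a
# credential carried in a GET query string, then an unrelated http POST.
SAMPLE_LOG = """\
2001-04-05T10:00:01 POST https://my.example.test/login fields=login,passwd
2001-04-05T10:00:05 GET https://my.example.test/home fields=
2001-04-05T10:00:09 POST http://my.example.test/prefs fields=login,passwd
2001-04-05T10:00:12 GET http://my.example.test/news?user=alice&pwd=REDACTED fields=
2001-04-05T10:00:20 POST http://my.example.test/search fields=q
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, method, url, field names)."""
    ts, method, url, fields = line.split(" ", 3)
    names = [f for f in fields[len("fields="):].split(",") if f]
    return ts, method, url, names


def credential_names(url, form_fields):
    """Credential-looking names among posted fields and query parameters.
    Query parameters matter because a GET puts them in the URL, where proxies
    and web-server logs record them."""
    query_names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return [n for n in form_fields + query_names if CREDENTIAL_FIELD.search(n)]


def find_cleartext_credentials(log_text):
    """Requests that carry a credential field over plain http."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, method, url, names = parse_line(line)
        hits = credential_names(url, names)
        if urlsplit(url).scheme.lower() == "http" and hits:
            findings.append({"time": ts, "method": method, "url": url, "fields": hits})
    return findings


def downgraded_hosts(log_text):
    """Hosts that accepted a credential over https and later over http:
    the re-prompt pattern described above, as opposed to a site that never
    used TLS at all."""
    secure, clear = set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, url, names = parse_line(line)
        parts = urlsplit(url)
        if credential_names(url, names):
            (secure if parts.scheme.lower() == "https" else clear).add(parts.hostname)
    return sorted(secure & clear)


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_LOG):
        print(f["time"], f["method"], f["url"], "fields:", ", ".join(f["fields"]))
    print("hosts with secure login but clear-text re-prompt:", downgraded_hosts(SAMPLE_LOG))
```

The check is deliberately name-based: logging credential values to find them would create the very exposure being audited.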
5 April 2001 Welsh Cracker Says He Used Gates' Credit Card
A tongue-in-cheek article reports that Raphael Gray, the Welsh teenager who recently pleaded guilty to stealing credit card numbers from several web sites, now claims he made a fraudulent charge on a card belonging to Bill Gates. An expert witness for the prosecution said the claim could be truthful only if Gray had been involved in the attack on the World Economic Forum database in Davos, Switzerland earlier this year.
[Editor's (Grefer) Note: In general, stolen credit cards are made available to the hacker community, through elite mailboxes and networks, very soon after their theft. Only the inexperienced folks are dumb enough to brag about such thefts. ]
4 April 2001 IT Should Work With Legal Department
IT departments that work with corporate legal departments can better provide law enforcement what they need to investigate cybercrime cases, said speakers at a public policy forum sponsored by the Bureau of National Affairs, Inc.
[Editor's (Cowan) Note: Readers are encouraged to express their views on this policy with their feet, er, mice. ]
2 April 2001 Industry Says Virus Challenge Irresponsible
A firewall company is offering a $10,000 reward to any virus writer who can infect a certain machine shielded by its product. The writer will receive $100 for getting a virus past the gateway; the balance will be paid when the author shares information about the creation of the successful virus. Anti-virus experts have called the challenge irresponsible and unethical, and the founder of an on-line virus dictionary points out the company could be held liable for viruses written to meet the challenge.
[Editor's (Cowan) Note: The "irresponsible" aspect of this challenge escapes me. This is precisely the kind of challenge that virus writers face every day (beat the AV scanner). The only problem here is that because it is a public contest, none of the AV companies get to shout "First!" and release a breathless press release announcing their unique discovery of the most deadly virus since smallpox :-) ]
2 April 2001 Cloaked Code
A hacker who also works as a security consultant has developed a technique called polymorphic coding that can be used to disguise malicious code. The cloaking technique thwarts intrusion detection system pattern matching, according to its author.
[Editor's (Murray) Note: This is another case of criminal self-promotion. What is worse, he suggests that any of us might be him. A struggling profession needs members like him like we need a hole in our heads. ]
[(Cowan) This result was inevitable. It was predicted by a landmark 1998 paper by Ptacek and Newsham (
The most interesting aspect of this story is that this approach is now being discussed publicly in very practical forums. Polymorphic code will soon undermine virus detection and IDS systems ]
2 April 2001 Security Disclosure Could Raise Confidence in Internet
The government could boost confidence in the Internet if it required companies to disclose their security measures, just as the SEC required companies to report Y2K preparedness in their earnings reports two years ago, according to Senator Robert Bennett (R-Utah), chairman of the High-Tech Task Force and Special Committee on Y2K.
[Editor's (Cowan) Note: Hear, hear! About time. The only security measures that are likely to survive attack are those that are subject to public scrutiny. See the lessons of the Clipper chip. ]
[(Grefer) Sure, Bob, let's go ahead and make the life of our attackers/intruders much much easier. ]
== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail firstname.lastname@example.org with the subject: Subscribe NewsBites
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz