
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #28

July 11, 2001

TOP OF THE NEWS

10 July 2001 "Serious" Vulnerability In Check Point Firewalls
6 July 2001 PayPal Fights Back Against On-line Fraud, And Wins
6 July 2001 One Third Of On-Line Workers Monitored Constantly
5 July 2001 Oracle Patches High Risk Security Hole in 8i
2 July 2001 NSA's Windows 2000 Security Guides Have Moved

THE REST OF THE WEEK'S NEWS

6 July 2001 Welsh Hacker Sentenced After Causing $2.8 Million in Fraud
5 July 2001 Security Vendors' Revenue Slows
4 July 2001 Eli Lilly Exposes Customer E-Mail Addresses
3 July 2001 Shopping Cart Software Flaw Still Prevalent
3 July 2001 Canada Aims for Secure E-Government
3 July 2001 The Serious Underbelly of Cyber Attacks
2 July 2001 Crackers May Have Tested Distributed Spamming
2 July 2001 Teenager Allegedly Attacked NASA Computer
2 July 2001 Firewall Appliances Outsold Software Firewalls In 2000
29 June 2001 Visa Announces Authentication Specs



TOP OF THE NEWS

10 July 2001 "Serious" Vulnerability In Check Point Firewalls

A hole has been discovered that allows outsiders to snoop inside networks that are protected by Check Point Firewalls. The vulnerability exploits the fact that RDP packets traverse Check Point firewall gateways. Representatives of CERT/CC called the problem serious.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO62105,00.html.html
Advisory:
-http://www.checkpoint.com/techsupport/alerts/rdp.html
Patch:
-http://www.checkpoint.com/techsupport/downloads.html

6 July 2001 PayPal Fights Back Against On-line Fraud, And Wins

After losing more than $100,000 to Russian hackers and far more to other credit card thieves, PayPal executives decided that either they would defeat on-line fraud or fraud would defeat them. This Newsweek article tells the story of how they are winning the war.
-http://www.msnbc.com/news/597642.asp?0si=-

6 July 2001 One Third Of On-Line Workers Monitored Constantly

The Privacy Foundation reported that employers are monitoring email and/or web surfing activities of 30 to 40 per cent of all US workers who have an Internet connection. The story includes a very useful question and answer feature about how much monitoring is legal and what type of communication is private.
-http://www.msnbc.com/news/597135.asp?0si=-

5 July 2001 Oracle Patches High Risk Security Hole in 8i

Oracle acknowledged a buffer overflow problem in the "listener" component of its database. An attacker who exploits the vulnerability can read or change any information in the database. Oracle issued a patch.
-http://news.cnet.com/news/0-1003-200-6469566.html?tag=owv
[Editor's (Paller) Note: This unfortunate programming error creates an opportunity for Oracle to demonstrate leadership in database security by taking responsibility for actively verifying that all its clients have corrected the problem. ]

2 July 2001 NSA's Windows 2000 Security Guides Have Moved

Everyone who tried (and failed) to download NSA's Windows 2000 security guides will be happy to know the guides are now more fully available. There are five valuable inf files and sixteen guides (including the first update to the "Secure Configuration and Administration of IIS" guide).
-http://nsa1.www.conxion.com/win2k/index.html



THE REST OF THE WEEK'S NEWS

6 July 2001 Welsh Hacker Sentenced After Causing $2.8 Million in Fraud

Raphael Gray, the Welsh hacker who used Bill Gates's credit card to send the Microsoft CEO a large shipment of Viagra, was sentenced to three years of community rehabilitation with psychiatric care for what the defense called an obsessive medical condition.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2783016,00.html

5 July 2001 Security Vendors' Revenue Slows

Financial results reported by ISS, Check Point, Symantec, Certicom, Watchguard and Baltimore disappointed analysts and caused stock prices to fall.
-http://www.computerworld.com/cwi/stories/0,1199,NAV65-663_STO61886,00.html
[Editor's (Paller) Note: In several cases the company's revenue was up sharply from the prior year's results. The disappointments came in large part because the vendors had expected more growth and had increased their expenses to meet explosive demand. When that demand didn't appear, their earnings plummeted. In other words, the industry is healthy, but expectations had gotten out of line. ]

4 July 2001 Eli Lilly Exposes Customer E-Mail Addresses

Eli Lilly and Co. mistakenly sent messages containing more than 600 e-mail addresses to customers of a reminder service. Many of the customers are taking medication for depression, bulimia, or obsessive-compulsive disorder.
-http://washingtonpost.com/wp-dyn/articles/A14311-2001Jul3.html

3 July 2001 Shopping Cart Software Flaw Still Prevalent

Although a flaw in PDG shopping cart software has been public knowledge since April, some e-commerce sites still have not repaired the hole, leaving customer credit card data and merchant identification numbers available to crackers. Lists of vulnerable sites have been appearing in chat rooms.
-http://www.msnbc.com/news/595932.asp?0dm=T21AT

3 July 2001 Canada Aims for Secure E-Government

The Canadian government hopes to have its online network running by 2004. It hopes to allow Canadian citizens to pay their taxes, apply for benefits and conduct other government business online with assured privacy and security.
-http://www.fcw.com/fcw/articles/2001/0702/web-canada-07-03-01.asp

3 July 2001 The Serious Underbelly of Cyber Attacks

High profile cyber crimes like defacements and denial-of-service attacks distract from the greater threats of backdoors and cryptoviruses, say information warfare specialists.
-http://www.wired.com/news/politics/0,1283,44955,00.html

2 July 2001 Crackers May Have Tested Distributed Spamming

Crackers have apparently used a worm-generating tool to create a program that turns infected PCs into zombie spammers.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2781893,00.html
[Editor's (Schultz) Note: This represents an extremely serious threat in that virtually everyone who downloads e-mail could potentially (and unwittingly) be turned into a spammer. This reinforces the need for virus walls at network gateways as well as other measures. ]

2 July 2001 Teenager Allegedly Attacked NASA Computer

An Albuquerque teenager stands accused of breaking into a NASA computer at the Ames Research Center in California. The alleged attack took place in April 2000.
-http://www.msnbc.com/news/595392.asp?0dm=T22AT

2 July 2001 Firewall Appliances Outsold Software Firewalls In 2000

IDC reports that, for the first time, more money was spent on pre-configured hardware firewalls than on software firewalls in 2000. Lack of trained staff to monitor and configure the software firewalls has led to the switch, according to IDC.
-http://www.computerworld.com/cwi/stories/0,1199,NAV65-663_STO61833,00.html

29 June 2001 Visa Announces Authentication Specs

Visa International, Inc. has announced technical specifications for payment authentication services. The 3-D Secure 1.0 specifications will allow e-merchants to use their own processing systems while establishing a connection between customers, card issuers, and themselves to authenticate transactions.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO61789,00.html



Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Howard Schmidt, Eugene Schultz