SANS NewsBites
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Volume III - Issue #3

January 17, 2001


12 January 2001 Police Find Pro-Napster Cracker
12 January 2001 DOJ Computer Crime Procedures
11 January 2001 Offender Registry Site Security Holes
11 January 2001 NT is Most Vulnerable Server Software
10 & 11 January 2001 Los Alamos Employee Charged with Cracking
10 & 11 January 2001 Computer Export Limits Eased
8 January 2001 Court Rules on Private Web Site Access


12 January 2001 AOL Password Glitch
12 January 2001 DOE to Inspect E-Mail
11 & 12 January 2001 IRC DDoS Attack Connected to New Year's Threat
11 January 2001 Data Base Back Door
11 January 2001 Quantum Security Applications
11 January 2001 Hybris Worm
10 January 2001 Security Enhanced Linux
9, 10 & 12 January 2001 IRC DDoS Attacks
9 January 2001 Federal Agencies Need to Educate Employees
9 January 2001 Study Says Security is Challenged
9 January 2001 eBay Privacy Confusion Irks Customers
8 & 9 January 2001 Egghead Says Data Not Compromised
8 January 2001 Advice for Breaking into Security Profession
2 December 2000 Site Offers Attack Tools


Four New Orleans SANS Security Tracks Close
Additional SANS Security Training Conferences Scheduled In Dallas, Orlando, and Ottawa
Windows Security Added To Online Training
Popular KickStart and SANS Security Essentials Programs Available Online.


Is SecurID Safe?

******************** This issue Sponsored by NetIQ *******************
Get expert advice on securing your IT network during NetIQ's "Top 10 IT
Security Threats for 2001" audiocast on Jan. 26. Register now and you'll
qualify to win an autographed copy of "Windows NT/2000 Network Security"
by audiocast guest speaker E. Eugene Schultz.
Register today at: http://www.netiq.com/audiocast/default.asp?Origin=sans


12 January 2001 Police Find Pro-Napster Cracker

Law enforcement officials have confiscated computer equipment from the home of a California teenager who has admitted to defacing hundreds of sites with pro-Napster graffiti. The district attorney's office has not decided if it will press charges.

12 January 2001 DOJ Computer Crime Procedures

Newly published Department of Justice (DOJ) guidelines clarify search and seizure law enforcement procedures in computer crime cases. The article claims that anyone with access to your computer can allow a search without a warrant.
[Editors' (Cowan/Grefer) Note: If you use encryption, and don't share the pass phrase with those who have access to your computer, then your co-workers and family cannot legally or actually grant access.]

11 January 2001 Offender Registry Site Security Holes

The on-line sex offender registries of nine states were found to be running on IIS (Internet Information Server) servers lacking patches for known vulnerabilities, including the Unicode flaw and the more dangerous RDS vulnerability. Intruders could exploit the holes to alter data. Two of the sites had been defaced in the past; most have repaired the security holes.

11 January 2001 NT is Most Vulnerable Server Software

A survey posted on Attrition.org ranks Windows NT as the server platform most often cracked, accounting for nearly 60% of December's recorded defacements. Microsoft may be targeted because it is so widely deployed, or because it has a reputation for hurrying the release of products, which suggests that security might take a back seat.

10 & 11 January 2001 Los Alamos Employee Charged with Cracking

Jerome Heckenkamp, a network engineer at Los Alamos National Laboratory, has been indicted on hacking charges that stem from activity that took place before he was hired in June 2000. The FBI informed lab officials, who took precautions to ensure he had no access to sensitive information. Heckenkamp denies he is responsible for the intrusions and communication interception and maintains that someone else used his computer to commit the break-ins.

10 & 11 January 2001 Computer Export Limits Eased

Acknowledging that clusters of networked machines could generate considerable computing power, the White House relaxed export limits to the majority of nations worldwide. A handful of countries considered terrorist threats are still under a "virtual embargo."

8 January 2001 Court Rules on Private Web Site Access

The 9th Circuit Court of Appeals ruled that accessing a private web site without permission may violate the federal Wiretap Act and/or the Stored Communications Act. The ruling reverses a federal judge's decision to dismiss claims brought by a Hawaiian Airlines pilot against his employer.

********************* Also Sponsored By PentaSafe ********************
You know what your security policies are and what they are meant to do.
Does everyone else?
"By introducing the new VigilEnt Policy Center(tm), PentaSafe has
finally given security officers a single point for automating security
policy creation, distribution, awareness, and tracking throughout the
Click here http://www.pentasafe.com/products/policyoverview.htm to see
an online demo, or sign up for a webinar or seminar in your area.


12 January 2001 AOL Password Glitch

Some "AOL Anywhere" customers have found that former passwords allow access to their accounts. AOL is investigating the problem.

12 January 2001 DOE to Inspect E-Mail

The Department of Energy (DOE) has established the Electronic Mail Analysis Capability, which will examine all incoming and outgoing e-mail at four of its national labs and will forward suspicious communications to an analyst. International mail will automatically be deemed suspicious; DOE has not clarified what constitutes suspicious content.

11 & 12 January 2001 IRC DDoS Attack Connected to New Year's Threat

The recent DDoS attacks on IRC have been linked to a NIPC warning of a New Year's weekend denial of service threat. A Washington state teenager is under investigation and four Israeli crackers have been arrested in connection with a threat to "take down the Internet" over the holiday weekend.

11 January 2001 Data Base Back Door

A back door in Borland's InterBase database software allows intruders to alter information and introduce damaging programs. The company has notified customers of the security hole and is releasing patches. Two open source versions of InterBase have been released; both are vulnerable to the problem.
[Editor's (Cowan) Note: Illustrates the security value of open source. The back door has been there since 1994, but only came to light six months after the source code was released as open source.]

11 January 2001 Quantum Security Applications

A group of quantum information experts met in Amsterdam to discuss such concepts as quantum encryption, which would cause any unauthorized interception of encrypted communication to destroy the message.

11 January 2001 Hybris Worm

The Hybris worm's longevity can be attributed to the fact that it spreads slowly, infects quickly, and uses encrypted plug-ins to update itself and change its signature. As always, users should keep anti-virus software current and be wary of attachments.

10 January 2001 Security Enhanced Linux

The National Security Agency (NSA) has released "security-enhanced Linux" in the hopes that the community will help improve the operating system's security for use in both business and government.

9, 10 & 12 January 2001 IRC DDoS Attacks

Many Undernet IRC servers have been taken down by Distributed Denial of Service (DDoS) attacks apparently originating in Romania. The country does not have the legal infrastructure to deal with the situation. Even after the servers were taken down, the host ISPs have continued to be targets of DDoS attacks.

9 January 2001 Federal Agencies Need to Educate Employees

The Department of Transportation (DOT) has completed its vulnerability study and will now implement an information assurance awareness program. Federal officials say all agencies need to focus on employee education to coordinate inter-agency activities to protect the country's critical infrastructure.

9 January 2001 Study Says Security is Challenged

A study released by Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS) asserts that information security systems are being pushed to their limits by ever-expanding e-commerce and a broadening array of net appliances. Members of the business, technology, education and political communities need to work together toward fixing such problems as a lack of consistent international laws and the privacy/convenience trade-off. Suggested solutions include security training for employees and improved security architecture.

9 January 2001 eBay Privacy Confusion Irks Customers

After discovering a bug in its registration system that changed default answers to "no," eBay reset customer preferences. The on-line auction site notified affected customers of the change and gave them two weeks to modify their preferences. Some customers were annoyed that their preferences were reset to receive e-mail from eBay.

8 & 9 January 2001 Egghead Says Data Not Compromised

After nearly three weeks, an investigation into an intrusion at Egghead.com concluded that customer information had not been stolen from the site. One security expert noted that whether or not the intruders stole information, damage was done; Egghead spent time scrutinizing the events and credit card companies spent millions of dollars reissuing cards to affected customers. One source indicated that Egghead had not implemented Visa International's minimum security standards. In any case, Egghead will have to work hard to regain customer confidence.

8 January 2001 Advice for Breaking into Security Profession

Columnist advises those wanting to get into security to clarify which aspect of security is of particular interest (technical, consulting, or management), to train on specific products, and to get certification. He also describes a mind-set he sees as necessary for success in the field.

2 December 2000 Site Offers Attack Tools

Pro-Palestinian crackers have been sharing cyber attack methods, including denial-of-service tools and a variety of viruses, to bring down Israeli web sites. The arsenal is being distributed via a web site that also contains instructions for deploying attacks.


New Orleans SANS Security Tracks Close

(January 28 - February 2): Seats are still available in KickStart, SANS Security Essentials, Firewalls, and Intrusion Detection

New SANS Security Conferences Scheduled In Dallas, Orlando, and Ottawa

Complete list of regional programs:

Sydney, Australia, February 12-15
Honolulu, February 27-March 3
Portsmouth, NH, March 9-11
Dallas, TX, March 22-25
Orlando, FL, April 18-22

Windows Security Added To Online Training

The third online program has been released - this one covering Windows NT Security. Includes course books, audio lectures by the nation's top-rated teacher in Windows NT Security, and self-tests every hour so you can be sure you are mastering the material every step of the way.

Popular KickStart and SANS Security Essentials programs are also available online.



Is SecurID Safe?

William Hugh Murray, Executive Consultant to Deloitte & Touche

Let me get my biases on the table. First, I subscribe to Courtney's First Law: "Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment." Everything that I say here must be taken in the context of that disclaimer.
Second, for more than a decade I have been a strong advocate for strong authentication*. Security Dynamics/RSA Security has a significant share of the market for strong authentication. They have always advocated what they have called "two factor" authentication, i.e., that the SecurID token be used only in the context of a second form of evidence, usually a shared secret.
Third, for the last five or six years I have advocated client-side authentication, i.e., that the evidence of strong authentication be reconciled on the client and only a nonce be passed to the server. Fourth, Ken Weiss, the founder of Security Dynamics, and Chuck Stuckey, Chairman of the Board of RSA Security, are friends of more than a decade. From time to time over the last decade one or the other has engaged me for small consulting engagements, one of which involved the SecurID Soft Token. In my consulting practice I often recommend strong authentication and have, on some engagements, recommended solutions that included SecurID.
By modern standards SecurID is mature, not to say old, technology. It was developed in a different era for a different environment. For example, it was developed for use over a point-to-point connection and to be reconciled by a closed system. It is now used over broadcast networks and reconciled by a separate server. While it has served us very well, it is timely and useful to re-examine it. Such re-examination is prompted in part by a recent publication of the source code for a functional equivalent of the algorithm and by a talk about a man-in-the-middle attack.
For those of you not familiar with SecurID, it is a small tamper-resistant token with a clock, a hash function, a 64-bit identity vector, and a display. Periodically the 64-bit identity and the time are put through the hash and the result is displayed. The number in the display is used to demonstrate to a distant process that one possesses the token. Since each token has a unique identity, it displays a unique number each minute. If the distant system has the algorithm, the same time, and the identity vector, it knows what number the token is displaying. By sending the current number, the user demonstrates that he possesses the token.
Depending upon the model of the token, the number displayed may be 6 or 8 digits in length. The former is the easiest to use while the latter is more difficult to guess. With six digits one has a one in a million (10^-6) chance of choosing the number at random, while with eight it is one in a hundred million. Since the number changes once a minute, one does not have much time to find the right number. Notice that this number, as large as it is, is much smaller than the input. (2^64 is larger than 10^8; take my word for this.) The hash is a compression of the input. It is not possible to go from the hash back to the time and the identity any more than one could go from a 128-bit hash of a 10K file back to the file. Neither is it possible to go from the time and the display back to the identity.
This leaves the question of whether or not it might be possible to go from many hashes and the corresponding times back to the identity or how many such hashes one might have to use in order to do it. The number is far more than the total amount of information that the token will put out in millennia, much less in its short life. By the time you have enough data to derive the identity, we are all long dead. So, not only does the system not depend upon the secrecy of the hash algorithm it does not even depend much upon the algorithm used. While it must be a good hash, the real strength of the system is in how much information about the identity is lost in generating the output. However to say that the algorithm, the time, and all the numbers that the token will display in many times its life is not enough information to predict what it will say at any point in the future, is not to say that it is safe. It is only to say that an attack against the token numbers is not the way to go.
How about an attack against the token itself? The engineers tell me that the token is tamper-resistant, i.e., it is so constructed that any attempt to breach the token to get at the identity is more likely to destroy it. I have no more evidence to support the engineers than their testimony. On the other hand, I do not have any evidence against them. But it does not make any difference. It is sufficient for the token to be tamper-evident. In order for it to be useful to me to get the identity vector, I must do it without leaving evidence that I have done so. If I leave evidence that I have done so, then the legitimate owner will simply replace it.
How about an attack against the network? We have already noted that the whole purpose of the system is to ensure that replays will not work. What one might do is wait until the user has logged on and steal the session. While we have no reports of this, we know that in a packet-switched network it is at least theoretically possible. This is really not an attack against a vulnerability of SecurID so much as against a vulnerability of the network. Given the network in which session stealing will work, it will work regardless of the authentication mechanism used. We also know the defense against session stealing: end-to-end encryption. The man-in-the-middle must be denied sufficient information to steal the session. We know how to do that.
[Historically there was a race attack in which the attacker stole the whole number and used it before the owner. The owner would get a failure and would simply re-authenticate. Often this attack failed; however, often it worked. The defense is for the server to wait before acknowledging a success until it knows that no second attempt to use the number occurs. If the number is received twice, it fails both. This adds security at the expense of latency.]

That leaves an attack against the server. An attack against the server is more likely to be successful and less likely to leave evidence than one against the token. In practice, most administrators save the original seed identifiers on the shipping media as backup. This is another point of attack. In other words the whole system is no more secure than the server and its backup. A successful attack against the network, while easier to defend against, might work against a lot of systems.
While Courtney's law tells me that I cannot tell you whether SecurID is safe, what I can tell you is that neither the numbers nor the token are the weak points in the system. The weak points are the network, the server, and the people. In order to strengthen both the network and the server we should move to client-side reconciliation and end-to-end encryption. But that is a story for another day.
* Strong Authentication uses at least two kinds of evidence, at least one of which is resistant to replay.
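The following is an added illustration, not part of the editorial and not RSA Security's code: a toy time-based token plus a reconciling server, written to show three of the points above in running form. The token output is a keyed hash of the 64-bit identity and the current one-minute window, compressed to 6 or 8 decimal digits; a guessing attacker's odds follow from the digit count alone; and the server implements the race-attack defense from the bracketed note, withholding success until the window closes and failing every presentation of a number that arrives twice. HMAC-SHA256 stands in for the proprietary SecurID hash (an assumption made here for illustration), the seed and timestamps are constructed values, and the one-window clock-skew tolerance is likewise an assumption.

```python
import hashlib
import hmac
import struct
from collections import Counter

STEP_SECONDS = 60  # the display changes once a minute


def token_code(seed: bytes, t: int, digits: int = 6) -> str:
    """Number the token shows at epoch second `t`: hash(identity, time window), compressed.

    HMAC-SHA256 is an assumed stand-in for SecurID's own hash. The point being shown is
    the compression: 256 bits of MAC collapse to 6 or 8 digits, so the display leaks
    almost nothing about the 64-bit identity it was derived from."""
    window = t // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** digits:0{digits}d}"


def guess_probability(digits: int, attempts: int) -> float:
    """Chance a random guesser hits the current code with `attempts` tries inside one window."""
    return 1.0 - (1.0 - 10.0 ** -digits) ** attempts


class Server:
    """Reconciling server: holds the seeds and adjudicates logins only after a hold period."""

    def __init__(self, seeds: dict, digits: int = 6, skew: int = 1):
        self.seeds = seeds      # user -> 64-bit identity vector: the asset the editorial says to protect
        self.digits = digits
        self.skew = skew        # windows of clock drift tolerated either side of server time (assumed)
        self.pending = {}       # (user, window) -> codes submitted during that window, in order

    def expected_codes(self, user: str, t: int) -> set:
        """Every code the server would accept for `user` around second `t`."""
        w = t // STEP_SECONDS
        return {token_code(self.seeds[user], (w + d) * STEP_SECONDS, self.digits)
                for d in range(-self.skew, self.skew + 1)}

    def submit(self, user: str, code: str, t: int) -> None:
        """Record an attempt. No answer yet: success is withheld until the window is adjudicated."""
        self.pending.setdefault((user, t // STEP_SECONDS), []).append(code)

    def adjudicate(self, user: str, t: int) -> dict:
        """Decide every attempt recorded for `user` in the window containing `t`.

        A code succeeds only if it matches and was presented exactly once. A matching code
        seen twice is the race attack: both presentations fail, so the thief gains nothing
        and the legitimate owner gets a failure that signals something happened."""
        codes = self.pending.pop((user, t // STEP_SECONDS), [])
        valid = self.expected_codes(user, t)
        return {code: (code in valid and n == 1) for code, n in Counter(codes).items()}


if __name__ == "__main__":
    seed = bytes.fromhex("0123456789abcdef")   # constructed 64-bit identity, not a real seed
    now = 978_000_000                          # constructed epoch second
    server = Server({"alice": seed})
    code = token_code(seed, now)
    server.submit("alice", code, now)          # owner logs in once
    print("single use:", server.adjudicate("alice", now))
    server.submit("alice", code, now)          # attacker replays the stolen number...
    server.submit("alice", code, now + 3)      # ...then the owner presents it too
    print("race:", server.adjudicate("alice", now))
    print("6-digit guess odds:", guess_probability(6, 1), "8-digit:", guess_probability(8, 1))
```

The deferred decision is the whole defense: a server that answers "success" the instant a code matches has no way to know a second copy is seconds behind it. Note also that `Server.seeds` is exactly the data the editorial identifies as the real target, so the server's backup media deserve the same protection as the server.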

== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites

Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz