Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #30

July 25, 2001


The conference program for Network Security 2001 (San Diego, October
15-21) has just been posted at http://www.sans.org/NS2001/NS2001.htm

You may have received it this week along with the Security Tools and
Managed Security poster.

If you have never been to a SANS Network Security conference,
the world-class training in all nine critical areas of security,
the huge exhibition of security tools and services, the birds of a
feather sessions, the SANS @ Night programs, the keynotes, and the
great interaction make it the one conference to attend this fall if
you are serious about information security.

TOP OF THE NEWS

20 & 23 July 2001 White House Averts Code Red Denial of Service Attack
20 July 2001 SirCam Worm
19 July 2001 Wireless Networks Not Secured
18 & 20 July 2001 CIS Consensus Benchmark For Minimum Security Settings
18 July 2001 Phony Microsoft Security Bulletins

THE REST OF THE WEEK'S NEWS

23 July 2001 IDSes Require Fine-Tuning
23 July 2001 FBI's Missing Laptops
20 July 2001 Security Firm's Action Irresponsible, Say Critics
20 & 23 July 2001 DoJ to Create Nine New Cyber Crime Prosecution Squads
20 July 2001 Privacy and Security Require Change from the Inside Out
20 July 2001 CERT/CC Advisory for Home Users
20 July 2001 Hong Kong Hacking Laws
18 July 2001 LDAP Vulnerabilities
17 & 18 July 2001 Bush Plan Calls for Cyber Security Board
17, 19 & 21 July 2001 eBook Security Researcher Arrested Under DMCA
16 July 2001 Witnesses Ask For Restraint at Subcommittee Hearing on Cyber Security
16 July 2001 Feds Meet with Hackers
16 July 2001 Project Seeks Help with Human Rights Violations
16 July 2001 Server Security Hole Allows Free Download of XP Beta
16 July 2001 Security Manager's Journal: Moving From Managed Services to In-House




TOP OF THE NEWS

20 & 23 July 2001 White House Averts Code Red Denial of Service Attack

Thwarting the attempts of the Code Red worm to launch a denial of service attack against www.whitehouse.gov, system administrators moved the site to an alternate IP address. Code Red takes advantage of a known Microsoft IIS buffer overflow vulnerability and evades antivirus scanners because it runs entirely in memory.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO62410,00.html
-http://news.cnet.com/news/0-1003-200-6625470.html?tag=prntfr
-http://www.gcn.com/vol1_no1/daily-updates/4690-1.html
-http://www.cert.org/advisories/CA-2001-19.html
[Editor's (Murray) Note: This was the single most successful worm in a decade, and it used only professionally managed systems. In a week, it starts over again. Anyone want to assert that we have destroyed all of more than 200K copies? Anyone want to assert that it has exhausted the address space and that there are simply no more systems for it to attack? How about that we have responded to the attack and finally gotten around to patching all the vulnerable systems? ]

20 July 2001 SirCam Worm

The SirCam worm propagates via Outlook when users open infected attachments. The accompanying e-mail will have a randomly chosen subject line, and the worm adds a document from the infected computer to the attachment, possibly exposing personal or proprietary information. The worm also plays a sort of roulette, which may result in all unused space on an infected machine's hard drive being filled with random text. It also may delete all files on an infected computer.
-http://www.nwfusion.com/news/2001/0719sircam.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2792260,00.html?chkpt=zdnnp1tp02
-http://www.wired.com/news/technology/0,1282,45427,00.html

19 July 2001 Wireless Networks Not Secured

A security group consulting manager said that wireless detection tools can easily find unsecured wireless networks in any city. Although wireless hacking tools are not widely available yet, once the technology becomes more common, attacks on wireless networks will become as prevalent as those on wired networks are today.
-http://www.vnunet.com/News/1124105
[Editor's (Ranum) Note: Wireless hacking tools, sadly, are not necessary. The majority of wireless networks don't even need to be "hacked" - they simply accept the attacker without offering any defense at all. ]

[(Murray): The issue is not so much that the air-side is weak as that wireless punches a hole in the wire-side. It is not so much about managing the access points that we know about as it is that for tens of dollars almost anyone can install a rogue access point. It is time to start managing all devices on your net by MAC address and allocating IP addresses statically. ]

18 & 20 July 2001 CIS Consensus Benchmark For Minimum Security Settings

By developing a consensus minimum security benchmark and offering free testing tools, the Center for Internet Security (CIS) hopes to pressure vendors into releasing products that are securely configured. Gartner analyst John Pescatore observes that the CIS benchmark will be extremely valuable and an easy way to get an increase in security, versus just reading about threats. CIS is a consortium of 160 large businesses, government agencies and academic institutions in 17 countries.
-http://www.internetwk.com/story/INW20010718S0011
-http://www.reuters.com/news_article.jhtml?type=internetnews&Storyclass=128026

18 July 2001 Phony Microsoft Security Bulletins

Two spurious Microsoft security bulletins trick people into infecting their machines with viruses; their attendant web sites have been shut down.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2790383,00.html?chkpt=zdhpnews01

THE REST OF THE WEEK'S NEWS

23 July 2001 IDSes Require Fine-Tuning

Federal security managers speaking at a conference about intrusion detection systems (IDSes) say there's a lot more to the systems than simply installing the boxes. You must know your network traffic patterns well enough to determine what is out of the ordinary and be careful not to set the threshold too low or you will flood your own system. Additionally, monitoring the IDS results can consume a lot of resources.
-http://www.gcn.com/vol20_no20a/news/4698-1.html
[Editor's (Schultz) Note: "Setting the threshold too low" refers to a capability to adjust IDSs to either have more false alarms with the gain of fewer misses (detection failures) or have fewer false alarms with the gain of more misses. (Multiple) Firewalls also require tuning and you have to know your security policy to install them effectively. The fact that any security system requires knowledge, skills, hard work, and tuning should not be a surprise. (Paller): Sadly, federal agencies are asking people with little or no training to take responsibility for securing major systems. ]

23 July 2001 FBI's Missing Laptops

The FBI began tracking its laptops only last year. In the last 11 years, 184 of 13,000 laptops have disappeared; at least 13 were stolen and three contained sensitive or classified data. Legislators are unhappy, and Attorney General John Ashcroft has requested an inventory of Bureau laptops and other items.
-http://www.fcw.com/fcw/articles/2001/0723/news-fbibx-07-23-01.asp

20 July 2001 Security Firm's Action Irresponsible, Say Critics

eEye Digital Security, the company that apparently discovered the Code Red worm, has been criticized by security experts for publishing exploit information that could potentially be used by crackers.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO62453,00.html

20 & 23 July 2001 DoJ to Create Nine New Cyber Crime Prosecution Squads

The Justice Department (DoJ) is creating nine additional cyber crime units in cities across the country. The model for the units is the first Computer Hacking and Intellectual Property (CHIP) unit, based in San Francisco. Forty-eight of the 77 people on staff nationwide will be prosecutors.
-http://www.wired.com/news/politics/0,1283,45432,00.html
-http://news.cnet.com/news/0-1003-200-6626166.html?tag=prntfr
-http://www.fcw.com/fcw/articles/2001/0723/web-doj-07-23-01.asp
[Editor's (Schultz) Note: This new initiative sounds good in that having a sufficient number of prosecutors is critical to turning the corner with respect to cybercrime. The FBI has initiated many efforts in the past, most of which have fallen by the wayside. I hope this one works. ]

20 July 2001 Privacy and Security Require Change from the Inside Out

At a panel discussion at the University of Chicago Law School the consensus was that privacy and security will become manageable not through "quick fixes," but through change from within the company culture itself. Ontario's Information and Privacy Commissioner said that "legislation can't work without self-regulation." One CIO said that companies should make security requirements a part of contracts between businesses.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO62411,00.html

20 July 2001 CERT/CC Advisory for Home Users

CERT/CC has issued a security alert urging home users to protect their computers with antivirus software, firewalls, and good practices.
-http://www.cert.org/advisories/CA-2001-20.html
[Editor's (multiple) Note: The CERT/CC bulletin is long overdue, but still useful. It is questionable, however, whether this bulletin will get to the people who need it most. ]

20 July 2001 Hong Kong Hacking Laws

Hackers in Hong Kong are now criminals, according to new measures, and can be punished with a three-year prison sentence for their activities.
-http://english.sina.com/news/tech/2001/0720/tech_1.html
[Editor's (Murray) Note: Even here in the "Land of Law and Order" we only punish behavior, not motive, not intent, and certainly not self-identification. Many people who identify with the word "hacker" never interfere with anyone else's system. While I get a little tired of those that do not interfere with the systems of others defending those that do, I am not yet ready to put them in jail simply because they are called or call themselves "hackers." ]

18 July 2001 LDAP Vulnerabilities

A security test suite developed by a group at Oulu University in Finland found vulnerabilities in various implementations of the Lightweight Directory Access Protocol (LDAP). The vulnerabilities could allow crackers to run code or launch denial of service attacks on targeted machines. CERT/CC issued an advisory that includes patch information.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62356,00.html
-http://www.cert.org/advisories/CA-2001-18.html
[Editor's (Murray) Note: Patching protocol stacks is not an efficient way to protect directories. Directories should run as single-application kernel-only machines that fail to a halt. Better to have a directory fail hard than to have it covertly compromised. ]

17 & 18 July 2001 Bush Plan Calls for Cyber Security Board

The Bush administration plans to set up a federal cyber security board composed of 23 officials from major government agencies. The panel will be charged with determining how best to protect U.S. critical infrastructure and how to maintain functionality in times of cyber crisis. The board would report to National Security Advisor Condoleezza Rice. Critics have expressed concern that such a large group will complicate decision-making.
-http://news.cnet.com/news/0-1003-200-6594259.html?tag=prntfr
-http://www.zdnet.com/zdnn/stories/news/0,4586,2790366,00.html
[Editor's (Paller) Note: The critics got this one wrong. Decisions will continue to be made quickly by senior officials. The board will engage senior agency officials in the policy and implementation process and accelerate the long overdue task of getting Federal agencies to lead by example in the security field. On the other hand (Schultz) unless something other than the "same old same old" is done here, this will turn out to be yet another bureaucratic exercise in cyber futility. ]

17, 19 & 21 July 2001 eBook Security Researcher Arrested Under DMCA

A Russian encryption expert has been arrested for allegedly violating the Digital Millennium Copyright Act (DMCA). Dmitry Sklyarov presented his research at Defcon, demonstrating eBook security problems. Sklyarov's arrest has rallied civil liberties groups to launch protests and boycotts.
-http://www.theregister.co.uk/content/55/20444.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,5094266,00.html
-http://www.wired.com/news/politics/0,1283,45342,00.html
-http://news.cnet.com/news/0-1003-200-6632832.html?tag=prntfr

16 July 2001 Witnesses Ask For Restraint at Subcommittee Hearing on Cyber Security

Witnesses at a Senate Subcommittee on Science, Technology and Space hearing urged legislators to exercise caution when considering laws aimed at cyber security. Vinton Cerf warned that passing unenforceable legislation would result in people and businesses ignoring the law; Bruce Schneier said he sees insurance companies helping to improve security through risk management.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62309,00.html

16 July 2001 Feds Meet with Hackers

A panel of government officials spoke with hackers and voiced hopes that they will put their talents to good and ethical uses.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5094147,00.html

16 July 2001 Project Seeks Help with Human Rights Violations

The Hacktivismo project aims to disseminate information about human rights violations while shielding the identities of the people who report the incidents. Members of the Cult of the Dead Cow (cDc) are finishing their Peekabooty application, which was developed for just this purpose.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5094156,00.html
[Editor's (Murray) Note: Encryption is equally powerful for good and evil. Software that can hide source and content of information about human rights violations can hide the source and content of the violations (e.g. depictions of violence against women and children) themselves.]

16 July 2001 Server Security Hole Allows Free Download of XP Beta

Previews of Windows XP, which were to be available to 100,000 people at a cost of $10-20, could be downloaded without usernames or passwords. While the unofficial downloads might prove difficult if not impossible to install, one tester believes that product activation codes will soon be broken.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5094174,00.html

16 July 2001 Security Manager's Journal: Moving From Managed Services to In-House

The security manager's new CIO wants to change from managed services to in-house security. The manager says he needs new security standards, policies, and network diagrams with which to determine trust relationships. He has begun by creating a policy requiring encryption of all sensitive data sent from the company.
-http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO62155,00.html

[Editor's (Murray) Note: Do I understand correctly that having identified "no security standards to speak of" and "vague policies" as core problems, this manager jumps to the selection of encryption software as the most efficient place to spend his limited resources? ]




Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz