SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #4

January 24, 2001

TOP OF THE NEWS

22 January 2001 Government Web Sites Defaced in US, UK, and Australia
21 January 2001 Yahoo.com and Microsoft.com Traffic Redirected
18 & 19 January 2001 Canadian Teenager Pleads Guilty in DDoS Case
17 January 2001 Ramen Worm
17 January 2001 GAO's "High Risk" Report

THE REST OF THE WEEK'S NEWS

22 January 2001 Clinton Appoints 21 to NIAC; Panel's Survival In Doubt
19 January 2001 Bulgarian Government Sites Attacked
22 January 2001 Bulgarian Cracker Offered Job
19 January 2001 Humans Create DDoS Vulnerability
19 January 2001 UK's RIP Act Raises Concerns at ISPs
19 January 2001 CyberArmy
18 January 2001 AeA, EPIC Outline Privacy Regulation Stances
18 January 2001 German Banking Security Check
18 January 2001 Mac Melissa Variant
18 January 2001 Hotmail E-Mail Discarded
17 January 2001 QAZ Worm Has Chinese Ties
17 January 2001 Financial Security Guidelines
16 & 17 January 2001 IT-ISAC Formed
16 January 2001 Media Player "Skins" Vulnerability
15 January 2001 Defacements May Hide More Serious Attacks
15 January 2001 Egghead Problems

PROFESSIONAL DEVELOPMENT UPDATES

Training and Certification Update Distributed on January 22
Security Manager's Journal Still Needs A Writer

ASK THE EDITORS

Gene Schultz on "What Difference Would it Make If We Outsourced Our Security Function?"

TOP OF THE NEWS

22 January 2001 Government Web Sites Defaced in US, UK, and Australia

Crackers defaced government web sites in the US, the United Kingdom, and Australia. Identical messages appeared on all affected sites; one Australian site also had a search application taken down. All the targeted sites were running Windows NT. The group has previously defaced government sites in several other countries.
-http://www.idg.net/go.cgi?id=401773
-http://news.cnet.com/news/0-1003-201-4559554-0.html
[Editor's (Murray) Note: These targets are interesting. They are targets of opportunity in that they all had the same operating system and, presumably, vulnerabilities from the same short list. On the other hand, they were targets of choice in that they were all government sites. It defies belief that only government sites manifest these vulnerabilities. ]

21 January 2001 Yahoo.com and Microsoft.com Traffic Redirected

A faulty Domain Name System (DNS) table appears to be to blame for deflecting Internet traffic aimed at Yahoo.com and Microsoft.com to MyDomain.com. While MyDomain.com's president acknowledges his company inadvertently released an error-ridden DNS table, he also said that ISPs should use the "authoritative" name servers to direct traffic instead of relying on nearby tables. One security consultant suggested that the vulnerability has the potential to be seriously abused.
-http://www.msnbc.com/news/519306.asp
[Editor's (Cowan) Note: DNS is one of the most frail and critical aspects of the Internet. ]

18 & 19 January 2001 Canadian Teenager Pleads Guilty in DDoS Case

The Canadian teenager who admitted to being responsible for the distributed denial of service (DDoS) attacks that took down major sites last February has pleaded guilty to the majority of charges against him, facing a possible two years in prison and a fine of approximately US$660. Free until sentencing, the youth must stay away from computers, abide by a curfew, and go to his job.
-http://www.wired.com/news/politics/0,1283,41287,00.html
-http://www.usatoday.com/life/cyber/tech/ctj012.htm
[Editor's (Paller) Note: This is a good time to pause and extend our thanks to a group of little-known, but often-criticized men and women who were responsible for identifying and capturing this attacker. They are the same people who have successfully found and, where laws allow, prosecuted the attackers in other highly visible cases this year and last. Because their rules do not allow them to make investigatory information public, and because reporters are hungry for any information about major attacks, their critics get far too much press coverage. Through the efforts of these law enforcement people, joy-riding attackers are learning that the chances of their getting caught, prosecuted, and incarcerated are rising. This is what deterrence is all about. So let us say thank you to Shawn Henry and his team at the NIPC and in the FBI field offices, and to all the other law enforcement people around the world who respond to major attacks quickly, intelligently, and with due regard for the rights of individuals. ]

17 January 2001 Ramen Worm

The Ramen worm exploits the RPC.statd and wu-FTP flaws in versions 6.2 and 7.0 of Red Hat's Linux. The worm consumes large amounts of bandwidth while scanning for vulnerable servers. Users can download patches for the security holes from Red Hat's web site.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO56475,00.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2675147,00.html
-http://www.securityfocus.com/news/139

17 January 2001 GAO's "High Risk" Report

The General Accounting Office's (GAO) annual report on high-risk government programs includes aspects of federal systems' security. Recent audits reveal that many agencies lack security plans, policies, and testing and evaluation programs. Of particular concern in the report were systems upgrades at the IRS, FAA, and Defense Department.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO56472,00.html
-http://www.idg.net/go.cgi?id=400254

THE REST OF THE WEEK'S NEWS

22 January 2001 Clinton Appoints 21 to NIAC; Panel's Survival In Doubt

President Clinton appointed 21 people to the National Infrastructure Assurance Council (NIAC) on his last full day in office. The NIAC advises the president on cyber security issues and aims to strengthen public and private sector partnership in addressing critical infrastructure security. However, concerns about the makeup of the panel lead many observers to predict the Bush Administration will rescind the Executive Order that created the NIAC, alter the makeup of the panel, or both.
-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO56725,00.html

19 January 2001 Bulgarian Government Sites Attacked

Crackers defaced several Bulgarian web sites, including the president's official site. The press office said it planned to increase security measures, and the National Security Service and an Internet supplier are trying to trace the attackers.
-http://news.cnet.com/news/0-1007-200-4535994.html

22 January 2001 Bulgarian Cracker Offered Job

Bulgarian President Petar Stoyanov has publicly offered a job to the cracker who defaced his web site with a message bemoaning the dearth of opportunity in the country.
-http://dailynews.yahoo.com/h/ap/20010122/tc/bulgaria_hackers_3.html

19 January 2001 Humans Create DDoS Vulnerability

While awareness of distributed denial of service (DDoS) attacks has risen, sites are still vulnerable to the attacks due in part to the human factor. Home users do not routinely use firewalls, leaving their machines vulnerable to those looking to plant zombies. Administrators often leave ports open unnecessarily, and can rely too heavily on software instead of vigilant monitoring.
-http://www.zdnet.com/filters/printerfriendly/0,6061,2676260-2,00.html
[Editor's (Murray) Note: Is it because the perpetrator looks more like us than the victim does that we are so ready to blame the victim? The vulnerability is inherent but there is nothing either inevitable or justified about the attacks. These attacks are malicious and premeditated. They are calculated to destroy public trust and confidence that the perpetrators did not create and cannot repair. They are cowardly and dastardly and they should not be defended, much less blamed on the victim. ]

[Editor's (Grefer) Note: An important additional layer of protection can be gained by installing very low-cost, very easy to set up hardware firewalls from companies like Linksys, UMAX, and NetGear. ]

19 January 2001 UK's RIP Act Raises Concerns at ISPs

The UK's Regulation of Investigatory Powers (RIP) Act allows law enforcement agents to demand access to suspects' electronic communications, but technically untrained law enforcement officers seem to be having trouble understanding which requests are reasonable and which are preposterous. Additionally, concerns that the government may require Internet Service Providers (ISPs) to retain records of all Internet traffic could lead the companies to move their businesses elsewhere.
-http://www.wired.com/news/politics/0,1283,41288,00.html
Text of RIP Act:
-http://www.homeoffice.gov.uk/ripa/texten.htm
Implementation Schedule:
-http://www.homeoffice.gov.uk/ripa/imptable.htm

19 January 2001 CyberArmy

CyberArmy, a highly organized privacy and pro-self-regulation group, aims to clean up the Internet by taking down sites that "abuse" the web.
-http://www.msnbc.com/news/518766.asp?0nm=T13M
[Editors' Note: This is illegal cracking activity masquerading as public service, an obviously bad idea. ]

18 January 2001 AeA, EPIC Outline Privacy Regulation Stances

The American Electronics Association, now known as AeA, released a list of privacy principles for Congress to consider. The group says that it will support federal privacy legislation that overrides state legislation, that consumers should be compensated for use of their data, and that no new authority should be created to oversee privacy; the Federal Trade Commission should monitor privacy compliance.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO56513,00.html
-http://www.idg.net/go.cgi?id=400263
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO56551,00.html
[Editor's (Cowan) Note: The only way to keep information private is not to give it. The most urgent privacy issue is for browser vendors to provide web browsers that protect your privacy by not blabbing lots of information about you to the web sites you browse. They won't do that until consumers demand it. ]

18 January 2001 German Banking Security Check

A group of German banking industry watchdogs has begun a security check of European Internet banks and brokerages as a proactive measure. If they find security problems, the group will discuss the matter with the bank in question.
-http://news.cnet.com/news/0-1007-200-4524136.html

18 January 2001 Mac Melissa Variant

A new strain of the Melissa worm spreads as a Microsoft Mac:Office 2001 document. Word documents created on infected machines can spread the virus. This version of Melissa must first infect a Macintosh machine, but if that user shares an infected document with a Windows user, the self-mailing capabilities can kick in. No massive outbreak is expected, however.
-http://www.msnbc.com/news/518157.asp?0nm=T1CM
-http://www.cnn.com/2001/TECH/computing/01/19/melissa.w.idg/index.html
-http://www.theregister.co.uk/content/39/16209.html

18 January 2001 Hotmail E-Mail Discarded

Some outgoing Hotmail e-mail has been blocked from sites hosted by certain ISPs thought to be friendly to spammers. The mail was thrown away and the senders not notified.
-http://www.msnbc.com/news/518308.asp?0nm=B1BM

17 January 2001 QAZ Worm Has Chinese Ties

A worm that may have been used to infiltrate Microsoft's internal network last year apparently sends passwords and other data to a now defunct e-mail account in China. There is no way to tell if the attack originated in China, as the system could have been remotely accessed.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO56474,00.html

17 January 2001 Financial Security Guidelines

Recently issued federal guidelines for financial services firms' information security include performing data security risk assessments and developing plans to mitigate the risks. The guidelines also suggest incorporating penetration testing and encryption to safeguard systems.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO56469,00.html
[Editor's (Murray) Note: Surely they can say something more helpful than that. ]

16 & 17 January 2001 IT-ISAC Formed

Nineteen IT companies have come together to form the IT-ISAC (Information Sharing and Analysis Center), the fourth of eight such organizations to be created as called for under a Presidential directive in 1998. The group is made up primarily of companies that sell security services and products.
-http://www.fcw.com/fcw/articles/2001/0115/web-isac-01-17-01.asp
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO56410,00.html
-http://news.cnet.com/news/0-1003-201-4495870-0.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2674531,00.html

16 January 2001 Media Player "Skins" Vulnerability

A security hole in Microsoft Windows Media Player 7 "skins" could allow attackers to take control of machines remotely. A Microsoft product manager said that customers can protect themselves from attacks by disabling unsigned Java content in their Internet security options.
-http://news.cnet.com/news/0-1005-200-4499270.html
[Editors' Note: Everyone should disable JAVA by default. ]

15 January 2001 Defacements May Hide More Serious Attacks

Web page defacements are on the rise, and of growing concern is what these defacements may be masking. Defaced sites should check their systems for DDoS code and look for deeper intrusions and subtle text changes.
-http://computerworld.com/cwi/story/0%2C1199%2CNAV65-663_STO56345_NLTs%2C00.html
[Editor's (Murray) Note: Duh! If one has not taken pro-active measures (e.g., TripWire) in advance, detecting "subtle" changes is, at best, inefficient, not to say impossible. If one has been pro-active, one is not a target of opportunity. ]

15 January 2001 Egghead Problems

Although Egghead.com maintains that credit card numbers were not stolen from its web site during December's security breach, customers are not happy with the company's security practices. The author says Egghead keeps credit card numbers on file too long, has no apparent investigatory system for customer credit card problems, and has not owned up to its security problems.
-http://computerworld.com/cwi/story/0%2C1199%2CNAV65-663_STO56330_NLTs%2C00.html

PROFESSIONAL DEVELOPMENT UPDATES

Training and Certification Update Distributed on January 22.

Includes complete schedule of training opportunities and update on new developments in certifications for security professionals. If you did not receive a copy of this update, please email info@sans.org with the subject "Training and Certification Update."

Security Manager's Journal Still Needs A Writer

Computerworld and SANS are looking for new contributors for the Security Manager's Journal. If you're a security manager who can write well, and you'd like to share your experiences with Computerworld's and SANS readers, let us know. You will be writing for an audience that includes security managers in Fortune 2000 companies and comparing notes with readers as you moderate the Security Manager's Journal forum on the Security Watch community page. Your identity will remain anonymous. You must have a background in security and have security responsibility at the management level to qualify.
-http://www.computerworld.com/cwi/story/0,1199,NAV65-663_STO56112,00.html

ASK THE EDITORS

Gene Schultz on "What Difference Would it Make If We Outsourced Our Security Function?"

The answer, like most everything else in the world of information security, depends on many factors. One of the most important considerations is how effective the current information security function is. How in touch with the corporate culture and business drivers is this function? To what degree do current information security priorities relate to the business process? Has the information security function developed effective communication channels with senior level management as well as other IT-related areas? Is it serving as an effective advocate for security?
If the answers to these questions are mostly affirmative, then dismantling an effective information security function in favor of the cost savings gained through outsourcing is anything but wise. Additionally, having a home-grown information security function rather than an outsourced one is potentially advantageous in that the former is more likely to be regarded as a real player in terms of being included in planning activities, daily operations, and so forth. An outsourced security function, on the other hand, is less likely to become part of the mainstream. An outsourced function is also less likely to be able to understand and deal with the corporate culture and business drivers.
If the answers to the above questions are mostly negative, then having an outsourced security function might indeed be a very good thing. One thing that my experience in the consulting world has taught me is that, while some information security functions are truly outstanding, many of them are less than effective. Too often people within these functions know the right things to do for the sake of security, but then they advocate security for security's sake, squandering resources on activities such as producing massive formal risk analyses and technical vulnerability analyses that have little to do with the business process itself. In this latter case, outsourcing is preferable. True, outsourcing brings its own downsides, but when an information security function is ineffective, there is little to lose and potentially much to gain by trying another approach.
One last point deserves mention. Some people think that outsourcing the information security function introduces additional personnel-related risk compared to having an all-employee information security function. In this case the truth really boils down to how well an organization handles personnel security in the first place. Many if not most organizations do not really do a very thorough job in investigating prospective employees' backgrounds. Worse yet, despite the fact that people's lives can change radically as the result of loss of a loved one, divorce, new habits such as gambling, and so forth, reinvestigations of personnel are exceptionally rare. Saying that having employees instead of contractors leads to better security is thus not necessarily true at all.
E. Eugene Schultz, Ph.D.

== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz