SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #48
November 28, 2001
One of the new questions we are hearing is, "Where can we find
tools and consultants who can help us perform continuous monitoring
of our systems?" Apparently there's too much opportunity for
security failures between penetration tests. If your firm does
continuous monitoring of configuration errors, missing patches and
other security vulnerabilities, either for yourself or for other
organizations, please send us a brief summary of the tools you use
and what vulnerabilities you look for. Send them to email@example.com
with the subject "continuous monitoring."
Did you know that it is actually warmer in San Francisco in December
than in August? And that this December international tourism is
way down, so you can enjoy the city without fighting crowds? Cyber
Defense Initiative West will be held in San Francisco on December
16-21 and features the five most popular SANS immersion training and
certification tracks. (http://www.sans.org/CDI.htm)
The SANS Weekly Security News Overview
Volume 3, Number 48 November 28, 2001
TOP OF THE NEWS
26 November 2001 Badtrans.b Worm Spreading Rapidly
25 November 2001 Global Cyber Crime Treaty Signed
20 & 21 November 2001 Playboy.com Customer Information Stolen
20 November 2001 Web Conference Security Lacking
20 November 2001 Media Player Vulnerability
THE REST OF THE WEEK'S NEWS
21,22 & 23 November 2001 Voyager Alpha Force
21 November 2001 Car Rental Agency Tests Biometrics
20 November 2001 Biometric Technology
21 November 2001 FBI Wants Telecoms Companies to Add Hardware, Software for Surveillance
20 & 21 November 2001 Magic Lantern
15 November 2001 FBI Prefers Fingerprints to Other Biometrics
20 November 2001 Ziff Davis Subscribers' Data Revealed
20 November 2001 Gartner: Internet Reliability is 5 Years Out
19 & 20 November 2001 Microsoft Apologizes, Admits it Knew of Vulnerability
19 November 2001 Security Spending Up Despite Sluggish IT Budgets
19 November 2001 Health Care Site Privacy
19 November 2001 Hacking Back is Not a Good Idea
19 November 2001 Protecting Businesses From Failed Vendors
19 November 2001 ABA Hears UCITA Arguments
18 November 2001 Ellison's Boast of "Unbreakable" Server Could Lead to Embarrassment
TOP OF THE NEWS
26 November 2001 Badtrans.b Worm Spreading Rapidly
Badtrans.B exploits an Outlook and Outlook Express vulnerability to execute its infected attachment automatically when the e-mail is opened. The worm's subject line appears to be a reply to a previously sent message. Badtrans.B self-propagates, then installs a back door on the computer, sends the machine's IP address to the worm's author, and runs a key logging program.
25 November 2001 Global Cyber Crime Treaty Signed
The United States, Canada, Japan and South Africa joined their counterparts in 26 other countries in signing the Council of Europe's Convention on Cybercrime to harmonize laws and penalties for crimes committed via the Internet.
20 & 21 November 2001 Playboy.com Customer Information Stolen
A cracker sent Playboy.com online store customers e-mail messages that contained their credit card numbers and other personal information. Playboy.com quickly e-mailed all customers who had shopped at the site in the last five years and advised them to contact their credit card companies to check for fraudulent charges. The company also informed customers that Playboy.com has hired a security consultant to audit its systems and that the FBI is investigating the case.
20 November 2001 Web Conference Security Lacking
Web conferences, which have increased in popularity since September 11, often lack basic security measures such as encryption and strong passwords. Furthermore, simple searches for web addresses containing names of web conference providers can reveal meeting times and topics.
20 November 2001 Media Player Vulnerability
Microsoft released an advisory warning of a buffer overflow vulnerability in its Media Player software. The company advised customers to apply a patch which fixes not only the Media Player flaw, but several others, some of which have not been disclosed.
THE REST OF THE WEEK'S NEWS
21,22 & 23 November 2001 Voyager Alpha Force
A new hybrid worm, Voyager Alpha Force, infects improperly configured SQL Server systems and uses an IRC channel to force them to launch DDoS attacks. The worm affects only MS SQL Server 7.0 and earlier (i.e. it doesn't affect MS SQL Server 2000).
21 November 2001 Car Rental Agency Tests Biometrics
Dollar Rent A Car agencies at thirteen US airports are requiring customers to supply thumbprints as part of a pilot biometric system aimed at reducing theft and fraud. Privacy advocates say the use of biometric information is not well regulated and could be abused.
20 November 2001 Biometric Technology
A growing interest in biometric security technology has burgeoned since September 11, and people seem to be willing to forfeit some measure of privacy in return for heightened security. Civil liberties advocates are concerned that the technology presents a "slippery slope to a surveillance society." A sidebar in this article offers brief descriptions of several different types of biometric systems.
21 November 2001 FBI Wants Telecoms Companies to Add Hardware, Software for Surveillance
The FBI wants telecommunications companies to add software and equipment to enable the agency to access voice communications much as it captures electronic communication. Among the agency's requests are 24 hour real-time monitoring capability and undetectable, reliable interceptions.
20 & 21 November 2001 Magic Lantern
The FBI is developing software that can install surveillance programs remotely. Dubbed "Magic Lantern," the tool would aim to plant keystroke-logging programs on targeted computers.
15 November 2001 FBI Prefers Fingerprints to Other Biometrics
The FBI told a Senate subcommittee that the agency prefers fingerprints to new, fancier biometric identification systems. The FBI already has an enormous amount of fingerprint data in digital databases; it also has a system to retrieve and match prints quickly and which is compatible with similar databases in Canada, the UK and at Interpol.
20 November 2001 Ziff Davis Subscribers' Data Revealed
Ziff Davis Media accidentally posted some subscribers' personal information, including credit card numbers and mailing addresses, on its website. Ziff Davis initially erased the contents of the accessible database, then blocked access to its address entirely.
20 November 2001 Gartner: Internet Reliability is 5 Years Out
A Gartner commentary predicts that the Internet will not be as stable or reliable as private networks until 2006. Businesses should assess their systems for vulnerabilities, test incident response plans, and contract for denial-of-service protection.
19 & 20 November 2001 Microsoft Apologizes, Admits it Knew of Vulnerability
Microsoft apologized for "inaccurate" statements regarding an Internet Explorer (IE) vulnerability disclosed by Online Solutions. Initially, Microsoft blasted Online Solutions for making the vulnerability public on November 8, but then admitted that the security company had notified them of the problem a week before.
19 November 2001 Security Spending Up Despite Sluggish IT Budgets
A recent survey of 174 IT managers conducted by Computerworld and J.P. Morgan Securities Inc. found that while IT budgets are decreasing or staying the same as last year, spending on security technology is on the rise. Survey participants expected to invest in SSL products, anti-virus software, intrusion detection systems, VPNs and firewalls.
19 November 2001 Health Care Site Privacy
Many health care web sites are not bound by the privacy rules that govern what health care providers may and may not do with patients' information.
19 November 2001 Hacking Back is Not a Good Idea
Even though new products are capable of providing more information about who is behind certain cyber attacks, people are reluctant to turn the tables on attackers because they may not have the right target and because some hacking back is illegal.
19 November 2001 Protecting Businesses From Failed Vendors
As the uncertain economy nibbles away at the financial viability of technology vendors, businesses are well advised to include protection clauses in their licensing and outsourcing contracts. Establishing a backup plan with an alternate supplier is also helpful.
[Editor's (Schultz) Note: Organizations that are considering obtaining outside help in areas such as intrusion detection monitoring need to weigh financial/organizational stability of candidate providers much more heavily than most buyers currently do. ]
19 November 2001 ABA Hears UCITA Arguments
The American Bar Association (ABA) heard arguments about the Uniform Computer Information Transactions Act (UCITA). It is considering whether or not to support the controversial software licensing law. Of particular concern is the "self-help" provision that lets vendors remotely shut down software if they suspect license violations. Thirty-two states' attorneys general have signed a letter opposing the law.
Computerworld's Maryfran Johnson speaks out against UCITA; she advises businesses to carefully examine software contracts for UCITA provisions and fight their inclusion.
18 November 2001 Ellison's Boast of "Unbreakable" Server Could Lead to Embarrassment
Oracle's Larry Ellison is touting a new e-mail server as "unbreakable", a label that is all too likely to serve as an invitation to hackers, according to David Coursey.
[Editor's (Schultz) Note: Statements such as the ones Ellison has made appear to reflect gross ignorance about even the most basic principles of information security. (Murray) Security people say "hardened," not "unbreakable." (Paller) SANS is gathering information about the greatest security threats to database products in order to help the database vendors improve their products and to teach their users how to protect themselves. Please share the important security vulnerabilities you have found involving Oracle software by emailing us at firstname.lastname@example.org with the subject: Oracle threats. ]
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail email@example.com with the subject: Subscribe NewsBites
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz