SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #5
January 31, 2001
If you are a forensics guru or if you have some extraordinary stories
to tell, please consider submitting a proposal for SANS FIRE (Forensics:
Investigation, Research and Education) that will be held in Washington
DC in July. http://www.sans.org/sansfire/cfp.htm
TOP OF THE NEWS25 & 26 January 2001 Microsoft Suffers Denial-of-Service Attack
24 January 2001 System Maintenance
22 January 2001 GAO High Risk Report Focuses on IT
22 January 2001 Not Much Headway in USDA Security, Says GAO
22 & 26 January 2001 Ramen Worm
20 January 2001 Computer Vandal Sentenced
THE REST OF THE WEEK'S NEWS24 & 25 January 2001 Microsoft Router Problems
26 January 2001 Privacy Group Questions On-Line Court Document System
26 January 2001 Former LANL Employee's Cracking Past
26 January 2001 Single Point of Failure
26 January 2001 Satellite TV Disables Illegal Access
25 & 26 January 2001 IE 5.5 Downloads on Hold
25 January 2001 Indian Crackers Arrested
24 January 2001 DEA Officer Charged with Selling Data
23 & 24 January 2001 Travelocity Customer Info Exposed
23 January 2001 CIO Federal Security Guide
23 January 2001 DDoS Perpetrator: Able Cracker or Script Kiddie?
23 January 2001 FTC Closes DoubleClick Investigation
22 January 2001 Security Risks for Companies In China
22 January 2001 Antivirus Company Charged with Info Hoarding Nets List Suspension
PROFESSIONAL DEVELOPMENT NEWSSANS2001 Registration Opens- http://www.sans.org/SANS2001.htm
SANS FIRE Call For Papers
Regional Training Programs Bring Top Teachers To Ten Cities
****************** This Issue Sponsored By PentaSafe *****************
You know what your security policies are and what they are meant to do.
Does everyone else?
"By introducing the new VigilEnt Policy Center(tm), PentaSafe has
finally given security officers a single point for automating security
policy creation, distribution, awareness, and tracking throughout the
Click here http://www.pentasafe.com/products/policyoverview.htm to see
an online demo, or sign up for a webinar or seminar in your area.
TOP OF THE NEWS
25 & 26 January 2001 Microsoft Suffers Denial-of-Service AttackMicrosoft announced that it was the target of two denial-of-service (dos) attacks aimed at its routers late last week, raising many questions. Did the problems earlier in the week inspire the crackers to target the software giant's routers rather than its servers (the more common target of DoS attacks)? Were the earlier problems in fact DoS attacks rather than technical problems? And were these attacks really DoS attacks and not just the unusually large amount of traffic to be expected when the DNS servers became accessible? Also, Microsoft has apparently outsourced its DNS service.
24 January 2001 System MaintenanceProper maintenance, especially applying patches, is essential to securing systems. Failure to maintain systems can be due to lack of training and the sheer magnitude of the task of applying all applicable patches to all machines. Automated updating could enhance systems security.
[Editor's (Grefer) Note: Sound advice. ]
22 January 2001 GAO High Risk Report Focuses on ITThe General Accounting Office's (GAO) recently released high-risk report says security program management is a problem at many government agencies. The Government Information Security Act - which was inspired by GAO reports - requires agencies to adopt management policies and conduct annual evaluations of security management and policy.
Links to FCW.com's government agency IT reporting:
This article describes the IT challenges facing federal agencies.
22 January 2001 Not Much Headway in USDA Security, Says GAOA General Accounting Office (GAO) report says the US Department of Agriculture (USDA) has made little progress toward implementing an action plan for addressing system weaknesses and securing systems against intrusions. The USDA attributes the slow progress to insufficient staffing and funding.
22 & 26 January 2001 Ramen WormThe fact than several cracker groups are switching to Red Hat Linux suggests that they are modifying HTML pages in the recently discovered Ramen worm. Experts fear that more vicious variants of Ramen will emerge. Recent victims of the worm include NASA and Texas A&M University, suggesting that even seasoned network engineers may neglect to apply patches as they become available. Patches for the flaws the worm exploits are available at www.redhat.com/support/alerts/ramen_worm.html.
[Editor's (Murray) Note: To suggest that the failure to apply patches as they become available as "neglect" ignores the fact that to do so is to destabilize systems. Striking the balance between the risk of attack and the risk of destabilizing one's system is a difficult problem. Accepting either risk over the other is not evidence of neglect. "Patch and fix" is a risky tactic, not a mandatory strategy. It is unethical for experts, in general, and security experts, in particular, to "view with alarm." ]
20 January 2001 Computer Vandal SentencedScott Dennis, a former system administrator and security officer, bombarded a US District Court e-mail server with messages three times to demonstrate its vulnerability. He was sentenced to three months in jail and one year of parole. He has already paid more than $5,000 in restitution.
******************** Also sponsored by Network ICE *******************
Does Your IDS Crash At Gigabit Speeds?
BlackICE Sentry from Network ICE detects intrusions at Gigabit and Full
Duplex Fast Ethernet speeds without dropping a single packet! Where
other intrusion detection systems start to go blind, BlackICE Sentry
hums, inspecting every TCP/IP packet on a fully loaded 100Mb Ethernet
Don't believe it, we can prove it! Visit:
THE REST OF THE WEEK'S NEWS
24 & 25 January 2001 Microsoft Router ProblemsA misconfigured router isolated Microsoft's DNS servers in the middle of last week, rendering the company's many web sites inaccessible. Analysts expressed surprise that Microsoft would place all of its DNS servers on one network. Also, there is concern about Microsoft's planned .net system, which will deliver services over the Internet, being part of a system with one point of failure.
26 January 2001 Privacy Group Questions On-Line Court Document SystemThe Privacy Foundation, concerned about PACER (Public Access to Court Electronic Records), a system that will allow on-line access to federal court case files, has written a letter recommending that sensitive personal information, such as social security numbers and medical information, be removed from the on-line documents. The group made several other suggestions aimed at ensuring citizens' privacy.
26 January 2001 Former LANL Employee's Cracking PastJerome Heckenkamp, the former Los Alamos National Laboratory (LANL) employee who has been charged with infiltrating a number of computer systems in 1999 was suspended from graduate school for a year for cracking, and in 1997 lost a job for breaking into the system of a Philadelphia ISP.
26 January 2001 Single Point of FailureMicrosoft's recent outages/attacks underscore the importance of making sure systems do not have a single point of failure like all DNS servers on one network. Some security experts believe that the Internet's increasing reliance on DNS does not bode well for security in the long run.
[Editor's (Cowan) Note: The article says "Conventional wisdom holds that the Internet was made to withstand nuclear attack." It was, but DNS was not. DNS and the Web are not the whole Internet, and are not even critical to Internet operations. They are critical to being able to type "mymajorcorporation.com" into a web browser and getting back some graphics. Hence the criticality of geographically redundant DNS servers. ]
26 January 2001 Satellite TV Disables Illegal AccessSatellite TV company DirecTV last week sent a signal to all its receiver boxes that shut down pirated access cards. In the past, attempts to thwart the use of the unauthorized cards had been met with crackers modifying the cards again and again. This most recent electronic countermeasure may have defeated the pirates once and for all.
25 & 26 January 2001 IE 5.5 Downloads on HoldMicrosoft temporarily stopped Internet Explorer (IE) 5.5 downloads while it updated its service pack. A spokesperson said the action had nothing to do with the denial of service attack Microsoft suffered late last week. The software was available again by Friday afternoon.
25 January 2001 Indian Crackers ArrestedTwo men who sent malicious e-mail that netted them passwords and other data from several Indian web sites, including that of the State bank of India, may not be sentenced because local law enforcement lacks cyber crime training, according to lawyers.
24 January 2001 DEA Officer Charged with Selling DataA Drug Enforcement Administration (DEA) officer in Los Angeles has been charged with illegally accessing law enforcement systems and selling information to a private investigation firm. A consumer advocacy group in San Diego has reportedly received several complaints of this sort. The associate director for the ACLU says legal data access is every bit as worrisome.
23 & 24 January 2001 Travelocity Customer Info ExposedPersonal data belonging to Travelocity customers who had entered a contest last year was exposed when a server that had been used only in-house was put on-line. The information should have been deleted, but wasn't. Those affected were being notified by e-mail. Analysts say the company would be well advised to conduct a security audit.
[Editor's (Murray) Note: I am not sure that I would have picked that up in an audit. Audits are not a substitute for good management controls. In the absence of such controls, audits detect the absence; they rarely detect the consequences.
23 January 2001 CIO Federal Security GuideThe CIO Council has prepared a guide for federal agencies called Securing Electronic Government. The guide defines five security goals - - availability, authentication and identification, confidentiality, integrity, and non-repudiation - and uses examples from the federal security environment. The Council hopes for feedback to help improve and expand the guide.
[Editor's (Murray) Note: This is not a proper list; the items on it are not peers of one another. A better list would have been availability, accountability, integrity, and confidentiality. Alternatively, user identification, access control, logs, journals, alarms, messages, and reports. ]
23 January 2001 DDoS Perpetrator: Able Cracker or Script Kiddie?The attorney for the Canadian teenager who has admitted to the distributed denial of service attacks against major Internet sites last February says his client is a skilled cracker; law enforcement officials maintain he merely used available tools and didn't write any attacks himself. The article also contains details about tracking the teenager.
[Editor's (Murray) Note: The significance of this report is not in the dispute between the police and the child over how prodigious his skills were so much as in the fact that his bragging focused the investigation and led to his early arrest. That is not to say that he would not have been caught in any case, but that he certainly made it easy. ]
[Editor's (Cowan) Note: A dark day for personal privacy. Tip for UNIX users: if you symlink ~/.netscape/cookies to /dev/null, then Netscape will accept cookies all day long, and then forget them all when you exit the process. This gives you a very convenient and very secure enforcement that the life span of cookies on your client is exactly what you want it to be, and generally far too short for Doubleclick to harvest. ]
22 January 2001 Security Risks for Companies In ChinaA report published by an intelligence firm warns that companies with business offices in China may be at risk of government surveillance and proprietary data theft. The report maintains that scans and probes of US companies in China are increasing. Representatives from US companies in China do not seem to be overly concerned.
22 January 2001 Antivirus Company Charged with Info Hoarding Nets List SuspensionPanda Software, the antivirus company that announced the worm HTML/Little Davinia to the public before sharing the information and samples with the antivirus community has been suspended from the Rapid Exchange of Virus Samples (REVS) list for one week. (The virus, which affected only five companies, arrived as an attachment which, when opened, connected to a site in Spain that forced a VBS download and overwrote files containing HTML. The web site has been taken down.)
PROFESSIONAL DEVELOPMENT NEWS
SANS2001 Registration OpensMore than ninety full-day courses including seven immersion training tracks plus the our computer security exposition with the unique IDNet where you can watch war games in progress and participate if you want.
SANS FIRE Call For PapersSANS Forensics: Investigation, Response and Education in Washington DC starts July 30. We're looking for ten eye-opening forensics presentations to complement the in-depth training programs. The Call for Papers is posted at:
Regional Training Programs Bring Top Teachers To Ten Cities Save travel costs and still attend SANS top-rated programs in any of the nine regional conferences planned this year: New Orleans, Sydney, Dallas, Orlando, Portsmouth NH, Denver, Ottawa, Honolulu, Raleigh, San Diego.
== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail firstname.lastname@example.org with the subject: Subscribe NewsBites
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz