SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #51
December 21, 2001
The Microsoft Internet Explorer vulnerability is just as bad as you
have heard. Vicki Irwin will give you a full briefing on how it works
in the Internet Security Update web broadcast today (Wednesday) at 1
PM EST (18:00 UTC). As part of the broadcast, Stephen Northcutt will
provide a briefing on why security policies fail and how to avoid
the most common problems. There is no cost. Register well before the
start time so you won't be caught in the last minute rush:
The damage caused by NIMDA - one of the worst worms the Internet has
experienced - was grossly underreported for a very good reason. Nimda
arrived exactly seven days after the World Trade Center and Pentagon
attacks. No one wanted to whine about computer damage and Internet
outages when so many people had been killed. It is important, however,
that we get a handle on the actual damage - so that senior executives
can allocate the resources needed to defend against the increased
threat. Please take a few minutes and send me (firstname.lastname@example.org) a
completely confidential description of the damage your organization
experienced - the cost of clean up, the time you were out of operation,
other losses of any kind, or the damage any of your key suppliers
TOP OF THE NEWS
14 December 2001 Microsoft IE Patch
13 December 2001 Sun, IBM Unix Share Buffer Overflow Vulnerability
13 December 2001 Davis Wants GISRA to be Permanent
11 December 2001 NIPC Highlights DNS Concerns
THE REST OF THE WEEK'S NEWS
17 December 2001 Hackers Attack Routers
17 December 2001 Al Qaeda Suspect Says Others Sabotaged Windows XP
14 December 2001 Intrusion Detection Swamps Users With False Alarms
14 December 2001 Microsoft's CSO Likely to be Appointed to Cybersecurity Board
13 & 14 December 2001 Quantum Cryptography Moves Forward
13 December 2001 Is Oracle Ad Campaign an Invitation to Hackers?
13 December 2001 Gokar Worm
13 December 2001 Sklyarov Charges Dropped in Exchange for Testimony
12 December 2001 Former Intel Employee Still Guilty of Trespassing
12 December 2001 Cerf Wary of Forcing Patches, GovNet
12 December 2001 FBI Admits Existence of Magic Lantern
10 December 2001 Security Manager's Journal: External Audit Disappoints
10 December 2001 Outlook Web Access Patch Problems
7 December 2001 Use Local Law Enforcement, Says Vatis
TOP OF THE NEWS
14 December 2001 Microsoft IE Patch
Microsoft is strongly encouraging customers who are using Internet Explorer 5.5 and 6.0 to install a patch for a variety of security holes, including one which could trick users into downloading malicious code.
13 December 2001 Sun, IBM Unix Share Buffer Overflow Vulnerability
A buffer overflow flaw in the Unix login program allows attackers to obtain root access to servers. Evidence from Internet chat rooms indicates an exploit is already circulating among hackers. The affected versions are Sun Solaris 8 and earlier and IBM AIX 4.3 and 5.1; other systems could also be vulnerable. Both companies have issued fixes.
13 December 2001 Davis Wants GISRA to be Permanent
Representative Tom Davis (R-Va.) is developing legislation that would make the Government Information Security Reform Act (GISRA) permanent and would include mandatory information security standards for government agencies. GISRA will expire in October 2002.
11 December 2001 NIPC Highlights DNS Concerns
The National Infrastructure Protection Center (NIPC) encourages companies to make sure their domain name servers do not provide the possibility of a single point of failure; they should be redundant and geographically distributed. NIPC cited research conducted by Men & Mice, an Icelandic firm, that found up to a quarter of Fortune 1000 companies had all their domain name servers on the same section of the network.
THE REST OF THE WEEK'S NEWS
17 December 2001 Hackers Attack Routers
Hackers are increasingly using router attacks for denial of service and redirection attacks.
17 December 2001 Al Qaeda Suspect Says Others Sabotaged Windows XP
A suspected Al Qaeda member, arrested in India in early October, allegedly claimed other members of the terrorist network managed to secure jobs at Microsoft and tried to build backdoors and bugs into the company's new XP operating system. A Microsoft spokesman was skeptical of the statement.
14 December 2001 Intrusion Detection Swamps Users With False Alarms
IDS vendors concede that false alarms and redundant alerts are a serious problem. Adding to the problem is the fact that companies buy IDSs but fail to provide adequately trained personnel to monitor the results.
14 December 2001 Microsoft's CISO Likely to be Appointed to Cybersecurity Board
Microsoft's chief information security officer, Howard Schmidt, is expected to be appointed vice chairman of the recently established Critical Infrastructure Protection Board.
[Editor's (Paller) Note: Mr. Schmidt was Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare. His reputation for patriotism and commitment to effective security were in no way tarnished by his time at Microsoft where he worked tirelessly -- and usually thanklessly -- from the inside to improve the security of the products Microsoft delivered to its customers. Obviously he was not 100 per cent effective, but in my opinion he did more than any other person to make a difference. ]
13 & 14 December 2001 Quantum Cryptography Moves Forward
The possibility of quantum cryptography has taken an important step forward with the development of a device capable of emitting single photons.
13 December 2001 Is Oracle Ad Campaign an Invitation to Hackers?
Security pundits have criticized Oracle's latest marketing campaign, which claims products are "unbreakable", for being tantamount to an invitation to hack. Intrusion attempts against Oracle databases and application server products have increased by a factor of ten since the beginning of the campaign, though none of the attempts have been successful, according to Oracle CEO Larry Ellison. Company senior vice president and chief marketing officer Mark Jarvis points out that the customer has a role to play in establishing the "unbreakable" environment.
13 December 2001 Gokar Worm
Gokar is a mass mailer worm that spreads via email (Outlook and Outlook Express), mIRC and web servers running IIS software. Users must click on an attachment to become infected, and the worm runs each time an infected computer is booted up. The attachment file extension will be .pif, .scr, .exe, .com, or .bat; the subject, body text, and file names vary.
13 December 2001 Sklyarov Charges Dropped in Exchange for Testimony
Russian programmer Dmitri Sklyarov, who last summer was charged with violating the Digital Millennium Copyright Act (DMCA), has gained his freedom after agreeing to testify against his employer, ElcomSoft. Company president Alex Katalov is pleased that ElcomSoft is now the defendant in the case and is confident that the charges will ultimately be dropped altogether.
[Editor's (Schultz) Note: Haven't we suffered enough already with the consequences of the passage of the Digital Millennium Copyright Act? It is now time to consider repealing this Act, or perhaps revising it to be more reasonable. ]
12 December 2001 Former Intel Employee Still Guilty of Trespassing
A California appeals court upheld a lower court decision that found Kourosh Kenneth Hamidi, a former Intel employee, guilty of trespassing for sending e-mail messages outlining his grievances to large groups of Intel employees. Hamidi plans to appeal the decision. The second story is an interview with Hamidi.
[Editor's (Paller) Note: This is a big decision - concentrated emails to a company's employees is deemed trespassing. The full opinion and one judge's dissenting opinion is posted at
12 December 2001 Cerf Wary of Forcing Patches, GovNet
Vinton Cerf expressed concern that the White House proposal to automate software patching would not work due to the wide array of network configurations. He also cautioned that GovNet users may illegally connect computers to GovNet, the proposed isolated government network, and that floppy disks could infect the network with viruses.
[Editor's (Schultz) Note: Cerf is once again correct here. Patching vulnerabilities is anything but straightforward. There are many variables that affect whether a patch will install correctly, let alone whether or not it will work correctly. The White House proposal is naive. (Paller) Disagreeing with either Schultz or Cerf is dangerous, and disagreeing with both is downright foolhardy - but here goes. The Internet pioneers started their careers in a time when it was appropriate for every computer user to make any changes they liked to their system configuration. That hasn't been appropriate for the vast majority of computer users for at least five years. Today, more than 25 million people use automated patching. Millions more will join them within a few months. What the White House is suggesting is more than sensible; it is essential and cost-effective. There's no other way to lower the cost of system administration and security while at the same time maintaining updated security patch levels on 100 million or more computers. ]
12 December 2001 FBI Admits Existence of Magic Lantern
An FBI spokesman acknowledged that the Magic Lantern backdoor keystroke logger Trojan is under development. Antivirus companies have said they would not voluntarily make accommodations in their software to let the program go undetected.
10 December 2001 Security Manager's Journal: External Audit Disappoints
The security manager found that an external audit didn't afford him any insights into ways to enhance security; penetration testing, performed on a regular basis, is more revealing and helpful.
[Editor's (Schultz) Note: I disagree. The contrast he makes between the value of external audits and penetration tests is superfluous. The value of each depends more on how well each is conducted and how each is used than anything else. A well done external audit is much more valuable than a poorly done penetration test. ]
10 December 2001 Outlook Web Access Patch Problems
Microsoft updated and re-released a security bulletin regarding a vulnerability in its Exchange 5.5's Outlook Web Access module because the accompanying patch caused problems on systems running older versions of Internet Explorer. The revised bulletin recommends users upgrade to IE 5.5 with Service Pack 2 or IE 6.0.
7 December 2001 Use Local Law Enforcement, Says Vatis
Cybersecurity expert and former NIPC director Michael Vatis says federal law enforcement should enlist the help of local agencies to help combat cybercrime.
Please feel free to share this with interested parties via email (not on bulletin boards). For a free subscription, (and for free posters) e-mail email@example.com with the subject: Subscribe NewsBites
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz