Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #11

March 13, 2002


Consultants and internal groups that perform site security assessments
have experienced major changes in the aftermath of September 11. One
key change is the emerging requirement to test all systems rather
than a sample of systems and to compare the status of security on
those systems with industry benchmarks. To try to help make this job
easier, SANS is completing a consensus standard for auditing security
on Internet-connected systems and networks. If you do a large number
of such audits, and are willing to invest some time in helping make
the consensus better, please email info@sans.org with the subject,
Consensus site audit standards.


Alan

TOP OF THE NEWS

6 & 7 March 2002 Davis Bill Would Require Compliance with Info Sec Best Practices
11 March 2002 Air Force CIO Wants Better Security In Microsoft Products
7 & 8 March 2002 Rough Sets Data Mining Tool Detects Abnormal Activity
7, 8 & 9 March 2002 Flickering Lights May Leak Data
6 March 2002 Man Arrested for Allegedly Trying to Sell Personal Data

THE REST OF THE WEEK'S NEWS

8 March 2002 MyLife Worm
6 & 8 March 2002 Gibe Worm Installs Back Door
6 & 8 March 2002 NAI Drops PGP; Zimmerman Wants Source Released
7 March 2002 DOE and DOD Address Computer Security Issue
6 March 2002 Reporting Web Site Holes is Problematic
6 March 2002 SSA Testing Biometrics
5 March 2002 SSA Testing SSN Authentication Program
5 March 2002 Security Hole In Microsoft's Java Virtual Machine
4 March 2002 Disclosure Proposal Favors Vendors
4 March 2002 Defense Lawyer Argues DMCA Does Not Apply in Elcomsoft Case
4 March 2002 Financial Companies Move to Preserve Mission Capability
26 February 2002 The Center for Internet Security


************************ Sponsored by NetIQ **************************
Free Security White Paper from NetIQ
Want to simplify, strengthen and speed up security tasks? Download
NetIQ's free white paper, "Strengthen Windows Security." Need to
reduce administration costs, boost security and implement comprehensive
reporting ... and extend the security benefits of Active Directory?
Learn how! http://www.netiq.com/f/form/form.asp?id=800
**********************************************************************

TOP OF THE NEWS

6 & 7 March 2002 Davis Bill Would Require Compliance with Info Sec Best Practices

Representative Tom Davis (R-Va.) introduced the Federal Information Security Management Act (FISMA), legislation that aims to make the provisions of GISRA permanent and add a requirement that government agencies adhere to information security best practices developed by the National Institute of Standards and Technology (NIST).
-http://www.gcn.com/vol1_no1/daily-updates/18120-1.html
-http://www.fcw.com/fcw/articles/2002/0304/web-gisra-03-07-02.asp
[Editor's (Murray) Note: Be careful what you ask for. New York State recently removed web sites from the internet completely as an alternative to restricting access to an appropriate set of people. "Nothing useful can be said about the security of a practice except in the context of an application and an environment. (Paller) People who accept Bill's thinking would avoid running hardening scripts before deploying systems, because they had not performed a thorough needs assessment involving in-depth analysis of the application and the environment. But since most people are not as skilled as Bill is at risk assessment, they would be left with completely unprotected systems, available to immediate attack. Benchmarks make sense, and the Davis Bill, with a few critical changes, could do a great deal of good. ]

11 March 2002 Air Force CIO Wants Better Security In Microsoft Products

Air Force CIO John Gilligan says the Air Force will stop using Microsoft software if the company doesn't improve its products' security; Gilligan says the Air Force will do business with the companies that offer the best solutions.
-http://www.usatoday.com/life/cyber/tech/2002/03/11/gilligan.htm
[Editor's (Schultz) Note: This is an extremely significant development. A large customer is standing up to vendors and saying "We will not buy your products any more if you don't give us better security." Vendors say they do not provide better security in their products because customers do not demand it. Now Gilligan is demanding it. If others like Gilligan follow suit, vendors will for the first time feel genuine pressure to develop better, more secure software. ]

7 & 8 March 2002 Rough Sets Data Mining Tool Detects Abnormal Activity

Researchers from Pennsylvania State University and Iowa State University tested three data mining tools for efficacy as intrusion detection techniques. The three tools, neural networks, inductive learning, and rough sets, are all capable of learning from prior attack examples. Rough sets is the only one of the three capable of working with incomplete data; it also returned the highest accuracy in detecting abnormal activity. There are presently no plans for commercial development of rough sets.
-http://unisci.com/stories/20021/0307023.htm
-http://abcnews.go.com/sections/scitech/CuttingEdge/cuttingedge020308.html
Abstract:
-http://www.decisionsciences.org/dsj/Vol32_4/32_4_635.htm

7, 8 & 9 March 2002 Flickering Lights May Leak Data

Researchers have found that light reflected from computer monitor screens and the pattern of flickering light emitted from LEDs on some devices can be captured and translated into readable information.
-http://www.wired.com/news/print/0,1294,50893,00.html
-http://news.com.com/2100-1001-854946.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68939,00.html
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1861000/1861656.stm
[Editor's (Murray) Note: This vulnerability is much smaller than leakage from RF emanations and we do not spend much time worrying about that one. ]

6 March 2002 Man Arrested for Allegedly Trying to Sell Personal Data

Federal and local law enforcement agents arrested Donald Matthew McNeese for allegedly trying to sell personal data belonging to 60,000 Prudential Insurance Company employees. He is charged with downloading the data while he worked for the company. If convicted, McNeese could face as much as 45 years in prison and a fine of $750,000 plus restitution.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68850,00.html


*************** Sponsored Links **************************************
(1) Get the SIMPLEST, Highest Availability for Check Point
VPN-1/FireWall-1, only from Resilience.
http://www.sans.org/cgi-bin/sanspromo/NB13
(2) On-time Real Time UNIX auditing with auditGuard from DLI.
http://www.sans.org/cgi-bin/sanspromo/NB14
**********************************************************************

THE REST OF THE WEEK'S NEWS

8 March 2002 MyLife Worm

The MyLife mass-mailer worm arrives in the guise of a sentimental photograph to exploit a bug in Microsoft Outlook. It tries to delete certain Windows files, but a coding bug prevents that from happening. Outlook 2000 users need to install the Security Update or upgrade to Outlook 2002 to be protected.
-http://zdnet.com.com/2100-1105-855400.html

6 & 8 March 2002 Gibe Worm Installs Back Door

The Gibe mass-mailer worm arrives as an attachment to what appears to be a Microsoft security bulletin; if activated, it will mail itself out and install a back door in the infected system. The infection occurs only if users open the attachment. Outlook 2000 users need to install the Security Update or upgrade to Outlook 2002 to protect their computers.
-http://zdnet.com.com/2100-1105-853235.html
-http://www.msnbc.com/news/721388.asp?0dm=T18QT

6 & 8 March 2002 NAI Drops PGP; Zimmerman Wants Source Released

NAI failed to find a buyer for PGP Desktop and wireless encryption products, which will now be put in "maintenance mode;" current service contracts will be honored through expiration. Phil Zimmerman wants NAI to release the source code.
-http://www.nwfusion.com/news/2002/0306naipgp.html
-http://news.com.com/2100-1023-856132.html
-http://online.securityfocus.com/news/348

7 March 2002 DOE and DOD Officials Address Computer Security Issue

Testifying before a House subcommittee, Department of Energy (DOE) and Defense Department (DOD) officials described the actions their agencies are taking to address the problems outlined in a recent computer security assessment.
-http://www.fcw.com/fcw/articles/2002/0304/web-action-03-07-02.asp

6 March 2002 Reporting Web Site Holes is Problematic

A software developer who found a security hole in the Guess.com e-commerce web site had a hard time informing the company about the problem; this sort of difficulty is all too common, leading some who find vulnerabilities resorting to posting them on security mailing lists. A standard that could streamline the reporting of problems to the web site owners would be helpful.
-http://online.securityfocus.com/news/346

6 March 2002 SSA Testing Biometrics

The Social Security Administration (SSA) is testing a variety of biometric technologies for possible use in guarding against identity theft; if a biometric program is chosen, the information would be stored in a database, not identity cards.
-http://www.fcw.com/fcw/articles/2002/0304/web-ssa-03-06-02.asp

5 March 2002 SSA Testing SSN Authentication Program

The Social Security Administration (SSA) plans to test an on-line Social Security number (SSN) authentication program companies can use when hiring employees.
-http://www.gcn.com/vol1_no1/daily-updates/18116-1.html

5 March 2002 Security Hole In Microsoft's Java Virtual Machine

A flaw in Microsoft's Java Virtual Machine (JVM) software could allow a hacker to take control of browsers configured to use proxy servers; they could then redirect traffic and steal passwords and other sensitive information. A patch for the vulnerability is available.
-http://news.com.com/2100-1001-851711.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68811,00.html
-http://www.theregister.co.uk/content/55/24295.html
-http://www.microsoft.com/java/vm/dl_vm40.htm

4 March 2002 Disclosure Proposal Favors Vendors

Computerworld senior news columnist Frank Hayes says the best practices vulnerability disclosure proposal recently submitted to the Internet Engineering Task Force (IETF) gives vendors too much latitude in dealing with security problems.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68754,00.html
[Editor's (Murray) Note: I do not know what Mr. Hayes' competence to comment on the matter is. What I do know, with a high degree of confidence, is that we must fix things in the order of their importance, not the order of their discovery. It is difficult for the vendor to decide which problem is most important but it is impossible for the discoverer of one problem to rank it. ]

4 March 2002 Defense Lawyer Argues DMCA Does Not Apply in Elcomsoft Case

The lawyer for Elcomsoft, the Russian software company that created the e-book encryption circumvention software for which Dmitri Sklyarov was arrested last summer, argued that the company was doing business on the Internet and is therefore outside US jurisdiction.
-http://www.wired.com/news/print/0,1294,50797,00.html
-http://news.com.com/2100-1001-851418.html

4 March 2002 Financial Companies Move to Preserve Mission Capability

In an effort to mitigate potential losses, financial firms are distributing offices and IT operations over wider geographical areas.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68769,00.html

26 February 2002 The Center for Internet Security

The Center for Internet Security (CIS) provides users with preferred practice benchmarks, easy-to-use tools to test systems' compliance with those benchmarks, and security ratings to quantify improvements made in security.
-http://www.usatoday.com/life/cyber/tech/2002/02/27/security.htm



==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz