Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #12

March 20, 2002


The President's Critical Infrastructure Protection Board has released
the first phase of the US National Strategy to Secure Cyberspace - a
list of the key questions to be answered in the Strategy. By releasing
the questions first, the Board hopes to encourage interested parties
to suggest innovative and thoughtful answers to each of the questions.


You'll find the questions and instructions on providing suggested
answers at http://www.sans.org/nationalstrategy.php

Oracle security problems may be more prevalent than previously
reported. Pete Finnegan, with the help of many of the other Oracle
security gurus around the world, has completed a first draft of SANS
new Oracle Security: Step-by-Step guide. We are distributing the
list of Oracle security problems to be sure we have addressed all the
known issues. We'll share the solutions sections with those people who
provide substantive feedback on the problems. If you know a lot about
Oracle security and will provide feedback, please email info@sans.org
with the subject "Oracle security problems" and we will email you
a copy. Include your name, organization, city, state, and country.


Alan

TOP OF THE NEWS

13 March 2002 Alleged Defacer/Extortionist Charged
12 March 2002 Admin Chastised for Using Vulnerabilities to Warn of Infection
11 March 2002 CIA Networks Mapped
15 February 2002 ISPs and DDoS Liability

THE REST OF THE WEEK'S NEWS

14 March 2002 PGP Difficult to Use, Says Gartner
14 March 2002 Fbound Worm is Bilingual
14 March 2002 Cable Modem Vulnerability
13 March 2002 More Security Professionals Needed
11 & 12 March 2002 Zlib Compression Library Vulnerability
14 & 15 March 2002 Zlib Vulnerability Affects Other OSes
11 March 2002 Virus Alert Standards Would be Helpful
11 March 2002 Security Manager on SNMP Patching, IM Virus
8 March 2002 DoT Plans to Address GPS Vulnerabilities
8 March 2002 New Issues Facing Corporate Security

TUTORIALS

4 March 2002 Facial Recognition Technology
21 February 2002 Security FAQ


TOP OF THE NEWS

13 March 2002 Alleged Defacer/Extortionist Charged

A Kansas teenager who in 2000 allegedly offered to help secure a California city's web site that he had defaced in exchange for a laptop computer has been charged with felony computer crimes.
-http://online.securityfocus.com/news/352

12 March 2002 Admin Chastised for Using Vulnerabilities to Warn of Infection

An Australian systems administrator has been criticized for writing a script to warn users that their computers had been infected; his program used the same software flaws exploited by the worms he warned about.
-http://it.mycareer.com.au/news/2002/03/12/FFXEIAXKOYC.html

11 March 2002 CIA Networks Mapped

A UK computer security consulting company used entirely legal means to compile a detailed map of non-classified CIA networks and gather names, e-mail addresses and phone numbers of a handful of agency employees. While a CIA spokesperson discounted the significance of the study, others say the information could be used to gain access to classified information.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68961,00.html

15 February 2002 ISPs and DDoS Liability

This article describes the liability ISPs could face as a result of distributed denial of service (DDoS) attacks. ISPs need to be especially careful about claims they make when marketing and promoting their services; they should also employ effective security practices that are continually monitored and updated as necessary.
-http://www.tisc2001.com/newsletters/43.html
[Editor's (Murray) Note: The problem here is that the contracts are being drafted by the vendors and the buyers are not asking, do not even know how to ask, for security. Even if the ISP thinks he is doing a good job of security, he will try to disclaim it in the contract if he can get away with it. He knows that he cannot protect the user from everything and, particularly, from his own errors. A good contract will describe what the user can rely upon the ISP to do and what the ISP relies upon the user to do. The emphasis should be on agreed actions, not on responsibility and certainly not on results. ]


THE REST OF THE WEEK'S NEWS

14 March 2002 PGP Difficult to Use, Says Gartner

Gartner believes that the main reason Network Associates had trouble selling PGP encryption to businesses is that they did not make the product easy to use.
-http://zdnet.com.com/2100-1107-859781.html
[Editor's (Schultz) Note: The Gartner Group has once again missed the real point, namely that security products in general are deficient when it comes to usability. ]

14 March 2002 Fbound Worm is Bilingual

The Fbound worm spreads itself through Outlook and deletes itself; the worm carries no malicious payload, but can arrive either in English or Japanese, depending upon the recipient's e-mail address or computer language setting.
-http://news.com.com/2100-1001-860409.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69081,00.html
-http://zdnet.com.com/2100-1105-860094.html

14 March 2002 Cable Modem Vulnerability

A man who fiddled with the settings in his cable modem when he felt his service was too slow says he has discovered a vulnerability in DOCSIS-compliant cable modems that could expose their configuration files.
-http://online.securityfocus.com/news/353

13 March 2002 More Security Professionals Needed

Experts say a dearth of experienced security professionals is the greatest threat to the security of the country's computer networks.
-http://www.eweek.com/article/0,3658,s=701&a=23973,00.asp

11 & 12 March 2002 Zlib Compression Library Vulnerability

A "double-free" vulnerability in the Linux zlib compression/decompression library could allow malicious code onto an affected machine. No exploits have been reported, and patches are available.
-http://www.gzip.org/zlib/advisory-2002-03-11.txt
-http://www.cert.org/advisories/CA-2002-07.html
-http://news.com.com/2100-1001-857265.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69013,00.html
-http://www.theregister.co.uk/content/55/24387.html

14 & 15 March 2002 Zlib Vulnerability Affects Other OSes

The security hole in the zlib compression/decompression library affects not only Linux but all operating systems that use zlib code.
-http://news.com.com/2100-1001-860328.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69167,00.html

11 March 2002 Virus Alert Standards Would be Helpful

When a new virus begins making the rounds, users are faced with a bevy of warnings and alert ratings from various anti-virus vendors.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68980,00.html

11 March 2002 Security Manager on SNMP Patching, IM Virus

The security manager plans to install patches for the SNMP vulnerability because he expects that someone will soon write code to exploit it; he also confesses to being impressed with the MSN Instant messenger virus.
-http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO68932,00.html

8 March 2002 DoT Plans to Address GPS Vulnerabilities

The Transportation Department's (DoT) plan to address security vulnerabilities found in the Global Positioning System (GPS) includes maintaining GPS backup systems, using anti-jamming technology, and educating state and local agencies about the vulnerabilities.
-http://www.govexec.com/dailyfed/0302/030802gsn1.htm

8 March 2002 New Issues Facing Corporate Security

As security has become more complex, corporations need to integrate information security throughout the enterprise, address the convergence of physical and information security and prepare to deal with biometrics and the attendant privacy concerns.
-http://zdnet.com.com/2100-1107-855323.html
[Editor's (Schultz) Note: Has security really become more complex, or do consultancies make it appear more complex to the point that demand for their services grows? Perhaps if we began viewing security as not so complex, we would actually make some headway in improving defenses. ]

TUTORIALS

4 March 2002 Facial Recognition Technology

This article describes how facial recognition systems work, their attendant privacy concerns, and the four main types of facial recognition technology. Organizations considering using facial recognition need to consider not only the implementation costs, but also whether the system will be used for access control or surveillance. Finally, the article reviews several different products.
-http://www.fcw.com/geb/articles/2002/0311/web-face-03-04-02.asp
[Editor's (Murray) Note: The big growth in the application of this technology is not in I&A but in automated surveillance. In the short run this application relies upon the fact that the database of targets is small. In this application the concern is false positives. ]

21 February 2002 Security FAQ

This article offers a primer of information security advice, answering questions about firewalls, outsourcing, insurance, and reporting security incidents. It also lists ten important elements of good information security, which includes identifying risks, developing and implementing a security policy, and hiring an independent third party to conduct a security audit.
-http://www.cio.com/security/edit/security_abc.html


==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz