
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #13

March 27, 2002

TOP OF THE NEWS

25 March 2002 GSA To Provide Patches For All Feds
21 March 2002 Security Vendors Adopt CIS Standards
21 & 22 March 2002 Government Sites to Remove Sensitive Info
21 March 2002 Antispam Admin Could Face Felony Charges for Crashing Server
20 March 2002 CERT Warns of Social Engineering IM/IRC Attacks

THE REST OF THE WEEK'S NEWS

26 March 2002 Virus "WildList" Closes
22 March 2002 New MyLife Variant has Nasty Payload
22 March 2002 Image-Based Passwords
21 March 2002 Mueller Mulling Dividing NIPC
21 March 2002 Lieberman Asks Ridge for Information
21 March 2002 Richard Smith on Outlook 2002 and HTML
20 March 2002 Apache Flaw on IRIX
20 March 2002 Microsoft Warns of Another Java Hole
18 & 20 March 2002 NSA Assesses Security Consultants
19 March 2002 Transportation Mulls Smart Cards
18 March 2002 Georgia Tech Server Compromised
15, 19 & 21 March 2002 Vulnerability Reporting Standards Draft Withdrawn from IETF



TOP OF THE NEWS

25 March 2002 GSA To Provide Patches For All Feds

The General Services Administration has signed a contract to find, verify, and disseminate customized patch sets. System administrators will register their system configurations and receive data only about patches required for their systems.
-http://www.fcw.com/fcw/articles/2002/0325/news-patch-03-25-02.asp

21 March 2002 Security Vendors Adopt CIS Standards

Three Internet security software companies have submitted their products to the Center for Internet Security (CIS) for certification against a set of standards and benchmarks. This certification is essential for ensuring a security vendor's tool actually is testing for the most critical vulnerabilities.
-http://www.washingtontechnology.com/news/1_1/daily_news/18011-1.html

21 & 22 March 2002 Government Sites to Remove Sensitive Info

White House Chief of Staff Andrew Card sent a memo to the heads of all government agencies and departments directing them to remove sensitive information from their websites, re-examine public documents and send a report to the Office of Homeland Security within 90 days.
-http://www.govexec.com/dailyfed/0302/032102tdam1.htm
-http://www.wired.com/news/politics/0,1283,51236,00.html
-http://news.com.com/2100-1023-866132.html
-http://www.usatoday.com/life/cyber/tech/2002/03/21/web-sites-attacks.htm
[Editor's (Murray) Note: We call this kind of security "throw out the baby." I can understand removing the material from public web sites but surely we understand enough about access control to make it available for legitimate uses and known users. ]

21 March 2002 Antispam Admin Could Face Felony Charges for Crashing Server

A system administrator at an antispam company could face felony charges of computer intrusion for sending a seemingly innocuous query that crashed a mail server that belongs to the city of Battle Creek, Michigan. There is a patch available for the bug that enabled the crash.
-http://www.wired.com/news/politics/0,1283,51218,00.html

20 March 2002 CERT Warns of Social Engineering IM/IRC Attacks

CERT/CC has released an advisory warning that people using instant messaging (IM) and Internet Relay Chat (IRC) have been tricked into downloading malicious software that could be used to glean personal data, take remote control of an infected computer, or take part in a distributed denial of service (DDoS) attack.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69329,00.html
-http://zdnet.com.com/2100-1105-864508.html
-http://www.theregister.co.uk/content/55/24511.html
Advisory:
-http://www.cert.org/incident_notes/IN-2002-03.html



THE REST OF THE WEEK'S NEWS

26 March 2002 Virus "WildList" Closes

For many years, volunteers have prepared the authoritative list of viruses that are actually infecting computers. Now Shane Courson, the head of that volunteer group, says March, 2002 is the final WildList. He's seeking full-time employment.
-http://www.theregister.co.uk/content/56/24587.html

22 March 2002 New MyLife Variant has Nasty Payload

A new variant of the MyLife worm, this one with a caricature of former President Clinton, is spreading quickly, according to anti-virus firms. This version packs a stronger punch than the version that circulated several weeks ago because several bugs in its code have been fixed, allowing the worm to drop a nasty payload that destroys files. Additionally, the message body that accompanies the worm tries to trick the reader into believing the attachment has been found "Viruse" free.
-http://www.msnbc.com/news/728077.asp?0dm=C12NT
-http://zdnet.com.com/2100-1105-866811.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69455,00.html

22 March 2002 Image-Based Passwords

Microsoft researchers are developing image-based passwords; users would click on certain points of their choosing in a series of pictures on the screen; the corresponding pixels are converted into a random number.
-http://zdnet.com.com/2100-1104-866544.html
[Editor's (Schultz) Note: The notion of image-based passwords is certainly intriguing, but it is by no means new. Boeing was exploring this technology as early as the late 1980's. Still, if image-based passwords can circumvent the inherent weaknesses in how passwords for Microsoft operating systems are formed, Microsoft would do well to try image-based passwords. ]

21 March 2002 Mueller Mulling Dividing NIPC

FBI Director Robert Mueller is apparently considering splitting the National Infrastructure Protection Center (NIPC) and placing parts of it among different agency divisions. Senator Charles Grassley (R-Iowa) sent Mueller a letter enumerating the reasons the decision would prove detrimental to information sharing.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69370,00.html
-http://www.govexec.com/dailyfed/0302/032102j1.htm
-http://www.cnn.com/2002/TECH/internet/03/21/fbi.cybercrime.ap/index.html

21 March 2002 Lieberman Asks Ridge for Information

Senator Joseph Lieberman (D-Conn.), who chairs the Governmental Affairs Committee, sent a letter to Homeland Security director Tom Ridge asking him questions about federal cybersecurity and critical infrastructure protection.
-http://www.gcn.com/vol1_no1/daily-updates/18229-1.html

21 March 2002 Richard Smith on Outlook 2002 and HTML

Richard Smith has released a list of security concerns he has about Microsoft's Outlook 2002, which focus largely on HTML e-mail.
-http://news.com.com/2100-1023-866307.html

20 March 2002 Apache Flaw on IRIX

Two security holes have been found in versions of Apache server older than 1.3.22 running on SGI IRIX operating system versions 6.5.12, 13 or 14. A split-logfile program flaw could allow crackers complete system access; a flaw in Multiviews could allow attackers to determine the locations of sensitive files on a vulnerable machine. SGI has not released a patch and recommends upgrading to a system newer than 6.5.14, or if that is not possible, disabling Apache.
-http://zdnet.com.com/2100-1105-864599.html

20 March 2002 Microsoft Warns of Another Java Hole

Microsoft has released a security bulletin warning of another Java flaw that could allow Java programs to run outside the "sandbox" or restricted area on computers. The patch issued on March 4th for the earlier Java hole should take care of this problem as well.
-http://www.usatoday.com/life/cyber/tech/2002/03/20/java-security.htm
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69331,00.html

18 & 20 March 2002 NSA Assesses Security Consultants

Seven companies had their information security vulnerability assessment abilities evaluated and rated by the National Security Agency's Infosec Assessment Training and Rating Program (IATRP).
-http://www.gcn.com/vol1_no1/daily-updates/18209-1.html
-http://www.fcw.com/fcw/articles/2002/0318/web-nsa-03-20-02.asp
[Editor's (Paller) Note: The vendors that passed the NSA reviews may be doing excellent assessments, but the NSA program does not measure quality of their assessments or their skills. NSA takes pains to point out that IATRP assessments look only at management processes at the company, not whether the company's employees can audit systems or networks. There is no verification, for example, of whether the consultants can test a firewall configuration for effectiveness, audit a UNIX system to see whether it meets minimum security configuration standards, assess the network architecture for obvious security weaknesses or correct even the top twenty Internet security vulnerabilities. Agencies seeking such assurance are converging on the GIAC certification for system and network auditors (GSNA) as a means of identifying consultants and employees who have the minimum technical knowledge and skills necessary to undertake effective security audits. ]

19 March 2002 Transportation Mulls Smart Cards

The Transportation Security Administration is considering using smart cards for employee authentication; proposals for the system are presently being accepted.
-http://www.gcn.com/vol1_no1/daily-updates/18217-1.html
[Editor's (Murray) Note: While the cost of smart cards is approaching that of early mag-stripe cards, they are still much more expensive here than in Europe. In my mind, the difference is in usage and maturity. I am sure that we will find other form factors that will work; this is the only one that will interoperate with the pervasive mag-stripe technology. ]

18 March 2002 Georgia Tech Server Compromised

A server at Georgia Institute of Technology that held employee reimbursement records, including university credit card numbers, was compromised earlier this month. The intrusion came to light when the webmaster noticed that the server logs had been erased. University officials speculate that the attacker used the server as a repository for large files of some sort that were later removed.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69213,00.html

15, 19 & 21 March 2002 Vulnerability Reporting Standards Draft Withdrawn from IETF

A draft guideline for reporting vulnerabilities, which had been submitted to the Internet Engineering Task Force (IETF), has been withdrawn because the issues it raises are beyond the scope of the technical protocols with which the IETF is normally concerned. Members of the technical standards body were displeased that they had not been asked for input on the document, and also voiced concern that the authors had not solicited enough comments from others.
-http://www.theregister.co.uk/content/55/24482.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO69391,00.html
-http://www.counterpane.com/crypto-gram-0203.html#2
-http://zdnet.com.com/2100-1105-863165.html




Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz