SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #14
April 02, 2002
Forensics and enterprise security management are rapidly emerging as
key fields of security. To help you master these important subjects,
SANS will combine its existing immersion training programs with free,
focused technical conferences on forensics (in Boston at SANSFire 02)
and enterprise security management (in Washington for SANS Washington
02). Each person who registers for one of the training tracks in
Washington or Boston will be able to attend the technical conference
sessions at no extra cost.
In about 15 days, more than 500,000 people will receive conference
guides for Washington and Boston. To ensure you get a seat in the
course of your choice, please register early. (Orlando was sold out.)
SANS Washington DC, May 6-12, http://www.sans.org/CapitolHill
SANSFire, Boston, June 27-July 2: http://www.sans.org/SANSFIRE02
TOP OF THE NEWS
01 April 2002 Cyber Czar Says Security Comfort 3-5 Years Away
25 March 2002 Supplemental Budget Request Includes IT Security Items
29 March 2002 Former Global Crossing Employee Arrested
27 March 2002 Media Player Could Present a New Wave of Attacks
THE REST OF THE WEEK'S NEWS
29 March 2002 Microsoft Releases Patch for Two IE Holes
27 & 28 March 2002 Airports Testing Biometrics
27 March 2002 FBI Must Produce More Carnivore Information
25 & 28 March 2002 Should the Law Consider Good Intentions?
25 & 28 March 2002 Weak Security on eBay Has Users Concerned
25 March 2002 Air Force Network Targeted With Copious Probes
25 March 2002 FrontPage Vulnerability Exploited
25 March 2002 Georgia Tech IT Handled Intrusion Well
25 March 2002 Web Services Security
21 March 2002 Gartner Explains Why Complete Software Security Won't Happen
20 March 2002 Open Source Software Review is Uneven
RECENT TUTORIAL ARTICLES
26 March 2002 Broadband Security
29 March 2002 The Internet A Root Server and Security
15 March 2002 Developing an Incident Response Plan
**************** Sponsored by SurfControl, Inc. **********************
YOUR NETWORK IS CONSTANTLY UNDER ATTACK.
If you could easily stop users from sapping your bandwidth, block
access to personal Web-based email accounts (the main way users
introduce viruses into your network), all w/out being the company
traffic cop, would you?
Then try SuperScout Web Filter FREE:
TOP OF THE NEWS
01 April 2002 Cyber Czar Says Security Comfort 3-5 Years Away
Presidential cybersecurity advisor Dick Clarke says the history of Federal IT security is "a sad one," and worries that Congress may not fully fund computer security efforts.
25 March 2002 Supplemental Budget Request Includes IT Security Items
The White House submitted a supplemental budget request for fiscal 2002 asking for more than $36 million for IT security programs for homeland security. That figure includes $2.5 million for the GSA to establish the Internet Vulnerability Management Office.
29 March 2002 Former Global Crossing Employee Arrested
The FBI arrested Steven Sutcliffe, a former Global Crossing employee, for making threats against company executives on his website. A federal judge dismissed charges connected with Sutcliffe's posting of employee names and social security numbers on the website because he didn't intend to use the data for illegal purposes.
[Editor's (Ranum) Note: This one is really interesting!! He posted social security numbers "not for illegal purposes" and got away with it? What happens when some hacker posts all the social security numbers from some database "not for illegal purposes"? (Schultz) There are some very interesting "truth in disclosure" issues that surround this case. Because of the great potential for loss by individual employees, why did Global Crossing wait so long to inform its employees that their personal information had been compromised? ]
27 March 2002 Media Player Could Present a New Wave of Attacks
Security experts say that Windows Media Player can be exploited to run code disguised as a trusted file in HTML e-mail; the attack also manages to bypass Outlook 2002 security measures.
*********************** Sponsored Links *****************************
(1) Highest availability for Check Point! Download this FREE WHITE PAPER
from Resilience. http://www.sans.org/cgi-bin/sanspromo/NB20
(2) NEW White Paper - Content Inspection in High Capacity Networks
Aladdin & Radware. http://www.sans.org/cgi-bin/sanspromo/NB21
(3) THE Security Solution for Authentication, Administration,
Auditing for UNIX/LINUX http://www.sans.org/cgi-bin/sanspromo/NB22
THE REST OF THE WEEK'S NEWS
29 March 2002 Microsoft Releases Patch for Two IE Holes
Microsoft has released a patch for two "critical" vulnerabilities in Internet Explorer (IE) versions 5.01, 5.5 and 6.0. The first vulnerability could allow a malicious script embedded in a cookie to run in the local zone, potentially altering or deleting files. The second involves object tags and could allow executable files already on the computer to run. The patch is cumulative. Microsoft is still investigating a debugging tool flaw in Windows 2000 and NT that could be exploited to gain a higher level of privilege on the operating system.
27 & 28 March 2002 Airports Testing Biometrics
Several airports are experimenting with biometric identification systems for workers and for passengers. While some experts say the technology will become widespread over the next few years, former FBI agent and now professor of security Harvey Burstein observes that human error will always be a factor in security.
A Gartner analyst says that while biometrics are helpful, they are not likely to be a panacea for airport security.
[Editor's (Murray) Note: Biometrics are what we use in airports now. We compare the individual's visage to a reference on a credential issued by government authority. What is potentially new is the automation of this process. Automation is not nearly as difficult as will be the issuance of a suitable credential for automatic checking. (Schultz) Burstein's statement is particularly applicable here because of the prevalence of human error, but a good deal of the cause of human error is due to poor usability design. I fear that the next generation of two-step authentication technology is going to be rushed out without sufficient attention being paid to human factors. Experiments conducted two years ago at Purdue University show that smart card and biometric authentication is often plagued by the need for users to perform additional, unnecessary, and often difficult actions. ]
27 March 2002 FBI Must Produce More Carnivore Information
A federal judge has ruled that the FBI has 60 days to conduct "a further search" of its records to produce more information on Carnivore and EtherPeek. A prior search, conducted in response to a suit filed by EPIC under the Freedom of Information Act, produced only technical details and overlooked legal and policy references.
25 & 28 March 2002 Should the Law Consider Good Intentions?
A panel at the recent "Information Security in the Age of Terrorism" conference discussed whether or not well-intentioned cyber-intruders should be prosecuted just like other cyber criminals. One of the panelists was Adrian Lamo, the young man responsible for exposing and then helping to fix security problems at major companies. The target of his most recent foray, the New York Times, has not decided how they plan to proceed. While the panelists shied away from condemning actions like Lamo's, they conceded that he sat on his knowledge of the vulnerabilities for too long.
[Editor's (Ranum) Note: Society takes into account good intentions when laws are written. It doesn't need to revisit things that have been decided to be illegal every time someone feels that the law shouldn't apply to them because their motives are superior. ]
25 & 28 March 2002 Weak Security on eBay Has Users Concerned
Some eBay users have had their accounts commandeered by crackers. The online auction site does not have a lockout policy, so dictionary attacks can be used to seek out passwords.
eBay does not use Secure Socket Layers (SSL) by default when transmitting data between users' computers and company servers. One analyst points out that though SSL may not actually add a great deal of security, from the users' perspective, it decreases the perceived security risk.
25 March 2002 Air Force Network Targeted With Copious Probes
A computer network at Wright-Patterson Air Force base detected 125,000 probes in a two-hour period. A public affairs officer confirmed reports that the probes originated outside the US and said that the network was not breached.
25 March 2002 FrontPage Vulnerability Exploited
Using an exploit published by a computer security company, crackers took advantage of a known buffer overflow flaw in IIS's FrontPage Server Extensions to deface three Microsoft websites. A patch for the vulnerability has been available since June of last year.
25 March 2002 Georgia Tech IT Handled Intrusion Well
The IT people at the Georgia Institute of Technology handled a recent intrusion into a business office server proficiently. They limited access to the server as soon as the problem was discovered, held meetings to assess what they knew and, within three days of the incident, contacted everyone affected by the incident.
[Editor's (Murray) Note: An ounce of prevention is worth a pound of cure. ]
25 March 2002 Web Services Security
Draft protocols to address web services security that have been submitted to the World Wide Web Consortium (W3C) include XML encryption and key management.
21 March 2002 Gartner Explains Why Complete Software Security Won't Happen
Gartner analysts say that while open source software may reach a certain level of security more quickly than proprietary software will, neither will ever be completely secure. Businesses should make purchasing decisions based on product security, and should bolster software security with firewalls, vulnerability assessments and other additional security measures.
20 March 2002 Open Source Software Review is Uneven
While open source software is available for users to inspect and alter, Sardonix founder Crispin Cowan says that no one is auditing the software; open source software review is uneven because people tend to examine the more interesting sections of code and ignore the duller ones.
RECENT TUTORIAL ARTICLES
26 March 2002 Broadband Security
Individuals with broadband connections at home lack the security resources of a company with an IT department, but they need to protect their machines from attacks nonetheless. Broadband users should install a firewall and remove unnecessary services and components from all their devices before putting them online. Finally, users need to make sure that their online behavior emphasizes security.
[Editor's (Grefer) Note: Broadband users are urged to employ hardware based solutions, like the LinkSys, NetGear or DLink DSL/Cable-Routers, which typically include NAT and limited firewall capabilities. Using personal firewall software like ZoneAlarm, Tiny, BlackIce, McAfee Personal Firewall or Norton Internet Security will provide an additional layer of defense. ]
29 March 2002 The Internet A Root Server and Security
VeriSign's Network Operations Center, which houses the Internet's A root server and several important domain servers, employs considerable physical security, including cameras and biometric scanners in "mantraps" which are triggered when an unauthorized palm is scanned. Though security is high, a VeriSign VP said that even if the A root server went down, the Internet would not feel a significant impact.
15 March 2002 Developing an Incident Response Plan
It's a good idea to have an incident response plan in place to deal quickly and efficiently with cyber attacks. Among the recommended steps to take: establishing a team, deciding who has the authority to do what, and speaking with law enforcement ahead of time so you know who to call when an incident does occur.
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail firstname.lastname@example.org with the subject:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz