SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #15
April 10, 2002
TOP OF THE NEWS
8 April 2002 Cyber Attacks Are Up But Not Reported
5 April 2002 LANL Security Improvements
3 April 2002 Cyber Crime Conviction Overturned
2 & 3 April 2002 Judge Denies Dismissal Motion in DMCA Case
THE REST OF THE WEEK'S NEWS
4 April 2002 NIST Releases Two More Draft Guides
4 April 2002 Sentencing Study Examines Cyber Crime Motives
3 April 2002 eBay Fixes One Security Hole, Still Working on Another
3 April 2002 Expiration Dates for Open Source Software
3 April 2002 Pirates' Software Supplier Pleads Guilty
3 April 2002 Office XP Flaws
2 & 3 April 2002 Brilliant Network Software Bundled with Kazaa
2 April 2002 Cyber Insurance Market is Thriving
2 April 2002 Some Government Sites are Leaking Information
1 April 2002 Proactive Antivirus Software
1 April 2002 What Makes A Great CIO
1 April 2002 Survey Says Only Half of Businesses Have Continuity Plans
1 April 2002 CVE Dictionary Expands to More than 2,000 Items
1 April 2002 Some Sites Still Using Flawed Shopping Cart Software
1 April 2002 Protecting Company Information on the Internet
************************ SPONSORED BY NetIQ **************************
FREE - SANS Top Trends in Security Management
What's the hottest trend shaping security this year? Read the FREE
SANS report co-distributed by NetIQ to find out what top industry
experts had to say about security management in 2002.
Don't get left behind--download the must-have report today!
TOP OF THE NEWS
8 April 2002 Cyber Attacks Are Up But Not Reported
An FBI survey indicates that most businesses have been victims of cyber attacks, but few have chosen to contact law enforcement officials, largely because they feared bad PR.
[Editor's (Ranum) Note: I wonder whether they feared bad PR or whether they simply expect that nothing would come of getting law enforcement involved. (Schultz) I am sure that, as stated in this news item, organizations avoid contacting the FBI after incidents occur because they are afraid of negative PR. But that is not the only reason. Despite good efforts on its part, the FBI has not really established the level of trust and rapport with industry to make turning to the FBI a viable alternative. ]
5 April 2002 LANL Security Improvements
Los Alamos National Laboratories has taken measures to improve security without impeding employee productivity. Employees use tokens that require them to memorize only one PIN; computer peripherals have been moved to a secure vault; and employees have been educated about Internet security.
3 April 2002 Cyber Crime Conviction Overturned
A computer technician who was convicted of sending his employer a computer virus has had that conviction overturned because the jury found the damages to be less than $5,000, the minimum required for such a charge.
[Editor's (Schultz) Note: This outcome illustrates more flaws in U.S. computer crime legislation. ]
2 & 3 April 2002 Judge Denies Dismissal Motion in DMCA Case
A lawyer for Russian software firm ElcomSoft argued that the US does not have jurisdiction in the case because the transactions took place over the Internet; the judge disagreed and denied the motion to dismiss. Two other motions to dismiss maintain that the Digital Millennium Copyright Act (DMCA) is "too broad and vague" and that the charges against the firm are likely to be unconstitutional.
THE REST OF THE WEEK'S NEWS
4 April 2002 NIST Releases Two More Draft Guides
The National Institute of Standards and Technology (NIST) has released two draft guides: one on securely configuring e-mail servers and another outlining a systematic process for handling software patches. Comments on the first draft guide are due by April 30; comments on the second are due by May 2.
4 April 2002 Sentencing Study Examines Cyber Crime Motives
A member of the United States Sentencing Commission is conducting a study that could produce new sentencing guidelines for computer criminals. The USA Patriot Act lumps all cyber criminals together, but the results of the study could provide for lesser sentences for some, depending on their motives. Jennifer Granick, litigation director at the Stanford Center for Internet and Society, is skeptical that the minimum sentences will be reduced.
3 April 2002 eBay Fixes One Security Hole, Still Working on Another
On-line auction company eBay has fixed a security hole in a password-changing function that could have allowed unauthorized people to gain access to others' accounts. The company is also working on a fix for a dictionary attack vulnerability.
3 April 2002 Expiration Dates for Open Source Software
Jon Lasser proposes building expiration dates into open source networking and security software to ensure that people are running more secure and interoperable versions.
[Editor's (Ranum) Note: If a new vulnerability comes out you need to be able to expire a version of software right now - in order to make that work, it's just a small incremental cost (I'm not saying this is an easy problem, though!) to simply make the software update itself with a newer version in near-real time. (Grefer) Any such immediate expiration functionality can and will also be targeted as an additional attack vector. ]
3 April 2002 Pirates' Software Supplier Pleads Guilty
Nathan Hunt, who supplied software to an international piracy group, pleaded guilty to one count of conspiracy to commit copyright infringement; he could receive a sentence of up to five years in prison and a fine of $250,000.
3 April 2002 Office XP Flaws
Georgi Guninski has found two security holes in Microsoft's Office XP. The first hole, in Outlook XP, could allow active content to be embedded in e-mail, which could forcibly direct a user to a specific web page. The other hole, in Office XP's spreadsheet, could be used to put certain files in the start-up directory and, when used in conjunction with the first hole, could be exploited to take control of the affected machine.
2 & 3 April 2002 Brilliant Network Software Bundled with Kazaa
Brilliant Digital Entertainment has been sending out software bundled with Kazaa file-trading software; Brilliant's goal is to create a giant network for content distribution or distributed computing projects, but the company CEO says no computer would be used without its owner's permission.
How to uninstall the Brilliant Software:
2 April 2002 Cyber Insurance Market is Thriving
Revenues from cyber insurance purchases reached almost $100 million in 2001. Businesses are purchasing the policies because traditional business coverage policies are being written to exclude the threats posed by digital vectors of attack. Some experts say the insurance industry could begin to mandate security practices and products.
[Editor's (Paller) Note: The estimates of industry growth information in this article are far greater than estimates SANS has received from insurance industry insiders. One potential explanation is that marketing people in the insurance industry are renaming policies they already had in place (and are renewing), and calling them cyber insurance policies. Reinsurance industry executives tell us that there is a critical problem in the application of the insurance model to cyber crimes - leading to policy language that excludes many of the more important threats. ]
2 April 2002 Some Government Sites are Leaking Information
A French security group says that several US government web sites running on Domino servers have allowed access to internal documents. A spokesman for the Federal Judicial Center, which runs one of the affected web sites, says no sensitive data were exposed.
1 April 2002 Proactive Antivirus Software
New software from Network Associates looks for holes that worms are likely to exploit so they can be fixed before an infestation.
[Editor's (Grefer) Note: Interesting how they are trying to sell a pair of old shoes (with holes in them) as brand new sandals. Vulnerability scanners have been around for quite a while, as have a multitude of utilities to check current patch levels. ]
1 April 2002 What Makes A Great CIO
Tips for becoming a top-notch CIO include advice in such areas as communication, vision, security sense and best practices. Also included are examples of excellence among government CIOs and deputy CIOs.
1 April 2002 Survey Says Only Half of Businesses Have Continuity Plans
A survey conducted by Ernst and Young two months after the September 11th attacks revealed that only about half of the companies polled had business continuity plans in place; even fewer had awareness and training programs established. While some security experts say two months is enough time to get a plan in place, others maintain the process requires more time. The article includes a list of questions to ask about your business and security.
1 April 2002 CVE Dictionary Expands to More than 2,000 Items
The Common Vulnerabilities and Exposures (CVE) lexicon, which began in 1999 with 321 entries, now contains 2,032 standardized descriptions of security holes. Nearly 2,000 additional entries are currently under review.
1 April 2002 Some Sites Still Using Flawed Shopping Cart Software
Two web sites are still running unpatched versions of PDG shopping cart software that exposes customer credit card details on the web. The security hole was discovered nearly a year ago, and PDG contacted its customers by phone and e-mail to inform them about the problem and tell them how to fix it.
1 April 2002 Protecting Company Information on the Internet
Companies may be surprised at how much of their intellectual property is available on the Internet. Companies would be well advised to see who is linking to their web site and not to put too much information in their job postings.
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail firstname.lastname@example.org with the subject:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz