SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #16
April 17, 2002
A new version of the Router Analysis Tool, running on both UNIX and
Windows, was released yesterday by the Center for Internet Security.
CERT/CC issued a report late last fall saying routers are a new
favorite target of attackers. If you use Cisco routers, it makes
sense to test their security settings using this free program.
(http://www.cisecurity.org and click on the Cisco IOS Router Security
US government agency officials are meeting later this week to begin
discussions on alternative configuration benchmarks that could be
used for site certifications. If your organization uses a benchmark
and testing system that has significantly improved security across
many sites, please let us know the details so we can share that
information with them. Email email@example.com with subject "site
Washington DC's spring computer security training conference is
scheduled for May 6-12. http://www.sans.org/CapitolHill
TOP OF THE NEWS15 April 2002 Microsoft Baseline Security Analyzer Misses The Mark
8/9 April 2002 Microsoft's Baseline Security Analyzer
15 April 2002 Buyers Shifting Security Liability To Software Vendors
11 April 2002 Aphex/Aplore Worm
11 April 2002 Red Hat To Issue Vulnerability Alerts Using CVE
10/11 April 2002 Microsoft Releases Cumulative IIS Patch, Thanks Bug Finders
THE REST OF THE WEEK'S NEWS15 April 2002 British Hacking Losses Put at 10 Billion Pounds ($16B)
15 April 2002 Hungarian Internet Law Amendments Outlaw All Hacking
15 April 2002 Argentine Law Does Not Provide for Prosecuting Hackers, Says Judge
15 April 2002 New Threats Could Slip Past Intrusion Detection Systems
14 April 2002 Hidden Programs on Free Software Could Pose Problems
8/13 April 2002 Companies are Increasingly Monitoring IM
12 April 2002 Tell People How to Erase Data, says JEITA
12 April 2002 Experts Disagree About Insider Threat
11 April 2002 Voice Mail Not So Secure
11 April 2002 Companies Work Together on Web Services Security Specification
RECENT TUTORIAL ARTICLES12 April 2002 The Not-to-Do List
10 April 2002 Buffer Overflow Attacks
******* This Issue Sponsored by PentaSafe Security Technologies *******
"I forgot my password." These are expensive words!
PentaSafe's new VigilEnt User Manager will drastically reduce password
calls to your help desk, make your passwords safer, and save your
company money. See a demo and use our FREE ROI CALCULATOR to find
out how much your company is really spending on manual password resets.
TOP OF THE NEWS
15 April 2002 Microsoft Baseline Security Analyzer Misses The MarkA user-friendly version of HFNetChk, released last week. Has been misdiagnosing various Windows systems - both by ignoring patches and reporting phantom flaws.
8/9 April 2002 Microsoft's Baseline Security AnalyzerMicrosoft has released the Microsoft Baseline Security Analyzer (MBSA), a free, 2.5MB tool that will scan for vulnerabilities and missing patches. MBSA generates a report card for each system scanned and offers instructions for downloading fixes.
15 April 2002 Buyers Shifting Security Liability To Software VendorsIT managers and CIOs are including clauses in contracts that hold software vendors liable for security breaches and cyber attacks connected to their products. It is hoped that the trend will encourage more secure software development.
[Editor's (Paller) Note: A related contracting trend is one in which large buyers require software vendors to deliver their tools configured according to industry standard benchmarks such as those being published by the US National Security Agency (www.nsa.mil) and the Center for Internet Security (www.cisecurity.org) Federal buyers have taken the lead in this new initiative. ]
11 April 2002 Aphex/Aplore WormThe Aphex or Aplore worm spreads through IRC and AIM and uses several methods of infection. It can send itself out via Outlook and recipients must open an attachment for their systems to become infected. It can also send instant messages on its own or replace messages sent by an infected user that may contain a pop-up window; recipients are told they need a browser plug-in and if they click the download button, they become infected.
11 April 2002 Red Hat To Issue Vulnerability Alerts Using CVELinux supplier, Red Hat, announced that it will begin using the Common Vulnerabilities and Exposures (CVE) standards list for future security alerts and advisories. The US Government-funded CVE project provides standardized definitions for security vulnerabilities and exploits.
[Editor's (Paller) Note: This announcement demonstrates security awareness and leadership. Other system vendors may well follow Red Hat's lead. Security vendors, such as ISS and Symantec, already provide CVE references for the vulnerabilities they report. In addition, the new global site security certification process is being based on a consensus list of highest priority vulnerabilities developed using CVE numbers. The complete CVE list with valuable additional reference list is searchable at
10/11 April 2002 Microsoft Releases Cumulative IIS Patch, Thanks Bug FindersMicrosoft has released a cumulative patch for ten security holes in its Internet Information Server (IIS); the company urges people hosting IIS web servers on Windows NT 4.0, Windows 2000 or Windows XP to install the patch. In its bulletin, Microsoft thanks a number of security vendors and others for reporting the security holes; Microsoft also found two of the flaws on its own.
THE REST OF THE WEEK'S NEWS
15 April 2002 British Hacking Losses Put at 10 Billion Pounds ($16B)The UK Department of Trade and Industry (DTI) found that attacks by hackers on firms have more than tripled in the past two years, accounting for 10 billion Pounds in losses. According to the report, half of all businesses were victims of such attacks, compared with a quarter in 2000 and less than one in five in 1998.
15 April 2002 Hungarian Internet Law Amendments Outlaw All HackingAmendments to Hungary's criminal code outlaw all hacking and make no distinction between events which caused damage and those that did not.
15 April 2002 Argentine Law Does Not Provide for Prosecuting Hackers, Says JudgeCalling it a "dangerous legal void," a judge in Argentina has ruled that hacking is legal there because the law covers only people, animals and things, not cyber attacks. The defendants in the case were accused of defacing an Argentine Supreme Court web page. A similar situation in the Philippines led to the release of the purported author of the Love Bug worm two years ago.
15 April 2002 New Threats Could Slip Past Intrusion Detection SystemsSignature-based Intrusion Detection systems (IDSes) could allow new (methods) of attacks to slip past; polymorphic buffer overflows alter or encrypt a known attack's shell code. IDSes need to start incorporating anomaly and behavior-based detection
14 April 2002 Hidden Programs on Free Software Could Pose ProblemsPrograms piggy-backing on free software can take actions ranging from sending users ads to gathering surfing habits to changing Internet settings. Some can make computers crash. They could eventually be used by hackers to take more malicious action.
[Editor's (Paller) Note: This article points out risks in legitimate free programs. An even more dangerous related risk is posed by the screen savers, fake pictures and music, and bogus security patch alerts created as malicious software. Unsuspecting users receive spam instant messages or spam email or visit web sites telling them to take advantage of a free download. When they execute the downloaded program, their systems are immediately infected. See April 11 Aphex Worm story for a current example. ]
8/13 April 2002 Companies are Increasingly Monitoring IMInstant Messaging (IM) use in businesses more than doubled between September 2000 and September 2001. Some companies have become concerned about sensitive data leaking out and employees wasting company time, and they have begun to monitor such communications, raising questions about employee privacy.
12 April 2002 Tell People How to Erase Data, says JEITAThe Japan Electronics and Information Technology Industries Association (JEITA) has warned that data from hard disks on scrapped or donated PCs can be retrieved even if the disk has been reformatted. The organization urges PC makers to give their customers information on erasing data from the disks. Under Japanese law, corporate PCs must be recycled, and the government is considering legislation requiring consumers to recycle their PCs as well.
12 April 2002 Experts Disagree About Insider ThreatWhile some experts say the threat of externally launched cyber attacks is more serious than that of internal threats, others disagree. NIPC's Robert Wright points out that people have internal access through contracts or partnerships, and that new technology can make insider attacks harder to detect.
the insider threat is worse. So many external attacks are "ankle biter" attacks, and insiders are in a much better position to do things that can cripple an organization. At the same time, however, to say that insider attacks outnumber external attacks is downright wrong. It is amazing how many people who claim that insider attacks outnumber external attacks have never looked at their organization's firewall logs to see just how many external attacks there are. ]
11 April 2002 Voice Mail Not So SecureVoice mail systems are often not very secure, as is evidenced by the recent leak of a message left by Hewlett Packard Chairwoman and CEO Carly Fiorina for CFO Robert Wayman.
11 April 2002 Companies Work Together on Web Services Security SpecificationMicrosoft, IBM and VeriSign together have published WS-Security, a security specification for web services.
10 April 2002 Textron Hacker Sentenced to Sixteen MonthsArmen Oganesyan was sentenced to sixteen months in jail and fined $10,000 for hacking into Textron's computer systems and shutting them down for a day in March 2000. Oganesyan had lost his job a month earlier.
10 April 2002 DoD Policy Discourages Hiring Non-CitizensA recent Washington Post report indicated that a new Department of Defense (DoD) policy would require IT companies with DoD contracts to hire only US citizens on unclassified projects. Security companies are concerned that they would lose valuable expertise and that hiring inexperienced people could lead to poorly written code. DoD deputy director of personnel said it does not intend to forbid the hiring of visa workers and that everyone would be subject to strict security checks.
Washington Post story:
10 April 2002 Baylor Implements Security for Handheld BlackberriesSecurity technology used at Baylor Health Care System in Dallas allows users of handheld Blackberries to be locked out if the device is unused for a set period of time. The technology can also set passwords and erase data remotely.
8 April 2002 Security Manager's Journal: Forensic InvestigationAfter learning that someone may have copied some of his company's source code, the security manager decides to outsource the forensic investigation.
8 April 2002 What Would Make Trustworthy Computing Initiative Work?Frank Hayes isn't impressed with Microsoft's Trustworthy Computing Initiative, pointing out that the company criticized Georgi Guninski for disclosing a pair of security holes when they themselves had created the problems. He suggests that if Microsoft wants to make good on its security position, it should address vulnerabilities quickly and search out security holes itself.
[Editor's (Murray) Note: Guninski's fame, not to say notoriety, is the result of his not cooperating with MS. If he cooperated with MS he might have no public identity at all. ]
5 April 2002 Webster Commission Report Says Security Seen as Inconvenient at FBIThe Webster Commission report reveals that FBI agents view security as a hindrance to operations and "an impediment to career advancement." The report suggests that the FBI foster security professionals within the agency, and recommends restricting employee access to documents and computers that contain sensitive data.
[Editor's (Murray) Note: Convenience is one of the costs of security; that is fundamental and cannot be helped. That security is not good for one's career is not fundamental and can be helped. The other interesting observation in the report was that IT in the Bureau is ten years behind the state of the practice. Intelligence and forensics must be ahead of the curve, not behind. Imagine trying to do either without current tools. The bureau is unable to appreciate tools that they have never had the chance to use. ]
RECENT TUTORIAL ARTICLES
12 April 2002 The Not-to-Do ListA list of 21 things you can do to invite cyber attacks includes not updating virus signatures, not patching software and not educating employees about security practices.
10 April 2002 Buffer Overflow AttacksSoftware developers can address buffer overflows by writing software that automatically checks the size of the data going in to buffers, though the checking process could slow the software's performance. This article also offers a description of how buffer overflow vulnerabilities work.
[Editors' (multiple) note: Could the fact that college programming texts and courses do not teach these truths be considered malpractice? ]
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail firstname.lastname@example.org with the subject:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz