SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #28
July 10, 2002
Good news on two important security projects Oracle Security
Pete Finnegan and a global team of Oracle security wizards just
finished an amazing step-by-step guide for securing Oracle, and we
now need three sites to bench-test the document. If you have a test
system and are willing to test the guide, email firstname.lastname@example.org with
the subject: Oracle Bench Test
The Richter Scale Project For Rating Vulnerabilities
Many system administrators are overwhelmed by the number
of vulnerabilities - finding it difficult to tell which must be
acted upon immediately and which can be put aside to wait for
the next service pack. A new SANS project is providing the needed
information by collating the decisions of a "Security Council" whose
members describe exactly what they did (completely confidentially) to
respond to each of the highest priority vulnerabilities (as collated
by Neohapsis and Tipping Point). We need additional members of this
council. If you are the person who makes the security decision on what
to do for at least 5,000 users, and you want to participate, email
your qualifications to email@example.com with the subject Richter Project.
Today is the last day for the early registration discount
for SANS Beyond Firewalls conference and training program in
TOP OF THE NEWS3 July 2002 Netcraft Survey Says Web Servers More Vulnerable
7 July 2002 Kowbot Virus/Worm Spreading Through Kazaa
3 July 2002 Congressional Action On Cybersecurity Now Focuses on Homeland Security Bill
27 June 2002 White House Boosting Cyber Insurance
THE REST OF THE WEEK'S NEWS7/8 July 2002 Falun Gong Hacks Chinese Satellite TV
7 July 2002 Virus Blocks Access To News Site From Infected Systems
8 July 2002 Attacks on Power Companies Growing
3 July 2002 Microsoft RAS Patch has Flaw; New Patch Issued
3 July 2002 DEA Agent Accused of Selling Law Enforcement Data
2 July 2002 Forensics Tools Not Up To The Task
2 July 2002 Singapore Police Believe They Know Identity of On
2 July 2002 Police Break Up On Line Pornography Ring
1 July 2002 Scarfo Receives Sentence; Keystroke Logging Software Evidence Allowed
1 July 2002 InfraGard Hopes More Businesses Will Share Information
1 July 2002 Security Manager's Journal: Losing Staff
1 July 2002 Add a Variety of Operating Systems to Bolster Security
1 July 2002 Secure Computing Consortium to Frame Standard
******* This Issue Sponsored by VeriSign - The Value Of Trust ********
Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business," and
you'll learn everything you need to know about using 128-bit SSL to
encrypt your e-commerce transactions, secure your corporate intranets
and authenticate your Web sites. 128-bit SSL is serious security for
your online business.
Get it now! http://www.verisign.com/cgi-bin/go.cgi?a=n09440091010057000
TOP OF THE NEWS
3 July 2002 Netcraft Survey Says Web Servers More VulnerableNetcraft says, based upon its survey results, that a greater number of web servers are vulnerable now than ever before. Recently disclosed vulnerabilities in Apache and Microsoft's IIS servers are pervasive within the installed base and, because of lags in installing patches, leave a greater number of systems exposed.
[Editor's Note (Northcutt): Thousands of companies run their businesses on Apache servers, so securing them is critical. The Center for Internet Security has just completed a consensus benchmark on securing Apache. SANS will begin a series of one day hands-on Securing Apache courses in many cities beginning with one in the Washington DC area on August 28, 2002. Data on the course:
(Grefer) Actually the vulnerability is the same as it was before disclosure (the hole was there). The risk of attack has increased. ]
7 July 2002 Kowbot Virus/Worm Spreading Through KazaaA new virus/worm is spreading by masquerading as a popular mp3 media file to trick users into downloading it. It then replicates itself 150 times in the Kazaa shared files directory. Kowbot takes control of the user's computer and is the second worm to attack Kazaa users in the past two months.
3 July 2002 Congressional Action On Cybersecurity Now Focuses on Homeland Security BillBoth the US House of Representatives and the US Senate are reshaping initiatives to fit into the Homeland Security Bill, thereby increasing the chances of passage this year.
27 June 2002 White House Boosting Cyber InsuranceThe White House is establishing a joint public/private working group to identify obstacles that may be preventing insurers from writing more cybersecurity policies.
THE REST OF THE WEEK'S NEWS
1 July 2002 Attacks on Power Companies GrowingPower companies are increasingly being targeted by hackers, according to data gathered by RipTech. FBI spokespersons expressed concern
Editor's Note: The LA Times site requires free registration
[Editor's Note (Denning): It isn't just power companies. Attack activity averaged over all companies during the 6-month period Jan-June 2002 was 28% higher than over the preceding 6-month period (Jul-Dec 2001), leading to a projected annual growth rate of 64%. (Bill Murray's brief analysis of hackers v. terrorists is included at the end of this issue.) ]
7/8 July 2002 Falun Gong Hacks Chinese Satellite TVTV viewers in China saw a banner reading "Falun Gong is good" on their TV screens during prime time. Peoples Republic of China government sources confirmed that the satellite carrying Central Chinese TV's ten stations was hacked, and vowed to fight back.
7 July 2002 Virus Blocks Access To News Site From Infected SystemsThe Gunsan mass-mailing virus deletes files needed by antivirus and firewall products and blocks the infected computer's access to a British technology news service, The Register. It spreads by emailing itself to all email addresses found on the infected machine and comes with a subject of a single blank character and an attachment of test.exe.
3 July 2002 Microsoft RAS Patch has Flaw; New Patch IssuedA security patch released June 12 for a buffer overflow flaw in Microsoft's Remote Access Service (RAS) in Windows NT 4.0, 2000 and XP has a flaw itself that can prevent users from connecting to virtual private networks (VPNs). Microsoft has removed the patch from its Update service and provided a new one.
3 July 2002 DEA Agent Accused of Selling Law Enforcement DataA former US Drug Enforcement Administration (DEA) agent who skipped bail was found in Mexico and sent back to Los Angeles to face a number of charges, including violating the Computer Fraud and Abuse Act. Emilio Calatayud allegedly sold information from three law enforcement databases, including the FBI's National Crime Information Center (NCIC), the California Law Enforcement Telecommunications System (CLETS) and the DEA's Narcotics and Dangerous Drug Information System (NADDIS). The case underscores the problem of law enforcement data being too easily accessible.
[Editor's Note (Ranum): The case underscores the problem that computers, to be useful, must be useful to humans - and humans aren't trustworthy. We must always remember cases like this when we're asked to design security systems: there is no wall so high that money cannot buy the keys to its door. ]
2 July 2002 Forensics Tools Not Up To The TaskFBI special agents and other security experts report that increasing complexity of software and larger numbers of vulnerabilities are too much for many of the rudimentary forensics tools available to cyber defenders.
2 July 2002 Singapore Police Believe They Know Identity of On Line Account Theft CulpritPolice in Singapore have identified the man they believe is responsible for a rash of thefts from on line banking accounts at DBS and POSB banks. The alleged thief stole varying amounts between $200 and $4,999. Police recommend that online banking customers use firewalls and anti-virus software and that they do not access their accounts from public computers. The bank maintains that it was not their security but the security of individuals' computers that was breached.
2 July 2002 Police Break Up On Line Pornography RingLaw enforcement agents from Europol and the UK's National Hi-Tech Crime Unit managed to infiltrate and break up a pedophile ring that was using complex cryptography to send files and proxy servers to hide members' identities.
1 July 2002 Scarfo Receives Sentence; Keystroke Logging Software Evidence AllowedNicodemo Scarfo was sentenced to nearly three years in prison for his role in an illegal gambling (operation). The case is significant because investigators used a surreptitiously installed keystroke-logging device to gather evidence. In December, US District Court Judge Joel Pisano ruled that the evidence was admissible, after which Scarfo admitted to his role in the crime.
1 July 2002 InfraGard Hopes More Businesses Will Share InformationBusinesses are still reluctant to share information about computer attacks and security breaches because they fear the repercussions the negative PR could generate. The FBI is trying to entice them to change their stance on this issue by offering anonymity and information about cyber security. The (offer) comes as part of the FBI's InfraGard program. It is available to companies with "secure" memberships in the program.
1 July 2002 Security Manager's Journal: Losing StaffThe security manager writes about how he plans to manage after losing two members of his security team. He will have to take on more responsibilities himself until replacements are hired and trained, which means he will have to temporarily assign some of his daily tasks to other areas of the company.
1 July 2002 Add a Variety of Operating Systems to Bolster SecurityHomogenous computing environments are more susceptible to virus infections. MIT Police Department information systems manager John Welch says that deploying servers with alternate operating systems throughout networks slows down the spread of viruses.
[Editor's Note (Ranum): Genetic diversity is one defence against viruses. Immunity is another. The wise organism will use both. (Schultz) IT managers will read Welch's comments and cringe. Sure, having different OSs is better for security, but different OSs create all kinds of IT challenges. Security professionals need to be careful about conveying a "security above all else" attitude. ]
1 July 2002 Secure Computing Consortium to Frame Standards for Software DevelopmentThe Sustainable Computing Consortium (SCC) hopes to produce standards and guidelines for software developers to help them create more secure and reliable products. NASA, an SCC member, is regarded as having highly reliable software; the question is how to translate what NASA has done to the industry in general. Other SCC members include Carnegie Mellon University, Microsoft, Oracle and Raytheon.
[Editor's Note (Murray): The Romans used to make the engineers stand under the bridge as the army marched across. Ancient Roman bridges are still in routine use. It is not that we do not know how to do it (build safe software) but that programmers, for a variety of reasons, do not do it. ]
Are hackers the moral equivalent of terrorists? A brief analysis by William Murray
It has been suggested (by the President of the United States, inter alia) that post 911 there is a moral equivalence between hackers and terrorists. That is, they both diminish necessary public trust and confidence. However, for security purposes it is useful to distinguish. For hackers, the network is both the target and the means: for terrorists the application is the target and the network merely the means. The hacker attacks targets of opportunity in a target-rich environment; the terrorist attacks targets of choice. The hackers are attacking instances of ubiquitous operating systems and applications where the necessary special knowledge is essentially public. The terrorist is after applications (where the money and the power are); where the necessary special knowledge is more narrowly held. The hacker succeeds because targets are numerous and most targets are the same. The terrorist succeeds because his cost of attack, while higher than that of the hacker, is very low when compared to the value to him (martyrdom and eternal fame and happiness?) of his success. There is some limit to what hackers will do.
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail firstname.lastname@example.org with the subject:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz