Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #42

October 16, 2002

TOP OF THE NEWS

14 October 2002 NASA's Security Remediation Works
10 October 2002 Proposed Legislation Would Make GISRA Permanent
9 October 2002 Chinese Computers Have High Rate of Virus Infection
8 October 2002 Clarke Pushes for Internet Operations Center
8 October 2002 UCSB Students Not Allowed To Connect Windows 2000 or NT Machines to School Net

THE REST OF THE WEEK'S NEWS

14 October 2002 Schmidt Says Cyber Security Cost is Increasing
11 October 2002 Buffer Overflow Flaw in Outlook Express
11 October 2002 Three New NIST Draft Guides
11 October 2002 U.S. Copyright Office Invites Public Comment on DMCA
11 October 2002 Australian Customs to Pilot Facial Recognition Passport System
8 & 10 October 2002 Carnegie Mellon Gets $35.5 Million Grant for Cyber Security Research
10 October 2002 Henpeck Worm Spreads Via MSN Messenger
10 October 2002 Sustainable Computing Consortium
10 October 2002 Proposed legislation Indemnified Government Contractors
9 October 2002 Microsoft May Offer New Security Products
9 October 2002 Treasury to Start Deploying Smart Cards
9 October 2002 Why PKI is Not Hot
8 October 2002 Trend Micro Will Pay Fines for Late Virus Signatures
7 & 8 October 2002 Bugbear Revives Jdbgmgr.exe Hoax
7 October 2002 Top 20 a Good Remedy for Audits
7 October 2002 OASIS Member Disagreement May Delay Web Services Standard Release
7 October 2002 Budget Increase Not Enough to Properly Address Security, Says Gartner

SECURITY TRAINING NEWS

*SANS Cyber Defense Initiative in San Francisco - Dec. 15-20



*************** This Issue Sponsored by Tripwire, Inc. ****************
ASSURE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER.
Tripwire data integrity assurance solutions pinpoint changes to your
servers and network devices, accelerating discovery and increasing
uptime, making you the hero of your IT organization.
Click here to get a FREE copy of our Security Exploit and Vulnerability
Matrix Poster.
http://www.tripwire.com/literature/poster/index.cfm?djinn=703
***********************************************************************

TOP OF THE NEWS

14 October 2002 NASA's Security Remediation Works

NASA's "scanning and remediation program" has proven successful in addressing cyber security problems at the agency and reducing the number of successful compromises even as attempted compromises surged. Three years ago, NASA identified the 50 top security vulnerabilities on its machines and began scanning for them. NASA challenged its centers to reduce the vulnerability to computer ratio from 1:1 to 1:4; the present ratio is about 1:10. When it reached that goal it went on to a second set of lower priority vulnerabilities and then again to a third set.
-http://www.fcw.com/fcw/articles/2002/1014/mgt-nasa-10-14-02.asp
[Editor's Note (Schultz): Where I work {a major national research lab and university} we've launched an aggressive vulnerability scanning program; the results have been incredible. On the basis of our results, I have no doubt whatsoever that NASA is achieving the success it claims to have achieved. ]
(Paller) NASA was the model that motivated the development of the SANS/FBI Top Ten and Top Twenty Internet Vulnerabilities - giving people all over the Internet the initial set of vulnerabilities to attack. The lessons learned by NASA and the techniques NASA developed, will be taught in a series of evening sessions in the Cyber Defense Initiative conference in San Francisco the 3rd week in December. The program will be open to all delegates at the conference.
-http://www.sans.org/CDI02/]

10 October 2002 Proposed Legislation Would Make GISRA Permanent

Senate bill 3067, introduced last week, would make the Government Information Security Reform Act (GISRA) permanent; under current provisions, GISRA expires on November 22, 2002. GISRA requires that government agencies evaluate the security of their information technology systems and provide reports to the Office of Management and Budget (OMB).
-http://www.gcn.com/vol1_no1/daily-updates/20236-1.html

9 October 2002 Chinese Computers Have High Rate of Virus Infection

The China Daily newspaper reported the results of a survey conducted by the National Computer Virus Emergency Response Center that found that 80% of computers in China are infected with viruses.
-http://www.reuters.com/news_article.jhtml?type=internetnews&StoryID=1557133
-http://www1.chinadaily.com.cn/news/cn/2002-10-10/88972.html

8 October 2002 Clarke Pushes for Internet Operations Center

Richard Clarke is trying to gather support for a public/private Internet operations center which would monitor the Internet for cyber attacks and issue warnings. The center would receive data from 15-20 Internet service providers (ISPs) and router and security companies and would be hosted by a university or national laboratory. The center would not be run by the government, but would receive some federal funding. Clarke hopes to include the creation of the center in the final draft of the Strategy to Secure Cyberspace.
-http://www.govexec.com/dailyfed/1002/100802tdpm1.htm
-http://www.gcn.com/vol1_no1/daily-updates/20223-1.html

8 October 2002 UCSB Students Not Allowed To Connect Windows 2000 or NT Machines to School Net

Students at the University of California at Santa Barbara (UCSB) may not connect their computers to the university network if they are running Windows 2000 or NT; many computers running those operating systems were found to be compromised by malware.
-http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=
JanS.db&command=viewone&id=66&op=t

-http://www.resnet.ucsb.edu/information/win2k.html
[Editor's Note (Paller): Note the words at the second link: "Providing a reliable, high performance network for
[every ]
user is the entire reason we are here. Because of that, we have to consider the overall health of our network when dealing with vulnerable operating systems, virus protection, and network security threats." UCSB's approach, where protection of the community is valued highly, is spreading and will ultimately lead to ISPs taking responsibility for ensuring the people they connect to the Internet do not place others at risk. Bravo UCSB! If you know of other organizations following (or leading) this trend, let us know so we can share their stories, too. ]


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Dorian Software Creations: Automate Event Log
and Syslog Monitoring, Archiving, and Analysis!
http:///www.sans.org/cgi-bin/sanspromo/NB87
(2) 90% of attacks continue to bypass firewalls &
IDS. Prevent it! Visit Top Layer - White Papers
http://www.sans.org/cgi-bin/sanspromo/NB88
(3) FREE WEB SECURITY REPORT FROM STRATUM8 - Protect
Web Applications from all hacks and vulnerabilities.
http://www.sans.org/cgi-bin/sanspromo/NB89
***********************************************************************

THE REST OF THE WEEK'S NEWS

14 October 2002 Schmidt Says Cyber Security Cost is Increasing

White House cyber security advisor Howard Schmidt says, "cyber-related incidents are increasing in number, sophistication, severity and cost," and urges cooperation within and between the public and private sectors.
-http://www.cnn.com/2002/TECH/biztech/10/14/crime.cyberspace.reut/index.html
[Editor's Note (Murray): It is a little early for cooperation. We are having enough difficulty controlling our own domains without worrying about each other. What the private sector expects of government is that it put its own house in order, that it remedy its weak systems that put us all at risk. ]

11 October 2002 Buffer Overflow Flaw in Outlook Express

A buffer overflow in the way Microsoft's Outlook Express versions 5.5 and 6.0 handles messages with MIME components could allow attackers to take control of vulnerable machines; earlier versions may be affected but they are no longer supported. Service Pack 2 for OE 5.5 and Service Pack 1 for IE 6.0 are not vulnerable to the buffer overflow attack. Microsoft has released an alert about the vulnerability and has posted a patch for it on its website.
-http://www.computerworld.com/securitytopics/security/story/0,10801,75067,00.html
-http://news.com.com/2100-1001-961769.html
Alert:
-http://www.microsoft.com/technet/security/bulletin/MS02-058.asp
Patch:
-http://www.microsoft.com/windows/ie/downloads/critical/q328676/default.asp

11 October 2002 Three New NIST Draft Guides

The National Institute of Standards and Technology's Computer Security Division has released three draft guides: Selecting IT Security Products (SP800-36), IT Security Services (SP800-35) and Security Considerations in Federal IT Procurements (SP800-4A). The guides are available on the NIST web site; comments are due by 11 November.
-http://www.fcw.com/fcw/articles/2002/1007/web-nist-10-11-02.asp
-http://csrc.nist.gov/

11 October 2002 U.S. Copyright Office Invites Public Comment on DMCA

The United States Copyright Office is inviting public comment on the Digital Millennium Copyright Act (DMCA), the controversial law that sent Russian programmer Dmitry Sklyarov to jail. The office is looking specifically for instances in which the law's restrictions cause actual problems in the marketplace.
-http://news.com.com/2100-1023-961783.html
-http://www.copyright.gov/1201/fr2002-4.pdf
[Editor's Note (Schultz): It's ironic that no one in the government seems to be asking questions about how this Act can and has been used by security-negligent corporations to hassle people who discover vulnerabilities in their products. ]

11 October 2002 Australian Customs to Pilot Facial Recognition Passport System

The Australian Customs Service (ACS) plans to begin testing a facial recognition passport verification system at Sydney Airport. The ACS will evaluate the system over the next six months, and then decide whether to expand the program to other airports.
-http://www.zdnet.com.au/newstech/security/story/0,2000024985,20269008,00.htm

8 & 10 October 2002 Carnegie Mellon Gets $35.5 Million Grant for Cyber Security Research

Carnegie Mellon University has been awarded a $35.5 million grant over five years for antiterrorist policy and technology development. Research will focus on the availability and security of information and communications infrastructure and secure device and physical access with the use of biometrics.
-http://www.wired.com/news/politics/0,1283,55649,00.html
-http://www.fcw.com/fcw/articles/2002/1007/web-cyber-10-10-02.asp

10 October 2002 Henpeck Worm Spreads Via MSN Messenger

The Henpeck worm spreads through MSN messenger by convincing users to download a file. Once the file is downloaded and executed, the machine is infected and the worm sends instant messages encouraging its spread to everyone on the user's buddy list. The file, which was located on line, has been removed from the web. Infected machines may have backdoors installed, which would allow attackers to use infected computers to launch distributed denial of service attacks.
-http://news.com.com/2100-1001-961693.html

10 October 2002 Sustainable Computing Consortium

In an interview, William Guttman, professor of economics and technology and director of the Sustainable Computing Consortium at Carnegie Mellon University, describes the group's goals of improving software quality and reliability.
-http://zdnet.com.com/2100-1104-961521.html

10 October 2002 Proposed Legislation Indemnified Government Contractors

Senate bill 3076 would indemnify government contractors for liability claims made against products and services sold to the government for the purpose of homeland security.
-http://www.govexec.com/dailyfed/1002/101002td2.htm

9 October 2002 Microsoft May Offer New Security Products

Microsoft chief technical officer Craig Mundie said the company may offer security services at an added cost to users; Steve Ballmer clarified the point, saying Microsoft has no plans to charge customers for security services, but it may release new security products. Mundie also defended his company's position of legal liability for its products, observing that if Microsoft were to assume liability, it would be reflected in increased costs of their products.
-http://news.com.com/2100-1001-961351.html
[Editor's Note (Murray): We are more interested in improvement in the security of the products that we already get from MS than we are in having MS offer security products. ]

9 October 2002 Treasury to Start Deploying Smart Cards

Seven thousand Treasury Department employees will receive smart cards embedded with digital certificates as part of the Federal Bridge Certification Authority, which allows digital certificate interoperability between federal agencies and departments. Other members include NASA, the Defense Department and the National Finance Center.
-http://www.gcn.com/vol1_no1/daily-updates/20232-1.html

9 October 2002 Why PKI is Not Hot

Security experts at the RSA conference discussed reasons why PKI has not taken off as originally expected. It is expensive to implement, and it is not terribly valuable until it is ubiquitous. There are, however, programs in US government that are trying to promote PKI.
-http://zdnet.com.com/2100-1105-961350.html
[Editor's Note (Murray): PKI becomes valuable when one wants to share existing certificates or keys across applications. Most of us hardly have the first application. ]

8, 9 & 10 October 2002 Some Sendmail Distributions Contain Trojan Horses

Someone apparently hacked the Sendmail FTP server so that every tenth download of the open source e-mail service contained a Trojan horse, which installs when the source code is compiled. Users are encouraged to use PGP signatures and checksums to verify the integrity of downloaded software.
-http://www.cert.org/advisories/CA-2002-28.html
-http://news.com.com/2100-1001-961311.html
-http://news.com.com/2100-1001-961469.html
-http://www.theregister.co.uk/content/55/27511.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,74988,0
0.html

[Editor's Note (Shpantzer): Using the signatures and hashes that distribution sites make available is effective, free and takes very little time and effort. Use of this integrity check can help administrators avoid serious headaches, not to mention calls from management for heart-to-heart talks. ]

8 October 2002 Trend Micro Will Pay Fines for Late Virus Signatures

Anti-virus company Trend Micro says it will pay fines of up to $3,000 to its premium customers who submit virus signatures if they haven't issued a virus pattern file within two hours of submission. The Virus Response Service Level Agreement is available to premium customers only; the fines vary based on the level. Present premium support customers will be required to upgrade in order to participate. The program addresses virus detection but not removal, and there are certain types of viruses that are exempt from coverage in the program.
-http://www.computerworld.com/securitytopics/security/story/0,10801,74972,00.html
[Editor's Note (Schultz): Trend Micro's idea here is intriguing in that a major security vendor is coming one step closer to taking responsibility for what it does. I trust that to avoid the "fine," the pattern file will also have to be correct. ]

7 & 8 October 2002 Bugbear Revives Jdbgmgr.exe Hoax

The Bugbear worm, which is the most prevalent worm now in the wild, is beginning to slow its spread across the Internet. However, its presence has brought a resurgence of the Jdbgmrg.exe hoax e-mail. The hoax warns people to delete that file from their computers because it is a virus, when in fact, it's a necessary file. The file appears with a teddy bear icon, which probably leads people to believe it's somehow connected to Bugbear.
-http://www.msnbc.com/news/815117.asp?0dm=C279T
-http://www.smh.com.au/articles/2002/10/08/1033538935349.html
--7 October 2002 Top 20 a Good Remedy for Audits Many security audits produce tomes of data, leaving administrators overwhelmed and uncertain where to begin addressing the multitude of problems. The recently released Top 20 Internet Security Risks list, which is accompanied by a list of tools to address the problems, provides an inroad to security holes. IT would also help if consumers refused to buy IT products that aren't secure.
-http://www.computerworld.com/securitytopics/security/story/0,10801,74856,00.html
[Editor's Note (Paller) I made an error in the interview that formed part of the basis for the Computerworld editorial. I left the word untrained out before "security auditors" - incorrectly implying that all security auditors made the mistake. Many auditors are well trained, know which vulnerabilities matter, and focus their reports on what is feasible and what can do the most good. Separately, several organizations have begun programs of active auditing involving quarterly or monthly testing for the Top 20 across all Internet-connected systems, as a means of enforcing a minimum standard of due care and thereby reducing their exposure to tort liability if their systems are used in attacks on other sites. ]

7 October 2002 OASIS Member Disagreement May Delay Web Services Standard Release

A disagreement between Organization for the Advancement of Structured Information Standards (OASIS) Security Technical Committee members about a proposed web services security specification may stall its release. IBM, Sun Microsystems and other companies feel the standard needs more work, while Microsoft and others think it is fine the way it is.
-http://www.eweek.com/article2/0,3959,590669,00.asp

7 October 2002 Budget Increase Not Enough to Properly Address Security, Says Gartner

The proposed 2003 federal budget includes an increase of 64% in spending on computer security, but much of the money is designated for known problems, according to an announcement from Gartner Inc. This is not adequate to improve government computer system security.
-http://www.infoworld.com/articles/hn/xml/02/10/07/021007hnusbudget.xml?s=IDGNS

SECURITY TRAINING NEWS

*SANS Cyber Defense Initiative in San Francisco - Dec. 15-20

Featuring 8 hands-on SANS immersion training tracks plus SANS@Night featuring action plans for fighting back by implementing a Top Twenty remediation program.. San Francisco is often warmer and less crowded in December than in August. *Advanced security training in fifteen additional cities, plus Local Mentor programs in 25 cities. See:
-http://www.sans.org
for details on these programs

===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer