Last Chance: MacBook Air, Dell XPS 13 or $600 off with SANS Online Training Ends December 7

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #44

October 30, 2002

TOP OF THE NEWS

28 October 2002 Government, ICANN Considering DDoS Protections
23 October 2002 There Were Two Attacks on the Internet
22, 23 & 28 October 2002 Internet DDoS Attack
28 October 2002 Reuters Charged with Hacking

THE REST OF THE WEEK'S NEWS

28 October 2002 Kournikova Virus Writer Loses Appeal In Dutch Court
25 October 2002 Visa is Testing Voice Authentication Technology
25 October 2002 NIST System Certification and Accreditation Program
25 October 2002 Professional Certifications Outpace Skills for Bonuses
24 & 25 October 2002 CERT/CC Warns of Kerberos Vulnerability
24 October 2002 Will NIST's Dept. of Computer Security be Part of DHS?
24 October 2002 Poll Shows Mixed Reviews of Microsoft's Move Toward Trustworthy Computing
24 October 2002 NTT DoCoMo Site Intrusion
24 October 2002 Brookings Study: Good Security Will Require More than Market Forces
24 October 2002 A Palm Like an Open Book
24 October 2002 Canadian Inmates Pose Cyber Risk
23 October 2002 Bugbear Bites Australian Government Again
23 October 2002 Berman's Hack Back Bill Likely Candidate for Revision
28 October 2002 Root DDoS Attack May Have Been Info Gathering Probe
22 October 2002 Defacements Increasing
22 October 2002 Customs Wants to Build Secure Network
21 October 2002 Support Growing for Security Regulations
21 October 2002 NASA's Vulnerability Reduction Program Works
18 October 2002 NIST Draft: Recommendation for Block Cipher Modes of Operation

SECURITY TRAINING NEWS

*SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20
*Twelve new Local Mentor Programs start in the next few weeks.



************ This Issue Sponsored by Qualys, Inc. ********************
ZAP Top 20 security vulnerabilities - FREE Network Security Scan!
Get INSTANT control of your network security. FREE Web service
automatically finds exposure to Top 20 threats identified by
SANS/FBI. Scan your network today -- in just minutes learn if your
network is susceptible to attack. Why wait for trouble?
Click NOW to get started:
https://sans20.qualys.com/index.php?lsid=231
***********************************************************************

TOP OF THE NEWS

28 October 2002 Government, ICANN Considering DDoS Protections

The government and the Internet Corporation for Assigned Names and Numbers (ICANN), an Internet governing body, are trying to figure out what to do to protect the domain name system (DNS) from further distributed denial of service (DDoS) attacks like the one launched last week. They are likely to take steps to require that packets with forged return addresses be blocked. It is also likely the root-name server operators will add more servers. Large buyers may be encouraged to do business only with ISPs that have DDoS protection in place.
-http://www.eweek.com/article2/0,3959,651686,00.asp

23 October 2002 There Were Two Attacks on the Internet

According to officials at Verisign, a second large distributed denial of service (DDoS) attack occurred just hours after the attack on the Internet's root name servers, this time targeting the domain name servers such as dot-com, dot-biz and dot-info, and country code domains such as Great Britain's dot-uk and Canada's dot-ca.
-http://www.washingtonpost.com/wp-dyn/articles/A6894-2002Oct23.html

22, 23 & 28 October 2002 Internet DDoS Attack

White House spokesman Ari Fleischer said it is still unknown who is responsible for the attack. The attacks were not sophisticated, and there was no serious degradation of service; though all 13 servers were targeted, at least 4 kept running uninterrupted. Experts have expressed concern that this attack could be a precursor to a larger, more serious one. The FBI's National Infrastructure Protection Center (NIPC) and cybercrime division agents are investigating.
-http://www.idg.net/go.cgi?id=755556
-http://www.msnbc.com/news/824620.asp?0dm=B259T
-http://news.com.com/2100-1001-963095.html
-http://www.cnn.com/2002/TECH/internet/10/23/net.attack/index.html

28 October 2002 Reuters Charged with Hacking

Swedish IT company Intentia plans to file criminal charges against Reuters; it alleges the news agency broke into its computers to obtain company information. An internal investigation brought to light the fact than an intrusion into company computers came from an IP address belonging to Reuters, which published the disappointing figures ahead of their official release. Several other Scandinavian companies claim Reuters published their figures ahead of schedule as well.
-http://www.theregister.co.uk/content/6/27816.html
-http://salon.com/tech/wire/2002/10/28/reuters/index.html
[Editor's Note: (Shpantzer) Intentia, the company whose information was published by Reuters, says that the information was on the web server but could not be accessed "through normal channels." It appears that Reuters used very basic URL guessing as a method to obtain the information that was on the webserver, as it was not immediately available to the casual surfer on the website via hyperlink. Intentia is looking to the Swedish court system to create a precedent stating that these methods are explicitly illegal. This story got me curious so I did a little looking around in the news room of the Intentia website, and found the following URLs: This was the URL for their first quarter results.
-http://www.intentia.com/w2000.nsf/(files)/Intentia_02_Q1_US.pdf/$FILE/Intentia_0
2_Q1_US.pdf

This was the URL for their second quarter results:
-http://www.intentia.com/w2000.nsf/(files)/Intentia_02_Q2_us.pdf/$FILE/Intentia_0
2_Q2_us.pdf

And this is the URL for their third quarter results, published by Reuters in the alleged hack:
-http://www.intentia.com/w2000.nsf/(files)/Intentia_02_Q3_us.pdf/$FILE/Intentia_0
2_Q3_us.pdf

1, 2, 3, 4, Intentia declares a legal war. Let's hope they don't put the unpublished fourth quarter results on the web site with a Q4 replacing Q3 in the URL name. ]


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) DITCH DETECTION. THINK PREVENTION. Neutralize unknown threats
outside the firewall. FREE paper.
http://www.sans.org/cgi-bin/sanspromo/NB93
(2) ALERT! "Outsmart Web Application Attackers"- FREE 15-day WebInspect
Download http://www.sans.org/cgi-bin/sanspromo/NB94
(3) ARE SECURITY CERTIFICATIONS WORTH THE MONEY? Free Certifications &
Skills Pay Trend Report: http://www.sans.org/cgi-bin/sanspromo/NB95
***********************************************************************

THE REST OF THE WEEK'S NEWS

28 October 2002 Kournikova Virus Writer Loses Appeal In Dutch Court

Dutch judges meted out a sentence of 150 hours of community service to the author of the Kourmikova virus. They didn't believe the offender's claim that he didn't know (1) what he was doing or (2) that releasing viruses would be damaging. He had over 7,000 virus specimens on his computer and worked in a computer store.
-http://idg.net/ic_960118_1794_9-10000.html

25 October 2002 Visa is Testing Voice Authentication Technology

Visa International, Inc. has begun using voice authentication technology internally to allow employees to reset their passwords; the technology could eventually be used for on line purchase verification.
-http://www.computerworld.com/databasetopics/data/story/0,10801,75392,00.html
[Editor's Note (Murray): If one goes to the trouble to enroll one's users for a biometric, one ought to use it routinely as part of a strong authentication scheme. To use it to manage passwords is absurd; i.e., use a weak authenticator to manage an even weaker one. Replacing passwords with strong authentication has been the biggest agenda item for a generation ]

25 October 2002 NIST System Certification and Accreditation Program

As part of its System Certification and Accreditation Project, the National Institute of Standards and Technology (NIST) has posted Special Publication 800-37, proposed guidelines for performing security checkups. Guidelines for minimum security requirements for federal online systems (800-53) and techniques for determining systems' security levels (800-53A) will follow over the next few months.
-http://www.gcn.com/vol1_no1/daily-updates/20332-1.html
Download the draft:
-http://csrc.nist.gov/sec-cert/
[Editor's Note (Northcutt): Security accreditation is not the hottest topic, but if you are a U.S. government worker, or do work with the government, I strongly advise you to take a look at this document and to send in your comments. My preference is rapid assessment and remediation and specific checklists over fluffy process, but Ron Ross and Marianne Swanson and their team have created a solid first cut that does not appear to be so paperwork heavy it dies of its own weight, a la DITSCAP. One of the interesting components is the "type accreditation" in which you harden an OS to a certain level and this serves as an initial or "interim" accreditation for a number of different environments. Obviously, this could be abused, but it could also be a powerful tool to encourage broad-based adoption of standards. ]

24 & 25 October 2002 CERT/CC Warns of Kerberos Vulnerability

The Computer Emergency Response Team Coordination Center (CERT/CC) has issued an advisory warning of a buffer overflow vulnerability in Kerberos Administration Daemon. The flaw could be exploited to obtain root privileges on vulnerable systems. Patches and upgrades are available to address the problem. Affected systems include MIT Kerberos version 4 and version 5 through krb5-1.2.6, KTH eBones versions earlier than 1.2.1 and KTH Heimdal earlier than 0.5.1.
-http://www.cert.org/advisories/CA-2002-29.html
-http://zdnet.com.com/2100-1105-963250.html
-http://www.theregister.co.uk/content/55/27791.html

24 October 2002 Will NIST's Computer Security Division be Part of DHS?

Commerce Department Deputy Secretary Samuel Bodman said the National Institute of Standards and Technology's (NIST's) Computer Security Division should be transferred to the new Department of Homeland Security. A bill that recently passed the House (H.R. 5005) would block the transfer. The Business Software Alliance (BSA) feels the move is unnecessary.
-http://207.27.3.29/dailyfed/1002/102402td1.htm
[Editor's Note (Paller): Deputy Secretary Bodman is probably right. The computer security group at NIST has done a lot of good, but they could have made a huge difference in the security of federal systems and commercial systems had they been given substantial financial and management support. Lacking such support at NIST, they risk being made irrelevant unless they get some of the authority and money that will accompany the new Department of Homeland Security. Quiz question: Why would groups representing marketing interests in companies that sell software, argue against including NIST's security responsibilities in a new Department where NIST's excellent technical security staff could establish security standards for software sold to the government and be a force in helping agencies use the standards in their procurements? ]

24 October 2002 Poll Shows Mixed Reviews of Microsoft's Move Toward Trustworthy Computing

An InternetWeek reader poll with 213 respondents found that 50% feel Microsoft has made little or no progress toward Trustworthy Computing, while 37% feel the company has made some or great progress; the rest feel things are the same as they were before the initiative was announced. The article includes reader comments.
-http://www.internetwk.com/security02/INW20021024S0004
[Editor's Note (Murray): By expecting results in six months InternetWeek editors demonstrate a lack of understanding of the problem. Much of it is related to MS's need to maintain backward compatibility to popular applications. Much of the problem is related to very old code; it will not be identified or fixed overnight. (Paller): Though users are still feeling the pain of two decades of security neglect by Microsoft, it is time for all other software developers to step up and be measured against Microsoft's security initiatives. Those who build Linux and Solaris and other operating systems, those who build Oracle and DB2 and other databases and those who build client software and applications (the two newest targets of attackers) should report publicly the percent of all their software developers who have taken and passed secure programming courses, the depth of automated and manual security testing done on every line of code they deliver, the automated systems they offer to update users' systems automatically to fix critical security flaws, and the degree to which their installed base of is being protected rather than being forced to upgrade. Microsoft has a long way to go, but the other vendors may be even further behind. ]

24 October 2002 NTT DoCoMo Site Intrusion

A cracker broke into NTT DoCoMo's web site and altered a web page that lets customers modify contractual terms with the Japanese mobile phone services company; the page was made inaccessible. No individual customer data was altered; the company says it will enhance its site security.
-http://www.wirelessweek.com/index.asp?layout=story&articleId=NEk1023100.401&
amp;verticalID=360&vertical=Applications

24 October 2002 Brookings Study: Good Security Will Require More than Market Forces

A study from the Brookings Institution, "Interdependent Security: Implications for Homeland Security Policy and Other Areas" argues that market forces alone do not provide adequate incentive for businesses to implement strong security measures. Companies do not often see security as providing a good return on investment, and when leading companies don't spend the money on security, others don't either. The study recommends regulations, insurance and third-party inspections to help boost security to appropriate levels.
-http://www.computerworld.com/securitytopics/security/story/0,10801,75347,00.html
[Editor's Note (Murray): There are only the market and coercion; those who argue that one will not work are arguing for the other. Be careful what you ask for; you might get it. (Paller) A balance between market forces and coercion is having extraordinary impact: Buyers combine their technology purchasing power to force suppliers to deliver safer systems. The federal government is the leader in this, but hundreds of organizations have joined forces in the Center for Internet Security (www.cisecurity.org) to establish standards for safer software, and they are beginning to order software configured safely on delivery. Some buyers are forcing software suppliers to take full economic responsibility for security breaches caused by flaws in their software. Market forces improve security when buyers unite. ]

24 October 2002 A Palm Like an Open Book

The ubiquity of personal digital assistants (PDAs) has helped law enforcement agents gather evidence and successfully prosecute crimes ranging from identity theft to corporate espionage to murder. The convenience of having so much data in one place eliminates the need for dumpster diving and other more tedious forms of evidence gathering, and PDAs are rarely encrypted or even password protected.
-http://www.nytimes.com/2002/10/24/technology/circuits/24palm.html
(Please note: this site requires free registration)
[Editor's Note (Shpantzer): I spoke today with Amber Schroader, from Paraben Software, who is quoted in this article. She says that the current breed of PDA passwords typically crack within minutes, including the encryption built into the word processing, spreadsheet and zip applications for the PDAs. The more complex and lengthy passwords take up to two weeks. The few cases in which forensics personnel are not able to get the plaintext data are caused by a strong third party encryption program installed on the device. ]

24 October 2002 Canadian Inmates Pose Cyber Risk

An internal report from Canada's Correctional Service (CSC) warns that inmates with computers could spread viruses or break into the CSC's network. Though the report strongly urges that inmates be allowed to use only prison-issue PCs, inmates who already have their own computers have been allowed to keep them. During the last five years, there have been more than 600 security incidents involving inmates' computers; the machines have also been used to plot escapes and create false IDs.
-http://www.theregister.co.uk/content/6/27770.html
[Editor's Note (Northcutt): Heavy sigh. You would think 600 security incidents would be enough to discover something is amiss. ]

23 October 2002 Bugbear Bites Australian Government Again

Australia's Parliament House in Canberra was hit with a second round of the Bugbear virus, prompting the Department of Parliamentary Reporting to ask everyone in the building to turn off printers. The October 3rd infection made some printers print pages and pages of gibberish.
-http://news.zdnet.co.uk/story/0,,t269-s2124317,00.html
-http://australianit.news.com.au/articles/0,7204,5344158^15331^^nbv^15306-15319,0
0.html

--23 October 2002 Berman's Hack Back Bill Likely Candidate for Revision The P2P Piracy Prevention Act, widely criticized for its vague language allowing copyright holders to hack back with impunity at suspected digital pirates, will likely be revised to eliminate those problems, according to an aide to bill author Representative Howard Berman (D-Calif.).
-http://news.com.com/2100-1023-963087.html

28 October 2002 Root DDoS Attack May Have Been Info Gathering Probe

Several security pundits believe that last week's distributed denial of service (DDoS) attack on the 13 Internet root servers was a probe to gather information prior to an attack of much greater magnitude. Ed Skoudis says it is possible that the Internet will be brought down within the next few years, but compared it to a snow day rather than an event with dire physical consequences.
-http://www.msnbc.com/news/827209.asp?0dm=C21AT

22 October 2002 Defacements Increasing

Roberto Preatoni, the owner of Zone-H.org, a web site that tracks defacements, says web vandalism is on the rise; the number of defacement notices he receives daily has jumped from about 40 last year to 500 this year. Preatoni warns that while defacements are largely vandalism, some of the attacks may give crackers root access.
-http://www.internetnews.com/dev-news/article.php/1485601

22 October 2002 Customs Wants to Build Secure Network

The U.S. Customs Service is expected to issue a draft request for proposal (RFP) for building a classified network for law enforcement data; the RFP will be available only to vendors with top-secret facility security clearance and personnel with valid security clearances.
-http://www.fcw.com/fcw/articles/2002/1021/web-customs-10-22-02.asp

21 October 2002 Support Growing for Security Regulations

During a meeting at MIT, Critical Infrastructure Protection Board chairman Richard Clarke heard from academics, business people and security experts about the necessity for some method to hold software vendors accountable for product security. Though Clarke would prefer to allow market pressure to take care of accountability, there is a cry for regulations or a certification body to ensure the software security.
-http://www.eweek.com/article2/0,3959,642940,00.asp
[Editor's Note (Murray): I will start to give credence to such orchestrated whining on the same day I see any preference in the market place for secure operating systems over popular ones. Bad software is a fact of life; get used to it. ]

21 October 2002 NASA's Vulnerability Reduction Program Works

NASA began its Vulnerability Reduction Program in 1999 when it became clear that the agency's 80,000 computers were plagued by the same security holes again and again. NASA made a list of the top 50 vulnerabilities, bought vulnerability scanning software and began challenging each of its centers to gradually reduce the ratio of vulnerabilities to computers. Each quarter the list is revised; NASA has seen a marked decline in successful attacks against its systems since the program has been implemented. Its success inspired the SANS Top 10 and 20 lists.
-http://www.gcn.com/21_31/news/20283-1.html
[Editor's Note: This article provides details on NASA's efforts that were not included in articles we covered last week. ]

18 October 2002 NIST Draft: Recommendation for Block Cipher Modes of Operation

NIST has recently developed the Draft Special Publication 800-38B, "Recommendation for Block Cipher Modes of Operation: the RMAC Authentication Mode." Public comments are welcome through December 2, 2002.
-http://csrc.nist.gov/publications/drafts.html

SECURITY TRAINING NEWS

*SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20

features the eight highest rated teachers in the security field. If you can attend only one conference this winter, try to get a place in the courses in San Francisco. Also features a free, evening step-by-step program for implementing a Top 20 vulnerability remediation program. San Francisco is often warmer and less crowded in December than in August.

*Twelve new Local Mentor Programs start in the next few weeks.

Combine online program with live training/practice sessions. Offers the most cost-effective local training for both CISSP and GSEC Certifications. Also included: free updated Internet Threat Briefing. *See:
-http://www.sans.org
for details on San Francisco, Local Mentor and other programs.


===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.