SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #46
November 13, 2002
TOP OF THE NEWS
11 November 2002 CA Law Requires Reporting of Certain Security Breaches
5 & 8 November 2002 Breeders' Cup Investigation Continues
12 November 2002 One Week Left For National Cyber Security Strategy Comments [Please Add Your Voice]
4 November 2002 Financial Sector Cyber Incidents Often Go Unreported
THE REST OF THE WEEK'S NEWS
14 November 2002 Cybersec Funding Bill Goes to the President
3 November 2002 National Cyber Forensics and Training Alliance
11 November 2002 Optical Antenna Improves Wireless Security
11 November 2002 US Military Site Hacker to be Indicted
11 November 2002 Some Interior Systems Still Disconnected
8 & 11 November 2002 Kaspersky Labs Mailing List Hit with Infected Virus Warning
8 November 2002 Symantec Releases Patch for e-Mail Deletion Flaw
8 November 2002 Churchill Downs Implements Security Procedures
8 November 2002 UK Company to Use Signature Capture Biometrics
7 & 8 November 2002 Japan Police Sites Probed
7 November 2002 Michigan Man Pleads Guilty to Stealing Files from Former Employer
6 & 7 November 2002 VeriSign Separates Two Root Servers
6 November 2002 Lotus Domino Security Flaw Troubles U.S. Navy Sites
6 November 2002 OASIS Approves SAML v.1
6 November 2002 e-Mail from Certain Business Sectors More Likely to Carry Viruses
6 November 2002 Bermudan Bank Site Defaced
6 November 2002 CD Copy Protection Won't Work
6 November 2002 UK Government Seeking to Improve Disaster Recovery Methods
5 & 7 November 2002 Bill Would Fund Cyber Censorship Circumvention Technologies
5 November 2002 Phone Phreakers Rack Up $11,000 Bill in Ohio
5 November 2002 Cyber Sabotage Stories
5 November 2002 Self-Healing Database Software
5 November 2002 Mozilla Vulnerabilities
4,5 & 6 November 2002 e-Voting Needs Audit Trails
4 November 2002 Advice Isn't Always Worth the Cost
4 November 2002 Researcher Develops Prime Number Determination Method
VIRUSES AND OTHER MALWARE
12 November 2002 Maz.A Trojan
6 & 7 November 2002 Roron Worm
POSSIBLE THOUGHTS FOR THE NATIONAL STRATEGY
A FEW WORDS FROM STEPHEN NORTHCUTT ABOUT YEAR END MONEY
I used to keep my lab up to date by spending year-end money other
people had not used. You may have year end training money available;
it couldn't hurt to check! SANS is offering conferences in Orlando FL,
San Francisco and the greater Washington DC area, http://www.sans.org
If you only have a little money available, you might want to invest
in a 2 day hands on "Flight School" workshop. If you have training
money, but can't travel, consider the local mentor or instructor led
online approaches to learning!
************** This Issue Sponsored by PentaSafe **********************
Make sense of security events and log files with PentaSafe's new
VigilEnt Intrusion Manager
Spending hours sorting through event data? The VigilEnt Intrusion
Manager - Log Analyzer consolidates raw event data from your operating
systems, firewalls, IDS systems and more, then uses a sophisticated
analysis engine to pinpoint security trends across your enterprise.
VIEW DEMO: http://www.pentasafe.com/products/vim
TOP OF THE NEWS
11 November 2002 CA Law Requires Reporting of Certain Security Breaches
California has passed a law requiring State agencies and private businesses to report cyber security breaches that may have compromised confidential information. As of July 1, 2003, those who fail to comply with the law face civil or class action suits.
5 & 8 November 2002 Breeders' Cup Investigation Continues
The FBI has joined the investigation into whether three former fraternity brothers were involved in a scheme to manipulate off-track betting computers to guarantee a large win. One of the men, who worked for Autotote, was fired a week ago. The three men allegedly exchanged e-mail in the weeks before the suspicious October 26th bets; the Autotote employee may have altered the bets after the first few races were run. Officials were uncertain whether the Autotote system generates reports when a "superuser" alters bets or other files.
12 November 2002 One Week Left For National Cyber Security Strategy Comments
In one week, the open comment period closes for the National Strategy to Secure Cyberspace. At the end of this issue of NewsBites (right after the VIRUSES stories), we've included several suggestions developed by some of the people who have taken a lot of time to review the strategy. Read the strategy, take a look at the suggestions, and then express your thoughts. Whether or not the ideas presented here are consistent with your views, please express your suggestions, support and criticism. It's rare that policy makers ask for input from the technical community. It would be a shame to waste the opportunity.
4 November 2002 Financial Sector Cyber Incidents Often Go Unreported
World Bank security expert Tom Kellermann cites studies that indicate as many as 80% of cybersecurity breaches at financial institutions go unreported. Banks and other financial institutions are often more willing to pay extortionists than they are to go public with information that could damage their reputation.
[Editor's Notes (Ed Skoudis, Guest Editor): Based on what I've seen in the financial sector, a lot of this 80% number depends on how you define a "breach." Sure, financial institutions don't report every scan they get, or every time someone finds a slight flaw in a web app. That's a lot of the 80% right there. They are only required to report incidents to the government that materially impact their customers, which is a very small portion of all attacks indeed. That said, cyber extortion does occur, just not at the rate implied in the article. I have worked cases where brokerage firms did pay extortionists to defuse logic bombs so that they could continue trading. (Schultz): Information security staff members at financial institutions are undoubtedly chuckling as they read this news item--80 percent is certainly a gross underestimate! (Murray): Though the publicity for banks is often significantly more damaging than the original event (we have had at least one bank fail because of the publicity of a loss that they could easily absorb), it is a felony for banks to conceal material losses from the regulators. This is the only industry for which this is true. While they must tell the regulators, they need not and should not tell the press. I do not know of any banks that do or would pay extortion or any responsible security consultants that would advise them to do so. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Special Bundle Pricing on RealSecure(r) for Nokia latest technology
(2) IDS CRYING WOLF? Stop false positives. Stop scouring logs.
FREE white paper. http://www.sans.org/cgi-bin/sanspromo/NB100
THE REST OF THE WEEK'S NEWS
14 November 2002 Cybersec Funding Bill Goes to President
H.R. 3394, which allocates $903 million for cybersecurity research, was approved today on a voice vote. The bill, also known as the Cyber Security Research and Development Act (CSRDA), includes $25 million earmarked for increasing the number of qualified college-level cyber-security instructors and $144 for establishing Computer and Network Security Research Centers; it also requires the National Institute of Standards and Technology (NIST) to create cybersecurity checklists for use by government agencies. However, on urging from the computer industry, Congress removed provisions asking federal agencies to use the checklists.
[Editor's Note (Paller): Don't start spending the money yet. The appropriations committees must specifically approve funds before they can be spent. Any combination of a war in Iraq, prescription drug measures, and additional tax cuts will put enormous pressure on Congress to trim discretionary spending. ]
3 November 2002 National Cyber Forensics and Training Alliance
The National Cyber Forensics and Training Alliance in Pittsburgh will train investigators in methods of tracking down cyber evidence. The alliance is comprised of federal and local law enforcement agencies, businesses and institutions of higher education in Pittsburgh and West Virginia. Other such alliances exist around the country, but the one in Pittsburgh is the first to have a training center.
[Editor's Note (Northcutt): I hope this project succeeds and that they reach out and team with the existing and respected High Tech Crime Investigation Association, that has been serving a similar function for years without government funding. More information about the NCFTA alliance can be found at:
Alliances like this must be part of the government's plan to disburse the money from the Cybersecurity Funding Bill (described in the previous story). ]
11 November 2002 Optical Antenna Improves Wireless Security
British research scientists have developed an optical antenna they say can increase wireless network security. The antenna transmits and receives infrared signals instead of radio signals, and so can be more focused and controlled.
11 November 2002 US Military Site Hacker to be Indicted
A British man is likely to be indicted very soon in federal courts in New Jersey and northern Virginia on charges stemming from a series of cyberattacks against U.S. military computer networks. Authorities are considering trying to have the man extradited to the U.S.
11 November 2002 Some Interior Systems Still Disconnected
Almost a year after a federal judge ordered the Department of the Interior disconnected from the Internet due to serious cyber security problems, 6 per cent of its systems remain off line; most of those systems deal with the Department's Bureau of Indian Affairs trust funds.
8 & 11 November 2002 Kaspersky Labs Mailing List Hit with Infected Virus Warning
Hackers launched an attack against Kaspersky Labs' server, accessed the company's newsletter e-mail distribution list, and sent a copy of a newsletter with the Braid or Bridex worm attached. Kaspersky has addressed the vulnerability the hackers exploited.
8 November 2002 Symantec Releases Patch for e-Mail Deletion Flaw
Symantec has released a patch for a security flaw in the anti-spam feature of Norton Internet Security 2003 that deleted some users' e-mails. The patch is available from the company's Live Update site.
8 November 2002 Churchill Downs Implements Security Procedures
In the wake of a suspiciously large payoff for a series of bets made at the Breeders' Cup, Churchill Downs, Inc. is establishing a number of security procedures in its computerized betting system. Automatic betting will be locked out at least a minute before the start of the race to allow final odds to be tabulated and posted prior to the start of the race. Bets will only be accepted from hub facilities that have front-end recording devices that leave audit trails, and winning bets in multiple simulcast races will be reviewed.
8 November 2002 UK Company to Use Signature Capture Biometrics
UK building concern Nationwide plans to use signature capture biometric technology to help prevent fraud. Customers will be asked to sign their names up to six times for the system to decide that it has an accurate picture of that individual's writing style, including how the pen is held, what type of pressure is exerted and how quickly that person writes.
[Editor's Note (Schultz): I wonder how willing customers will be to sign their names up to six times when competitor banks require less rigorous authentication procedures. Human factors/usability considerations are among the most important, yet neglected variables in information security today. ]
7 & 8 November 2002 Japan Police Sites Probed
According to Japan's National Police Agency, hackers tried more than 51,000 times to break into their computer systems in July, August and September of this year. The vast majority of the attacks were aimed at discovering what programs the computers were running.
7 November 2002 Michigan Man Pleads Guilty to Stealing Files from Former Employer
Gregg Wysocki of Rochester Hills, Michigan has pleaded guilty to criminal computer intrusion. Wysocki could receive a prison sentence of up to five years and be ordered to pay a $10,000 fine for stealing files from his previous employer and using the information they contained to get a job with a competitor.
[Editor's Note (Shpantzer): Some organizations make it a policy to forensically image the computers of departing employees, whether they quit or were fired. This allows them to come back later to a properly archived image and analyze it for potential evidence. ]
6 & 7 November 2002 VeriSign Separates Two Root Servers
VeriSign has physically and electronically separated the two domain name servers (DNS) it operates to help reduce the Internet's vulnerability to attacks; the J root server was separated from the A root server. Before their separation, the servers were set up on the same system subnet in the same room.
6 November 2002 Lotus Domino Security Flaw Troubles U.S. Navy Sites
Security problems in two U.S. Navy websites running IBM's Lotus Domino software made confidential Navy databases accessible to web surfers. One of the sites has been shut down and the other now requires users to log in.
6 November 2002 OASIS Approves SAML v.1
The Organization for the Advancement of Structured Information Standards (OASIS) has approved Security Assertion Markup Language (SAML) v.1; the single sign-on standard would allow users to visit multiple sites with one secure sign-on.
[Editor's Note (Murray): Perhaps it can be used that way but that is not what it does. It simply tags such data as user ID and password so that it can be recognized across systems or applications without further prior agreement. ]
6 November 2002 e-Mail from Certain Business Sectors More Likely to Carry Viruses
According to a MessageLabs report, e-mails from retailing and leisure companies are at least seven times more likely to contain a virus than are e-mails from accounting and legal businesses. The cause is suspected to be the fact that retailing and leisure industries have a closer relationship with home users, who are generally not careful about computer security. The study showed the retail and leisure industry with 1 in 50 infected e-mails, finance and banking with 1 in 101, and accounting and legal with less than 1 in 350.
6 November 2002 Bermudan Bank Site Defaced
Hackers may have exploited a Microsoft operating system vulnerability to deface two Bermudan websites, including that of the Bank of Butterfield. Bank officials say no customer data was compromised. The site hosts are recommending that their clients who work with data that needs to be protected switch to their Unix based hosting platform.
[Editor's Note (Schultz): The recommendation in this news item should add a considerable amount of fuel to the "whose operating system is most secure" debate. ]
6 November 2002 CD Copy Protection Won't Work
Princeton University computer scientist John Halderman says that CD copy protection is futile because both software and hardware are constantly being upgraded. Halderman suggests that the music industry reduce the cost of new CDs to the point where it would be less expensive to buy one than to make a copy.
[Editor's Note (Shpantzer): Making CDs available at a lesser cost than copying them is not feasible. However there are now reasonably priced internet-based music distribution sites such as PressPlay.com and Listen.com. These are not free nor as cheap as making a copy, but they are moving in the right direction for giving honest people a way to get the custom download experience. ]
6 November 2002 UK Government Seeking to Improve Disaster Recovery Methods
The UK government's Parliamentary Communications Directorate is inviting bids for a data back-up and disaster recovery system to replace their present tape systems. If it works well, other departments are likely to implement similar systems.
5 & 7 November 2002 Bill Would Fund Cyber Censorship Circumvention Technologies
Proposed legislation would provide $100 million over two years to groups developing technologies that circumvent cyber censorship measures such as those used by the Chinese government. There is some concern that the technologies will be detected and thwarted by Chinese authorities and that those found using them would be punished.
5 November 2002 Phone Phreakers Rack Up $11,000 Bill in Ohio
Hackers guessed an Ohio woman's voice mail password, and recorded a message that would sound to operators as if someone were accepting charges for a collect call so that they could use her line to make lengthy international calls. Her one-month phone bill was nearly $11,000, which she did not have to pay. People should choose voice mail passwords that are hard to guess and should change them frequently; they should also consider blocking or limiting access to international calls.
5 November 2002 Cyber Sabotage Stories
Examples of insider (or former insider) cyber sabotage include a terminated temporary employee crashing servers, which irretrievably deleted all the data, and an employee sabotaging product performance test results.
5 November 2002 Self-Healing Database Software
Researchers at Pennsylvania State University have developed software that allows a database under attack to repair itself even as the attack is occurring. The software monitors database user activity; if it appears suspicious, the user is redirected to a "dummy" database. If it turns out that the concerns were unfounded, the user's activity can still be merged into the true database.
5 November 2002 Mozilla Vulnerabilities
Versions of the open source browser Mozilla prior to 1.0.1 contain a half-dozen security vulnerabilities that could be exploited to execute code and read files from hard drives. Red Hat suggests that users of vulnerable versions should update their software.
4,5 & 6 November 2002 e-Voting Needs Audit Trails
The increased use of e-voting in the recent election has raised concerns about the security of the systems. Some voters were reporting that the systems were tallying their votes incorrectly. Despite assurances of encryption, digital signatures and backups from system providers, critics say the systems are not reliable enough. The software they run on is proprietary and thus unavailable for review. Current systems provide no audit trail to check for vote tampering or to ensure that people's votes were counted accurately. Cryptographer David Chaum has developed a system that gives voters encrypted receipts they can use to check whether or not their vote was tallied properly.
[Editor's Note (Murray): The problem of assuring the voter that his ballot has been tallied properly while not compromising the secrecy of that ballot is a fundamental problem in all systems. No system has ever done it well, least of all the voting machines that we have been using for much of this century. However, we tend to expect both higher integrity and demonstrability of novel technology. ]
4 November 2002 Advice Isn't Always Worth the Cost
The intrepid Security Manager, wanting to explore the options available for migrating to a new PKI product, finds that high-priced consultants offer little in the way of meaty advice.
4 November 2002 Researcher Develops Prime Number Determination Method
Manindra Agrawal, a theoretical computer scientist in India, has come up with a method for determining whether or not very large numbers are prime. While his findings have "no immediate practical application," Agrawal may eventually address the problem of factoring very large numbers. The product of two very large prime numbers is the basis for some Internet encryption.
VIRUSES AND OTHER MALWARE
12 November 2002 Maz.A Trojan
The Maz.A Trojan arrives in an e-mail with a subject line announcing a great free site; it exploits an IE 5.01 and 5.5 incorrect MIME header vulnerability to execute automatically. A patch is available for the flaw.
6 & 7 November 2002 Roron Worm
The Roron, or Oror.B, worm spreads through e-mail, shared drives and the Kazaa peer-to-peer file-sharing network. The worm's payload includes installing several tools that allow infected machines to be controlled by IRC messages to launch denial of service attacks. Users become infected only if they manually launch the attachment. Roron also searches for and deactivates some anti-virus software and tries to delete it; in certain circumstances, Roron deletes files from hard drives.
POSSIBLE THOUGHTS FOR THE NATIONAL STRATEGY
If any of these are consistent with your views, please grab them and email them to the people collecting comments at email@example.com. Don't forget to tell them who you are, where you work, and what you do. Whether or not these ideas are consistent with your views, please express your suggestions, support and criticism. It's rare that policy makers ask for input. It would be a shame to waste the opportunity.
1. From the Center For Democracy and Technology: The government needs to get its own house in order - it needs to force agencies to do the right things. In this regard, we believe that the National Strategy is not strong enough. We urge the Administration to strengthen the power of OMB to mandate security
[but only for government agencies ]
2. From leaders of the networking community: ISPs are the first line of defense when a cyber attack is underway. However, the ISP community is at great risk of losing the few remaining security experts who are capable of taking action quickly. If the Federal government hopes to have a viable Rapid Response capability, it must find a way to bolster the security staff and tools available at the medium to large ISPs.
3. From another wise person: There is pressure from some people to remove the home user and small business user from the National Strategy because, they say, it is silly for a strategy dealing with terrorism to even consider the home user. When the Leaves worm took over and controlled more than 16,000 home computers, its creators had enough power to put any site on the Internet out of business including major communications facilities serving the military and emergency response systems. Home users control more fire power, in the aggregate, than business users, and they have less security, by far. Please continue to include them in the plan.
4. From SANS Research Office (Alan Paller): One of the most powerful ideas laid out in the draft National Strategy is to use the government's combined buying power to provide economic incentives for vendors to deliver and maintain safer systems. The draft Strategy repeated the idea in the section dealing with industry groups. Both government and industry groups can have a profound impact. Working together they can move mountains. Please put added emphasis in the Strategy on government-wide and industry-wide purchasing using minimum security standards.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
To change your subscription, address, or other information, visit
https://www.sans.org/sansurl/ and enter your SD number or email address
(from the headers.) You will receive your personal URL via email.