Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #5

January 30, 2002


Demand for GIAC security certification courses shot up in the New
Year. Both the Firewalls and Perimeter Protection track and Auditing
Systems and Networks tracks at Bootcamp in Monterey are sold out as
is Marcus Ranum and Lance Spitzner's new program on How to Deploy
Effective Honeypots. These programs are also being presented in
Orlando in early April at SANS 2002, but they are filling up quickly
there, too, as is the popular new program for Certified Information
Security Officers. Please make your reservations for Orlando within
the next two weeks to ensure you can get a place in the track of
your choice. hppt:/www.sans.org/sans2002.htm


SANS Monthly Free Web Broadcast: February 6, 2002 1 pm
Internet Threat Update and How Hackers Use Social Engineering
Register at http://sans.digisle.tv/audiocast_020602/brief.htm


Alan

TOP OF THE NEWS

28 January 2002 Senator Introduces Cyber Security Legislation
28 January 2002 NIST to Release Security Guides
24 January 2002 Measuring the Progress Toward Trustworthy Computing
22 January 2002 .Net Depends on Security
23 & 24 January 2002 ISP Hit by DoS, Shuts Down

THE REST OF THE WEEK'S NEWS

25 January 2002 Caution and Responsibility Urged in Using Biometric IDs
24 January 2002 Biometric Tolerances
25 January 2002 Fix Available for Vaio Backdoor
25 January 2002 Successfully Tracking a Stolen Laptop
24 January 2002 Chat with Dutch Royals Hit with DoS
24 January 2002 Patch Available for RealPlayer Buffer Overflow Vulnerability
21 January 2002 Buffer Overflow Attacks
24 January 2002 Icelandic Airport Using Face Recognition System
21 January 2002 Deleted E-mail Can Still Reside on Hard Drive
21 January 2002 Authentication Technologies
SANS Announces 18 Authorized Graders for 2002


********** This issue sponsored by PatchLink Corporation ************
FREE Proactive Protection Against Patch-Related Vulnerabilities
How much do YOU suffer because of unpatched systems? PatchLink
promotes proactive patching with PatchLink Update 3.0 and a limited
time offer of the first ten workstations or servers completely FREE for
one year. Don't let stolen data or network downtime problems continue!
Find out more at: http://www.patchlink.com/promotions/sans.asp
**********************************************************************

TOP OF THE NEWS

28 January 2002 Senator Introduces Cyber Security Legislation

Senator John Edwards (D-North Carolina) has introduced two security bills aimed at enhancing government computer security and security education. The Cybersecurity Preparedness Act of 2002 would establish a consortium that would support the creation of cyber security "best practice" configuration settings and other measures that would be tested thoroughly, and implemented first on government computers. The bill would also fund multi-disciplinary, long-term, or high-risk research and development to improve cyber security, including R&D to identify best practices and to measure their effectiveness. First year funding, for 2003, would be $60M. The Cybersecurity Research and Education Act of 2002 would fund graduate cybersecurity fellowships and a research sabbatical program.
-http://idg.net/ic_796350_1794_9-10000.html
[Editor's (Schultz) Comment: Sen. Edwards deserves much praise for his efforts. A national definition of best practices is sorely needed, as is money for security research and education. ]

28 January 2002 NIST to Release Security Guides

The National Institute of Standards and Technology's (NIST's) Computer Security Resource Center plans to release over 30 guides for government agencies this year. The topics covered will include guidance on incident handling and security ROI, e-mail security issues and emerging technology security. The guides will be released for comment.
-http://www.fcw.com/fcw/articles/2002/0128/web-nist-01-28-02.asp

24 January 2002 Measuring the Progress Toward Trustworthy Computing

Bruce Schneier and Adam Shostack suggest measures Microsoft should take to move its trustworthy computing initiative beyond PR and into practice. Customers can also use the measures to track Microsoft's progress toward realizing the initiative. Among the suggestions: separating code from data, allowing features to be installed one by one, making interfaces and protocols public and not disparaging researchers who bring vulnerabilities to their attention.
-http://www.securityfocus.com/news/315
[Editor's (Schultz)Note: Schneier and Shostack's comments are good, but they missed the by far most critical measure that is needed---implementing a structured development process designed to produce high quality code. Without this, the other measures suggested by Schneier and Shostack will not have nearly as much impact. ]

22 January 2002 .Net Depends on Security

Gartner analyst John Pescatore says Microsoft has to be serious about its trustworthy computing initiative because the success of .Net depends on it. He adds that changing the security culture at Microsoft will be a difficult and lengthy process, and customers should keep tabs on the company's progress.
-http://zdnet.com.com/2100-1107-819752.html

23 & 24 January 2002 ISP Hit by DoS, Shuts Down

Cloud Nine, a UK Internet Service Provider (ISP), closed down after it was hit with denial of service (DoS) attacks and its insurance would not cover the necessary costs to get up and running again. Cloud Nine apparently plans to sell its assets to another ISP, which has some customers worried about losing data stored on Cloud Nine's servers and being transferred to another service against their wishes.
-http://zdnet.com.com/2100-1105-820708.html
-http://zdnet.com.com/2100-1105-822309.html
-http://zdnet.com.com/2100-1105-821078.html


***** Also Sponsored by Ranum and Spitzner's Honeypots Course *******
A two day course dedicated to honeypot technologies. Learn what
honeypots are, how they work, and how they apply to security. Learn
how the bad guys are tracked in the wild. The course is hands-on,
intensive, with a full night session dedicated to interacting with
a variety of commercial honeypot solutions.
Students will get a CDROM with a copy of the latest documentation,
whitepapers, utilities, and evaluations copies of software.
(And it is all part of SANS 2002 so you can take certification courses
and seethe exhibits and attend the free technical conference and
birds of a feather sessions, too.)
http://www.sans.org/SANS2002/honeypot.php
*********************************************************************

THE REST OF THE WEEK'S NEWS

25 January 2002 Caution and Responsibility Urged in Using Biometric IDs

Panelists at a Cato Institute-sponsored forum said government agencies need to resolve civil rights issues surrounding the use of biometric identification for security purposes before the technology is employed.
-http://www.gcn.com/vol1_no1/daily-updates/17834-1.html
-http://www.fcw.com/fcw/articles/2002/0121/web-bio-01-25-02.asp
[Editor's (Denning) Note: I was on the panel and don't remember this being a consensus of the panel. My point was that you needed to look at the application of biometrics to see whether privacy was threatened, and that for applications where biometrics is used solely for authentication as a means of access to control, biometrics can enhance privacy by stopping impersonators from getting access to your private data. ]

24 January 2002 Biometric Tolerances

After a fingerprint reader lens gets older and starts generating errors, some employees figure out how to reset the tolerances on the identification system.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67639,00.html

25 January 2002 Fix Available for Vaio Backdoor

A backdoor in software on certain Sony Vaio notebook computers could allow crackers to alter or delete data on the machine's hard drive. A customer alerted Sony to the problem in December and the company has a software update available. The software is on machines sold in Asia, South Africa and the Middle East; machines sold in Europe, Mainland China and the Americas are not affected.
-http://www.theregister.co.uk/content/55/23825.html
-http://www.cnn.com/2002/TECH/ptech/01/25/sony.security.idg/index.html

25 January 2002 Successfully Tracking a Stolen Laptop

A Texas man found his sister's stolen laptop computer by using remotely controllable software and changing the Internet access dial-up numbers to his home phone. The police were able to use the phone number obtained from Caller ID to apprehend the person who had the stolen machine.
-http://www.wired.com/news/mac/0,2125,50025,00.html

24 January 2002 Chat with Dutch Royals Hit with DoS

A Dutch newspaper reported that a hacker group based in the Netherlands is claiming responsibility for launching a denial of service (DoS) attack on an on-line chat with the Country's Crown Prince and his fiancee.
-http://www.theregister.co.uk/content/55/23815.html

24 January 2002 Patch Available for RealPlayer Buffer Overflow Vulnerability

RealNetworks plans to release a patch for a buffer overflow vulnerability in its RealPlayer 8 that could crash the software and could potentially be used to execute malicious code. The patch will be distributed via the company's automated update service. The vulnerability affects both Windows and Linux versions of RealPlayer 8.
-http://www.newsbytes.com/news/02/173936.html

21 January 2002 Buffer Overflow Attacks

Buffer overflow attacks are highly effective because they do not rely on users opening infected attachments to execute. Despite the fact that such vulnerabilities are easy to prevent - coders can limit the length of strings the buffer accepts - buffer overflows are ubiquitous. Until they disappear, users should apply appropriate patches.
-http://www.computerworld.com/itresources/rcstory/0,4167,KEY73_STO67572,00.html

24 January 2002 Icelandic Airport Using Face Recognition System

Iceland's Keflavik air terminal is using a facial recognition system as part of its security routine. The system has produced no matches in the six months since it has been installed; a similar system tested last year in Florida produced numerous false positives
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1780000/1780150.stm

21 January 2002 Deleted E-mail Can Still Reside on Hard Drive

Though Enron-related e-mails were deleted, pieces and entire copies of the messages can probably be found on the hard drives, according to a computer forensics expert.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO67583,00.html

21 January 2002 Authentication Technologies

Authentication methods such as smart cards, tokens and biometrics offer layers of security that passwords alone cannot. As each method has benefits and drawbacks, companies should refrain from running headlong into new authentication systems and instead take time to match authentication technology with their specific needs.
-http://www.computerworld.com/itresources/rcstory/0,4167,KEY73_STO67551,00.html

Eighteen Authorized Graders Named For GIAC Certification

One of the hallmarks the SANS Global Information Assurance Certification (GIAC) program is that each student completes a practical assignment. That assignment demonstrates that he or she not only understands the material to answer test questions but can use it in the real world. This requires a significant investment of time and effort on the part of the student with outstanding rewards. Many students have commented that they learned as much completing the practical as they did in the course, and indeed that is what the practical is designed to accomplish. Grading the practicals in a fair and consistent manner is one of the top priorities of the GIAC certification. Authorized Graders are selected from the very highest scoring students that have earned certification. Each must complete a rigorous training process before they are allowed to grade a student's practical without direct supervision. SANS enthusiastically applauds this elite corps and is proud to present the 2002 GAIC Authorized Graders.
Jeff Campione, Communications Analyst, Federal Reserve Board Brent Deterding, Security Engineer, TechGuard Security Clement Dupuis, Senior Security Consultant, CGI Consulting Group in Montreal, Canada. Jamie French, Canadian Department of National Defense Computer Incident Response Team - (DND CIRT) and Whitehats.ca Peter Giannoulis, Independent Security Consultant Dan Goldberg, Xerox - The Document Company, Electronic Security Architect Bob Grill, California Federal Bank, Audit Project Team Leader Erik Kamerling, Silver Dollar Optical Corporation, Network Security Administrator Brian Kelly, Computer Sciences Corporation, IT Security Analyst Fred Kerby, Naval Surface Warfare Center, Dahlgren Division David Koconis, Dartmouth College, Institute for Security Technology Studies Robert McMillen, USMC Captain Greg Owens, Vibren Technologies, Inc. David Parks, Publix Super Markets, Inc. Infrastructure Architect Patrick Prue, Fantom Technologies Inc. Jos Purvis. Veritect Dan Strom, Kansas Farm Bureau Services, Data Security Manager Carla Wendt, Internet Security Consultant

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz