Last Chance: MacBook Air, Dell XPS 13 or $600 off with SANS Online Training Ends December 7

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #1

January 08, 2003

TOP OF THE NEWS

6 January 2003 Administration Drafts Trimmed Down Cyber Security Strategy
20 December 2002 Wisconsin Man Will Serve Up To 20 Years In Prison
for Computer Crimes and Other Offenses
6 January 2003 California Disclosure Law May Apply Outside California

THE REST OF THE WEEK'S NEWS

6 January 2003 American Airlines Improves Wireless Security at Denver Airport
6 January 2003 PR Firm Error Could Have Exposed Customer Data
3 & 6 January 2003 CSIS Paper Says Cyberterrorism is Overhyped
3 January 2002 Clarke Says Cyberterrorism is a Real Threat
3 & 6 January 2003 Supreme Court Justice Rescinds Stay in DeCSS Case
3 January 2003 Wall Street Business Disaster Recovery Centers Can be in NYC
2 & 3 January 2003 Serebryany Charged with Stealing and Posting DirecTV Documents
2 & 3 January 2003 Lindows.com CEO Admits He's Behind Xbox Hack Contest
3 January 2003 RIAA Hacked Again
3 January 2003 CIO Council Wants Agencies to Address Enterprise Architecture Security
3 January 2003 Government Site Vandal Pleads Guilty
2 & 3 January 2003 Yaha Variant
2 January 2003 Killboot Macro Virus
2 January 2003 TSA Removes Password Protected Documents from Internet
2 January 2003 Confidence in On-Line Transactions is Increasing
1, 2 & 3 January 2003 Reward Offered in Government Contractor Computer Theft
30 December 2002 Putty SSH Vulnerability Exploit Posted on Bugtraq


******************* This Issue Sponsored by BioNetrix *****************
Considering Single Sign-On? Download a Free SSO White Paper.
This paper surveys the landscape of existing Single Sign On (SSO)
architectures and technologies and outlines the requirements for a new
type of secure, enterprise SSO. Learn how a Secure SSO solution can
enable centralized control of application sign-on and user identity
verification, increasing security, convenience and productivity.
Visit: http://www.bionetrix.com/sso-sans
***********************************************************************

TOP OF THE NEWS

6 January 2003 Administration Drafts Trimmed Down Cyber Security Strategy

In a new draft of the National Strategy for Securing Cyberspace, the Bush Administration has reduced the number of proposals by 40%. The new draft eliminates many proposals for America's corporations to improve security, focusing instead on suggestions for the US government agencies. It also eliminates a proposal for the White House to consult with privacy advocates on the impact of security proposals on civil liberties.
-http://www.msnbc.com/news/855722.asp?0cv=CB20

20 December 2002 Wisconsin Man Will Serve Up To 20 Years In Prison for Computer Crimes and Other Offenses

Joseph Konopka, 26-year-old Wisconsin man who has gone by the alias Dr. Chaos, agreed to a plea bargain in which he will serve a sentence of up to twenty years for a series of crimes that includes "creating counterfeit software and interfering with computers." A person familiar with the investigation notes "Konopka was an extremely capable systems administrator, and of the six charges to which he pled guilty, ? four were computer crime charges, including use of a sniffer, computer intrusion, transmission of malicious code, and software piracy. He was also a serious threat to critical infrastructures."
-http://www.jsonline.com/news/metro/dec02/104890.asp
-http://www.landfield.com/isn/mail-archive/2002/May/0063.html

6 January 2003 California Disclosure Law May Apply Outside California

A California law that will take effect July 1, 2003, requires companies in the state to inform their customers in the event of a computer intrusion that exposes customer names in conjunction with certain sensitive personal data, like a social security number. According to Scott Pink, deputy chair of the American Bar Association's Cybersecurity Task Force, the law will also pertain to on-line businesses with customers in California.
-http://online.securityfocus.com/news/1984


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Alert! Top 10 SPAM CONTROL techniques for the enterprise ***
Free White Paper http://www.sans.org/cgi-bin/sanspromo/NB116
(2) Prevent DDoS, worm propagation, and unsanctioned network
traffic. Best practices white paper
http://www.sans.org/cgi-bin/sanspromo/NB117
(3) ALERT: Automated Vulnerability Audit for your Web Applications-15
Day FREE Trial http://www.sans.org/cgi-bin/sanspromo/NB118
***********************************************************************
SANS Local Mentor Programs begin in 31 cities in 5 countries
during the next 30 days. Details and schedule at the SANS Web site:
http://www.sans.org/onlinetraining/mentor.php
***********************************************************************

THE REST OF THE WEEK'S NEWS

6 January 2003 American Airlines Improves Wireless Security at Denver Airport

American Airlines has improved the security of its wireless bag-matching and curbside check-in systems at Denver International Airport (DIA) by removing IP addresses from its kiosks and adding authentication technology on top of 40-bit WEP encryption.
-http://www.computerworld.com/mobiletopics/mobile/story/0,10801,77255,00.html

6 January 2003 PR Firm Error Could Have Exposed Customer Data

The administrative password to a server run by Carmichael Lynch, a public relations and advertising company, was posted on a web site for at least six months. The password could have been used to access a variety of files, including customer databases for some of Carmichael Lynch's big clients. The posting containing the password has been removed and a spokeswoman for the company said there is no evidence that anyone took advantage of the vulnerability.
-http://www.wired.com/news/infostructure/0,1377,57066,00.html

3 & 6 January 2003 CSIS Paper Says Cyberterrorism is Overhyped

A paper from the Center for Strategic & International Studies (CSIS) argues that the threat of cyberterrorism to critical infrastructures has been exaggerated by the government and the media. The paper draws a distinction between computer systems, which are vulnerable to cyber attacks, and critical infrastructures, which it says are not as vulnerable.
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,77
239,00.html

-http://www.washtimes.com/business/20021226-40779202.htm

3 January 2002 Clarke Says Cyberterrorism is a Real Threat

Chairman of the President's Critical Infrastructure Protection Board Richard Clarke says the threat of cyberterrorism should not be dismissed. Clarke maintains that solutions to cyberspace threats aren't as clear as those to physical security threats, and that we need to handle the threat by eliminating cyberspace vulnerabilities.
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,77
238,00.html

[Editor's Note (Murray): There is a difference between "not dismissing" and what the government has been doing. In security we must strike a difficult balance between false comfort and false alarm. The CSIS Paper suggests that the government's present rhetoric risks desensitizing us to alarms. This overstatement, not to say hype, is not limited to cyber space. If one uses the Government's own (five point) scale it seems to me that they are consistently one notch too high. (Schultz): I hope that the use of the term "eliminating vulnerabilities" in this news item was a misquote. Certainly Richard Clarke knows that vulnerabilities can never be completely eliminated. Terminology such as "minimizing vulnerabilities" or "managing vulnerabilities" would have been far better. ]

3 & 6 January 2003 Supreme Court Justice Rescinds Stay in DeCSS Case

US Supreme Court Justice Sandra Day O'Connor rescinded an emergency stay she had placed on a ruling by the California Supreme Court in a case involving the publishing of DeCSS, a DVD encryption breaking utility. As a result of O'Connor's action, the defendant in the case, Matthew Pavlovich, may distribute DeCSS again, though he could also be sued again. The Electronic Frontier Foundation's legal director lauded O'Connor's action, observing "
[t ]
he entertainment companies need to stop pretending that DeCSS is a secret."
-http://news.com.com/2100-1023-979197.html
-http://www.cnn.com/2003/TECH/biztech/01/06/us.dvdencrypt.ap/index.html
[Editor's Note (Schultz): DeCSS encryption amounts to little more than "security by obscurity." You'd think that by now the entertainment industry would quit beating a dead horse and instead get real by trying to develop a stronger encryption scheme. ]

3 January 2003 Wall Street Business Disaster Recovery Centers Can be in NYC

Businesses located on Wall Street will not have to locate their disaster recovery data centers at least 200 miles from their primary centers; federal regulators dropped that provision in favor of developing contingency plans that keep the centers in NYC.
-http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,7725
0,00.html

2 & 3 January 2003 Serebryany Charged with Stealing and Posting DirecTV Documents

The FBI has arrested a 19-year-old for allegedly distributing documents containing technical information about DirecTV satellite smart cards to several satellite pirate web sites; the documents could be used to break DirecTV smart cards. Igor Serebryany will be charged under the 1996 Economic Espionage Act and could face a ten-year prison sentence and a fine of up to $250,000. There is no evidence indicating Serebryany benefited financially from his actions.
-http://www.wired.com/news/politics/0,1283,57039,00.html
-http://news.com.com/2100-1023-979001.html
-http://www.vnunet.com/News/1137793
[Editor's Note (Northcutt): This case has enormous importance. As we become an information economy, trade secrets and other intellectual property are among the most valuable assets any organization has. The Economic Espionage act has not been used by the government as much as it should have been so it will be interesting to see how this plays out. ]

2 & 3 January 2003 Lindows.com CEO Admits He's Behind Xbox Hack Contest

Michael Robertson, founder of Lindows.com, says he is behind a contest offering $200,000 to the first successful hack of Microsoft's Xbox console. The challenge emerged anonymously in July 2002. Robertson says he posed the challenge because he believes restricting access to the machine's processor "sets a dangerous precedent."
-http://news.com.com/2100-1040-978957.html
-http://www.wired.com/news/games/0,2101,57052,00.html

3 January 2003 RIAA Hacked Again

The Recording Industry Association of America's (RIAA) website was recently hacked for the sixth time in as many months. The site is a target for hackers because of the association's stance on digital file sharing.
-http://www.wired.com/news/technology/0,1282,57048,00.html

3 January 2003 CIO Council Wants Agencies to Address Enterprise Architecture Security

The CIO Council sent a memo to federal agency CIO's advising them to take steps to secure their enterprise architectures and applications. The Council told the CIOs they should include their plans for securing that software in their next quarterly update submitted to the Office of Management and Budget OMB) under compliance with The Federal Information Security Management Act (FISMA).
-http://www.fcw.com/fcw/articles/2002/1230/web-cio-01-03-03.asp
-http://www.gcn.com/vol1_no1/daily-updates/20764-1.html

3 January 2003 Government Site Vandal Pleads Guilty

An Alabama man could spend up to ten years in prison for defacing numerous government web sites. William Douglas Word pleaded guilty to 17 counts of defacing sites at NASA, the Interior Department, the Defense Department and other agencies. Word's sentencing is scheduled for April 24.
-http://www.dodig.osd.mil/DCIS/press/011228ww.htm
-http://www.gcn.com/vol1_no1/daily-updates/20766-1.html

2 & 3 January 2003 Yaha Variant

A new variant of the Yaha worm was detected at the end of 2002. Yaha affects systems running Windows operating systems; a part of its payload involves trying to disable firewalls and antivirus software. It has its own SMTP engine and sends itself out via infected systems' address books and through some Messenger software.
-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,77190,0
0.html

-http://news.bbc.co.uk/1/hi/technology/2621419.stm
-http://www.vnunet.com/News/1137805

2 January 2003 Killboot Macro Virus

A macro virus called "Killboot" has the capacity to overwrite the Master Boot Record (MBR) on physical hard drives of infected machines. "Killboot" infects Word documents. There have been few reports of infections in the wild.
-http://www.vnunet.com/News/1137774

2 January 2003 TSA Removes Password Protected Documents from Internet

The Transportation Security Administration (TSA) has removed four password-protected documents from its web site after concerns were raised about the security of the documents' contents.
-http://news.com.com/2100-1023-978981.html

2 January 2003 Confidence in On-Line Transactions is Increasing

A quarterly survey from the Conference Board finds that consumer confidence in the security of on line transactions is increasing. 33% of those surveyed believed their transactions are secure, compared with 27.5% a year ago. 25% believe their personal information is safe, up from 22% last year.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=1985136
[Editor's Note (Schultz): It is important to understand that changes in statistics over time could be due to sampling error, too. Whether or not these statistical changes represent shifts in attitudes remains to be seen. ]

1, 2 & 3 January 2003 Reward Offered in Government Contractor Computer Theft

A $100,000 reward is being offered for information that leads to the arrest and conviction of those responsible for stealing laptops and hard drives from the office of a government health-care contractor in Phoenix, Arizona. The stolen hardware contains personal data, including names, addresses and social security numbers belonging to more than 500,000 military personnel.
-http://www.cnn.com/2003/TECH/biztech/01/01/pentagon.computerthef.ap/index.html
-http://www.gcn.com/vol1_no1/daily-updates/20756-1.html
-http://www.fcw.com/fcw/articles/2002/1230/web-dod-01-03-03.asp

30 December 2002 Putty SSH Vulnerability Exploit Posted on Bugtraq

Exploit code for a vulnerability in the Putty SSH client was posted on the Bugtraq mailing list. The code, which was posted by the security research division of a Spanish firm called I-Proyectos, was accompanied by a statement that it was only for educational and testing purposes.
-http://www.eweek.com/article2/0,3959,801913,00.asp
[Editor's Note (Murray): Nice people do not publish exploit code or do business with those that do. One certainly does not do business with them for no better reason than that they publish exploit code. Imagine one's reaction to IBM or Oracle publishing exploit code. While I admit that this is a novel ethical decision for some individuals, I have trouble understanding how so many businesses get it wrong. Emmanuel Kant where are you when we really need you? ]



===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites