SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #16
April 23, 2003
We rarely begin NewsBites with an editorial, but this week the first
two items in "Top of the News" combine to tell an important story.
First, Howard Schmidt is leaving the White House and the government,
and second, Microsoft is announcing a much more safely configured
server operating system. Many people (including one of our editors)
will say that Schmidt's leaving - so soon after Richard Clarke's
departure - means the government has lost its cybersecurity leadership.
Although we are very sad to see Howard go, the fact is that Richard
Clarke and Howard Schmidt have accomplished, magnificently, the
principal goal set for their positions. Their speeches and articles and
private meetings changed the mind set of the IT buying community. They
led the charge that caused security to become a required feature
rather than an afterthought.
The proof - the second news item:
Microsoft's announcement, and five similar announcements from other
vendors you will hear over the next few months. Vendors do not change
their products because government leaders make speeches; they change
their products because their customers demand the changes. Kudos to
Dick Clarke and Howard Schmidt for helping to persuade the IT buying
community that security really matters.
The question still remains: can government lead in cybersecurity
without a highly-placed czar? Absolutely! Mark Forman (Office of
Management and Budget), Karen Evans (Department of Energy and the CIO
Council) and Van Hitch (Department of Justice and the CIO Council)
are working quietly and effectively to make the federal government
the smartest and largest buyers of safely configured software and
hardware. Add to that effort the new rapid response analysis and
information distribution system (called the US Cert) being set up in
the Department of Homeland Security by Bob Liscouski and Marcus Sachs
and you have a US government that is continuing to show leadership
by putting its money on improved security and, as a result, that is
making security a little easier and more effective for all of us.
TOP OF THE NEWS
Schmidt Resigns Post
Windows Server 2003 Offers Improved Security
NIST to Establish Cybersecurity Standards for Agency Systems
DHS Proposes Rules for Info Sharing
THE REST OF THE WEEK'S NEWS
Student Faces Charges for Alleged Server Intrusion
Student Who Used Keystroke Logger to Steal Info Gets Probation
Trojan Downloaded Pornographic Images
Windows 2000 Patch Contains Unidentified Files
Military Academies Engage in Cyber Defense Exercise
Proposed EU Hacking Law Has Loophole
Survey Shows Security Needs Improvement
TechNet and Others Developing Best Practices for Managers
Sticky Legal Questions About Honeypots
Students Cannot Present Talk on Smart Card Security Circumvention
Naval Academy Students Disciplined for Downloading Music Files
Application Vulnerability Description Language
Admitted Australian ISP Hacker Let Go Without a Conviction
******** Sponsored by Application Security, Inc. (AppSecInc) *********
QUESTION: How vulnerable are your Oracle, Microsoft SQL Server, IBM DB2,
Sybase, and Lotus Domino installations to an attack?
ANSWER: Find out with AppDetective!
AppDetective DISCOVERS installations; performs ZERO KNOWLEDGE DATABASE
PENETRATION TESTS; and performs in-depth AUDITS without host-based agents.
Download your FREE EVALUATION of AppDetective and WHITE PAPERS on
database security TODAY from: http://www.appsecinc.com/sans/
TOP OF THE NEWS
Schmidt Resigns Post (18/21 April 2003)
White House cybersecurity advisor Howard Schmidt has announced that he will resign his post and return to the private sector. Schmidt plans to meet with DHS Assistant Secretary of Infrastructure Protection Robert Liscouski and others to make sure projects in progress make a smooth transition. Schmidt's resignation means there is no high ranking official whose primary focus is cybersecurity.
[Editor's Note (Schultz): This is a huge setback. It once again raises the suspicion that the government is really giving only lip service to cybersecurity. ]
Windows Server 2003 Offers Improved Security (18 April 2003)
The impending release of Microsoft's Windows Server 2003 will serve as a test for the company's trustworthy computing initiative. The new operating system's default installation is very close to the safe computing benchmarks developed by the US National Security Agency and the Center for Internet Security. The new system also includes a security feature that will check a PC's configuration when it connects to the network. If the PC does not meet the configuration requirements, for instance, if its anti-virus signatures are not up to date or it lacks a personal firewall, then that machine is quarantined on a private segment of the network until the problem is addressed.
[Editor's Note (Paller): Microsoft appears to be using the improved security of Windows 2003 Server as a lever to push clients to switch from Windows 2000 to Windows 2003. Gartner says that by the end of 2003, only 5% of Windows 2000 users will have switched to Windows 2003, and only 15% will switch by the end of 2004. Computer companies like Dell and Hewlett Packard could become serious security heroes by configuring the Windows 2000 systems they deliver with the same sort of safe configurations now being offered in Windows 2003. Every reader of NewsBites can help make that happen by asking their CIOs to add a safe configuration requirement to their procurement specifications for computers delivered with Windows 2000. You can find safe and compatible configurations in the benchmarks published by the Center for Internet Security at
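The quarantine-on-connect behaviour described in the item above amounts to a posture policy: check a few facts about the endpoint, and if any check fails, place the machine on an isolated segment until it is remediated. The following is an added illustration of that policy logic, not Microsoft's code or anything from Windows Server 2003; the endpoint reports, the segment names and the seven-day signature-age threshold are all constructed for the example. It fails closed: a report that omits a field is treated as non-compliant rather than assumed clean.

```python
"""Endpoint posture check of the kind described in the Windows Server 2003
item. Added example with constructed data; not the product's implementation."""
from dataclasses import dataclass, field
from datetime import date

# Policy parameters (assumed values for the example, not from the article).
MAX_SIGNATURE_AGE_DAYS = 7
PRODUCTION_SEGMENT = "vlan-100-production"
QUARANTINE_SEGMENT = "vlan-999-quarantine"
# Fixed "today" so the example is reproducible offline.
TODAY = date(2003, 4, 23)


@dataclass
class Decision:
    """Where the endpoint is placed, plus the checks it failed (empty if none)."""
    segment: str
    failures: list = field(default_factory=list)


def evaluate_posture(report: dict, today: date = TODAY) -> Decision:
    """Return the network segment an endpoint should be placed on.

    `report` stands in for the data an endpoint agent would send on connect.
    A missing or malformed field counts as a failed check (fail closed), so a
    host that cannot prove its state is quarantined, not waved through.
    """
    failures = []

    # Check 1: anti-virus signatures must be recent.
    sig_date = report.get("av_signature_date")
    if not isinstance(sig_date, date):
        failures.append("av_signature_date missing")
    else:
        age = (today - sig_date).days
        if age > MAX_SIGNATURE_AGE_DAYS:
            failures.append(f"av signatures {age} days old")

    # Check 2: a host firewall must be present and enabled.
    if report.get("firewall_enabled") is not True:
        failures.append("host firewall not enabled")

    if failures:
        return Decision(QUARANTINE_SEGMENT, failures)
    return Decision(PRODUCTION_SEGMENT)


# Constructed sample reports: one compliant host, one with stale signatures,
# one whose agent sent no signature date at all and has no firewall.
SAMPLE_REPORTS = {
    "ws-01": {"av_signature_date": date(2003, 4, 22), "firewall_enabled": True},
    "ws-02": {"av_signature_date": date(2003, 3, 1), "firewall_enabled": True},
    "ws-03": {"firewall_enabled": False},
}


def classify_all(reports: dict = SAMPLE_REPORTS, today: date = TODAY) -> dict:
    """Evaluate every report and map host name -> Decision."""
    return {name: evaluate_posture(rep, today) for name, rep in reports.items()}


if __name__ == "__main__":
    for name, decision in classify_all().items():
        print(f"{name}: {decision.segment}  {'; '.join(decision.failures)}")
```

Run as written, ws-01 lands on the production segment and the other two are quarantined with the reason recorded, which is the information a help desk needs to get the host remediated and re-checked.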
NIST to Establish Cybersecurity Standards for Agency Systems (17 April 2003)
The National Institute for Standards and Technology's (NIST's) Certification and Accreditation program will develop standards with which to certify the security of agency computer systems. The first phase of the program, which is underway, involves developing the standards; the second phase involves establishing a group of accredited organizations that can provide security certification services.
[Editor's Note (Ranum): None of this stuff is going to mean anything unless the standards have teeth behind them. (Paller) Agreed and also they will need to have substantial components that are technical standards that can be measured by machine, or they will become another exercise in report writing. ]
DHS Proposes Rules for Info Sharing (16/17 April 2003)
The Department of Homeland Security (DHS) has proposed rules for protecting the private sector systems information it receives; the rules would apply to hardware and software that is part of the nation's critical infrastructure. All federal agencies, as well as state, local and foreign governments and government contractors, would be subject to the rules. Homeland Security Secretary Tom Ridge will choose an undersecretary of the Information Analysis Infrastructure Protection (IAIP) Directorate who will oversee collection and storage of the critical infrastructure data in a database.
[Editor's Note (Ranum): They should try it with the federal sector first and get THAT working, then roll it to the private sector. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
1) ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis
FREE white paper!
(2) ALERT: Top 8 SPAM BLOCKING methods. ***FREE White paper***
THE REST OF THE WEEK'S NEWS
Student Faces Charges for Alleged Server Intrusion (21 April 2003)
A business-college student in Erie, Pennsylvania, faces charges for allegedly breaking into a server belonging to Ohananet, a Hawaiian company. Jason Starr allegedly had control of the server, which was located in Missouri, for about a year. Starr also allegedly changed the server's password and attempted to access PayPal accounts belonging to Ohananet's president. If convicted, Starr could face up to a year in prison and a fine of as much as $100,000.
Student Who Used Keystroke Logger to Steal Info Gets Probation (18 April 2003)
Douglas Boudreau, a former Boston College student who used keystroke-logging software to steal personal information of students, faculty and staff, has been sentenced to five years of probation, and ordered to undergo counseling, repay the school and have his computer use monitored. Boudreau used the information he collected to alter his own student ID card, enabling him to access campus buildings and make purchases with illicitly obtained funds.
Trojan Downloaded Pornographic Images (18 April 2003)
A UK man was acquitted of charges of having pornographic images on his computer after it became apparent that his computer had been infected with a Trojan horse program that was responsible for downloading the images.
Snort Vulnerabilities (17 April 2003)
The Computer Emergency Response Team Coordination Center (CERT/CC) has issued an advisory warning of vulnerabilities in two preprocessor modules of the Snort Intrusion Detection System. The vulnerabilities, which affect versions 1.8 through 2.0 RC1, could be exploited to allow a remote user to execute arbitrary code with the privileges of the user running Snort. Users are encouraged to upgrade to Snort 2.0, disable the affected preprocessor modules, or block outbound packets from Snort IDS systems.
Windows 2000 Patch Contains Unidentified Files (17 April 2003)
Some security experts are recommending that users not install Microsoft's recently released patch for a bug in the Windows 2000 kernel. The vulnerability also affects Windows NT and XP, but the patch for Windows 2000 contains unidentified files, one of which had been included in a patch for an earlier vulnerability and was found to cause problems. NTBugtraq's Russ Cooper recommends not installing the patch unless you first test it in a non-production environment.
Military Academies Engage in Cyber Defense Exercise (17 April 2003)
Students at West Point Military Academy, the Naval Academy, the Air Force Academy, and the Coast Guard Academy engaged in the third annual cyber defense exercise last week.
Proposed EU Hacking Law Has Loophole (17 April 2003)
A proposed European Union (EU) cybercrime regulation is aimed at unifying laws that protect servers and other systems from cyber attacks. However, under a loophole in the proposal, people who access an unsecured computer without the intent to cause damage or to benefit financially would not be considered to have committed a crime.
Survey Shows Security Needs Improvement (16 April 2003)
Respondents to a Human Firewall Council survey completed an on-line self-assessment tool called the "Security Management Index" to grade their company's security efforts in ten areas; 80% of respondents earned a D or an F as an overall grade. The Human Firewall Council believes the "dismal" ratings stem from the fact that businesses seem to approach security by responding to each problem as it arises rather than addressing security as an overall business concern.
TechNet and Others Developing Best Practices for Managers (16 April 2003)
TechNet, an information technology company lobbying group, will work with the Internet Security Alliance and four major accounting and audit firms to develop cybersecurity best practices for managers to use in securing their companies. Howard Schmidt said the initiative is "exactly what we had in mind when we created the National Strategy to Secure Cyberspace."
[Editor's Note (Northcutt): I expect Mr. Schmidt is misquoted; hopefully our strategy to secure cyberspace is more comprehensive than a list of ten or so things we ought to be doing. May I suggest a reading of ISO 17799 might be a better use of their collective time. (Paller) We'll know whether they are serious if none of the "Best Practices" calls for buying any of the sponsors' products or services. ]
Sticky Legal Questions About Honeypots (16 April 2003)
Speaking at the RSA conference, senior counsel for the Justice Department's computer crime unit Richard Salgado said that people who deploy honeypots could potentially be charged with "interception of communications," a felony which carries up to five years in prison, or sued by hackers under the Federal Wiretap Act. Director of Stanford University's Center for Internet and Society Jennifer Granick recommends checking with an attorney before deploying a honeypot.
[Editor's Note (Spitzner): While possible, these issues mainly apply to research honeypots that capture extensive amounts of information, such as Honeynets. Most production honeypots, such as Honeyd or Specter, capture no more information than traditional technologies such as IDS sensors or firewall logs. (Ranum): In other words, some forms of honeypots MAY be intrusive and may be a problem; the majority of production honeypots are not a problem at all; Salgado's comments need to be read carefully and not taken out of context. ]
Students Cannot Present Talk on Smart Card Security Circumvention (15/18 April 2003)
Two students have been blocked from presenting a talk that describes how to break into and manipulate a university smart card network. Blackboard Inc. obtained a temporary restraining order preventing Billy Hoffman, a Georgia Tech student, and Virgil Griffith, a University of Alabama student, from presenting at the Interz0ne conference in Atlanta.
Naval Academy Students Disciplined for Downloading Music Files (15 April 2003)
Eighty-five students at the US Naval Academy have been disciplined for illegally downloading music; computers belonging to 92 cadets were seized in November 2002. The students could face demerits, loss of leave time, extra duties and campus activity restrictions.
Application Vulnerability Description Language (14 April 2003)
The Application Vulnerability Description Language (AVDL) will provide a standard for describing application security vulnerabilities. AVDL will be managed through the Organization for the Advancement of Structured Information Standards (OASIS) consortium.
Admitted Australian ISP Hacker Let Go Without a Conviction (9 April 2003)
An Australian man who admitted hacking into Optusnet, an Internet service provider, and accessing customer details was released without a conviction registered against him, angering members of the computer security community. Stephen Craig Dendtler's lawyer called his client's activity an "intellectual pursuit."
[Editor's Note (Schultz): Although outcomes like this one are unfortunately by no means rare when it comes to prosecuting cybercrime, it appears that over time there has been an upward trend in the number of people being tried and convicted on charges such as the one in this case. ]
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Lance Spitzner
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit