SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #26
July 02, 2003
TOP OF THE NEWSFeinstein Introduces Security Breach Notification Bill
Interior Ordered Off-Line Again
Gates Says Security Does Not Preclude Privacy
Cyber Warning Information Network is Operational
THE REST OF THE WEEK'S NEWSPetCo.com Fixes SQL Vulnerability
BugBear.B Sends Out Private Correspondence
Palo Alto School District Wireless Network Not Secure
Windows 2000 service Pack 4 is Available
Advice for Mitigating Security Risks
Microsoft Warns of Media product Vulnerabilities
W32/Sobig.E Worm Could be Used by Spammers
Experts Want Government to Leverage Spending Power to Encourage Security
Distributed Denial of Service Attack Hits ClickBank and SpamCop.net
RIAA Will Go After More File Traders
Buffer Overflow Vulnerability in Internet Explorer
Japanese University Server Used to Try to Break into NASA Computers
Former Microsoft Employee Arrested for Allegedly Reselling Software
Symantec Addresses Security Check Service Vulnerability
Executive Branch Agencies Can Hire Cyber Security Specialists Directly
Managed IT Security Services Market in Great Demand, Says Study
Web Address Hijacking on the Rise
65,000 LA County Web Addresses hijacked
Government Gets Right To Hire Computer Security Experts Faster
Disgruntled Employee Sent Confidential Document to Employees
How to Hold on to Your Security Management Job
********************** Sponsored by NetIQ ***************************
"Information Security Policies Made Easy" is the most comprehensive
security policy resource guide you can buy, with 1300+ ready-to-use
security policies that can be quickly customized for any company. Build
best practice security policies in half the time and expense. Also
available "Information Security Roles & Responsibilities Made Easy."
Download a free policy now http://www.netiq.com/order/publications.asp
TOP OF THE NEWS
Feinstein Introduces Security Breach Notification Bill (30 June 2003)Senior Judiciary Committee member Senator Dianne Feinstein (D-Calif) has introduced a bill that would require businesses and government agencies to let people know if their computer systems are compromised and certain types of personal data are stolen. The proposed legislation echoes a California law that took effect July 1, requiring customer notification if unencrypted personal data is exposed. While the new law would not have an effect on the California law, it would preclude other states from enacting similar statutes of their own.
Article On the California law:
[Editor's Note (Schneier): The California law has the enormous loophole of not requiring disclosure in the event of an ongoing investigation. My guess is that some security breaches will be part of ongoing investigations forever. ]
Interior Ordered Off-Line Again (27/30 June 2003)US District Judge Royce Lamberth has ordered the Interior Department to disconnect from the Internet because it refused to cooperate with a court-appointed master who was to test the department's computer systems. Judge Lamberth allowed exceptions for "any system essential for protection against fires and other threat to life or property." Interior was also cut off from the Internet in December 2001, but most systems have been allowed back on-line since then, with the exception of the Bureau of Indian Affairs (BIA).
Gates Says Security Does Not Preclude Privacy (26 June 2003)Speaking at a technology conference in Washington DC, Bill Gates said that improving cyber security does not mean that citizens will have to give up their privacy. Gates emphasized Microsoft's renewed focus on security in its products, pointing out that Microsoft has delayed the release of a product in order to improve its security. Gates spoke in favor of a government plan to buy software only if it meets minimum security standards. Gates would also like the government to increase funding of security research and development.
[Editor's Note (Schultz): It's very encouraging to see an industry giant such as Bill Gates saying the things he is saying. Now it is time for other leaders to openly advocate similar views. ]
Cyber Warning Information Network is Operational (25/30 June 2003)The Cyber Warning and Information Network (CWIN) has begun operation, according to Paul Kurtz, senior director for critical infrastructure protection in the Homeland Security Council and special assistant to President Bush. CWIN has about 30 nodes across the country and allows government and industry to share information about cyber attacks and other threats to computer systems.
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: "How a Hacker Launches a SQL Injection Attack
Step-by-Step" - White Paper
(2) Secure access to your applications. Get your FREE Application
Security White Paper!
(3) Stop spam! - Learn the Top 10 enterprise techniques
THE REST OF THE WEEK'S NEWS
PetCo.com Fixes SQL Vulnerability (30 June 2003)PetCo.com has repaired a security flaw that made it vulnerable to an SQL injection attack. As many as half-a-million customer credit card numbers could have been exposed; PetCo.com blocked access to the website as soon as it learned of the problem. Two weeks ago, Guess.com settled a case regarding the same vulnerability with the FTC.
BugBear.B Sends Out Private Correspondence (30 June 2003)BugBear.B infected some computers at Harvard University, which resulted in private e-mail messages being sent out randomly. One such piece of private correspondence was a memo from Secretary of the Faculty John B. Fox to Dean of the Faculty William C. Kirby regarding possible disciplinary action against a student. Fox said that "computer security is not
responsibility," that it rests with Director of Harvard Arts and Sciences Computer Services Frank Steen.
Palo Alto School District Wireless Network Not Secure (27 June 2003)Palo Alto (CA) Weekly education reporter Rachel Metz found she was able to penetrate the Palo Alto Unified School District's wireless computer network armed with only a laptop and a wireless connection card. Metz was able to access students' grades, addresses, medical and psychological evaluations and photographs; she informed the school district, which immediately took the network off-line to fix the problem.
[Editors' Note (Schultz): Here we have still another case of a reporter who has broken the law simply to get a story. It is time for law enforcement to go after reporters who commit computer crime in the name of journalism. ]
Windows 2000 Service Pack 4 is Available (27 June 2003)Microsoft's Service Pack 4 for Windows 2000, released on June 25, includes updates and patches that have been made available for the system since the release of Service Pack 3 in August 2002. The End User License Agreement (EULA) has also been updated to include specific information about features that "call home" to Microsoft so users can turn off the features they don't want.
Advice for Mitigating Security Risks (26 June 2003)While there is no one method to ensure cyber security at all enterprises, adhering to four core principles can help mitigate the risks. Organizations should know what's running on their systems and they should apply the "principle of least privilege," allowing users and systems the minimum level of access necessary to perform their jobs. It is also important for organizations to deploy a variety of security measures to provide layers of protection, and to use technology that allows for detection of cyber security incidents.
Microsoft Warns of Media product Vulnerabilities (25/26 June 2003)Microsoft has released a pair of security bulletins regarding flaws in two of its Windows Media products. The more serious of the two vulnerabilities, given a severity rating of important, is a buffer overflow flaw in ISAPI Extension for Windows Media Services that could allow attackers to execute code or crash the server; it affects Windows 2000. The second vulnerability, rated moderate, exists in the way an ActiveX control in the Windows Media Player 9 series allows access to information on affected computers.
W32/Sobig.E Worm Could be Used by Spammers (25/26 June 2003)A new variant of the Sobig worm, W32/Sobig.E@MM, has been spreading around the world. Sobig.E places a Trojan horse e-mail program, which can be used to send spam on computers it infects; it spreads as a .zip file, an extension that is not usually blocked. The worm affects machines running on the Windows 95, 95, Me, NT and 2000 operating systems. Like earlier versions, Sobig.E is set to expire after several weeks.
Experts Want Government to Leverage Spending Power to Encourage Security(25 June 2003)Testifying before the Cybersecurity, Science and Research and Development Subcommittee, Counterpane Internet Security CTO Bruce Schneier, CERT Coordination Center director Richard Pethia and SANS Institute director of research Alan Paller encouraged the government to "use its purchasing power to improve
security." Schneier also spoke in favor of imposing liability on users who leave their systems unsecured.
Distributed Denial of Service Attack Hits ClickBank and SpamCop.net (25 June 2003)ClickBank and SpamCop.net are working with the FBI to track down the perpetrators of a distributed denial-of-service (DDoS) attack that has hit both companies' servers. The attack, which began on June 21, filled ClickBank's log files at the rate of over 1MB/second. Several unnamed companies and government agencies suffered a similar attack three weeks ago.
RIAA Will Go After More File Traders (25 June 2003)The Recording Industry Association of America (RIAA) plans to scan peer-to-peer network public directories to find which files are being shared and then subpoena users' Internet service providers (ISPs) to obtain their identities. RIAA President Cary Sherman said those found violating copyrights could face civil lawsuits and possibly criminal prosecution. Critics of the activity say the actions are likely to prompt the creation of stealthier file trading technology and that the RIAA risks alienating customers.
[Editor's Note (Schneier): If the largest file archives really are a significant percentage of the total, this approach might have some effect, but if it's truly distributed, it'll just spread FUD without getting results. It's the business model that's the real problem, of course. ]
Japanese University Server Used to Try to Break into NASA Computers (25 June 2003)Kobe (Japan) University officials say someone has broken into a university server and installed a program as part of an attempt to break into NASA computers.
Former Microsoft Employee Arrested for Allegedly Reselling Software (24 June 2003)Richard Gregg, who until December 2002 worked as a Windows development project coordinator for Microsoft, has been arrested for allegedly ordering $17 million worth of company software through an internal purchasing system and reselling it, pocketing all the profits. Microsoft has been working with the FBI and the US Attorney's Office on the investigation.
Symantec Addresses Security Check Service Vulnerability (24 June 2003)An ActiveX control vulnerability in Symantec's on-line Security Check service could allow attacker to access vulnerable machines. Symantec has replaced the component so users who may have downloaded the faulty ActiveX script can run a new security scan; the new component will overwrite the old software and fix the problem. The person who posted information about the vulnerability on a mailing list two days before Symantec released its advisory readily admits he didn't inform Symantec before going public.
Executive Branch Agencies Can Hire Cyber Security Specialists Directly (24 June 2003)The government's focus on homeland security has led to an increased demand for cyber security specialists at government agencies. As a result, the Office of Personnel Management has granted direct-hire authority to executive branch agencies.
Managed IT Security Services Market in Great Demand, Says Study (24 June 2003)A study from Forrester Research indicates that the market for managed IT security services will increase to US$5.3 billion in 2008. The study predicts that small to medium businesses will account for 66% of that market. Forrester also predicts that managed intrusion detection systems (IDS) will grow at a rate of 47% a year, outstripping the predicted 25% a year growth of managed firewall services.
Web Address Hijacking on the Rise (24 June 2003)Cyberjackers take over unused Internet addresses at large companies and governments and use them to send out spam and viruses. One reason for the increase in this activity may be that the Internet is running out of addresses, a problem that will be remedied by Internet Protocol Version 6 (IPV6) which will have a much larger address scheme, but which will take at least a decade to gain wide adoption.
[Editors' Note (Schultz, Grefer): IPV6 is alive and well and is currently being used extensively in parts of the world such as China and South Korea.
65,000 LA County Web Addresses hijacked (26 June 2003)One cyberjacker broke into a computer Los Angeles (CA) County and used it to send unsolicited e-mail to 65,000 web addresses, and to try to access other computers. An investigation is taking place. The attack, which occurred during April 2003, required only one phone call and one e-mail to the American Registry of Internet Numbers.
Government Gets Right To Hire Computer Security Experts FasterThe US Office of Personnel Management approved government-wide use of "direct hire" authority to recruit more technology experts skilled in preventing the unauthorized use of computers, especially by terrorists. Direct hire allows agencies to avoid some of the competitive procedures normally required for federal jobs.
Disgruntled Employee Sent Confidential Document to Employees (23 June 2003)ThruPoint is investigating an instance of an employee allegedly breaking into company computers, accessing a confidential document relating to the restructuring of the consultancy's European offices, and e-mailing information contained in the document to other employees. In addition, information from the document appeared on a website for former company employees.
How to Hold on to Your Security Management Job (June 2003)Advice for CSOs and CISOs who want to keep their job includes taking time to figure out the corporate culture and your place in it, conducting a security assessment in order to establish a baseline you can use to provide executives with metrics and developing good business acumen.
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit