Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #5

February 05, 2003

TOP OF THE NEWS

Bush Approves National Cybersecurity Strategy; Cybersecurity Advisor Clarke Resigns
GEWIS Internet Monitoring System
Slammer is Fastest Spreading Worm
Man Sentenced for Selling Certification Exam Answers
Trojan Writers Exploit Outlook Express To Get Around Content Filtering

THE REST OF THE WEEK'S NEWS

Air Force Staff Sergeant Sentenced for Theft of Notebook Computers and PDAs
Slammer Demonstrates Microsoft Has a Long Way to Go on Trustworthy Computing
Strong Opposition to Electronic Voting in Silicon Valley
Benchmark Could Have Slowed Slammer's Progress
FAA Security Practices Helped Fend off Slammer
FAA CIO Mehan Interview
Missing Hard Drive Contains Data that Could be Used in Identity Theft
Take Steps to Protect Databases, Warn Lawyers
Consortium Wants Increased Cybersecurity R&D
Researcher Questions Publishing Proof-of-Concept Code
Georgia to Implement Behavior Based Intrusion Detection System
Dummy Server (Honeypot) Attracts Attacks
Coordinated Effort Helps Track Down Leaves Author
Fourth Man Arrested in Credit Report Theft Ring
Symantec's Buy-Out Proposal Site Exposed Information
Company Will No Longer Work with CERT/CC
Kansas Issuing Digital Certificates for Statewide PKI
Survey Says Companies are Still Reluctant to Share Security Breach Information
Root Server Traffic Largely Unnecessary
Social Security Number Misuse Prevention Act
OMB Minimum Security Standards Don't Apply in Some Contractor Situations
Thieves Stealing Bank Logon Data from Public Access Terminals in UK


********** This Issue Sponsored by Internet Security Systems **********
Are IM and P2P Technologies Undermining Your Security?
IM and P2P technologies are great tools for enhancing employee
productivity, but are popular targets for attack and misuse.
Learn how to balance the benefits against the risk of attack.
Visit: http://www.iss.net/ad/p2p_sansnewsbites020503
***********************************************************************

TOP OF THE NEWS

Bush Approves National Cybersecurity Strategy; Cybersecurity Advisor Clarke Resigns (31 January 2003)

President Bush has signed the National Strategy to Secure Cyberspace. The document will be released to the public within the next few weeks. In addition, Richard Clarke, White House cybersecurity advisor, is resigning his post; Clarke's deputy, Howard Schmidt, has assumed his duties. Schmidt is the former chief security officer for Microsoft Corp. and has a strong sense of the importance of government and the private sector working together to address cybersecurity.
-http://www.washingtonpost.com/wp-dyn/articles/A6320-2003Jan31.html
-http://www.washingtonpost.com/wp-dyn/articles/A3285-2003Jan30.html
[Editor's Note (Schultz): Howard Schmidt is a top-notch person, and I am glad to see that he is assuming the role vacated by Richard Clarke. (Paller) Dick Clarke did more to advance the cause of cybersecurity than anyone else inside or outside government. He'll be sorely missed by everyone who cares about protecting networks from attack. ]

GEWIS Internet Monitoring System (31 January 2003)

The Bush administration is creating an Internet monitoring system that will provide a picture of the Internet's health. The Global Early Warning Information System (GEWIS - "Gee-whiz") will detect and respond to denial-of-service attacks and other cyber incidents. GEWIS is being built by the National Communications System, a defense agency, which receives real time network status information from ISPs and telecommunications providers.
-http://www.washingtonpost.com/ac2/wp-dyn/A3409-2003Jan30
[Editor's Note (Ranum): The only way to respond to DOS is to be in the route the traffic is going to traverse. Detection by itself is a hard problem, but this whole concept is ridiculous as it's described. Of course phase 1 is just to provide a "Gee whiz" graphical picture of the health of the Internet. That's doable, given the right data. I bet that they won't get farther than that. (Paller) I disagree with Marcus on this one. Marcus is correct that only someone "in the path" can stop the attack. That "someone" is usually the ISP. When Internet Storm Center found the Lion worm, SANS analysts quickly informed the folks at the ISPs who acted instantly to block the China.com site where the worm was sending stolen password files. In other words, early detection can lead to immediate remediation. ]

Slammer is Fastest Spreading Worm (3 February 2003)

The Slammer worm infected 90% of vulnerable computers within ten minutes, according to the Cooperative Association for Internet Data Analysis (CAIDA). The number of infected hosts doubled every 8.5 seconds; after three minutes, Slammer was generating 55 million scans for vulnerable computers every second.
-http://news.zdnet.co.uk/story/0,,t269-s2129785,00.html
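The figures above match the standard logistic model of a random-scanning worm: infections double at a fixed rate while most vulnerable hosts are still uninfected, then flatten as targets run out. The Python below is an added worked example, not code from the newsletter or from the CAIDA analysis. The 8.5 second doubling time is the page's figure; the size of the vulnerable population (75,000 hosts) and the single seed infection are assumed parameters.

```python
import math

# Figure taken from the newsletter item.
DOUBLING_SECONDS = 8.5

# Assumed parameters (not from the page): one seed infection and a population
# of 75,000 vulnerable hosts.
ASSUMED_VULNERABLE_HOSTS = 75_000
INITIAL_INFECTIONS = 1


def growth_rate(doubling_seconds: float) -> float:
    """Continuous growth rate r such that exp(r * doubling_seconds) == 2."""
    return math.log(2) / doubling_seconds


def infected_at(t: float, n_vulnerable: int = ASSUMED_VULNERABLE_HOSTS,
                doubling_seconds: float = DOUBLING_SECONDS,
                initial: int = INITIAL_INFECTIONS) -> float:
    """Logistic model of a random-scanning worm.

    Each infected host finds new victims at a rate proportional to the
    fraction of the population still uninfected, so growth is exponential
    at first (doubling every `doubling_seconds`) and saturates at n_vulnerable.
    """
    r = growth_rate(doubling_seconds)
    return n_vulnerable / (1.0 + (n_vulnerable / initial - 1.0) * math.exp(-r * t))


def time_to_fraction(fraction: float, n_vulnerable: int = ASSUMED_VULNERABLE_HOSTS,
                     doubling_seconds: float = DOUBLING_SECONDS,
                     initial: int = INITIAL_INFECTIONS) -> float:
    """Seconds until `fraction` (0 < fraction < 1) of the population is infected.

    Closed-form inverse of infected_at(): solve N / (1 + (N/i0 - 1) e^{-rt}) = f N.
    """
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    r = growth_rate(doubling_seconds)
    return math.log(fraction / (1.0 - fraction) * (n_vulnerable / initial - 1.0)) / r


def doublings_before_saturation(n_vulnerable: int = ASSUMED_VULNERABLE_HOSTS,
                                initial: int = INITIAL_INFECTIONS) -> float:
    """Doublings separating the seed from full coverage; multiplied by the
    doubling time this gives a lower bound on the time to saturation."""
    return math.log2(n_vulnerable / initial)


if __name__ == "__main__":
    t90 = time_to_fraction(0.9)
    print(f"doublings needed: {doublings_before_saturation():.1f}")
    print(f"90% of {ASSUMED_VULNERABLE_HOSTS} hosts infected after {t90:.0f} s "
          f"({t90 / 60:.1f} min) at one doubling per {DOUBLING_SECONDS} s")
    for t in (0, 60, 120, 180, 240, 600):
        print(f"t={t:4d}s  infected={infected_at(t):9.0f}")
```

Under these assumptions 90% coverage takes under three minutes, well inside the ten-minute figure; the pure model is an upper bound on speed, since in practice the scanning traffic itself congests links once the worm is widespread. Note what the doubling time implies for defence: any response that takes minutes (paging an administrator, pushing a patch) is too slow, and only pre-positioned controls such as filtering at the network edge act on the same timescale as the worm.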

Man Sentenced for Selling Certification Exam Answers (31 January 2003)

Robert Kepple, who last summer pleaded guilty to selling answers to Microsoft certification examinations on the Internet, was sentenced to a year and a day in prison and ordered to pay a fine of half a million dollars. In addition, Kepple will be under supervision for three years after his release.
-http://certcities.com/editorial/news/story.asp?EditorialsID=401
[Editor's Note (Paller): As intellectual property becomes a larger component of wealth, this type of prosecution will become much more frequent. ]

Trojan Writers Exploit Outlook Express To Get Around Content Filtering (31 January 2003)

Virus authors and Trojan writers are using fresh malware tricks to fool traditional content filtering packages, email security firm MessageLabs says. A feature of Microsoft Outlook Express can be exploited to evade content filters and persuade an email recipient that an attachment is safe to open - even when it contains malicious code. Microsoft Outlook is not at risk (contrary to first reports of the problem).
-http://www.theregister.co.uk/content/56/29137.html


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) STOP SPAM and unwanted email. Take control. FREE WHITE PAPER!!!
http://www.sans.org/cgi-bin/sanspromo/NB128
(2) ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis
FREE white paper! http://www.sans.org/cgi-bin/sanspromo/NB129
(3) PREVENT INTRUSIONS FOR GOOD. Identify attackers. Block them with
countermeasures! FREE White Paper.
http://www.sans.org/cgi-bin/sanspromo/NB130
***********************************************************************
SANS National Information Assurance Leadership Conference (March
5-6 in San Diego) is the only conference to attend for CISO's
and other security managers and team leaders. The highest rated
speakers in the security field - no vendor marketing fluff. And it
is not too technical for managers. You can even attend it and then
attend SANS immersion training in the same hotel right after the
conference. www.sans.org/SANS2003/ (Click on NIAL in "Select a Course")
***********************************************************************

THE REST OF THE WEEK'S NEWS

Air Force Staff Sergeant Sentenced for Theft of Notebook Computers and PDAs (3 February 2003)

Air Force Staff Sergeant Sheridan Ferrell II was sentenced to six years in military prison for stealing four notebook computers and two Palm Pilots from US Central Command in Tampa, Florida. The items, some of which contained sensitive data, were stolen last summer and were recovered at Ferrell's home. He apparently stole the items because he was angry that he had been passed over for promotion. Ferrell was also demoted and will be dishonorably discharged after he completes his prison term.
-http://www.gcn.com/vol1_no1/daily-updates/21034-1.html

Slammer Demonstrates Microsoft Has a Long Way to Go on Trustworthy Computing (1 February 2003)

Some security experts are pointing to Slammer as evidence that Microsoft's Trustworthy Computing Initiative is not living up to its initial billing.
-http://www.cnn.com/2003/TECH/biztech/02/01/microsoft.security.reut/index.html
[Editor's Note (Schultz): It's premature to say that Microsoft's Trustworthy Computing Initiative (TCI), which is not even one year old yet, is a failure. It's true that serious vulnerabilities in Microsoft products are being discovered all the time, but these vulnerabilities are in older products, products that were not developed when the TCI went into effect. We should instead turn our attention towards new Microsoft products such as Windows Server 2003 when deciding whether or not TCI is successful. ]

Strong Opposition to Electronic Voting in Silicon Valley (30 January/1 February 2003)

Some local computer scientists have expressed concern over Santa Clara (CA) County's plan to introduce direct-recording electronic voting as a replacement for its present punch card system. The computer scientists fear that the all-electronic system offers no way for voters to validate that their selections were recorded accurately; they would rather see a system that prints out a paper ballot and provides an audit trail.
-http://online.securityfocus.com/news/2197
-http://www.wired.com/news/business/0,1367,57490,00.html

Benchmark Could Have Slowed Slammer's Progress (31 January 2003)

Slammer's rapid spread across the Internet could have been slowed if companies had installed the patch Microsoft had issued for the vulnerability and if they had used the free Consensus Minimum Security Benchmarks, which are designed to detect vulnerabilities, including the one exploited by Slammer. The benchmarks were developed by five federal agencies, the SANS Institute and the Center for Internet Security (CIS).
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78063,00.html

[Editor's Note (Schultz): There was no patch for those who installed the Microsoft Desktop Engine (MSDE) using the Microsoft .NET Framework Software Developer's Kit until several days after Slammer first struck the Internet. ]

FAA Security Practices Helped Fend off Slammer (28 January 2003)

The Federal Aviation Administration (FAA) came through Slammer relatively unscathed: only one administrative server was compromised. FAA CIO Daniel Mehan credited his agency's cyber security strategies, which include keeping current on patches, providing regular training for employees, isolating mission critical flight control computers from web connected machines, using firewalls and conducting regular internal security audits. The FAA is also working with some vendors on building security into their products.
-http://www.idg.net/ic_1041353_9676_1-5123.html

FAA CIO Mehan Interview (31 January 2003)

In an interview, Federal Aviation Administration (FAA) CIO Dan Mehan discussed the need for developers to integrate security into the design of their products and the FAA's policy on wireless technologies.
-http://www.computerworld.com/securitytopics/security/story/0,10801,78060,00.html

Missing Hard Drive Contains Data that Could be Used in Identity Theft (30 January 2003)

The Royal Canadian Mounted Police (RCMP) and the Regina (Saskatchewan) Police Service are investigating the disappearance of a computer hard drive that contains personal information belonging to 180,000 customers of Co-operators Life Insurance Company; the information could be used to steal people's identities. Co-operators' customers have been sent a letter describing the situation. ISM Canada, the company that stored the data, says other clients' data is also on the disk.
-http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035777205819&call_pageid=968332188492&col=968793972154
-http://www.theregister.co.uk/content/55/29117.html

Take Steps to Protect Databases, Warn Lawyers (30 January 2003)

Lawyers in the UK are warning companies to take steps to better protect their databases after two incidents of attempted data theft were reported recently. The databases may have been targeted to harvest e-mail addresses for mass mailings. The lawyers say companies should document the steps they take to secure the data and develop disaster plans that can be implemented in the case of an attack.
-http://www.vnunet.com/News/1138363

Consortium Wants Increased Cybersecurity R&D (30/31 January 2003)

The Institute for Information Infrastructure Protection (I3P) wants the government and private sector companies to conduct research and development in eight areas of cybersecurity, including secure system and network response and recovery; enterprise security management; and traceback, identification and forensics. I3P is a consortium of security research institutions funded by the National Institute of Standards and Technology (NIST) and based at Dartmouth College in Hanover, New Hampshire.
-http://www.idg.net/ic_1066736_9677_1-5046.html

Researcher Questions Publishing Proof-of-Concept Code (30 January 2003)

David Litchfield, who discovered the vulnerability exploited by the Slammer worm last week, says the worm was built from code he had published as a proof of concept. In the wake of Slammer's rampant spread, Litchfield questioned the wisdom of continuing to publish such code.
-http://www.computerworld.com/securitytopics/security/story/0,10801,78020,00.html

Georgia to Implement Behavior Based Intrusion Detection System (29 January 2003)

The State of Georgia plans to implement a behavior-based intrusion detection system. The state's network security has so far relied on firewalls and signature-based intrusion detection systems; adding a behavior-based system should reduce the likelihood that state computers will be hit by viruses and worms whose signatures are not yet known. The system establishes a baseline of normal network behavior and notifies administrators of deviations from it.
-http://www.fcw.com/geb/articles/2003/0127/web-georgia-01-29-03.asp
[Editor's Note (Ranum): Many organizations have planned behavior-based IDS. Very few of the behavioral systems have paid off, unless they are supported with vast amounts of expertise or manpower. Perhaps this would be more newsworthy after they've succeeded. ]
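The baseline-and-anomaly approach the article describes, as an added illustration in Python; this is not code from the State of Georgia's system or from any product, and the flow records are constructed for the example. The detector learns, per internal host, how many distinct destination/port pairs that host normally touches per minute, then flags minutes that exceed the learned mean by a margin. A worm-like fan-out is caught with no signature at all; the second run in the usage section shows Ranum's point, that an aggressively tuned threshold turns ordinary variation into a stream of alerts somebody has to triage.

```python
import statistics
from collections import defaultdict

# Flow records are (minute, source host, destination host, destination port).
# Both record sets below are constructed for this example.


def make_baseline_records():
    """An hour of quiet traffic: each workstation talks to the mail and file
    servers every minute and to the web proxy every fifth minute."""
    records = []
    for minute in range(60):
        for host in ("ws-1", "ws-2"):
            records.append((minute, host, "mail", 25))
            records.append((minute, host, "file", 445))
            if minute % 5 == 0:
                records.append((minute, host, "web", 80))
    return records


def make_observed_records():
    """Five later minutes. At minute 63 ws-1 suddenly fans out to 40 peers on
    one port (worm-like scanning); ws-9 is a host never seen in the baseline."""
    records = []
    for minute in range(60, 65):
        for host in ("ws-1", "ws-2"):
            records.append((minute, host, "mail", 25))
            records.append((minute, host, "file", 445))
    for i in range(40):
        records.append((63, "ws-1", f"ws-{100 + i}", 445))
    records.append((61, "ws-9", "mail", 25))
    return records


def fanout_per_minute(records):
    """Return {source host: {minute: number of distinct (dst, port) pairs}}."""
    pairs = defaultdict(set)
    for minute, src, dst, dport in records:
        pairs[(src, minute)].add((dst, dport))
    counts = defaultdict(dict)
    for (src, minute), targets in pairs.items():
        counts[src][minute] = len(targets)
    return counts


def build_baseline(records):
    """Per-host (mean, population std-dev) of the per-minute fan-out."""
    baseline = {}
    for src, by_minute in fanout_per_minute(records).items():
        values = list(by_minute.values())
        baseline[src] = (statistics.mean(values), statistics.pstdev(values))
    return baseline


def detect_anomalies(records, baseline, k=3.0, min_margin=3.0):
    """Flag minutes whose fan-out exceeds mean + max(k * stdev, min_margin).

    `k` scales the tolerance to each host's own variability; `min_margin`
    keeps a host with a near-constant baseline (stdev close to zero) from
    alerting on a single extra connection. Hosts absent from the baseline are
    reported separately, since there is nothing to compare them against.
    """
    alerts = []
    for src, by_minute in fanout_per_minute(records).items():
        if src not in baseline:
            first = min(by_minute)
            alerts.append({"host": src, "minute": first, "count": by_minute[first],
                           "threshold": None, "reason": "no baseline for host"})
            continue
        mean, stdev = baseline[src]
        threshold = mean + max(k * stdev, min_margin)
        for minute in sorted(by_minute):
            count = by_minute[minute]
            if count > threshold:
                alerts.append({"host": src, "minute": minute, "count": count,
                               "threshold": round(threshold, 2),
                               "reason": "fan-out above baseline"})
    return alerts


if __name__ == "__main__":
    model = build_baseline(make_baseline_records())
    for alert in detect_anomalies(make_observed_records(), model):
        print(alert)
    # The same detector tuned too tightly alerts on the ordinary web-proxy minutes.
    noisy = detect_anomalies(make_baseline_records(), model, k=1.0, min_margin=0.0)
    print(f"tight tuning: {len(noisy)} alerts on an hour of normal traffic")
```

With the defaults, the run reports exactly two things: ws-1's 42-destination minute and the never-before-seen ws-9. Re-running against the hour of baseline traffic with k=1 and no minimum margin produces 24 alerts on perfectly normal web-proxy minutes, which is the false-positive load that makes such systems expensive to operate.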

Dummy Server (Honeypot) Attracts Attacks (29 January 2003)

PSINet Europe set up an unprotected "dummy" server at its Amsterdam Internet Data Center; the server was attacked more than 450 times within 24 hours of going on line. The server contained no data and had no public profile. Many of the attacks were made from broadband or cable ISPs; most attacks came from the United States and Western Europe.
-http://zdnet.com.com/2100-1105-982554.html
[Editor's Note (Schultz): When deployed properly, honey pots can be extremely valuable. At a minimum they can serve as a "barometer" of the amount and types of malicious activity on the Internet. ]

Coordinated Effort Helps Track Down Leaves Author (29 January 2003)

This article offers a detailed account of a coordinated effort between the White House, FBI and members of the private sector to track the author of the Leaves worm in the summer of 2001. In the midst of their work, the team was forced to deal with another Internet fiend -- Code Red. In the end the team uncovered the worm's author in the UK, but his identity was never disclosed.
-http://www.govexec.com/dailyfed/0103/012903worm.htm

Fourth Man Arrested in Credit Report Theft Ring (29 January 2003)

A fourth man has been arrested in connection with a massive identity theft ring in which thousands of credit reports were stolen and sold. The newly arrested man could face up to 35 years in prison and more than $1 million in fines if convicted. Another man, who exploited his position at a technology company to obtain the records, will be arraigned this week.
-http://www.cnn.com/2002/TECH/11/26/hln.wired.id.theft/index.html

Symantec's Buy-Out Proposal Site Exposed Information (29 January 2003)

A security hole in Symantec's "Submit a Deal" website exposed proposals from businesses offering to be bought out by the security company. The compromised information was stored in a Lotus database; the website has since been taken offline.
-http://www.wired.com/news/infostructure/0,1377,57438,00.html

Company Will No Longer Work with CERT/CC (28/29/30 January 2003)

Next Generation Security Software Ltd. (NGS) will no longer work with the Computer Emergency Response Team Coordination Center (CERT/CC) because researchers at the company say the organization shared vulnerabilities reported by NGS with a vendor and government agencies before public disclosure. CERT/CC's disclosure policy states that it does provide advance notice of vulnerabilities to its sponsors, Internet Security Alliance members and owners of critical infrastructure. NGS says it will now work directly with vendors instead of going through CERT/CC.
-http://www.eweek.com/article2/0,3959,849816,00.asp
-http://www.computerworld.com/securitytopics/security/story/0,10801,77988,00.html
-http://zdnet.com.com/2100-1105-982663.html

Kansas Issuing Digital Certificates for Statewide PKI (28 January 2003)

The state of Kansas has begun issuing digital certificates to its employees for use in a public key infrastructure (PKI). Kansas is the first state to implement a statewide PKI, which eliminates the need to integrate systems from multiple providers at a later date. This year, 1,500 employees at two state agencies will receive the certificates.
-http://www.gcn.com/vol1_no1/daily-updates/21004-1.html

Survey Says Companies are Still Reluctant to Share Security Breach Information (28 January 2003)

A survey conducted by Defcom, a security consultancy, found that companies in the United Kingdom are still reluctant to report security breaches to authorities. Two thirds of the companies participating in the survey indicated they would be fearful of damaging their company's reputation by disclosing cyber security events. Additionally, almost half of the companies' directors were not informed about security breaches.
-http://www.vnunet.com/News/1138317

Root Server Traffic Largely Unnecessary (28 January 2003)

After analyzing one day of traffic received by one of the Internet's 13 root servers, researchers at the San Diego Supercomputer Center (SDSC) concluded that the vast majority of the queries were unnecessary and could have been answered by other parts of the network. Approximately 70% were repeated queries for names the same resolvers had already asked about, which ISP-level caching should have absorbed; the remainder included queries for names under non-existent top-level domains and queries for numerical IP addresses submitted as if they were host names. The SDSC is developing software tools to help address this problem.
-http://news.bbc.co.uk/2/hi/technology/2699071.stm
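To make the three categories in the SDSC finding concrete, here is an added Python example (not the SDSC's tool, and not code from the article) that triages a constructed root-server query log into repeats a caching resolver should have absorbed, queries for names under non-existent top-level domains, and queries whose "name" is actually an IP address. The log lines, the one-hour repeat window and the short list of known TLDs are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed log, one query per line: "<unix time> <resolver ip> <query name> <type>".
SAMPLE_LOG = """\
1043712000.001 192.0.2.10 www.example.com. A
1043712000.050 192.0.2.10 www.example.com. A
1043712000.120 192.0.2.10 www.example.com. A
1043712001.000 198.51.100.7 mail.example.net. MX
1043712001.300 198.51.100.7 mail.example.net. MX
1043712002.000 203.0.113.5 printer.local. A
1043712002.400 203.0.113.5 10.1.2.3. A
1043712003.000 203.0.113.5 host.example.org. A
1043712003.500 192.0.2.10 192.168.0.1. A
1043712004.000 198.51.100.7 wpad.corp. A
"""

# A deliberately small stand-in for the real set of delegated TLDs (assumption).
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "arpa",
              "uk", "de", "jp", "ca"}

# Assumed: roughly how long a cached delegation remains useful to a resolver.
REPEAT_WINDOW_SECONDS = 3600.0


def parse_line(line):
    """Split one log line into (timestamp, resolver, normalised name, type)."""
    ts, src, qname, qtype = line.split()
    return float(ts), src, qname.rstrip(".").lower(), qtype.upper()


def is_numeric_name(qname):
    """True when the 'name' is an IP literal that a resolver should never send to a root."""
    try:
        ipaddress.ip_address(qname)
        return True
    except ValueError:
        return False


def classify(lines, known_tlds=KNOWN_TLDS, repeat_window=REPEAT_WINDOW_SECONDS):
    """Label each query and return (Counter of category -> count, [(category, src, qname)]).

    A query is a repeat when the same resolver asked the same question within
    the cache window of an earlier answer; the window is measured from the
    first answer, so repeats do not extend it.
    """
    last_answer = {}
    counts = Counter()
    labelled = []
    for raw in lines:
        if not raw.strip():
            continue
        ts, src, qname, qtype = parse_line(raw)
        key = (src, qname, qtype)
        if is_numeric_name(qname):
            category = "numeric address"
        elif qname.rsplit(".", 1)[-1] not in known_tlds:
            category = "non-existent TLD"
        elif key in last_answer and ts - last_answer[key] <= repeat_window:
            category = "repeat within cache window"
        else:
            category = "legitimate"
            last_answer[key] = ts  # a fresh answer the resolver could have cached
        counts[category] += 1
        labelled.append((category, src, qname))
    return counts, labelled


def unnecessary_fraction(counts):
    """Share of queries that never needed to reach the root."""
    total = sum(counts.values())
    return 0.0 if total == 0 else 1.0 - counts["legitimate"] / total


if __name__ == "__main__":
    counts, rows = classify(SAMPLE_LOG.splitlines())
    for category, n in counts.most_common():
        print(f"{n:3d}  {category}")
    print(f"{unnecessary_fraction(counts):.0%} of queries need not have reached the root")
```

The same triage is what an operator of a recursive resolver can run against its own outbound query log: repeats point at a resolver that is not honouring negative or delegation caching, and a steady stream of queries for bogus TLDs or IP literals usually traces back to misconfigured clients or search-list behaviour inside the network.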

Social Security Number Misuse Prevention Act (27 January 2003)

A bill introduced in the US Senate would prohibit displaying Social Security numbers on readily available forms of identification such as drivers' licenses, on checks, and in public records made available on the Internet. The goal is to make it harder for identity thieves to obtain the numbers.
-http://www.fcw.com/fcw/articles/2003/0127/web-ident-01-27-03.asp

OMB Minimum Security Standards Don't Apply in Some Contractor Situations (27 January 2003)

The Office of Management and Budget (OMB) Circular A-130 establishes minimum security standards for federally owned and operated computer systems and requires periodic security awareness training for employees who work with those systems. Although Circular A-130 covers contractor employees as well as federal employees, it does not apply to computer systems that contractors themselves own and operate.
-http://www.fcw.com/fcw/articles/2003/0127/pol-carl-01-27-03.asp
[Editor's Note (Ranum): That's silly. If it's got access to your network, it's just as critical to your security as your own machine. ]

Thieves Stealing Bank Logon Data from Public Access Terminals in UK (27 January 2003)

Cyber thieves have been gleaning bank account logon data from public access Internet terminals and stealing money from people's accounts. Lloyds TSB advises its customers not to leave public terminals while still logged on and to clear auto-complete records from browsers.
-http://www.theregister.co.uk/content/6/29054.html
[Editor's Note (Ranum): Clear records from browsers?!!? What are they smoking? Haven't they heard of KEYSTROKE LOGGERS? Never ever do ANYTHING important (like enter a password) from a public access terminal. ]


===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.