-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**********************************************************************
                            SANS NEWSBITES
              The SANS Weekly Security News Overview
           Volume 4, Number 1              January 3, 2002
Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer,
Vicki Irwin, Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz
**********************************************************************

A vulnerability has been discovered in the Windows version of the AOL
Instant Messenger software. (AIM software running on other platforms,
such as Linux or the Macintosh, does not appear to be vulnerable.) If
exploited, an attacker may be able to run programs on your computer
without your permission, much like a worm or virus can. A temporary
fix can be applied that will help to reduce the risk:

1. Go to your Preferences
2. Go to the Privacy section
3. Click "Allow only users on my Buddy List" under "who can contact me"

This is not a perfect fix: if someone on your buddy list gets attacked,
you can be attacked by that infected individual. Users should watch for
updated AIM software from AOL. AOL is also expected to patch its
servers to alleviate the problem.
More information about this vulnerability can be found at
http://www.newsbytes.com/news/02/173320.html

**********************************************************************
TOP OF THE NEWS
 1 January 2002   Some Harvard Admissions E-Mail Treated as Spam
31 December 2001  NY Privacy Policy Act Becomes Law
14 December 2001  Cracker/Thief Sentenced
10 December 2001  GAO and State Auditors Release Security Auditing Guide

THE REST OF THE WEEK'S STORIES
31 December 2001  Sklyarov Returns Home
28 December 2001  Banks Support B2B Standard
27 December 2001  Worm Writers are Not Often Caught or Prosecuted
27 December 2001  McAfee Offers AV and Firewall Subscriptions
27 December 2001  Gift Cards Frequently Not Secure
27 December 2001  This Year's Threats May Get More Vicious
26 December 2001  Patching IE Can be Tricky
26 December 2001  IE SSL Authentication Hole
24 December 2001  Gilmore Commission on IT and Homeland Security
20 December 2001  Cyber Law Year in Review
18 December 2001  AmEx Contest Security Gaffe
 1 December 2001  The Question of Cyberinsurance
   December 2001  Sieberg's Top Ten Tech Stories of 2001

TUTORIALS
14 December 2001  Rootkit Basics
13 December 2001  Blended Threats

UPCOMING TRAINING OPPORTUNITIES
**    SANS South Beach (2 tracks), Miami, Jan. 7-12
**    SANS Gateway Asia (2 tracks), Singapore, Jan 10-15
*     SANS Down Under (1 track), Melbourne, Jan 10-15
***   SANS Darling Harbour (4 tracks), Sydney, Jan 19-24
**    SANS Peachtree 2002 (3 tracks), Atlanta, Jan 18-24
***   SANS Aloha IV (4 tracks), Honolulu, Jan 28-Feb 2
****  SANS Computer Security Bootcamp (7 tracks), Monterey, CA, Feb 9-14
*     SANS San Diego Info. Sec. Officer (1 track), Feb 25-Mar 1
*     SANS Ottawa Info. Sec. Officer (1 track), Feb 25-Mar 1
**    SANS Lone Star (3 tracks), San Antonio, March 11-16
***** SANS 2002 (our largest conference) (12 tracks plus a free
      technical conference for all who attend the tracks), Orlando,
      April 1-7
See www.sans.org for details.
***********************Sponsored by SurfControl***********************
Personal Web-Based Email Accounts Spell Trouble for Security
Viruses can enter your network undetected via downloads or accessing
web-based email. This security risk can be eliminated by blocking
access to such accounts and restricting downloads of potentially
damaging files. Try SuperScout Web Filter FREE:
http://www.surfcontrol.com/promo/zsnb0102
************************************************************************

TOP OF THE NEWS

 --1 January 2002  Some Harvard Admissions E-Mail Treated as Spam
Between 75 and 100 early admission application e-mail messages from
Harvard University's admissions office were bounced back because AOL
identified them as spam. Hopeful students found out whether or not they
had been admitted by calling the office instead.
http://www.cnn.com/2002/TECH/internet/01/01/harvard.spam.ap/index.html
[Editor's (Murray) Note: Security is a difficult balancing act.
However, the real villains here are those that initiate the spam that
forces the filtering in the first place.
(Schultz) Later data showed that 1) only acceptance (not rejection)
messages had been emailed, and 2) Harvard snail mailed acceptance
letters after learning about what AOL did.]

 --31 December 2001  NY Privacy Policy Act Becomes Law
New York State's freshly signed Internet Privacy Policy Act prohibits
State agencies from gathering or divulging site visitors' personal data
without their consent. Visitors are allowed to access any of their
information the sites collect.
http://www.gcn.com/vol1_no1/daily-updates/17664-1.html

 --14 December 2001  Cracker/Thief Sentenced
Markus Lukawinsky received a prison sentence of a year and a day to be
followed by three years of probation. He was sentenced for stealing
computer equipment from and breaking into the computers of a
Connecticut consulting company and downloading encrypted password
files which he used to log in to the system as an employee.
Lukawinsky must also pay the firm restitution of almost $200,000.
http://www.usdoj.gov/criminal/cybercrime/LukawinskySent.htm

 --10 December 2001  GAO and State Auditors Release Security Auditing Guide
The US Government Accounting Office and twelve state and local auditing
agencies jointly published a comprehensive and thoughtful roadmap for
security audits. Among the many important guidelines was an unequivocal
requirement that auditors who audit access control (including
penetration testing) and system software must have specialized
technical skills such as knowledge of security configuration
requirements and how to test for them on both servers and applications
as well as advanced knowledge of network hardware, software and
protocols.
http://www.gao.gov/special.pubs/mgmtpln.pdf
[Editor's (Paller) Note: This is good advice. With solid technical
skills, security auditors often become the most powerful force for
positive change in improving security. Even before the new report was
issued, we saw a surge in auditors attending very technical courses at
SANS conferences and earning GIAC certifications. Randy Marchany (at
Virginia Tech) is the quintessence of the fusion of technical skills
and auditing. His STAR risk analysis system has been a boon to hundreds
of security auditors:
http://www.security.vt.edu/playitsafe/index.phtml#RiskAnalysis]

THE REST OF THE WEEK'S STORIES

 --31 December 2001  Sklyarov Returns Home
Dmitry Sklyarov, the Russian software programmer who recently reached
an agreement with US authorities to avoid prosecution under the Digital
Millennium Copyright Act (DMCA), has returned to Russia. He has agreed
to keep authorities apprised of his location and to appear at legal
hearings if he is needed.
http://news.cnet.com/news/0-1005-200-8324114.html?tag=owv

 --28 December 2001  Banks Support B2B Standard
Fourteen banks around the world are running pilot programs of Project
Eleanor, a proposed industry standard that will secure
business-to-business payments by establishing online authentication
methods and reduce payment clearing time to one day. The standard has
the support of major banks worldwide.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67001,00.html

 --27 December 2001  Worm Writers are Not Often Caught or Prosecuted
Even though some worm and virus writers leave clues to their identities
in their coding, they're not often caught because tracking them down is
not a profitable business. Cybercrime units tend to focus their
resources on fraud, and legal systems around the world are unsure what
to do with cyber criminals. Russ Cooper says virus writers should be
pursued and prosecuted as an example to the rest of the virus-writing
community.
http://www.wired.com/news/politics/0,1283,49313,00.html

 --27 December 2001  McAfee Offers AV and Firewall Subscriptions
McAfee is offering subscriptions for automatically updated antivirus
software and remotely managed firewall service to Internet users in the
UK and Germany. The service will be available to a dozen more countries
in 2002.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1723000/1723447.stm

 --27 December 2001  Gift Cards Frequently Not Secure
Some retailers that sell magnetic stripe gift cards are not taking
adequate security precautions to protect the cards from counterfeiters.
If card account numbers are visible before purchasing or are shelved
sequentially, thieves need only create fraudulent cards for those
accounts and find out the amounts purchased on each card by using an
800 number. Stores would be well advised to package the cards so the
account numbers are hidden, use bar codes rather than magnetic strips,
and have their cashiers check that the numbers on the card and the
transaction match.
http://www.msnbc.com/news/598102.asp?0dm=C12OT

 --27 December 2001  This Year's Threats May Get More Vicious
Experts predict that worms and viruses will get nastier in 2002.
Blended threats, such as Nimda, made a strong appearance in 2001;
blended threats make use of multiple attack methods and don't require
users to click on attachments. The experts disagree about the threat of
mobile viruses.
http://www.zdnet.com/zdnn/stories/news/0,4586,2834890,00.html

 --26 December 2001  Patching IE Can be Tricky
Fixing the "automatic execution of embedded MIME types" vulnerability
in Internet Explorer (IE) is not a one-size-fits-all procedure, which
can frustrate system administrators who need to patch numerous company
desktops.
http://www.zdnet.com/zdnn/stories/comment/0,5859,2834787,00.html

 --26 December 2001  IE SSL Authentication Hole
E-matters, a German web development company, found that Microsoft's
Internet Explorer (IE) can be tricked into accepting phony or expired
certificates for accessing e-commerce sites. Users who check the
certificates before visiting sites will notice that they have expired
or that the domain does not match the site they are accessing, but
most people don't do this.
http://www.newsbytes.com/news/01/173217.html
E-matters' report: http://security.e-matters.de/advisories/012001.html

 --24 December 2001  Gilmore Commission on IT and Homeland Security
The Gilmore Commission's December 15th report on the response to
terrorism addressed IT aspects of homeland protection. The report
recommends that the Critical Infrastructure Protection Board include
representatives from all levels of government and that a third party
evaluate agency programs.
http://www.fcw.com/fcw/articles/2001/1217/web-report-12-24-01.asp
Gilmore Commission Site and links to report:
http://www.rand.org/nsrd/terrpanel/

 --20 December 2001  Cyber Law Year in Review
Cyber law experts list significant developments of 2001; among the top
few are the passage of the USA Patriot Act, the Microsoft decision, and
the Digital Millennium Copyright Act (DMCA) prevailing in court
decisions.
http://www.nytimes.com/2001/12/28/technology/28CYBERLAW.html

 --18 December 2001  AmEx Contest Security Gaffe
American Express admitted that it didn't build adequate security into a
web page asking customers to enter personal data, including credit card
numbers, for a chance to win a vacation. The page in question caches
the data and does not use SSL.
http://www.silicon.com/a50000

 --1 December 2001  The Question of Cyberinsurance
Although cyberinsurance covers events not covered in traditional
policies, some companies still find that their current insurance
policies are adequate. Additionally, cyberinsurance can be costly, and
companies may wish to spend money on security technology instead. While
cyberinsurance premium discounts may be offered for using certain
platforms and security services, some are concerned that organizations
using those products may fall into a false sense of security.
http://www.cio.com/archive/120101/et_article.html
[Editor's (Schultz) Note: The verdict on cyberinsurance is still very
uncertain. It has not had the degree of impact upon the infosec arena
that experts predicted it would only a few years ago. Some consultancies
based their business strategies on alliances with insurance companies,
with little to show for their efforts.]
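The IE SSL Authentication Hole item above says that a user who inspects a site's certificate by hand would notice two things a browser is supposed to check for them: that the certificate has not expired, and that the name in it matches the site being visited. The following Python is an added illustration of those two checks, not code from the newsletter or from e-matters' advisory. It represents certificates as plain dicts (constructed sample data, not parsed from a real certificate) and generalizes the name check to wildcard names using the RFC 2818 rule that a single `*` may stand only for the whole leftmost label.

```python
"""Two checks a browser must apply to a site certificate, shown on
constructed sample data: validity period and host name match.
Added example; it does not parse real certificates."""
from datetime import datetime, timezone


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818-style name matching: case-insensitive; a single '*' is
    allowed only as the entire leftmost label and matches exactly one
    label. Wildcards with fewer than three labels (e.g. '*.test') are
    refused because they would match every host under a TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the whole leftmost label, once
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names the certificate is valid for: subjectAltName DNS entries if
    present, otherwise the subject Common Name (legacy behaviour)."""
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans if sans else [cert["subject"].get("commonName", "")]


def check_certificate(cert: dict, hostname: str, now: datetime) -> list:
    """Return human-readable problems; an empty list means accept."""
    problems = []
    if now < cert["notBefore"]:
        problems.append("certificate not yet valid (notBefore %s)"
                        % cert["notBefore"].isoformat())
    if now > cert["notAfter"]:
        problems.append("certificate expired on %s"
                        % cert["notAfter"].isoformat())
    names = certificate_names(cert)
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("hostname %r does not match certificate names %s"
                        % (hostname, names))
    return problems


# Constructed sample certificate for a fictional shop; .test is reserved
# for examples and never resolves on the public Internet.
SHOP_CERT = {
    "subject": {"commonName": "www.example-shop.test"},
    "subjectAltName": [("DNS", "www.example-shop.test"),
                       ("DNS", "*.cdn.example-shop.test")],
    "notBefore": datetime(2001, 1, 1, tzinfo=timezone.utc),
    "notAfter": datetime(2001, 12, 31, tzinfo=timezone.utc),
}


def demo() -> dict:
    """Run the checks for the cases the item describes: a good site, a
    wildcard host, a phony certificate for the wrong site, and an
    expired one."""
    on_date = datetime(2001, 12, 26, tzinfo=timezone.utc)   # item's date
    later = datetime(2002, 1, 3, tzinfo=timezone.utc)        # this issue
    return {
        "matching name, in date": check_certificate(SHOP_CERT, "www.example-shop.test", on_date),
        "wildcard match": check_certificate(SHOP_CERT, "img.cdn.example-shop.test", on_date),
        "wrong host": check_certificate(SHOP_CERT, "www.example-bank.test", on_date),
        "expired": check_certificate(SHOP_CERT, "www.example-shop.test", later),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "accept")
```

The point of splitting the checks into separate functions is that each one is a reason to refuse the connection on its own; a client that reports "accept" only when the problem list is empty cannot be talked into trusting a certificate that fails one check while passing the other.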
 -- December 2001  Sieberg's Top Ten Tech Stories of 2001
CNN.com Science and Technology Editor Daniel Sieberg offers his list of
the top ten technology stories of 2001, including Code Red, the FBI's
Magic Lantern project, Dmitry Sklyarov's arrest under the Digital
Millennium Copyright Act (DMCA) and Richard Clarke's appointment as
"cybersecurity czar."
http://www.cnn.com/SPECIALS/2001/yir/stories/technology/

TUTORIALS

 --14 December 2001  Rootkit Basics
This article describes rootkits and their purposes and activities, and
suggests ways to detect their presence on your system. The author also
recommends installing firewalls on network-connected machines, applying
software patches as they become available and removing unnecessary
services.
http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html

 --13 December 2001  Blended Threats
Blended threats make use of multiple methods of propagation, attack
multiple points in a system and require no human action to spread. The
best defense against blended threats is a comprehensive security
strategy that includes antivirus software, content filtering,
firewalls, intrusion detection and keeping current with patches.
http://enterprisesecurity.symantec.com/article.cfm?articleID=967&PID=9834967&EID=151

==end==

Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email. You may also
email with complete instructions and your SD number for subscribe,
unsubscribe, change address, add other digests, or any other comments.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8NHkj+LUG5KFpTkYRAqkwAJ4u3xEEz4vcTfM1f9x+F5/jyfE5ywCeIqhA
G2vmTWIfIKsPKrCnM9DaxzA=
=brtW
-----END PGP SIGNATURE-----