-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The National Infrastructure Protection Center just released an 84 page summary of all security vulnerabilities, viruses and Trojans identified between December 12, 2000 and December 14, 2001. It is a valuable check list that includes risk level, vendor, operating system, software and reference to more detailed data in NIPC's CyberNotes.
http://www.nipc.gov/cybernotes/2001/cyberissue2001-26.pdf

Alan

**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 2    January 9, 2002

Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz
**********************************************************************

TOP OF THE NEWS
8 January 2002 Virus Found in Macromedia Flash File
8 January 2002 National Research Council Report: US Firms at Risk
2, 3 & 4 January 2002 File Sharing Programs Contain Trojan
2 January 2002 ZaCker Worm
2 January 2002 IT Insurance Policies Exclude On Line Assets, Acts of Terrorism

THE REST OF THE WEEK'S NEWS
4 January 2002 BSA Offers Illegal Software Amnesty Program
4 January 2002 IE Patch Opens up a Hole
4 January 2002 Seeker Trojan Tries to Alter IE Settings
3 & 4 January 2001 Microsoft Encourages Passport Users to Install Patch
3 & 4 January 2002 Nvidia Settles Suit with Dutch Hackers
4 January 2002 Judge Okays Keystroke Logging Evidence
4 January 2002 College Student Disclosed AIM Vulnerability
2,3 & 4 January 2002 AOL Patches AIM Hole
3 January 2002 Home Computer Users are Vulnerable
3 January 2002 NIPC Revises XP Security Advice
2 & 3 January 2002 Computer Export Limits Relaxed
2 January 2002 AOL Says Harvard E-Mails Were Not Treated as Spam

UPCOMING TRAINING OPPORTUNITIES
*** SANS Darling Harbour (4 tracks), Sydney, Jan 19-24
** SANS Peachtree 2002 (3 tracks), Atlanta, Jan 18-24
*** SANS Aloha IV (4 tracks), Honolulu, Jan 28-Feb 2
**** SANS Computer Security Bootcamp (7 tracks), Monterey, CA, Feb 9-14
* SANS San Diego Info. Sec. Officer (1 track), Feb 25-Mar 1
* SANS Ottawa Info. Sec. Officer (1 track), Feb 25-Mar 1
** SANS Lone Star (3 tracks), San Antonio, March 11-16
***** SANS 2002 (our largest conference) (12 tracks plus a free technical conference for all who attend the tracks), Orlando, April 1-7
See www.sans.org for details.

************** Sponsored by the Security Reading Room *****************
A Quiz
Where can you find more than 2,000 (that's not a typo) original, unique, peer-reviewed reports on a wide range of security topics? And where can you find an authoritative summary of the top ten new security news stories each week day?

The Answer
SANS Security Reading Room has both and gets more than 100 new reports every month. It's an extraordinary site. More than 35,000 security professionals use it every week day to explore new areas of security, to find answers to tough questions, and to get a quick news update. We invite you to try it; it's free.
http://rr.sans.org/
***********************************************************************

TOP OF THE NEWS

--8 January 2002 Virus Found in Macromedia Flash File
Antivirus researchers discovered a virus that infects Macromedia Flash files - putting at risk future users of the many web sites that rely on Flash files.
http://news.cnet.com/news/0-1005-200-8410601.html?tag=lh
http://investor.cnet.com/investor/news/newsitem/0-9900-1028-8410601-0.html?tag=ats

--8 January 2002 National Research Council Report: US Firms at Risk
Summary: "From an operational standpoint, cybersecurity today is far worse than what known best practices can provide."
http://www.cnn.com/2002/TECH/industry/01/08/security.reut/index.html

--2, 3 & 4 January 2002 File Sharing Programs Contain Trojan
Three file sharing software products, LimeWire, Grokster and KaZaA, have been found to contain W32.DIDer, a Trojan horse program that tracks users' web surfing habits without their permission. The Trojan was evidently part of an advertising program that came bundled with the free software. All three companies have posted new versions of their software.
http://news.cnet.com/news/0-1005-200-8335745.html?tag=prntfr
http://www.wired.com/news/technology/0,1282,49430,00.html
http://www.theregister.co.uk/content/4/23532.html
http://www.cnn.com/2002/TECH/internet/01/04/spy.software.ap/index.html
[Editor's (Schultz) Note: Programs such as KaZaA are controversial, as they are so often used for Warez, distribution of indecent materials, etc., and, additionally, because they can bypass perimeter security. Where I work these kinds of programs are illegal. I find it ironic that now a Trojan has been found in some of these programs. Is the real problem the Trojan or the use of these programs in the first place?]

--2 January 2002 ZaCker Worm
The ZaCker mass-mailer worm, also known as Maldal.D, arrives as an attachment which, if opened, tries to delete anti-virus files and other files with common extensions such as .exe and .doc. ZaCker self-replicates via Microsoft Outlook, sending itself to all addresses in the infected machine's address book.
http://www.zdnet.com/zdnn/stories/news/0,4586,5101163,00.html?chkpt=zdhpnews01
http://www.nwfusion.com/news/2002/0103zacker.html

--2 January 2002 IT Insurance Policies Exclude On Line Assets, Acts of Terrorism
Insurance policies are increasingly moving away from covering online assets in their standard policies. Customers who want such coverage will have to purchase more expensive supplemental policies.
Policies covering IT were originally designed to protect against physical loss or damage, not denial-of-service attacks and viruses. Some policies offer no coverage at all for damage resulting from terrorist activity.
http://www.informationweek.com/story/IWK20020102S0004
[Editor's (Murray) Note: How does one distinguish between a rogue hacker and a terrorist?]

THE REST OF THE WEEK'S NEWS

--4 January 2002 BSA Offers Illegal Software Amnesty Program
The Business Software Alliance (BSA) is offering amnesty to businesses using illegally copied software. Users who own up need only pay the necessary licensing fees; they will avoid penalties, which can run as high as $150,000. The BSA provides tools to inventory the companies' software. The program is available to certain cities, including Houston, Norfolk and Richmond VA and the San Francisco Bay area, through the end of January.
http://news.cnet.com/news/0-1003-200-8354860.html?tag=prntfr

--4 January 2002 IE Patch Opens up a Hole
Security bug hunter Georgi Guninski has discovered yet another Internet Explorer (IE) hole, this one apparently the result of an earlier IE patch for versions 5.5 and 6.0. The hole in the GetObject JScript function could allow attackers to execute programs on the affected computer. Guninski recommends disabling active scripting or simply not using IE.
http://cgi.zdnet.com/slink?167047
[Editor's (Murray) Note: Given that there is a limited amount of change that we can tolerate and given that patches are never applied to all systems and rarely even to most, Microsoft should fix things in the order of their importance rather than in the order of their discovery. (Guninski gets publicity only when MS fails to fix something on his schedule.)]

--4 January 2002 Seeker Trojan Tries to Alter IE Settings
The JS/Seeker-E Trojan exploits a known ActiveX Internet Explorer (IE) hole to try and change IE settings on infected machines.
The Trojan can arrive via e-mail or can be acquired by visiting a malicious web page. A patch for the vulnerability has been available since October 2000.
http://www.zdnet.com/zdnn/stories/news/0,4586,5101254,00.html

--3 & 4 January 2001 Microsoft Encourages Passport Users to Install Patch
Microsoft has sent millions of e-mail messages to Passport account holders, urging them to apply an Internet Explorer (IE) patch that has been available for almost two months. The patch addresses an IE vulnerability that could let attackers steal sensitive data from cookies on unprotected machines.
http://news.cnet.com/news/0-1005-200-8355007.html?tag=prntfr
http://www.computerworld.com/storyba/0,4125,NAV47_STO67090,00.html

--3 & 4 January 2002 Nvidia Settles Suit with Dutch Hackers
Two Dutch hackers posted intellectual property belonging to graphics chip designer Nvidia on the website M3DZone. The pair allegedly cracked Nvidia's firewall and used social engineering techniques to obtain intellectual property information from the graphics chip designer. The parties have reached an undisclosed settlement of a civil suit the company brought against the hackers.
http://www.msnbc.com/news/681639.asp
http://news.cnet.com/news/0-1006-200-8355008.html?tag=prntfr
http://www.computerworld.com/storyba/0,4125,NAV47_STO67083,00.html

--4 January 2002 Judge Okays Keystroke Logging Evidence
A federal judge ruled that evidence the FBI gathered using a keystroke-logging device surreptitiously installed on a computer (under a court-approved search warrant) is admissible in court. The FBI has not released any details about how the device works; last summer prosecutors in the case invoked the Classified Information Protection Act (CIPA), maintaining that details about the technology had to be kept secret to protect national security.
http://www.wired.com/news/privacy/0,1848,49455,00.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO67087,00.html

--4 January 2002 College Student Disclosed AIM Vulnerability
Matt Conover, the Utah college student who disclosed the AIM security hole, says he did it because AOL ignored his attempts to inform them of the vulnerability. Though some have called Conover's actions "irresponsible," others have defended him, noting that companies dismiss threats as theoretical unless an exploit demonstrates otherwise.
http://www.zdnet.com/zdnn/stories/news/0,4586,2836272,00.html

--2,3 & 4 January 2002 AOL Patches AIM Hole
AOL has fixed a security hole in its AIM application that could have allowed a cracker to exploit a buffer overflow problem to gain control of a targeted machine. The hole affected only those using the AIM on a Windows operating system, not those who use the built-in messaging system. AOL made the fix on its servers; users do not need to install patches.
http://www.wired.com/news/technology/0,1282,49442,00.html
http://www.searchsecurity.com/qna/0,289202,sid14_gci788890,00.html
http://www.zdnet.com/zdnn/stories/news/0,4586,5101170,00.html
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1741000/1741955.stm
[Editor's (multiple) note: Notice the ease and speed with which AOL fixes its software because it controls the client software. Is that a safer and better supported model for distributing PC software? Should the great majority of people, those without extraordinary security skills and the time to patch Microsoft software, be getting more of their software from AOL where the purchaser gives AOL the responsibility to maintain it?]

--3 January 2002 Home Computer Users are Vulnerable
Home users' computers are increasingly becoming cracker targets for a number of reasons: many home machines are powerful enough to attract the attention of crackers looking to launch denial of service attacks, many home machines maintain high-speed, always-on connections that increase their vulnerability, and home users tend to neglect security measures normally employed by businesses.
http://www.cnn.com/2002/TECH/ptech/01/04/hacking.home.computers.ap/index.html

--3 January 2002 NIPC Revises XP Security Advice
The FBI's National Infrastructure Protection Center (NIPC) has revised its advice regarding a recently disclosed security hole in Windows XP. Initially, NIPC recommended turning off the universal Plug and Play (UPNP) service in addition to applying a patch available from Microsoft; now they are saying that the patch alone is adequate.
http://www.cnn.com/2002/TECH/industry/01/03/hackers.ap/index.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO67069,00.html

--2 & 3 January 2002 Computer Export Limits Relaxed
The Bush administration has eased restrictions on computers exported to Tier 3 nations, China, India and Pakistan, from 85,000 millions of theoretical operations per second (MTOPS) to 190,000 MTOPS. In addition, Latvia will be moved from Tier 3 to Tier 1, enjoying the looser restrictions enjoyed by Japan, Canada, Mexico and others. Some technology industry representatives say the MTOPS standard is not effective because countries can cluster less-powerful machines.
http://news.cnet.com/news/0-1003-200-8338468.html?tag=prntfr
http://www.computerworld.com/storyba/0,4125,NAV47_STO67053,00.html
http://www.wired.com/news/politics/0,1283,49453,00.html

--2 January 2002 AOL Says Harvard E-Mails Were Not Treated as Spam
In a correction to previously released data, an AOL spokesman said the Harvard admissions e-mails that were bounced back were returned not because the ISP's filtering system thought they were spam, but for other reasons such as closed accounts and full mailboxes. Between 3 and 4 percent of the e-mails sent to AOL accounts from Harvard were returned. A Harvard spokeswoman said that regular paper notifications were sent the same day the e-mails went out.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67046,00.html

==end==

Please feel free to share this with interested parties via email (not on bulletin boards). For a free subscription, (and for free posters) e-mail sans@sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers.) You will receive your personal URL via email.

You may also email with complete instructions and your SD number for subscribe, unsubscribe, change address, add other digests, or any other comments.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8PHqp+LUG5KFpTkYRApTRAJ0YIYcTyNlFIeCZmTqcYIlx+btVRwCgi59F
H0cirbVKL7qMTzFuQzqsugM=
=mVQB
-----END PGP SIGNATURE-----