Salary growth has slowed for security people, after rapid growth for several years, but bonuses and premiums are boosting pay for those with strong technical skills (demonstrated by GIAC certifications and CISA audit certifications). Foote Partners' quarterly IT salary, skills and certification survey covers more than 28,000 employees, and David Foote presented the latest survey data in a web broadcast archived at
http://searchsecurity.techtarget.com/onlineEventsTranscriptSecurity/1,289693,sid14_gci777176,00.html

Saturday is the last day to register for the SANS Security Bootcamp program in Monterey, February 9-14, before the late fee kicks in. Bootcamp is the most intense learning environment most security professionals will ever experience. Courses run during the day and special Bootcamp sessions run at night. If you are seeking advanced security education that gives you the tools, tips and techniques to get up to speed fast, this is the ideal training opportunity. Most people who have attended SANS conferences in Monterey say it is the best place in the country to go to a conference - especially with the program running right next to Fisherman's Wharf.
http://www.sans.org/Bootcamp.htm

Alan

**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 3
January 16, 2002
Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz
**********************************************************************

TOP OF THE NEWS
15 January 2002 Solaris Buffer Overflow Being Exploited
14 January 2002 Congress May Take New Look At Software Protection from Product Liability For Security Flaws
11 January 2002 Incidents Reported to CERT/CC Doubled in 2001
10 January 2002 FedCIRC Says Hacking is Down
10 January 2002 DeCSS Author Indicted
9 January 2002 AIM Fix Has Back Door
7 January 2002 Cross-Site Scripting Vulnerability in Citibank Payment Service Site

THE REST OF THE WEEK'S NEWS
15 January 2002 Justice Department Forms New Anti-hacker Unit
14 January 2002 Wireless LANs at Airports Pose Security Threat
11 January 2002 Gigger Virus
11 January 2002 Cyber Law Predictions
11 January 2002 Opinion: Microsoft Not Focused on Security
11 January 2002 Report Makes Federal Cyber Security Recommendations
11 January 2002 Financial Companies Looking Into Biometrics
11 January 2002 Human Firewall Survey Reveals Employees' Lack of Security Knowledge
10 & 11 January 2002 Microsoft Says Donut is Not .Net Virus
10 January 2002 DoubleClick Drops Targeting Service
9 & 10 January 2002 IRS Computers Missing
9 January 2002 Guarding Against Socially Engineered Attacks
9 January 2002 Cracker Pleads Guilty to DoE Lab Intrusion
8 & 9 January 2002 Macromedia Flash Virus is Not Much of a Threat
8 & 9 January 2002 CSTB Report Says Companies are Neglecting Security
8 January 2002 Security Advice Confuses
8 January 2002 Microsoft Investigates Purported IE Hole
7 January 2002 Virus Writers Justify their Work
7 January 2002 Crowell Supports GovNet
4 January 2002 Report Considers Al-Qaeda Cyber Capabilities

UPCOMING TRAINING OPPORTUNITIES
** SANS Peachtree 2002 (3 tracks), Atlanta, Jan 18-24
* SANS SNORT Series (1 Day), Atlanta, Jan 18
*** SANS Darling Harbour (4 tracks), Sydney, Jan 19-24
*** SANS Aloha IV (4 tracks), Honolulu, Jan 28-Feb 2
**** SANS Computer Security Bootcamp (7 tracks), Monterey, CA, Feb 9-14
* SANS San Diego ISO (1 track), Feb 25-Mar 1
* SANS Tysons Corner ISO (1 track), March 3-7
** SANS Lone Star (3 tracks), San Antonio, March 11-16
* SANS Securing IIS (1 day), Los Angeles, March 20
** SANS Arizona (2 tracks), Phoenix, March 23-27
* SANS Securing IIS (1 day), Phoenix, March 28
***** SANS 2002 (our largest conference) (12 tracks plus a free technical conference for all who attend the tracks), Orlando, April 1-7
**** SANS Parliament Square 2002 (4 tracks), London, April 22-27
See www.sans.org for details.

************ This issue sponsored by NetIQ Corporation ***************
FREE Security White Paper from NetIQ! Between 60% and 90% of the time IT managers spend resolving problems is lost to diagnostics. Wouldn't you like to significantly reduce that percentage? Download NetIQ's FREE white paper, "Security Event Correlation: Where Are We Now?"
http://www.netiq.com/f/form/form.asp?id=421
***********************************************************************

TOP OF THE NEWS

--15 January 2002
Solaris Buffer Overflow Being Exploited
The HoneyNet project reported that a buffer overflow problem in Solaris, reported and patched two months ago, is now being exploited by attackers. CERT offered an advisory recommending that the patch be applied or the affected service be disabled.
http://news.cnet.com/news/0-1003-200-8495923.html?tag=lh
The CERT advisory: http://www.cert.org/advisories/CA-2002-01.html

--14 January 2002
Congress May Take New Look At Software Protection from Product Liability For Security Flaws
Rep. Rick Boucher (D-Va.), who co-chairs the Congressional Internet Caucus, said, "The producers of software should be responsible for any flaws that the software contains," especially if the flaws lead to hacking.
http://www.latimes.com/news/nationworld/nation/la-011402micro.story

--11 January 2002
Incidents Reported to CERT/CC Doubled in 2001
The number of security incidents reported to the Computer Emergency Response Team Coordination Center (CERT/CC) in 2001 was more than double the number reported the previous year, up from 21,756 to 52,658. The number of alerts nearly doubled, up from 26 to 41. Much of the increase is attributable to heightened security awareness.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67318,00.html

--10 January 2002
FedCIRC Says Hacking is Down
The Federal Computer Incident Response Center (FedCIRC) says that the incidence of hacking has fallen since the terrorist attacks of September 11. Reasons offered for the decrease are improved security practices, intrusion detection tools, and legislation that treats hackers as terrorists.
http://www.theregister.co.uk/content/55/23628.html
[Editor's (Murray) Note: It is naive to believe that legislation that does not result in prosecutions has any impact on behavior.
(Paller) FedCIRC is to be congratulated, but the decline in attacks reported by federal sites is not being replicated elsewhere. One needs only to look at the defaced web site mirror at Alldas.de to see that December was the highest month for such hackings since the summer. http://defaced.alldas.de/?archives=complete]

--10 January 2002
DeCSS Author Indicted
Jon Johansen, a Norwegian man who co-authored the DeCSS utility, has been indicted on hacking charges and could face between 6 months and 2 years of incarceration.
http://www.wired.com/news/politics/0,1283,49638,00.html
http://www.securityfocus.com/news/306
http://news.cnet.com/news/0-1005-200-8434181.html?tag=prntfr

--9 January 2002
AIM Fix Has Back Door
AIMFilter, a fix for the AIM vulnerability, contains a back door that lets the program's author redirect users' browsers to pay-for-click sites.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67214,00.html
http://www.theregister.co.uk/content/55/23596.html
http://www.zdnet.com/zdnn/stories/news/0,4586,5101490,00.html

--7 January 2002
Cross-Site Scripting Vulnerability in Citibank Payment Service Site
A security researcher has found a cross-site scripting vulnerability in C2it.com, Citibank's on-line payment service. The security hole could expose customer account data and even allow attackers to move money out of customer accounts.
http://www.msnbc.com/news/683646.asp?0dm=T225T
[Editor's (Murray) Note: Characterizing this activity as "security research" is inappropriate, not to say destructive.]

THE REST OF THE WEEK'S NEWS

--15 January 2002
Justice Department Forms New Anti-hacker Unit
The new unit has six full-time prosecutors and will focus on cybercrime and cyber-terrorism. Prosecutors in nine other cities have also formed cybercrime units.
http://www.cnn.com/2002/TECH/industry/01/15/catching.hackers.ap/index.html

--14 January 2002
Wireless LANs at Airports Pose Security Threat
Some airlines are using wireless LANs with no encryption for baggage matching and curbside check-in applications. These insecure wireless networks could put flight operations systems at risk.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO67344,00.html

--11 January 2002
Gigger Virus
The Gigger virus arrives as an attachment purporting to be a Microsoft security update and tries to delete files from infected computers' hard drives. The JavaScript virus spreads via Outlook address books and mIRC.
Antivirus vendors are updating their software to detect the virus, and protection is now largely in place.
http://www.zdnet.com/zdnn/stories/news/0,4586,2838401,00.html?chkpt=zdhpnews01
http://www.theregister.co.uk/content/56/23652.html

--11 January 2002
Cyber Law Predictions
Ten experts in cyber legal matters predict what 2002 holds for Internet law and policy.
http://www.nytimes.com/2002/01/11/technology/11CYBERLAW.html
(please note: free registration required)

--11 January 2002
Opinion: Microsoft Not Focused on Security
Jim Rapoza maintains that Microsoft consistently places security behind productivity when designing software, thereby inviting security problems. He concedes that the company has made some headway in the area of server security.
http://www.zdnet.com/zdnn/stories/comment/0,5859,5101601,00.html
[Editor's (Schultz) Note: Until the public clamors for greater security in vendor products, vendors are unlikely to pay greater attention to security concerns. And, as I have said so many times before, the real problem is not security per se, but rather lack of quality in software development.
(Murray) It seems clear that MS users would like to have security if it were free. There is no evidence to suggest that they will give up productivity (or even generality or flexibility) to get it.]

--11 January 2002
Report Makes Federal Cyber Security Recommendations
A Heritage Foundation report strongly recommends that President Bush designate Global Positioning Satellite (GPS) radio frequencies and network systems as critical infrastructure to bolster their security. The report makes other recommendations as well, including creating a center to allow all levels of government to share information and intelligence, and securing all federal networks and information systems.
http://www.fcw.com/fcw/articles/2002/0107/web-heritage-01-11-02.asp

--11 January 2002
Financial Companies Looking Into Biometrics
Financial services companies are considering biometrics for customer identification. Some companies already use the technology to restrict employee access to server rooms. Citibank hopes to offer its customers several biometric identification options.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67314,00.html

--11 January 2002
Human Firewall Survey Reveals Employees' Lack of Security Knowledge
A survey conducted by the Human Firewall project illustrates the knowledge gap between security managers and most other employees. Many employees were unable to identify safe passwords, and most are unaware of their companies' security policies.
http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO67319,00.html

--10 & 11 January 2002
Microsoft Says Donut is Not .Net Virus
Antivirus vendors are calling Donut the first .Net virus, but Microsoft maintains it is merely a reworked Windows virus. The virus does not self-propagate; users become infected by receiving deliberately sent e-mail or from a web site. The virus does not damage computers, but it does infect other .Net files.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67256,00.html
http://news.cnet.com/news/0-1003-200-8444607.html?tag=prntfr
http://news.cnet.com/news/0-1003-201-8447073-0.html?tag=prntfr

--10 January 2002
DoubleClick Drops Targeting Service
DoubleClick discontinued its Intelligent Targeting service late last year. The service allowed advertisers to send ads to Internet users based on their surfing habits.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67262,00.html

--9 & 10 January 2002
IRS Computers Missing
A recent Treasury Department audit revealed that the Internal Revenue Service (IRS) could not account for more than 2300 of its computers. An agency spokesman said that almost 1600 of the machines have been located.
He also said that taxpayer information was not compromised, despite the fact that the missing machines likely contain tax return and audit information.
http://news.cnet.com/news/0-1005-200-8418759.html?tag=owv
http://www.wired.com/news/politics/0,1283,49615,00.html

--9 January 2002
Guarding Against Socially Engineered Attacks
In the second of two articles about social engineering, the author discusses preventing, spotting and dealing with socially engineered attacks. Companies should implement security policies, use good physical security practices and train their staff. They should also have procedures in place for handling socially engineered attacks when they occur.
http://www.securityfocus.com/infocus/1533
[Editor's (Schultz) Note: Social engineering is something about which virtually all information security professionals know, but the overwhelming majority of the papers and talks on this issue focus on the problem, not effective solutions. Granger's piece is a refreshing exception to this trend.
(Murray) We have been dealing with this attack since Eve. We are not much better at resisting it now than we were then. It must exploit some fundamental vulnerability.]

--9 January 2002
Cracker Pleads Guilty to DoE Lab Intrusion
Benjamin Troy Breuninger, who uses the hacker alias "Konceptor," pleaded guilty to breaking into the computer network at Lawrence Livermore National Laboratory, admitting that he downloaded data and agreeing that he caused $20,000 worth of damage. Breuninger will be sentenced on April 12; he could receive up to 5 years in prison and a $250,000 fine, plus a requirement for restitution.
http://www.gcn.com/vol1_no1/daily-updates/17736-1.html
http://www.securityfocus.com/news/305

--8 & 9 January 2002
Macromedia Flash Virus is Not Much of a Threat
SWF/LFM-926 is a proof-of-concept Macromedia Flash virus that can infect other Flash files.
It has a relatively weak vector of infection: to become contaminated, users must download an infected Flash file and view it in a different player; viewing a Flash film in a browser will not infect a machine. While this virus is not a large threat, future variants could be more aggressive.
http://www.cnn.com/2002/TECH/internet/01/09/macromedia.virus.reut/index.html
http://www.zdnet.com/zdnn/stories/news/0,4586,5101425,00.html?chkpt=zdhpnews01
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1750000/1750775.stm

--8 & 9 January 2002
CSTB Report Says Companies are Neglecting Security
A report from the National Academy of Science's Computer Science and Telecommunications Board (CSTB) says that US companies are not using available security measures to protect themselves from cyber attacks. The CSTB encourages companies to conduct random security testing, use strong authentication systems and train all employees in the proper use of security tools. Furthermore, the report suggests that companies producing insecure software should be held liable.
http://www.securityfocus.com/news/304
http://www.wired.com/news/technology/0,1282,49570,00.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO67238,00.html

--8 January 2002
Security Advice Confuses
The recent confusion surrounding the Universal Plug and Play security problems in Windows XP underscores the difficulty users face in deciding where to turn for reliable security information and advice.
http://www.msnbc.com/news/682227.asp?0dm=C235T

--8 January 2002
Microsoft Investigates Purported IE Hole
An alleged vulnerability in Internet Explorer versions 5.5 to 6 could allow crackers to spoof web sites, steal cookie information and read local files on affected computers. The hole is due to Microsoft's failure to comply with the "same-origin policy." Microsoft is looking into the problem and has expressed displeasure at the method of disclosure.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67199,00.html

--7 January 2002
Virus Writers Justify their Work
Some virus writers justify their activity by claiming it helps other people learn about security and provides jobs for security experts. They also claim that releasing an exploit anonymously is safer than going directly to the software companies with the vulnerability, because they might be accused of hacking. Detractors say they have never heard of a software company prosecuting someone who came forward with information about vulnerabilities.
http://www.wired.com/news/culture/0,1284,49483,00.html

--7 January 2002
Crowell Supports GovNet
Cylink Corp. CEO Bill Crowell, who is a former National Security Agency (NSA) deputy director, supports the creation of GovNet, a secure government network not connected to the Internet, and says that the private sector should consider doing the same thing.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67138,00.html
[Editor's (Murray) Note: GovNet as a strategy is "defense in depth." It will be interesting to see how successful the operators are in resisting connections to the broader network.]

--4 January 2002
Report Considers Al-Qaeda Cyber Capabilities
A report from the Canadian Office of Critical Infrastructure Protection and Emergency Services suggests that al-Qaeda's financial resources could allow the terrorist organization to mount cyber attacks against critical infrastructure targets. Such an attack could have a devastating ripple effect.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67092,00.html

==end==

Please feel free to share this with interested parties via email (not on bulletin boards). For a free subscription (and for free posters) e-mail sans@sans.org with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers). You will receive your personal URL via email.
You may also email with complete instructions and your SD number for subscribe, unsubscribe, change address, add other digests, or any other comments.