-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note for users of Cisco routers concerned about security: A router security audit tool will be announced today, the result of cooperative efforts by experts at the US National Security Agency, UUNET, and Cable & Wireless, and tested and validated by many of the 170 member organizations of the Center for Internet Security. The Router Audit Tool performs an impressively comprehensive check of Cisco router security, gives an overall score, and points the user to the specific corrections for problems found. The tool's authors will conduct a web briefing today at 1:00 PM (1800 UTC). Both the tool and the briefing are free. Register in advance at: http://www.sans.org/webcasts Alan ********************************************************************** SANS NEWSBITES The SANS Weekly Security News Overview Volume 4, Number 8 February 20, 2002 Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz ********************************************************************** TOP OF THE NEWS 15 February 2002 SNMP Vulnerability Is Widespread and Important 14 February 2002 OMB Releases Report Detailing Federal Security Problems 14 February 2002 Hacking at Japan's Space Agency 14 February 2002 Cyberattack Could Provoke Military Attack 11 & 13 February 2002 Info on Web Sites Could Pose Security Risk 11 & 12 February 2002 Microsoft Issues Cumulative Patch THE REST OF THE WEEK'S NEWS 17 February 2002 Application Security "In Grim State" 15 February 2002 Hacker's Claims Compel Morningstar to Conduct Audit 14 & 15 February 2002 Messenger Worm 14 February 2002 Cloud Nine Hackers Probably Won't be Caught 14 February 2002 C++ .Net Compiler Buffer Overflow Problems 12 & 14 February 2002 Anonymous Surfing Technology has Holes 13 February 2002 ISP Protection Legislation Introduced 12 February 2002 WYX Virus Found on IBM Memory Keys 12 February 2002 Chair Named for ICANN Security Committee 12 February 2002 Sandia is Testing Wireless LANs 11 February 2002 Global Crossings Former Employee Exposes Data 11 February 2002 Hotmail Password Reset Vulnerability 11 February 2002 BlackIce Patches TRAINING OPPORTUNITIES IN THE NEXT 120 DAYS SANS 2002 in Orlando: SANS' largest conference and exposition. Large conferences San Antonio, London and Washington, Toronto, and Portland (OR). Smaller programs in Kansas City, Los Angeles, Phoenix, and Minneapolis. Details: http://www.sans.org ***************** Sponsored by Websense, Inc. *********************** Choosing Internet filtering software is never easy, is it? Guess again. With Websense Enterprise, the leading solution, you get installation and administration that's a breeze. Combine that with integrations like Microsoft and Cisco. You'll see why 15,000+ organizations use Websense. If only ALL our decisions were this simple. Try a free, fully-functional 30-day trial. http://www.websense.com?id=10209 ********************************************************************** TOP OF THE NEWS --15 February 2002 SNMP Vulnerability Is Widespread and Important A vulnerability in the Simple Network Management Protocol means the infrastructure of the Internet is at risk according to the CERT Coordination Center at Carnegie Mellon University. A free tool can help you find your systems that are running SNMP, so you know where patches must be installed. http://www.govexec.com/dailyfed/0202/021502j1.htm Tool requests: email snmptool@sans.org --14 February 2002 OMB Releases Report Detailing Federal Security Problems In a report providing detailed reviews of every major Federal agency, the US Office of Management and Budget has laid out a scathing review of the security status and efforts of Federal government agencies. The report is the first annual submission required under the Government Information Systems Reform Act (GISRA), and provides detailed information on each major agency. http://www.gcn.com/vol1_no1/security/17955-1.html Download the complete report from: http://www.whitehouse.gov/omb/pubpress/2002-05.html [Editor's (Paller) Note: GISRA was effective because it woke up senior federal managers to the role they must play in fostering effective security. That job is done; they are awake. Today, the law is being reconsidered. To avoid wasting $100 million or more, the new law should be refocused on supporting programs that actually improve security at the technical level, measure that improvement, and compare it across agencies. Perhaps such testing wasn't feasible a year ago; today it is.] --14 February 2002 Hacking at Japan's Space Agency An employee at one of two Japanese firms working on a satellite project with the National Space Development Agency of Japan (NASDA) hacked into a NASDA computer to access sensitive data belonging to the other company; he was discovered when he bragged about his transgression to a mailing list that included a NASDA employee. The employee will likely be transferred to another position within his company which is barred from submitting bid to NASDA for one month. http://dailynews.yahoo.com/h/nm/20020214/sc/japan_space_computer_dc_1.html [Editor's (Schultz) Note: The punishment, both for the unethical employee and the employee's company, seems like a proverbial "slap on the wrist." What kind of message does this send to the cracker community? Unless computer crime is dealt with in a serious and responsible manner, we're never going to make progress in combating it.] --14 February 2002 Cyberattack Could Provoke Military Attack White House technology adviser Richard Clarke said that a cyberattack launched by foreign countries or terrorist groups could prompt a retaliatory military attack from the US. Clarke also indicated he believes that many critical infrastructure systems have already been broken into. http://www.usatoday.com/life/cyber/tech/2002/02/14/cyberterrorism.htm --11 & 13 February 2002 Info on Web Sites Could Pose Security Risk Corporate websites contain floor plans and back-up facility locations, telecommunications sites include locations of routers and major network nodes, and DOE websites provide sensitive information about plutonium storage and nuclear reactor locations. Richard Clarke says there is evidence that al-Qaeda used the Internet to gather information about US facilities, and that other groups may be doing the same thing. http://www.computerworld.com/storyba/0,4125,NAV47_STO68181,00.html http://www.computerworld.com/storyba/0,4125,NAV47_STO68182,00.html http://www.computerworld.com/storyba/0,4125,NAV47_STO68183,00.html http://www.computerworld.com/storyba/0,4125,NAV47_STO68281,00.html --11 & 12 February 2002 Microsoft Issues Cumulative Patch Microsoft has issued bundled fixes for vulnerabilities in Internet Explorer versions 5.01, 5.5 and 6.0. http://news.com.com/2100-1001-834826.html http://www.computerworld.com/storyba/0,4125,NAV47_STO68224,00.html patch: http://www.microsoft.com/technet/security/bulletin/MS02-005.asp ************************ SPONSORED LINKS ***************************** (1) Learn why Sony calls ManHunt 2.0 Internet security's 'crystal ball!' http://www.sans.org/cgi-bin/sanspromo/NB4 (2) Add it up and upgrade... StoneGate firewall 50% upgrade promotion. http://www.sans.org/cgi-bin/sanspromo/NB5 (3) Rainfinity, Inc. Download RainWall High Availability Software for E-Business FREE 30 DAY TRIAL http://www.sans.org/cgi-bin/sanspromo/NB6 *********************************************************************** THE REST OF THE WEEK'S NEWS --17 February 2002 Application Security "In Grim State" A security research company reports that most e-business applications have serious security flaws. http://www.vnunet.com/News/1129340 --15 February 2002 Hacker's Claims Compel Morningstar to Conduct Audit Morningstar Canada is paying for an outside security company to conduct an audit of its investment research website's security after a hacker claimed to have broken into the servers and stolen confidential data. Despite the fact that the site houses no such data, Morningstar felt the audit was necessary to maintain their credibility. http://www.computerworld.com/storyba/0,4125,NAV47_STO68375,00.html --14 & 15 February 2002 Messenger Worm A worm, knows as Menger, Cool Worm, or JS Exploit-Messenger, exploits an Internet Explorer vulnerability to spread through MSN Instant Messenger. A patch has been released for the IE hole (see story 11& 12 February). The worm does not appear to carry a malicious payload beyond spreading itself to other MSN messenger users in infected machines' address books. http://zdnet.com.com/2100-1105-837525.html http://www.msnbc.com/news/707267.asp?0dm=T217T http://www.newsfactor.com/perl/story/16355.html --14 February 2002 Cloud Nine Hackers Probably Won't be Caught The hackers responsible for taking down the UK ISP Cloud Nine, ultimately resulting in its demise, erased web logs that contained data that might have helped identify them. Cloud Nine was apparently the victim of both hacking and a distributed denial of service attack. http://zdnet.com.com/2100-1105-837412.html --14 February 2002 C++ .Net Compiler Buffer Overflow Problems A feature in Microsoft's Visual C++ .Net compiler called StackGuard, which is supposed to guard against buffer overflows, is itself vulnerable to the attack. The security consultancy that issued the initial warning has been criticized for not giving Microsoft enough time to address the problem. http://www.computerworld.com/storyba/0,4125,NAV47_STO68315,00.html http://www.msnbc.com/news/707130.asp?0dm=C19NT http://news.com.com/2100-1001-837428.html http://news.com.com/2100-1001-838096.html [Editor's (Murray) Note: It is hubris for hackers to believe that they have the right to decide how long a vendor has to fix a vulnerability that was not a problem before the hacker disclosed it. Not all vulnerabilities are problems. Not all problems are of the same magnitude.] --12 & 14 February 2002 Anonymous Surfing Technology has Holes Two researchers published a paper describing flaws in SafeWeb's anonymous surfing technology that could allow web sites to gather visitors' Internet addresses and other surfing habit information by using JavaScript. SafeWeb says it will fix the problems. http://www.wired.com/news/politics/0,1283,50371,00.html http://www.wired.com/news/business/0,1367,50424,00.html --13 February 2002 ISP Protection Legislation Introduced Rep. Robert Goodlatte (R-Va.) has introduced a bill that would ensure ISPs would not be held liable for illegal content placed on line by third-party users. http://news.com.com/2100-1023-837137.html --12 February 2002 WYX Virus Found on IBM Memory Keys The WYX virus has been found in certain IBM Memory Key removable storage devices; a fix is available from IBM. Affected devices carry a manufacture date earlier than 21 December 2001 or a serial number lower than 2320000. http://www.theregister.co.uk/content/55/24035.html http://www.pc.ibm.com/qtechinfo/MIGR-40980.html?lang=en_US&page=brand&brand=IBM+Options&doctype=Hot+news&subtype=Cat --12 February 2002 Chair Named for ICANN Security Committee The Internet Corporation for Assigned Names and Numbers (ICANN) has appointed Stephen Crocker chairman of the newly formed ICANN Security Committee; there has been some concern that the ICANN system is vulnerable to distributed denial of service attacks because it uses BIND. http://www.computerworld.com/storyba/0,4125,NAV47_STO68225,00.html [Editor's (Murray) Note: Good choice!!] --12 February 2002 Sandia is Testing Wireless LANs Sandia National Laboratories is testing wireless LANs outside of secure areas. Other DOE labs are taking a different approach: Lawrence Livermore National Laboratory has issued a ban on wireless LANs and Los Alamos National Laboratory is conducting a security review of wireless LANs which may lead to their removal. http://www.computerworld.com/storyba/0,4125,NAV47_STO68235,00.html --11 February 2002 Global Crossings Former Employee Exposes Data A former employee of the telecommunications company Global Crossing Holdings Ltd. Has been posting personal data belonging to other company employees on the web for the last five months. According to a company attorney, the employee allegedly stole a disk containing the information. Though Global Crossing became aware of the problem in September, it didn't inform its employees until December; former employees were not told of the breach at all. Some former employees say the company failed to in implement adequate controls over who was allowed access to which data. http://www.computerworld.com/itresources/rcstory/0,4167,KEY73_STO68168,00.html --11 February 2002 Hotmail Password Reset Vulnerability A Hotmail vulnerability allows hackers to bypass password resetting security measures and jump right to the secret question prompt; once authenticated, the hacker can also use other Microsoft services, including .Net Passport. http://www.newsbytes.com/news/02/174400.html --11 February 2002 BlackIce Patches There are now patches available for the BlackIce ping flood vulnerability. http://www.computerworld.com/storyba/0,4125,NAV47_STO68189,00.html http://www.iss.net/support/consumer/BI_downloads.php ==end== Please feel free to share this with interested parties via email (not on bulletin boards). For a free subscription, (and for free posters) e-mail sans@sans.org with the subject: Subscribe NewsBites To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers.) You will receive your personal URL via email. You may also email with complete instructions and your SD number for subscribe, unsubscribe, change address, add other digests, or any other comments. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8c58O+LUG5KFpTkYRAsm1AJ4tJlN6lQsAMroKb2qK1MPnoQxzUgCeJyE6 yFBJFbPWOzLrKfRzMaivdEw= =PZEW -----END PGP SIGNATURE-----