**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 14
April 2, 2002

Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz
**********************************************************************

TOP OF THE NEWS

01 April 2002 Cyber Czar Says Security Comfort 3-5 Years Away
25 March 2002 Supplemental Budget Request Includes IT Security Items
29 March 2002 Former Global Crossing Employee Arrested
27 March 2002 Media Player Could Present a New Wave of Attacks

THE REST OF THE WEEK'S NEWS

29 March 2002 Microsoft Releases Patch for Two IE Holes
27 & 28 March 2002 Airports Testing Biometrics
27 March 2002 FBI Must Produce More Carnivore Information
25 & 28 March 2002 Should the Law Consider Good Intentions?
25 & 28 March 2002 Weak Security on eBay Has Users Concerned
25 March 2002 Air Force Network Targeted With Copious Probes
25 March 2002 FrontPage Vulnerability Exploited
25 March 2002 Georgia Tech IT Handled Intrusion Well
25 March 2002 Web Services Security
21 March 2002 Gartner Explains Why Complete Software Security Won't Happen
20 March 2002 Open Source Software Review is Uneven

RECENT TUTORIAL ARTICLES

26 March 2002 Broadband Security
29 March 2002 The Internet's A Root Server and Security
15 March 2002 Developing an Incident Response Plan

TRAINING OPPORTUNITIES IN THE NEXT 120 DAYS
Large SANS GIAC Certification and Training programs in Toronto, Boston, London, Washington, Denver, New York, and Los Angeles. Smaller programs in Phoenix, Minneapolis, Portland, Colorado Springs, Chicago, Detroit. Details and registration information: www.sans.org

**************** Sponsored by SurfControl, Inc. **********************
YOUR NETWORK IS CONSTANTLY UNDER ATTACK.
If you could easily stop users from sapping your bandwidth, block access to personal Web-based email accounts (the main way users introduce viruses into your network), all without being the company traffic cop, would you? Then try SuperScout Web Filter FREE:
http://www.surfcontrol.com/go/zsnb0403
**********************************************************************

--01 April 2002 Cyber Czar Says Security Comfort 3-5 Years Away
Presidential cybersecurity advisor Dick Clarke says the history of Federal IT security is "a sad one," and worries that Congress may not fully fund computer security efforts.
http://gcn.com/21_7/news/18305-1.html

--25 March 2002 Supplemental Budget Request Includes IT Security Items
The White House submitted a supplemental budget request for fiscal 2002 asking for more than $36 million for IT security programs for homeland security. That figure includes $2.5 million for the GSA to establish the Internet Vulnerability Management Office.
http://www.fcw.com/fcw/articles/2002/0325/news-budget-03-25-02.asp

--29 March 2002 Former Global Crossing Employee Arrested
The FBI arrested Steven Sutcliffe, a former Global Crossing employee, for making threats against company executives on his website. A federal judge dismissed charges connected with Sutcliffe's posting of employee names and social security numbers on the website because he did not intend to use the data for illegal purposes.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69684,00.html
[Editor's (Ranum) Note: This one is really interesting!! He posted social security numbers "not for illegal purposes" and got away with it? What happens when some hacker posts all the social security numbers from some database "not for illegal purposes"?
(Schultz) There are some very interesting "truth in disclosure" issues that surround this case.
Because of the great potential for loss by individual employees, why did Global Crossing wait so long to inform its employees that their personal information had been compromised?]

--27 March 2002 Media Player Could Present a New Wave of Attacks
Security experts say that Windows Media Player can be exploited to run code disguised as a trusted file in HTML e-mail; the attack also manages to bypass Outlook 2002 security measures.
http://www.wired.com/news/technology/0,1282,51361,00.html

*********************** Sponsored Links *****************************
(1) Highest availability for Check Point! Download this FREE WHITE PAPER from Resilience.
http://www.sans.org/cgi-bin/sanspromo/NB20
(2) NEW White Paper - Content Inspection in High Capacity Networks, Aladdin & Radware.
http://www.sans.org/cgi-bin/sanspromo/NB21
(3) THE Security Solution for Authentication, Administration, Auditing for UNIX/LINUX
http://www.sans.org/cgi-bin/sanspromo/NB22
***********************************************************************

THE REST OF THE WEEK'S STORIES

--29 March 2002 Microsoft Releases Patch for Two IE Holes
Microsoft has released a patch for two "critical" vulnerabilities in Internet Explorer (IE) versions 5.01, 5.5 and 6.0. The first vulnerability could allow a malicious script embedded in a cookie to run in the local zone, potentially altering or deleting files. The second involves object tags and could allow executable files already on the computer to run. The patch is cumulative. Microsoft is still investigating a debugging tool flaw in Windows 2000 and NT that could be exploited to gain a higher level of privilege on the operating system.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69683,00.html
http://news.com.com/2100-1001-871771.html
http://www.microsoft.com/technet/security/bulletin/ms02-015.asp

--27 & 28 March 2002 Airports Testing Biometrics
Several airports are experimenting with biometric identification systems for workers and for passengers.
While some experts say the technology will become widespread over the next few years, former FBI agent and now professor of security Harvey Burstein observes that human error will always be a factor in security.
http://zdnet.com.com/2100-1104-869437.html
http://www.cnn.com/2002/WORLD/europe/03/27/schiphol.security/index.html
A Gartner analyst says that while biometrics are helpful, they are not likely to be a panacea for airport security.
http://zdnet.com.com/2100-1107-870372.html
[Editor's (Murray) Note: Biometrics are what we use in airports now. We compare the individual's visage to a reference on a credential issued by government authority. What is potentially new is the automation of this process. Automation is not nearly as difficult as will be the issuance of a suitable credential for automatic checking.
(Schultz) Burstein's statement is particularly applicable here because of the prevalence of human error, but a good deal of the cause of human error is due to poor usability design. I fear that the next generation of two-step authentication technology is going to be rushed out without sufficient attention being paid to human factors. Experiments conducted two years ago at Purdue University show that smart card and biometric authentication is often plagued by the need for users to perform additional, unnecessary, and often difficult actions.]

--27 March 2002 FBI Must Produce More Carnivore Information
A federal judge has ruled that the FBI has 60 days to conduct "a further search" of its records to produce more information on Carnivore and EtherPeek. A prior search, conducted in response to a suit filed by EPIC under the Freedom of Information Act, produced only technical details, overlooking legal and policy references.
http://news.com.com/2100-1023-870028.html

--25 & 28 March 2002 Should the Law Consider Good Intentions?
A panel at the recent "Information Security in the Age of Terrorism" conference discussed whether or not well-intentioned cyber-intruders should be prosecuted just like other cyber criminals. One of the panelists was Adrian Lamo, the young man responsible for exposing and then helping to fix security problems at major companies. The target of his most recent foray, the New York Times, has not decided how it plans to proceed. While the panelists shied away from condemning actions like Lamo's, they conceded that he sat on his knowledge of the vulnerabilities for too long.
http://online.securityfocus.com/news/358
[Editor's (Ranum) Note: Society takes into account good intentions when laws are written. It doesn't need to revisit things that have been decided to be illegal every time someone feels that the law shouldn't apply to them because their motives are superior.]

--25 & 28 March 2002 Weak Security on eBay Has Users Concerned
Some eBay users have had their accounts commandeered by crackers. The online auction site does not have a lockout policy, so dictionary attacks can be used to seek out passwords.
http://zdnet.com.com/2100-1106-868306.html
eBay does not use Secure Sockets Layer (SSL) by default when transmitting data between users' computers and company servers. One analyst points out that though SSL may not actually add a great deal of security, from the users' perspective it decreases the perceived security risk.
http://news.com.com/2100-1017-870959.html

--25 March 2002 Air Force Network Targeted With Copious Probes
A computer network at Wright-Patterson Air Force Base detected 125,000 probes in a two-hour period. A public affairs officer confirmed reports that the probes originated outside the US and said that the network was not breached.
http://www.fcw.com/fcw/articles/2002/0325/web-af-03-27-02.asp

--25 March 2002 FrontPage Vulnerability Exploited
Using an exploit published by a computer security company, crackers took advantage of a known buffer overflow flaw in IIS's FrontPage Server Extensions to deface three Microsoft websites. A patch for the vulnerability has been available since June of last year.
http://www.newsbytes.com/news/02/175442.html

--25 March 2002 Georgia Tech IT Handled Intrusion Well
The IT people at the Georgia Institute of Technology handled a recent intrusion into a business office server proficiently. They limited access to the server as soon as the problem was discovered, held meetings to assess what they knew and, within three days of the incident, contacted everyone affected by the incident.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69478,00.html
[Editor's (Murray) Note: An ounce of prevention is worth a pound of cure.]

--25 March 2002 Web Services Security
Draft protocols to address web services security that have been submitted to the World Wide Web Consortium (W3C) include XML encryption and key management.
http://zdnet.com.com/2100-1107-867689.html

--21 March 2002 Gartner Explains Why Complete Software Security Won't Happen
Gartner analysts say that while open source software may reach a certain level of security more quickly than proprietary software will, neither will ever be completely secure. Businesses should make purchasing decisions based on product security, and should bolster software security with firewalls, vulnerability assessments and other additional security measures.
http://zdnet.com.com/2100-1107-865731.html

--20 March 2002 Open Source Software Review is Uneven
While open source software is available for users to inspect and alter, Sardonix founder Crispin Cowan says that no one is auditing the software; open source software review is uneven because people tend to examine the more interesting sections of code and ignore the duller ones.
http://zdnet.com.com/2100-1104-864256.html

RECENT TUTORIAL ARTICLES

--26 March 2002 Broadband Security
Individuals with broadband connections at home lack the security resources of a company with an IT department, but they need to protect their machines from attacks nonetheless. Broadband users should install a firewall and remove unnecessary services and components from all their devices before putting them online. Finally, users need to make sure that their online behavior emphasizes security.
http://online.securityfocus.com/infocus/1560
[Editor's (Grefer) Note: Broadband users are urged to employ hardware-based solutions, like the LinkSys, NetGear or DLink DSL/Cable-Routers, which typically include NAT and limited firewall capabilities. Using personal firewall software like ZoneAlarm, Tiny, BlackIce, McAfee Personal Firewall or Norton Internet Security will provide an additional layer of defense.]

--29 March 2002 The Internet's A Root Server and Security
VeriSign's Network Operations Center, which houses the Internet's A root server and several important domain servers, employs considerable physical security, including cameras and biometric scanners in "mantraps" which are triggered when an unauthorized palm is scanned. Though security is high, a VeriSign VP said that even if the A root server went down, the Internet would not feel a significant impact.
http://www.washingtonpost.com/wp-dyn/articles/A33447-2002Mar28.html

--15 March 2002 Developing an Incident Response Plan
It's a good idea to have an incident response plan in place to deal quickly and efficiently with cyber attacks. Among the recommended steps to take: establishing a team, deciding who has the authority to do what, and speaking with law enforcement ahead of time so you know whom to call when an incident does occur.
http://www.cio.com/archive/031502/plan.html

==end==

Please feel free to share this with interested parties via email, but no posting is allowed on web sites.
For a free subscription (and for free posters), e-mail sans@sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers). You will receive your personal URL via email. You may also email with complete instructions and your SD number for subscribe, unsubscribe, change address, add other digests, or any other comments.