**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 15
April 10, 2002

Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz
**********************************************************************

TOP OF THE NEWS

8 April 2002      Cyber Attacks Are Up But Not Reported
5 April 2002      LANL Security Improvements
3 April 2002      Cyber Crime Conviction Overturned
2 & 3 April 2002  Judge Denies Dismissal Motion in DMCA Case

THE REST OF THE WEEK'S NEWS

4 April 2002      NIST Releases Two More Draft Guides
4 April 2002      Sentencing Study Examines Cyber Crime Motives
3 April 2002      eBay Fixes One Security Hole, Still Working on Another
3 April 2002      Expiration Dates for Open Source Software
3 April 2002      Pirates' Software Supplier Pleads Guilty
3 April 2002      Office XP Flaws
2 & 3 April 2002  Brilliant Network Software Bundled with Kazaa
2 April 2002      Cyber Insurance Market is Thriving
2 April 2002      Some Government Sites are Leaking Information
1 April 2002      Proactive Antivirus Software
1 April 2002      What Makes A Great CIO
1 April 2002      Survey Says Only Half of Businesses Have Continuity Plans
1 April 2002      CVE Dictionary Expands to More than 2,000 Items
1 April 2002      Some Sites Still Using Flawed Shopping Cart Software
1 April 2002      Protecting Company Information on the Internet

IN-DEPTH TECHNICAL SECURITY TRAINING (AND MANAGEMENT COURSES) IN THE NEXT 120 DAYS

Large SANS GIAC Certification and Training programs in Toronto, Boston, London, Washington, Denver, New York, and Los Angeles. Smaller programs in Phoenix, Minneapolis, Portland, Colorado Springs, Chicago, Detroit.
Details and registration information: www.sans.org

************************ SPONSORED BY NetIQ **************************

FREE - SANS Top Trends in Security Management
What's the hottest trend shaping security this year? Read the FREE SANS report co-distributed by NetIQ to find out what top industry experts had to say about security management in 2002. Don't get left behind--download the must-have report today!
http://www.netiq.com/f/form/form.asp?id=1009

**********************************************************************

TOP OF THE NEWS

--8 April 2002 Cyber Attacks Are Up But Not Reported
An FBI survey indicates that most businesses have been victims of cyberattacks, but few have chosen to contact law enforcement officials, largely because they feared bad PR.
http://www.usatoday.com/life/cyber/tech/2002/04/08/fbi-survey.htm
http://www.bayarea.com/mld/siliconvalley/business/special_packages/security/3014527.htm
[Editor's (Ranum) Note: I wonder whether they feared bad PR or whether they simply expect that nothing would come of getting law enforcement involved.
(Schultz) I am sure that, as stated in this news item, organizations avoid contacting the FBI after incidents occur because they are afraid of negative PR. But that is not the only reason. Despite good efforts on its part, the FBI has not really established the level of trust and rapport with industry to make turning to the FBI a viable alternative.]

--5 April 2002 LANL Security Improvements
Los Alamos National Laboratories has taken measures to improve security without impeding employee productivity. Employees use tokens that require them to memorize only one PIN; computer peripherals have been moved to a secure vault; and employees have been educated about Internet security.
http://www.govexec.com/dailyfed/0402/040502td2.htm

--3 April 2002 Cyber Crime Conviction Overturned
A computer technician who was convicted of sending his employer a computer virus has had that conviction erased because the jury found the damages to be less than $5,000, the minimum requirement in such a case.
http://www.usatoday.com/life/cyber/tech/2002/04/03/hacker-conviction.htm
http://www.theregister.co.uk/content/55/24688.html
[Editor's (Schultz) Note: This outcome illustrates more flaws in U.S. computer crime legislation.]

--2 & 3 April 2002 Judge Denies Dismissal Motion in DMCA Case
A lawyer for Russian software firm ElcomSoft argued that the US does not have jurisdiction in the case because the transactions took place over the Internet; the judge disagreed and denied the motion to dismiss. Two other motions to dismiss maintain that the Digital Millennium Copyright Act (DMCA) is "too broad and vague" and that the charges against the firm are likely to be unconstitutional.
http://www.usatoday.com/life/cyber/tech/2002/04/02/russian-programmer.htm
http://www.theregister.co.uk/content/55/24691.html

************************** SPONSORED LINKS ****************************

(1) Get flexible, reliable USB-based strong authentication with Aladdin's eToken.
http://www.sans.org/cgi-bin/sanspromo/NB23

(2) THE Security Solution for Authentication, Administration, Auditing for UNIX/LINUX
http://www.sans.org/cgi-bin/sanspromo/NB24

(3) Why anti-virus is no longer enough - FREE Beyond Viruses white paper.
http://www.sans.org/cgi-bin/sanspromo/NB25

***********************************************************************

THE REST OF THE WEEK'S STORIES

--4 April 2002 NIST Releases Two More Draft Guides
The National Institute of Standards and Technology (NIST) has released two draft guides: one concerned with securely configuring e-mail servers and another outlining a systematic process for dealing with software patches.
Comments on the first draft guide are due by April 30; comments on the second are due by May 2.
http://www.fcw.com/fcw/articles/2002/0401/web-nist-04-04-02.asp

--4 April 2002 Sentencing Study Examines Cyber Crime Motives
A member of the United States Sentencing Commission is conducting a study that could produce new sentencing guidelines for computer criminals. The USA Patriot Act lumps all cyber criminals together, but the results of the study could provide for lesser sentences for some, depending on their motives. Jennifer Granick, litigation director at the Stanford Center for Internet and Society, is skeptical that the minimum sentences will be reduced.
http://online.securityfocus.com/news/363

--3 April 2002 eBay Fixes One Security Hole, Still Working on Another
On-line auction company eBay has fixed a security hole in a password-changing function that could have allowed unauthorized people to gain access to others' accounts. The company is also working on a fix for a dictionary attack vulnerability.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69781,00.html
http://zdnet.com.com/2100-1106-874389.html

--3 April 2002 Expiration Dates for Open Source Software
Jon Lasser proposes building expiration dates into open source networking and security software to ensure that people are running more secure and interoperable versions.
http://online.securityfocus.com/columnists/72
[Editor's (Ranum) Note: If a new vulnerability comes out you need to be able to expire a version of software _right_ _now_ - in order to make that work, it's just a small incremental cost (I'm not saying this is an easy problem, though!) to simply make the software update itself with a newer version in near-real time.
(Grefer) Any such immediate expiration functionality can and will also be targeted as an additional attack vector.]

--3 April 2002 Pirates' Software Supplier Pleads Guilty
Nathan Hunt, who supplied software to an international piracy group, pleaded guilty to one count of conspiracy to commit copyright infringement; he could receive a sentence of up to five years in prison and a fine of $250,000.
http://www.msnbc.com/news/733694.asp?0dm=T218T

--3 April 2002 Office XP Flaws
Georgi Guninski has found two security holes in Microsoft's Office XP. The first hole, in Outlook XP, could allow active content to be embedded in e-mail, which could forcibly direct a user to a specific web page. The other hole, in Office XP's spreadsheet, could be used to put certain files in the start-up directory and, when used in conjunction with the first hole, could be exploited to take control of the affected machine.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69779,00.html

--2 & 3 April 2002 Brilliant Network Software Bundled with Kazaa
Brilliant Digital Entertainment has been sending out software bundled with Kazaa file-trading software; Brilliant's goal is to create a giant network for content distribution or distributed computing projects, but the company CEO says no computer would be used without its owner's permission.
http://zdnet.com.com/2100-1105-873416.html
http://zdnet.com.com/2100-1107-874885.html
http://zdnet.com.com/2100-1105-875111.html
How to uninstall the Brilliant software:
http://zdnet.com.com/2100-11-875278.html

--2 April 2002 Cyber Insurance Market is Thriving
Revenues from cyber insurance purchases reached almost $100 million in 2001. Businesses are purchasing the policies because traditional business coverage policies are being written to exclude the threats posed by digital vectors of attack. Some experts say the insurance industry could begin to mandate security practices and products.
http://www.businessweek.com/bwdaily/dnflash/apr2002/nf2002042_8163.htm [Editor's (Paller) Note: The estimates of industry growth information in this article are far greater than estimates SANS has received from insurance industry insiders. One potential explanation is that marketing people in the insurance industry are renaming policies they already had in place (and are renewing), and calling them cyber insurance policies. Reinsurance industry executives tell us that there is a critical problem in the application of the insurance model to cyber crimes - leading to policy language that excludes many of the more important threats.] --2 April 2002 Some Government Sites are Leaking Information A French security group says that several US government web sites running on Domino servers have allowed access to internal documents. A spokesman for the Federal Judicial center, which tuns one of the affected web sites, says no sensitive data were exposed. http://www.computerworld.com/storyba/0,4125,NAV47_STO69764,00.html --1 April 2002 Proactive Antivirus Software New software from Network Associates looks for holes that worms are likely to exploit so they can be fixed before an infestation. http://news.com.com/2100-1001-873157.html [Editor's (Grefer) Note: Interesting how they are trying to sell a pair of old shoes (with holes in them) as brand new sandals. Vulnerability scanners have been around for quite a while, as have a multitude of utilities to check current patch levels.] --1 April 2002 What Makes A Great CIO Tips for becoming a top-notch CIO include advice in such areas as communication, vision, security sense and best practices. Also included are examples of excellence among government CIOs and deputy CIOs. 
http://www.govexec.com/features/0402/0402s5.htm
http://www.govexec.com/features/0402/0402s5s2.htm
http://www.govexec.com/features/0402/0402s5s1.htm

--1 April 2002 Survey Says Only Half of Businesses Have Continuity Plans
A survey conducted by Ernst and Young two months after the September 11th attacks revealed that only about half of the companies polled had business continuity plans in place; even fewer had awareness and training programs established. While some security experts say two months is enough time to get a plan in place, others maintain the process requires more time. The article includes a list of questions to ask about your business and security.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69705,00.html

--1 April 2002 CVE Dictionary Expands to More than 2,000 Items
The Common Vulnerabilities and Exposures (CVE) lexicon, which began in 1999 with 321 entries, now contains 2,032 standardized descriptions of security holes. There are nearly 2,000 additional entries currently under review.
http://www.gcn.com/vol1_no1/daily-updates/18320-1.html
http://cve.mitre.org/

--1 April 2002 Some Sites Still Using Flawed Shopping Cart Software
Two web sites are still running unpatched versions of PDG shopping cart software that publishes customer credit card details on the web. The security hole was discovered nearly a year ago, and PDG contacted its customers by phone and e-mail to inform them about the problem and tell them how to fix it.
http://www.msnbc.com/news/732515.asp?0dm=C11LT

--1 April 2002 Protecting Company Information on the Internet
Companies may be surprised at how much of their intellectual property is available on the Internet. Companies would be well advised to see who is linking to their web site and not to put too much information in their job postings.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69658,00.html

**************** Awesome TCP/IP Header T-Shirt Offer *****************

One of the most popular items that we sell at conferences is our TCP/IP Header T-shirt. The unique aspect of the shirt is that the TCP and IP header diagram is upside down, allowing the wearer to actually use the shirt to decode packets. Show the world you can decode hex! For a limited time, we are making the shirt available via mail order from the SANS Store, so if you missed it at a conference, this is your chance. While supplies last, the T-shirt is available for 15.00 (plus shipping), a five dollar savings from the normal price. To get yours, visit:
http://www.sansstore.org/

***********************************************************************

==end==

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) e-mail sans@sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers.) You will receive your personal URL via email. You may also email with complete instructions and your SD number for subscribe, unsubscribe, change address, add other digests, or any other comments.