NEWS: This Week in Security
Results 1 to 2 of 2

Thread: NEWS: This Week in Security

  1. #1
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,121

    NEWS: This Week in Security

    The Week in Security, brought to you by the SANS Institute.
    *********************************************************************
    SANS NEWSBITES
    The SANS Weekly Security News Overview
    Volume 4, Number 29 July 17, 2002
    Editorial Team:
    Kathy Bradford, Dorothy Denning, Roland Grefer,
    Bill Murray, Stephen Northcutt, Alan Paller,
    Marcus Ranum, Eugene Schultz
    *********************************************************************

    TOP OF THE NEWS
    16 July 2002 Government and Industry Agree On Minimum Security
    Configuration Benchmarks
    15 July 2002 OMB Establishes Security Measurements for Agencies
    12 July 2002 Will Home Appliances Be the Next Target For Viruses?
    10 July 2002 British ISPs Have Two Weeks to Set Up Tracking Systems
    11 July 2002 Congressional Committee Adds Cybersecurity Program to
    Homeland Security Bill

    THE REST OF THE WEEK'S NEWS
    15 July 2002 Elcomsoft Posts More Adobe Vulnerabilities
    15 July 2002 Frethem Variant Making the Rounds
    15 July 2002 House Overwhelmingly Approves CSEA
    15 July 2002 Operation Dark Screen To Test US Response To Cyber Attack
    10 & 15 July 2002 Consulting Firms Lobby For Federal Insurance
    Against Liability
    15 July 2002 IT Professionals Enumerate Their Security Gripes
    12 July 2002 Chemical Industry is Developing Cyber Security Strategy
    12 July 2002 Microsoft SQL Labs is Not Using its Own Security Product
    11 July 2002 Telecom Hacker Charged
    11 & 15 July 2002 Liberty Alliance Releases Identity Authentication
    Standard
    12 July 2002 Study Finds Attacks On Open Source Increasing; Windows
    Decreasing
    12 July 2002 USA Today Web Site Hacked
    11 July 2002 Vulnerabilities in CDE ToolTalk
    11 July 2002 Datom.A Windows Virus/Worm Masquerades as Microsoft
    Update
    11 July 2002 PGP Flaw Puts Outlook Users At Risk
    11 July 2002 Security Flaw in Outlook Exposed Before Patch Was
    Available
    10 July 2002 Two Men Arrested in Brazil for ATM Hack
    10 July 2002 Al Qaeda Uses Internet for Communications
    9 July 2002 Phone Service Web Log Exposes Student Data
    9 July 2002 W32.Liac.A Worm
    8 July 2002 Reporter Says Survey Says Users Want Vulnerabilities
    Disclosed
    8 July 2002 Critical Infrastructure Protection Exercise
    8 July 2002 Copyright Hack Back Law Not a Good Idea
    8 July 2002 Security Researcher Claims Apple Update Vulnerable
    8 July 2002 Proposed XML Security Standards
    9 July 2002 Philippine Internet Service Group To Fight Back Against
    Hackers
    5 July 2002 Virus Traced to Temp Worker
    1 July 2002 Where's The Money in Security




    TOP OF THE NEWS

    --16/17 July 2002 Government/Industry Alliance Announces Minimum
    Security Configuration Benchmarks
    In a high-tech, high-powered version of a neighborhood watch,
    a group of government agencies and industry leaders announce
    today a common set of standards and software to fight computer
    hacking. The initial security benchmark applies to Microsoft
    Windows 2000 Professional. Benchmarks for other operating systems,
    including Cisco IOS, Solaris, and other Microsoft products are being
    developed. Government agencies involved include the National Institutes
    of Standards and Technology, the National Security Agency, The General
    Services Administration and the Defense Information Systems Agency.
    The Center for Internet Security, which published the benchmark, also
    released a free tool that tests systems, scores them on compliance
    with the benchmark, and guides users to the corrections needed to
    raise the score.
    http://www.foxnews.com/story/0,2933,57870,00.html
    http://www.washingtonpost.com/wp-dyn...2002Jul16.html

    --15 July 2002 OMB Establishes Security Measurements for Agencies
    The Office of Management and Budget released new regulations providing
    specific measures to evaluate performance of federal security managers
    and CIOs.
    http://www.fcw.com/fcw/articles/2002...a-07-15-02.asp
    The regulations: http://www.whitehouse.gov/omb/memoranda/m02-09.pdf
    [Editor's Note (Paller): An important element is missing from the
    regulation, but could be easily added. NASA and other organizations
    have provided proof that safe configuration of systems can be measured
    and does reduce attacks. And the benchmarks announced today provide
    additional measurement tools. OMB could ask agencies to measure the
    safety of their systems' configuration as an essential part of their
    security report card.]

    --12 July 2002 Will Home Appliances Be the Next Target For Viruses?
    Virus expert Eugene Kaspersky warns that embedded computers in home
    appliances provide an appealing target for virus writers because they
    will have a common operating system and millions of potential victims.
    http://zdnet.com.com/2100-1103-943408.html
    [Editor's Note (Schultz): Kaspersky might well be correct.
    The monoculture that Microsoft has created has already proverbially
    bitten us several times, and Murphy's Law says that matters will only
    get worse.
    (Grefer): Kaspersky's warning should serve as a reminder to include
    defense mechanism in the appliances' operating system(s), and
    preferably design it with security in mind, rather than trying to
    apply security as an after-thought.]

    --10 July 2002 British ISPs Have Two Weeks to Set Up Tracking Systems
    The British Home Office is requiring that Internet Service Providers
    (ISPs) in the United Kingdom intercept and store electronic
    communications such as faxes, e-mails, and Web surfing information in
    an effort to curb organized crime and terrorism. The new Regulation of
    Investigatory Powers Act (RIPA), which goes into effect on August 1,
    exempts ISPs with fewer than 10,000 customers.
    http://news.zdnet.co.uk/story/0,,t269-s2118894,00.html

    --11 July 2002 Congressional Committee Adds Cybersecurity Program
    to Homeland Security Bill
    House Energy and Commerce Committee passed a version of HR 5005,
    the Homeland Security Bill, after adding a specific cybersecurity
    component. The new program will be a resource to other federal agencies
    to help identify and correct weaknesses in federal computer systems.
    http://www.govexec.com/dailyfed/0702/071102td1.htm


    THE REST OF THE WEEK'S NEWS

    --15 July 2002 Elcomsoft Posts More Adobe Vulnerabilities
    Elcomsoft has posted details of security vulnerabilities in Adobe's
    eBook software on the BugTraq and Vuln-dev mailing lists; the company
    did not inform Adobe of the problems before the postings. Elcomsoft is
    the Russian company at the center of a case brought under the Digital
    Millennium Copyright Act (DMCA).
    http://www.vnunet.com/News/1133551

    --15 July 2002 Frethem Variant Making the Rounds
    The Frethem worm exploits a Microsoft Outlook vulnerability that
    executes attachments when e-mail is previewed. Users who have
    installed the patch to fix the flaw can still become infected
    if they click on the .exe attachment that accompanies the worm.
    Apart from bogging down corporate e-mail systems, Frethem does not
    appear to carry a malicious payload. The worm is a variant of one
    released several weeks ago. Frethem was reported to have already
    hit twenty-five organizations, including the National Institute of
    Standards and Technology (NIST).
    http://www.msnbc.com/news/780651.asp?0dm=C21BT

    --15 July 2002 House Overwhelmingly Approves CSEA
    By a vote of 385-3, the House of representatives approved the Cyber
    Security Enhancement Act (CSEA), which provides for life sentences
    for people convicted of malicious cyber crimes. The bill now heads
    to the Senate.
    http://news.com.com/2100-1040-944023.html

    --15 July 2002 Operation Dark Screen To Test US Response To Cyber
    Attack
    Federal, state and local officials are partnering with utility
    companies in a test of the nation's response to cyberattacks. The
    University of Texas at San Antonio and the Air Force Air Intelligence
    Agency, Lackland Air Force Base, Texas are taking the lead in this
    project sponsored by Texas Congressman Ciro Rodriguez.
    http://www.fcw.com/geb/articles/2002...k-07-15-02.asp

    --10 & 15 July 2002 Consulting Firms Lobby For Federal Insurance
    Against Liability
    Businesses that plan to manufacture products to be used in homeland
    defense want indemnity from liability should their products fail
    on the job. Representative Tom Davis (R-Va.) plans to attach such
    a provision to the Homeland Security Bill wending its way through
    the legislature. The amendment would place the onus of liability on
    the government rather than the companies. Companies may be reluctant
    to bid on homeland defense contracts if they are required to shoulder
    the associated burden of product failure liability.
    http://digitalmass.boston.com/news/w...hes_leg:.shtml
    http://www.fcw.com/fcw/articles/2002...e-07-15-02.asp
    [Editor's Note (Murray): Microsoft, Sun, and IBM enjoy no such
    protection and do not seem to need it.
    (Grefer) Without liability, companies could deliver "anything"
    at any level of quality, without risking any repercussions.
    (Schultz) It's ironic how consulting firms are so apt to point out
    the lack of responsibility organizations frequently demonstrate
    in securing their own systems and networks, but now try to avoid
    responsibility for what they deliver.]

    --15 July 2002 IT Professionals Enumerate Their Security Gripes
    A survey of more than 1200 security professionals, including system
    administrators, consultants and auditors yielded a list of their
    security frustrations. Topping the list are bosses who won't provide
    an adequate budget and who undermine initiatives, and who ignore
    simple precautions by taping passwords to monitors, failing to update
    anti-virus software and clicking on attachments of unknown origin.
    http://www.uniontrib.com/news/uniont...b15securi.html

    --12 July 2002 Chemical Industry is Developing Cyber Security
    Strategy
    The US chemical industry is developing a plan to improve cyber security
    at chemical facilities; the plan will be submitted for inclusion in the
    White House's National Strategy for Protecting Cyberspace. The plan
    is flexible enough to allow IT managers at various chemical facilities
    to select appropriate modules for their individual organizations.
    http://www.computerworld.com/governm...,72672,00.html

    --12 July 2002 Microsoft SQL Labs is Not Using its Own Security
    Product
    Microsoft's SQL Labs is using a NetScreen security appliance instead
    of its own Internet Security and Acceleration (ISA) Server to protect
    its systems against Nimda and other worm threats.
    http://computerworld.com/securitytop...,72686,00.html

    --11 July 2002 Telecom Hacker Charged
    A 22-year-old Sydney man has been charged with "unauthorised
    modification of data with intent to cause impairment to a computer."
    The man allegedly accessed the accounts of more than 400,000 Optus
    dial-up Internet customers; his arrest is the result of a six-month
    investigation.
    http://www.themercury.news.com.au/co...0,5936,4683306^421,00.html

    --11 & 15 July 2002 Liberty Alliance Releases Identity Authentication
    Standard
    The Liberty Alliance, which includes Sun Microsystems, American
    Express and Sony, among other companies, released a standard for
    Internet identity authentication. The standard facilitates logging
    into a variety of systems. The standard also gives rise to concerns
    of on line profiling and data security threats.
    http://www.usatoday.com/life/cyber/2...nternet-id.htm
    http://www.wired.com/news/business/0,1367,53859,00.html
    [Editor's Note (Murray): It seems likely that the identity of users
    in the WWW will be vouched for by trusted third parties. I think
    that it is noble of Microsoft to volunteer for this role. However,
    the role already belongs to the credit card companies. They also
    vouch for payment. Given a choice between MS and AmEx, I choose AmEx.]

    --12 July 2002 Study Finds Attacks On Open Source Increasing;
    Windows Decreasing
    London-based consulting firm mi2g reports 7,630 digital attacks
    on Linux systems in the first six months of 2002 vs. 5,736 attacks
    on Linux systems for all of 2001. Conversely, attacks on Microsoft
    Windows/IIS have fallen by 20 percent in the first six months of 2002
    to 9,404 compared to 11,828 in the same period of 2001.
    http://www.content-wire.com/security...cs=121&cs=2045
    [Editor's Note (Schultz): The credibility of data such as these is at
    best questionable. For one thing, can mi2g say unequivocally that
    they standardized and applied a consistent definition of "attack?"
    Additionally, attacks in and of themselves are commonplace. What about
    "successful attacks." Caveat emptor!]

    --12 July 2002 USA Today Web Site Hacked
    The "USA Today" Website was defaced with six bogus stories late
    Thursday July 11, 2002. The site was taken offline for three hours
    and was restored at 2 am Friday morning.
    http://www.reuters.com/news_article....toryID=1195754
    http://www.usatoday.com/news/site-vandalism.htm

    --11 July 2002 Vulnerabilities in CDE ToolTalk
    CERT/CC released a security bulletin warning of flaws in the ToolTalk
    component of the Common Desktop Environment (CDE). The flaws could be
    exploited to launch a denial of service attack or to overwrite files.
    http://www.computerworld.com/securit...,72666,00.html
    http://www.cert.org/advisories/CA-2002-20.html

    --11 July 2002 Datom.A Windows Virus/Worm Masquerades as Microsoft
    Update
    A worm that purports to be "Copyrighted Microsoft Code" is spreading.
    It contains three programs, MSVXD.exe, MSVXD16.dll and MSVXD32.dll,
    which work together to delete personal firewalls and for other
    mischief. The worm uses innovative tricks to hide itself.
    http://www.vnunet.com/News/1133455

    --11 July 2002 PGP Flaw Puts Outlook Users At Risk
    A buffer overflow flaw in certain versions of the Microsoft Outlook
    implementation of Pretty Good Privacy (PGP) allows hackers to send a
    special email to gain control of the target system. Network Associates
    has posted a patch for the vulnerability.
    http://www.usatoday.com/life/cyber/t...1/pgp-hack.htm
    http://www.theregister.co.uk/content/55/26145.html
    http://www.computing.vnunet.com/News/1133441
    The Network Associates patch:
    http://www.nai.com/naicommon/downloa...-pgphotfix.asp

    --11 July 2002 Security Flaw in Outlook Exposed Before Patch Was
    Available
    Security Researcher Thor Larholm issued an advisory about a cross
    domain scripting flaw in Web Browser ActiveX Control that can
    give attackers the ability to read files and execute malicious
    code. Microsoft claims it is not an important problem and criticized
    Larholm for releasing the advisory before a fix was available.
    http://news.zdnet.co.uk/story/0,,t269-s2118911,00.html
    http://www.finjan.com/mcrc/alert_sho..._release_id=73

    --10 July 2002 Two Men Arrested in Brazil for ATM Hack
    Brazilian police have arrested two men - an electrician and an IT
    specialist - who allegedly installed a device inside ATMs to gather
    card numbers and placed digital cameras outside the machines to
    capture the corresponding PIN numbers.
    http://www.vnunet.com/News/1133401

    --10 July 2002 Al Qaeda Uses Internet for Communications
    Unnamed officials say Al Qaeda is using the Internet to spread
    propaganda, recruit members and solicit donations to fund their cause.
    The group also uses web sites to communicate in Arabic, often encrypts
    its transmissions, and changes web addresses frequently.
    http://www.newsfactor.com/perl/story/18535.html

    --9 July 2002 Phone Service Web Log Exposes Student Data
    The permission level to access web logs at Resicom,
    a telecommunications (company) that provides intra-campus phone
    services to colleges, was set too low, allowing people to search for
    student names, social security numbers and addresses. The personal
    data of about 2,000 students had the security flaw; Resicom says it
    has fixed the problem.
    http://computerworld.com/securitytop...,72584,00.html
    http://story.news.yahoo.com/news?tmp...9/tc_cn/942274

    --9 July 2002 W32.Liac.A Worm
    W32.Liac.A is a worm written in Visual Basic Script (VBS) that
    arrives with an attachment purporting to be a video clip. The worm
    mails itself out to everyone in the Outlook address book, modifies
    the registry and displays this error message: "Error54: Media Player
    not installed correctly."
    http://www.itweb.co.za/sections/comp...0207091142.asp

    --8 July 2002 Reporter Says Survey Says Users Want Vulnerabilities
    Disclosed
    A reporter at the Register concludes that a survey conducted by the
    Hurwitz group found that end-users are overwhelmingly in favor of
    full disclosure for computer vulnerabilities. Thirty-nine percent
    of the more than 300 survey participants wanted the vulnerabilities
    disclosed immediately upon discovery, while another twenty-eight
    percent wanted them disclosed within a week.
    http://www.theregister.co.uk/content/55/26090.html
    [Editor's Note (Denning): The reporter's conclusion is not accurate
    if you define "full disclosure" to include publication of exploit
    code (which I do). The survey found that only 13% favored posting
    "proof of concept" exploit software.]

    --8 July 2002 Critical Infrastructure Protection Exercise
    The Blue Cascades regional critical infrastructure protection
    exercise was held in Portland, Oregon in mid June. The exercise
    focused on power outages coupled with natural gas infrastructure and
    telecommunications failures, and highlighted the problems that attend
    interdependent systems. An action plan based on the results of the
    exercise will be released soon.
    http://computerworld.com/securitytop...,72532,00.html

    --8 July 2002 Copyright Hack Back Law Not a Good Idea
    Computerworld senior columnist Frank Hayes finds the legislation
    proposed by Representative Howard Berman (D-Calif.) - which would
    allow copyright holders to launch cyber attacks against peer-to-peer
    networks and others suspected digital content piracy - reprehensible.
    Hayes observes that the law could be interpreted to justify hacking
    back at companies suspected of proprietary information theft and
    could be used by crackers who say if the studios can do it, so can we.
    http://www.computerworld.com/securit...,72519,00.html
    [Editor's Note (Schultz): Hays has spoken well--Berman, the apparent
    new champion of cybervilaganteeism, is way out of line.]

    --8 July 2002 Security Researcher Claims Apple Update Vulnerable
    Russell Harding of the University of Colorado claims a vulnerability
    in Mac OS 10.1.X and possibly 10.0.X allows hackers to hijack automatic
    software updating and install malicious programs on any Mac.
    http://www.vnunet.com/News/1133364
    http://news.com.com/2100-1001-942265.html

    --8 July 2002 Proposed XML Security Standards
    This article describes five proposed security-related XML standards:
    XML Encryption (Xenc), XML signatures (XML-SIG), XML key management
    specification (XKMS), extensible access control markup language
    (XACML) and Security assertion markup language (SAML).
    http://techupdate.zdnet.com/techupda...873295,00.html

    --9 July 2002 Philippine Internet Service Group To Fight Back
    Against Hackers
    Members of the Philippine Internet Service Organization (PISO) will
    work together to share information on spammers and hackers. Each
    participating ISP will promise to cut off access for any uncooperative
    user who is a danger to the Internet community. Spammers who do not
    cooperate will not only have their service terminated, but their
    phone numbers will also be posted on an information exchange provided
    by PISO.
    http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=8485
    [Editor's Note (Murray): We must hold ISPs responsible for some
    of the behavior of the users that they connect to the Internet.
    AOL sets the example for how it should be done. AOL enforces its
    acceptable use policies for the benefit of its users and the rest
    of us. PISO is recognizing what other ISPs will have to recognize.]

    --5 July 2002 Virus Traced to Temp Worker
    A temporary agency worker at the Aberdeen (Scotland) city council
    was fired for allegedly allowing the Metrion-B virus to infect the
    computer system. The virus infects executables and overwrites batch
    and HTML files. An estimated 200 PCs were infected, and the Council
    shut down its entire computer system to avoid any further infection.
    Police are exploring the possibility that the virus, which does not
    spread through e-mail, was deliberately introduced.
    http://www.theregister.co.uk/content/56/26067.html

    --1 July 2002 Where's The Money in Security
    Most managed security firms, security consulting firms and security
    product firms have seen their hopes of a post-911 surge in business
    dashed by the economic recession. But a few organizations, the federal
    contractors that already had security practices, are doing very well.
    http://www.fcw.com/fcw/articles/2002...e-07-01-02.asp

  2. #2
    Banned
    Join Date
    Jul 2002
    Posts
    33
    Whoa, now that's alotta news. Thanks xmaddness.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •