Brought to you by our friends at the SANS Institute.

***********************************************************************
SANS NewsBites July 31, 2002 Vol. 4, Num. 31
***********************************************************************

TOP OF THE NEWS
25 & 26 July 2002 Princeton Admissions Dean Charged with Hacking
Yale Admissions Site
26 July 2002 New DoD IDs Will Contain Biometrics
25 July 2002 Eli Lilly Settles Data Exposure Case
25 July 2002 Legal Liability Due to Unsecured Wireless Network
24 & 26 July 2002 Man Indicted for Accessing Wireless Network

THE REST OF THE WEEK'S NEWS
29 July 2002 RIAA Hit with DoS Attack
26 July 2002 Perens Declines to Provide Details on DVD Hack for Fear
of Violating DMCA
25 July 2002 ACLU Case Challenges DMCA on Behalf of Filtering
Researcher
29 July 2002 Wireless Honeypot
29 July 2002 Symbols of Security are No Guarantee
26 July 2002 NIST Releases Two More Draft Security Guides
25 July 2002 SQL and Exchange Server Vulnerabilities
25 July 2002 Employees Fired in Grade Altering Scheme at Florida
School
25 July 2002 New Security Specification for Flash Memory Cards
25 July 2002 Keeping Your Computer Safe
25 July 2002 NASCIO Takes First Step Toward Forming ISAC
25 July 2002 Police and Computer Science Students Collaborate in Tulsa
23 July 2002 National Cyber Security Strategy Plans to Extend Cyber
Corps to State Level
23 July 2002 Microsoft Changes Vulnerability Reporting Method
23 & 24 July 2002 Malware Changes MSNTV Dial Up Number to 911
23 July 2002 NASCIO Report Urges Cooperation, Info Sharing
22 July 2002 The Long Arm of Cyber Law Reaches Beyond National Borders
17 July 2002 Symantec Buys BugTraq



TOP OF THE NEWS

--25 & 26 July 2002 Princeton Admissions Dean Charged with Hacking
Yale Admissions Site
Princeton University associate dean of admissions Stephen LeMenager
has been placed on administrative leave after evidence surfaced that
computers there were used to log in to a Yale University admissions
website without authorization. LeMenager maintains he was merely
testing the security of the site, which allows Yale applicants to
find out whether or not they have been accepted; birthdates and
social security numbers are used as authentication tools. The site
was apparently accessed from a variety of computers. The FBI is
assessing the situation to determine if federal charges are applicable.
http://www.yaledailynews.com/article.asp?AID=19455
http://www.cnn.com/2002/US/07/25/yal...ton/index.html
http://www.washingtonpost.com/wp-dyn...2002Jul25.html
http://www.computerworld.com/securit...,73065,00.html

--26 July 2002 New DoD IDs Will Contain Biometrics
Future generations of Defense Department ID cards will contain
biometric data in an embedded computer chip; presently used cards
already contain chips with such personal data as name, rank and
serial number. The cards will be used not just for physical access
to facilities, but also for access to computer files.
http://www.washingtonpost.com/wp-dyn...2002Jul26.html
[Editor's Note (Northcutt): This is an amazing project
and a victory for Federal Information Processing Standard 140.
Netscape has a great FAQ to help get up to speed fast on FIPS 140-1
http://developer.netscape.com/tech/s.../fips/faq.html
The document itself, which is not for the faint of heart:
http://www.itl.nist.gov/fipspubs/fip140-1.htm
The Schlumberger press release has some more information about
the cards:
http://www1.slb.com/smartcards/infosec/dod.html]

--25 July 2002 Eli Lilly Settles Data Exposure Case
Pharmaceutical manufacturer Eli Lilly and eight US states have agreed
to a settlement in a case involving Lilly's inadvertent exposure
of more than 650 customer e-mail addresses. In addition to paying
a $160,000 fine to be split among the states, Lilly must improve
internal security practices.
http://www.computerworld.com/securit...,72978,00.html
[Editor's Note (Murray): Security managers take note. Do not be
misled by the fact that the state was the plaintiff. A one-time leak
of only 650 names results in a $160K loss. I suspect that the cost
of litigation was ten times that.]

--25 July 2002 Legal Liability Due to Unsecured Wireless Network
This article discusses a hypothetical liability, but there is an
actual case in the Scottish courts that is testing the "downstream
liability" concept. A Scottish ISP is suing Nike because hackers were
able to redirect people wishing to visit the Nike site, to another
site. This disrupted service for the ISP's customers.
http://techupdate.zdnet.co.uk/story/...119788,00.html
A brief on the legal aspects may be found at
http://www.lanepowell.com/pressroom/...tisonk_001.pdf
[Editor's Note (Schultz): To date there has been a lot more "hype"
than substance to the downstream liability issue. The verdict of this
case will be interesting. If the ruling is in favor of the plaintiff,
it could open the door for more downstream liability suits.
(Northcutt): The legal story is fascinating and worth tracking.
On the technology front for wireless, guest editor Bryce Alexander,
GCIA points out: "802.1X is an up and coming standard for layer two
security, it grew out of the wireless world, but is equally good at
protecting Ethernet. Most people are looking at it as a wireless only
security, but I am seeing a lot of support growing for it being used
as port level security across the board.
It does require some ancillary equipment such as a RADIUS or other
authentication server. Network equipment like Cisco Catalyst switches
and wireless access points are aware of 802.1x and with it enabled,
won't even allow a device onto the network until it is validated
with an authentication server. This helps to eliminate most layer
two exploits such as ARP poisoning and MITM.
Here are a couple of URLs for more information.
http://msdn.microsoft.com/library/de...entication.asp
http://www.microsoft.com/windowsxp/p.../solutions.asp
http://www.cisco.com/warp/public/784...ive/apr02.html]

--24 & 26 July 2002 Man Indicted for Accessing Wireless Network
Stefan Puffer has been indicted by a grand jury on two counts of fraud
for accessing a wireless network at the county district clerk's office.
Puffer allegedly accessed the network on March 8; on March 18,
Puffer demonstrated to a county official and a newspaper reporter
the ease with which he was able to access the network using only a
laptop computer and an inexpensive wireless LAN card. The March 8
intrusion did no damage, but the network has been shut down because
it lacked security.
http://www.chron.com/cs/CDA/story.hts/tech/news/1507766
http://www.theregister.co.uk/content/55/26397.html


THE REST OF THE WEEK'S NEWS

--29 July 2002 RIAA Hit with DoS Attack
RIAA.org, the web site of the Recording Industry Association of America
(RIAA), was hit by a denial-of-service attack lasting from Friday,
July 26 until today. No one has claimed responsibility for the
attack, which comes after the RIAA endorsed legislation proposed by
Representative Howard Berman (D-Calif.) which would allow copyright
holders to hack back at peer-to-peer networks which violate copyright
laws.
http://news.com.com/2100-1023-947072.html?tag=fd_top

--26 July 2002 Perens Declines to Provide Details on DVD Hack for
Fear of Violating DMCA
Bruce Perens had planned to reveal his method for circumventing the
protections on US-bought DVD players that prevent them from playing
most DVDs purchased in other "zones." His employer, Hewlett Packard,
stepped in and convinced him not to disclose the details of his work
at an open source convention because they were fearful he would be
arrested and prosecuted for violating the Digital Millennium Copyright
Act (DMCA).
http://zdnet.com.com/2100-1104-946792.html
http://www.wired.com/news/business/0,1367,54168,00.html

--25 July 2002 ACLU Case Challenges DMCA on Behalf of Filtering
Researcher
The American Civil Liberties Union (ACLU) has filed a lawsuit
challenging several parts of the 1998 Digital Millennium Copyright
Act (DMCA) on behalf of a young researcher. Ben Edelman evaluates
filtering software used in public schools and libraries; the software
often includes an encrypted list of banned sites. Edelman wants to
decrypt and publish the banned list that accompanies N2H2's filtering
software; he also wants to distribute the utility used to decrypt
the list.
http://zdnet.com.com/2100-1106-946270.html
http://www.reuters.com/news_article....toryID=1253564

--29 July 2002 Wireless Honeypot
Researchers at the Science Applications International Corporation
(SAIC) have built the Wireless Information Security Experiment
(WISE), a wireless honeypot designed to attract wireless hackers
and to gather information on their activities. Due to the nature
of wireless networks, it may be difficult to differentiate between
deliberate war drivers and those who discover the network by accident.
http://online.securityfocus.com/news/552

--29 July 2002 Symbols of Security are No Guarantee
Security seals and lock icons do not guarantee a site's security,
according to Netcraft. Many sites that display the images may be
vulnerable to security exploits.
http://www.smh.com.au/articles/2002/...818508949.html
The article is based on information from the following links:
http://www.theregister.co.uk/content/6/26344.html
http://www.netcraft.com/survey/

--26 July 2002 NIST Releases Two More Draft Security Guides
The National Institute of Standards and Technology's (NIST's)
Computer Security Division has released two more draft guides for
federal agencies: a highly technical wireless security guide and a
security training guide for CIOs and program managers. Comments on
the wireless guide are due September 1; comments on the training
guide are due August 16.
http://www.fcw.com/fcw/articles/2002...t-07-26-02.asp

--25 July 2002 SQL and Exchange Server Vulnerabilities
Microsoft has released advisories warning of a variety of security
vulnerabilities in SQL Server 2000 database, Exchange Server and
metadirectory service. Three of the security flaws, all in SQL
Server 2000, are deemed critical: two buffer overflow holes, which
could allow an attacker to gain control of vulnerable systems, and
a denial-of-service vulnerability. A patch is available.
http://news.com.com/2100-1001-946333.html
http://www.computerworld.com/securit...,72967,00.html
SQL Critical Severity Vulnerabilities:
http://www.microsoft.com/technet/sec...n/MS02-039.asp
SQL Moderate Severity Vulnerabilities:
http://www.microsoft.com/technet/sec...n/MS02-038.asp
Exchange Server advisory:
http://www.microsoft.com/technet/sec...n/MS02-037.asp
Metadirectory advisory:
http://www.microsoft.com/technet/sec...n/MS02-036.asp

--25 July 2002 Employees Fired in Grade Altering Scheme at Florida
School
Three students have been expelled and two employees fired from Florida
Memorial College for their involvement in a grade-altering scheme.
Insiders in the registrar's office allegedly used their valid
passwords to access and significantly change students' grades in
exchange for money. An additional 69 people face disciplinary action.
The scheme was discovered during a routine grade audit held in May.
http://www.miami.com/mld/miamiherald...al/3728808.htm

--25 July 2002 New Security Specification for Flash Memory Cards
A group of five companies calling itself 5C has announced the creation
of the Mobile Commerce Extension Specification for flash memory cards.
5C is hopeful the new specification will make flash memory cards
useful and desirable to industries that store sensitive information
like medical records and financial data. The specification, which
can be used in all major flash memory card formats, will help prevent
data from being stolen during wireless transmission, and the data will be
inaccessible if a lost card is found by a stranger.
http://news.com.com/2100-1040-946353.html

--25 July 2002 Keeping Your Computer Safe
The author advises protecting yourself from lurking cyber dangers
by choosing Macs or Linux over Microsoft products. If that is not
a possibility, apply all patches, use anti-virus software, firewalls
and a safe password. You should also employ secure practices, like not
opening unexpected attachments, maintaining several e-mail addresses
for various purposes, and being cautious about giving out personal
information on the Internet.
http://news.bbc.co.uk/2/hi/technology/2143630.stm

--25 July 2002 NASCIO Takes First Step Toward Forming ISAC
The National Association of State Chief Information Officers (NASCIO)
has signed an agreement with the FBI's National Infrastructure
Protection Center (NIPC) that will let the states receive computer
and physical security threat alerts. The agreement is a step toward
the establishment of an Interstate Information Sharing and Analysis
Center (ISAC).
http://www.fcw.com/geb/articles/2002...c-07-25-02.asp

--25 July 2002 Police and Computer Science Students Collaborate
in Tulsa
Police in Tulsa, Oklahoma are working with computer science students
at the University of Tulsa to investigate cyber crimes. The students
will learn how a forensic investigator works while the police will
gain experience with new software tools and research techniques.
http://www.fcw.com/geb/articles/2002...a-07-25-02.asp
[Editor's Note (Schultz): We badly need much more of this type
of collaboration, yet I'd like law enforcement to go farther by
requiring officers to take a variety of relevant computer science
and other courses.]

--23 July 2002 National Cyber Security Strategy Plans to Extend
Cyber Corps to State Level
Richard Clarke says the national cyber security strategy, due to be
released in September, will extend the Federal Cyber Service Program,
which provides scholarships to both undergraduate and graduate
computer security students in exchange for two years of federal
service employment, to the state level. The Cyber Service Program
is also expected to receive $19 million for a supplemental funding
bill to be voted on soon.
http://www.fcw.com/geb/articles/2002...r-07-23-02.asp

--23 July 2002 Microsoft Changes Vulnerability Reporting Method
Microsoft has removed secure@microsoft.com, the dedicated e-mail
address for reporting vulnerabilities, from its "Alert Us" page; while
Microsoft will continue to monitor the address, users are encouraged
to report vulnerabilities by filling out a Web-based input form.
The form is designed to provide the company with adequate information
to begin investigations more quickly; often vulnerabilities reported
at the web address required some back and forth communication before
an investigation could be launched. Critics say the web form is not
flexible enough and does not provide a "paper trail" to show when
Microsoft was first notified of the vulnerability.
http://online.securityfocus.com/news/545

--23 & 24 July 2002 Malware Changes MSNTV Dial Up Number to 911
Some MSNTV users' machines have become infected with malicious code
that changes the dial up number to 911. The code arrives as an
e-mail attachment. Users are being advised to reset their machines;
a patch is due to be issued.
http://abcnews.go.com/sections/scite...rus020723.html
http://zdnet.com.com/2100-1105-945985.html
http://www.vnunet.com/News/1133850

--23 July 2002 NASCIO Report Urges Cooperation, Info Sharing
A report from the National Association of State Chief Information
Officers (NASCIO) implores government leaders to work together to
address cybersecurity and critical infrastructure protection.
http://www.computerworld.com/governm...,72947,00.html
http://endowment.pwcglobal.com/pdfs/HeimanReport.pdf

--22 July 2002 The Long Arm of Cyber Law Reaches Beyond National
Borders
Internet content is facing increasing scrutiny and legal action from
governments around the world, regardless of where the offending content
is hosted. For example, web sites allegedly run by two Italian men
were deemed offensive, and Italian police replaced the images with a
police unit insignia, despite the fact that the sites were hosted in
the US. Differing laws regarding freedom of speech and the European
Union's privacy laws are making it difficult for Internet businesses
to know what to do.
http://www.cnn.com/2002/TECH/interne....ap/index.html

--17 July 2002 Symantec Buys BugTraq
Symantec has purchased the BugTraq computer security e-mail list,
"the computer security world's equivalent of a professional journal."
The change of hands raises the question of whether or not hackers
will continue to publish vulnerabilities and exploits on the list.
http://www.msnbc.com/news/781975.asp?0dm=T279T
[Editors' Note: Symantec also bought Riptech (a managed services
company) and Recourse Technologies (a security software company).]