
Thread: NEWS: This week's security news.

  1. #1

    NEWS: This week's security news.

    This newsletter brought to you by our friends at the SANS Institute.


    *********************************************************************
    SANS NewsBites August 14, 2002 Vol. 4, Num. 33
    **********************************************************************

    TOP OF THE NEWS
    12 August 2002 Hacker Claims He Stole NASA Documents
    11 August 2002 Hackers Face Stiffer Penalties
    8, 9 & 12 August 2002 New OECD Security Guidelines
    8 August 2002 Microsoft and FTC Reach Passport Privacy and Security
    Settlement
    7 & 8 August 2002 Researcher Claims Win32 Messaging System is
    Irreparably Flawed

    THE REST OF THE WEEK'S NEWS
    12 August 2002 Macromedia Flash Buffer Overflow Flaw
    12 August 2002 CDE ToolTalk Flaw
    12 August 2002 CMU to Help Other Schools Develop Cyber Security
    Programs
    12 August 2002 PGP Flaw
    9 August 2002 Money for Bugs
    9 August 2002 University Reactor Access to be Secured with Face
    Recognition Technology
    6 August 2002 Iowa College to Use Thumbprints for Computer Access
    9 August 2002 CAIDA's Network Telescope
    8 August 2002 US Military Laptops Unaccounted For
    8 August 2002 Google Toolbar Flaws Patched
    7 & 8 August 2002 Microsoft Issues Patch for Content Management
    Server 2001
    7 August 2002 Australian Students Pay to Have Grades Deleted
    7 August 2002 DeCSS Author Trial Date Set
    7 August 2002 Dutch ISP Exposes Customer Banking Info
    6 & 7 August 2002 Sun XDR Library Flaw
    2 & 7 August 2002 Other Backbone Providers Could Manage UUNet Traffic
    if Necessary
    6 August 2002 Israeli Teens Charged in Goner Case
    6 August 2002 Setiri Trojan Eludes Firewalls
    6 August 2002 Information About Japanese Defense Agency Network Leaked
    6 August 2002 Indonesian Student Charged with Using Stolen Credit
    Card On Line
    6 August 2002 Warning of Impending Cyber Attacks Doesn't Play Out
    5 & 6 August 2002 400 Laptops Missing at DoJ
    5 August 2002 Former DEA Agent Pleads Guilty in Data Selling Case
    5 August 2002 Japanese Mandatory ID System Irks Privacy Advocates
    7 August 2002 Japanese ID System Exposes Personal Data
    TOP OF THE NEWS

    --12 August 2002 Hacker Claims He Stole NASA Documents
    A Latin American-based hacker allegedly stole restricted NASA
    documents that deal with next generation reusable spacecraft; he has
    allegedly broken into other NASA computer systems. He also provided
    Computerworld with evidence of his intrusion into NASA's White Sands
    Test facility; he claims to have exploited an FTP vulnerability to
    gain access to the systems. A NASA spokesman said the documents
    contained sensitive military information. NASA is investigating.
    http://www.computerworld.com/securit...,73402,00.html

    --11 August 2002 Hackers Face Stiffer Penalties
    The US judicial system has become more aggressive in prosecuting
    cyber criminals. The passage of the Patriot Act increased the maximum
    sentence for breaking into a computer from five to ten years in prison,
    and the Cyber Security Enhancement Act could bring a hacker life in
    prison for recklessly causing or attempting to cause death.
    http://www.reuters.com/news_article....toryID=1315067
    [Editor's Note (Ranum): It doesn't matter what the maximum is, when
    the minimum is the slap on the wrist that hackers usually get.
    (Murray) Most hackers are never caught. Most that are caught never see
    a court room. After being threatened with the maximum if they go to
    trial, they cop a plea. (I have one client serving four years for the
    moral equivalent of joy riding. When he gets out of Federal prison
    he will be deported to his country of origin, Panama, a country he
    left at the age of two and has not seen since.) Often they do not
    see a courtroom because the state does not have a very good case.
    The sentence is often more a function of the quality of the state's
    case than of the offense. Welcome to modern justice.]

    --8, 9 & 12 August 2002 New OECD Security Guidelines
    The Organisation for Economic Cooperation and Development (OECD),
    which is comprised of 30 member nations, has updated its guidelines
    for information security. Titled "Guidelines for the Security
    of Information Systems and Networks," the document advocates such
    principles as awareness, responsibility, ethics, risk assessment
    and security design and implementation. This is the first time
    in a decade the OECD has updated its cybersecurity guidelines.
    Although the guidelines are non-binding, OECD hopes member nations
    will use them as a basis for forming cyber security initiatives.
    The US Department of State has endorsed the guidelines.
    http://www.computerworld.com/governm...,73297,00.html
    http://www.theregister.co.uk/content/55/26607.html
    http://www.gcn.com/vol1_no1/daily-updates/19599-1.html
    OECD Guidelines: http://www.oecd.org/pdf/M00033000/M00033182.pdf
    [Editor's Note (Paller): The Federal Trade Commission, under
    Commissioner Orson Swindle, took the US lead on creating the
    Guidelines. FTC is also leading the way in creating new security
    guides for home users and in forcing companies to match their security
    practices to their security promises as shown in the next story. If
    you know of organizations that are making claims about the security
    of their sites or of their products, but not meeting the claims, send
    an email to info@sans.org with the subject "Unmet security promises."
    If the submitted facts can be verified, we'll pass the most egregious
    examples along to the government, and we'll publish the others.]

    --8 August 2002 Microsoft and FTC Reach Passport Privacy and Security
    Settlement
    A Federal Trade Commission (FTC) investigation found that Microsoft
    misrepresented both the level of security provided and amount of
    data collected by its Passport services. As part of a settlement
    with the government, Microsoft will refrain from making false claims
    about the information it collects and will submit to an independent
    audit of its security program every two years. Microsoft could face
    fines of $11,000 a day if it fails to comply with the agreement.
    http://www.cnn.com/2002/TECH/interne...ftc/index.html
    http://www.eweek.com/article2/0,3959,449429,00.asp

    --7 & 8 August 2002 Researcher Claims Win32 Messaging System is
    Irreparably Flawed
    Chris Paget says there is an irreparable hole in Win32.
    Any application can send a message to any window on the same
    desktop regardless of whether or not the window is owned by the
    application, and there is no authentication mechanism to prevent
    this from happening. Paget has published a white paper describing a
    "shatter attack" which allows an attacker to gain control of a system
    by elevating his or her privileges. Microsoft says this does not
    fit their criteria/definition of a security vulnerability.
    http://www.theregus.com/content/55/25883.html
    http://zdnet.com.com/2100-1105-948931.html
    [Editor's Note (Murray): The messaging system works as documented.
    What Paget proposes to exploit is a documented feature. One of the
    things that makes it "irreparable" is that it is widely used in ways
    that do not compensate for its fundamental vulnerability. What Paget
    describes is an attack that might permit an otherwise unprivileged,
    but identified and authenticated, user in a multi-user system to
    assume the privileges and identity of another more privileged user.
    However, such a user is not an arbitrary "attacker" as our abstract
    might be read to say. And the Messaging System is not one between
    users but one between operating system objects.]
    THE REST OF THE WEEK'S NEWS

    --12 August 2002 Macromedia Flash Buffer Overflow Flaw
    A buffer overflow security hole in Macromedia's Flash player could let
    attackers run malicious code on vulnerable computers. The flaw affects
    all versions of Flash Player older than 6.0.40.0. The problem has been
    fixed in a new software update, available on Macromedia's web site.
    http://zdnet.com.com/2100-1104-949344.html
    http://www.pcworld.com/news/article/0,aid,103841,00.asp

    --12 August 2002 CDE ToolTalk Flaw
    CERT/CC has warned of a buffer overflow vulnerability in the CDE
    ToolTalk RPC database server that could be exploited to run code or
    cause a denial of service on a vulnerable machine. Users of vulnerable
    systems should apply patches from vendors as they become available.
    Users can also disable the ToolTalk RPC database service.
    http://www.computerworld.com/securit...,73408,00.html
    http://www.theregister.co.uk/content/55/26641.html
    http://www.cert.org/advisories/CA-2002-26.html

    --12 August 2002 CMU to Help Other Schools Develop Cyber Security
    Programs
    Carnegie Mellon University (CMU) received a $400,000 grant from the
    National Science Foundation's Federal Cyber Service program to help
    other colleges and universities develop strong information security
    programs. The four-week residential program included curriculum
    development and interdisciplinary applications of information security.
    http://www.fcw.com/fcw/articles/2002...o-08-12-02.asp

    --12 August 2002 PGP Flaw
    A flaw in Pretty Good Privacy (PGP) encryption technology could allow
    someone who intercepts a message to manipulate the recipient into
    decrypting the text. Here's how it works. The interceptor collects
    the message and scrambles it; the recipient may respond and ask for
    a resend because the message was gibberish; if the recipient's e-mail
    software includes the original message, it will arrive scrambled, but
    decrypted, in the interceptor's mailbox. The vulnerability is hard
    to exploit; if the message is compressed, the trick may not work.
    Also, it requires that the user's e-mail software automatically
    decrypt messages.
    http://www.washingtonpost.com/wp-dyn...?referer=email
    http://www.computerworld.com/securit...,73409,00.html
    http://zdnet.com.com/2100-1105-949368.html
    [Editor's Note (Murray): This is an attack, not a flaw. It exploits
    a fundamental vulnerability that is covered in the documentation.]

    --9 August 2002 Money for Bugs
    Security company iDefense plans to offer payments of up to $400 in
    return for reports of software vulnerabilities. While some people feel
    the industry has been making money off bug hunters for a long time,
    many others envision scenarios in which the money for bugs system
    could be abused. An iDefense spokesman says his company will only
    work with ethical bug finders.
    http://www.wired.com/news/technology...,54450,00.html

    --9 August 2002 University Reactor Access to be Secured with Face
    Recognition Technology
    Access to a nuclear reactor at the University of Missouri-Rolla will
    be secured with face recognition biometric technology. Research has
    identified weaknesses in the technology: some systems have correctly
    recognized approved people less than half the time (47%) and another
    was fooled by people holding up laptop computers with photos as they
    passed by. The face recognition system will not be the only security
    measure used at the facility.
    http://www.wired.com/news/technology...,54423,00.html
    [Editor's Note (Murray): While most biometrics can be tuned to produce
    a lower ratio of false accepts to false positives than can passwords,
    no authentication technology works as well as any two in combination.
    Sensitive applications should employ strong authentication; i.e.,
    two or more forms of evidence, at least one of which is resistant
    to replay.]

    --6 August 2002 Iowa College to Use Thumbprints for Computer Access
    The West Des Moines campus of the Des Moines Area Community College
    plans to use thumbprint scanners for access to college computer
    systems. Some experts have pointed out that cracking thumbprints can
    be even easier than cracking passwords; passwords can be changed, but
    "[g]etting a replacement thumb is expensive and painful," according
    to one privacy advocate.
    http://www.wired.com/news/technology...,53912,00.html
    [Editor's Note (Murray): Biometrics do not work because they are
    secret; they work because they are difficult to forge. The remedy for
    a forgery is not to change the individual. It is to resist forgeries
    by having a trusted reader and by collecting complementary evidence.]

    --9 August 2002 CAIDA's Network Telescope
    The Cooperative Association for Internet Development and Analysis
    (CAIDA) in San Diego, CA is using a "network telescope" to monitor
    approximately 1/256 of the Internet for cyber attacks.
    http://www.infoworld.com/articles/hn...telescopes.xml

    --8 August 2002 US Military Laptops Unaccounted For
    Two laptop computers are reportedly missing from a US military command
    center in Florida; that center is responsible for coordinating US
    military efforts in Afghanistan. No one is sure if the computers are
    merely missing or if they have been stolen. One reportedly contains
    sensitive data.
    http://www.theaustralian.news.com.au...0,5744,4861349^1702,00.html
    The two missing laptops have been recovered after a member of the
    military confessed to having them. The motive for the theft was not
    espionage, according to a spokesman for the Air Force's Office of
    Special Investigations.
    http://www.usatoday.com/news/nation/...-laptops_x.htm

    --8 August 2002 Google Toolbar Flaws Patched
    A cluster of nine security vulnerabilities in the Google toolbar
    could have allowed attackers to see what users type into the toolbar
    search field, to read files or even execute scripts on a vulnerable
    computer. Google has patched all the holes in an automatic update.
    The affected version was 1.1.58; Google is now distributing versions
    1.1.59 and 1.1.60. Users should check which version of Google's
    toolbar their computers are running.
    http://www.pcworld.com/news/article/0,aid,103706,00.asp

    --7 & 8 August 2002 Microsoft Issues Patch for Content Management
    Server 2001
    Microsoft has released a patch for three security vulnerabilities
    in its Content Management Server 2001. The most critical of the
    vulnerabilities is in a user authentication function: an attacker
    could offer malformed data to a web page using the authentication
    function and gain control of the system.
    http://news.com.com/2100-1001-948850.html
    http://www.computerworld.com/securit...,73299,00.html
    http://www.microsoft.com/technet/sec...n/MS02-041.asp

    --7 August 2002 Australian Students Pay to Have Grades Deleted
    The Independent Commission Against Corruption (ICAC) found that eleven
    students at the University of Technology, Sydney (UTS) paid a student
    liaison officer to delete their failing marks from the University's
    computer system. An ICAC commissioner said a survey of New South
    Wales's 10 public universities indicated that all were vulnerable to
    computer record tampering.
    http://www.smh.com.au/articles/2002/...157935947.html
    [Editor's Note (Ranum): This is really a human problem rather
    than a technology problem. Someone in a position of trust was
    untrustworthy. This is nothing new.]

    --7 August 2002 DeCSS Author Trial Date Set
    The trial of Jon Johansen, the Norwegian man who wrote the DVD
    descrambling tool DeCSS, will begin on December 9 in Norwegian
    district court. Though Johansen was indicted in January, the trial
    was postponed until a judge with adequate technical knowledge could
    be found.
    http://www.vnunet.com/News/1134178

    --7 August 2002 Dutch ISP Exposes Customer Banking Info
    When a man tried to cancel his cable Internet service with a Dutch ISP,
    he instead received e-mails containing banking information belonging
    to other ISP customers. The man contacted some of the people and
    told them of the security breach. A spokesman for the ISP says they
    do not know how the error occurred.
    http://www.vnunet.com/News/1134161

    --6 & 7 August 2002 Sun XDR Library Flaw
    A security flaw in some implementations of the External Data
    Representation (XDR) library derived from Sun Microsystems' SunRPC
    technology could let attackers run code and possibly take control of
    vulnerable systems.
    http://www.eweek.com/article2/0,3959,439927,00.asp
    http://www.computerworld.com/securit...,73291,00.html
    http://news.com.com/2100-1001-948777.html
    CERT Advisory: http://www.cert.org/advisories/CA-2002-25.html
    MIT Kerberos Development Team Advisory:
    http://web.mit.edu/kerberos/www/advi...02-001-xdr.txt

    --2 & 7 August 2002 Other Backbone Providers Could Manage UUNet
    Traffic if Necessary
    AT&T officials have reassured government officials that should UUNet
    go down due to parent company WorldCom's bankruptcy, other backbone
    providers could easily absorb the extra traffic. Last week, Federal
    Communications Commission (FCC) chairman Michael Powell told the
    Senate Commerce Committee that the FCC does not have the authority to
    prevent an Internet backbone provider from shutting down its services.
    WorldCom CEO John Sidgmore doesn't think UUNet will go down in
    any case.
    http://www.gcn.com/vol1_no1/daily-updates/19533-1.html
    http://www.newsfactor.com/perl/story/18843.html

    --6 August 2002 Israeli Teens Charged in Goner Case
    Five Israeli teenagers have been charged in Haifa District Court with
    willfully causing damage to computers for their roles in creating
    the Goner virus. One of the five is charged with actually writing
    the virus; the others are charged with spreading it. The Goner
    virus arrives in the guise of an attached screensaver and shuts down
    firewalls and anti-virus software running on infected computers.
    http://news.com.com/2100-1001-948596.html

    --6 August 2002 Setiri Trojan Eludes Firewalls
    Three security consultants at DefCon demonstrated Setiri, a Trojan
    horse that evades firewall detection. The researchers do not plan to
    release Setiri for use but do want Microsoft to fix the parts of its
    Internet Explorer that allow Setiri to work. Instead of containing
    executable commands, Setiri opens an invisible window in IE that
    connects to a web server through a proxy site. Protective measures
    include turning off the invisible windows function in IE, but that
    could erode the performance of some IE operations.
    http://www.computerworld.com/securit...,73260,00.html

    --6 August 2002 Information About Japanese Defense Agency Network
    Leaked
    Fujitsu, the company that created a network for Japan's Defense Agency,
    says information about the network may have been leaked to outsiders.
    In June, a group of men attempted to extort money from the company for
    the return of network diagrams and other information useful to hackers.
    Fujitsu says outsiders could not have broken into the network because
    it is not connected to the Internet.
    http://www.reuters.com/news_article....toryID=1294756
    [Editor's Note (Ranum): I think that saying a network can't be broken
    into because it is not connected to the Internet shows an amazing
    level of naiveté.]

    --6 August 2002 Indonesian Student Charged with Using Stolen Credit
    Card On Line
    A 22-year-old Indonesian university student was arrested after he
    used stolen credit card numbers, which he got from the Internet, to
    purchase $365.93 worth of motorcycle accessories on line. He faces
    charges that carry maximum prison sentences of a total of eleven years.
    http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=8658

    --6 August 2002 Warning of Impending Cyber Attacks Doesn't Play Out
    Despite a warning from the National Infrastructure Protection Center
    (NIPC) of imminent cyber attacks on US web sites and ISPs (Internet
    Service Providers), nothing out of the ordinary occurred.
    http://www.cnn.com/2002/TECH/interne....02/index.html
    http://www.wired.com/news/politics/0,1283,54382,00.html

    --5 & 6 August 2002 400 Laptops Missing at DoJ
    An investigation conducted by the Office of The Inspector General of
    the Department of Justice revealed that they have lost track of 400
    laptop computers, some of which may contain sensitive law enforcement
    or national security information. The investigation also showed that
    close to 800 weapons were unaccounted for. It has been nearly ten
    years since the FBI's last complete inventory of laptops and weapons;
    the FBI is responsible for 371 of the missing laptops. Recommendations
    include using bar codes and scanning devices, implementing more
    stringent requirements for reporting lost laptops and revising the
    guidelines that govern getting property back from erstwhile employees.
    http://www.wired.com/news/politics/0,1283,54343,00.html
    http://www.govexec.com/dailyfed/0802/080502m1.htm
    http://www.fcw.com/fcw/articles/2002...j-08-06-02.asp
    http://zdnet.com.com/2100-1103-948595.html
    DOJ Report: http://www.usdoj.gov/oig/audit/0231/fullpdf.htm

    --5 August 2002 Former DEA Agent Pleads Guilty in Data Selling Case
    Former US Drug Enforcement Administration Agent Emilio Calatayud has
    pleaded guilty to selling DEA information to LA private investigation
    firms. In a plea agreement, Calatayud admitted to stealing the data
    from federal databases including the FBI's National Crime Information
    Center (NCIC), and the California Law Enforcement Telecommunications
    System (CLETS); he received more than $22,000 in exchange for the
    information. Calatayud faces between one and two years in custody
    for his crimes.
    http://online.securityfocus.com/news/562
    [Editor's Note (Ranum): A violation of the public trust in the US:
    1-2 years. A $360 stolen credit card transaction in Indonesia: up to
    11 years. No wonder we have so many problems like this.]

    --5 August 2002 Japanese Mandatory ID System Irks Privacy Advocates
    Japan has instituted a mandatory ID program called "Juki Net" that
    assigns citizens an 11-digit identification number and links municipal
    computer systems. The database will store citizens' names, genders,
    addresses, dates of birth and ID numbers. Critics say the system
    violates privacy and presents opportunities for hackers to access
    personal data. Some municipalities are refusing to join the system;
    others are making participation optional, though the government says
    non-participation is illegal. Abuse of the system carries a maximum
    sentence of two years in prison and an $8,300 fine.
    http://www.cnn.com/2002/TECH/ptech/0...eut/index.html
    http://www.wired.com/news/politics/0,1283,54324,00.html
    http://www.newsfactor.com/perl/story/18892.html

    --7 August 2002 Japanese ID System Exposes Personal Data
    Two days after the launch of Juki Net, the new Japanese computerized
    ID network sent letters containing the personal information of more
    than 2500 people to the wrong households.
    http://www.usatoday.com/tech/news/te...d-system_x.htm

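The "PGP Flaw" item in the newsletter above describes a chosen-ciphertext attack on CFB-mode encryption: the interceptor mangles the ciphertext, the recipient's client decrypts it to gibberish, and the quoted gibberish in the "please resend" reply hands the interceptor the plaintext. The block below is an added example, not code from the newsletter, the forum post or any PGP implementation; it is a toy Python model of why that works. Its assumptions, none of which come from the page: a keyed PRF (HMAC-SHA256 truncated to one block) stands in for the block cipher, which is sound because CFB encryption and decryption use only the cipher's forward direction; plain CFB with a 16-byte block and space padding, with no OpenPGP packet framing, no OpenPGP resync step, no compression (the newsletter notes compression may defeat the trick) and no integrity check such as OpenPGP's later MDC packet; the message, key and IV are constructed for the example, and the recipient decrypts the probe with the same IV that accompanied the original message.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes; an assumption of this toy model


def block_fn(key: bytes, x: bytes) -> bytes:
    """Forward direction of the block cipher, modelled as a keyed PRF.

    CFB only ever calls the cipher forwards (never the inverse), so
    HMAC-SHA256 truncated to one block has the same algebra as a real
    block cipher here. Stand-in for the example, not a real cipher.
    """
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(msg: bytes) -> bytes:
    """Space-pad to a whole number of blocks (toy padding, not OpenPGP's)."""
    return msg + b" " * (-len(msg) % BLOCK)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C_i = P_i XOR E_k(C_{i-1}), with C_{-1} = IV
    out, prev = [], iv
    for p in split_blocks(pad(plaintext)):
        c = xor(p, block_fn(key, prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P_i = C_i XOR E_k(C_{i-1}): the keystream for block i depends only on
    # the previous ciphertext block, which an interceptor can choose freely.
    out, prev = [], iv
    for c in split_blocks(ciphertext):
        out.append(xor(c, block_fn(key, prev)))
        prev = c
    return b"".join(out)


def attacker_craft(ciphertext: bytes) -> tuple:
    """Interceptor's first step, performed without the key.

    Builds the probe  X_0, C_0, X_1, C_1, ..., C_{n-2}, X_{n-1}  with random
    X_k. The recipient decrypts probe block 2k as
        X_k XOR E_k(C_{k-1}) = X_k XOR C_k XOR P_k      (C_{-1} is the IV)
    so every block looks like noise to the recipient, yet each even block
    is P_k masked only by values the interceptor already knows.
    """
    c_blocks = split_blocks(ciphertext)
    x_blocks = [os.urandom(BLOCK) for _ in c_blocks]
    probe = []
    for k, x in enumerate(x_blocks):
        probe.append(x)
        if k < len(c_blocks) - 1:
            probe.append(c_blocks[k])
    return b"".join(probe), x_blocks


def attacker_recover(ciphertext: bytes, x_blocks: list, quoted_gibberish: bytes) -> bytes:
    """Interceptor's second step, once the 'please resend' reply quotes the decryption."""
    c_blocks = split_blocks(ciphertext)
    d_blocks = split_blocks(quoted_gibberish)
    return b"".join(xor(xor(d_blocks[2 * k], x_blocks[k]), c_blocks[k])
                    for k in range(len(c_blocks)))


def demo_attack(message: bytes = b"Transfer the funds to account 4471 before Friday.") -> dict:
    """Runs the whole exchange on a constructed message and returns the pieces."""
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)      # shared by sender and recipient only
    ciphertext = cfb_encrypt(key, iv, message)          # what the interceptor captures
    probe, x_blocks = attacker_craft(ciphertext)        # crafted from the ciphertext alone
    gibberish = cfb_decrypt(key, iv, probe)             # recipient's client auto-decrypts it
    recovered = attacker_recover(ciphertext, x_blocks, gibberish)  # from the quoted reply
    return {
        "plaintext": pad(message),
        "recipient_sees": gibberish,
        "recovered": recovered,
    }


if __name__ == "__main__":
    r = demo_attack()
    print("recipient saw:", r["recipient_sees"][:32].hex(), "...")
    print("attacker got :", r["recovered"])
```

What the recipient decrypts is uniformly random-looking, which is exactly what prompts the resend request; the attack works because in CFB the keystream for block i is E_k of the previous ciphertext block, and the interceptor chooses that block. The practical defence is integrity protection of the ciphertext (an authenticated mode, or a MAC or MDC verified before anything is displayed or quoted), not relying on users to refrain from replying.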
  2. #2
    Thanks xmaddness! I was barely checking the news too. Thanks!
