SANS NewsBites August 21, 2002 Vol. 4, Num. 34
TOP OF THE NEWS
19 August 2002 NIST Warns Against Wireless LANs for Government
16 August 2002 DoD Wireless Policy Nearly Ready
19 August 2002 DrinkOrDie Ringleader Sentenced
15 August 2002 Library Site Defacer Gets 1-3 Year Prison Sentence
14 August 2002 Princeton Admissions Dean/Hacker to be Reassigned
15 & 16 August 2002 FBI Agent Accused of Illegal Computer Access
THE REST OF THE WEEK'S NEWS
15 & 16 August 2002 Apache Web Server has Vulnerability; Upgrade
16 August 2002 Microsoft Releases Patches for Windows 2000, SQL
Server 7.0 and 2000
16 August 2002 Microsoft Funds Initiative For Software Choice
16 August 2002 Think Tank Wants Linux Certified Under Common Criteria
16 August 2002 NIPC Requests Quotes for Contractor Support
15 & 16 August 2002 IRS Can't Account for Computers Lent to Volunteers
15 August 2002 Researchers Develop Personalized Laptop Crypto System
15 August 2002 Variety of Anti-Virus Products Proves Helpful to
14 August 2002 Oracle Releases Patch for Debugger Vulnerability
14 August 2002 Cyber Corps Gets an Additional $19.2 Million
14 August 2002 UK E-Commerce Site Removes Exposed Customer Data
14 August 2002 InfraGard Members Warned About Warchalking
14 August 2002 Security Certifications Down Except for Disaster
Planning and Recovery (Not!)
13 August 2002 Burma to Test Passports with Embedded Chips
13 August 2002 Crackers are Targeting Security Professionals
13 & 14 August 2002 Digital Pearl Harbor Simulation
13 August 2002 SSL Vulnerability in Microsoft, KDE
15 August 2002 Microsoft Says SSL Problem is in Windows, Not IE
19 August 2002 Microsoft's Lag Time Frustrates
12 August 2002 Virus Activity Down
TOP OF THE NEWS
--19 August 2002 NIST Warns Against Wireless LANs for Government
The National Institute of Standards and Technology (NIST) is putting
the final touches on a report that will recommend the US government
not use wireless LANs (local area networks) except in rare cases.
NIST also advises placing LAN access points where unauthorized users
cannot access them and using VPN (virtual private network) clients
--16 August 2002 DoD Wireless Policy Nearly Ready
The Defense Department wireless use policy should be finalized soon.
The policy will address the use of wireless devices in and around
the Pentagon. The policy will prohibit wireless connections to
classified networks or computers. Another policy submitted for formal
consideration addresses wireless devices on the global grid.
--19 August 2002 DrinkOrDie Ringleader Sentenced
Christopher Tresco, who was reportedly a ringleader in the DrinkOrDie
digital piracy ring, received a 33-month sentence for "conspiracy to
violate criminal copyright laws." Tresco was a system administrator
at MIT and allegedly used university computers to distribute the
--15 August 2002 Library Site Defacer Gets 1-3 Year Prison Sentence
Christopher J. Chinnichi received a sentence of between 1 and 3
years in state prison and was ordered to pay restitution of $15,000
for twice defacing the Monroe County (NY) Library System's web site.
The site was shut down for two days after one attack and for three
weeks after the other.
--14 August 2002 Princeton Admissions Dean/Hacker to be Reassigned
The Princeton University dean who hacked into a Yale University
admissions site meant only for applicants has lost his job. Stephen
LeMenager said he was only trying to test the security of the site.
Disciplinary action will be taken against other Princeton admissions
office employees. LeMenager will work in Princeton's communications
office until he is placed in another job at the university.
--15 & 16 August 2002 FBI Agent Accused of Illegal Computer Access
A Russian Federal Security Service investigator has begun criminal
proceedings against an FBI agent who allegedly lured two Russian
hackers to the US, offered them jobs at a fictional company and
harvested passwords to their computer in Russia. The FBI downloaded
the evidence before they had a search warrant. The two allegedly
stole information from large US companies and from two banks, and
may be tied to the theft of credit card numbers from CD Universe and
Western Union. The agent is accused of gaining unauthorized access
to the pair's computers.
THE REST OF THE WEEK'S NEWS
--15 & 16 August 2002 Apache Web Server has Vulnerability; Upgrade
A security hole in Apache Web server version 2.0 could allow attackers
to gain control of vulnerable systems. An upgraded version of the
software is available. The vulnerability researcher who discovered
the vulnerability waited until Apache had posted the upgraded version
of the software to announce the flaw.
--16 August 2002 Microsoft Releases Patches for Windows 2000,
SQL Server 7.0 and 2000
Microsoft released patches for two of its products. The first is for
a critical flaw in the Network Connection Manager (NCM) component
of Windows 2000 that could allow an attacker to gain control of a
vulnerable system. The second is a cumulative patch for SQL server
7.0 and 2000.
[Editor's Note (Ranum): Shoot. I guess this means that Microsoft's
"stand-down" to fix all the bugs didn't work. I'm shocked, shocked,
I tell you.]
--16 August 2002 Microsoft Funds Initiative For Software Choice
Microsoft has joined a group called the Initiative for Software
Choice, which was created after several countries, including France,
Germany and Peru passed or were considering legislation requiring
their governments to use open source software.
[Editor's Note (Northcutt): In what is probably a tempest in a teacup,
the Digital Software Security Act has been proposed to require
California state government to use open source.
(Schultz) Secure software does not depend on whether it is open-
or closed-source, but rather on the quality of the development process.
(Paller): Microsoft has a valid case in asking that governments not
automatically exclude Microsoft software in favor of open source
software. However, two Microsoft pressure tactics may backfire.
The first is the company's expansive funding and subsequent control of
specific lobbying initiatives of organizations that claim to represent
far broader interests. The second is Microsoft's more direct efforts
to pressure US Department of Defense executives to halt support for SE
Linux when, in reality, the government has spent far more on projects
that help improve security of Microsoft products than on projects
that make Linux products secure.]
--16 August 2002 Think Tank Wants Linux Certified Under Common Criteria
The Cyberspace Policy Institute at George Washington University
wants Linux to be certified under the Common Criteria, which would
allow Linux to be purchased for "sensitive government applications."
The Institute is offering to be the repository for the federally
certified Linux. http://zdnet.com.com/2100-1104-950123.html
--16 August 2002 NIPC Requests Quotes for Contractor Support
The National Infrastructure Protection Center (NIPC) is requesting
quotes for contractor support in identifying and predicting threats,
analyzing and assessing threat information and disseminating
information among its partners and the public. NIPC has been
criticized for being slow to issue warnings about cyber security
--15 & 16 August 2002 IRS Can't Account for Computers Lent to Volunteers
According to an audit report from the Office of the Treasury Inspector
General for Tax Administration, the Internal Revenue Service
(IRS) cannot account for some portion of 6,600 computers it lent
to volunteers to help prepare returns for low income, disabled and
senior citizens. Earlier this year, the Inspector General found 2,300
computers missing from other areas of the IRS. The missing machines
may contain sensitive taxpayer data.
--15 August 2002 Researchers Develop Personalized Laptop Crypto System
Brian Noble and Mark Corner, researchers at the University of Michigan,
have developed a system that will encrypt computer data when the
computer's owner steps away from the machine. The owner wears a
transmitter strapped on like a watch; when the owner is a designated
distance away from the computer, the data is automatically encrypted.
The wireless communication is also encrypted.
[Editor's Note (Schultz): File encryption is such a two-edged sword.
It can assure confidentiality of data, but can also result in
effectively losing encrypted files. I know of several Windows 2000
users who have lost all their files due to loss or corruption of their
File Encrypting Key. And, unfortunately, key management schemes are
usually pretty inadequate.]
--15 August 2002 Variety of Anti-Virus Products Proves Helpful to
The Halifax/Bank of Scotland uses different anti-virus products at
each layer of its IT infrastructure, a strategy it says has reduced
the number of virus incidents in its systems by a factor of 10,
from 3,000 to 300 a month.
--14 August 2002 Oracle Releases Patch for Debugger Vulnerability
A security hole in Oracle9i's debugging mechanism could crash
vulnerable servers. The mechanism is enabled by default. Oracle has
issued a patch for the vulnerability.
--14 August 2002 Cyber Corps Gets an Additional $19.2 Million
President Bush signed into law a supplemental funding bill that
allocates an additional $19.2 million for the Cyber Corps: the
federal scholarship for service program in information security.
Cyber Corps also funds capacity-building programs.
[Editor's Note (Schultz): This investment in cybersecurity will
undoubtedly return huge benefits in time.]
--14 August 2002 UK E-Commerce Site Removes Exposed Customer Data
Personal data belonging to about 1,700 UK Shopping City on-line
customers was exposed on a website. A UK Information Commissioner's
Office compliance manager said the unauthorized release is a
violation of the Data Protection Act. UK Shopping City has removed
the exposed customer data. The affected customers had each referred
three friends whose names and e-mail addresses were also exposed.
The managing director speculated that the problem occurred when the
company changed servers recently.
--14 August 2002 InfraGard Members Warned About Warchalking
An FBI special agent warned Pittsburgh-area InfraGard members about
warchalking - the practice of marking the locations of wireless access
points on sidewalks and the outsides of buildings. One web site lets
wardrivers submit their information and then creates street maps that
note the access points. The agent says warchalking poses a threat
to criminal investigations. InfraGard is a partnership between the
FBI and businesses that allows them to share information about cyber
--14 August 2002 Security Certifications Down Except for Disaster
Planning and Recovery (Not!)
The number of security certifications obtained during an 8-month period
in 2002 is significantly lower than the number obtained during the same
span a year earlier, according to a Brainbench Cyber IQ Defense Report.
The trend affects all areas except disaster planning and recovery
certifications, which are up 90% over last year.
[Editor's Note (Murray): CISSP certifications and still growing.
(Northcutt) After reading this story, and seeing fellow Editor Bill
Murray's comment that the CISSP was continuing to grow, I checked
the GIAC certification numbers: They have grown substantially in the
past year. So it was obvious something was wrong with this story.
I contacted Eileen Townsend, one of the principal authors of the
technical report on which this article is based, and she told me that
the only source of data was the number of people taking their own
Brainbench tests. Lower numbers of people using their service does
not mean fewer people are attempting to earn security certifications.]
--13 August 2002 Burma to Test Passports with Embedded Chips
Burma will test an electronic passport system. As part of the
5,000-person pilot program, diplomats and some business people will receive
passports with embedded microchips that contain personal information
like fingerprints and photographs.
--13 August 2002 Crackers are Targeting Security Professionals
A hacker group called "e18" appears to be targeting security
professionals. The group may be responsible for a Trojan that
infected OpenBSD code. The group has intercepted e-mail, stolen
files from people's computers and published the personal documents
in their e-zine. The group is unhappy with the fact that security
professionals publish vulnerabilities.