
Thread: NEWS: This week's security news

  1. #1

    NEWS: This week's security news

    Brought to you by our friends at the SANS Institute

    ***********************************************************************
    SANS NewsBites August 21, 2002 Vol. 4, Num. 34
    ***********************************************************************

    TOP OF THE NEWS
    19 August 2002 NIST Warns Against Wireless LANs for Government
    16 August 2002 DoD Wireless Policy Nearly Ready
    19 August 2002 DrinkOrDie Ringleader Sentenced
    15 August 2002 Library Site Defacer Gets 1-3 Year Prison Sentence
    14 August 2002 Princeton Admissions Dean/Hacker to be Reassigned
    15 & 16 August 2002 FBI Agent Accused of Illegal Computer Access

    THE REST OF THE WEEK'S NEWS
    15 & 16 August 2002 Apache Web Server has Vulnerability; Upgrade
    is Available
    16 August 2002 Microsoft Releases Patches for Windows 2000, SQL
    Server 7.0 and 2000
    16 August 2002 Microsoft Funds Initiative For Software Choice
    16 August 2002 Think Tank Wants Linux Certified Under Common Criteria
    16 August 2002 NIPC Requests Quotes for Contractor Support
    15 & 16 August 2002 IRS Can't Account for Computers Lent to Volunteers
    15 August 2002 Researchers Develop Personalized Laptop Crypto System
    15 August 2002 Variety of Anti-Virus Products Proves Helpful to
    Scottish Bank
    14 August 2002 Oracle Releases Patch for Debugger Vulnerability
    14 August 2002 Cyber Corps Gets an Additional $19.2 Million
    14 August 2002 UK E-Commerce Site Removes Exposed Customer Data
    14 August 2002 InfraGard Members Warned About Warchalking
    14 August 2002 Security Certifications Down Except for Disaster
    Planning and Recovery (Not!)
    13 August 2002 Burma to Test Passports with Embedded Chips
    13 August 2002 Crackers are Targeting Security Professionals
    13 & 14 August 2002 Digital Pearl Harbor Simulation
    13 August 2002 SSL Vulnerability in Microsoft, KDE
    15 August 2002 Microsoft Says SSL Problem is in Windows, Not IE
    19 August 2002 Microsoft's Lag Time Frustrates
    12 August 2002 Virus Activity Down


    TOP OF THE NEWS

    --19 August 2002 NIST Warns Against Wireless LANs for Government
    The National Institute of Standards and Technology (NIST) is putting
    the final touches on a report that will recommend the US government
    not use wireless LANs (local area networks) except in rare cases.
    NIST also advises placing LAN access points where unauthorized users
    cannot access them and using VPN (virtual private network) clients
    and gateways.
    http://www.nwfusion.com/news/2002/13...8-19-2002.html

    --16 August 2002 DoD Wireless Policy Nearly Ready
    The Defense Department wireless use policy should be finalized soon.
    The policy will address the use of wireless devices in and around
    the Pentagon. The policy will prohibit wireless connections to
    classified networks or computers. Another policy submitted for formal
    consideration addresses wireless devices on the global grid.
    http://www.govexec.com/dailyfed/0802/081602td2.htm

    --19 August 2002 DrinkOrDie Ringleader Sentenced
    Christopher Tresco, who was reportedly a ringleader in the DrinkOrDie
    digital piracy ring, received a 33-month sentence for "conspiracy to
    violate criminal copyright laws." Tresco was a system administrator
    at MIT and allegedly used university computers to distribute the
    pirated content.
    http://www.securitynewsportal.com/cg...=viewone&id=95

    --15 August 2002 Library Site Defacer Gets 1-3 Year Prison Sentence
    Christopher J. Chinnichi received a sentence of between 1 and 3
    years in state prison and was ordered to pay restitution of $15,000
    for twice defacing the Monroe County (NY) Library System's web site.
    The site was shut down for two days after one attack and for three
    weeks after the other.
    http://www.democratandchronicle.com/...800_news.shtml

    --14 August 2002 Princeton Admissions Dean/Hacker to be Reassigned
    The Princeton University dean who hacked into a Yale University
    admissions site meant only for applicants has lost his job. Stephen
    LeMenager said he was only trying to test the security of the site.
    Disciplinary action will be taken against other Princeton admissions
    office employees. LeMenager will work in Princeton's communications
    office until he is placed in another job at the university.
    http://www.usatoday.com/news/nation/...-hacking_x.htm

    --15 & 16 August 2002 FBI Agent Accused of Illegal Computer Access
    A Russian Federal Security Service investigator has begun criminal
    proceedings against an FBI agent who allegedly lured two Russian
    hackers to the US, offered them jobs at a fictional company and
    harvested passwords to their computer in Russia. The FBI downloaded
    the evidence before they had a search warrant. The two allegedly
    stole information from large US companies and from two banks, and
    may be tied to the theft of credit card numbers from CD Universe and
    Western Union. The agent is accused of gaining unauthorized access
    to the pair's computers.
    http://www.msnbc.com/news/563379.asp?0dm=T22DT
    http://news.com.com/2100-1001-950719.html
    http://www.theregister.co.uk/content/55/26715.html



    THE REST OF THE WEEK'S NEWS

    --15 & 16 August 2002 Apache Web Server has Vulnerability; Upgrade
    is Available
    A security hole in Apache Web server version 2.0 could allow attackers
    to gain control of vulnerable systems. An upgraded version of the
    software is available. The vulnerability researcher who discovered
    the vulnerability waited until Apache had posted the upgraded version
    of the software to announce the flaw.
    http://www.pcworld.com/news/article/0,aid,104073,00.asp
    http://www.theregister.co.uk/content/4/26686.html
    http://httpd.apache.org/info/securit..._20020809a.txt
    http://www.apache.org/dist/httpd/

    --16 August 2002 Microsoft Releases Patches for Windows 2000,
    SQL Server 7.0 and 2000
    Microsoft released patches for two of its products. The first is for
    a critical flaw in the Network Connection Manager (NCM) component
    of Windows 2000 that could allow an attacker to gain control of a
    vulnerable system. The second is a cumulative patch for SQL server
    7.0 and 2000.
    http://www.computerworld.com/securit...,73566,00.html
    Windows 2000:
    http://www.microsoft.com/technet/sec...n/ms02-042.asp
    SQL Server 7.0 and 2000:
    http://www.microsoft.com/technet/sec...n/MS02-043.asp
    [Editor's Note (Ranum): Shoot. I guess this means that Microsoft's
    "stand-down" to fix all the bugs didn't work. I'm shocked, shocked,
    I tell you.]

    --16 August 2002 Microsoft Funds Initiative For Software Choice
    Microsoft has joined a group called the Initiative for Software
    Choice, which was created after several countries including, France,
    Germany and Peru passed or were considering legislation requiring
    their governments to use open source software.
    http://news.zdnet.co.uk/story/0,,t269-s2120759,00.html
    http://www.vnunet.com/News/1134428
    [Editor's Note (Northcutt): In what is probably a tempest in a teacup,
    the Digital Software Security Act, has been proposed to require
    California state government to use open source.
    http://www.usatoday.com/tech/news/te...grammers_x.htm
    (Schultz) Secure software does not depend on whether it is open-
    or closed-source, but rather on the quality of the development process.
    (Paller): Microsoft has a valid case in asking that governments not
    automatically exclude Microsoft software in favor of open source
    software. However, two Microsoft pressure tactics may backfire.
    The first is the company's expansive funding and subsequent control of
    specific lobbying initiatives of organizations that claim to represent
    far broader interests. The second is Microsoft's more direct efforts
    to pressure US Department of Defense executives to halt support for SE
    Linux when, in reality, the government has spent far more on projects
    that help improve security of Microsoft products than on projects
    that make Linux products secure.]

    --16 August 2002 Think Tank Wants Linux Certified Under Common
    Criteria
    The Cyberspace Policy Institute at George Washington University
    wants Linux to be certified under the Common Criteria, which would
    allow Linux to be purchased for "sensitive government applications."
    The Institute is offering to be the repository for the federally
    certified Linux.
    http://zdnet.com.com/2100-1104-950123.html
    http://www.vnunet.com/News/1134428

    --16 August 2002 NIPC Requests Quotes for Contractor Support
    The National Infrastructure Protection Center (NIPC) is requesting
    quotes for contractor support in identifying and predicting threats,
    analyzing and assessing threat information and disseminating
    information among its partners and the public. NIPC has been
    criticized for being slow to issue warnings about cyber security
    threats.
    http://www.fcw.com/fcw/articles/2002...c-08-16-02.asp
    http://newsfactor.com/perl/story/19059.html

    --15 & 16 August 2002 IRS Can't Account for Computers Lent to
    Volunteers
    According to an audit report from the Office of the Treasury Inspector
    General for Tax Administration, the Internal Revenue Service
    (IRS) cannot account for some portion of 6,600 computers it lent
    to volunteers to help prepare returns for low income, disabled and
    senior citizens. Earlier this year, the Inspector General found 2,300
    computers missing from other areas of the IRS. The missing machines
    may contain sensitive taxpayer data.
    http://www.govexec.com/dailyfed/0802/081502t1.htm
    http://www.washingtonpost.com/wp-dyn...2002Aug15.html
    http://zdnet.com.com/2100-11-950160.html

    --15 August 2002 Researchers Develop Personalized Laptop Crypto
    System
    Brian Noble and Mark Corner, researchers at the University of Michigan,
    have developed a system that will encrypt computer data when the
    computer's owner steps away from the machine. The system works by
    the owner wearing a transmitter strapped on like a watch; when the
    owner is a designated distance away from the computer, the data is
    automatically encrypted. The wireless communication is also encrypted.
    http://www.newscientist.com/news/news.jsp?id=ns99992683
    [Editor's Note (Schultz): File encryption is such a two-edged sword.
    It can assure confidentiality of data, but can also result in
    effectively losing encrypted files. I know of several Windows 2000
    users who have lost all their files due to loss or corruption of their
    File Encrypting Key. And, unfortunately, key management schemes are
    usually pretty inadequate.]

    --15 August 2002 Variety of Anti-Virus Products Proves Helpful to
    Scottish Bank
    The Halifax/Bank of Scotland uses different anti-virus products at
    each layer of its IT infrastructure, a strategy it says has reduced
    the number of virus incidents in its systems by a factor of 10,
    from 3,000 to 300 a month.
    http://www.vnunet.com/News/1134385

    --14 August 2002 Oracle Releases Patch for Debugger Vulnerability
    A security hole in Oracle9i's debugging mechanism could crash
    vulnerable servers. The mechanism is enabled by default. Oracle has
    issued a patch for the vulnerability.
    http://www.theregister.co.uk/content/55/26678.html
    http://bvlive01.iss.net/issEn/delive....jsp?oid=20941

    --14 August 2002 Cyber Corps Gets an Additional $19.2 Million
    President Bush signed into law a supplemental funding bill that
    allocates an additional $19.2 million for the Cyber Corps: the
    federal scholarship for service program in information security.
    Cyber Corps also funds capacity-building programs.
    http://www.fcw.com/fcw/articles/2002...r-08-14-02.asp
    [Editor's Note (Schultz): This investment in cybersecurity will
    undoubtedly return huge benefits in time.]

    --14 August 2002 UK E-Commerce Site Removes Exposed Customer Data
    Personal data belonging to about 1,700 UK Shopping City on-line
    customers was exposed on a website. A UK Information Commissioner's
    Office compliance manager said the unauthorized release is a
    violation of the Data Protection Act. UK Shopping City has removed
    the exposed customer data. The affected customers had each referred
    three friends whose names and e-mail addresses were also exposed.
    The managing director speculated that the problem occurred when the
    company changed servers recently.
    http://zdnet.com.com/2100-1106-949706.html
    http://news.com.com/2100-1017-949868.html

    --14 August 2002 InfraGard Members Warned About Warchalking
    An FBI special agent warned Pittsburgh-area InfraGard members about
    warchalking - the practice of marking the locations of wireless access
    points on sidewalks and the outsides of buildings. One web site lets
    wardrivers submit their information and then creates street maps that
    note the access points. The agent says warchalking poses a threat
    to criminal investigations. InfraGard is a partnership between the
    FBI and businesses that allows them to share information about cyber
    security concerns.
    http://www.computerworld.com/securit...,73479,00.html

    --14 August 2002 Security Certifications Down Except for Disaster
    Planning and Recovery (Not!)
    The number of security certifications obtained during an 8-month period
    in 2002 is significantly lower than the number obtained during the same
    span a year earlier, according to a Brainbench Cyber IQ Defense Report.
    The trend affects all areas except disaster planning and recovery
    certifications, which are up 90% over last year.
    http://www.ntsecurity.net/Articles/I...rticleID=26262
    [Editor's Note (Murray): CISSP certifications are still growing.
    (Northcutt) After reading this story, and seeing fellow Editor Bill
    Murray's comment that the CISSP was continuing to grow, I checked
    the GIAC certification numbers: They have grown substantially in the
    past year. So it was obvious something was wrong with this story.
    I contacted Eileen Townsend, one of the principal authors of the
    technical report on which this article is based, and she told me that
    the only source of data was the number of people taking their own
    Brainbench tests. Lower numbers of people using their service do
    not mean fewer people are attempting to earn security certifications.]

    --13 August 2002 Burma to Test Passports with Embedded Chips
    Burma will test an electronic passport system. As part of the 5,000
    person pilot program, diplomats and some business people will receive
    passports with embedded microchips that contain personal information
    like fingerprints and photographs.
    http://news.bbc.co.uk/1/hi/world/asi...ic/2191883.stm

    --13 August 2002 Crackers are Targeting Security Professionals
    A hacker group called "e18" appears to be targeting security
    professionals. The group may be responsible for a Trojan that
    infected OpenBSD code. The group has intercepted e-mail, stolen
    files from people's computers and published the personal documents
    in their e-zine. The group is unhappy with the fact that security
    professionals publish vulnerabilities.
    http://www.wired.com/news/technology...,54400,00.html

    Unhappy that vulnerabilities are being published, yet they are using them for malicious activities? Idiots...

    --13 & 14 August 2002 Digital Pearl Harbor Simulation
    The US Naval War College and Gartner Research teamed up to conduct a
    "Digital Pearl Harbor" simulation. Analysts concluded that cyber
    terrorists could do serious damage to US critical infrastructure,
    but they would require five years of preparation time and significant
    amounts of money and intelligence. Recovery from the attacks would
    be difficult because there are no early warning systems for cyber
    attacks and no organized response to them.
    http://news.com.com/2100-1017-949605.html
    http://www.theregister.co.uk/content/55/26675.html

    --13 August 2002 SSL Vulnerability in Microsoft, KDE
    Microsoft is investigating a vulnerability in the way Internet
    Explorer (IE) versions 5.0, 5.5 and 6.0 handles digital certificates.
    The security hole in IE's implementation of the Secure Socket Layer
    (SSL) standard could be exploited to trick users into thinking they
    are visiting a legitimate website that can be trusted with personal
    information.
    http://www.computerworld.com/securit...,73437,00.html
    http://www.usatoday.com/tech/news/co...rer-flaw_x.htm

    --15 August 2002 Microsoft Says SSL Problem is in Windows, Not IE
    Microsoft says the SSL implementation problem lies not in Internet
    Explorer (IE) but in Windows itself. Microsoft is developing patches
    for Windows 98, Me, NT4, 2000 and XP.
    http://www.computerworld.com/securit...,73507,00.html

    --19 August 2002 Microsoft's Lag Time Frustrates
    Microsoft's delay in addressing this and other security issues has
    frustrated users. KDE, developers of other software with the same
    security hole, released a patch within hours of the vulnerability's
    disclosure.
    http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=8772
    http://www.theregister.co.uk/content/55/index.html

    --12 August 2002 Virus Activity Down
    Explanations offered for the decline in virus activity over the past
    year include improved anti-virus software, more secure systems and
    new laws that assign stiffer penalties for hacking and the like,
    including life in prison. Some warn that people should not get
    complacent; virus activity will pick up again.
    http://www.reuters.com/news_article....toryID=1318312
    [Editor's Note (Schultz): This is a fascinating statistic. If it holds
    over time, it will represent a genuine victory for the information
    security arena.]

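The Schultz note above on Windows 2000 users losing every file when their File Encryption Key was lost or corrupted comes down to key management: if the data-encryption key is wrapped under only one credential, that credential is a single point of total loss. The following is an added example, written for this page and not taken from the SANS newsletter, the forum poster, or Microsoft's EFS design. It encrypts a file under a random data-encryption key (DEK) and stores that DEK wrapped under both the user's key and a separate recovery key, so the recovery holder can still open the file after the user key is gone. Assumptions: 32-byte keys supplied by the caller, and a constructed HMAC-SHA256 counter-mode keystream with an HMAC tag standing in for a real AEAD such as AES-GCM, which the Python standard library does not provide.

```python
import hashlib
import hmac
import secrets

# Assumed 32-byte keys. In practice the user key would be derived from the
# user's credential and the recovery key held by a recovery agent / escrow.
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent subkey (encryption or MAC) from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stream cipher: HMAC-SHA256(key, nonce || counter) blocks.

    Stands in for AES-CTR; the stdlib has no block cipher. Do not reuse a
    nonce under the same key.
    """
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 32 bytes")
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time, then decrypt. ValueError on any failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def encrypt_file(plaintext: bytes, holders: dict) -> dict:
    """Encrypt under a fresh DEK and wrap that DEK once per key holder.

    `holders` maps a holder name (e.g. "user", "recovery") to its 32-byte key.
    Every holder listed can later open the file independently of the others.
    """
    dek = secrets.token_bytes(KEY_LEN)
    return {
        "ciphertext": seal(dek, plaintext),
        "wrapped_dek": {name: seal(kek, dek) for name, kek in holders.items()},
    }


def decrypt_file(blob: dict, holder: str, kek: bytes) -> bytes:
    """Unwrap the DEK with one holder's key, then decrypt the file body."""
    if holder not in blob["wrapped_dek"]:
        raise KeyError(f"no DEK wrapped for holder {holder!r}")
    dek = unseal(kek, blob["wrapped_dek"][holder])
    return unseal(dek, blob["ciphertext"])


if __name__ == "__main__":
    data = b"constructed sample: quarterly payroll spreadsheet"
    recovery_key = secrets.token_bytes(KEY_LEN)

    # The failure mode from the note: one wrap, and the user key is lost.
    lost_key = secrets.token_bytes(KEY_LEN)
    single = encrypt_file(data, {"user": lost_key})
    del lost_key
    try:
        decrypt_file(single, "recovery", recovery_key)
    except KeyError as err:
        print("unrecoverable:", err)

    # With a second wrap the recovery holder can still read the file.
    user_key = secrets.token_bytes(KEY_LEN)
    escrowed = encrypt_file(data, {"user": user_key, "recovery": recovery_key})
    print("recovered:", decrypt_file(escrowed, "recovery", recovery_key) == data)
```

The design point is that the file body is encrypted exactly once; only the small DEK is wrapped per holder, so adding a recovery agent costs one extra wrapped blob rather than a second copy of the ciphertext, and revoking a holder means dropping that holder's wrap and re-wrapping for the rest.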
  2. #2
    Thanks, xmaddness. I always look forward to your weekly security news posts. There is usually a lot of news that I miss each week.

  3. #3
    Thanks for the post!
    Time is a created thing -- to say "I don't have time" is like saying "I don't want to."

    Lao-Tzu
