Thread: NEWS: This week's security news

  1. #1
    Webius Designerous Indiginous

    Brought to you by our friends at the SANS Institute.


    Please bump at will.

    ***********************************************************************
    SANS NewsBites September 4, 2002 Vol. 4, Num. 36
    ***********************************************************************

    TOP OF THE NEWS
    29 & 30 August 2002 iVillage.com E-Mail Shut Down Due to Security
    and Privacy Problems
    28 August 2002 Ziff Davis Media Settles Privacy Breach Investigation
    27 August 2002 DoubleClick Settles Privacy Investigation
    28 August 2002 On Line Gold Theft Attempt Thwarted
    26 August 2002 Woman Pleads Guilty to Importing Phony Software

    THE REST OF THE WEEK'S NEWS
    2 September 2002 New Airline Passenger Screening System Expected Soon
    28 August 2002 Proposed Legislation Would Have Biometric Data on
    Drivers Licenses
    26 August 2002 Biometrics in Travel Documents Raises Security and
    Reliability Concerns
    26 August 2002 DoD Testing Iris Recognition at Athletic Club
    30 August 2002 Hacker Has Trouble Finding Work
    28 & 30 August 2002 More Warflying
    29 August 2002 Poll Says Half of CSO Subscribers Believe Major Cyber
    Attack is Imminent
    26 August 2002 Are Cyberterrorism Warnings Overstated?
    29 August 2002 Microsoft Certificate Enrollment Control Security Hole
    29 August 2002 Hard-To-Copy CD-ROMs
    28 August 2002 Spyware Intercepts Web-Based E-Mail
    30 August 2002 DOD Distributes One Millionth Smart Card
    28 August 2002 RIAA Defaced, Taken Off Line
    28 August 2002 Linux for Newbies
    27 & 28 August 2002 Microsoft Releases APIs
    27 August 2002 Lamo Segment Pulled from NBC Nightly News
    27 August 2002 Developing a Database with a Conscience
    27 August 2002 Hackers Threaten Retaliation if Duo Gets Jail Time
    27 August 2002 Man Pleads Guilty to Stealing Microsoft Certification
    Exam Questions
    26 August 2002 Hacker Tools Can Help Too
    26 August 2002 Government Wary of Handheld Wireless Due to Security
    Concerns
    26 August 2002 Enterprise AIM Addresses Security Issues
    22 August 2002 The Ethics of Cyber Warfare




    TOP OF THE NEWS

    --29 & 30 August 2002 iVillage.com E-Mail Shut Down Due to Security
    and Privacy Problems
    iVillage.com shut down its e-mail service on August 29th after it
    learned that users were logging on and finding other users' in-boxes
    available for perusal. Some customers had been complaining about the
    problem for a week. The violation of privacy policy could spell bad
    news for iVillage.com based on the recent settlement agreed to by
    Ziff Davis Media.
    http://www.msnbc.com/news/800959.asp?0dm=T22FT
    http://www.computerworld.com/securit...,73900,00.html

    --28 August 2002 Ziff Davis Media Settles Privacy Breach
    Investigation
    Ziff Davis Media has agreed to pay $125,000 as part of a settlement
    following an investigation into a breach of customer data privacy. Ziff
    Davis Media will also establish security practices to better protect
    information online. According to state attorneys general involved in
    the investigation, some of the people whose information was exposed
    were victims of identity theft.
    http://news.com.com/2100-1023-955841.html
    http://www.wired.com/news/business/0,1367,54817,00.html
    Press Release from New York State Attorney General:
    http://www.oag.state.ny.us/press/200...aug28a_02.html

    --27 August 2002 DoubleClick Settles Privacy Investigation
    DoubleClick has agreed to a settlement following an investigation into
    its privacy practices regarding the data it collects. The investigation
    was a joint effort on the part of 10 of the 50 states' attorneys
    general. DoubleClick will pay $450,000 toward the investigation
    costs and will amend its privacy practices. It will also store all
    data more than three months old off line. The company will also be
    subject to third-party audits to check for compliance with the terms
    of the settlement.
    http://www.theregister.co.uk/content/6/26817.html
    [Editor's Note (Ranum): This is the way to make strides forward in
    security: start making failure to do the right thing expensive.]

    --28 August 2002 On Line Gold Theft Attempt Thwarted
    Hackers placed a keystroke logger on gold dealer Crowne Gold's computer
    system and harvested passwords. The hackers then used the passwords
    to attempt a transfer of almost $200,000 worth of gold to another
    brokerage; their attempt was foiled by the fact that they lacked
    proper documentation. Crowne Gold shut down its system so customers
    have not been able to access their accounts. The company hoped to
    have the site up again soon.
    http://www.wired.com/news/business/0,1367,54802,00.html

    --26 August 2002 Woman Pleads Guilty to Importing Phony Software
    A woman in Los Angeles has pleaded no contest to charges of importing
    almost $75 million worth of counterfeit software. Lisa Chen will
    receive a sentence of between five and nine years in federal prison
    and pay restitution to Microsoft and Symantec. Chen and three other
    people were arrested after an 18-month investigation; the others'
    cases are pending in federal court. This is apparently the largest
    seizure of counterfeit software ever in the United States.
    http://www.siliconvalley.com/mld/sil...ey/3943489.htm




    THE REST OF THE WEEK'S NEWS

    --2 September 2002 New Airline Passenger Screening System Expected
    Soon
    Federal airport security officers hope to be using a significantly
    enhanced version of the Computer Assisted Passenger Prescreening System
    (CAPPS) before the end of the year. CAPPS II will provide real-time
    threat evaluation of passengers; it will search through multiple
    government and commercial databases for information and provide almost
    immediate feedback on a passenger's background. Implementation of the
    new system could be delayed if the Transportation Department becomes
    part of the Department of Homeland Security.
    http://www.fcw.com/fcw/articles/2002...s-09-02-02.asp


    --28 August 2002 Proposed Legislation Would Have Biometric Data on
    Drivers Licenses
    Two US lawmakers from Virginia have proposed the 2003 Driver's License
    Modernization Act which would have all US drivers' licenses include
    biometric data. The legislators say the new licenses could help
    prevent identity theft. There is also talk of issuing smart cards
    to all federal employees, following in the footsteps of the Defense
    Department's Common Access Card.
    http://www.govexec.com/dailyfed/0802/082802s1.htm
    [Editor's Note (Murray): There is already biometric data on the drivers
    license; it is called the photograph. This particular biometric has
    the advantage that it can be easily reconciled by people. Computers
    cannot reconcile it very well but then they do not do very well at
    any biometrics. That is why we must use strong authentication.]

    --26 August 2002 Biometrics in Travel Documents Raises Security and
    Reliability Concerns
    The US Patriot Act calls for the implementation of biometric
    identifiers on travel documents for non-US citizens by the year
    2004. The National Institute of Standards and Technology (NIST) has
    been studying various biometric systems and has so far found areas
    of concern with fingerprints, iris scanning and facial recognition
    technology, leading to a preliminary conclusion that no one biometric
    technology by itself is reliable. The use of biometric technology
    also raises concerns about how the information will be stored: smart
    cards must be managed so that various permissions can be revoked
    easily, and network based authentication systems pose the risk of
    data interception and altering.
    http://www.gcn.com/21_25/security/19773-1.html

    --26 August 2002 DoD Testing Iris Recognition at Athletic Club
    The Defense Department Biometrics Management Office is testing an iris
    recognition system at the Pentagon Athletic Club. Participation in the
    testing is voluntary. Starting August 30th, the Defense Department's
    Biometrics Management Office plans to use the system as the "sole tool"
    for entry to the athletic club.
    http://www.fcw.com/fcw/articles/2002...s-08-26-02.asp

    --30 August 2002 Hacker Has Trouble Finding Work
    Though hackers used to have little trouble finding jobs, the scene
    is changing. Max Ray Butler once worked as a cyber informant for
    the FBI, but recently served a year in federal prison for intruding
    into government and military computer networks. Since his release,
    Butler has had trouble finding a job and is working for minimum wage.
    http://www.wired.com/news/culture/0,1284,54838,00.html
    [Editor's Note (Murray): 14 percent of companies admit that they
    will hire rogue hackers for security jobs. It would be nice to know who
    they are so that we can avoid them.]

    --28 & 30 August 2002 More Warflying
    Following close on the heels of a warflying report from Sydney,
    Australia, two hackers conducted a warflying (junket) above San Diego
    County, California. The two discovered that the range of 802.11b WLAN
    signals is greater than expected; they were able to detect access
    points from 2,500 feet in the air.
    http://arstechnica.com/wankerdesk/3q02/warflying-1.html
    http://www.computerworld.com/mobilet...,73901,00.html

    --29 August 2002 Poll Says Half of CSO Subscribers Believe Major
    Cyber Attack is Imminent
    Almost half of 1,009 subscribers of the new magazine CSO believe
    that a major cyber attack from terrorists will occur during the
    next year. Those polled are largely US and Canadian CSOs. The
    magazine's editor in chief says the fear of the cyber attacks is
    based on the plausibility of such attacks occurring rather than on
    hard intelligence. Nearly all of those polled say vendors need to
    improve product security.
    http://www.washingtonpost.com/wp-dyn...2002Aug29.html

    --26 August 2002 Are Cyberterrorism Warnings Overstated?
    Talk of terrorists launching catastrophic cyberattacks that disable
    the country's critical infrastructure and cause death and destruction
    is largely hyperbole. Hackers could, however, cause communications
    problems, and could affect utilities that have their control systems
    linked to the Internet. A destructive attack would require a great
    deal of inside knowledge, as there are more often than not back-up
    procedures that are not computerized. The major concern with
    terrorists and the Internet is their use of it to plan a physical
    attack.
    http://zdnet.com.com/2100-1105-955293.html
    [Editor's Note (Schultz): Sadly, the threat of cyberterrorism is
    indeed being badly overstated. But this is only part of a bigger
    problem. There are too many alarmists who constantly tell the rest
    of the world that "the sky is falling" in the cybersecurity arena.]

    --29 August 2002 Microsoft Certificate Enrollment Control Security
    Hole
    Microsoft has issued a security bulletin warning of a critical
    hole in the Certificate Enrollment Control component of Windows,
    an ActiveX control used to request new certificates on line and
    to install them. The bulletin says that the Certificate Enrollment
    Control can also be used to remotely corrupt or delete certificates,
    and urges vulnerable users to install a patch. The vulnerability could
    be exploited by tricking users into visiting a specially crafted
    malicious web page or opening HTML e-mail. Affected versions of
    Windows include 98, 98SE, Millennium, NT 4.0, 2000 and XP; earlier
    versions weren't tested because they are no longer supported.
    http://www.theregister.co.uk/content/55/26859.html
    http://www.computerworld.com/securit...,73864,00.html
    http://www.microsoft.com/technet/sec...n/ms02-048.asp

    --29 August 2002 Hard-To-Copy CD-ROMs
    A new technology developed by JVC and Hudson Soft called "Root" is
    designed to prevent people from copying CD-ROM disks. The contents
    of the disk are encrypted and the required key also resides on the
    disk. The key can be read by CD-ROM drives, but cannot be copied by
    CD-R/RW drives. The key on each disk is different and is hidden on a
    different place on the disk. The technology can be applied to software
    disks and DVDs but not to audio CDs.
    http://news.zdnet.co.uk/story/0,,t269-s2121508,00.html
    [Editor's Note (Northcutt): These types of solutions are generally
    defeated in short order as has been shown in the computer game
    industry. This scheme makes a loser out of the honest person that
    can't make a backup.
    (Grefer) It's just a matter of time until this method will be cracked,
    too. The only question is whether it will take months, weeks or days.]

    --28 August 2002 Spyware Intercepts Web-Based E-Mail
    A new version of eBlaster spyware allows people to intercept outgoing
    and incoming web based e-mail from employees, family members or
    other spy targets. While some may contend that employers have a
    right to see everything that takes place on company computers, others
    have expressed concern that the spyware may violate the Electronic
    Communications Privacy Act.
    http://www.msnbc.com/news/800409.asp?0dm=C24FT

    --30 August 2002 DoD Distributes One Millionth Smart Card
    The Department of Defense (DoD) issued the one millionth Common
    Access Card (CAC) on August 28th. CACs are smart cards that are used
    for identification and building and network access. The DoD, which
    began distributing the cards in October 2001, hopes to have cards
    for all 4 million employees by October 2003.
    http://www.fcw.com/fcw/articles/2002...c-08-30-02.asp

    --28 August 2002 RIAA Defaced, Taken Off Line
    The web site of the Recording Industry Association of America (RIAA)
    was apparently hacked in retaliation for a lawsuit it filed against
    a Chinese site from which people could download music. The hackers
    posted a phony apology message on RIAA's site and made some songs
    available for download. An RIAA spokeswoman acknowledged a problem
    with the site and said they would have it fixed soon, but provided
    no details. The site was taken off-line. The RIAA was the victim of
    a denial of service attack in July.
    http://www.computerworld.com/securit...,73830,00.html
    http://news.com.com/2100-1023-955776.html
    http://www.wired.com/news/politics/0,1283,54812,00.html
    http://www.newsfactor.com/perl/story/19227.html

    --28 August 2002 Linux for Newbies
    This article offers advice on setting up and securing Linux for
    "newbies."
    http://www.theregister.co.uk/content/4/26843.html

    --27 & 28 August 2002 Microsoft Releases APIs
    As part of its settlement with the US Justice Department and nine
    US states, Microsoft has made available 289 application programming
    interfaces (APIs). The APIs are available at Microsoft's Network
    Developer web site.
    http://news.com.com/2100-1001-955655.html
    http://www.computerworld.com/governm...,73829,00.html
    http://msdn.microsoft.com/library/en...i-overview.asp

    --27 August 2002 Lamo Segment Pulled from NBC Nightly News
    Adrian Lamo is the hacker known for breaking into the computer systems
    of many highly visible corporations, including the New York Times,
    where he made off with the names and addresses of famous guest
    editorial contributors. Lamo was scheduled to appear in a segment
    on the NBC Nightly News but the segment was pulled. Lamo alleges the
    interviewer asked him if he could break into NBC's system, so he did.
    http://online.securityfocus.com/news/595
    [Editor's Note (Ranum): My hat's off to NBC for pulling the segment.]

    --27 August 2002 Developing a Database with a Conscience
    An IBM researcher is developing a database that takes responsibility
    for the data it holds much as physicians are bound by the Hippocratic
    oath to maintain confidentiality regarding what their patients tell
    them. The database is set up with rules about what kind of data is
    to be collected and how it is to be used.
    http://www.idg.net/ic_940272_1794_9-10000.html

    --27 August 2002 Hackers Threaten Retaliation if Duo Gets Jail Time
    Other hackers are threatening to retaliate if the pair calling
    themselves the "Deceptive Duo" is sent to prison. The two allegedly
    defaced numerous United States government and corporate web
    sites earlier this year in an attempt to alert the government to
    vulnerabilities in the country's critical infrastructure.
    http://vnunet.com/News/1134600

    --27 August 2002 Man Pleads Guilty to Stealing Microsoft
    Certification Exam Questions
    Robert R. Keppel, owner of a "braindump" site called CheetSheets.com,
    has pleaded guilty in federal court to theft of trade secrets;
    Mr. Keppel apparently sold questions and answers to Microsoft security
    certification examinations. The case is significant because most
    other such cases have been pursued in civil court rather than in
    criminal court. CheetSheets.com is now defunct.
    http://certcities.com/editorial/news...itorialsID=336

    --26 August 2002 Hacker Tools Can Help Too
    Tools used by hackers to gain access to wireless networks can also
    prove helpful to network administrators; the tools can be used to
    identify dead spots in wireless networks and to detect the perimeter
    of the wireless network. They can also be used to improve performance
    by identifying overlapping signals.
    http://www.eweek.com/article2/0,3959,485577,00.asp

    --26 August 2002 Government Wary of Handheld Wireless Due to
    Security Concerns
    Government agencies are hesitant to use wireless handheld devices
    because of the security risks they pose. Handhelds are often lost and
    people who find or steal the devices could use them to access internal
    networks. Even with good security in place, users need to be educated
    in good security practices. The Advanced Encryption Standard (AES)
    should prove helpful to wireless handheld device security because it
    employs variable key lengths between 128 and 256 bits, unlike the older
    Data Encryption Standard (DES) which has a fixed key length of 56 bits.
    http://www.fcw.com/fcw/articles/2002...e-08-26-02.asp
    http://www.fcw.com/fcw/articles/2002...1-08-26-02.asp

    --26 August 2002 Enterprise AIM Addresses Security Issues
    The soon-to-be-released Enterprise AOL Instant Messenger (AIM)
    addresses security concerns that have sometimes led to companies
    blocking the use of the technology in the workplace. Enterprise AIM
    will allow the system administrator to set policies regarding who
    can send and receive instant messages and what content may be sent
    in those messages. Users will also be able to send encrypted instant
    messages using a public key infrastructure (PKI).
    http://www.fcw.com/fcw/articles/2002...l-08-26-02.asp
    [Editor's Note (Murray): Perhaps this is the long-awaited "killer
    application" for PKI.]

    --22 August 2002 The Ethics of Cyber Warfare
    The Bush administration is examining the legal and ethical issues
    surrounding cyber warfare as the specter of such an event looms. Some
    countries are looking to cyberwar as a way to level the playing field,
    as it is less expensive than conventional methods of attack. The US
    must tread carefully because people are so dependent upon computers
    that retaliation for a cyberattack could be costly.
    http://www.washingtonpost.com/wp-dyn...2002Aug21.html

  2. #2
    --30 August 2002 DoD Distributes One Millionth Smart Card

    Whoa, 4 million employees... Where do they all go?
