***********************************************************************
SANS NewsBites September 4, 2002 Vol. 4, Num. 36
***********************************************************************
TOP OF THE NEWS
29 & 30 August 2002 iVillage.com E-Mail Shut Down Due to Security
and Privacy Problems
28 August 2002 Ziff Davis Media Settles Privacy Breach Investigation
27 August 2002 DoubleClick Settles Privacy Investigation
28 August 2002 On Line Gold Theft Attempt Thwarted
26 August 2002 Woman Pleads Guilty to Importing Phony Software
THE REST OF THE WEEK'S NEWS
2 September 2002 New Airline Passenger Screening System Expected Soon
28 August 2002 Proposed Legislation Would Have Biometric Data on
Drivers Licenses
26 August 2002 Biometrics in Travel Documents Raises Security and
Reliability Concerns
26 August 2002 DoD Testing Iris Recognition at Athletic Club
30 August 2002 Hacker Has Trouble Finding Work
28 & 30 August 2002 More Warflying
29 August 2002 Poll Says Half of CSO Subscribers Believe Major Cyber
Attack is Imminent
26 August 2002 Are Cyberterrorism Warnings Overstated?
29 August 2002 Microsoft Certificate Enrollment Control Security Hole
29 August 2002 Hard-To-Copy CD-ROMs
28 August 2002 Spyware Intercepts Web-Based E-Mail
30 August 2002 DOD Distributes One Millionth Smart Card
28 August 2002 RIAA Defaced, Taken Off Line
28 August 2002 Linux for Newbies
27 & 28 August 2002 Microsoft Releases APIs
27 August 2002 Lamo Segment Pulled from NBC Nightly News
27 August 2002 Developing a Database with a Conscience
27 August 2002 Hackers Threaten Retaliation if Duo Gets Jail Time
27 August 2002 Man Pleads Guilty to Stealing Microsoft Certification
Exam Questions
26 August 2002 Hacker Tools Can Help Too
26 August 2002 Government Wary of Handheld Wireless Due to Security
Concerns
26 August 2002 Enterprise AIM Addresses Security Issues
22 August 2002 The Ethics of Cyber Warfare
TOP OF THE NEWS
--29 & 30 August 2002 iVillage.com E-Mail Shut Down Due to Security
and Privacy Problems
iVillage.com shut down its e-mail service on August 29th after it
learned that users were logging on and finding other users' in-boxes
available for perusal. Some customers had been complaining about the
problem for a week. The violation of privacy policy could spell bad
news for iVillage.com based on the recent settlement agreed to by
Ziff Davis Media.
http://www.msnbc.com/news/800959.asp?0dm=T22FT
http://www.computerworld.com/securit...,73900,00.html
--28 August 2002 Ziff Davis Media Settles Privacy Breach
Investigation
Ziff Davis Media has agreed to pay $125,000 as part of a settlement
following an investigation into a breach of customer data privacy. Ziff
Davis Media will also establish security practices to better protect
information online. According to state attorneys general involved in
the investigation, some of the people whose information was exposed
were victims of identity theft.
http://news.com.com/2100-1023-955841.html
http://www.wired.com/news/business/0,1367,54817,00.html
Press Release from New York State Attorney General:
http://www.oag.state.ny.us/press/200...aug28a_02.html
--27 August 2002 DoubleClick Settles Privacy Investigation
DoubleClick has agreed to a settlement following an investigation into
its privacy practices regarding the data it collects. The investigation
was a joint effort on the part of 10 of the 50 States Attorneys
General. DoubleClick will pay $450,000 toward the investigation
costs and will amend its privacy practices. It will also store all
data more than three months old off line. The company will also be
subject to third-party audits to check for compliance with the terms
of the settlement.
http://www.theregister.co.uk/content/6/26817.html
[Editor's Note (Ranum): This is the way to make strides forward in
security: start making failure to do the right thing expensive.]
--28 August 2002 On Line Gold Theft Attempt Thwarted
Hackers placed a keystroke logger on gold dealer Crowne Gold's computer
system and harvested passwords. The hackers then used the passwords
to attempt a transfer of almost $200,000 worth of gold to another
brokerage; their attempt was foiled by the fact that they lacked
proper documentation. Crowne Gold shut down its system so customers
have not been able to access their accounts. The company hoped to
have the site up again soon.
http://www.wired.com/news/business/0,1367,54802,00.html
--26 August 2002 Woman Pleads Guilty to Importing Phony Software
A woman in Los Angeles has pleaded no contest to charges of importing
almost $75 million worth of counterfeit software. Lisa Chen will
receive a sentence of between five and nine years in federal prison
and pay restitution to Microsoft and Symantec. Chen and three other
people were arrested after an 18-month investigation; the others'
cases are pending in federal court. This is apparently the largest
seizure of counterfeit software ever in the United States.
http://www.siliconvalley.com/mld/sil...ey/3943489.htm
THE REST OF THE WEEK'S NEWS
--2 September 2002 New Airline Passenger Screening System Expected
Soon
Federal airport security officers hope to be using a significantly
enhanced version of the Computer Assisted Passenger Prescreening System
(CAPPS) before the end of the year. CAPPS II will provide real-time
threat evaluation of passengers; it will search through multiple
government and commercial databases for information and provide almost
immediate feedback on a passenger's background. Implementation of the
new system could be delayed if the Transportation Department becomes
part of the Department of Homeland Security.
http://www.fcw.com/fcw/articles/2002...s-09-02-02.asp
--28 August 2002 Proposed Legislation Would Have Biometric Data on
Drivers Licenses
Two US lawmakers from Virginia have proposed the 2003 Driver's License
Modernization Act which would have all US drivers' licenses include
biometric data. The legislators say the new licenses could help
prevent identity theft. There is also talk of issuing smart cards
to all federal employees, following in the footsteps of the Defense
Department's Common Access Card.
http://www.govexec.com/dailyfed/0802/082802s1.htm
[Editor's Note (Murray): There is already biometric data on the driver's
license; it is called the photograph. This particular biometric has
the advantage that it can be easily reconciled by people. Computers
cannot reconcile it very well but then they do not do very well at
any biometrics. That is why we must use strong authentication.]
--26 August 2002 Biometrics in Travel Documents Raises Security and
Reliability Concerns
The US Patriot Act calls for the implementation of biometric
identifiers on travel documents for non-US citizens by the year
2004. The National Institute of Standards and Technology (NIST) has
been studying various biometric systems and has so far found areas
of concern with fingerprints, iris scanning and facial recognition
technology, leading to a preliminary conclusion that no one biometric
technology by itself is reliable. The use of biometric technology
also raises concerns about how the information will be stored: smart
cards must be managed so that various permissions can be revoked
easily, and network based authentication systems pose the risk of
data interception and altering.
http://www.gcn.com/21_25/security/19773-1.html
--26 August 2002 DoD Testing Iris Recognition at Athletic Club
The Defense Department Biometrics Management Office is testing an iris
recognition system at the Pentagon Athletic Club. Participation in the
testing is voluntary. Starting August 30th, the Defense Department's
Biometrics Management Office plans to use the system as the "sole tool"
for entry to the athletic club.
http://www.fcw.com/fcw/articles/2002...s-08-26-02.asp
--30 August 2002 Hacker Has Trouble Finding Work
Though hackers used to have little trouble finding jobs, the scene
is changing. Max Ray Butler once worked as a cyber informant for
the FBI, but recently served a year in federal prison for intruding
into government and military computer networks. Since his release,
Butler has had trouble finding a job and is working for minimum wage.
http://www.wired.com/news/culture/0,1284,54838,00.html
[Editor's Note (Murray): 14 percent of companies admit that they
will hire rogue hackers for security jobs. Would be nice to know who
they are so that we can avoid them.]
--28 & 30 August 2002 More Warflying
Following close on the heels of a warflying report from Sydney,
Australia, two hackers conducted a warflying junket above San Diego
County, California. The two discovered that the range of 802.11b WLAN
signals is greater than expected; they were able to detect access
points from 2,500 feet in the air.
http://arstechnica.com/wankerdesk/3q02/warflying-1.html
http://www.computerworld.com/mobilet...,73901,00.html
--29 August 2002 Poll Says Half of CSO Subscribers Believe Major
Cyber Attack is Imminent
Almost half of 1,009 subscribers of the new magazine CSO believe
that a major cyber attack from terrorists will occur during the
next year. Those polled are largely US and Canadian CSOs. The
magazine's editor in chief says the fear of the cyber attacks is
based on the plausibility of such attacks occurring rather than on
hard intelligence. Nearly all of those polled say vendors need to
improve product security.
http://www.washingtonpost.com/wp-dyn...2002Aug29.html
--26 August 2002 Are Cyberterrorism Warnings Overstated?
Talk of terrorists launching catastrophic cyberattacks that disable
the country's critical infrastructure and cause death and destruction
is largely hyperbole. Hackers could, however, cause problems for
communications and for utilities whose control systems are linked
to the Internet. A destructive attack would require a great deal of
inside knowledge, as there are more often than not back-up procedures
that are not computerized. The major concern with terrorists and the
Internet is their use of it to plan a physical attack.
http://zdnet.com.com/2100-1105-955293.html
[Editor's Note (Schultz): Sadly, the threat of cyberterrorism is
indeed being badly overstated. But this is only part of a bigger
problem. There are too many alarmists who constantly tell the rest
of the world that "the sky is falling" in the cybersecurity arena.]
--29 August 2002 Microsoft Certificate Enrollment Control Security
Hole
Microsoft has issued a security bulletin warning of a critical
hole in the Certificate Enrollment Control component of Windows,
an ActiveX control used to request new certificates on line and
to install them. The bulletin says that the Certificate Enrollment
Control can also be used to remotely corrupt or delete certificates,
and urges vulnerable users to install a patch. The vulnerability could
be exploited by tricking users into visiting a specially crafted
malicious web page or opening HTML e-mail. Affected versions of
Windows include 98, 98SE, Millennium, NT 4.0, 2000 and XP; earlier
versions weren't tested because they are no longer supported.
http://www.theregister.co.uk/content/55/26859.html
http://www.computerworld.com/securit...,73864,00.html
http://www.microsoft.com/technet/sec...n/ms02-048.asp
--29 August 2002 Hard-To-Copy CD-ROMs
A new technology developed by JVC and Hudson Soft called "Root" is
designed to prevent people from copying CD-ROM disks. The contents
of the disk are encrypted and the required key also resides on the
disk. The key can be read by CD-ROM drives, but cannot be copied by
CD-R/RW drives. The key on each disk is different and is hidden on a
different place on the disk. The technology can be applied to software
disks and DVDs but not to audio CDs.
http://news.zdnet.co.uk/story/0,,t269-s2121508,00.html
[Editor's Note (Northcutt): These types of solutions are generally
defeated in short order as has been shown in the computer game
industry. This scheme makes a loser out of the honest person that
can't make a backup.
(Grefer) It's just a matter of time until this method will be cracked,
too. The only question is whether it will take months, weeks or days.]
--28 August 2002 Spyware Intercepts Web-Based E-Mail
A new version of eBlaster spyware allows people to intercept outgoing
and incoming web based e-mail from employees, family members or
other spy targets. While some may contend that employers have a
right to see everything that takes place on company computers, others
have expressed concern that the spyware may violate the Electronic
Communications Privacy Act.
http://www.msnbc.com/news/800409.asp?0dm=C24FT
--30 August 2002 DoD Distributes One Millionth Smart Card
The Department of Defense (DoD) issued the one millionth Common
Access Card (CAC) on August 28th. CACs are smart cards that are used
for identification and building and network access. The DoD, which
began distributing the cards in October 2001, hopes to have cards
for all 4 million employees by October 2003.
http://www.fcw.com/fcw/articles/2002...c-08-30-02.asp
--28 August 2002 RIAA Defaced, Taken Off Line
The web site of the Recording Industry Association of America (RIAA)
was apparently hacked in retaliation for a lawsuit it filed against
a Chinese site from which people could download music. The hackers
posted a phony apology message on RIAA's site and made some songs
available for download. An RIAA spokeswoman acknowledged a problem
with the site and said they would have it fixed soon, but provided
no details. The site was taken off-line. The RIAA was the victim of
a denial of service attack in July.
http://www.computerworld.com/securit...,73830,00.html
http://news.com.com/2100-1023-955776.html
http://www.wired.com/news/politics/0,1283,54812,00.html
http://www.newsfactor.com/perl/story/19227.html
--28 August 2002 Linux for Newbies
This article offers advice on setting up and securing Linux for
"newbies."
http://www.theregister.co.uk/content/4/26843.html
--27 & 28 August 2002 Microsoft Releases APIs
As part of its settlement with the US Justice Department and nine
US states, Microsoft has made available 289 application programming
interfaces (APIs). The APIs are available at Microsoft's Network
Developer web site.
http://news.com.com/2100-1001-955655.html
http://www.computerworld.com/governm...,73829,00.html
http://msdn.microsoft.com/library/en...i-overview.asp
--27 August 2002 Lamo Segment Pulled from NBC Nightly News
Adrian Lamo is the hacker known for breaking into the computer systems
of many highly visible corporations, including the New York Times,
where he made off with the names and addresses of famous guest
editorial contributors. Lamo was scheduled to appear in a segment
on the NBC Nightly News but the segment was pulled. Lamo alleges the
interviewer asked him if he could break into NBC's system, so he did.
http://online.securityfocus.com/news/595
[Editor's Note (Ranum): My hat's off to NBC for pulling the segment.]
--27 August 2002 Developing a Database with a Conscience
An IBM researcher is developing a database that takes responsibility
for the data it holds much as physicians are bound by the Hippocratic
oath to maintain confidentiality regarding what their patients tell
them. The database is set up with rules about what kind of data is
to be collected and how it is to be used.
http://www.idg.net/ic_940272_1794_9-10000.html
--27 August 2002 Hackers Threaten Retaliation if Duo Gets Jail Time
Other hackers are threatening to retaliate if the pair calling
themselves the "Deceptive Duo" is sent to prison. The two allegedly
defaced numerous United States government and corporate web
sites earlier this year in an attempt to alert the government to
vulnerabilities in the country's critical infrastructure.
http://vnunet.com/News/1134600
--27 August 2002 Man Pleads Guilty to Stealing Microsoft
Certification Exam Questions
Robert R. Keppel, owner of a "braindump" site called CheetSheets.com,
has pleaded guilty in federal court to theft of trade secrets;
Mr. Keppel apparently sold questions and answers to Microsoft security
certification examinations. The case is significant because most
other such cases have been pursued in civil court rather than in
criminal court. CheetSheets.com is now defunct.
http://certcities.com/editorial/news...itorialsID=336
--26 August 2002 Hacker Tools Can Help Too
Tools used by hackers to gain access to wireless networks can also
prove helpful to network administrators; the tools can be used to
identify dead spots in wireless networks and to detect the perimeter
of the wireless network. They can also be used to improve performance
by identifying overlapping signals.
http://www.eweek.com/article2/0,3959,485577,00.asp
--26 August 2002 Government Wary of Handheld Wireless Due to
Security Concerns
Government agencies are hesitant to use wireless handheld devices
because of the security risks they pose. Handhelds are often lost and
people who find or steal the devices could use them to access internal
networks. Even with good security in place, users need to be educated
in good security practices. The Advanced Encryption Standard (AES)
should prove helpful to wireless handheld device security because it
employs variable key lengths between 128 and 256 bits, unlike the older
Data Encryption Standard (DES) which has a fixed key length of 56 bits.
http://www.fcw.com/fcw/articles/2002...e-08-26-02.asp
http://www.fcw.com/fcw/articles/2002...1-08-26-02.asp
--26 August 2002 Enterprise AIM Addresses Security Issues
The soon-to-be-released Enterprise AOL Instant Messenger (AIM)
addresses security concerns that have sometimes led to companies
blocking the use of the technology in the workplace. Enterprise AIM
will allow the system administrator to set policies regarding who
can send and receive instant messages and what content may be sent
in those messages. Users will also be able to send encrypted instant
messages using a public key infrastructure (PKI).
http://www.fcw.com/fcw/articles/2002...l-08-26-02.asp
[Editor's Note (Murray): Perhaps this is the long-awaited "killer
application" for PKI.]
--22 August 2002 The Ethics of Cyber Warfare
The Bush administration is examining the legal and ethical issues
surrounding cyber warfare as the specter of such an event looms. Some
countries are looking to cyberwar as a way to level the playing field,
as it is less expensive than conventional methods of attack. The US
must tread carefully because people are so dependent upon computers
that retaliation for a cyberattack could be costly.
http://www.washingtonpost.com/wp-dyn...2002Aug21.html