September 11, 2001 xmaddness remembers. In tribute to the more than 3,000 lives lost.

Brought to you by our friends at the SANS Institute.

Well, not really that much going on this week.

MS thinks that their security is lacking.

New Wireless security device creates "noise" around WAPs.
Although wardriving is still gaining in popularity and is exposing countless hundreds of unsecured networks.

Yet another MS patch, this one for the digital certificate vulnerability. (What else is new?)

Intel decides to join MS in the Palladium effort.

INTERVIEW: Kevin Mitnick on Social Engineering.

Well, that's about it for this week.

PS... I would like to get some discussion going on in these threads. If you see a topic in here that you want to comment on, feel free to.

Oh, and feel free to bump this thread at will. It will usually die off after the week is over. It's always good to have the news on the front page. I know many have missed it from week to week. The past weeks' threads you can find at the bottom of the page.
***********************************************************************
SANS NewsBites September 11, 2002 Vol. 4, Num. 37
***********************************************************************

TOP OF THE NEWS
7 September 2002 LLNL Hacker Gets House Arrest and Community Service
5 September 2002 Microsoft VP Not Proud of Company's Security
5 & 6 September 2002 PGP Buffer Overflow Vulnerability
26 August 2002 Federal Security Dollars Spent on OMB Reports Instead
Of Fixing Security

STORIES ILLUSTRATING THE LACK OF SECURITY AWARENESS AND ITS IMPACT
7 & 9 September 2002 Microsoft: Windows 2000 Attacks Due to Improper
Lockdown
9 September 2002 Wardriving Reveals Lack of LAN Security
7 September 2002 City Employee Opens Hard Drive to Kazaa Network
Think he got fired?
4 September 2002 Mitnick Describes Social Engineering Tactics

THE REST OF THE WEEK'S NEWS
9 September 2002 September 11th Renews Commitment to Security in
the Workplace
9 September 2002 Philippine Phreaking Bust
9 September 2002 Intel Hardware will Integrate Security
9 September 2002 Venezuelan CD Pirates Sold Confidential Data
6 September 2002 Four Men Sentenced for Roles in Piracy Ring
6 September 2002 Spammers Use Unprotected Wireless Networks to Wield
their Wares
5 September 2002 Biometrically Secured Airport Lockers Tested
5 September 2002 OASIS Adopts New ebXML Standard
5 & 6 September 2002 Microsoft Releases Windows Patch for Critical
Digital Certificate Vulnerability

4 & 8 September 2002 Dearth of Security Specialists Bemoaned
4 September 2002 Security Tool Creates "Noise" Around Wireless
Access Points

3 September 2002 Citibank E-Mail Campaign May Have Breached Customer
Privacy
3 September 2002 Demand for Disaster Recovery and Business Continuity
Planning is Up
3 September 2002 FBI Application Process Weeds Out Many Potentially
Valuable Cyber Security Workers
3 September 2002 Are Viruses on the Decline?
3 September 2002 Security Firm Says Hacks are on the Rise
2 & 3 September 2002 Microsoft Enhances Passport Security
2 September 2002 Higher Ed Funding May be Tied to Security Practices
2 September 2002 Plan Will Establish Cybersecurity Network Operations
Center
2 September 2002 Plan Includes Privacy Czar
TOP OF THE NEWS

--7 September 2002 LLNL Hacker Gets House Arrest and Community
Service
Benjamin Troy Breuninger of Minnesota will serve six months under house
arrest and give 400 hours of his time to community service as a penalty
for breaking into a computer system at Lawrence Livermore National
Laboratory. He will also have to pay $20,000 in restitution. He was
convicted of causing damage in excess of $32,000. The judge in the
case did not give the harshest sentence because, authorities say,
Breuninger did not access classified information and he apologized,
accepted responsibility for his actions and was cooperating with
authorities, including telling the Laboratory how he broke in.
http://www.bayarea.com/mld/cctimes/l...ce/4022958.htm

--5 September 2002 Microsoft VP Not Proud of Company's Security
Brian Valentine, senior VP in charge of the Windows development team,
told a gathering of attendees of Microsoft's Windows .Net Server
developer conference that the company has not done everything it could
to protect customers because Microsoft products are not designed
for security. Valentine observed that security is a problem that
will never be solved because as concerns are addressed, hackers will
devise new methods. He also pointed out that all major operating
systems have security problems.
http://www.infoworld.com/articles/hn...hnmssecure.xml
[Editor's Note (Northcutt): Commercial operating system vendors,
with Microsoft at the lead, have focused on features, not system and
security engineering. Users have begun to realize they are sitting on
a time bomb when they try to use Windows operating systems in commerce.
Watch for early adopters of .NET to get hammered, as well. This is
what drove the community to develop the Gold Standard to harden
Windows 2000:
http://www.fcw.com/fcw/articles/2002...n-07-22-02.asp
and the Gold Standard course schedule is at:
http://www.sans.org/Win2KWorldTour/win2K.php]


--5 & 6 September 2002 PGP Buffer Overflow Vulnerability
A buffer overflow vulnerability in the way PGP Corporate Edition 7.1.0
and 7.1.1 handle long file names in encrypted archives could crash
the program. The vulnerability could be exploited to run malicious
code on a targeted computer. A patch is available.
http://news.com.com/2100-1001-956815.html
http://www.theregister.co.uk/content/55/26998.html
http://www.eweek.com/article2/0,3959,518907,00.asp
http://www.nai.com/naicommon/downloa...-pgphotfix.asp

--26 August 2002 Federal Security Dollars Spent on OMB Reports
Instead Of Fixing Security
Much of the money earmarked for making improvements in computer
networks at federal agencies actually goes to preparing reports for
Congress and the Office of Management and Budget (OMB). The OMB says
the gathered data will help support requests for increased resources
to address security; however, even if agencies complete the entire OMB
checklist, it does nothing to guarantee the security of their systems.
http://federaltimes.com/index.php?S=1072569


STORIES ILLUSTRATING THE LACK OF SECURITY AWARENESS AND ITS IMPACT

--7 & 9 September 2002 Microsoft: Windows 2000 Attacks Due to
Improper Lockdown
Microsoft has issued an advisory stating that the attacks on servers
running Windows 2000 were the result of hackers taking advantage of
inadequately locked down machines rather than exploiting a security
hole. Microsoft said the attacked servers had blank or weak passwords,
and it recommends that customers address the password problem, disable
guest accounts, install firewalls, keep up to date with security
patches and run anti-virus software. The attacks were designed to
load a Trojan onto the server.
http://zdnet.com.com/2100-1105-957159.html
http://www.theregister.co.uk/content/55/27007.html
Microsoft advisory:
http://support.microsoft.com/default...;en-us;q328691

--9 September 2002 Wardriving Reveals Lack of LAN Security
A week-long worldwide wardrive revealed that many wireless LANs (local
area networks) don't employ even basic security. A New Jersey-based
company is selling complete wardriving kits. A consultant for the
company observed that wardriving is legal and has legitimate uses.
http://www.computerworld.com/mobilet...,74103,00.html
http://www.computerworld.com/mobilet...,74102,00.html
[Editor's Note (Murray): It is legal to look in your neighbor's open
window but nice people do not do it. There is no more corrupting idea
than the current one that that which is legal is, ipso facto, ethical.]


--7 September 2002 City Employee Opens Hard Drive to Kazaa Network
An Aspen, Colorado city employee who had installed Kazaa peer-to-peer
file sharing software on his work computer inadvertently made
his entire hard drive available to the network. The problem was
discovered by Canadian Kazaa member James Pocock, who e-mailed the
employee as well as the city's mayor and police chief about the
information he'd been able to view. The city has changed passwords
and installed a new firewall.
http://www.denverpost.com/Stories/0,...43149~,00.html

LOL... How dumb can you get? Well, this just goes to show that internal security is just as important as (if not more important than) outside security.

--4 September 2002 Mitnick Describes Social Engineering Tactics
Kevin Mitnick describes how companies leave themselves vulnerable
to socially engineered cyber attacks: corporate culture and terrain
can be discerned by examining documents found in trash cans, and
help desk personnel are often easily tricked into handing over login
names and passwords over the phone. Furthermore, if CEOs make a habit
of ignoring security policies and procedures when they want a task
accomplished quickly, this too can be exploited.
http://www.infoconomy.com/pages/news...group66338.adp


[Editor's Note (Northcutt): This note applies to all four of the
preceding stories. If you agree there is a security awareness problem
of epidemic proportions and want to make a difference, please help with
SANS new project in security awareness. It turns out to be incredibly
difficult to create powerful, believable security awareness training,
that appeals to administrative workers as well as the system and
network administrators who are some of the worst offenders. After two
years of research, we have a tool that seems to work. True stories
of the impact of security breaches, written in the first person,
are the most effective tools to actually change behavior. If you
would like to be involved in this consensus research project, contact
awareness@sans.org]


THE REST OF THE WEEK'S NEWS

--9 September 2002 September 11th Renews Commitment to Security
in the Workplace
The September 11 terrorist attacks have changed some businesses'
attitudes toward security. Companies have reevaluated their security
policies and disaster preparedness plans and employees are more aware
of the importance of security in their workplaces.
http://www.computerworld.com/managem...,74049,00.html

--9 September 2002 Philippine Phreaking Bust
Philippine police arrested three men in connection with a ring
believed to be responsible for hacking into the Philippine Long
Distance Telephone Company's computers and selling phone time.
If convicted, each of the men faces a six-year prison sentence and
a fine of almost $2,000. The arrests were made in accordance with
the Philippines' e-Commerce law, which was passed after the Love Bug
author escaped prosecution because there was no applicable law.
http://story.news.yahoo.com/news?tmp...s_arrests_dc_1
http://www.manilatimes.net/national/...20910top3.html

--9 September 2002 Intel Hardware will Integrate Security
Intel plans to integrate security features into its new chips and
other hardware. The features will work with Microsoft's Palladium.
http://www.msnbc.com/news/805877.asp?0dm=C15JT


--9 September 2002 Venezuelan CD Pirates Sold Confidential Data
Two people have been arrested in Caracas, Venezuela for their roles
in a CD piracy trade that included confidential phone company records
and police files.
http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=8953


--6 September 2002 Four Men Sentenced for Roles in Piracy Ring
Four men in the UK have been found guilty for conspiracy to defraud
in connection with a software piracy ring. Two of the men received
prison sentences of four-and-one-half years; the other two received
four-month "custodial sentences."
http://news.com.com/2100-1001-956884.html
http://www.theregister.co.uk/content/51/26993.html

--6 September 2002 Spammers Use Unprotected Wireless Networks to
Wield their Wares
A consultant claims spammers are taking advantage of unsecured
wireless network access points and use the victim company's system
to send out unsolicited e-mail.
http://news.com.com/2100-1033-956911.html

--5 September 2002 Biometrically Secured Airport Lockers Tested
The Transportation Safety Administration (TSA) is testing biometrically
secured public lockers at Minneapolis-St. Paul International
airport. Following the September 11th attacks, the TSA had banned all
such lockers. The lockers will require a fingerprint for rental and
retrieval of stored items.
http://www.fcw.com/fcw/articles/2002...k-09-05-02.asp

--5 September 2002 OASIS Adopts New ebXML Standard
The Organization for the Advancement of Structured Information
Standards (OASIS) has announced that its members have approved and
adopted the new ebXML Messaging Service Specification Version 2.0.
http://www.computerworld.com/managem...,74001,00.html

--5 & 6 September 2002 Microsoft Releases Windows Patch for Critical
Digital Certificate Vulnerability
Microsoft has released a patch for a security hole in Windows
Cryptography API, which supports encryption, decryption and digital
certificate handling. The vulnerability affects multiple versions
of Windows and three Macintosh programs. Patches are not yet
available for all versions of Windows, but exploit code has already
been released, so Microsoft is making the patches available as they
are ready. The vulnerability can be exploited to create phony digital
certificates useful for launching "man-in-the-middle" attacks.
http://www.computerworld.com/securit...,73996,00.html
http://www.theregister.co.uk/content/55/26972.html
http://news.com.com/2100-1001-956729.html
http://www.microsoft.com/technet/sec...n/MS02-050.asp


--4 & 8 September 2002 Security Specialists in Short Supply
Security experts speaking at a cybersecurity conference in Washington
D.C. expressed concern that the country is going to need many more
skilled IT workers to protect the critical infrastructure than are
presently available. The military faces shortages of skilled IT
workers because many command higher salaries in the private sector.
In a related story, cyber forensic specialists are increasingly
in demand.
http://www.govexec.com/dailyfed/0902/090402td2.htm
http://seattletimes.nwsource.com/htm...rensics08.html


--4 September 2002 Security Tool Creates "Noise" Around Wireless
Access Points
Two computer programmers have developed a tool called Fake AP that
generates 53,000 phony wireless access points around each real one.
People who may legitimately access the network will be able to
determine the actual access point. Some hackers are likely to rise
to the challenge and develop tools that test all the points quickly
to determine the real one.
http://www.newscientist.com/news/news.jsp?id=ns99992760


--3 September 2002 Citibank E-Mail Campaign May Have Breached
Customer Privacy
Citibank used two outside companies to gather e-mail addresses of its
customers. The companies then sent e-mails offering the opportunity
to receive information about Citibank accounts on line. However,
some of the e-mail addresses did not belong to Citibank customers.
http://www.msnbc.com/news/802701.asp?0dm=H24BTs

--3 September 2002 Demand for Disaster Recovery and Business
Continuity Planning is Up
Companies that offer disaster recovery planning services have noticed
an increase in their business since the September 11th terrorist
attacks. Previously, many businesses had not given much thought to
such widespread catastrophe. Businesses want help drafting business
continuity plans. Plans in place had not taken into account the
possibility of a "regional disaster." Companies are reevaluating
back-up plans and increasing the distances between data centers.
http://www.computerworld.com/managem...,73956,00.html

--3 September 2002 FBI Application Process Weeds Out Many Potentially
Valuable Cyber Security Workers
Although the FBI is interested in recruiting security experts for their
agency, the application process weeds out many based on their ethics,
ages and levels of physical fitness. The FBI does have civilian
employees, though employees who are not agents are "at the bottom of
the food chain." One security consultant says that even if hacker
applicants are hired, they won't be put on computer security cases
for several years.
http://www.wired.com/news/politics/0,1283,54850,00.html

--3 September 2002 Are Viruses on the Decline?
Though the number of worms and viruses has grown about 50% each year
since 1990, this year, that number is expected to decline by 5%,
according to some security specialists. The reasons for the drop
could be increased penalties for creating and spreading malware
or increased use of anti-virus software. There is still a risk of
infection, however; researchers estimate that up to 7% of e-mail
messages contain a virus or a worm.
http://europe.cnn.com/2002/BUSINESS/...rus/index.html

--3 September 2002 Security Firm Says Hacks are on the Rise
Security firm mi2g has reported more hacks in the first eight months
of 2002 than the total number of hacks reported in all of 2001.
The company also says that cyber terrorism organizations are trying
to harvest information about computer networks in the financial sector
and other targets through electronic bulletin boards.
http://news.bbc.co.uk/2/hi/technology/2231205.stm

--2 & 3 September 2002 Microsoft Enhances Passport Security
Microsoft has improved the security of its Passport single sign-on
authentication technology. First, in order to establish an account,
users must submit a valid e-mail address; they will then receive an
e-mail message with links that will allow them to validate the account.
Second, it is now easier to cancel accounts that are no longer needed.
http://news.com.com/2100-1001-956246.html
http://www.computerworld.com/managem...,73945,00.html

--2 September 2002 Higher Ed Funding May be Tied to Security
Practices
The National Strategy to Secure Cyberspace is likely to tie state and
federal funding for colleges and universities to compliance with cyber
security rules, including the designation of a CIO for each institution
and establishing an Information Sharing and Analysis Center (ISAC)
for US institutions of higher education.
http://www.eweek.com/article2/0,3959,508676,00.asp

--2 September 2002 Plan Will Establish Cybersecurity Network
Operations Center
The National Strategy to Secure Cyberspace, which will be released
September 18 at Stanford University in California, includes plans to
create a cybersecurity network operations center (NOC). Despite rumors
to the contrary, the NOC does not intend to intercept and examine
e-mail and data traffic from major ISPs and private networks.
The plan is to model the NOC after the Incident.org web site and
Internet Storm Center.
http://www.computerworld.com/securit...,73922,00.html

--2 September 2002 Plan Includes Privacy Czar
The National Strategy to Secure Cyberspace is likely to include
the appointment of a "privacy czar" or chief privacy officer (CPO)
who will examine government data collection and security initiatives
and ensure that privacy is protected. The CPO would also oversee
privacy advocates at each government agency. The Czar would be in
the new Department of Homeland Security.
http://www.eweek.com/article2/0,3959,503728,00.asp