
Thread: NEWS: This week's security news.

  1. #1
    Webius Designerous Indiginous (Join Date: Mar 2002; Location: South Florida; Posts: 1,123)

    NEWS: This week's security news.

    September 11, 2001 xmaddness remembers. In tribute to the more than 3,000 lives lost.

    Brought to you by our friends at the SANS Institute.

    Well, not really that much going on this week.

    MS thinks that their security is lacking.

    New Wireless security device creates "noise" around WAPs.
    Although wardriving is still gaining in popularity and is exposing countless hundreds of unsecured networks.

    Yet another MS patch, this one for the digital certificate vulnerability. (what else is new)

    Intel decides to join MS in the Palladium effort.

    INTERVIEW: Kevin Mitnick on Social Engineering.

    Well, thats about it for this week.

    PS... I would like to get some discussion going in these threads. If you see a topic in here that you want to comment on, feel free to.


    Oh, and feel free to bump this thread at will. It will usually die off after the week is over. It's always good to have the news on the front page. I know many have missed it from week to week. The past weeks' threads you can find at the bottom of the page.



    ***********************************************************************
    SANS NewsBites September 11, 2002 Vol. 4, Num. 37
    ***********************************************************************

    TOP OF THE NEWS
    7 September 2002 LLNL Hacker Gets House Arrest and Community Service
    5 September 2002 Microsoft VP Not Proud of Company's Security
    5 & 6 September 2002 PGP Buffer Overflow Vulnerability
    26 August 2002 Federal Security Dollars Spent on OMB Reports Instead
    Of Fixing Security

    STORIES ILLUSTRATING THE LACK OF SECURITY AWARENESS AND ITS IMPACT
    7 & 9 September 2002 Microsoft: Windows 2000 Attacks Due to Improper
    Lockdown
    9 September 2002 Wardriving Reveals Lack of LAN Security
    7 September 2002 City Employee Opens Hard Drive to Kazaa Network
    Think he got fired?
    4 September 2002 Mitnick Describes Social Engineering Tactics

    THE REST OF THE WEEK'S NEWS
    9 September 2002 September 11th Renews Commitment to Security in
    the Workplace
    9 September 2002 Philippine Phreaking Bust
    9 September 2002 Intel Hardware will Integrate Security
    9 September 2002 Venezuelan CD Pirates Sold Confidential Data
    6 September 2002 Four Men Sentenced for Roles in Piracy Ring
    6 September 2002 Spammers Use Unprotected Wireless Networks to Wield
    their Wares
    5 September 2002 Biometrically Secured Airport Lockers Tested
    5 September 2002 OASIS Adopts New ebXML Standard
    5 & 6 September 2002 Microsoft Releases Windows Patch for Critical
    Digital Certificate Vulnerability

    4 & 8 September 2002 Dearth of Security Specialists Bemoaned
    4 September 2002 Security Tool Creates "Noise" Around Wireless
    Access Points

    3 September 2002 Citibank E-Mail Campaign May Have Breached Customer
    Privacy
    3 September 2002 Demand for Disaster Recovery and Business Continuity
    Planning is Up
    3 September 2002 FBI Application Process Weeds Out Many Potentially
    Valuable Cyber Security Workers
    3 September 2002 Are Viruses on the Decline?
    3 September 2002 Security Firm Says Hacks are on the Rise
    2 & 3 September 2002 Microsoft Enhances Passport Security
    2 September 2002 Higher Ed Funding May be Tied to Security Practices
    2 September 2002 Plan Will Establish Cybersecurity Network Operations
    Center
    2 September 2002 Plan Includes Privacy Czar




    TOP OF THE NEWS

    --7 September 2002 LLNL Hacker Gets House Arrest and Community
    Service
    Benjamin Troy Breuninger of Minnesota will serve six months under house
    arrest and give 400 hours of his time to community service as a penalty
    for breaking into a computer system at Lawrence Livermore National
    Laboratory. He will also have to pay $20,000 in restitution. He was
    convicted of causing damage in excess of $32,000. The judge in the
    case did not give the harshest sentence because, authorities say,
    Breuninger did not access classified information and he apologized,
    accepted responsibility for his actions and was cooperating with
    authorities, including telling the Laboratory how he broke in.
    http://www.bayarea.com/mld/cctimes/l...ce/4022958.htm

    --5 September 2002 Microsoft VP Not Proud of Company's Security
    Brian Valentine, senior VP in charge of the Windows development team,
    told a gathering of attendees of Microsoft's Windows .Net Server
    developer conference that the company has not done everything it could
    to protect customers because Microsoft products are not designed
    for security. Valentine observed that security is a problem that
    will never be solved because as concerns are addressed, hackers will
    devise new methods. He also pointed out that all major operating
    systems have security problems.
    http://www.infoworld.com/articles/hn...hnmssecure.xml
    [Editor's Note (Northcutt): Commercial operating system vendors,
    with Microsoft at the lead, have focused on features, not system and
    security engineering. Users have begun to realize they are sitting on
    a time bomb when they try to use Windows operating systems in commerce.
    Watch for early adopters of .NET to get hammered, as well. This is
    what drove the community to develop the Gold Standard to harden
    Windows 2000:
    http://www.fcw.com/fcw/articles/2002...n-07-22-02.asp
    and gold standard course schedule is at:
    http://www.sans.org/Win2KWorldTour/win2K.php]


    --5 & 6 September 2002 PGP Buffer Overflow Vulnerability
    A buffer overflow vulnerability in the way PGP Corporate Edition 7.1.0
    and 7.1.1 handle long file names in encrypted archives could crash
    the program. The vulnerability could be exploited to run malicious
    code on a targeted computer. A patch is available.
    http://news.com.com/2100-1001-956815.html
    http://www.theregister.co.uk/content/55/26998.html
    http://www.eweek.com/article2/0,3959,518907,00.asp
    http://www.nai.com/naicommon/downloa...-pgphotfix.asp

    --26 August 2002 Federal Security Dollars Spent on OMB Reports
    Instead Of Fixing Security
    Much of the money earmarked for making improvements in computer
    networks at federal agencies actually goes to preparing reports for
    Congress and the Office of Management and Budget (OMB). The OMB says
    the gathered data will help support requests for increased resources
    to address security; however, even if agencies complete the entire OMB
    checklist, it does nothing to guarantee the security of their systems.
    http://federaltimes.com/index.php?S=1072569


    STORIES ILLUSTRATING THE LACK OF SECURITY AWARENESS AND ITS IMPACT

    --7 & 9 September 2002 Microsoft: Windows 2000 Attacks Due to
    Improper Lockdown
    Microsoft has issued an advisory stating that the attacks on servers
    running Windows 2000 were the result of hackers taking advantage of
    inadequately locked down machines rather than exploiting a security
    hole. Microsoft said the attacked servers had blank or weak passwords,
    and it recommends that customers address the password problem, disable
    guest accounts, install firewalls, keep up to date with security
    patches and run anti-virus software. The attacks were designed to
    load a Trojan onto the server.
    http://zdnet.com.com/2100-1105-957159.html
    http://www.theregister.co.uk/content/55/27007.html
    Microsoft advisory:
    http://support.microsoft.com/default...;en-us;q328691

    --9 September 2002 Wardriving Reveals Lack of LAN Security
    A week-long worldwide wardrive revealed that many wireless LANs (local
    area networks) don't employ even basic security. A New Jersey-based
    company is selling complete wardriving kits. A consultant for the
    company observed that wardriving is legal and has legitimate uses.
    http://www.computerworld.com/mobilet...,74103,00.html
    http://www.computerworld.com/mobilet...,74102,00.html
    [Editor's Note (Murray): it is legal to look in your neighbor's open
    window but nice people do not do it. There is no more corrupting idea
    than the current one that that which is legal is, ipso facto, ethical.]


    --7 September 2002 City Employee Opens Hard Drive to Kazaa Network
    An Aspen, Colorado city employee who had installed Kazaa peer-to-peer
    file sharing software on his work computer inadvertently made
    his entire hard drive available to the network. The problem was
    discovered by Canadian Kazaa member James Pocock, who e-mailed the
    employee as well as the city's mayor and police chief about the
    information he'd been able to view. The city has changed passwords
    and installed a new firewall.
    http://www.denverpost.com/Stories/0,...43149~,00.html

    LOL... How dumb can you get? Well, this just goes to show that internal security is just as important as (if not more important than) outside security.

    --4 September 2002 Mitnick Describes Social Engineering Tactics
    Kevin Mitnick describes how companies leave themselves vulnerable
    to socially engineered cyber attacks: corporate culture and terrain
    can be discerned by examining documents found in trash cans, and
    help desk personnel are often easily tricked into handing over login
    names and passwords over the phone. Furthermore, if CEOs make a habit
    of ignoring security policies and procedures when they want a task
    accomplished quickly, this too can be exploited.
    http://www.infoconomy.com/pages/news...group66338.adp


    [Editor's Note (Northcutt): This note applies to all four of the
    preceding stories. If you agree there is a security awareness problem
    of epidemic proportions and want to make a difference, please help with
    SANS new project in security awareness. It turns out to be incredibly
    difficult to create powerful, believable security awareness training,
    that appeals to administrative workers as well as the system and
    network administrators who are some of the worst offenders. After two
    years of research, we have a tool that seems to work. True stories
    of the impact of security breaches, written in the first person,
    are the most effective tools to actually change behavior. If you
    would like to be involved in this consensus research project, contact
    awareness@sans.org]


    THE REST OF THE WEEK'S NEWS

    --9 September 2002 September 11th Renews Commitment to Security
    in the Workplace
    The September 11 terrorist attacks have changed some businesses'
    attitudes toward security. Companies have reevaluated their security
    policies and disaster preparedness plans and employees are more aware
    of the importance of security in their workplaces.
    http://www.computerworld.com/managem...,74049,00.html

    --9 September 2002 Philippine Phreaking Bust
    Philippine police arrested three men in connection with a ring
    believed to be responsible for hacking into the Philippine Long
    Distance Telephone Company's computers and selling phone time.
    If convicted, each of the men faced a six-year prison sentence and
    a fine of almost $2,000. The arrests were made in accordance with
    the Philippines' e-Commerce law, which was passed after the Love Bug
    author escaped prosecution because there was no applicable law.
    http://story.news.yahoo.com/news?tmp...s_arrests_dc_1
    http://www.manilatimes.net/national/...20910top3.html

    --9 September 2002 Intel Hardware will Integrate Security
    Intel plans to integrate security features into its new chips and
    other hardware. The features will work with Microsoft's Palladium.
    http://www.msnbc.com/news/805877.asp?0dm=C15JT


    --9 September 2002 Venezuelan CD Pirates Sold Confidential Data
    Two people have been arrested in Caracas, Venezuela for their roles
    in a CD piracy trade that included confidential phone company records
    and police files.
    http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=8953


    --6 September 2002 Four Men Sentenced for Roles in Piracy Ring
    Four men in the UK have been found guilty for conspiracy to defraud
    in connection with a software piracy ring. Two of the men received
    prison sentences of four-and-one-half years; the other two received
    four-month "custodial sentences."
    http://news.com.com/2100-1001-956884.html
    http://www.theregister.co.uk/content/51/26993.html

    --6 September 2002 Spammers Use Unprotected Wireless Networks to
    Wield their Wares
    A consultant claims spammers are taking advantage of unsecured
    wireless network access points and use the victim company's system
    to send out unsolicited e-mail.
    http://news.com.com/2100-1033-956911.html

    --5 September 2002 Biometrically Secured Airport Lockers Tested
    The Transportation Safety Administration (TSA) is testing biometrically
    secured public lockers at Minneapolis-St. Paul International
    airport. Following the September 11th attacks, the TSA has banned all
    such lockers. The lockers will require a fingerprint for rental and
    retrieval of stored items.
    http://www.fcw.com/fcw/articles/2002...k-09-05-02.asp

    --5 September 2002 OASIS Adopts New ebXML Standard
    The Organization for the Advancement of Structured Information
    Standards (OASIS) has announced that its members have approved and
    adopted the new ebXML Messaging Service Specification Version 2.0.
    http://www.computerworld.com/managem...,74001,00.html

    --5 & 6 September 2002 Microsoft Releases Windows Patch for Critical
    Digital Certificate Vulnerability
    Microsoft has released a patch for a security hole in Windows
    Cryptography API, which supports encryption, decryption and digital
    certificate handling. The vulnerability affects multiple versions
    of Windows and three Macintosh programs. Patches are not yet
    available for all versions of Windows, but exploit code has already
    been released, so Microsoft is making the patches available as they
    are ready. The vulnerability can be exploited to create phony digital
    certificates useful for launching "man-in-the-middle" attacks.
    http://www.computerworld.com/securit...,73996,00.html
    http://www.theregister.co.uk/content/55/26972.html
    http://news.com.com/2100-1001-956729.html
    http://www.microsoft.com/technet/sec...n/MS02-050.asp


    --4 & 8 September 2002 Security Specialists in Short Supply
    Security experts speaking at a cybersecurity conference in Washington
    D.C. expressed concern that the country is going to need many more
    skilled IT workers to protect the critical infrastructure than are
    presently available. The military faces shortages of skilled IT
    workers because many command higher salaries in the private sector.
    In a related story, cyber forensic specialists are increasingly
    in demand.
    http://www.govexec.com/dailyfed/0902/090402td2.htm
    http://seattletimes.nwsource.com/htm...rensics08.html


    --4 September 2002 Security Tool Creates "Noise" Around Wireless
    Access Points
    Two computer programmers have developed a tool called Fake AP that
    generates 53,000 phony wireless access points around each real one.
    People who may legitimately access the network will be able to
    determine the actual access point. Some hackers are likely to rise
    to the challenge and develop tools that test all the points quickly
    to determine the real one.
    http://www.newscientist.com/news/news.jsp?id=ns99992760


    --3 September 2002 Citibank E-Mail Campaign May Have Breached
    Customer Privacy
    Citibank used two outside companies to gather e-mail addresses of its
    customers. The companies then sent e-mails offering the opportunity
    to receive information about Citibank accounts on line. However,
    some of the e-mail addresses did not belong to Citibank customers.
    http://www.msnbc.com/news/802701.asp?0dm=H24BTs

    --3 September 2002 Demand for Disaster Recovery and Business
    Continuity Planning is Up
    Companies that offer disaster recovery planning services have noticed
    an increase in their business since the September 11th terrorist
    attacks. Previously, many businesses had not given much thought to
    such widespread catastrophe. Businesses want help drafting business
    continuity plans. Plans in place had not taken into account the
    possibility of a "regional disaster." Companies are reevaluating
    back-up plans and increasing the distances between data centers.
    http://www.computerworld.com/managem...,73956,00.html

    --3 September 2002 FBI Application Process Weeds Out Many Potentially
    Valuable Cyber Security Workers
    Although the FBI is interested in recruiting security experts for their
    agency, the application process weeds out many based on their ethics,
    ages and levels of physical fitness. The FBI does have civilian
    employees, though employees who are not agents are "at the bottom of
    the food chain." One security consultant says that even if hacker
    applicants are hired, they won't be put on computer security cases
    for several years.
    http://www.wired.com/news/politics/0,1283,54850,00.html

    --3 September 2002 Are Viruses on the Decline?
    Though the number of worms and viruses has grown about 50% each year
    since 1990, this year, that number is expected to decline by 5%,
    according to some security specialists. The reasons for the drop
    could be increased penalties for (creating and spreading malware)
    or increased use of anti-virus software. There is still a risk of
    infection, however; researchers estimate that up to 7% of e-mail
    messages contain a virus or a worm.
    http://europe.cnn.com/2002/BUSINESS/...rus/index.html

    --3 September 2002 Security Firm Says Hacks are on the Rise
    Security firm mi2g has reported more hacks in the first eight months
    of 2002 than the total number of hacks reported in all of 2001.
    The company also says that cyber terrorism organizations are trying
    to harvest information about computer networks in the financial sector
    and other targets through electronic bulletin boards.
    http://news.bbc.co.uk/2/hi/technology/2231205.stm

    --2 & 3 September 2002 Microsoft Enhances Passport Security
    Microsoft has improved the security of its Passport single sign-on
    authentication technology. First, in order to establish an account,
    users must submit a valid e-mail address; they will then receive an
    e-mail message with links that will allow them to validate the account.
    Second, it is now easier to cancel accounts that are no longer needed.
    http://news.com.com/2100-1001-956246.html
    http://www.computerworld.com/managem...,73945,00.html

    --2 September 2002 Higher Ed Funding May be Tied to Security
    Practices
    The National Strategy to Secure Cyberspace is likely to tie state and
    federal funding for colleges and universities to compliance with cyber
    security rules, including the designation of a CIO for each institution
    and establishing an Information Sharing and Analysis Center (ISAC)
    for US institutions of higher education.
    http://www.eweek.com/article2/0,3959,508676,00.asp

    --2 September 2002 Plan Will Establish Cybersecurity Network
    Operations Center
    The National Strategy to Secure Cyberspace, which will be released
    September 18 at Stanford University in California, includes plans to
    create a cybersecurity network operations center (NOC). Despite rumors
    to the contrary, the NOC does not intend to intercept and examine
    e-mail and data traffic from major ISPs and private networks.
    The plan is to model the NOC after the Incident.org web site and
    Internet Storm Center.
    http://www.computerworld.com/securit...,73922,00.html

    --2 September 2002 Plan Includes Privacy Czar
    The National Strategy to Secure Cyberspace is likely to include
    the appointment of a "privacy czar" or chief privacy officer (CPO)
    who will examine government data collection and security initiatives
    and ensure that privacy is protected. The CPO would also oversee
    privacy advocates at each government agency. The Czar would be in
    the new Department of Homeland Security.
    http://www.eweek.com/article2/0,3959,503728,00.asp
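    The MS02-050 item above (Microsoft Releases Windows Patch for Critical Digital Certificate Vulnerability) only says that the flaw lets someone "create phony digital certificates" for man-in-the-middle attacks. The mechanism behind that bulletin, which the newsletter does not spell out, was that the chain validator accepted any certificate whose signature verified under the next certificate's key without enforcing the Basic Constraints extension (the cA flag), so the holder of an ordinary web-server certificate could issue a "valid" certificate for any other name. The Go program below is an added example written for this page; it is not code from the post, from SANS or from Microsoft. It generates its own throwaway root, a legitimate leaf for the made-up name legit.example, and a forgery for the made-up name www.bank.example signed with the leaf's key, then compares a signature-only chain check (the buggy behaviour) with Go's standard-library x509 verifier, which enforces Basic Constraints and key usage.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a fresh P-256 certificate for cn. A nil parent means self-signed;
// otherwise it is signed with parentKey. Basic Constraints is always encoded, with
// cA asserted only when isCA is true. Errors here are RNG/encoding failures, so the demo panics.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // made-up hostnames for this example
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// naiveChainOK models the broken validator: each signature must verify under the
// next certificate's public key and the chain must end at the trusted root, but
// Basic Constraints is never consulted, so an end-entity certificate can act as issuer.
func naiveChainOK(chain []*x509.Certificate, root *x509.Certificate) bool {
	if len(chain) == 0 || !bytes.Equal(chain[len(chain)-1].Raw, root.Raw) {
		return false
	}
	for i := 0; i+1 < len(chain); i++ {
		child, issuer := chain[i], chain[i+1]
		if issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) != nil {
			return false
		}
	}
	return true
}

// Outcome records what each validator decided.
type Outcome struct {
	LegitStrict  bool // genuine leaf, standard-library verifier
	ForgedNaive  bool // leaf-signed forgery, signature-only check
	ForgedStrict bool // leaf-signed forgery, standard-library verifier
}

// Demo builds root -> legit.example -> www.bank.example (the last signed with
// legit.example's key, which is not a CA) and runs both validators.
func Demo() Outcome {
	root, rootKey := mkCert("Demo Root CA", true, nil, nil)
	leaf, leafKey := mkCert("legit.example", false, root, rootKey)
	forged, _ := mkCert("www.bank.example", false, leaf, leafKey) // attacker signs with the leaf's key
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(leaf)
	_, legitErr := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "legit.example"})
	_, forgedErr := forged.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "www.bank.example"})
	return Outcome{
		LegitStrict:  legitErr == nil,
		ForgedNaive:  naiveChainOK([]*x509.Certificate{forged, leaf, root}, root),
		ForgedStrict: forgedErr == nil, // false: legit.example carries cA=FALSE and no keyCertSign
	}
}

func main() {
	out := Demo()
	fmt.Printf("genuine leaf / strict verifier: accepted=%v\n", out.LegitStrict)
	fmt.Printf("forged cert  / signature-only:  accepted=%v\n", out.ForgedNaive)
	fmt.Printf("forged cert  / strict verifier: accepted=%v\n", out.ForgedStrict)
}
```

    Run it with go run. The signature-only check accepts the forgery for www.bank.example, while Verify rejects it because legit.example is not a CA. Anything that validates certificates on its own (including hand-rolled checks in scripts) needs to make the same Basic Constraints and key-usage decision before trusting a chain.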


  2. #2
    Lol, M$ VP is not happy with Microsoft's security. Guess what, chief? Neither are we! Anywhoo, thanks xmadd. I somehow can always count on you for always bringing this week's security news. Oh, btw, Microsoft increasing its security with Passport won't help. People find flaws and whatnot and it'll take them a long time to patch those.. -- Jason Copeland

  3. #3
    Microsoft VP Not Proud of Company's Security
    Brian Valentine, senior VP in charge of the Windows development team,
    told a gathering of attendees of Microsoft's Windows .Net Server
    developer conference that the company has not done everything it could
    to protect customers because Microsoft products are not designed
    for security.

    In today's security-conscious market, MS is really going downhill. .NET was supposed to be their answer to Linux and Unix/Sun systems. Too bad companies are looking for security now. If MS continues this trend we are going to see .NET not even make it out the door. I really hope Bill G knows that he is tying his own noose with this one. Maybe he should stop saving money by getting inexperienced programmers straight out of college.

    The Passport system is eternally flawed. The only way they could fully secure it would be to totally scrap the old programming and start all over again; of course, with their effort in backwards compatibility, they are once again going to shoot themselves in the foot.

  4. #4
    I agree, I never did like M$'s approach with the whole .NET B.S., but hey. I think they should hire people with actual EXPERIENCE for their stuff because this sh*t is really flawed.

  5. #5
    Old Fart (Join Date: Jun 2002; Posts: 1,658)
    Heh.....I guess next week we'll see a story on FORMER M$ VP Brian Valentine being spotted at the unemployment office in Redmond. It's refreshing to see a M$ executive's lips moving and the truth coming out as opposed to the norm, but somehow I can't picture the big kahuna appreciating it the way I do.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  6. #6
    In August, Microsoft warned in one of eight security bulletins issued that month, that many of its customers have experienced "an increased amount of hacking," in their various Windows systems. The Redmond, Wash., company has yet to identify the root of the problem, only saying that it has noticed some major similarities between the string of hack attacks.
    It looks to me like the only cause of this could be an insider exposing flaws in the systems. I think MS laid off someone and now that person is exploiting all the things he/she knows about and getting back at them.

    This comment doesn't exactly sit very well. It almost sounds like they can't build a patch that will successfully secure the OS. I don't know about you, but that is a major, major problem. Digital espionage?

  7. #7
    Senior Member SodaMoca5 (Join Date: Mar 2002; Posts: 236)

    MS VP

    Next Month:

    M$ reports that a M$ VP was using a blank or weak password. The VP was exploited and forced to say he was upset with M$ security. In reality M$ reports that their security is extremely tight and that the VP has now reset his password and should be totally safe from further exploitation.
    SodaMoca5
    "We are pressing through the sphincter of assholiness"

  8. #8
    Senior Member (Join Date: Apr 2002; Posts: 1,050)
    Hey xmaddness, thanks for posting the weekly security news. I read it every week.
    By the sacred **** of the sacred psychedelic Tibetan yeti ....We'll smoke the Chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/
