NEWS: This weeks security news. 10/2/02
Results 1 to 2 of 2

Thread: NEWS: This weeks security news. 10/2/02

  1. #1
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,121

    NEWS: This weeks security news. 10/2/02

    Brought to you by our friends at the SANS Institute.


    Things to note in this weeks issue:
    • Top 20 Vulnerabilities List Out This Week With Testing Tools
    • Secret Service Agents are Wardriving
    • Security Firm Warns of Microsoft VPN Vulnerability
    • Slapper Variants on the Loose
    • Survey Says CEOs Don't Put Security First
    • Congress Holds Hearings on Berman Bill




    ***********************************************************************
    SANS NewsBites October 2, 2002 Vol. 4, Num. 40
    ***********************************************************************

    TOP OF THE NEWS
    30 September 2002 Top 20 Vulnerabilities List Out This Week With
    Testing Tools

    30 September 2002 DISA Database Exposed Confidential Information
    25 & 27 September 2002 Inter-University Research Project Aims to
    Build Resilient Internet System
    23 September 2002 Oregon's DHS Computer System Plagued by
    Vulnerabilities

    THE REST OF THE WEEK'S NEWS
    30 September 2002 Secret Service Agents are Wardriving
    30 September 2002 Bugbear Worm
    30 September 2002 Proprietary Info is at Greater Risk From Insiders
    than from Hackers
    27 September 2002 Coalition Will Publish Disclosure Guidelines
    27 September 2002 Military Action Could Prompt Cyberattacks
    27 September 2002 Security Firm Warns of Microsoft VPN Vulnerability
    26 September 2002 Security Firm Says Number of Cyberattacks is Higher
    than Ever
    26 September 2002 Integrating Security Products
    26 September 2002 Only You Can Prevent DDoS Attacks
    26 September 2002 Congress Holds Hearings on Berman Bill
    25 & 26 September 2002 FrontPage Vulnerabilities
    25 September 2002 China Denies Responsibility or Dalai Lama Site
    Attacks
    25 September 2002 Slapper Variants on the Loose
    24 & 25 September 2002 Falun Gong Activists Hijack TV Again
    30 September 2002 Suspected Falun Gong TV Hacker Arrested for
    April Event
    24 September 2002 State Dept. Employees to Get Smart Cards
    24 September 2002 Arrest of T0rn Rootkit Author Raises Concerns
    24 September 2002 UCLA Researchers Developing Program to Prevent
    DDoS Attacks
    24 September 2002 Survey Says CEOs Don't Put Security First
    24 September 2002 NIPC Warns of Possible Hacktivism During World
    Bank/IMF Meetings
    23 September 2002 FERC Wants to Restrict Access to Some Data

    FREE WEB BROADCAST: October 2, 1:00 PM EDT (1700 UTC).
    Dustin Childs covers the basics of event logs in Windows NT
    and 2000, the managing of logs, and when you can and cannot
    completely trust those logs. Listen live and ask questions, or,
    once you have an access code, sign on later to listen to the web
    cast at your leisure. Register in advance to get the handouts:
    http://sans.digisle.tv/audiocast_100202/brief.htm

    SECURITY TRAINING NEWS
    *SANS Network Security 2002 in October: Largest security conference &
    expo: http://www.sans.org/NS2002
    *SANS Cyber Defense Initiative in San Francisco - Dec. 15-20
    Featuring 8 hands-on SANS immersion training tracks. San Francisco
    is often warmer in December than it is in August.
    *Advanced security training in fifty additional cities, plus Local
    Mentor programs in 35 cities. See: http://www.sans.org



    TOP OF THE NEWS

    --30 September 2002 Top 20 Vulnerabilities List Out This Week With
    Testing Tools

    The US General Services Administration (GSA), FBI's NIPC, and the
    SANS Institute announced a new list of the top 20 Internet security
    vulnerabilities on Wednesday, October 2nd. Five network vulnerability
    assessment companies announced tools to mitigate these problems at
    the same time. A companion free email service will identify the
    most critical new vulnerabilities and tell what to do about them,
    every week.
    The Top Twenty and Tool Announcements:
    http://www.sans.org/top20
    Critical Vulnerability Analysis Service:
    http://www.sans.org/top20/CVA.pdf
    http://www.washingtonpost.com/wp-dyn...-2002Oct1.html
    http://www.computerworld.com/securit...,74750,00.html
    http://news.com.com/2100-1001-960215.html
    [Editor's Note (Paller): These announcements are particularly important
    because they are accompanied by a case study of a federal agency
    that has actually turned the tide - radically reducing the number of
    compromises despite substantial growth in attacks. The resources
    being announced allow all organizations to follow in that agency's
    footsteps. The case study is the second half of the report posted
    at http://www.sans.org/top20/GISRA_NASA.pdf.]
    [Note from SANS: This week's Top Twenty announcement are wonderful,
    but cover only Windows and UNIX. The definitive, 86-page step-by-step
    guide to securing Cisco routers was also released this week and
    may be ordered from http://store.sans.org under "Consensus Guides"
    on paper or as a PDF file.]

    --30 September 2002 DISA Database Exposed Confidential Information
    The US Defense Information System Agency's (DISA) Requirements
    Identification and Tracking System (RITS) website was apparently
    running an unsecured version of Lotus Domino database; visitors to the
    site could view requisition documents that contained names, addresses,
    phone numbers and in some instances social security numbers belonging
    to contractors and military personnel. The site has reportedly been
    locked down.
    http://online.securityfocus.com/news/911
    [Editor's Note (Ranum) This illustrates the problem of government
    systems being hacked. Data like names, addresses, social security
    numbers - logistical information - is often "sensitive but
    unclassified." That's often the kind of data that is exposed when
    the government sites get hacked.
    (Paller) Lotus Notes, Oracle and other applications are the next
    frontier for establishing safe configuration benchmarks. Attackers
    know the flaws and applications often hold the organization's most
    valuable data. Applications need to be hardened with the same energy
    and care given to operating systems.]

    --25 & 27 September 2002 Inter-University Research Project Aims to
    Build Resilient Internet System
    Researchers at five US universities received a $12 million grant
    from the National Science Foundation (NSF) to develop a project
    called Infrastructure for Resilient Internet Systems, or IRIS.
    The project aims to develop a system that resembles peer-to-peer
    networking for storing and serving information on the Internet.
    The researchers at MIT, UC Berkeley, Rice University, NYU and the
    International Computer Science Institute hope to develop the system
    within the next five years.
    http://www.infoworld.com/articles/hn...nsecurenet.xml
    http://www.cnn.com/2002/TECH/interne...net/index.html

    --23 September 2002 Oregon's DHS Computer System Plagued by
    Vulnerabilities
    The Oregon Department of Human Services' (DHS) computer system is
    allegedly rife with security problems that let employees pay themselves
    public benefits. The DHS has reportedly known about problems for
    years, but they have not been alleviated. The DHS director says
    he doesn't have the money needed to address the problems, and won't
    take money away from needy people to fix computer vulnerabilities.
    The computers store information on Oregonians receiving aid from the
    DHS; the information could be used to steal identities. The one
    employee who understood the system's security reportedly left the
    department three years ago and cannot be located.
    http://www.oregonlive.com/news/orego...2122290112.xml



    THE REST OF THE WEEK'S NEWS

    --30 September 2002 Secret Service Agents are Wardriving
    Secret Service agents have taken to wardriving to find vulnerable
    wireless networks in Washington. Their primary concern is ensuring
    the security of the President and other dignitaries. Agents will
    share information about security problems that they discover with
    the affected businesses.
    http://www.cnn.com/2002/TECH/industr....ap/index.html

    --30 September 2002 Bugbear Worm
    The Bugbear worm arrives as an attachment to an e-mail with a randomly
    selected subject line. If the attachment is opened, Bugbear, which
    is also known as Tanatos, disables antivirus software and installs
    a Trojan horse, called PWS-Hooker, that logs all keystrokes and
    saves the information in encrypted form on the infected computer;
    attackers can come back later to retrieve the information. The worm
    affects Internet Explorer 5.01 and 5.5 users who have not patched
    the Incorrect Mime header flaw.
    http://www.msnbc.com/news/815117.asp?0dm=C218T
    http://zdnet.com.com/2100-1105-960139.html

    --30 September 2002 Proprietary Info is at Greater Risk from Insiders
    than from Hackers
    A study from PricewaterhouseCoopers, the U.S. Chamber of Commerce and
    the American Society for Industrial Security (ASIS) International
    found that intellectual property and proprietary information theft
    was committed more often by insiders, including current and former
    employees, competitors and on-site trainees, than from hackers.
    http://www.infoworld.com/articles/hn...hninsiders.xml
    (Editor's Note: (Northcutt): If you leave your money lying around,
    sooner or later someone will pick it up. The same is true for
    trade secrets. Three simple questions will help you assess your
    organization's risk to theft of proprietary information. (1) Does
    your organization label proprietary information? I am not talking
    about the silly boilerplate you see on email. Do they label the
    documents and include who should be able to access the information?
    (2) Are senior managers, and others in a position of trust, reminded
    on a regular basis that they have access to critical information
    they are expected to protect? (3) As an employee, are you aware
    of and capable of following simple processes to encrypt sensitive
    information in transit and apply appropriate protections when stored?
    (Schultz) Hmmm, it looks as if a lot of money was spent to prove the
    obvious. Does anyone doubt that insider misbehavior poses a greater
    threat to proprietary information?]

    --27 September 2002 Coalition Will Publish Disclosure Guidelines
    The Organization for Internet Safety (OIS), a coalition of software
    developers and security firms, plans to publish draft guidelines
    for vulnerability disclosure. Among the rules proposed: software
    companies would respond to researchers within a week of receiving
    information about a vulnerability in one of their products; researchers
    would give the companies at least 30 days to develop a fix before
    publishing exploits. OIS members would be bound by the honor system;
    the group does not plan to enforce the guidelines.
    http://zdnet.com.com/2100-1104-959860.html
    http://www.theregister.co.uk/content/55/27312.html
    http://www.oisafety.org/about.html

    --27 September 2002 Military Action Could Prompt Cyberattacks
    If the past is a good indicator, a decision from the Bush
    administration to take action in Iraq is likely to invite a maelstrom
    of hacking activity on US computer networks and infrastructure.
    http://www.computerworld.com/securit...,74688,00.html

    --27 September 2002 Security Firm Warns of Microsoft VPN
    Vulnerability

    A German security company has posted an advisory warning of a buffer
    overflow vulnerability in the point-to-point tunneling protocol (PPTP)
    in Microsoft Windows 2000 and XP. The Microsoft Security Response
    Center is investigating the claim.
    http://www.computerworld.com/securit...,74697,00.html
    http://zdnet.com.com/2100-1105-959849.html

    --26 September 2002 Security Firm Says Number of Cyberattacks is
    Higher than Ever
    According to statistics from security consultancy Mi2g the instance
    of cyberattacks is higher than it's ever been. Most attacks are
    launched against US computers, a trend which Mi2g attributes to
    increasing anti-American sentiment. The report also notes that
    Windows machines are targeted more often than are any others.
    Mi2g has tracked computer attacks since 1995.
    http://www.cnn.com/2002/TECH/biztech...cks/index.html
    http://www.theregus.com/content/55/26448.html

    --26 September 2002 Integrating Security Products
    Three major security software and device makers, Cisco Systems, Nortel
    Networks and Check Point Software, have announced initiatives to
    integrate management of their own products. Gartner's John Pescatore
    observed that there is movement within the network security industry
    toward offering security management software that can manage and
    monitor information from security tools from multiple vendors.]
    http://news.com.com/2100-1001-959721.html

    --26 September 2002 Only You Can Prevent DDoS Attacks
    The Federal Trade Commission (FTC) has launched Dewie the Turtle,
    the Internet's version of Smokey the Bear. Because many home users
    don't pay much attention to cyber security, crackers can use their
    vulnerable machines to launch distributed denial of service attacks;
    Dewie will offer simple and straightforward computer security advice
    for home users. The goal of the campaign is to encourage a "Culture
    of Security." Dewie arrives in the aftermath of a failed attempt
    to require ISPs to provide security measures, including firewalls,
    to their customers.
    http://www.washingtonpost.com/wp-dyn...2002Sep26.html
    http://www.gcn.com/vol1_no1/daily-updates/20121-1.html
    Dewie's Site:
    http://www.ftc.gov/bcp/conline/edcam...ity/index.html
    [Editor's Note (Shultz): This should be interesting. Will home users
    be interested in advice from a turtle? Stay tuned!
    (Northcutt): I have serious reservations that Dewie will ever become
    a cultural icon, but if you can get past the dry writing style,
    their business page has a lot of well organized material that anyone
    responsible for an Internet presence in the U.S. ought to know:
    http://www.ftc.gov/bcp/conline/edcam...y/businfo.html]

    --26 September 2002 Congress Holds Hearings on Berman Bill
    During congressional hearings on a bill aimed at thwarting peer-to-peer
    trading of music and movies, supporters of the proposed legislation
    said concerns about misguided attacks were blowing things out
    of proportion. The bill would allow copyright holders to use a
    variety of methods to prevent their property from being pirated on
    the Internet. Critics of the bill say its wording is vague and could
    conceivably grant immunity to people who intrude into others' computers
    and delete files, even if they do so mistakenly. Representative Berman
    (D-California) refutes that assertion, but conceded that the bill
    might need to be reworded for clarification.
    http://news.com.com/2100-1023-959774.html
    http://story.news.yahoo.com/news?tmp...atoday/4483264
    http://www.siliconvalley.com/mld/sil...ey/4159160.htm
    [Editor's Note (Schultz): You would think that by now Rep. Berman
    would realize that he is going nowhere with this bill. Its passage
    would be bad news for the infosec community. Fortunately, there
    appears to be little support for it in Congress.]

    --25 & 26 September 2002 FrontPage Vulnerabilities
    A security flaw in the SmartHTML interpreter for Microsoft's
    FrontPage Server Extensions (FPSE) could be exploited to launch a
    denial of service (DoS) attack against a vulnerable machine or to
    run malicious code via a buffer overflow, depending upon the version
    of FPSE. FPSE 2000 is vulnerable to the DoS attack, while FPSE 2002
    is vulnerable to the buffer overflow attack. Earlier versions may
    be vulnerable as well, but they are no longer supported. Microsoft
    says that On FrontPage Server Extensions 2002 and SharePoint Team
    Services 2002, the same type of request could cause a buffer overrun,
    potentially allowing an attacker to run code of his choice. Users
    should install a patch for the problem or run the IIS Lockdown Tool.
    http://news.com.com/2100-1001-959577.html
    http://www.computerworld.com/securit...,74605,00.html
    http://www.microsoft.com/technet/sec...n/MS02-053.asp

    --25 September 2002 China Denies Responsibility or Dalai Lama
    Site Attacks
    Jigme Tsering, manager of the Tibetan Computer Resource Centre in
    Dharmsala, India says the Chinese government has been attempting to
    hack the Dalai Lama's computer network. According to Tsering, a virus
    sent to the network is designed to grab data and send it back to China;
    the virus arrives in an e-mail with a spoofed return address, designed
    to appear as though it is coming from Tsering's office. The virus has
    also targeted other organizations that have lobbied on Tibet's behalf.
    A spokeswoman for the Chinese government says China opposes hacking.
    http://star-techcentral.com/tech/sto...sec=technology
    http://www.theregister.co.uk/content/55/27291.html
    http://www.wired.com/news/politics/0,1283,55382,00.html

    --25 September 2002 Slapper Variants on the Loose
    Two variants of the Slapper worm are circulating on the Internet.
    Known as Slapper.B or "Cinik" and Slapper.C or "Unlock," the two
    exploit the same SSL vulnerability in Apache servers that the original
    worm exploited. The worms also create a peer-to-peer network of
    infected servers. Reports that a Ukrainian suspect had been arrested
    in connection with the worm have proven false. This worm is morphing
    daily. Track the changes under "ISC Analysis" www.incidents.org
    http://www.idg.com.hk/cw/readstory.asp?aid=20020925003
    http://zdnet.com.com/2100-1105-959385.html

    --24 & 25 September 2002 Falun Gong Activists Hijack TV Again
    Falun Gong activists have once again hijacked television broadcasts
    in China to air footage that supports the movement. Chinese officials
    maintain the attack emanated from Taiwan and are demanding that Taiwan
    find those responsible. A Taiwanese official says the allegations
    are "a bit farfetched."
    http://www.wired.com/news/politics/0,1283,55350,00.html
    http://www.cnn.com/2002/WORLD/asiapc...iwan.falungong

    --30 September 2002 Suspected Falun Gong TV Hacker Arrested for
    April Event
    The South China morning Post reported on September 28th that a man
    was arrested in Shandong for hacking into a cable television channel
    and broadcasting footage supportive of Falun Gong on April 20, 2002.
    http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=9147

    --24 September 2002 State Dept. Employees to Get Smart Cards
    State Department employees will soon be receiving smart cards with
    32K memory chips that will be used to access buildings and secure
    areas. The cards presently contain no biometric data, but they may
    in the future. To gain access to a site, a card holder will swipe
    the smart card and key in a personal identification number (PIN);
    the card will be swiped again upon leaving the site.
    http://www.fcw.com/fcw/articles/2002...t-09-24-02.asp

    --24 September 2002 Arrest of T0rn Rootkit Author Raises Concerns
    The arrest of the suspected T0rn root kit author marks the first
    time someone has been arrested under the UK's Computer Misuse Act
    for writing code that has the potential to be used maliciously.
    Though tools like the T0rn rootkit can be used for malicious purposes,
    they also have beneficial uses, like penetration testing. Though the
    kit cannot spread by itself, a Scotland Yard spokesman said the
    offense is the writing and distribution of the tool.
    http://online.securityfocus.com/news/813

    --24 September 2002 UCLA Researchers Developing Program to Prevent
    DDoS Attacks
    Scientists at UCLA's Henry Samueli School of Engineering and Applied
    Science are developing a program that they say will protect entire
    networks from being used as hosts in distributed denial of service
    (DDoS) attacks. The program, DDoS netWork Attack Recognition and
    Defense or D-WARD, will detect and halt attacks being launched from
    computers before they have traveled far enough to become disruptive.
    http://sanjose.bizjournals.com/sanjo...3/daily23.html
    [Editor's Note (Ranum): This basically says they're building an IDS,
    and it will have all the same issues as other IDS.]

    --24 September 2002 Survey Says CEOs Don't Put Security First
    A survey of 250 Canadian companies found that many CEOs do not
    consider computer security to be a significant business priority;
    they maintain it should be a priority for IT departments, but many
    of those departments are not receiving enough funding to adequately
    secure company systems. In addition, 80% of the CEOs said their
    companies had not been hacked in the last year, but 40% said their
    companies did not have intrusion detection systems.
    http://rtnews.globetechnology.com/se...hnology/techBN
    [Editor's Note (Murray): I would certainly hope that all CEOs
    put security second to an equitable return to investors, jobs for
    their employees, service to their customers, and paying their taxes.
    Only security purists, not to say bigots, expect otherwise. That is
    why security is a hard problem and we get paid the big bucks.]

    --24 September 2002 NIPC Warns of Possible Hacktivism During World
    Bank/IMF Meetings
    The National Infrastructure Protection Center (NIPC) warned that
    protesters may be planning to launch cyber attacks as a way of
    demonstrating against the scheduled meeting of the World Bank and
    the International Monetary Fund in Washington DC. NIPC urged
    administrators to monitor their systems for signs of attacks.
    http://news.com.com/2100-1023-959118.html
    http://www.washingtonpost.com/wp-dyn...2002Sep24.html
    http://www.nipc.gov/warnings/assessm...002/02-002.htm

    --23 September 2002 FERC Wants to Restrict Access to Some Data
    The Federal Energy Regulatory Committee (FERC) plans to restrict
    access to certain information on its computer systems, and those
    who are permitted to view the information may be required to sign
    non-disclosure agreements. Some public interest groups are concerned
    that the information being withheld in the interest of homeland
    security is information citizens need to access for their own safety.
    Even if data is removed from web sites, it still may be accessible
    through search engine caches. Comments on the proposal will be accepted
    until October 13.
    http://www.fcw.com/fcw/articles/2002...y-09-23-02.asp
    [Editor's Note (Murray) No one with a legitimate need-to-know has
    anything to fear. This is simply another case of the press viewing
    with alarm. This is merely good security. It is a far cry from the
    earlier knee-jerk reaction of the administration that wanted to simply
    disconnect everything from the internet.]

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    Thanks for these. Does *anyone* have *any* idea whatever happened to the official AO news? I somehow missed the message about them being removed (as well as the message of them being added..). They didn't live very long...
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •