NEWS: This week's Security News 10/30/02


  1. #1 Webius Designerous Indiginous (joined Mar 2002, South Florida, 1,121 posts)

    NEWS: This week's Security News 10/30/02

    Brought to you by our friends at the SANS Institute.

    It has come to my attention that some don't like my postings of these. So please post to the poll and let me know what you think. BTW: Posting this falls under the Fair Use act for educational purposes under the copyright law.

    ***********************************************************************
    SANS NewsBites October 23, 2002 Vol. 4, Num. 44
    ***********************************************************************

    TOP OF THE NEWS
    28 October 2002 Government, ICANN Considering DDoS Protections
    23 October 2002 There Were Two Attacks on the Internet
    22, 23 & 28 October 2002 Internet DDoS Attack
    28 October 2002 Reuters Charged with Hacking

    THE REST OF THE WEEK'S NEWS
    28 October 2002 Kournikova Virus Writer Loses Appeal In Dutch Court
    25 October 2002 Visa is Testing Voice Authentication Technology
    25 October 2002 NIST System Certification and Accreditation Program
    25 October 2002 Professional Certifications Outpace Skills for Bonuses
    24 & 25 October 2002 CERT/CC Warns of Kerberos Vulnerability
    24 October 2002 Will NIST's Dept. of Computer Security be Part of DHS?
    24 October 2002 Poll Shows Mixed Reviews of Microsoft's Move Toward
    Trustworthy Computing
    24 October 2002 NTT DoCoMo Site Intrusion
    24 October 2002 Brookings Study: Good Security Will Require More
    than Market Forces
    24 October 2002 A Palm Like an Open Book
    24 October 2002 Canadian Inmates Pose Cyber Risk
    23 October 2002 Bugbear Bites Australian Government Again
    23 October 2002 Berman's Hack Back Bill Likely Candidate for Revision
    28 October 2002 Root DDoS Attack May Have Been Info Gathering Probe
    22 October 2002 Defacements Increasing
    22 October 2002 Customs Wants to Build Secure Network
    21 October 2002 Support Growing for Security Regulations
    21 October 2002 NASA's Vulnerability Reduction Program Works
    18 October 2002 NIST Draft: Recommendation for Block Cipher Modes
    of Operation

    SECURITY TRAINING NEWS
    *SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20
    features the eight highest rated teachers in the security
    field. If you can attend only one conference this winter, try to
    get a place in the courses in San Francisco. Also features a free,
    evening step-by-step program for implementing a Top 20 vulnerability
    remediation program. San Francisco is often warmer and less crowded
    in December than in August.
    *Twelve new Local Mentor Programs start in the next few weeks. Combine
    online program with live training/practice sessions. Offers
    the most cost-effective local training for both CISSP and GSEC
    Certifications. Also included: free updated Internet Threat Briefing.
    *See: http://www.sans.org for details on San Francisco, Local Mentor
    and other programs.


    TOP OF THE NEWS
    --28 October 2002 Government, ICANN Considering DDoS Protections
    The government and the Internet Corporation for Assigned Names and
    Numbers (ICANN), an Internet governing body, are trying to figure
    out what to do to protect the domain name system (DNS) from further
    distributed denial of service (DDoS) attacks like the one launched
    last week. They are likely to take steps to require that packets with
    forged return addresses be blocked. It is also likely the root-name
    server operators will add more servers. Large buyers may be encouraged
    to do business only with ISPs that have DDoS protection in place.
    http://www.eweek.com/article2/0,3959,651686,00.asp

    --23 October 2002 There Were Two Attacks on the Internet
    According to officials at Verisign, a second large distributed denial
    of service (DDoS) attack occurred just hours after the attack on
    the Internet's root name servers, this time targeting the domain
    name servers such as dot-com, dot-biz and dot-info, and country code
    domains such as Great Britain's dot-uk and Canada's dot-ca.
    http://www.washingtonpost.com/wp-dyn...2002Oct23.html

    --22, 23 & 28 October 2002 Internet DDoS Attack
    White House spokesman Ari Fleischer said it is still unknown who is
    responsible for the attack. The attacks were not sophisticated, and
    there was no serious degradation of service; though all 13 servers
    were targeted, at least 4 kept running uninterrupted. Experts have
    expressed concern that this attack could be a precursor to a larger,
    more serious one. The FBI's National Infrastructure Protection Center
    (NIPC) and cybercrime division agents are investigating.
    http://www.idg.net/go.cgi?id=755556
    http://www.msnbc.com/news/824620.asp?0dm=B259T
    http://news.com.com/2100-1001-963095.html
    http://www.cnn.com/2002/TECH/interne...ack/index.html

    --28 October 2002 Reuters Charged with Hacking
    Swedish IT company Intentia plans to file criminal charges against
    Reuters; it alleges the news agency broke into its computers to obtain
    company information. An internal investigation brought to light the
    fact that an intrusion into company computers came from an IP address
    belonging to Reuters, which published the disappointing figures ahead
    of their official release. Several other Scandinavian companies
    claim Reuters published their figures ahead of schedule as well.
    http://www.theregister.co.uk/content/6/27816.html
    http://salon.com/tech/wire/2002/10/2...ers/index.html
    [Editor's Note: (Shpantzer) Intentia, the company whose information
    was published by Reuters, says that the information was on the
    web server but could not be accessed "through normal channels."
    It appears that Reuters used very basic URL guessing as a method
    to obtain the information that was on the webserver, as it was
    not immediately available to the casual surfer on the website via
    hyperlink. Intentia is looking to the Swedish court system to create
    a precedent stating that these methods are explicitly illegal.
    This story got me curious so I did a little looking around in the
    news room of the Intentia website, and found the following URLs:
    This was the URL for their first quarter results.
    http://www.intentia.com/w2000.nsf/(files)/Intentia_02_Q1_US.pdf/$FILE/Intentia_02_Q1_US.pdf
    This was the URL for their second quarter results:
    http://www.intentia.com/w2000.nsf/(files)/Intentia_02_Q2_us.pdf/$FILE/Intentia_02_Q2_us.pdf
    And this is the URL for their third quarter results, published by
    Reuters in the alleged hack:
    http://www.intentia.com/w2000.nsf/(files)/Intentia_02_Q3_us.pdf/$FILE/Intentia_02_Q3_us.pdf
    1, 2, 3, 4, Intentia declares a legal war. Let's hope they don't
    put the unpublished fourth quarter results on the web site with a Q4
    replacing Q3 in the URL name.]


    THE REST OF THE WEEK'S NEWS

    --28 October 2002 Kournikova Virus Writer Loses Appeal In Dutch Court
    Dutch judges meted out a sentence of 150 hours of community service
    to the author of the Kournikova virus. They didn't believe the
    offender's claim that he didn't know (1) what he was doing or (2)
    that releasing viruses would be damaging. He had over 7,000 virus
    specimens on his computer and worked in a computer store.
    http://idg.net/ic_960118_1794_9-10000.html

    --25 October 2002 Visa is Testing Voice Authentication Technology
    Visa International, Inc. has begun using voice authentication
    technology internally to allow employees to reset their passwords; the
    technology could eventually be used for on line purchase verification.
    http://www.computerworld.com/databas...,75392,00.html
    [Editor's Note (Murray): If one goes to the trouble to enroll one's
    users for a biometric, one ought to use it routinely as part of
    a strong authentication scheme. To use it to manage passwords is
    absurd; i.e., use a weak authenticator to manage an even weaker one.
    Replacing passwords with strong authentication has been the biggest
    agenda item for a generation.]

    --25 October 2002 NIST System Certification and Accreditation Program
    As part of its System Certification and Accreditation Project, the
    National Institute of Standards and Technology (NIST) has posted
    Special Publication 800-37, proposed guidelines for performing
    security checkups. Guidelines for minimum security requirements for
    federal online systems (800-53) and techniques for determining systems'
    security levels (800-53A) will follow over the next few months.
    http://www.gcn.com/vol1_no1/daily-updates/20332-1.html
    Download the draft: http://csrc.nist.gov/sec-cert/
    [Editor's Note (Northcutt): Security accreditation is not the hottest
    topic, but if you are a U.S. government worker, or do work with the
    government, I strongly advise you to take a look at this document
    and to send in your comments. My preference is rapid assessment
    and remediation and specific checklists over fluffy process, but
    Ron Ross and Marianne Swanson and their team have created a solid
    first cut that does not appear to be so paperwork heavy it dies of
    its own weight, a la DITSCAP. One of the interesting components
    is the "type accreditation" in which you harden an OS to a certain
    level and this serves as an initial or "interim" accreditation for a
    number of different environments. Obviously, this could be abused,
    but it could also be a powerful tool to encourage broad-based adoption
    of standards.]

    --25 October 2002 Professional Certifications Outpace Skills
    for Bonuses
    In the first half of 2002, bonus pay for technical certifications
    rose while bonuses for skills sagged, reaching a historic crossing
    point. Foote Partners' survey summarizes the data and shows the
    skills and certifications experiencing the largest changes in premium
    bonus pay. Security certifications took four of the top six places.
    http://www.footepartners.com/SANS_trendreport.htm
    (Note this site requires free registration to have report emailed)

    --24 & 25 October 2002 CERT/CC Warns of Kerberos Vulnerability
    The Computer Emergency Response Team Coordination Center (CERT/CC)
    has issued an advisory warning of a buffer overflow vulnerability
    in Kerberos Administration Daemon. The flaw could be exploited to
    obtain root privileges on vulnerable systems. Patches and upgrades
    are available to address the problem. Affected systems include
    MIT Kerberos version 4 and version 5 through krb5-1.2.6, KTH eBones
    versions earlier than 1.2.1 and KTH Heimdal earlier than 0.5.1.
    http://www.cert.org/advisories/CA-2002-29.html
    http://zdnet.com.com/2100-1105-963250.html
    http://www.theregister.co.uk/content/55/27791.html

    --24 October 2002 Will NIST's Computer Security Division be Part
    of DHS?
    Commerce Department Deputy Secretary Samuel Bodman said the National
    Institute of Standards and Technology's (NIST's) Computer Security
    Division should be transferred to the new Department of Homeland
    Security. A bill that recently passed the House (H.R. 5005) would
    block the transfer. The Business Software Alliance (BSA) feels the
    move is unnecessary.
    http://207.27.3.29/dailyfed/1002/102402td1.htm
    [Editor's Note (Paller): Deputy Secretary Bodman is probably right. The
    computer security group at NIST has done a lot of good, but they
    could have made a huge difference in the security of federal systems
    and commercial systems had they been given substantial financial and
    management support. Lacking such support at NIST, they risk being made
    irrelevant unless they get some of the authority and money that will
    accompany the new Department of Homeland Security. Quiz question: Why
    would groups representing marketing interests in companies that sell
    software, argue against including NIST's security responsibilities in
    a new Department where NIST's excellent technical security staff could
    establish security standards for software sold to the government and be
    a force in helping agencies use the standards in their procurements?]

    --24 October 2002 Poll Shows Mixed Reviews of Microsoft's Move
    Toward Trustworthy Computing
    An InternetWeek reader poll with 213 respondents found that 50%
    feel Microsoft has made little or no progress toward Trustworthy
    Computing, while 37% feel the company has made some or great progress;
    the rest feel things are the same as they were before the initiative
    was announced. The article includes reader comments.
    http://www.internetwk.com/security02/INW20021024S0004
    [Editor's Note (Murray): By expecting results in six months
    InternetWeek editors demonstrate a lack of understanding of the
    problem. Much of it is related to MS's need to maintain backward
    compatibility to popular applications. Much of the problem is related
    to very old code; it will not be identified or fixed overnight.
    (Paller): Though users are still feeling the pain of two decades
    of security neglect by Microsoft, it is time for all other software
    developers to step up and be measured against Microsoft's security
    initiatives. Those who build Linux and Solaris and other operating
    systems, those who build Oracle and DB2 and other databases and those
    who build client software and applications (the two newest targets of
    attackers) should report publicly the percent of all their software
    developers who have taken and passed secure programming courses, the
    depth of automated and manual security testing done on every line of
    code they deliver, the automated systems they offer to update users'
    systems automatically to fix critical security flaws, and the degree
    to which their installed base is being protected rather than being
    forced to upgrade. Microsoft has a long way to go, but the other
    vendors may be even further behind.]

    --24 October 2002 NTT DoCoMo Site Intrusion
    A cracker broke into NTT DoCoMo's web site and altered a web page
    that lets customers modify contractual terms with the Japanese
    mobile phone services company; the page was made inaccessible.
    No individual customer data was altered; the company says it will
    enhance its site security.
    http://www.wirelessweek.com/index.as...l=Applications

    --24 October 2002 Brookings Study: Good Security Will Require More
    than Market Forces
    A study from the Brookings Institution, "Interdependent Security:
    Implications for Homeland Security Policy and Other Areas" argues that
    market forces alone do not provide adequate incentive for businesses
    to implement strong security measures. Companies do not often see
    security as providing a good return on investment, and when leading
    companies don't spend the money on security, others don't either.
    The study recommends regulations, insurance and third-party inspections
    to help boost security to appropriate levels.
    http://www.computerworld.com/securit...,75347,00.html
    [Editor's Note (Murray): There are only the market and coercion;
    those who argue that one will not work are arguing for the other.
    Be careful what you ask for; you might get it.
    (Paller): A balance between market forces and coercion is having
    extraordinary impact: Buyers combine their technology purchasing power
    to force suppliers to deliver safer systems. The federal government
    is the leader in this, but hundreds of organizations have joined
    forces in the Center for Internet Security (www.cisecurity.org)
    to establish standards for safer software, and they are beginning
    to order software configured safely on delivery. Some buyers are
    forcing software suppliers to take full economic responsibility for
    security breaches caused by flaws in their software. Market forces
    improve security when buyers unite.]

    --24 October 2002 A Palm Like an Open Book
    The ubiquity of personal digital assistants (PDAs) has helped
    law enforcement agents gather evidence and successfully prosecute
    crimes ranging from identity theft to corporate espionage to murder.
    The convenience of having so much data in one place eliminates the
    need for dumpster diving and other more tedious forms of evidence
    gathering, and PDAs are rarely encrypted or even password protected.
    http://www.nytimes.com/2002/10/24/te...ts/24palm.html
    (Please note: this site requires free registration)
    [Editor's Note (Shpantzer): I spoke today with Amber Schroader,
    from Paraben Software, who is quoted in this article. She says that
    the current breed of PDA passwords typically crack within minutes,
    including the encryption built into the word processing, spreadsheet
    and zip applications for the PDAs. The more complex and lengthy
    passwords take up to two weeks. The few cases in which forensics
    personnel are not able to get the plaintext data are caused by a
    strong third party encryption program installed on the device.]

    --24 October 2002 Canadian Inmates Pose Cyber Risk
    An internal report from Canada's Correctional Service (CSC) warns that
    inmates with computers could spread viruses or break into the CSC's
    network. Though the report strongly urges that inmates be allowed to
    use only prison-issue PCs, inmates who already have their own computers
    have been allowed to keep them. During the last five years, there have
    been more than 600 security incidents involving inmates' computers;
    the machines have also been used to plot escapes and create false IDs.
    http://www.theregister.co.uk/content/6/27770.html
    [Editor's Note (Northcutt): Heavy sigh. You would think 600 security
    incidents would be enough to discover something is amiss.]

    --23 October 2002 Bugbear Bites Australian Government Again
    Australia's Parliament House in Canberra was hit with a second round of
    the Bugbear virus, prompting the Department of Parliamentary Reporting
    to ask everyone in the building to turn off printers. The October
    3rd infection made some printers print pages and pages of gibberish.
    http://news.zdnet.co.uk/story/0,,t269-s2124317,00.html
    http://australianit.news.com.au/articles/0,7204,5344158^15331^^nbv^15306-15319,00.html

    --23 October 2002 Berman's Hack Back Bill Likely Candidate for
    Revision
    The P2P Piracy Prevention Act, widely criticized for its vague language
    allowing copyright holders to hack back with impunity at suspected
    digital pirates, will likely be revised to eliminate those problems,
    according to an aide to bill author Representative Howard Berman
    (D-Calif.).
    http://news.com.com/2100-1023-963087.html

    --28 October 2002 Root DDoS Attack May Have Been Info Gathering Probe
    Several security pundits believe that last week's distributed denial
    of service (DDoS) attack on the 13 Internet root servers was a probe
    to gather information prior to an attack of much greater magnitude.
    Ed Skoudis says it is possible that the Internet will be brought down
    within the next few years, but compared it to a snow day rather than
    an event with dire physical consequences.
    http://www.msnbc.com/news/827209.asp?0dm=C21AT

    --22 October 2002 Defacements Increasing
    Roberto Preatoni, the owner of Zone-H.org, a web site that tracks
    defacements, says web vandalism is on the rise; the number of
    defacement notices he receives daily has jumped from about 40 last
    year to 500 this year. Preatoni warns that while defacements are
    largely vandalism, some of the attacks may give crackers root access.
    http://www.internetnews.com/dev-news...le.php/1485601

    --22 October 2002 Customs Wants to Build Secure Network
    The U.S. Customs Service is expected to issue a draft request for
    proposal (RFP) for building a classified network for law enforcement
    data; the RFP will be available only to vendors with top-secret
    facility security clearance and personnel with valid security
    clearances.
    http://www.fcw.com/fcw/articles/2002...s-10-22-02.asp

    --21 October 2002 Support Growing for Security Regulations
    During a meeting at MIT, Critical Infrastructure Protection Board
    chairman Richard Clarke heard from academics, business people and
    security experts about the necessity for some method to hold software
    vendors accountable for product security. Though Clarke would prefer
    to allow market pressure to take care of accountability, there is a
    cry for regulations or a certification body to ensure the software
    security.
    http://www.eweek.com/article2/0,3959,642940,00.asp
    [Editor's Note (Murray): I will start to give credence to such
    orchestrated whining on the same day I see any preference in the market
    place for secure operating systems over popular ones. Bad software
    is a fact of life; get used to it.]

    --21 October 2002 NASA's Vulnerability Reduction Program Works
    NASA began its Vulnerability Reduction Program in 1999 when it
    became clear that the agency's 80,000 computers were plagued by
    the same security holes again and again. NASA made a list of the
    top 50 vulnerabilities, bought vulnerability scanning software and
    began challenging each of its centers to gradually reduce the ratio
    of vulnerabilities to computers. Each quarter the list is revised;
    NASA has seen a marked decline in successful attacks against its
    systems since the program has been implemented. Its success inspired
    the SANS Top 10 and 20 lists.
    http://www.gcn.com/21_31/news/20283-1.html
    [Editor's Note: This article provides details on NASA's efforts that
    were not included in articles we covered last week.]

    --18 October 2002 NIST Draft: Recommendation for Block Cipher Modes
    of Operation
    NIST has recently developed the Draft Special Publication 800-38B,
    "Recommendation for Block Cipher Modes of Operation: the RMAC
    Authentication Mode." Public comments are welcome through December
    2, 2002.
    http://csrc.nist.gov/publications/drafts.html
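
    The "Government, ICANN Considering DDoS Protections" item above says the likely fix is to require that packets with forged return addresses be blocked. The decision a router makes to do that (BCP38 ingress filtering, usually implemented as unicast reverse-path forwarding) is small enough to show in full. The block below is an added example written for this page; it is not SANS text, not the forum poster's code, and not any vendor's implementation. The routing table, interface names and addresses in it are constructed (documentation ranges), and the bogon list is abbreviated.

```python
"""Source-address validation (BCP38 / unicast RPF) for packets entering a router.

Added example, not from the SANS newsletter or the forum post. The routing table,
interface names and addresses below are constructed; a real router does this in
the forwarding path, this is only the decision logic.
"""
import ipaddress

# Address space that must never appear as a packet source on the public Internet
# (abbreviated list: RFC 1918, loopback, link-local, multicast, ULA, ...).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed routing table: (prefix, interface the prefix is reached through).
# Two customer links plus a default route towards the upstream provider.
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "cust1"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust2"),
    (ipaddress.ip_network("2001:db8:1::/48"), "cust1"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("::/0"), "upstream"),
]


def best_route(addr, routes):
    """Longest-prefix match; returns (network, iface) or None if nothing matches."""
    best = None
    for net, iface in routes:
        # `addr in net` is False when the address families differ, so v4/v6 mix safely.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def check_source(src, in_iface, routes=ROUTES, mode="strict"):
    """Decide whether a packet with source `src` arriving on `in_iface` passes anti-spoofing.

    strict: the best route back to the source must point at the interface the packet
            arrived on (strict uRPF; what BCP38 asks of a single-homed customer edge).
    loose:  any route other than the default must exist for the source (loose uRPF;
            tolerates asymmetric routing, only catches unrouted and bogon sources).
    Returns (verdict, reason).
    """
    addr = ipaddress.ip_address(src)
    if any(addr in b for b in BOGONS):
        return ("drop", "bogon source")
    route = best_route(addr, routes)
    if route is None:
        return ("drop", "no route to source")
    net, iface = route
    if mode == "loose":
        if net.prefixlen == 0:
            return ("drop", "only the default route covers the source")
        return ("accept", "routable source (loose uRPF)")
    if iface != in_iface:
        return ("drop", f"best route to source is via {iface}, packet arrived on {in_iface}")
    return ("accept", "source matches reverse path")


if __name__ == "__main__":
    # A customer forging another customer's address, a customer forging RFC 1918 space,
    # and Internet traffic that claims a customer address: all three are dropped.
    for src, ifc in (("203.0.113.5", "cust1"), ("198.51.100.7", "cust1"),
                     ("10.1.2.3", "cust1"), ("203.0.113.5", "upstream"),
                     ("192.0.2.1", "upstream")):
        print(src, ifc, check_source(src, ifc))
```

    The strict check is the one that actually stops a customer from sourcing forged packets; the loose variant exists because strict uRPF on a multi-homed link with asymmetric routing drops legitimate traffic, so it is usually applied at the customer edge and the loose one at peering points.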

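
    Shpantzer's note on the Intentia story shows the attack side of predictable resource naming: once Q1 and Q2 are linked, Q3 is one character away. The defensive half is to notice it happening and to know when an unlinked file has been served. The block below is an added example for this page, not SANS text, not the forum poster's code and not anything from Intentia's site; the log lines, client addresses, document paths and the "published" set are constructed, and the format is Apache combined log.

```python
"""Spot forced browsing of unlinked documents in a web server access log.

Added example, not from the SANS newsletter or the forum post. The paths, client
addresses and log lines are constructed; the log format is Apache "combined".
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directory holding downloadable documents, and the ones the site has actually linked to.
DOCUMENT_PREFIX = "/files/"
PUBLISHED = {"/files/Report_02_Q1.pdf", "/files/Report_02_Q2.pdf"}

# Constructed traffic: a browser that followed a link, and a client walking the naming scheme.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2002:09:14:01 +0200] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Oct/2002:09:14:05 +0200] "GET /files/Report_02_Q2.pdf HTTP/1.1" 200 88213 "http://www.example.com/news/" "Mozilla/4.0"
198.51.100.9 - - [22/Oct/2002:09:20:11 +0200] "GET /files/Report_02_Q2.pdf HTTP/1.1" 200 88213 "-" "curl/7.9"
198.51.100.9 - - [22/Oct/2002:09:20:12 +0200] "GET /files/Report_02_Q3.pdf HTTP/1.1" 200 90112 "-" "curl/7.9"
198.51.100.9 - - [22/Oct/2002:09:20:13 +0200] "GET /files/Report_02_Q4.pdf HTTP/1.1" 404 312 "-" "curl/7.9"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def template(path):
    """Collapse digits so sibling names share one key: /files/Report_02_Q3.pdf -> /files/Report_##_Q#.pdf"""
    return re.sub(r"\d", "#", path)


def find_forced_browsing(rows, published, min_variants=2):
    """Return findings: documents served that were never linked, and clients enumerating a naming scheme."""
    findings = []
    # A 200 for a file under the download directory that is not in the published set means
    # the file was reachable before anyone linked to it: the thing Intentia says should not happen.
    for r in rows:
        if r["status"] == 200 and r["path"].startswith(DOCUMENT_PREFIX) and r["path"] not in published:
            findings.append({"ip": r["ip"], "kind": "unpublished_served", "path": r["path"]})
    # Several numeric variants of one template from one client, none reached via a link
    # (empty Referer), is the signature of URL guessing; 404s show where the guesses ran out.
    by_client = defaultdict(lambda: defaultdict(list))
    for r in rows:
        by_client[r["ip"]][template(r["path"])].append(r)
    for ip, templates in by_client.items():
        for tmpl, reqs in templates.items():
            paths = sorted({r["path"] for r in reqs})
            if len(paths) >= min_variants and all(r["referer"] == "-" for r in reqs):
                findings.append({"ip": ip, "kind": "enumeration", "template": tmpl,
                                 "paths": paths, "misses": sum(1 for r in reqs if r["status"] == 404)})
    return findings


if __name__ == "__main__":
    for finding in find_forced_browsing(parse_log(SAMPLE_LOG), PUBLISHED):
        print(finding)
```

    The "unpublished_served" finding is the one that matters operationally: the detection fires after the file has already left the server, so the real control is not putting the unreleased document on a public host under a guessable name in the first place. The Referer heuristic is weak on its own (clients can omit or forge it) and is there to cut noise, not as proof of intent.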
    Institute of Standards and Technology's (NIST's) Computer Security
    Division should be transferred to the new Department of Homeland
    Security. A bill that recently passed the House (H.R. 5005) would
    block the transfer. The Business Software Alliance (BSA) feels the
    move is unnecessary.
    http://207.27.3.29/dailyfed/1002/102402td1.htm
    [Editor's Note (Paller): Deputy Secretary Bodman is probably right. The
    computer security group at NIST has done a lot of good, but they
    could have made a huge difference in the security of federal systems
    and commercial systems had they been given substantial financial and
    management support. Lacking such support at NIST, they risk being made
    irrelevant unless they get some of the authority and money that will
    accompany the new Department of Homeland Security. Quiz question: Why
    would groups representing marketing interests in companies that sell
    software, argue against including NIST's security responsibilities in
    a new Department where NIST's excellent technical security staff could
    establish security standards for software sold to the government and be
    a force in helping agencies use the standards in their procurements?]

    --24 October 2002 Poll Shows Mixed Reviews of Microsoft's Move
    Toward Trustworthy Computing
    An InternetWeek reader poll with 213 respondents found that 50%
    feel Microsoft has made little or no progress toward Trustworthy
    Computing, while 37% feel the company has made some or great progress;
    the rest feel things are the same as they were before the initiative
    was announced. The article includes reader comments.
    http://www.internetwk.com/security02/INW20021024S0004
    [Editor's Note (Murray): By expecting results in six months
    InternetWeek editors demonstrate a lack of understanding of the
    problem. Much of it is related to MS's need to maintain backward
    compatibility to popular applications. Much of the problem is related
    to very old code; it will not be identified or fixed overnight.
    (Paller): Though users are still feeling the pain of two decades
    of security neglect by Microsoft, it is time for all other software
    developers to step up and be measured against Microsoft's security
    initiatives. Those who build Linux and Solaris and other operating
    systems, those who build Oracle and DB2 and other databases and those
    who build client software and applications (the two newest targets of
    attackers) should report publicly the percent of all their software
    developers who have taken and passed secure programming courses, the
    depth of automated and manual security testing done on every line of
    code they deliver, the automated systems they offer to update users'
    systems automatically to fix critical security flaws, and the degree
    to which their installed base is being protected rather than being
    forced to upgrade. Microsoft has a long way to go, but the other
    vendors may be even further behind.]

    --24 October 2002 NTT DoCoMo Site Intrusion
    A cracker broke into NTT DoCoMo's web site and altered a web page
    that lets customers modify contractual terms with the Japanese
    mobile phone services company; the page was made inaccessible.
    No individual customer data was altered; the company says it will
    enhance its site security.
    http://www.wirelessweek.com/index.as...l=Applications

    --24 October 2002 Brookings Study: Good Security Will Require More
    than Market Forces
    A study from the Brookings Institution, "Interdependent Security:
    Implications for Homeland Security Policy and Other Areas" argues that
    market forces alone do not provide adequate incentive for businesses
    to implement strong security measures. Companies do not often see
    security as providing a good return on investment, and when leading
    companies don't spend the money on security, others don't either.
    The study recommends regulations, insurance and third-party inspections
    to help boost security to appropriate levels.
    http://www.computerworld.com/securit...,75347,00.html
    [Editor's Note (Murray): There are only the market and coercion;
    those who argue that one will not work are arguing for the other.
    Be careful what you ask for; you might get it.
    (Paller): A balance between market forces and coercion is having
    extraordinary impact: Buyers combine their technology purchasing power
    to force suppliers to deliver safer systems. The federal government
    is the leader in this, but hundreds of organizations have joined
    forces in the Center for Internet Security (www.cisecurity.org)
    to establish standards for safer software, and they are beginning
    to order software configured safely on delivery. Some buyers are
    forcing software suppliers to take full economic responsibility for
    security breaches caused by flaws in their software. Market forces
    improve security when buyers unite.]

    --24 October 2002 A Palm Like an Open Book
    The ubiquity of personal digital assistants (PDAs) has helped
    law enforcement agents gather evidence and successfully prosecute
    crimes ranging from identity theft to corporate espionage to murder.
    The convenience of having so much data in one place eliminates the
    need for dumpster diving and other more tedious forms of evidence
    gathering, and PDAs are rarely encrypted or even password protected.
    http://www.nytimes.com/2002/10/24/te...ts/24palm.html
    (Please note: this site requires free registration)
    [Editor's Note (Shpantzer): I spoke today with Amber Schroader,
    from Paraben Software, who is quoted in this article. She says that
    the current breed of PDA passwords typically crack within minutes,
    including the encryption built into the word processing, spreadsheet
    and zip applications for the PDAs. The more complex and lengthy
    passwords take up to two weeks. The few cases in which forensics
    personnel are not able to get the plaintext data are caused by a
    strong third party encryption program installed on the device.]

    --24 October 2002 Canadian Inmates Pose Cyber Risk
    An internal report from Canada's Correctional Service (CSC) warns that
    inmates with computers could spread viruses or break into the CSC's
    network. Though the report strongly urges that inmates be allowed to
    use only prison-issue PCs, inmates who already have their own computers
    have been allowed to keep them. During the last five years, there have
    been more than 600 security incidents involving inmates' computers;
    the machines have also been used to plot escapes and create false IDs.
    http://www.theregister.co.uk/content/6/27770.html
    [Editor's Note (Northcutt): Heavy sigh. You would think 600 security
    incidents would be enough to discover something is amiss.]

    --23 October 2002 Bugbear Bites Australian Government Again
    Australia's Parliament House in Canberra was hit with a second round of
    the Bugbear virus, prompting the Department of Parliamentary Reporting
    to ask everyone in the building to turn off printers. The October
    3rd infection made some printers print pages and pages of gibberish.
    http://news.zdnet.co.uk/story/0,,t269-s2124317,00.html
    http://australianit.news.com.au/articles/0,7204,5344158^15331^^nbv^15306-15319,00.html

    --23 October 2002 Berman's Hack Back Bill Likely Candidate for
    Revision
    The P2P Piracy Prevention Act, widely criticized for its vague language
    allowing copyright holders to hack back with impunity at suspected
    digital pirates, will likely be revised to eliminate those problems,
    according to an aide to bill author Representative Howard Berman
    (D-Calif.).
    http://news.com.com/2100-1023-963087.html

    --28 October 2002 Root DDoS Attack May Have Been Info Gathering Probe
    Several security pundits believe that last week's distributed denial
    of service (DDoS) attack on the 13 Internet root servers was a probe
    to gather information prior to an attack of much greater magnitude.
    Ed Skoudis says it is possible that the Internet will be brought down
    within the next few years, but compared it to a snow day rather than
    an event with dire physical consequences.
    http://www.msnbc.com/news/827209.asp?0dm=C21AT

    --22 October 2002 Defacements Increasing
    Roberto Preatoni, the owner of Zone-H.org, a web site that tracks
    defacements, says web vandalism is on the rise; the number of
    defacement notices he receives daily has jumped from about 40 last
    year to 500 this year. Preatoni warns that while defacements are
    largely vandalism, some of the attacks may give crackers root access.
    http://www.internetnews.com/dev-news...le.php/1485601

    --22 October 2002 Customs Wants to Build Secure Network
    The U.S. Customs Service is expected to issue a draft request for
    proposal (RFP) for building a classified network for law enforcement
    data; the RFP will be available only to vendors with top-secret
    facility security clearance and personnel with valid security
    clearances.
    http://www.fcw.com/fcw/articles/2002...s-10-22-02.asp

    --21 October 2002 Support Growing for Security Regulations
    During a meeting at MIT, Critical Infrastructure Protection Board
    chairman Richard Clarke heard from academics, business people and
    security experts about the necessity for some method to hold software
    vendors accountable for product security. Though Clarke would prefer
    to allow market pressure to take care of accountability, there is a
    cry for regulations or a certification body to ensure the software
    security.
    http://www.eweek.com/article2/0,3959,642940,00.asp
    [Editor's Note (Murray): I will start to give credence to such
    orchestrated whining on the same day I see any preference in the market
    place for secure operating systems over popular ones. Bad software
    is a fact of life; get used to it.]

    --21 October 2002 NASA's Vulnerability Reduction Program Works
    NASA began its Vulnerability Reduction Program in 1999 when it
    became clear that the agency's 80,000 computers were plagued by
    the same security holes again and again. NASA made a list of the
    top 50 vulnerabilities, bought vulnerability scanning software and
    began challenging each of its centers to gradually reduce the ratio
    of vulnerabilities to computers. Each quarter the list is revised;
    NASA has seen a marked decline in successful attacks against its
    systems since the program has been implemented. Its success inspired
    the SANS Top 10 and 20 lists.
    http://www.gcn.com/21_31/news/20283-1.html
    [Editor's Note: This article provides details on NASA's efforts that
    were not included in articles we covered last week.]

    --18 October 2002 NIST Draft: Recommendation for Block Cipher Modes
    of Operation
    NIST has recently developed the Draft Special Publication 800-38B,
    "Recommendation for Block Cipher Modes of Operation: the RMAC
    Authentication Mode." Public comments are welcome through December
    2, 2002.
    http://csrc.nist.gov/publications/drafts.html

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Please xmaddness, don't stop posting your weekly Security News threads. They are probably some of the best threads on AO. Moreover, without these weekly threads.... I wouldn't know what week I'm on.
    Life is boring. Play NetHack... --more--

  5. #5
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055
    Hehe, yeah that's basically the same for me too. I like hearing my weekly updates and I like knowing which week we're on. Please, don't stop posting them.
    Space For Rent.. =]
