SANS NewsBites October 23, 2002 Vol. 4, Num. 44
TOP OF THE NEWS
28 October 2002 Government, ICANN Considering DDoS Protections
23 October 2002 There Were Two Attacks on the Internet
22, 23 & 28 October 2002 Internet DDoS Attack
28 October 2002 Reuters Charged with Hacking
THE REST OF THE WEEK'S NEWS
28 October 2002 Kournikova Virus Writer Loses Appeal In Dutch Court
25 October 2002 Visa is Testing Voice Authentication Technology
25 October 2002 NIST System Certification and Accreditation Program
25 October 2002 Professional Certifications Outpace Skills for Bonuses
24 & 25 October 2002 CERT/CC Warns of Kerberos Vulnerability
24 October 2002 Will NIST's Dept. of Computer Security be Part of DHS?
24 October 2002 Poll Shows Mixed Reviews of Microsoft's Move Toward Trustworthy Computing
24 October 2002 NTT DoCoMo Site Intrusion
24 October 2002 Brookings Study: Good Security Will Require More
than Market Forces
24 October 2002 A Palm Like an Open Book
24 October 2002 Canadian Inmates Pose Cyber Risk
23 October 2002 Bugbear Bites Australian Government Again
23 October 2002 Berman's Hack Back Bill Likely Candidate for Revision
28 October 2002 Root DDoS Attack May Have Been Info Gathering Probe
22 October 2002 Defacements Increasing
22 October 2002 Customs Wants to Build Secure Network
21 October 2002 Support Growing for Security Regulations
21 October 2002 NASA's Vulnerability Reduction Program Works
18 October 2002 NIST Draft: Recommendation for Block Cipher Modes
SECURITY TRAINING NEWS
*SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20
features the eight highest rated teachers in the security
field. If you can attend only one conference this winter, try to
get a place in the courses in San Francisco. Also features a free,
evening step-by-step program for implementing a Top 20 vulnerability
remediation program. San Francisco is often warmer and less crowded
in December than in August.
*Twelve new Local Mentor Programs start in the next few weeks. They combine
an online program with live training/practice sessions and offer
the most cost-effective local training for both CISSP and GSEC
Certifications. Also included: free updated Internet Threat Briefing.
for details on San Francisco, Local Mentor
and other programs.
TOP OF THE NEWS
--28 October 2002 Government, ICANN Considering DDoS Protections
The government and the Internet Corporation for Assigned Names and
Numbers (ICANN), an Internet governing body, are trying to figure
out what to do to protect the domain name system (DNS) from further
distributed denial of service (DDoS) attacks like the one launched
last week. They are likely to take steps to require that packets with
forged return addresses be blocked. It is also likely the root-name
server operators will add more servers. Large buyers may be encouraged
to do business only with ISPs that have DDoS protection in place.
--23 October 2002 There Were Two Attacks on the Internet
According to officials at Verisign, a second large distributed denial
of service (DDoS) attack occurred just hours after the attack on
the Internet's root name servers, this time targeting the domain
name servers such as dot-com, dot-biz and dot-info, and country code
domains such as Great Britain's dot-uk and Canada's dot-ca.
--22, 23 & 28 October 2002 Internet DDoS Attack
White House spokesman Ari Fleischer said it is still unknown who is
responsible for the attack. The attacks were not sophisticated, and
there was no serious degradation of service; though all 13 servers
were targeted, at least 4 kept running uninterrupted. Experts have
expressed concern that this attack could be a precursor to a larger,
more serious one. The FBI's National Infrastructure Protection Center
(NIPC) and cybercrime division agents are investigating.
--28 October 2002 Reuters Charged with Hacking
Swedish IT company Intentia plans to file criminal charges against
Reuters; it alleges the news agency broke into its computers to obtain
company information. An internal investigation brought to light the
fact that an intrusion into company computers came from an IP address
belonging to Reuters, which published the disappointing figures ahead
of their official release. Several other Scandinavian companies
claim Reuters published their figures ahead of schedule as well.
[Editor's Note (Shpantzer): Intentia, the company whose information
was published by Reuters, says that the information was on the
web server but could not be accessed "through normal channels."
It appears that Reuters used very basic URL guessing as a method
to obtain the information that was on the webserver, as it was
not immediately available to the casual surfer on the website via
hyperlink. Intentia is looking to the Swedish court system to create
a precedent stating that these methods are explicitly illegal.
This story got me curious so I did a little looking around in the
news room of the Intentia website, and found the following URLs:
This was the URL for their first quarter results:
This was the URL for their second quarter results:
And this is the URL for their third quarter results, published by
Reuters in the alleged hack:
1, 2, 3, 4, Intentia declares a legal war. Let's hope they don't
put the unpublished fourth quarter results on the web site with a Q4
replacing Q3 in the URL name.]
THE REST OF THE WEEK'S NEWS
--28 October 2002 Kournikova Virus Writer Loses Appeal In Dutch Court
Dutch judges meted out a sentence of 150 hours of community service
to the author of the Kournikova virus. They didn't believe the
offender's claim that he didn't know (1) what he was doing or (2)
that releasing viruses would be damaging. He had over 7,000 virus
specimens on his computer and worked in a computer store.
--25 October 2002 Visa is Testing Voice Authentication Technology
Visa International, Inc. has begun using voice authentication
technology internally to allow employees to reset their passwords; the
technology could eventually be used for online purchase verification.
[Editor's Note (Murray): If one goes to the trouble to enroll one's
users for a biometric, one ought to use it routinely as part of
a strong authentication scheme. To use it to manage passwords is
absurd; i.e., use a weak authenticator to manage an even weaker one.
Replacing passwords with strong authentication has been the biggest
agenda item for a generation.]
--25 October 2002 NIST System Certification and Accreditation Program
As part of its System Certification and Accreditation Project, the
National Institute of Standards and Technology (NIST) has posted
Special Publication 800-37, proposed guidelines for performing
security checkups. Guidelines for minimum security requirements for
federal online systems (800-53) and techniques for determining systems'
security levels (800-53A) will follow over the next few months.
Download the draft: http://csrc.nist.gov/sec-cert/
[Editor's Note (Northcutt): Security accreditation is not the hottest
topic, but if you are a U.S. government worker, or do work with the
government, I strongly advise you to take a look at this document
and to send in your comments. My preference is rapid assessment
and remediation and specific checklists over fluffy process, but
Ron Ross and Marianne Swanson and their team have created a solid
first cut that does not appear to be so paperwork heavy it dies of
its own weight, a la DITSCAP. One of the interesting components
is the "type accreditation" in which you harden an OS to a certain
level and this serves as an initial or "interim" accreditation for a
number of different environments. Obviously, this could be abused,
but it could also be a powerful tool to encourage broad-based adoption.]
--25 October 2002 Professional Certifications Outpace Skills for Bonuses
In the first half of 2002, bonus pay for technical certifications
rose while bonuses for skills sagged, reaching a historic crossing
point. Foote Partners' survey summarizes the data and shows the
skills and certifications experiencing the largest changes in premium
bonus pay. Security certifications took four of the top six places.
(Note: this site requires free registration to have the report emailed)
--24 & 25 October 2002 CERT/CC Warns of Kerberos Vulnerability
The Computer Emergency Response Team Coordination Center (CERT/CC)
has issued an advisory warning of a buffer overflow vulnerability
in Kerberos Administration Daemon. The flaw could be exploited to
obtain root privileges on vulnerable systems. Patches and upgrades
are available to address the problem. Affected systems include
MIT Kerberos version 4 and version 5 through krb5-1.2.6, KTH eBones
versions earlier than 1.2.1 and KTH Heimdal earlier than 0.5.1.
--24 October 2002 Will NIST's Computer Security Division be Part of DHS?
Commerce Department Deputy Secretary Samuel Bodman said the National
Institute of Standards and Technology's (NIST's) Computer Security
Division should be transferred to the new Department of Homeland
Security. A bill that recently passed the House (H.R. 5005) would
block the transfer. The Business Software Alliance (BSA) feels the
move is unnecessary.
[Editor's Note (Paller): Deputy Secretary Bodman is probably right. The
computer security group at NIST has done a lot of good, but they
could have made a huge difference in the security of federal systems
and commercial systems had they been given substantial financial and
management support. Lacking such support at NIST, they risk being made
irrelevant unless they get some of the authority and money that will
accompany the new Department of Homeland Security. Quiz question: Why
would groups representing marketing interests in companies that sell
software, argue against including NIST's security responsibilities in
a new Department where NIST's excellent technical security staff could
establish security standards for software sold to the government and be
a force in helping agencies use the standards in their procurements?]
--24 October 2002 Poll Shows Mixed Reviews of Microsoft's Move
Toward Trustworthy Computing
An InternetWeek reader poll with 213 respondents found that 50%
feel Microsoft has made little or no progress toward Trustworthy
Computing, while 37% feel the company has made some or great progress;
the rest feel things are the same as they were before the initiative
was announced. The article includes reader comments.
[Editor's Note (Murray): By expecting results in six months
InternetWeek editors demonstrate a lack of understanding of the
problem. Much of it is related to MS's need to maintain backward
compatibility to popular applications. Much of the problem is related
to very old code; it will not be identified or fixed overnight.
(Paller): Though users are still feeling the pain of two decades
of security neglect by Microsoft, it is time for all other software
developers to step up and be measured against Microsoft's security
initiatives. Those who build Linux and Solaris and other operating
systems, those who build Oracle and DB2 and other databases and those
who build client software and applications (the two newest targets of
attackers) should report publicly the percent of all their software
developers who have taken and passed secure programming courses, the
depth of automated and manual security testing done on every line of
code they deliver, the automated systems they offer to update users'
systems automatically to fix critical security flaws, and the degree
to which their installed base is being protected rather than being
forced to upgrade. Microsoft has a long way to go, but the other
vendors may be even further behind.]
--24 October 2002 NTT DoCoMo Site Intrusion
A cracker broke into NTT DoCoMo's web site and altered a web page
that lets customers modify contractual terms with the Japanese
mobile phone services company; the page was made inaccessible.
No individual customer data was altered; the company says it will
enhance its site security.
--24 October 2002 Brookings Study: Good Security Will Require More
than Market Forces
A study from the Brookings Institution, "Interdependent Security:
Implications for Homeland Security Policy and Other Areas" argues that
market forces alone do not provide adequate incentive for businesses
to implement strong security measures. Companies do not often see
security as providing a good return on investment, and when leading
companies don't spend the money on security, others don't either.
The study recommends regulations, insurance and third-party inspections
to help boost security to appropriate levels.
[Editor's Note (Murray): There are only the market and coercion;
those who argue that one will not work are arguing for the other.
Be careful what you ask for; you might get it.
(Paller) A balance between market forces and coercion is having
extraordinary impact: Buyers combine their technology purchasing power
to force suppliers to deliver safer systems. The federal government
is the leader in this, but hundreds of organizations have joined
forces in the Center for Internet Security (www.cisecurity.org)
to establish standards for safer software, and they are beginning
to order software configured safely on delivery. Some buyers are
forcing software suppliers to take full economic responsibility for
security breaches caused by flaws in their software. Market forces
improve security when buyers unite.]
--24 October 2002 A Palm Like an Open Book
The ubiquity of personal digital assistants (PDAs) has helped
law enforcement agents gather evidence and successfully prosecute
crimes ranging from identity theft to corporate espionage to murder.
The convenience of having so much data in one place eliminates the
need for dumpster diving and other more tedious forms of evidence
gathering, and PDAs are rarely encrypted or even password protected.
(Please note: this site requires free registration)
[Editor's Note (Shpantzer): I spoke today with Amber Schroader,
from Paraben Software, who is quoted in this article. She says that
the current breed of PDA passwords typically crack within minutes,
including the encryption built into the word processing, spreadsheet
and zip applications for the PDAs. The more complex and lengthy
passwords take up to two weeks. The few cases in which forensics
personnel are not able to get the plaintext data are caused by a
strong third party encryption program installed on the device.]
--24 October 2002 Canadian Inmates Pose Cyber Risk
An internal report from Canada's Correctional Service (CSC) warns that
inmates with computers could spread viruses or break into the CSC's
network. Though the report strongly urges that inmates be allowed to
use only prison-issue PCs, inmates who already have their own computers
have been allowed to keep them. During the last five years, there have
been more than 600 security incidents involving inmates' computers;
the machines have also been used to plot escapes and create false IDs.
[Editor's Note (Northcutt): Heavy sigh. You would think 600 security
incidents would be enough to discover something is amiss.]
--23 October 2002 Bugbear Bites Australian Government Again
Australia's Parliament House in Canberra was hit with a second round of
the Bugbear virus, prompting the Department of Parliamentary Reporting
to ask everyone in the building to turn off printers. The October
3rd infection made some printers print pages and pages of gibberish.
--23 October 2002 Berman's Hack Back Bill Likely Candidate for Revision
The P2P Piracy Prevention Act, widely criticized for its vague language
allowing copyright holders to hack back with impunity at suspected
digital pirates, will likely be revised to eliminate those problems,
according to an aide to bill author Representative Howard Berman.
--28 October 2002 Root DDoS Attack May Have Been Info Gathering Probe
Several security pundits believe that last week's distributed denial
of service (DDoS) attack on the 13 Internet root servers was a probe
to gather information prior to an attack of much greater magnitude.
Ed Skoudis says it is possible that the Internet will be brought down
within the next few years, but compared it to a snow day rather than
an event with dire physical consequences.
--22 October 2002 Defacements Increasing
Roberto Preatoni, the owner of Zone-H.org, a web site that tracks
defacements, says web vandalism is on the rise; the number of
defacement notices he receives daily has jumped from about 40 last
year to 500 this year. Preatoni warns that while defacements are
largely vandalism, some of the attacks may give crackers root access.
--22 October 2002 Customs Wants to Build Secure Network
The U.S. Customs Service is expected to issue a draft request for
proposal (RFP) for building a classified network for law enforcement
data; the RFP will be available only to vendors with top-secret
facility security clearance and personnel with valid security
--21 October 2002 Support Growing for Security Regulations
During a meeting at MIT, Critical Infrastructure Protection Board
chairman Richard Clarke heard from academics, business people and
security experts about the necessity for some method to hold software
vendors accountable for product security. Though Clarke would prefer
to allow market pressure to take care of accountability, there is a
cry for regulations or a certification body to ensure the software
[Editor's Note (Murray): I will start to give credence to such
orchestrated whining on the same day I see any preference in the market
place for secure operating systems over popular ones. Bad software
is a fact of life; get used to it.]
--21 October 2002 NASA's Vulnerability Reduction Program Works
NASA began its Vulnerability Reduction Program in 1999 when it
became clear that the agency's 80,000 computers were plagued by
the same security holes again and again. NASA made a list of the
top 50 vulnerabilities, bought vulnerability scanning software and
began challenging each of its centers to gradually reduce the ratio
of vulnerabilities to computers. Each quarter the list is revised;
NASA has seen a marked decline in successful attacks against its
systems since the program has been implemented. Its success inspired
the SANS Top 10 and 20 lists.
[Editor's Note: This article provides details on NASA's efforts that
were not included in articles we covered last week.]
--18 October 2002 NIST Draft: Recommendation for Block Cipher Modes
NIST has recently developed the Draft Special Publication 800-38B,
"Recommendation for Block Cipher Modes of Operation: the RMAC
Authentication Mode." Public comments are welcome through December