
Thread: This week's security news 1/23/03

  1. #1
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    South Florida

    NEWS: This week's security news 1/23/03

    Brought to you by our friends at the SANS Institute.
    SANS NewsBites January 22, 2003 Vol. 5, Num. 3

    $4.7 Billion Budgeted for Federal IT Security
    Virus Writer Jailed for Two Years
    Rumsfeld Orders Material Removed from Web
    Ohio State Computer System Overwhelmed with 11 Million e-Mails
    Microsoft to Share Windows Source Code

    Peer-to-Peer Hydra Worm Claim is a Hoax
    Study Shows Old Drives Not Adequately Cleaned
    Allstate Banned from On-Line CA DMV Access
    SPV Phone Vulnerability
    Advice for Choosing a VPN
    Agencies are Encouraged to Use FedCIRC's Patch System
    DHCP Buffer Overflow Flaws
    New Mexico to Deploy Identity Management Program for State Web Access
    Sobig Worm Upgraded
    Spammer's Site Exposes Customer Data
    Mullen Defends Striking Back at Systems Running Worms
    Instant Messaging Security Risks
    Microsoft Will Release APIs to Ensure Longhorn Works Well with AV

    SANS seeks reviewers for Business Law and Computer Security and for
    New SSH Step-by-Step
    Dartmouth ISTS Seeks Comments on Security Research Gap Analysis


    $4.7 Billion Budgeted for Federal IT Security
    (21 January 2003)
    President Bush will ask Congress for $59 billion in new information
    technology spending in his FY 2004 budget. $4.9 billion of that is
    targeted for computer security.

    Virus Writer Jailed for Two Years
    (21 January 2003)
    Simon Vallor, a Welsh web designer, was jailed for 24 months for
    writing and spreading viruses. This sentence is four months longer
    than the one given in the US to David Smith, author of Melissa.

    Rumsfeld Orders Material Removed from Web
    (16 January 2003)
    Defense Secretary Donald Rumsfeld has issued an order restricting
    what information is to be available on armed forces web sites. An al
    Qaeda training manual found in Afghanistan indicates the group used
    US military web sites to gather information.
    [Editor's Note (Ranum): Some of us pointed this out back in the early
    1990's, when (for example) Ft Huachuca posted intelligence analysts'
    training manuals on the web. It's sad that something so obvious had
    to go as high as the SecDef.
    (Denning): The DoD has been cracking down on this since at least 1998.
    See the 1998 memo from the secdef on information vulnerability on
    the web http://www.defenselink.mil/other_info/depsecweb.pdf .
    The official DoD policy on web content (issued Nov 98 and updated
    Jan 02) is at http://www.defenselink.mil/webmasters/]

    Ohio State Computer System Overwhelmed with 11 Million e-Mails
    (15 January 2003)
    Police believe they know who is responsible for sending 11 million
    e-mail messages into Ohio State University's computer system.
    The attack made Internet access difficult and delayed e-mail delivery
    for several days.

    Microsoft to Share Windows Source Code
    (15 January 2003)
    Microsoft will share Windows source code with governments and
    international organizations to allow them to conduct security reviews.
    Participants in the Government Security program will also be able to
    visit Microsoft's development facilities.

    SANS Local Mentor Programs begin in 31 cities in 5 countries
    during the next 16 days. Details and schedule at the SANS Web site:


    Peer-to-Peer Hydra Worm Claim is a Hoax
    (14/16 January 2003)
    A hacking group called Gobbles Security admitted that claims it had
    been hired by the Recording Industry Association of America (RIAA)
    to create a worm to infect peer-to-peer file sharing networks were
    a hoax. However, the phony announcement included a description of
    a real security flaw and source code to exploit it. The flaw could
    be exploited to delete files on Unix-based computers.

    Study Shows Old Drives Not Adequately Cleaned
    (15/16 January 2003)
    According to a study conducted by two MIT graduate students, people who
    sell their old disk drives are not doing an adequate job of ensuring
    the information they hold is removed. Of 158 drives purchased on eBay
    or computer salvage stores, only 12 had been appropriately sanitized;
    the rest were either broken or contained personal data that were
    easy to recover and read. The report says people need to be better
    educated about methods for cleaning their data off drives they are
    [Editor's Note (Shpantzer): IT assets should be tracked and
    managed in some sort of formal manner. One way to do this is to
    use the System Development Life Cycle model (SDLC). This model
    includes the disposal phase of assets, which should be given
    due regard in accordance with the data sensitivity, as well as
    updated to defend against new threats such as advances in forensic
    recovery techniques. Here is how one agency works with the SDLC:

    Allstate Banned from On-Line CA DMV Access
    (16 January 2003)
    Allstate Insurance has been banned from checking on line driving
    records at the California Department of Motor Vehicles after officials
    discovered that employees at the company were violating confidentiality
    rules. Among the infractions: a confidential home address of one
    driver was given to another driver, computer passwords were shared,
    and false claim numbers were submitted to gain access to friends and
    family members' records.
    [Editor's Note (Grefer): Who'd believe that they're the only ones
    abusing the system?]

    SPV Phone Vulnerability
    (16 January 2003)
    Microsoft and Orange, a mobile phone operator, are together developing
    a patch for a vulnerability in the SPV phone, which they market
    in Europe. The SPV phone is able to run certain downloadable
    applications; users and developers who were unhappy with the
    restrictions apparently circulated information about disarming that
    security feature.

    Advice for Choosing a VPN
    (16 January 2003)
    This article describes the differences between trusted virtual
    private networks (VPNs) and secure VPNs. The article also discusses
    implementing VPNs, deciding how they will be managed and what to
    expect to pay for VPN gateways and client software.

    Agencies are Encouraged to Use FedCIRC's Patch System
    (16 January 2003)
    Presidential cyber security advisor Richard Clarke and the Office of
    Management and Budget's (OMB's) associate director for IT Mark Forman
    both recommend that government agencies make use of the Federal
    Computer Incident Response Center's (FedCIRC's) security patch
    distribution service. The Patch Authentication and Dissemination
    Capability (PADC) could help agencies meet the FISMA requirements.
    Agencies can enter system profiles and receive information about
    potential vulnerabilities and how to address them. Patches will
    be tested and stored to a secure server for agencies to download
    as needed.

    DHCP Buffer Overflow Flaws
    (16 January 2003)
    The Computer Emergency Response Team Coordination Center (CERT/CC)
    has issued an advisory warning of buffer overflow vulnerabilities
    in Internet Software Consortium's (ISC) Dynamic Host Configuration
    Protocol (DHCP) software. DHCP versions 3.0 through 3.0.1RC10 are
    affected. The ISC has released an update that addresses the flaws.

    New Mexico to Deploy Identity Management Program for State Web Access
    (16 January 2003)
    Within the next month, the state of New Mexico plans to implement a
    centralized identity management program so that employees and citizens
    can access web applications securely. Administrators will be able
    to alter employees' profiles, so that if they leave their job, their
    permissions change at the same time.
    [Editor's Note (Schultz): New Mexico's system appears to be a big
    step forward. Too often organizations neglect revoking access to
    former employees. Hopefully, the changes in profiles and permissions
    that New Mexico is implementing will occur soon after employees leave
    their jobs.]

    Sobig Worm Upgraded
    (15 January 2003)
    Several anti-virus companies have upgraded warnings for the Sobig worm
    which spreads through e-mail and shared folders affects Windows-based

    Spammer's Site Exposes Customer Data
    (15 January 2003)
    A web site operated by a spammer who mass mails people with offers
    of cheap, pirated software has exposed customer data, leaving it ripe
    for picking by other spammers.

    Mullen Defends Striking Back at Systems Running Worms
    (13 January 2003)
    Tim Mullen defends his "strikeback" position; he believes people
    should be allowed to "neutralize a worm process" on others' systems.
    He reasons that if an entity has no responsibility for worms running
    on their systems without their knowledge, they have no rights to the
    process, either. In other words, if entities claim their rights were
    violated by a strikeback, that claim carries with it an acknowledgment
    of responsibility for the worm's actions.
    [Editor's Note (Ranum): "Blame the victim" is not a moral position.
    (Paller) Whether or not it is moral, blaming the victim may be
    legal. In the BNA Electronic Commerce Law Report, Raul, Volpe and
    Meyer write, "Under a tort liability model, security breach victims
    may be able to seek damages from a company if they can prove the
    existence of: (1) a reasonable duty of care necessary to prevent
    security breaches, (2) a breach of that duty, (3) a proximate
    relationship between the breach of the duty and the injury, and
    (4) actual loss or damage sustained as a result of the breach."
    The problem with Tim Mullen's thesis is that he is not asking for
    damages from the victim, but for a right to break into the victim's
    computer. Federal statutes clearly say that is illegal without the
    victim's permission.
    (Schultz) Mr. Mullen certainly has the right to his opinions, but
    frankly, I'm disappointed that a well-respected site like Security
    Focus would resort to publishing a white paper that advocates the
    right to become a cyber-vigilante.]

    Instant Messaging Security Risks
    (13 January 2003)
    This article describes the various security threats associated with
    Instant Messaging clients: worms, backdoors, hijacking, and denial
    of service. Because the use of Instant Messaging is increasing, the
    possibility of becoming infected with malware is increasing as well.

    Microsoft Will Release APIs to Ensure Longhorn Works Well with
    AV Products
    (13 January 2003)
    Microsoft is taking steps to ensure that its next-generation operating
    system, code-named Longhorn, will work well with anti-virus software.
    The company is releasing approximately 100 APIs to anti-virus
    vendors, which should help with virus scanning and detection and
    reduce interference with operating systems and applications.


    SANS seeks reviewers for Business Law and Computer Security and for
    New SSH Step-by-Step
    Two consensus research opportunities:
    The first draft of our new SANS SSH Step-By-Step is ready for review.
    This work includes configuration, usage and verification steps for SSH.

    In addition, we are seeking Attorneys who are interested in reviewing
    the first draft of our new SANS one day course that is slated to
    become the book: Business Law and Computer Security

    To participate in either project, please include any relevant
    experience and credentials along with your Bio/resume and respond
    to review@sans.org

    Selected reviewers who make substantial contributions will receive
    credit by having your name and organization listed on the inside
    front cover. In addition, you will receive a free copy of the book.

    Dartmouth ISTS Seeks Comments on Security Research Gap Analysis
    The Institute for Security Technology Studies (ISTS) is doing an
    analysis of the gap between needs and available technology for cyber
    attack investigation. If you have tools that are useful in this field,
    email Andrew MacPherson at amacpherson@ists.dartmouth.edu.

  2. #2
    Senior Member
    Join Date
    Nov 2002
    On the topic of M$ putting out their source code for, from what I understand, XP, 2000, and Server 2003: I know it said it was for national and international government use only and it will be issued in a debugger etc., etc. ... but my first thought was knowing damn well that thing will be available on the web in a year's time, and knowing for sure that someone will be putting it in a compiler, oh man, this should be good. I knew they were going to release the TCPA source code, which I'm not sure why. I mean, I have just begun learning C++, but from what I understand, and anyone feel free to correct me if I'm wrong, this o/s is supposed to be the most secure Win o/s yet and it's supposed to be taking people's rights away and putting them in the hands of M$ and the government, so by releasing the source code not only for TCPA but now XP, 2000, and Server 2003 ... aren't they being really counter-productive to all the rhetoric they have been preaching for years now? Dunno, it's just my thought.
    Don't be a bitch! Use Slackware.

  3. #3
    Join Date
    Dec 2002
    U're right hatebreed!
    So is M$ going open source. It be hard to believe hehe!
